ML20211P638
| ML20211P638 | |
| Person / Time | |
|---|---|
| Site: | 05200003 |
| Issue date: | 10/31/1997 |
| From: | Fowler S, Lutz R WESTINGHOUSE ELECTRIC COMPANY, DIV OF CBS CORP. |
| To: | |
| Shared Package | |
| ML20211P626 | List: |
| References | |
| WCAP-13914, WCAP-13914-R02, WCAP-13914-R2, NUDOCS 9710210062 | |
| Download: ML20211P638 (63) | |
Text
- _ .
)
l M\
A: .
, w g ,
i $ [l ,JmJik ___ j l l 1 h;b'i, L w.ista o s
.,.k.
,. i,
-l f '[ .
'3 2 t
{ I.
t-ig i
RL e
t h
- y ti ? ;
e
- b. l Q Jr l e r a e$@g f
' i L , Id 5 n 1
7)jkgggg&e.w 3 g* $w&;f
- r= =_ o b weve m{gg {
a
(($IE!(($$!hh !Ikkh! No a
< e, +
e " 4 .[.
- Wsstinghouse Non Proprietary Class 3/ '
~
A F
,7Q 2.i .;
- + + +::+:+ +:+ +
x -
a E .
Frameworklfor AP600:
~ '
Severe Accident
. Managemerit Guidance: '
.~
I i
W-e s t i n g h o u s e Energy Systems f
- .. n +; '
- AP600 DOCUMENT COVER SHEET TDC
- IDS: 1 S
' Form 58202G(5/94)[tAxxxx.wpf:1x] AP600 CEPRRAL FILE USE ONLY; 0058.FRM RFSe: RFS ITEM #:
AP600 DOCUMENT NO. REVISION NO. ASSIGNED TO GWGLO27. 2- Page 1 of 1 ALTERNATE DOCUMENT NUMBER: WCAP-13914 WORK BREAKDOWN #: 3.2.4 DESIGN AGENT ORGANIZATION: Westmghouse TITLE: Frarnework for AP600 Severe Accident Management Guidance ATTACHMENTS: DCP #/REV, INCORPORATED IN THIS DOCUMENT REVISION:
CALCULATION / ANALYSIS
REFERENCE:
ELECTRONIC FILErdME ELECTRONIC FILE FORMAT ELECTRONIC FILE DESCRIPTION (C) WESTINGHOUSE ELECTRIC CORPORATION 199Z.
O WESTINGHOUSE PROPRIETARY CLASS 2 TNs document contains information proprietary to Westinghouse Electric Corporation: It is submitted in confidence and is to be used solely for the purpose for wNch it is fumished and retumed upon request. TNs document and such information is not to be reproduced, transmitted, disclosed or used otherwise in whole or in part without prior written authonzation of Westinghouse Electric Corporation Energy Systems Businese Unit, subject to the legends contained hereof.
O WESTINGHOUSE PROPRIETARY CLASS 2C TNs document is the property of and contains Proprietary information owned by Westinghouse Electric Corporation and/or its subcontractors and suppliers, it is transmitted to you in confidence and trust, and you agree to treat tNs document in strict accordance with the terms anJ conditions of the agreement under wNch it was provided to you.
@ WESTINGHOUSE CLASS 3 (NON PROPRIETARY) -
COMPLETE 1 IF WORK PERFORMED UNDER DESIGN CERTIFICATION gg COMPLETE 2 IF WORK PERFORMED UNDER FOAKE.
10 DOE DESIGN CERTIFICATION PROGRAM - GOVERNMENT LIMITED RIGHTS STATEMENT (See page 21 Copyright statement. A license is recerved to the U.S. Govemment under contract DE AC03-90SF18495.
@DOE CONTRACT DELIVERABLES (DELIVERED DATA)
Subject to specified exceptions, disclosure of this data is restricted until September 30,1995 90SF18495, wNchever is later, EPRI CONFIDENTIAL: NOTICE: 1 G 2 30 4 s O CATEGORY: A N B C D E F0 2 O ARC FOAKE PROGRAM - ARC LIMITED RIGHTS STATEMENT [See page 21 Copyright statement A license is reserved to the U.
mment under contract DE-FCO2 NE34267 and subcontract ARC-93-3-SC 001.
O ARC CONTRACT DELIVERABLES (C T DATA)
Subject to specified exceptions, disciogi re of tNs rettricted under ARC Subcontract ARC-93-3-SC-001.
ORIGINATOR Da *AJE d'
AP600 RESPONSIBLE MANAGER SIGNATU *% APPROVAL DATE S K. Fowter .
_ l ,,,hohg
' Approval of the reski.dWe manager sagruties that t is complete, au required reviews are complete, electronic file is attached and document is ro6 eased for use.
e AP600 DOCUMENT COVER CHEET Prge 2 ,
Form 58202G(5/94) LIMITED RIGHTS STATEMENTS DOE GOVERNMENT UMITED RIGHTS STATEMENT (A) These data are submitted with hmited nghts under government contract No. DE-ACO3 90SF18495. These data may be reproduced and used by the govemment with the express hmetation that they will not, ethout wntten permission of the Contractor, be used for purposes of manufacturer nor disclosed outsgie the govemment; except that the govemment may disclose these data outside the government for the following purposes, if any, provided that the govemment makes such disclosure subject to prohibit on against further use and disclosure:
(1) TNs
- Proprietary Data
- may be disclosA for evaluation purposes under the restnctions above.
(11) The 'Propnetary Data
- may be disclosed to the Electric Power Research Insttute (EPRI), electnc utahty representatives and their direct consultants, excluding dared commercial competitors, and the DOE National Laboratones under the prohibitons and restnctions above.
(B) This notice shall be marked on any .eproduchon of these data, in whole or in part.
ARC UMrTED RIGHTS STATEMENT:
TNs proprietary data, fumished under Subcontract Number ARC-93-3-SC 001 with ARC may be duphcated and used by the govemment and ARC, subi sct to the hmetations of Article H-17.F. of that subcontract, with the express hmitations that the propriuary dCa may not be disclosed outside the government or ARC, or ARC's Class 1 & 3 members or EPRI or be used for purposes of manufacture without pnor permission of the Subcontractor, except that further disclosure or use may be made solely for the following purposes:
TNs proprietary data may be disclosed to other than commercial competitors of Subcontractor for evaluation purposes of this subcontract under the restnction that the propnetary data be retained in confidence and not be further disclosed, and sub tect to the terms of a non-disclosure agreement between the Subcontractor and that orgaruzation, excluding DOE and its contractors.
DEFINITIONS CONTRACT /DEUVERED DATA - Consists of documents (e.g. specifications, drawings, reports) Which are generated under the DOE or ARC contracts which contain no background proprietary data, EPRI CONFIDENTIALITY / OBLIGATION NOTICES NOTICE 1: The data in this document is subject to no confidentiality obligatons.
NOTICE 2: The data in this document is proprietary and confidential to Westinghouse Electnc Corporation and/or its Contractors. It is forwarded to recipient under an obhgation of Confidence and Trust for hmited purposes only. Any use, disclosure to unauthorized persons, or coming of tNs document or parts thereof is prohibited except as agreed to in advance by the Electnc Power Research Institute (EPRI) and Weshnghouse Elec'nc Corporation. Recipient of this data has a duty to inquire of EPRI and/or Westinghouse as to the uses of the information containeo herein that are parmitted.
NOTICE 3: The data in tNs document is proprietary and confidential to Westinghouse Electnc Corpotation and/or its Contractors. It is forwarded to recipient under an obbgation of Confidence and Trust for use only in evaluation tasks specifically authonzed by the Electnc Power Research Insttute (EPRI). Any use, disclosure to unauthon2ed persons, or copying this document or parts thereof is prohibited except as agreed to in advance by EPRI and Weshnghouse Electnc Corporation. Recipient of this data has a duty to inquire of EPRI andor Westinghouse as to the uses of the informabon contained herein that are permitted. TNs document and any copies or excerpts thereof that may have been generated are to be retumed to Westinghouse, directly or through EPRI, when requested to do so.
NOTICE 4: The data in this document is proprietary and confidential to Westinghouse Electric Corporation and/or its Contractors. it is being revealed in confidence and trust only to Employees of EPRI and to certain contractors of EPRI for hmited evaluabon tasks authorized by EPRI.
Any use, disclosure to unauthorized persons, or copying of this document or parts theroof is prohibited. This Document and any copies or excerpts thereof that may have been generated are to be retumed to Westinghouse, directly of through EPRI, when requested to do so.
NOTICE 5: The data in this document is proprietary and confidental to Westinghouse Electric Corporation and/or its Contractors. Access to this data is given in Confidence and Trust only at Westinghouse facilities for hmited evaluation tasks assigneo by EPRI. Any use, disclosure to unauthonzed persons, or copying of this document or parts thereof is prohibited. Neither this document nor any excerpts therefrom are to be removed from Westinghouse facilities.
EPRI CONFIDENTIALITY / OBLIGATION CATEGORIES CATEGORY "A"- (See Delivered Data) Consists of CONTRACTOR Foreground Data that is contained in an issued reported.
CATEGOP.Y v'- (See Delivered Data) Consists of CONTRACTOR Foreground Data that is not contained in an issued report, except for computer programs.
CATEGORY "C"- Consists of CONTRACTOR Background Data except for computer programs.
CATEGORY "D"- Consists of computer programs developed in the course of performing the Work.
CATEGORY "E*- Consists of cornputer programs developed prior to the Effective Date or Mter the Effectve Date but outside the sccpe of the Work.
CATEGORY "F"- Consists of administrative plans and administrative reports.
WESTINGHOUSE NON-PROPRIETARY CLASS 3 WCAP-13914 Framework for AP600 Severe Accident Management Guidance October 1997 Revision 2 Westinghouse Electric Corporation Energy Systems Business Unit P.O. Box 355 Pittsburgh, PA 15230-0355 C 1997 Westinghouse Electric Corporation All Rights Reserved m:\3324w.wpf;1b-093097
4 TABLE OF CONTENTS 1
INTRODUCTION . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-1 2 REQUIREMENTS FOR SEVERE ACCIDENT MANAGEMENT . . . . . . . .. .. . . 2-1 3 DECISION-MAKING PROCESS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . , 3-1 3.1 ROLE OF THE PLANT PERSONNEL . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-2 3.2 STRUCTURE OF A P600 GUIDANCE . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-2 3.2.1 Diagnostic Flow Chart . . . . . . . . . . . . . . . . . . . . . . . . . . . , . . . . . . 3-2 3.2.2 Severe Challenge Status Tree . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-3 3.2.3 Guidelines . . . . . . . ................................... 3-4 4 SEVERE ACCIDENT MANAGEMENT COALS . . . . . . . . . . . . . . . . . . . . . . . . . 4-1 4.1 CONTROLLED, STABLE CORE STATE . . . . . . . . . . . . . . . . . . . . . . . . . 4-1 4.2 CONTROLLED, STABLE CONTAINMENT STATE . . . . . . . . . . . . . . . . . 4-4
)
4.2.1 Hydrogen Flammability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-6 4.2.2 Core / Concrete Interaction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-7 4.2.3 High Pressure Melt Ejection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48 4.2.4 Steam Explosions . . . . . . . . ............................ 4-8 4.2.5 Creep Rupture Failure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-9 4.2.6 Containment Vacuum . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-10 4.3 FISSION PRODUCT RELEASE PREVENTION, TERMINATION AND MITIG ATION . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-11 4.4 SECONDARY GOALS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-13 5 HIGH LEVEL ACTIONS FOR AP600 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-1 5.1 INJECT INTO RCS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-1 5.2 INJECT INTO CONTAINMENT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-6 5.3 INJECT INTO STEAM GENERATORS . . . .....................5-7 5.4 DEPRESSURIZE RCS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-8 5.5 DEPRESSURIZE STEAM GENERATORS . . . . . . . . . . . . . . . . . . . . . . . . . 5-10 5.6 DEPRESSURI7R CONTAINMENT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-11 5.7 PRESSURIZE CONTAINMENT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-12 5.8 BURN HYDROGEN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-12 5.9 VENT CONTAINMENT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-13 5.10. MITIGATE FISSION PRODUCT RELEASES . . . . . . . . . . . . . . . . . . . . 5-14 5.11
SUMMARY
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-15 6 CONCLUSION . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . .. . . . 6-1 7 REFERENCES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-1 APPENDIX A AP600 SEVERE ACCIDENT MANAGEMENT INSIGHTS . . . . . . . . . . . . A-1 APPENDIX B AP600 SAMG RAls AND RESPONSES . . . . . . . . . . . . . . . . . . . . . . . . . . . B-1 on3324w.wpt.lb.093097 Revision 2, October 1997
LIST OF TABLES Trble 5-1 AP600 High Level Actions Relative to Severe Accident M anagement Goals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-2 Table 5-2 Smnmary of High Level Severe Accident Management Strategies for AP600 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-16 o-\3324w.wpt:1b-093097 Revision 2, October 1997
11 1 INTRODUCTION Prevention and mitWrion of accidents has been an integral part of the design process for AP600, A significant driving force in the passive plant design is the key accident management philosophy of preventing accidents from progressing to core damage.
However, in the event of a low probability core damage accident, it is prudent to have severe accident management guidance with the objective of terminating the progression of the accident and returning the plant to a controlled, stable state. Therefore, this document contains a summary of the overall philosophy and high level strategies that will form the basis of the AP600 severe accident management guidance.
The Westinghouse plan for addressing severe accident management for AP600 will be based on the Westinghouse Owners Group Severe Accident Management Guidance (WOG SAMG) for the current generation of operating plants [Ref.1]. Since some of the AP600 design features reduce or eliminate the potential for some severe accident phenomena and fission product bouridary challenges, the WOG SAMG provides an envelope of possible severe accident management considerations. Thus, the WOG SAMC has dinxt applications to the development of AP600 severe accident management guidance, and will be the starting point from which comparisons are made.
The scope of the AP600 severe accident management guidance is to address significant core damage accidents. Prior to core damage, the Emergency Operating Procedures (EOPs),
which are based on the AP600 Emergency Response Guidelines (ERGS) will be used [Ref. 2).
Although the EOPs/ ERGS for existing plants (e.g., the WOG ERG package [Ref. 3]) have proven to be effective in the prevention of core damage, they do not address scenarios after significant core damage has occurred.
The AP600 severe accident management guidance will be developed for use after the AP600 emergency response guidelines are no longer applicable. The AP600 severe accident management guidance will include the application of insights that are derived from the AP600 Probabilistic Risk Assessment (PRA, .Ref. 4], and elements that have been learned through severe accident management research over the past 15 years. As such, severe accident management guidance is the mechanism that brings the current level of knowledge on severe accidents to the hands of the operating and technical staff at the plant. However, the overall uncertainty of the core melt progression is still quite high, and thus the management of a severe accident can only be prxonstructed by guidance that is less prescriptive than the guidelines for design basis events and other accidents prior to core damage.
The contents of this document include a discussion of severe accident management requirements, the anticipated structure for the decision making process, the goals that must Introduction Revision 2, October 199f o:\3324w.wpf:1b-093097
1-2 be accomplished for severe accident management, and a summary of possible strategies for AP600 severe accident management, included in the severe accident management discussions are key severe accident management insights obtained from the AP600 PRA.
This document provides the framework for future AP600 severe accident management guidance development and therefore does not specifically address many issues in detail.
Introduction Revision 2, October 1997 j o:\3324w.wph1W3097
- 2-1 2 REQUIREMENTS FOR SEVERE ACCIDENT MANAGEMENT There are no current NRC gr quirements for the development of severe accident management guidance. However, NRC policy statements from the NRC Staff to the NRC Commissioners (SECY letters) identify concerns and future actions of the NRC concerning this subject.
Specifically, SECY-89-012 [Ref. S] provides the followir, information.
" Accident Management encompasses those actions taken during the course of an accident by the plant operating and technical staff to: (1) prevent core damage, (2) terminate the progress of core damage if it begins and retain the core within the reactor vessel, (3) maintain containment integrity as long as possible, and (4) minimize offsite releases. Accident management, in effect, extends the defense-in-depth principle to plant operating staff by extending the operating procedures well beyond the plant design basis into severe fuel damage regimes, with the operator skills and creativity to find ways to terminate accidents beyond the design basis or to limit offsite releases.
The NRC staff has concluded, based on PRAs and severe accident analyses, that the risk associated with severe core damage accidents can be further reduced through effective accident management. In this context, effective accident management would ensure that optimal and maximum safety benefits are derived from available, existing systems and plant operating staff through pre-planned strategies... Accordingly, accident management is considered to be an essential element of the severe accident closure process described in the Integration Plan for Closure of Severe Accident Issues (SECY-88-147) [Ref,6) and the Generic Letter on the Individual Plant Examination (Generic Letter 88-20) [Ref. 7).
In the IPE Generic Letter, the staff deferred the requirement to develop an accident management plan, stating that we are currently developing more specific guidance on this matter and are working with NUMARC to (1) define the scope and content of acceptable accident management programs, and (2) identify a plan of action that will ultimately result in incorporating any plant-specific actions deemed necessary, as a result of the IPE, into an overall severe accident management program."
Also within SECY-89-012, the first objective for an accident management plan developed by licensees for each plant is:
" Developing technically sound strategies or maximizing the effectiveness of personnel and equipment in preventing and mitigating potential severe accidents. This includes ensuring that guidance and procedures to implement these strategies are in place at all plants."
Requirements for Severe Accident Management Revision 2, October 1997 c:\3324w.wpf:1b-093097
2-2 On November 4,1994, the Nuclear Energy Institute's (NEI) Nuclear Strategic Issues Advisory Committee voted unanimously to establish a formal industry position on severe accident management and to bind each of the utilities currently operating light water reactors in the U.S.A. to implement the measures in that position by December 1998. The formal industry position on severe accident management was issued as NEI 91-04, Revision 1, " Severe Accident Closure Guidelines" [Ref. 8]. The basic elements of the severe accident management required by NEl 91-04, Rev.1 include written guidance, training and a procus for periodic utility self assessment. The NRC has accepted the industry position on severe accident management as a substitute for formal regulatory requirements [Ref.17] but is defining an approach for assuring the quality and etictiveness of the implementation of the industry's initiative.
The previous information is in regards to general positions of the NRC on severe accident management, and it does not distinguish between current operating plants and new, advanced plant designs. However, the NRC has indicated their interest in AP600 severe accident management through several of the Requests for Additional Information (RAls) which are presented in Appendix B. Specifically, RAI 720.55 asks how Westinghouse plans to use the AP600 Probabilistic Risk Assessment to identify and assess accident management measures. Furthermore, in RAI 720.56, the NRC asked how Westinghouse plans to address the five elements of accident management as defined in SECY-89-012. These elements are:
- 1) accident management procedures,2) training for severe accidents,3) accident management guidance,4) instrumentation, and 5) decision-making responsibilities. Subsequently, in RAI 480.212, the NRC asked about severe accident management actions that might be required after 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> to prevent or mitigate uncontrolled fission product releases. More recently,in 3 RAI 480.439, the NRC has inquired about how insights developed from the AP600 PRA would be incorporated into the combined license (COL) applicant's severe accident management guidance.
In addition, the Advanced Light Water Reactor (ALWR) Utility Requirements Document (URD) [Ref 9] states that the Plant Designer shall establish the technical basis for a severe accident management program that includes core damage prevention and mitigation. The Plant Designer is also to translate the plant design bases into operational limitations and responses which can then be developed into procedural guidelines and training by the Plant Owner. The Plant Designer is also responsible for confirming that the plant design is compatible with the ERGS and the severe accident management program based on the plant specific PRA and other relevant information. The NRC's Safety Evaluation Report for this document states: "The use of PRA for developing and confirming the severe-accident management program and ERGS is also consistent with the Commission's severe-accident policy" [Ref.10].
Requirements for Severe Accident Management Rmsion 2. Cktober 1997 o:\3324w.wphlb 093097
3-1 3 DECISION-MAKING PROCESS Severe accident management involves the implementation of actions to bring the plant to a controlled, stable state following core damage and to mitigate challenges to the containment fission product boundary In a severe accident state, the first two fission product boundaries (the fuel rod cladding and the reactor coolant system) may be severely damaged and the focus shifts to maintaining the final fission product boundary. To effectively choose the appropriate severe accident management actions and to prioritized the implementation of the appropriate actions, assessment of the plant conditions is needed.
The nature of severe accidents and the possible responses dictate that severe accident management diagnostics be symptom-based. Several specific features of severe accidents can be cited which support the symptom-based approach:
a) Severe accident management must provide a response for a wide range of severe accident conditions. While a large number of possible scenarios have been identified in severe accident studies, it is likely that most of these scenarios do not accurately represent realistic severe accident scenarios due to modelling assumptions in these studies (such as all equipment failures are assumed to occur at time zero),
b) During a severe accident, the plant conditions are undergoing continual change.
Severe accident management must relate actions to symptoms.
c) The overall goals of severe accident management involve the response to challenges to fission product boundaries, which can be diagnosed through symptoms.
In other words, the symptom-based approach is a key method to develop flexibility in the AP600 severe accident management guidance. This flexibility refers primarily to the ability of plant personnel to shift priorities and implement accident management strategies based on the situation of the plant during the accident. Specific technical decisions may be knowledge-based, and will be dependent on the interpretation of the plant status. Therefore, the appropriateness of specific actions cannot be predetermined during the development of AP600 severe accident management guidance. This approach allows the guidance developed to be useful during any severe accident, even scenarios which are not currently recognized situations. As such, an AP600 severe accident management plan is the final stage in the defense-in-depth plant safety concept.
Although flexibility is a necessity, there is a need for the guidance itself to be a structured process for choosing the appropriate actions based on actual plant conditions. Human factor considerations during a high stress environment that would accompany a severe accident require that the guidance be simple to use. T.aus, the AP600 severe accident management Decision-Making Process Revision 2. October 1997 o:\3324w.wpf:1b-093097
3-2 guidance must be an effective decision-making tool based on some fundamental concepts about the organization of the guidance, as detailed below.
3.1 ROLE OF THE PLANT PERSONNEL NE1 has developed recommendations for severe accident assessment and mitigation that divide responsibilities of personnel into categories of evaluators, decision makers, and implementors. The evaluators must assess the plant symptoms to determine the plant state, and then evaluate the potential strategies that may be used to mitigate the event. The decision makers are to assess and select the strategies to be implemented. The implementors are responsible for performing the steps necessary to accomplish the objectives of the strategies, such as hands-on control of valves, breakers, controllers and special equipment.
The plant personnel to perform each of these functions will be identified by the AP600 COL applicant in the development of the severe accident management plan. Factors that will be considered include:
The structure of the organization that is needed for accidents prior to core damage, so that there would be an orderly transition to management of the accident after core damage is diagnosed, a
The instrumentation, equipment and computers necessary to fulfill each function, a
The skills, training and expertise of personnel, a
The size and location of the necessary staff, and The desire to address severe accident management preparation, while still maintaining a focus on the prevention of core damage.
3.2 STRUCTURE OF AP600 GUIDANCE The AP600 guidance for severe accident management will include overall diagnostic tools that control the flow of the decision-making process, as well as detailed guidelines. The following sections provide a summary of the expected flow charts, as well as further information on the content of the detailed guidelines. .
e 3.2.1 Diagnostic Flow Chart As identified in Section 3.0, there is a need for severe accident management guidance to have an organized structure to facilitate effective decision-making. For AP600, the form of this Decision-Making Process Redsion 2, October 1997 .
o:\3324w.wpth 093097
3-3 structure should be based on the WOG SAMG, although some of the details may differ. The element discussed within this section is the Diagnostic Flow Chart, which is the primary decision-making tool to determine when the plant has achieved the overall goals of severe accident management.
The Diagnostic Flow Chart (DFC) is the primary tool to identify the appropriate guidelines for the key possible plant conditions that may occur following a severe accident. The flow chzrt is the point of entry into severe a:cident management (from the ERGS), and it also serves as the exit point. The flowchart is based on setpoints for different parameters that are either necessary to define a controlled, stable state or which may prevent further challenges to fission product boundaries. The elements that determine a controlled, stade state are discussed in Section 4.0. Prevention of fission product boundary challenges refers to the prevention of severe accident phenomena, which may challenge fission product boundary integrity, such as induced steam generator tube rupture, high pressure melt ejection and reactor vessel lower head failure. Key plant conditions will be defined based on the capability to take actions to . ontrol the conditions and on the potential challenge to the containment fission product boundaries which these conditions may indicate. Based on the particular plant conditions identified in the DFC, a specific guideline is consulted to evaluate
.the availability and effectiveness of the various severe accident management strategie: which may be used to control the conditions. If a controlled, stable state is achieved, the DFC instructs plant personnel to develop a set of limitations and cautions for the long term recovery process, based on the consideration of large quantities of fission products released from the core and other important aspects of the severe accident scenario. The parameters in the DFC will be prioritized and the setpoint values will be determined during the development of the detailed AP600 guidance.
The development of the priorities for checking the parameters that determine a controlled stable state (i.e., the order of appearance of parameters on the DFC) will be based on fission W product challenges to the containment fission product boundary, the speed at which such challenges can occur, the time in the accident progression at which the challenges can occur, and the time available for intervention. The priorities and the actual values for the DFC parameters (i.e., the setpoints) will be based on the AP600 severe accident response characteristics as detailed in the AP600 PRA and will consider the severe accident management insights identified from the AP600 PRA, as documented in Appendix A of this report.
3.2.2 Severe Challenge Status Tree The Severe Challenge Status Tree (SCST) is the primary tool used by the emergency response team to identify immediate and severe challenges to containment fission product boundaries and to select the appropriate guideline for strategies to respond to the challenge. The SCST identifies the severe challenges for all possible plant conditions that may occur following a Decision-Making Process Revnion 2, October 1997 oA3324w.wpElb 093097
3-4 severe accident. The plant conditions on the SCST will be defined based on the severity of the challenge and capability to take actions to control the conditions in time to mitigate the challenge to the containment fission product boundaries. Based on the particular plant conditions identified in the SCST, a specific guideline is consulted to evaluate the availability and effectiveness of the various severe accident management strategies which may be used to control the conditions.
The parameters in the SCST are regularly monitored to determine whether a severe challenge has developed. The SCST parameters are to be monitored simultaneously with the usage of the DFC. The existence of the SCST as a monitoring tool allows for the effective use of the pre-prioritized DFC, which addresses less-immediate concerns. However, if the setpoint for a SCST parameter is reached, all activities being guided by the DFC would be put on hold until the SCST challenge has been addressed.
The development of the priorities for checking the parameters that determine challenges to the containment fission product boundary (i.e., the order of appearance of parameters on the SCST) will be based on the severity of the fission product challenges to the containment fission product boundary, the speed at which such challenges can occur, the time in the accident progression at which the challenges can occur, and the time available for intervention. The priorities and the actual values for the Severe Challenge Status Tree parameters (i.e., the setpoints) will be based on the AP600 severe accident response characteristics as detailed in the AP600 PRA and will consider the severe accident management insights identified from the AP600 PRA, as documented in Appendix A of this report.
3.2.3 Guidelines While a Diagnostic Flow Chart and Severe Challenge Status Tree are used to establish the organizational structure of severe accident management guidance, the details and the majority of the technical content are contained within guidelines. Guidelines are referenced directly from the DFC or SCST due tc, a plant parameter being outside the desired range.
The structure of the guidelines will include the following major considerations:
- 1) Equipment Availability - The guidelines will contain lists of the possible equipment that may be used to implement an action. If no equipment is available, instructions will include the consideration of restoring the non-functioning equipment.
- 2) Benefits vs. Potential Negative Impacts - The potential actions will be considered in regards to their benefits weighed against the expected negative impacts. If the negative impacts are judged to be large, then methods to minimize the negative impacts will be considered when possible. If the impacts differ based on the choice of methods or equipment, this distinction will be made.
Decision-Making Process Revuion 2. October 1997 i o \3324w.wpf-lb 093097 l
4 3-5
- 3) Implementation -If the decision is made to implement a strategy, implementation .
instructions will be provided that include any limitations that were identined during the evaluation. The implementation instructions will also identify the expected response of the plant as a basis to compare the actual response. The option to abort the action, or to implement additional actions, will also be considered.
- 4) . Long Term Concerns - Once a severe accident management strategy is implemented, there may be one or more additional plant parameters that require periodic surveillance to assure that the strategy implemented will continue to be effective.
These generally include support functions such at an adequate water supply, and continued equipment cooling. The identification of the long term concerns associated with the implementation of any severe accident management strategy should also include a brief description of the actions that can be taken to address the long term concerns when they become critical to the continuation of the selected strategy.
1 Decision-Making Process Revision 2, October 1997 -
o:\3324w.wpf-1b 093097
4 4-1 4 SEVERE ACCIDENT MANAGEMENT GOALS Before any guidance for severe accident management can be developed, the first step is to identify the overall goals that the guidance must achieve. As stated in the introduction, the overall objective of severe accident management is to terminate the core damage progression.
However, the scope of severe accident management also entails maintaining the capability of the containment as long as possible, and minimizing fission product releases and their effects.
These severe accident management oby -*ives can be translated into specific goals that must be met. These three goals are: 1) to return the core to a controlled, stable state, 2) to maintain or return the containment to a controlled, stable state, and 3) to terminate any fission product releases from the plant. Secondary goals, to be achieved while focusing on the primary goals, are to i) minimize fission product releases, and ii) maximize equipment and monitoring capabilities.
Before details are provided on each of these goals, it should be noted that severe accident management does not guarantee the achievement of the goals. Severe accident management is a structured approach that best utilizes available resources at the plant based on the current understanding of severe accidents.
4.1 CONTROLLED, STABLE CORE STATE A controlled, stable core state is defined as core conditions under which no significant short term or long term physical or chemical changes (i.e., severe accident phenomena) would be expected to occur. A significant short term or long term change is one which would require an operator response to prevent a change in core location, a challenge to containment integrity, or fission product releases. In order to achieve a controlled, stable core state, two primary conditions must be met:
- 1. A process must be in place for transferring all energy being generated in the core to a long term heat sink.
- 2. The core temperature must be well below the point where chemical or physical changes might occur.
Foi a severe accident, the core is assumed to be uncovered and overheated when severe accident management begins. Therefore, both decay heat and sensible heat must be removed from the core, along with any chemical heat which is produced during the recovery phase.
However, providing a means to remove all of the core energy does not guarantee a controlled, stable core state. This is best illustrated by the TMI-2 accident in which core relocation continued for a significant period of time after a process was in place for cooling the core [Ref.11]. This was because the core geometry did not facilitate efficient transfer of Severe Accident Management Goals Revision 2. October 1997 o:\3324w.wpf;1b-093097
4-2 energy from the molten core material to the coolant. Thus, the core can only be considered in a controlled, stable state when its temperatore is sufficiently low, and a heat removal process is in place. Thus, both criteria are necessary and sufficient conditions for achieving a controlled, stable core state.
The amount of energy that will have to be transferred from the core is dependent on whether the core remains subcritical. Before significant downward relocation of core material occurs, the amount of negative reactivity required for subcriticelity is bounded by the ERG considerations. As core downward relocation progresses, the required negative reactivity for subcriticality decreases due to geometry compaction [Ref.12]. The core compaction results in a significant change in the local moderator to fuel volume ratio, thus requiring less negative reactivity such as control rods or soluble boron.
However, for severe accident management, the extent of core relocation cannot be determined during the accident itself. If the water injected during the severe accident comes solely from the tanks inside the containment that are sufficiently borated, then there is no chance that the shutdown margin will be lost. However, if the only available water sources do not contain sufficient boron to ensure that the subcriticality conditions are achieved, there is the potential for a return to power, depending on the core geometry. The use of unborated (or under-borated) water could only result in a return to power in the core at very low levels, which is a function of the injection rate to the core. For this scenario, the core would be likely to continue to degrade since all of the heat g neration is not removed by boiling of the injected water, resulting in a change in core geometry which leads to a subcritical state.
If the core returns to a critical state, the excess reactivity would be compensated by void formation in the water. However, the rate at which criticality is approached must be sufficiently slow that the feedback associated with the void development can be effective. If the injection rate of the water were too high, prompt recriticality could be a concern, which could damage reactor coolant piping or steam generator tubes. However, generic severe accident studies [Ref. 7] have conservatively shown that even flow rates of 1000 gpm are an order of magnitude too low for prompt criticality. Since this is higher than any expected injection flowrates for the AP600 plant, there is no need to further consider criticality or prompt criticality issues.
The cooling of the core can be accomplished via several methods. The preferred method is to cover the core debris with water while it is stillin the reactor vessel. If the core cannot remain covered with water while in the vessel, submerging the bottom head of the reactor vessel with water may be sufficient to remove the core heat. (Ref.13 and Ref.14] If this method of flooding the containment cavity is successful and if the reactor coolant system is sufficiently depressurized, it prevents reactor pressure vessel (RPV) failure and movement of the core material into the containment. Although either water inside the RPV or water Severe Accident Management Goals Revision 2, October 1997 1 o:\3324w.wpf:lt493N7
{
4-3 submerging the bottom head of the RPV may be sufficient, the ideal condition is to create water inventories both inside and outside the RPV. This maximizes the possibility of reducing the core temperature and ensuring that further physical and chemical changes can no longer occur.
r if the core remains within the RPV, not only must the core initially be cooled, but a long term heat removal process must be established. The first possibility to be considered is heat transfer to the steam generators. For this option to be feasible, there must be a water inventory in the secondary side of the steam generators, Se reactor coolant system (RCS) should be relatively intact, and there must be some water inventory within the RCS.
However, it is not necessary to have a complete RCS water inventory, since condensation of steam is also an effective heat transfer mechanism.
Another possibility for long term heat removal while the core is within the reactor vessel is to use the passive residual heat removal (PRHR) system. This system is based on natural circulation from the RCS to heat exchangers in the in-contairunent refueling water storage tank (IRWST). Withm the IRWST, the heat is then transferred to the containment through steaming. Therefore, the PRHR is an indirect method to transfer the core heat to the containment. For the PRHR to function, the RCS must be relatively intact, and there must be some water inventory within the RCS. In addition, there must be a sufficient water inventory within the IRWST. Since the IRWST is the largest water source fc.r refilling the RCS and to flood the containment cavity, the IRWST water inventory is not likely to be maintained during a severe accident, and thus this method is not likely to be available for long term heat removal from the RCS unless the IRWST can be refilled from an external water source.
The third long term heat transfer process to be considered is a direct path to the containment, which is then cooled through passive containment cooling. If there is a loss-of-coolant accident (LOCA), steaming from the break can be an effective heat transfer medium, provided that additional water can continually be provided to the RCS. For a non-LOCA transient, an opening in the RCS can be created for direct steaming, such as opening the fourth stage valves of the automatic depressurization system (ADS). Another heat transfer pathway to the containment is via direct heat transfer through the walls of the RPV, coolant loops and direct vessel injection lines if water is surrounding the outside surfaces.
If the severe accident is not mitigated before the RPV lower head fails and the core debris is transported ex-vessel, the only long cerm heat sink is the containment. In this scenario, a water inventory in the reactor cavity and the containment is needed for initial core cooling and long term heat removal. If the limited surface area of the core debris is not sufficient to pem.it removal of decay heat and sensible heat, the core debris will remain molten and lateral movement will increase the heat transfer area until cooling can occur. Although some ablation of the concrete basemat may occur in this case, the investigations reported in the Severe Accident Management Goals Revision 2. October 1997 o;\3324w.wptH43097 l
1' m
4-4 AP600 PRA indicate that the core will eventually be quenched and concrete ablation will be arrested. One of the features of the AP600 plant is that the reactor cavity has been designed with sufficient floor area to permit debris spreading until a coolable geometry can be created.
Thus, the cooling of the core J.cbris extemal to the reactor vessel can be accomplished in the presence of water. However, if the core debris is transported ex vessel into a dry reactor cavity, the core debris will begir to ablate the concrete basemat. Subsequent introduction of water into the reactor cavity may only be partially successful in arresting the concrete ablation. Thus, it is important that the reactor cavity be flooded prior to core relocation from the reactor vessel and that a continued supply of water be available to maintain a water cover over any core debris in the reactor cavity, For core material dispersed at reactor vessel failure and refrozen on vertical containment surfaces and equipment, o. present as thin layers on horizontal containment surfaces or equipment, no water may ce required for long term cooling. Generic analyses [Refs.13 and 14] show that convection of the decay heat to the containment atmosphere could be sufficient to ensure long term cooling. If decay heat cannot be removed by convection, the dispersed core material will heat-up, become molten, and eventually drain to lower levels of the containment. Downward relocation of cere debris will stop when all of the heat can be removed, either via convection from a new configuration or via transfer to water if the debris becomes submerged at lower containment levels. Furthermore, AP600 is uesigned such that only a small fraction of the core debris that is ejected from the reactor vessel could reach the upper containment area. [Ref.13] Therefore, core coolability after vessel failure remains primarily a concern of establishing a water inventory in the lower cavity.
Thus, to maximize the possibility of achieving a controlled, stable core condition, the elements that must be considered in severe accident management are:
water inventory in the RCS, water inventory in the containment cavity, heat transfer to the steam generators, and heat transfer to the containment.
4.2 CONTROLLED, STABLE CONTAINMENT STATE A controlled, stable containment state is defined as containment conditions under wluch no significant short term or long term physical or chemical changes would be expected to occur.
A significant short term or long term change is one which would require an operator response to prevent a challenge to containment integrity or fission product releases. In order to achieve a controlled, stable containment state, several conditions must be met, as summarized below.
Severe Accident Management Goals Revision 2. Octder 1997 oA3324w.wpf:n493097
4-5
- 1. A process must be in place for transferring all of the energy that is being released to the containment to a long term heat sink.
- 2. The containment boundary must be protected and functional.
- 3. The containment and reactor coolant system conditions must be well below the point where chemical or physical processes ' severe accident phenomena) might result in a dynamic change in containment conditions or a failure of the containment boundary.
The first two of these conditions are relatively straight forward for the AP600. The energy removal condition requires that a heat sink be available and that a process for getting the energy from the containment to the heat sink exists. Without a means to remove the energy transferred from the core and from chemical processes occurring during a severe accident, the containment pressure and/or temperature will increase to the point where the containment stnvtural integrity could be challenged. Thus, ensuring that an adequate containment heat sink exists will prevent containment pressures and temperatures from reaching the point where the integrity of the containment boundary is challenged. For the AP600 plant, the primary containment cooling mechanism is the Passive Containment Cooling System (PCCS).
This system causes the gravity drain of water onto the outside of the steel containment vessel, which then evaporates into the natural circulation air flow around the containment vessel. The PCCS has sufficient water inventory to operate for 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> following an accident. The PRA results indicate that with the PCCS in operation, the containment pressure remains below the design pressure for all severe accident scenarios, if the water flow over the outer containment shell is not available, air cooling alone is sufficient to remove decay heat from the containment. In the case without PCCS cooling, the AP600 PRA shows that the containment pressure will exceed the design pressuie and approach the containment ultimste pressure crability. The AP600 PRA shows that although there is a very small probability of exceeding the containment pressure capability without PCCS operating, the containment pressure remains well below the median estimate of the containment ultimate capability. In either case, (with or without PCCS cooling), natural circulation of air around the outside of the containment requires that the drairu at the bottom of the annulus remain open to prevent an accumulation of water from blocking the natural circulation fic,w path. In addition to the heat removal capability of the containment shell, the AP600 fan cooler system may be available to supplement the passive cooling. Whi'e the AP600 fan cooler heat removal capability cannot match decay heat, it can be an effective supplement to the passive heat removal capability of the containment shell.
The contahment boundary condition requires that containment isolation be established and maintained. In the case of severe accidents the containment boundary includes all piping which penetrates the containment and which can have an unrestricted pathway to the erwironment. These pipes can be considered to be isolated if at least one valve in the pipe is closed (plus any bypass valves in parallel pipes), the line is pressurized with water, or a
' vater seal is established in the line. In other words, all piping which is not actively carrying Severe Accident Management Goals Revision 2. October 1997 c:\3324w.wpf;1tW93097 1
4-6 Water to or from the containment, as part of severe accident management, must be isolated by closing at least one valve or establishing a sufficient water seal to prevent release of reactor coolant or containment fluids. Containment isolation considerations extend to the steam generators, main steam lines and feedwater lines since steam generator tube faults (either tube failures or pre-existing leaks) are a major concern for severe accident management. The limited number of containment penetrations in the AP600 design greatly simplifies this consideration, compared with the current generation of plants.
The third condition for a controlled, stable containment state is more difficult to accomplish than the previous two conditions. The changes in containment conditions which can lead to challenges to the containment include dynamic changes which cannot be predicted by trending contahunent parameters and longer term changes which can be more readily predicted by monitoring containment parameters. Both of these types of changes are of interest since they contribute to the potential for failure of the containment boundary. The dynamic and long term changes in containment conditions considered here are a result of severe accident phenomena. The severe accident phenomena considered in this goal include:
Hydrogen flammability, including diffusion flames Core.' concrete interactions (CCI)
High pressure melt ejection (HPME), which includes
- Direct contairunent heating (DCH)
- Reactor vessellift-off a Steam explosions Creep rupture failure of reactor vessel or SG tubes Vacuum caused by hydrogen burning or venting Although the treatment of severe accident phenomenology for AP600 has been addressed in WCAP-13388, the discussions below summarize the impacts on management of the severe accident.
4.2.1 Hydrogen Flammability The first of the severe accident phenomena to be considered is hydrogen. The containment pressure rise when a flammable hydrogen mixture is bumed in containment is a direct function of the mass of hydrogen present in the containment. During a severe accident, hydrogen is expected in the containment as a result of the in-vessel reactions between the fuel rod cladding and the steam as the core overheats. For any accident sequences in which the RCS pressure is low during core melting, most of the hydrogen generated would be released from the RCS to the containment. However, for sequences with high RCS pressures, a large fraction of the in-vessel hydrogen generation might be trapped in the reactor coolant system. For these latter sequences, a failure of the RCS or an intentional action to depressurize the RCS to the containment (such as any stage of the AP600 ADS) after l
l Severe Accident Management Goals Revision 2, October 1997 o:\3324w.wpf.H>493097 I
l
47 significant core damage has occurred can suddenly change the containment conditions and may have an impact on hydrogen flammability. In addition, the AP600 PRA shows that some modes of RCS depressurization using the ADS Stages 2 and 3 (which discharge to the IRWST) may result in the creation of a standing diffusion flame near the IRWST vents. The AP600 PRA also indicates that diffusion flames may be created in the Core Makeup Tank (CMT) room for the Direct Vessel Injection (DVI) line break scenario. In this scenario, the diffusion flame is created when the containment water level exceeds the DVI line break location and the core is reflooded through the DVI line; the additional hydrogen during reflood can results in the creation of a diffusion flame. Although the AP600 PRA analyses predict that these diffusion flames will not challenge the containment integrity, they can lead to a significant change in containment conditions.
Although the AP600 plant is equipped with hydrogen igniters, this discussion is in relationship to scenarios in which the igniters fail and hydrogen accumulates. AP600 analyses have shown that the containment can witbstand the pressure transient from the deflagration of the hydrogen equivalent to 100% of cladding oxidation. The AP600 PRA analyses also show that the containment atmosphere is well mixed due to the natural circulation cu4 rents setup inside containment for passive heat removal through the containment shell. The analyses do not predict any significant local concentrations of flammable gases oat require accident management considerations. If significant core debris is released to a dry containment, core / concrete interactions can result in additional hydrogen generation along with carbon monoxide, which is a flammable gas. Another significant source of hydrogen to be considered is from interactions between unreacted (unoxidized) metals in the core debris and water or steam in the containment after reactor vessel failure.
Sinct a hydrogen bum can result in a change in containment conditions, a controlled, stable containment can only be achieved if the hydrogen is maintained in a nonflammable state and no significant sources of additional hydrogen are expected. Thus, a controlled, stable containment state with respect to flammable gases requires that: a) the core is covered by water, b) the containment hydrogen is less than the global flammability limits for containment conditions near ambient, c) there are no ongoing core concrete interactions, and d) the reactor coolant system is at a low pressure.
4.2.2 Core / Concrete Interaction Core / concrete interaction (CCI) can produce substantial changes in the containment conditions in a number of different ways. CCI results in the erosion of the bottom of the containment structure and can result in a containment failure at the basemat. CCI also results in the production of hydrogen and carbon monoxide gases which increases the flammable gas concentration in the containment. CCI without an overlying water layer also results in substantial heating of the containment gases via high temperature gas generation, convective heating of existing gases and radiative heating of nearby structures. In addition, Severe Accident Management Goals Revnion 2, October 1997 o:\3324w.wpf It@3097 I
4-8 CCI can result in core material configurations which may not be readily coolable, even in the presence of an overlying water cover.
Core / concrete interaction can be prevented by having an adequate level of water covering the containment and the reactor cavity floor. The reactor cavity water inventory can submerge the reactor vessel and thereby prevent the core debris from leaving the reactor vessel, in the event of reactor vessel failure, the water inventory in the reactor cavity can quench and cool core debris in this region to prevent core / concrete interaction. Thus, a controlled, stable containment state, with respect to core / concrete interaction, requires that either: a) the core is in the reactor vessel (as a result of either recovering in-vessel cooling or submerging the reactor vessel) or b) the containment and reactor cavity floor regions are covered with sufficient water to quench any core debris discharged from the reactor vessel and c) water recirculation back to the cavity is available to maintain the cavity water level, and thus core debris cooling.
4.2.3 High Pressure Melt Ejection If the reactor vessel fails while the reactor coolant system is at a high pressure, several severe accident phenomena can occur which have the potential for producing substantial changes in the containment conditions. The subsequent high pressure melt ejection (HPME) can produce direct containment heating (DCH) effects which may substantially change the containment pressure and temperature. HPME can also result in vertical movement of the reactor vessel due to the thrust forces generated by core debris escaping through the failure location in the RPV. Some studies have indicated that the movement of the RPV may result in sufficient movement in other piping connected to the RCS to tear containment penetrations, thereby challenging containment integrity conditions. HPME also produces a substantial change in the containment hydrogen concentration as described under 'he hydrogen flammability discussion above. HPME is prevented by either preventing reactor vessel failure or by reducing the RCS pressure.
4.2.4 Steam Explosions Steam explosions, both within the RPV and in the containment, have been postulated as a concem because they may result in substantial changes in containment conditions by creating breaches in the containment boundary. Steam explosions are a subset of core-coolant interactions which can produce rapid pressure changes in the RCS and the containment.
Steam explosions have an accompanying shock wave which, by itself can cause damage to the containment or RCS boundary [Ref.15].
An evaluation specific to the AP600 design was conducted to investigate the potential for in-vessel steam explosions. The evaluation concludes that in-vessel steam explosions cannot generate sufficient energy, in a short time scale, to generate a missile that could fail the Severe Accident Management Goals Revision 2. October 1997 '
o-\3324w.wpf.It@93097 l
4-9 AP600 containment [Ref.13]. In addition, the evaluation shows that the peak pressure from any potential in-vessel steam explosion is well within the normal operating pressure of the reactor coolant system. Therefore, the integrity of the RCS pressure boundary is not tlucatened.
Because of the AP600 containment layout, a significant ex-vessel steam explosion from core debris-water interaction can occur only in the reactor cavity. Evaluation of both steam generation rates and potential shock waves induced by debris water interactions shows that their magnitude is not expected to be sufficient to threaten the AP600 containment integrity.
(Ref.13) The impact of the shock wave on the cavity wall and vessel support structure was also evaluated as part of the AP600 PRA evaluations, with the conclusion that while the structural integrity of the cavity walls may be threatened, there is no impact on the overall containment integrity. Therefore, the principal consequence of ex-vessel explosive debris-water interaction is to rapidly cool the debris and pressurize the containment. Neither the steam generation nor the shock waves are expected to challenge the containment integrity for any credible accident scenario.
4.2.5 Creep Rupture Failure Core damage accident scenarios in which the core material is located within the reactor vessel can lead to substantial changes in the containment conditions if either the reactor vessel, the reactor coolant system piping or the steam generator tubes should fall. Reactor vessel failure is primarily a result of contact between molten core material and the inside surface of the vessel bottom head. Reactor coolant system piping and steam generator tube failures are primarily a result of the circulation of high temperature gases within the reactor cWant system which leads to creep rupture failure of the piping.
Creep rupture failure of the RCS piping can result in substantial changes in the containment pressure, hydrogen concentration and fission product inventory. Creep rupture failure of the
- RCS piping can only occur if the RCS pressure is near its nominal operating value and is a -
result of heating the pipe walls to a high temperature under high stress conditions. Thus, creep rupture failure of the RCS piping can be prevented by reducing the RCS pressure or submerging the RCS piping in water. Creep rupture failure of the SG tubing can result in substantial changes in the containment integrity since the secondary side of the steam generator pressurizes to the SG safety valve setpoint. This creates a direct pathway for fission product transport from the RCS to the environment. Creep rupture failure of the SG tubes is a result of heating the tube walls to a high temperature and can only occur under conditions of high RCS pressure and a dry steam generator secondary side. Thus, creep
- rupture failure of the SG tubes can be prevented by reducing the RCS pressure or maintaining an adequate SG secondary side water inventory.
Severe Accident Management Goals Revision 2, October 1997 oA3324w.wpf.1b-093097
4 10 4.2.6 Containment Vacuum The final severe accident phenomena which must be considered in the definition of a controlled, stable containment state is the potential for changes in containment conditions which would result in a substantial vacuum in containment. A substantial vacuum in containment could result in containment boundary failure. These conditions are most likely to be a concern following a large hydrogen burn in the containment or following relief of some portion of the containment gases to the environment. A hydrogen burn will consume some of the oxygen which was present in the containment prior to the accident. Upon condensation of all of the steam in containment and the reduction in containment temperature to near its pre-accident value, the gas volume may be reduced by as much as 21% (assuming all of the oxygen is consumed in a hydrogen bum). This could result in a containment vacuum which challenges the negative design pressure of 2.5 psig.
1 In severe accident scenarios where a portion of the containment gases were released to the !
erwironment, either through late containment : solation or intentional containment venting, l the potential for a strong containment vacuum which threatens containment integrity may also exist. To prevent these conditions, air or water must be introduced to the containment such that the containment pressure is within the normal range when the containment temperature is near its nominal value. Thus, a controlled, stable containment state requires that the containment pressure be nearly ambient with no further significant decreases expected.
To maximize the possibility of achieving a controlled, stable containment condition, a summary of all the elements that must be considered in severe accident management are:
- heat transfer from the containment,
- isolation of contaitunent, hydrogen prevention / control, core / concrete interaction prevention, high pressure melt ejection prevention,
- creep rupture prevention, and containment vacuum prevention.
Severe Accident Management Goals Revision 2. October 1997 oA3324w.wpElb-093097
4 11 4.3 FISSION PRODUCT RELEASE PREVENTION, TERMINATION AND MITIGATION To achieve the goal of terminating fission product releases from the plant, several conditions must be met:
- 1. The isolation of the containment boundary, including penetrations and steam generator tubes, must be maintained.
- 2. The fission product inventory of the containment atmosphere must be minimized.
- 3. Significant leakage through the containment boundary must 'ee stopped.
Some of these :0nditions may be duplicates of previous conditions for maintaining a controlled, stable core and/or containment state. They are also included here to reinforce the goal of controlling and terminating fission product releases during a severe accident.
Prevention (or termination) of fission product releases therefore requires that the containment boundary be maintained and/or isolated or that the driving force for leakage be eliminated.
The containment boundary includes the containment structure, the containment penetrations, the steam generators tubes, and the piping of systems connected to the RCS or containment up to the first isolation valve which is operable. Isolation of the containment boundary includes: a) maintaining existing containment boundaries, and b) closing appropriate valves that isolate systems directly connected to the containment atmosphere or the reac;or coolant system, or c) creating a water seal whose static head is greater than the driving force where the first two methods are not available. All of the considerations for maintaining the containment boundary to prevent uncontrolled fission product releases are covered under the goal of maintaining a controlled, stable containment state and are not repeated for the terminatior: Md mitigation of fission product releases.
Reducing the inventory of fission products available for . release can be a function of the release pathway, which may be directly tied to the accident sequence. For containment releases, the fission product inventory al'rbome in the containment can be reduced by maintaining the RCS integrity thereby retaining a large fraction of fission products in the RCS. In addition, flooding the containment to submerge RCS piping and flooding the steam generators to submerge the U-tubes would provide cold surfaces for fission product deposition and retention. The nonsafety related containment spray system could be used to hasten the reduction in the containment inventory of volatile and aerosol fission products .
already provided by passive natural processes. For release pathways which bypass containment, such as steam generator tube faults or leaks and interfacing system LOCAs (ISLOCAs), the fission product transport can be reduced by reducing the RCS pressure. Also, fission product scrubbing by submerging the release pathway is effective in reducmg the dispersion.
Severe Accident Management Goals Revision 2 October IW7 a:\3324w.wptib-100997
i
- 4-12 In the AP600 design, airborne !ission product removal is performed by the operation of the passive containment cooling syrtem. The steam released in containment is condensed on the steel containment shell due to cooling from the passive containment cooling system and this process removes airborne fission products. In addition, the NRC has required a nonsafety-related containment spray system for the AP600 during a severe accident to actively reduce containment airbome volatile and aerosol fission products at a faster rate than the natural i processes. Fission products that are deposited in the containment sump are retained within the water by the containment sump pH control process. This process adds a chemical buffer ,
to the floodup water inventory in containment to maintain the required pH to promote fission product retention.
The final condition for this goal is to actually terminate the leakage from the containment.
Terminating leakage includes eliminating the driving force for leakage (generally a pressure differential across a leakage path), isolating the leaking system, or creating a water seal whose static head is greater than the driving force. Several sources of leakage are worthy of consideration in the SAMG, including: containment, steam generators, and systems connected to either the containment or the RCS. Low levels of leakage frc,m these sources are permitted within the plant design basis. The results of & lyses which establish pennissible leakage, with respect to offsite doses, are reported in the plant Safety Analysis Report. However, to de-escalate the emergency condition during a severe accident, essentially all of the leakage must be terminated. In the case of containment sources, the ,
leakage can be terminated by reducing containment pressure to near atmospheric. Leakage through containment penetrations can be terminated by closing all valves in the piping and/or by creating water seals in the piping. In the case of the steam generator tubes, leakage can be terminated by keeping the secondary system pressure above,the RCS pressure. For systems connected to the RCS and containment, leakage can be stopped by finding attemative methods of accomplishing the same function. For example, recirculation systems which involve trarlsporting high levels of radioactive water outside the containment can result in even very small amounts of leakage being significant. Use of systems that keep all radioactive water within the containment are' preferred.
To max,imize the possibility of terminating fission product releases, a summary of all the elements that must be considered in severe accident management are:
- isolation of containment, e
reduce fission product inventory, and a
reduce fission product driving force.
Severe Accident Management Goals RevWon 2, October 1997 o \3324w.wpf Ib100997
44 ~3 0
4.4 SECONDARY GOALS Although the previous sections have addressed the goals that must be met for successful mitigation of a severe accident, there are two additonal considerations that should be addressed. These considerations have been termed " secondary goals," since they are not fundamental to the termination of the accident, but their impact is widespread. The secondary goals affect the evaluation of which actions, or strategies, to implement. The two secondary goals are: i) to minimize fission product releases, and 11) to maximize equipment and monitoring capabilities.
The secondary goal to minimize fission product releases is similar to the primary goal of terminating fission product releases. However, the distinction is in the recognition that there may be a need to create an intentional, controlled, and short term fission product release to prevent a larger, uncontrolled, and long term release. Specifically, this is in reference to containment venting,if there is believed to be an immediate threat to the integrity of the containment structure. However, any action which violates the primary goal of terminating fission product releases should be done in a manner that minimizes the release. Another example is the case of steam generator depressurization. There are pathways that blow down directly to the environment, and other pathways (such as through the condenser) that would allow fission products tc be scrubbed, and thus dispersion minimized.
The other secondary goal, to maximize equipment and monitoring capabilities, acknowledges that the survivability of some equipment and instruments may become questionable under some severe accident conditions. In general, severe accident conditions are no more severe than the design basis for instrumentation inside the containment. Depending on the scenario, however, temperatures and pressures may exceed the containment design basis, and thus the operability of instruments and equipment is uncertain. Therefore, when making severe accident management decisions, the impact on the instruments and equipment is a factor that should be included in the evaluation process.
The capability to repair and maintain equipment following the onset of a severe accident is also important. First, to arrive at a severe accident condition, it is quite likely that some of the plant equipment is not operable. Second, during a severe accident, the potential exists for malfunctions in equipment which is being used during the recovery. Third, since equipment may be used in non-standard ways for severe accident response, local access to areas may be required for valve alignments and/or equipment maintenance. The severe accident progression or actions taken to recover from the severe accident conditions may compromise the habMility, particularly due to high radiation levels, of certain plant areas and result in a condition in which some equipment cannot be aligned, maintained or repaired. As in the case of emironmental conditions and power supplies for equipment operability, severe accident management decisions should tAe into account the habitability of plant areas in which alignment, maintenance or repair of e ;uipment enhances the recovery capabilities.
Severe Accident Management Goals Revision 2, October 1997 o:\3324w.wptib 093097
5-1 5 HIGH LEVEL ACTIONS FOR AP6('4 Based on the severe accident management goals defined in the previous section, certain elements are necessary to meet the goals. The elements can then further be divided into actions to be taken. 'Ihe relationship of severe accident management goals to potential actions are sununarized in Table 5-1, which fetms the basis for possible severe accident management strategies.
The definition of a strategy for AP600 severe accident management consists of three components. A strategy is 1) an action r r set of actions that 2) is taken for a specific purpose with 3) specific piece (s) of equipment. A strategy includes more than just the action, since the purposes must be well understood for an effective evaluation, and the equipment to be used may impact the positive and negative expectations. Th:s is the same strategy definition that was used for the WOG SAMG program, and it initially produced a list of over fifty strategies. Eventually, the strategies were combined to form a smaller number of guidelines, and they were grouped based on the potential actions. Since the AP600 severe accident management program is being developed based on the WOG SAMG program, this same process will be followed.
The information within this section is grouped according to the high level actions that may be taken during the mar,agement of a severe accident. The discussion of each high level action includes the ideatification of tl.e benefits (purposes) of the action, the potential negative impacts, and the equipment possibilities. The deve.iopment of the high level strategies is a prel!minary step in the development of the Ali600 severe accident management guidance.
The information in this section considers the AP600 PRA, through Revision 8, and the accident r.umagement insights derived from the PRA as discussed in Appendix A b.1 INJECT INTO RCS Injecting water into the RCS is the most fundamental action to mitigate the progression of a core damage accident. Regardless of where the core has relocated, the RCS may be the most effective pathway to get the water to the core debris. The underlying cause of all severe accidents is the inability to remove the decay heat generated by the core. Therefore, injecting water to the core region is the most direct means of restoring core cooling and stopping; the accident progression.
As just stated, one of the benefits of injecting water into the RCS is the restoration of core cooling. The only possibility of preventing the core from relocating to the RPV lower head is to restore injection flow. As water initially flows to an overheated core, the water will High Level Actions for AP600 Reyblon 2. October 1997 oA3324w.wpf.lb 093@7
5-2 o
Table 51 AP600 High Level Actions Relative to Severe Accident Management Goals Goal Element liigh Level Action Controlled, stable core Water Inventory in RCS - Inject into RCS
- Depressurize RCS Water Inventory in - Inject into Containment Containment Heat Transfer to SGs - Inject into RCS
- Inject into SGs l
- Depressurize SGs .
Heat Transfer to Containment - Inject into RCS Inject into Containment l Depressurize RCS Controlled, stable Heat Transfer from - Depressurize Contairunent containment Containment - Vent Containment l Isolation of Containment - Inject into SGs
- Depressurize RCS Hydrogen Prevention / Control - Vent Containment
- Pressurize Containment
- Bum Hydrogen
- Depressurize RCS
- Inject into Containment CCI Prevention - Inject into Containment HPME Prevention - Inject into Containment
- Depressurize RCS Creep Rupture Prevention - Depressurize RCS
- Inject into SGs
- Inject into Centainment Containment Vacuum . Pressurize Containment Prevention Terminate fission product Isolation of Containment - Inject into SGs releases - Depressurize RCS Reduce Fission Product - Inject into Containment Inventory - Depressurize RCS
- Depressurize Containment Reduce F.P. Driving Force - Depressurize Containment l
High Level Actions for AP600 Revision 2, October 1997 o:\3324w.wptib493097
0 5-3 flash to steam due to the high temperatures in the core region. Heat can be removed from the core by sensible and latent heat addition to the water and sensible heat addition to the steam.
If the flow of water can remove energy at a rate exceeding the decay heat rate, then core cooling can eventually be restored.
Another benefit of injecting water into the RCS is the scrubbing of fission products. if a pool of water is overlying a core debris bed, fission products released from the core debris bed will be scrubbed by the water pool. Fi-ion product scrubbing can result in a significant reduction in the amount of fission products released to the containment atmosphere. A water depth of a few feet is a sufficient level to significantly increase the decontamination factor. [Ref.11]
Finally, injection of water into the RCS may help retain the core within the reactor vessel.
The energy removed by the water can slow the core damage progression and may delay or even prevent vessel failure. The injection of water during the TMI 2 accident, for example, provided sufficient heat removal to retain the core debris within the vessel. However, there 13 ao guarantee that the injection of water in another severe accident would prevent the vessel from failing. Nevertheless, even a delay in vessel failure is a benefit worth achieving.
There are also negative impacts from injecting water onto hot core debris during a severe accident. The key potential impact of these adverse effects should be considered before a decision is made to implement the strategy. The key potential negative impacts are the production of hydro men and the potential for creep rupture of the steam generator tubes. A summary of these drawbacks is provided below.
The hot fuel cladding, in the presence of steam, oxidizes and produces significant amounts of hydrogen. If the containment hydrogen igniters are not working, the accumulation of hydrogen in the containment is a concern. Although AP600 analyses have shown that the containment can withstand the deflagration of hydrogen produced from 100% of the cladding being oxidized, the containment integrity could be challenged if there are significant additional combustible gases. The production of hydrogen is unavoidable when adding water to an overheated core (above 1800 F). However, the total hydrogen production for accidents where the core is recovered in vessel should be less than 100% cladding oxidation.
Ultimately, to achieve a controlled, stable containment, the possibility of future hydrogen production must be minimized by covering the core with water. Without the reflooding of the core debris, the potential exists for significant additional hydrogen production that could later create a containment challenge. Therefore, although the hydrogen production due to injecting water into the RCS is a negative impact, it is not a containment challenge.
High Level Actions for AP600 Revision 2. October 1997 e\3324w.wpf It@3097
The AP600 PRA chows that hydrogen diffusion flames at the IRWST vents do not present a threat to containment integrity based on opening the ADS valves to the IRWST in the AP600 PRA sequences. The same conclusion is reached with respect to diffusion flames in the CMT room for the case of a DVI line break. However, other sequences may not have similar conclusions. Additional investigations need to be carried out to define any special conditions under which opening the ADS valves to the IRWST could result in diffusion flaraes that could challenge the containment integrity.
Another potential negative impact is creep rupture of the steam generator tubes. This is a failure mode that can occur when the steam gerierator tubes are subjected to high temperatures and large primary-to-secondary pressure differences. Tube temperatures can reach creep rupture limits quickly if hot gases that accumulate in the core upper plenum are forced into the steam generatois by the rapid steaming that will occur when injection into the RCS reaches the overheated core debris in the reactor vessel. The potential for creep failure of steam generator tubes may be increased if the containment water level is above the coolant loop piping elevation because the RCS piping cannot fail by creep rupture. Since the steam generator tubes provide a fission product boundary, maintaining the tube integrity during a severe accident is important to the goal of eliminating fission product releases. There are two methods of preventing these adverse impacts: decrease the primary-to-secondary pressure difference, or inake sure that the steam generator tubes are at least partially covered on the secondary side.
Two negative impacts that were also included in the WOG SAMG but that are not applicable to the AP600 design are containment flooding and an insufficient injection source.
Contairunent flooding for current plants is a concern because equipment such as containment ver.t valves or fan cooler exhaust / intake ducts may be located where they will be covered with water and unusable. However, the AP600 plant has been designed so that significant
, containment flooding does not affect necessary equipment. Another concern in most current plants is that the use of the water from the RWST may limit other uses of that water.
However, the AP600 plant is designed so that there are rarely systems competing for the same water inventory, and thus the injection of water does not impact the ability to perform other actions. The exception is the case where the IRWST is being drained to the containment. In a non-LOCA event where the containment inventory cannot subsequently drain into the reactor coolant system through the break, there may be some instances in which a residual IRWST level is desired.
Furthermore, the design of the injection systems for the AP600 plant is significantly different than existing plants. Current plants rely primarily on the forced injection of water from sources outside the containment. However, the AP600 plant relies primarily on the passive injection from water tanks inside the containment. Each of the water tanks and injection methods for AP600 is further discussed below.
High Level Actions for AP600 Revision 2, Octoter 1997 oT3324w.wpf:11@3097
0 5-5 The Core hiakeup Tank (Chit) is a safety-related means to provide water inventory to the RCS. There are hvo Ch1Ts, each with a capacity of 2000 ft3 , which replace the function of high head safety injection pumps in current plants. Chits are located above the reactor coolant loops and each has a pressure balancing line from a cold leg. The Ch1Ts are maintained full of borated water and are designed to inject at any RCS pressure. The discharge from the Chits is routed from the bottom of the tanks to separate safety injection nozzles on the reactor vessel. Each discharge line is normally isolated by two parallel air-operated valves that fail open on loss of air pressure, loss of de power, or loss of control signal.
The AP600 is also provided with two accumulators that supply borated water at high makeup flow rates to refill the reactor vessel downcomer and lower plenum during a large loss of coolant accident or during other events requiring automatic or manual RCS depressurization. The back pressure for the accumulators is 700 psig, so that the RCS pressure must be reduced below this value before water will inject.
The in-containment refueling water storage tank (IRWST), in conjunction with the automatic depressurization system, provides the function of low head safety injection. To get injection from the in-containment refueling water storage tank, the RCS pressure must be reduced to a value near containment pressure. The automatic depressurization system is provided to accomplish this function. When the IRWST empties, the containment is flooded above the RCS loop level, and the water in the containment drains, by gravity, back into the RCS if there is a break in the hot or cold leg. Therefore, stable, long-term core cooling and makeup to the RCS is established. The passive containment cooling system supports this operation by removing heat from the containment. Steam released from the RCS is condensed. This condensate then drains back into the RCS for recirculation.
The normal residual heat removal system (NRHR) provides an additional mechanism for core cooling, taking water from the IRWST/ sump and injecting it into the safety injection lines.
The NRHR system needs cooling water and ac electrical power. If offsite power is lost, the power is supplied by two non-safety-related diesel generators. The NRHR loops take water outside the containment, which could be a negative factor during a severe accident, since the coolant water is highly contaminated with fission products and may result in more personnel access restrictions. The PRHR capability would not be available if the IRWST is drained into the reactor cavity.
Finally, the chemical and volume control system (CVS) is the normal RCS inventory makeup system. It has two non-safety grade high pressure pumps, which start automatically if a core makeup tank actuation signal is generated. The pumps are also automatically loaded on the non-safety diesel generators if offsite power is lost. The CVS is rated to provide a flowrate around 100 gpm per pump at full system pressure. If the core is totally uncovered, the CVS High Level Actions for .AP600 rwvison 2, october 1997 c:\3324w.wpf.H>093097
0 5-6 e
is insufficient, by itself, to quench the core and reflood the vessel. However, this may be sufficient to remove decay heat as it is produced.
Because the AP600 plant is a passive design, most of the methods of injecting water rely on the gravity draining of tanks. However, for this to occur from some of the tanks, the RCS must be depressurized. The largest tank, the IRWST, requires that the RCS be almost fully depressurized. Therefore, during a severe accident in which injection capability has failed, it may be due to the RCS having a pressure that is too high. This makes the action of depressurizing the RCS very important for AP600. This high level action is further discussed in Section 5.4.
5.2 INJECT INTO CONTAINMENT Another important strategy for AP600 h, to inject water into the containment cavity so that water surrounds the outside of the reactor vessel. According to WCAP-13388 [Ref. 8], this action has more impact on accident management considerations than any other individual phenomena except the direct water addition to the debris. Based on experiments and analyses, external flooding of the vessel can cause the core debris to be retained within the lower vessel plenum. This action also has the benefits of protecting the containment, creating a heat removal path from the core debris, stopping the accident progression through the prevention of vessel failure, and preventing all ex-vessel phenomena from occurring.
However, if the core is ex-vessel or if vessel failure is imnunent, the injection of water into the containment has other benefits. The presence of water in the cavity will scrub fission product inventory, and will prevent or limit care / concrete interaction (CCI). CCI is the phenomena of core debris attacking the concrete basemat if there is insufficient water in the containment cavity to cool the debris. The consequences of CCI include the generation of non-condensable gases that will pressurite the containment, the generation of combustible gases that can ignite and fail the containment, the generation of a significant amount of aerosols, and the eventual failure of the containment boundary due to basemat or liner melt-through.
Injecting water into the containment to a level that covers the RCS loops is a viable action for the AP600 design and automatically occurs if all in-containment water sources are directed into the containment cavity. For core damage events resulting from a large LOCA, this containment water level will ensure that water gets into the reactor vessel. For non LOCA events, this water level protects RCS loops from creep failure and cools gases to help prevent steam generator tube creep rupture.
There are very few negative considerations of injecting water into the containment cavity. In the WOG SAMG, three negative impacts are identified, which are 1) de-inerting the containment if the sprays are used,2) using the water inventory in the RWST that may be High level Actions for AP600 Revision 2, Octotwr 1997 c:\3324w.wpf H493097 l
5-7 needed for other actions, and 3) pressurizing the containment to the point that gravity drain of the RWST would not be possible. For AP600, none of these negative impacts apply. The AP600 containment design does not include any internal containment sprays. There are also no competing uses for the IRWST water although draining the IRWST to the reactor cavity may impact the capability to use NRHR for core cooling. And if the method of containment injection is gravity drain of the IRWST, the flow rate is high and is possible regardless of containment pressure. This is because the IRWST is internal to the containment and gravity drain would not be impacted by containment pressure.
One of the severe accident management insights from the AP600 PRA is that the total amount of hydrogen generated during some severe accident sequences is a strong function of the time / level for containment flooding. Thus, one of the negative impacts of flooding the containment to a level where water can flow from the containment into the RCS, may be the generation of additional hydrogen. '
Another potential negative impact that was discussed in the WOG SAMG and is also ap slicable to AP600 is the potential for an ex-vessel steam explosion if the vessel fails. A
' '.eam explosion could result in the destruction of the reactor cavity walls which provide support for the reactor vessel. If a steam explosion destroys the reactor vessel supports, the containment fission product boundary may be challenged due to tearing of contairunent penetrations connected to the RCS as the reactor vessel drops to the reactor cavity floor.
Evaluations of the AIM 00 reactor cavity wall structural capability reported in Ref. 4 concludes that steam explosions in the reactor cavity do not pose a challenge to the containment fission product boundaries. While cavity walls may not withstand the effects of a severe steam explosion the evaluations indicate that there will be no impact on containment integrity.
5.3 INJECT INTO STEAM GENERATORS In conventional plants, the steam generators are designed to provide a heat sink for the RCS during both normal and accident conditions. Therefore, in the WOG SAMG, injecting into the steam generators was judged to be one of the most important activities, in the AP600 plant, although the steam generators are designed for heat removal during normal operation, they are not a safety-related method of decay heat removal during an accident. However, injecting into the steam generators is still an important high level action for the management of a severe accident in the AP600 plant.
Because much of the secondary side is located outside of containment, the SG tubes act as a containment boundary. Therefore, the prevention of induced steam generator tube ruptures is important for severe accident management. One of the methods of doing this is to inject water into the steam generator to keep the tubes cooled. This protects them from rupturing due to heatup from hot gases on the primary side of the tubes. Nevertheless,if a tube High Level Actions for AP600 Rmsion 2, October 1997 oA3324w.wpf-1b-093097
5-8 rupture does occur, covering the break with water will scrub hssion products from the primary system following core damage.
Also, although the AP600 steam generators are not a safety related method for removing decay heat, they may still be useful for this function during a severe accident. Not only may the heat removal be of benefit, but the steam generators may be a method for depressurizing the RCS.
However, there are also several drawbacks associated with injecting water into the steam generators. These drawbacks have the potential to negatively impact the accident progression by allowing the direct release of fission products to the erwironment. The first concern is the thermal shock of the steam generators. If the steam generators have dried out during a severe accident, tb +ube temperatures may exceed 1000'F. The injection of cold water to the hot, dry stean, g,enerators can place significant thermal stresses on the tubes and other components. These thermal stresses can result in the failure of either the shell side of the steam generator or the steam generator tubes. Failure of the shell side of a steam generator during a severe accident reduces the amount of water that can enter the steam generator and increases flooding of the containment. Also, failure of the shell side of the steam generator can result in a direct release path to the atmosphere if the steam generator relief / safety valves are not closed or the MSIV is open. Failure of one or more tubes will result in a containment bypass and the potential release of fission products to the environment.
Another potential concern with the injection of water into the steam generators can occur if the steam generators must first be depressurized. If the RCS is pressurized, the depressurization of the steam generators could create a large primary-to-secondary AP that could induce creep rupture of the steam generator tubes. Either this induced tube rupture, or pre-existing tube ruptures, would then make fission product releases to the environment a concern. These potential negative impacts must be considered in the evaluation process that determines whether steam generator injection should be attempted.
i Equipment that may be used for this high level action is dependent on the pressure of the steam generators. For high pressures, only the startup feedwater pumps and the main feedwater pumps would be usable. For lower pressures, the list of possible equipment expands to include condensate pumps, firewater pumps and service water pumps.
5.4 DEPRESSURIZE RCS Many benefits can be realized by depressurizing the RCS during a severe accident. As previously discussed in Section 5.1, the depressurization of the RCS will facilitate the injection of water from the passive core cooling system tanks. It will also increase the flowrate that would be provided if pumps are being used. If the ADS valves are used, the High Level Actions for AP600 Revision 2, October 1997 c:\3324w.wpf 1b 093097
S-9 creation of the intentional opening in the RCS may be the method of establishing a long term heat removal path.
There are also many other effects of depressurizing the RCS that are unique to core damage scenarios. The possibility of creep rupture of the steam generator tubes and the RCS pipea can be reduced or climinated if the RCS pressure is lowered. Creep rupture is a plastic deformation process that occurs under high temperatures and sustained loads. Since high temperatures are a by product of the severe accident, the reduction of the RCS pressure is a good method to avoid failures due to creep rupture.
Another important severe accident concern is high pressure melt ejection (HPME). This is a phenomenon that may occur if the RCS pressure is elevated at the time of vessel failure.
During HPME, the momentum of the core debris along with the driving force of high velocity gases released from the vessel, can transport the molten core debris away from the reactor cavity region. One method of preventing this phenomenon is to decrease the RCS pressure.
Decreasing the RCS pressure also can help isolate the containment and reduce fission product releases for containment bypass sequences. If there are ruptures or leaks in the steam generator tubes, the reduction of the RCS pressure will reduce the driving force on the fission products, and will help to maintain them within the primary system. In addition, if injection of water occurs due to the reduction in RCS pressure, the water inventory will help to scrub the fission products.
The final benefit of reducing the RCS pressure is for long term control of the hydrogen inventory. In order to exit the severe accident management guidance, the containment must be in a controlled, stable state. Part of the definition of this state is that there should be no potential for sudden, future changes to the containment atmosphere. If the RCS remains pressurized with hydrogen accumulated within the system, any future failure of the vessel or opening in the RCS would release the hydrogen to the containment atmosphcre. Therefore, the RCS pressure should be reduced for long term concerns.
However, the long term benefit of hydrogen control also produces a short term negative impact. If the RCS is depressurized using a vent path to the containment, the sudden release of a large quantity of hydrogen to the containment could change the flammability status of the containment atmosphere. Although AP600 analyses have shown that the contailunent structure can withstand the resulting pressure transient, the plant decision makers should be aware of the potential of the burn. The method of depressurizing the RCS can influence the potential negative impacts. Depressurizing the RCS using a flow path to the IRWST could result in a diffusion flame at the IRWST vents to containment. While the AP600 PRA has concluded that diffusion flames will not impact containment integrity, the diffusion flame atill represents a slightly increased challenge to containment integrity since not all possible High Level Actions for AP600 Revision 2, October 1997 o:\3324w.wp8:1b 093097
l .
l 5-10 severe accident scenarios were treated in the PRA. Also with the opening of a pathway from the RCS to the containment, there could be a sudden increase in the containment pressure.
This pressure increase is not of sufficient magnitude to challenge the containment integrity.
The safety grade system for depressurizing the RCS is the Automatic Depressurization System (ADS). This system is a series of valves arranged in four stages, which provide a phased depressurization capability. The valves of the first three stages are motor-operated valves and are mounted on the pressurizer. These valves discharge steam to the IRWST through spargers. The discharged steam is condensed and cooled by mixing it with water in the tank. The valves of the fourth stage are squib valves and are located on lines connected to the two hot leg pipes. The fourth stage vents directly to containment.
Other equipment for depressurizing the RCS that will be investigated are the pressurizer spray, the RCS head vent, and CVS letdown. Another method is to depressurize the RCS via heat removal from the steam generators. The equipment associated with this action will be addressed in the following section.
5.5 DEPRESSURIZE STEAM GENERATORS The purposes of this high level action have been discussed :. Sections 5.3 and 5.4.
Depressurizing the steam generators may be the first step to enable injection of water into the SGs, to establish a heat transfer path from the RCS to .he SGs, or to depressurize the RCS.
The end purpose of this action may be the depressuri2ation of the RCS, or the establishment of a long term decay heat removal pathway.
The principal negative impacts from depressurizing the steam generators are related to the potential for creating a release pathway. Not only might the steam generator inventory be lessened, but any fission products within the steam gencrators may be released to the environment. Furthermore, if there is a steam generator tube rupture, the lower steam generator pressure willincrease the driving force of fission products from the primary to the secondary side. Even if no steam generator tube ruptures currently exist, the lowering of the steam generator pressure could increase the AP across the steam generator tubes, inducing a rupture or increasing leakage of fission products from the RCS through lealdng steam generator tubes.
The two principal methods of depressurizing the steam generators are opening the SG power operated relief valves which discharge directly to erwironment or opening the steam dump valves which discharge to the main condenser. There are no known differences in the AP600 design, when compared to existing Westinghouse PWR plants, that would impact the equipment to perform this high level acen.
High level Actions for AP600 Rmsion 2, October 1997 o:\3324w.wptib-093097
5-11 5,6 DEPRESSURIZE CONTAINMENT During a severe accide a it is likely that the containment will experience a substantial increase in pressure Jnless the RCS is intact, and the steam generators or the NRHR is being used for lu .noval, all of the energy generated during the accident must ultimately be removed thro. S the containment. Until the energy is effectively removed, the containment will p. ssurize. Therefore, one of the high level actions for severe accident manage 1nent is to enectively remove heat from the containment which will, in tum, depressurize the containment.
There are several benefits to depressurizing the containment. The fundamental benefit, as mentioned above, is the ultimate heat removal from the core, which is needed to conclude that the plant is in a controlled, stable state. However, depressurizing the containment might also be needed for immediate concerns. If overpressurization threatens the integrity of the containment, depressurization would be needed to address this severe challenge. Also, depre:surization may be the method of reducing or eliminating fission product releases from the containment. Reducing the AP from the containment to the environment reduces the dnving force behind the fission product leakage. Another benefit of depressurizing the containment is the general improvement of the containment atmosphere to alleviate potential equipment and instrumentation challenges. Finally, depressurizing the containment by condensing steam will increase water in the IRWST and cc,atainment for ex-vessel core debris cooling and flooding of the reactor pressure vessel and RCS loops.
The potential negative impact from depressurizing the containment is that with the condensation of steam from the containment atmosphere, the hydrogen becomes a larger j iraction of the overall containment atmosphere. The higher hydrogen fraction may lead to a flammable state inside the containment. If the hydrogen was previously inflammable at the higher pressure due to the presence of steam, and if it becomes flammable due to the condensation of steam, this process is known as de-inerting. However, this concern is not anticipated for AP600 due to the existence of hydrogen igniters. Nevertheless, if the igniters were not functioning properly and significant hydrogen accumulated, the containment could be de-inerted by depressurization. Thus, the containment boundary could be challenged.
The AP600 passive safety-related containment cooling is provided by a water tank that allows a gravity fed fkw onto the outside of the containment dome surface, with sufficient water for three days. After several days, the design basis is for heat removal by replenishment of the PCCS tank water inventory. This would permit the enhanced containment cooling for longer periods of time which would result in lower containment pressures compared to convective air flow alone. It is also important to ensure that the drains at the bottom of the annulus are open to prevent water from accumulating which could block or reduce the heat removal capability of the convective air flow. There are also two fan cooler units inside containment that were designed for normal operation heat loads.
High Level Actions for AP600 Revision 2. October 1997 o:\3324w.wptib-093097
4 5-12 Although their heat removal capability is low in comparison to accident heat loads, they could be used to augment the passive cooling and further reduce containment pressure. The use of the fan coolers can also increase fission product removal in the containment as steam laden fission products condense on the fan cooler coils.
5.7 PRESSURIZE CONTAINMENT This high level action addresses two very different concerns. The first concem is to pressurize the containment to create a steam inert atmosphere that would prevent a hydrogen bum. As discussed in the previous section, the presence of a sufficient quantity of steam in the containment atmosphere can ensure that the hydrogen is not flammable, and thus the containment is " inert." However, pressurizing the containment to create an inert containment atmosphere is only a temporary solution. The passive features of the AP600 containment cooling system will also be working to condense steam, and the removal of the hydrogen will eventually be needed.
On the other end of the spectrum, the high level action of pressurizing the containment is to prevent a vacuum failure of the containment due to too low of a pressure. The threat of a containment vacuum could be created by previous containment venting, delayed containment isolation, or hydrogen burns that have substantially reduced the oxygen in the containment atmosphere.
The methods suggested in the WOG SAMG to accomplish these actions focus on turning off the containment heat sinks. For AP600 the gravity drain of the water over the outside of the containment shell may be terminated, which will lessen the heat transfer. Another pressurization method in the WOG SAMG is to open a pressurizer power-operated relief valve, if the RCS is still intact, to release steam into the containment. This method is also available for the AP600 plant via the 4th stage ADS valves. In addition, the IRWST, if it is being used via the PRHR system, steams directly to the containment.
If containment pressurization is being performed to prevent a containment vacuum, another option is to introduce instrument air into the containment. However, the negative impacts of this action are that there will be more oxygen that could be used in a hydrogen bum, and the possible failure to isolate the path being used for pressurization.
5.8 BURN HYDROGEN If hydrogen igniters are not functioning properly, it may be desirable to intentionally bum the hydrogen using other methods to create the initial spark. If the containment atmosphere is flammable, it is possible that an immediate smaller burn may be preferable to a larger burn later. Since the AP600 containment is capable of withstanding a hydrogen bum from all the fuel cladding being oxidized, this action may only become a factor when CCI is believed to High Level Actions for AP600 Revision 2, October 1997 o:\3324w.wpf:1t>093097
5-13 be a potential concern. The negative impact would be a brief temperature and pressure spike in the containment. The methods that may be successful at creating the needed spark will be investigated during a later phase of the development of AP600 severe accident management guidance. One of the options that will be considered is to establish an alternate power source to the hydrogen igniters.
5.9 VENT CONTAINMENT Venting the containment is the last high level action to be addressed since the negative impacts from implementing this action are relatively certain. However, there are two strategies that consider this action as a method of achieving the long term goals of severe accident management. The first reason to consider venting is if the containment pressure has increased to the point that failure of the containment pressure boundary is expected. If the accident sequence has resulted in more severe containment conditions than anticipated, and if the heat sinks have not functioned as expected, there could be a need to consider the intentional venting of the containment. This would result in a release of fission products to the environment. But a short term release from which control can be regained may be preferable to a large release as a result of the failure of the containment structure.
Another reason to consider venting is as a hydrogen control measure in the containment. If hydrogen igniters have not functioned properly, and if core / concrete interaction has contributed to the hydrogen inventory, the containment integrity may be threatened by the potential for a hydrogen burn. Less drastic hydrogen control measures include inducing a hydrogen bum while the concentration is low enough that the possibility of containment failure can be precluded (Section 5.8) and pressurizing the containment to create an inert atmosphere (Section 5.7). However, the latter option is only a temporary solution, and it may be too late to implement the former option. Therefore, containment venting is also an action that may be considered as a method of hydrogen control. Note that venting the containment does not reduce the flammability of the containment atmosphere, however, it reduces the impact of a hydrogea b - ihis is because the containment pressure rise when a flammable hydrogen mixture is buined in contairunent is a direct function of the mass of hydrogen present in the containment. Therefore, reducing the hydrogen mass will reduce the amount of energy released in a burn. The hydrogen can be reduced, through vent 5g, to the point that there is not enough energy to fail the containment.
The main negative impact of venting the containment is obviously the radiological release of fission products to the environment. Ideally, this release would be relatively small.
However, there is also the possibility that the vent pathway cannot be re-isolated. In addition, the release of non-condensable gases during the venting leads to the potential for a future challenge of the containment pressure boundary due to a containment vacuum. If non-condensable gases are released, containment isolation is re-established, and steam condenses from the atmosphere, the resulting containment vacuum could be severe enough High Level Actions for AP600 Revision 2. October 1997 o:\3324warf.lb-093097
5-14 to fail the pressure boundary due to a compressee load. The methods that may be used to vent the AP600 containment will be investigated during a later phase of the development of the severe accident management guidance.
5.10 MITIGATE FISPON PRODUCT RELEASES In addition to the other severe accident management activities aimed at establishing or maintaining a controlled, stable core and containment state, there are several actions that can be taken solely for the purpose of controlling fission product releases from the plant after core damage has occurred. The actions are dependent on the release pathway.
In the event of leaking or ruptured steam generator tubes, fission products from the reactor coolant system may be released to the steam generator secondary side and subsequently to i
the atmosphere. If the steam generator is open to the atmosphere (e.g., open relief valves or MSIV), the releases can be mitigated by isolating the release pathway. If isolation of the pathway is not possible or is not desired due to other severe accident management objectives, the releases may be reduced by either providing a large inventory of water in the steam generator for scrubbing or by reducing the primary-to-secondary pressure differential.
If the release pathway is from the containment the most obvious action is to isolate the release pathway. If isolation cannot be accomplished or the source is containment leakage, that is unisolatable, there are several actions that can be taken. Depressurization of the containment would decrease the driving force for the releases and would be effective if the leakage pathway is not in a " choked flow" regime. Other actions that can be taken include use of the nonsafety-related containment spray system or the fan coolers to enhance fission product removal from the containment atmosphere and limiting the reactor coolant depressurization to keep the fission products inside the reactor coolant system. Depending on the location of the release pathway, it may also be possible to flood the containment to a level that stops the leakage from the containment vapor space.
Release pathways from the auxiliary building are not likely in the AP600 design since all of the emergency fluid systems are completely contained in the containment building.
However,if a release pathway from the auxiliary building cm be identified, the most likely source would be from lines directly cormected to the reactor coolant system. In this case, the most direct means of stopping the releases is to isolate the source. If this is either not possible or not desirable, then a reduction in the reactor coolant system pressure would be effective in reducing the fission product releases.
High Leven Actions for AP600 Revision 2, October 1997 o:\3324w.wpf-1b-100997
5-15 5.11
SUMMARY
Table 5-2 provides a summary of the high level severe accident management strategies for the AP600 plant design. These high level strategies should be considered in the development of the AP600 Severe Accident Management Guidance by the COL applicant.
High Level Actions for AP600 Revision 2, October 1997 o:\3324w.wpf:1W3097
5-16 Table 5-2 Summary of High Level Severe Accident Management Strategies for AP600 mummemumamm-Other Purpose Considerations Action (Positive impacts) (Negative impacts) Equipment inject into RCS
- To restore core coolmg
- Creation of hydrogen
- CMT hmmediate and long term)
- Creep rupture of SG tubes
- To scrub fission products
- To prevent, or delay, vessel
- NRHR failure
- CVS Inject into e Create inventory in sump
- Ex-vessel steam explosions
- Gravity Drain of IRWST Contamment for recirculation
- Spent Fuel System
- Submerge lower head of iniection into refuelmg RPV to prevent failure cavity
- Cool core debns Prevent /hrnit CCI
- Prevent basemat melt-through
- Reduce flammable gas production
- Prevent HPME Reduce hssion product inventory Intect into SGs
- Heat Sink
- Thermal shock of SG High Pressare:
- F.P. release from leaking Startup FW
- Scrub hssion products tubes Low Pressure:
- To make SGs available to e Creep rupture of SG - Condensate depressunze RCS tubes (tf SC is first Firewater depressunzed, creating - Service Water large AP)
Depressunze RCS
- To facihtate in;ection into e Short term hydrogen
- Auuhary Pressunzer
- To estabhsh long term
- Containment Spray heat transfer path pressurization
- Head Vent To prevent HPME
- CVS Letdowm
- To facthtate ingetion into e Loss of SG inver. ory
- SG hssion prod t
- Steam Dump To create heat transfer releases path with RCS
- Creep rupture of SG
= Depressunze RCS tunes if large AP is created.
Depressunze
- Prevent overpressurization
- Hydrogen flammabihty
- PCCS Containment
- Mitigate contamment
- Containment vacuum if a Fan Coolers fission product leakaSe venting
- Vents
- Alleviate equipment and instrumentation challenges l due to harsh conditions High Level Actions for AP600 Revision 2, Octoter 1997 o:\3324w.wpf:1b 093097
1 l
- 5-17 Table 5-2 Summary of High Level Severe Accident Management Strategies for AP600 (Continued)
Other Purpose Considerations Action (Positive impacts) (Negative Impacts) Equipment Pressunse . To create inert atmosphere . Re:ioval of hydrogen will + Turning eff contamment Contamment so that hydroe-n cannot c.:ntually be needed heat smks:
bum .
More oxygen for hydrogen Fan Coolers
- To prevent contamment burn - Stop water flow ever vacuum from fathng
- Possible failure to isolate contamment estenor contamment structure pathway used for pressunzation Intentionally burn
- Let hydrogen burn while
- Pressure and temperature . Alternate power source hydrogen contatnment failure is not a spike for hydrogen igniters ruk: to prevent future contamment challenge.
Vent Containtnent
- To avoid contamment + Radiological releases failure due to:
- Potential future concems CNerpressurization with contamment f ailmg
- Hydrogen Burn from sub-atmosphene loads
- No guarantee that vent pathway will be able to reclose.
Mitigete Fission .
To reduce releases of fission + Hydrogen burn
- Containment fan coolers Product Release products to atmosphere . Contauunent flooding
- Contamment spray Hydrogen buildup m lower compartments a
p1 Level Actions for AP600 Revision 2, October 1997 o:\3324w.wpf-1b 100997
- 6-1 6 CONCLUSION As described in the response to RAI 480.212, the COL applicant is responsible for developing a severe accident management plan for the AP600. This severe eccident management plan should, as a minimum, meet the requirements of the Nuclear Energy Institute's Severe Accident Issue Closure as described in Section 5.0 of NEI-91-04, Revision 1. As further described in the response to RAI 480.439, the COL applicant's severe accident management guidance should be based on the framework for severe accident management described in this report, the AP600 PRA and the severe accident management insights derived from the AP600 PRA as discussed in Appendix A to this report.
i i
Conclusions Revision 2, Octer 1997 c:\3324w.wpf.It>O93097
- 7-1
)
7 REFERENCES
- 1) Watinghouse Owner's Group Severe Accident Managemen+. Guidance, June 1994.
- 2) AP600 Sttndard Safety Analysis Report, Section 18.9.8.1, " Development of the Emergency Operating Procedures"
- 3) Westinghouse Owners Group Emergency Response Guidelines, Revision la, September 1983.
- 4) AP600 Probabilistic Risk Assessment, Revision 8, September,1996.
- 5) Staff Plans for Accident Management Regulatory and Research Programs, U.S.
Nuclear Regulatory Commission, SECY-89-012, January 18,1989.
- 6) Integration Plan for Closure of Severe Accident Issues, U.S. Nuclear Regulatory Commission, SECY-88-147, May 25,1988.
- 7) Individual Plant Examination for Severe Accident Vulnerabilities - 10 CFR 50.54(f),
U.S. Nuclear Regulatory Commission, Generic Letter 88-20, November 23,1988.
- 8) Severe Accident Issue Closure Guidelines, Nuclear Energy Institute, NEI 91-04, Rev.1, December 1994.
- 9) NP-6780-L, Advanced Light Water Reactor Utility Reauirements Document.
Volume III (ALWR Passive Plant), Chapter 1, "Overall Requirements,"
paragraph 2.3.3.9
- 10) NRC Project No. 669, " Issuance of Final Safety Evaluation Report (FSER) on the Electric Power Research Institute (EPRI) Requirements Document for Passive Plant Designs," from R. W. Borchardt, Office of Nuclear Reactor Regulation, August 31,1993.
)
- 11) EPRI TR-101869, Severe Accident Management Guidance Technical Basis Report, Volume 2, Appendix K, " Debris Transport to the Lower Plenum."
- 12) EPRI TR-101869, Severe Accident Management Guidance Technical Basis Report, Volume 2, Appendix BB," Potential for Criticality of the Core Material Under Recovery From Severe Accident Conditions."
References Revision 2. October 1997 o:\3324w.wph15 093097
7-2
- 13) WCAP-13388 (Proprietary) and WCAP-13389 (Non-Proprietary), AP600 Phenomenological Evaluation Summaries.
- 14) EPRI TR-101869, Severe Accident Management Guidance Technical Basis Report, Volume 2, Appendix L, " External Cooling of the RPV with Debris in the Lower Plenum."
- 15) EPRI TR-101869, Severe Accident Management Guidance Technical Basis Report, Volume 2, Appendix G, " Steam Explosions."
- 16) EPRI TR-101869, Severe Accident Management Guidance Technical Basis Report, _
Volume 2, Appendix U, " Water Overlying Core Debris."
- 17) Statt.3 of Implementation Plan for Closure of Severe Accident Issues, Status of IPEsa and Status of Severe Accident Research, U.S. Nuclear Regulatory Commission, 4 January 4,1995.
References Revision 2, October 1997 c:\3324w.wpf:lW3097
A-1 APPENDIX A AP600 SEVERE ACCIDENT MANAGEMENT INSIGHTS This appendix contains a brief description of the severe accident management insights identified from the AP600 PRA that are significantly alfferent from those for conventional plants. Each of the insights is described in relation to the principle issue or objective of the severe accident management strategy.
ADS Valves I Hydrogen Diffusion Flames Opening the Stage 2 and 3 ADS valves to the IRWST after core damage has occurred can result in a situation where the hydrogen generated in-vessel is transported to the IRWST and then to the containment through the IRWST vents. When the hydrogen exits the IRWST vents, a standing diffusion flame may be created if an ignition source (e.g., the hydrogen igniters) is available. The amount of hydrogen flowing through the Stage 2 and 3 valves can be significantly reduced if the Stage 4 valves are also used. The standing diffusion flame can radiantly heat any structures within sight of the standing flame. It has been postulated that a standing diffusion flame at the exit of the IRWST vent could threaten containment integrity.
However, detailed studies documented in the AP600 PRA [Ref. 4} for a wide range of accident sequences in which just the Stage 2 and 3 ADS valves were used indicates that containment integrity should not be challenged by this mode.
However, not all accident sequences with a range of accident management activities were evaluated in the AP600 PRA. Thus, the development of the AP600 severe accident management guidance needs to consider the possible inclusion of a caution on leaving the ADS valves to the IRWST in an open position during the period of time where significant hydrogen generation is occurring.
On the negative side of the issue, regarding use of the ADS valves for RCS depressurization, is the ability to depressurize the RCS using only the Stage 4 ADS valves. Based on the analyses documented in the AP600 PRA, the use of only the Stage 4 ADS valves may,in some cases, lead to issues related to the effectiveness of long term core cooling. In this case, the additional relief area provided by the Stage 2 and 3 ADS valves is required to maintain the RCS at a low enough pressure.
In-Vessel Retention of Core Debris / Reactor Cavity Flooding A substantial amount of experimental and analytical work has been performed to support the hypothesis that the core debris can be maintained within the reactor vessel if the reactor cavity can be 'nitially flooded to an elevation higher than the level of core debris in the Appendix A rwvision 2. October 1997 o:\3324w.wpf:11493097
A-2 reactor vessel AND if the reactor coolant system can be depressurized. The experimental and analytical evidence show that sufficient heat transfer occurs between the core debris, the reactor vessel walls and the water on the outside of the walls to maintain the temperature of the reactor vessel walls below the point where melt-through or creep failure of the vessel is physically possible. The AP600 PRA shows that for most severe accident sequences, the reactor cavity is passively flooded to, or above, the reactor vessel nozzle elevation as a result of the severe accident sequence progression. Only in the cases where draining of the IRWST fails does the potential exist for the reactor cavity to be dry or partially flooded. The Level 2 PRA, Revision 8, assumes that guidance will be asailable in the Emergency Response Guidelines (ERGS) for FR-C.1, " Response to inadequate Core Cooling" to initiate manual flooding of the reactor cavity from the IRWST if the core exit thermocouple temperatures cannot be reduced using the strategies suggested in that guideline. The placement of the manual cavity flooding initiation in the AP600 ERGS was necessary in order to assure that the cavity would be flooded to the appropriate level prior to the first downward relocation of core material inside the reactor vessel. The rate at which the IRWST could drain into the reactor cavity, assuming only gravity, required a lead time for initiation that is prior to the time at which transition to the SAMG might occur.
In the longer term, to prevent reactor vessel failure, it is postulated that the containment water level must be increased to submerge the reactor vessel up to the elevation of the coolant loops. With the entire core in the bottom of the reactor vessel, there might be sufficient heatup of the cylindrical walls of the reactor vessel in the longer term such that the vessel wall temperature might approach the point where creep failure of the reactor vessel could occur. By submerging the entire reactor vessel up to the coolant loop level, the evidence presented in the AP600 PRA shows failure of the reactor vessel is physically unreasonable. If the entire IRWST is drained to the containment, the containment water level should be above the elevation of the loop piping.
In both cases, the potential for reactor vessel failure is significantly reduced if the reactor coolant system is depressurized to the containment pressure. Reactor coolant depressurization is part of the ERG guidance.
Another advantage of flooding the reactor cavity / containment to slightly above the coolant loop level is that if a LOCA exists (either as an accident initiator or as an induced LOCA -
caused by creep failure of RCS piping) this becomes a means to provide water to the core debris inside the reactor vessel. In this case, the reactor coolant system pressure must be reduced to the containment pressure in order for reflood of the in-vessel core debris to be successfully accomplished.
A negative impact of flooding the containment to the level of the coolant loops was identified for the Direct Vessel Injection (DVI) line break but is also applicable to other scenarios Appendix A Revision 2, October 1997 o:\3324w.wpf-1b-093097 l
A-3 involving a break in the reactor coolant system. For the particular case analyzed in the AP600 Level 2 PRA, containment flooding reached the DVI line break location after the core was substantially uncovered but before the core began to relocate downward in the recctor pressure vessel. In this case, the amount of hydrogen generated was maximized due to the large surface area of overheated unreacted zirconium that was available. If the containment water level had reached the DVI line break location either earlier or later in the accident sequences, substantially less hydrogen would be generated. While the AP600 PRA concluded that the hydrogen generation in this case did not pose a challenge to the containment integrity, this case (including other RCS break cases) should be considered further in the development of severe accident management guidance.
For the DVI line break case with reflooding of the core through the DVI line break location,
~
AP600 also predicted the potential for diffusion flames in the CMT room. While the AP600 PRA concluded that the creation of these diffusion flames would not challenge containment integrity, this should be considered further in the development of severe accident management guidance.
Even though the PRA assumes that the initiation of cavity flooding and reactor coolant system depressurization is part of the ERGS, it should also be included in the AP600 SAMG since the SAMG should provide another attempt to accomplish actions to bring the plant to a
- controlled stable state after core overheating has begun when the ERG actions may have failed. The development of the AP600 severe accident management guidance needs to consider both cavity flooding to a level above the elevation of the core debris in the reactor vessel to prevent short term reactor vessel failure and cavit r flooding to the reactor coolant loop level to prevent long term reactor vessel failure. The development of the AP600 SAMG also needs to consider the depressurization of the reactor coolant system to the containment pressure.
Induced Steam Generator Tv hepture The AP600 PRA analyses show that the reactor coolant loop layout promotes strong full circuit natural circulation flows after core uncovery if the reactor coolant system pressure is at or near its nommal full power value. If the reactor coolant system pressure is high and the secondary side of the steam generator (s) is dry, the steam generator tubes can heat to a temperature where creep failure of the tubes is possible. In this case,it is postulated that the RCS piping in the vicinity of the reactor vessel nozzles will fait prior to the time that the SG tubes reach the temperature required for creep failure. However, due to uncertainties in the modelling, it is prudent to pro cide SAMG guidance to take steps to further preclude ae possibihty of induced tube rupture. These actions are to inject water into the SG secondary side and to depressurize the reactor coolant system.
Appendix A Revision 2, October 1997 o:\3324w.wpf 1b 093097
A-4 Due to the strong natural circulation flows after core uncovery in the AP600 design, extra care must be taken if the SG secondary side must be depressurized to utilize a low pressure source of water injection to the SG secondary side. Depressurization of the steam generator secondary side will increase the stresses on the steam generator tubes and can shorten the time required for creep failure of the tubes to occur. Thus, the development nf the AP600 SAMG should consider the necessity for a caution or limitation on steam generator secondary side depressurization for situations where the reactor coolant system pressure is above the steam generator secondary pressure.
If the reactor coolant system pressure is at or near its nominal full power value, flooding the containment above the level of the reactor coolant loop piping may result in a condition where creep failure of the steam generator tubes becomes more likely. In this case, the water b on the outside of the reactor vessel and the reactor coolant piping may prevent or delay creep failure of those portions of the reactor coolant pressure boundary. If the steam generator secondary side is dry and natural circulation flows remain strong, the steam generator tubes will continue to heat up. Without reactor vessel or reactor coolant pipe creep failure to relieve the reactor coolant system pressure (and the stresses on the steam generator
_ tubes), the steam generator tubes become more susceptible to creep failure. The development of the reactor cavity / containment flooding strategies for the AP600 SAMG should consider a caution or limitation on flooding to the reactor coolant loop level when the reactor coolant system pressure is high and the steam generator secondary side is dry.
The AP600 PRA indicates that most of the accident scenarios in which the RCS is at high pressure at the time of core overheating and downward relocation is a result of a total failure of the instrumentation and control system. Accident management should consider strategies to maintain steam generator tube integrity until the instrumentation and control system functions can be recovered. The priority for verifying and mitigating steam generator tube challenges after instrumentation and control power is recovered should also be considered in the development of the AP600 SAMG.
Hydrogen Igniter Operation Hydrogen igniters are installed in the AP600 containment to continually burn hydrogen as it is released to the containment, thereby preventing the accumulation of hydrogen to levels that could challenge the integrity of the con *ainment. All of the analyses in the AP600 PRA assume that the igniters either operate successfully for the duration of the accident or, if failed, are failed for the duration of the accident. In the case where the igniters are initially failed, the hydrogen accumulates in the containment and can reach concentration that, if ignited, could challenge the integrity of the containment. If the hydrogen igniters become available and are " turned on" after significant core damage has occurred, they could be an ignition source for burning the accumulated hydrogen. The development of the AP600 l
Appendix A Revision 2. October 1997 oA3324w.wpf:H493M7 l
, r 9
A-5 severe accident management guidance should address considerations for use of the hydrogen igniters when they are not operating at the time core overheating begins.
Passive Containment Cooling In the AP600 design, the ultimate heat sink for heat rejection from the containment to the atmosphere is via the containment passive cooling. Heat is transferred from the vapor inside the containment, through the containment wall to the natural convective air currents on the outside of the containment shell. To enhance the heat removal capability when the cere decay heat is high, a passive containment cooling system distributes water, via gravity drain from a tank, over the containment dome. Under this arrangement, the vapor inside the containment rises to a temperature where the heat rejection is equal to the hear generation.
In the case where the passive containment cooling water is available, the containment pressure will equilibrate at a level below the design basis pressure for the containment. If the passive cooling water is not available, a higher containment pressure will be established at equilibrium due to the higher containment temperatures required for the same heat rejection rate. The AP600 PRA analysis of the containment performance shows that there may be a minor threat to containment integrity at this higher containment pressure. Based on the conservative containment fragility curves presented in Section 42 of the AP600 PRA, there is a containment failure probability of about 1.0 E-03 at the predicted peak containment pressure for the case with no PCCS available. The predicted equilibrium pressure is well below the lower bound containment failure pressure from the containment fragility curve.
In those cases where no containment failure is predicted to occur, that conclusion is predicated on the assumption that the drains at the bottom of the annulus outside the primary contamnient are open. If these drains are not open, the water flowing over the containment dome could accumulate in the bottom of the annulus and block the natural convection air flow over the outside of the containment shell.
Therefore, the AP600 SAMG should consider that containment failure due to overpressurization is not expected to occur. The AP600 SAMG should address considerations for assuring that the drains at the bottom of the annulus outside of the primary containment steel shell are open.
The AP600 PRA does not provide detailed analyses of the containment performance if the reactor vessel fails and the core is ex-vessel. If the core is quenched and cooled by water in the reactor cavity, the containment performance should be nearly the same as for the in-vessel cc,re since only decay heat and in-vessel chemical heat additic,ns are possible.
However, if core concrete interactions generate an additional heat load for the containment and add noncondensible gases to the containment, severe accident management strategies for Appendix A Revision 2, October 1997 o;\3324w.wpf:1b 093097
l A-6 .
diagnosing and dealing with flammable gases and containment pressure that can challenge the containment need to be considered. *n general, this is several tens of hours after the accident initiation and therefore would have a relatively low priority compared to other severe accident management strategies for AP600.
Water Losses Frorn Containtnent In the case where the containment cannot be completely isolated, the ability to successfully accomplish several of the severe accident management strategies may be challenged. For the case where the isolation failure is above the flooded-up containment water level, steam would escape to the atmosphere rather than remain in the closed-cycle passive containment cooling. In this case, the containment water level would gradually decrease. If the isolation failure is below the flooded-up containment water level, the water would be directly lost from the containment. In this case, the containment water level may decrease more rapidly, depending on the size of the unisolated breach in the containment.
If the containment water inventory is not replenished at a rate equal to that being lost, the ability to continue accident management strategies is challenged. In particular, the ability to use the PRHR or NRHR from the IRWST would eventually be lost. At some other point in time, the ability to keep the rea . tor vessel cooled and thereby prevent vessel failure would be lost. Ultimately, the ability to cool any ex-vessel core debris would be lost and ablation of the concrete basemat would begin.
Thus, monitoring the containment water level and having the ability to replenish the containment water inventory needs to be addressed in the AP600 SAMG.
Nonsafety-relcted Containtnent Spray A nonsafety-related containment spray system is included in the AP600 design. It is clearly stated in Section 6.5 of the AP600 SSAR that the spray system is not to be used until the plant emergency response organization has transitioned to the AP600 Severe Accident Management Guidance and that guidance will be provided in the AP600 SAMG for the initiation and termination of the nonsafety-related containment spray provided by the fire protection system.
Evaluations cf the impact of containment spray operation have been performed and a number of limitations have been defined as follows:
The containment spray should not be used until the core exit thermocouples remain above 1200 F and the control room staff has completed the applicable Emergency Response Guidelines and subsequently transitioned to the SAMG.
Appendix A Revuion 2. October 1997 o:\3324w.wpf:1b-100997 ,
o
- A-7 m
- The use of a containment radiation setpoint for containment spray initiation of 10,000:
R/hr or less is not recommended since this is not indicative of a severe accident.
4- _ Intermittent use of the spray is discouraged due to the potential for decreased reliability of the system components.
The decision for initiation of the containment spray must consider the potential for a-hydrogen burn due to the de-inerting effect of the spray on the containment -
- flammability.
The containment spray termination criteria should consist of the following:
- Containment radiation is significantly reduced.
The volume of fire water pumped into containment is less than 300,000 gallons such that the containment water level is less than 109'. This precludes exceasive flooding of the containment and avoids potential adverse impacts to
- the containment air mixing flow patterns such that hydrogen buildup in the lower compartments is not a concern.
The measured containment water level is greater than 108'6".
Appendix A - Revision 2. October 1997 o:\3324w.wpf:1ba93097-
I-
- , 9=
B1 APPENDIX B SAMG RAIs AND RESPONSES
NRC REQUEST FOR ADDITIONAL INFORMATION -
Revision 1 Question: 480.212 Identify and discuss actions that would be required to prevent or mitigate uncontrolled fission product releases after 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> due to (a) long term non-condensible gas generation, (b) depletion of coolant inventory due to normal leakage and early bypass sequences, (c) late containment bypass (temperature-induced SGTR), and (d) depletion of PCSS water inventory.
Response
As discussed ire the response to RAI 720.55 and RAI 720.56, Westinghouse has developed a framework and a set of high level strategies for severe accident management. This work is documented in " Framework for AP600 Severe l Accident Management Guidance", WCAP-139:3, S==hr 1")3 13914, revision I, Ne vember 1996. High level strategies to diagnose potential fission product release pathways and then to prevent, terminate and/or mitigate those fission product releases are identified and discussed in WCAP43M413914. The high level strategies presented in WCAP4391313914 are applicable to all of the items outlined in this question.
Westinghouse believes that the development of the framework for a severe accident management program for the AP600 plant design, including the identification of high level strategies provides a sufficient basis for the development of the detailed AP600 Severe Accident Management Guidance by the COL applicant, 480.212(RI)-1 1 __ -
-s NRC REQUEST FOR ADDITIONAL INFORMATION
. Ot'estion 480,490 B
Westinghouse responses to RAls 720.54 and 720.55 (May 1993) indicated that numerous accident management strategies or related EOP changes would be adopted for AP600, and that additional accident management strategies would be evaluated and integrated into the AP600 accident management plan if found to be effective. WCAP-13913
" Framework foi AP600 Severe Accident Management Guidance" (Dec 1993) was subsequently submitted, but does not provide a complete or current accounting of the critical PRA insights and accident management strategies that would need to be further evaluated by a COL applicant as part of their development of an accident management program, many of which have been developed or refined subsequent to issuance of the topical report. Examples of the insights or strategies that the COL applicant would need to address as part of their plant-specific imp!cmentation of accident management include:
initiation of reactor vessel cavity flooding use of fan coolers for fission product removal
+
use of igniters to control hydrogen
+
reclosing of the ADS valves to control hydrogen diffusion flames Imd fission products
+
makeup to the containment for long term cooling a
makeup to the passive containment cooling system (PCS)
+
strategies for reflooding a damaged core which is retained in-vessel s
+
use of portable battery chargers to backup batteries
+
identification and use of additional supplies of borated water a
strategies to enhance or restore flow through the PCS annulus
+
use of a firewater pump for injection into the steam gener;ccrs
+
use of existing penetrations to vent containment Furthermore, the response to RAI 720.56 (May 1993) indicates that the completion of the development of the severe accident management guidance for AP600 is part of the man-machine interface specification. However, neither thu specification nor a COL action item describing the necessary actions on the part of the COL applicant have been submitted to our knowledge. (The March 1996 response to RAI 480.212 indicates that the COL applicant will develop plant-specific severe accident guidance based on WCAP-13913, but WCAP-13913 is incomplete as discussed above, and a clear commitment or COL action item has not been provided to assure that this will be done).
480.439-1
1 NRC REQUEST FOR ADDITIONAL INFORMATION 1--
wm Please provide the following additional infonnation to assure that all severe accident insights / strategies to be addressed by the COL applicant are identified and that a process and commitment for performing the necessary plant-specific actions is established:
a) A complete accounting (e.g., annotated list) of severe accident insights / strategies that the COL applicant will be responsible for addressing as part of their plant-specific implementation of accident management, b) A description of the scope and objectives of each strategy, including whether the strategy is to be incorporated into the Emergency Operating Procedures (EOPs) or the Severe Accident Management Guidance (SAMG), and where in these documents this information is or will be located, and c) A description of the process by which the insights / strategies to be addressed by the COL applicant will be communicated to the COL applicant, and a corresponding COL action item addressing this commitment.
Response
The overall severe accident management philosophy and high level strategies applicable to AP600 are described in WCAP-13914, Revision 1 " Framework for AP600 Severe Accident Management Guidance," November 1996, The overall philosophy and high level strategies described in the previous version of WCAP-13913 and WCAP-13914 has been reviewed following the completion of the AP600 PRA. He severe accident management insights identified from the AP600 PRA have been incorporated into WCAP-13914, revision 1. Thus, WCAP-13914, revision 1, is a valid bas" upon which a COL applicant can develop Severe Accident Management Guidance.
As discussed in WCAP-13914, revision 1, the AP600 Severe Accident Management Guidance should be similar in "
content and structure to the generic Westinghouse Owners Group Severe Accident Management Guidance (WOG SAMG) that forms the basis for Severe Accident Management Guidance at existing plants. He COL applicant should use the generic WOG SAMG and the information in WCAP-13914, including the PRA insights described in Appendix A of that WCAP, to develop the AP600 Severe Accident Management Guidance. This process will address the example insights and/or strategies delineated in this RAI. The evaluation of the applicable accident management strategies by the COL applicant will include a determination of the appropriate guidance set (e.g.,
' Emergency Response Guidelines versus Severe Accident Management Guidance) where the strategy will reside.
Chapter 19 of the AP600 SSAR will include a COL item that commits the Combined License applicants to developing a severe accident management program.
480.439-2 W-Westinghouse
4 a
NRC REQUEST FOR ADDITIONAL INFORMATION u mans =
Response Revision 1 Question 720.55 The unique design of the AP600 may provide a passive method to both prevent and mitigate severe accidents with a minimum of human intervention. The insights to effective accident management plans can be developed from the success criteria developed from the PRA's assessment of containment performance. Provide a description of Westinghouse's planned use of the AP600 PRA to identify and assess accident management measures.
Response (Revision 1):
Prevention and mitigation of accidents, including severe accidents, have been an integral part of the design process for the AP600. A significant objective in the passive plant design is preventing accidents from progressing to core damage. Additional features to protect the plant fission product boundaries in the event of a core damage accident have also been included in the AP600 design. The derivations of the design features are diverse; some features are derived from generic severe accident analyses, and others have been derived from AP600 accident analyses. Specific design features have been incorporated into the AP600 plant as a result of generic severe accident phenomenological insights from previous severe accident work. An example of such a design feature is the lower containment layout, which provides for submerging the reactor vessel with a minimum water discharge to containment. There are also accident management features incorporated into the AP600 based on key findings from the AP600 PRA. Examples of AP600 features from the PRA include manual operation of the reactor coolant depressurization system and the passive RHR system upon detection of high core exit temperatures, and manual operatios to flood the reactor cavity with water from the IRWST if it has not dr# xi automatically into the reactor vessel.
As part of the development of a comprehe -
.ccident management plan for the AP600, a systematic review of the Level 1 and Level 2 PRA results is being carried out to identify and document potential accident management insignts. These insights relate to the presention of core damage, mitigation of core damage, provction of fission product boundaries, and mitigation of fission product releases. Prior to the beginning of the systematic review, guidelines were developed to establish the scope and conduct of the review of the various segments of the PRA.
An existing Westinghouse data base of accident management insights, which were derived from insights identified in a number of PWR IPE studies and from NRC research, is being reviewed for applicability to the AP600.
Additionally, insights identified and documented during the Westinghouse development of generic severe accident management guidance for the Westinghouse Owners Group (for operating Westinghouse PWRs) will be reviewed for applicability to the AP600. A number of accident management insights have already been identified and documented as part of the AP600 severe accident phenomenological evaluations; these are documented in WCAP-13388.
Based on the insights identified, candidate accident management strategies will be developed. Additional severe accident evaluations and analyses, when appropriate, will be carried out to determine the feasibility and effectiveness of candidate accident management strategies. All candidate accident management strategic.s will be evaluated by a small team of senior PRA experts and AP600 designers. Accident management strategies found to be effective will be integrated into the AP600 accident management plan. Initially, the candidate accident management strategies will be used to develop high level severe accident management guidance (see also the response to Q720.56).
y, m .sscai>-i l
NRC REQUEST FOR ADDITIONAL INFORMATION mn t=
- H Tj
=
Response Revision 1 This approach results in a complete and comprehensive integration of the AP600 PRA and severe accident considerations into the AP600 accident management plan which includes plant design features, symptom-based enm gency response guidelines, and severe accident management guidance. The development of the AP600 emergency response guidelines is discussed in the response to Q720.54, and the severe accident management guidance is discussed in more detail in the response to Q720.56. Also, the approach takes maximum advantage of the ongoing work in severe accidents by both the industry and the NRC, PRA Revision: NONE 720.55(RI)-2 W Westinghouse
NRC REQUEST FOR ADDITIONAL INFORMATION Response Revision 3 f
Question 720.56 -
He AP600 PRA does not indicate how the accident management issues discussed by SECY 89-012 will be implemented. Describe Westinghouse *s planned approach for assuring that each of the five elements of accident management defined in SECY-89-012 will be appropriately addressed by the vendor and licensee. Identify the respective resporsibilities of Westinghouse and the licensee for addressing each of the five elements, and any methods and/or guidance that are expected to be used in this piecess. !
Response (Revision 3):
The AP600 plan for addressing the severe accident management program requirements discussed in SECY-89-012 l is based on the current efforts by Westinghouse on behalf of the Westinghouse Owners Group (WOG) to develop l severe accident management guidance (SAhtG) for the current generation of operating plants. From the standpoint of potential severe accident phenomena and potential challenges to the plant fission product boundaries, the AP600 response to severe accidents is bounded by that of the current generation of Westinghouse PWRs. Thus, the engeing Westinghouse Owners Group peegn. etc &v&p generic severe accident management guidance has direct applications to the development of AP600 plant severe accident management response guidance. I: :::p=::d S=
l the The respective responsibilities of Westinghouse and the licensee for addressing each of the five elements of SECY-89-012 ?! be :irH :: S: =p=uv: =p;=ibmde f1:"Jednghcu= 0 == C: cup =d $ !!=a==
fc- $: :urc=: cp=:da; p!=t. Sc =pcedv: =peribiFd= are summarized in the following paragraphs.
Thef:= :wcdfc:ScA C^ =v=: = lin ::=;==:;u!&=: he b=a &v& ped =' & :==:d i "?C.' P 13913 (" cpri==y) =d "/ CAP !3911 (Mc: " cpi:=y). Se f:=n::ci d===: :=!;de : di==icn cf =v=e ee:iin ==;;ma ::querement, i: =:icip=d ==:= fc: t: & i:ic miin; p:ce:=, S: gc6 Se m=: b;
- =crp'id:d fc: =v= =:iin: n=:g== , =d c :ur:=y cf pczibk :: :::gic ' ^."6^^ =v=: :::i&at m;=n- C=p!=icn cf $: &v&pma: cfic =vm aci&n m:=;==: gui&=: fc te AP60^ i p=:
cf 1: == =h:= in:=f=: &v&pma: p:ce:=.
l Westinghouse has developed high level accident management guidance for AP600 based on the Westinghouse l Owners Group Severe Accident hianagement Guidance, and the analyses and results of both the AP600 SSAR and l the AP600 PRA. His high level guidance addresses differences in AP600 severe accident management strategies, l compared to those documented in the WOG SAhtG, as well as severe accident management insights identified during l the performance of the AP600 PRA. Rese AP600 high level severe accident management strategies are documented l in WCAP-13914. " Framework for AP600 Severe Accident hianageu ent Guidance", Revision 1. November 1996.
l It is the responsibility of the COL applicant to develop the AP600 Severe Accident hianagement Guidance, based 1 on the information contained in WCAP-13914.
He accident management issues discussed in SECY-89-012 cover a broad range of accident management activities including the symptom-based emergency operating procedures and the utility site emergency plan. H e severe accident management issues discussed in SECY-89-012 must interface with both of these. For the AP600, the interface with the symptom-based emergency operatin : procedures will be similar to the interface for the current generation of operving plants (i.e., the transition ..om emergency operating procedures to severe accident W Westinghouse 720.56(R3)-1
y e
NRC REQUEST FOR ADDITIONAL INFORMATION Response Revision 3 management guidance). While the site emergency plan is expected to be simplified for the AP600, the interface between the emergency plan and the severe accident management guidance, on a broad scale, is very similar to that for the current generation of operating plants. Dat is, the severe accident management guidance must fit the emergency response team responsibilities and authorities, including the chain of command. While generic symptom-based emergency operating guidelines exist to establish a concise interface, the site emergency plan is developed by each COL applicant, based on specifics of its emergency response organization and interfaces with federal, state and local government agencies. Rus, the severe accident management program for the AP600 cannot totally address the issues d'scussed in SECY-89-012. Issues, such as overall decision making responsibility and duties and responsibilities of individuals in the emergency response organization and training, are interfaces with the COL applicant site emergency plan that can be addressed only in the combined license application.
The following is a high-level discussion of the method in which Westinghouse will address each of the severe accident management issues discussed in SECY-89 012 for the AP60'h Accident Managernent Procedures This element refers to the consideration of generic accident management strategies identified by the NRC to enhance the ability to cope with the severe accident scenarios that tend to dominate risk in PRAs for the current generation of operating plants. These strategies have been identified in several NRC reports, including NUREG/CR-5474 and NUREG/CR-5781. The applicability of the strategies identified in NUREG/CR 5474 for AP600 is discussed in the re:ponse to RAI 720.54. He applicability of the strategies identified in NUREG/CR-5781 is part of the insights evaluation discussed in the response to RAI 720.55. As discussed in the responses to RAls 720.54 and 720.55, the applicable NRC strategies are further considered in the development of either generic symptcm-based emergency operating procedures or generic severe accident management guidance, as approcriate.
Training for Severe Accidents Training is within th. scope of the COL applicant emergency plan. 'Ihus, the specific details of severe accident management training are in the scope of the combined license application.
Accident Management Guidance -
l Westinghouse wi!! d:dp has developed high level generic severe accident management guidance for the AP600 I that provides a framework for :nc= cf diagnosing plant conditions during a severe accident and a high level set of s*rategies for responding to those plant conditions. The Westinghouse Owners Group severe accident management l guidance, bemg-developed for the current operating plants, u"! bc =:d = c was used as the basis fer defining the I high level AP600 severe accident management guidance documented in WCAP-13914. Revision 1. From the standpoint of potential severe accident phenomena and challenges to the plant fission product boundaries, the AP600 l severe accident response is bounded by the current generation of Westinghouse PWR . The AP600 high level severe l accident management guidance 0" :=crpc:cte incorporates those insights from the AP600 PRA and other applicable I sources, as described in the response to RAI 720.55. He high level severe accident management guidance developed I for the AP600 . "I pr "d: provides a means for diagnosing challenges to the plant fission product boundaries, for responding to challenges witA appropriate strategies, and for returning the plant to a controlled, stable condition. The 720.56(R3)-2 W westinghouse
s2
.-+-
9 NRC REQUEST FOR ADDITIONAL INFORMATION Response Revision 3 f
l high level severe accident management guidance "! 6: ihndfy also identifies potential negative impacts (e.g.,
increased challenge to a fission product boundary) of implementing each of the strategies contained in the guidance.
F '!y, i: ;;id== 2" catir :": cde: -&td t h: =p::::d i'=' :=pc=: d= lmpkm==d= cf a pria!= ==:gy. Sc xvn: :=id= :=:g m=: ;;ita= "! ic id= ify : P-i=d =: cf ecmp Sc=! cit
- zi: 5 di;;;=de =S= 'c ir :, npid :va:S= cf i: m:gnha& cf ==: cf 1: =g:nv: imp =t :=cied l wie 2;;km==d : cf : :priS ==gy. He detailed severe accident management guidance will be developed l by the COL appheant, based on the high level severe accident management strategies documented in WCAP-13914.
Instrumentation The severe accident management guidance relies upon the diagnosis of challenges to fission product boundaries and I the diagnosis of a controlled, stable state. W=S;h ,; ; "" iindfy, ' 6: The AP600 severe accident management l guidance, should identify primary and secondary instrumentation indications for those key parameters needed for diagnosis his approach is consistent with the approach taken in the Westinghouse Owners Group severe accident management guidelines for current operating plants. Where appropriate, the severe accident management guidance l wnl should identify methods for inferring the parameters needed for diagnosis from other instrumentation readings.
l During the development of the AP600 severe accident management guidance by the COL applicant, any insights regarding instrumentation (particularly with regard to instrumentation survivability and readout range) webe
.l &====d =d should be further evaluated.
Decision-Making Responsibilities Based on information developed during the Westinghouse Owners Group severe accident management guidance program, the decision-making responsibilities during a severe accident should not change significantly from those already specified in the utility site emergency plan for existing plants. The only significant difference introduced by severe accident management guidance is the broader responsibility for the plant technical support staff to provide recommended actions to the control room staff after core damage has occurred. The tools available to the technical support staff for this broader responsibility are the severe accident management guidance derived from the AP600 generic severe accident management guidelines. Considerations related to decision-making responsibilities durin; an accident, including severe accidents, are in the scope of the combined license application.
PRA Revision: NONE W W85tingh0Ee 720.56(R3)-3
_ _ _ _ _ _ _ _ _