ML20217P844
| ML20217P844 | |
| Person / Time | |
|---|---|
| Site: | 05200003 |
| Issue date: | 04/07/1998 |
| From: | Joseph Sebrosky NRC (Affiliation Not Assigned) |
| To: | NRC (Affiliation Not Assigned) |
| References | |
| NUDOCS 9804100208 | |
| Download: ML20217P844 (50) | |
Text
4 April 7,1998
._ 3' APPLICANT: Westinghouse Electric Corporation
{
PROJECT: AP600
SUBJECT:
SUMMARY
OF AP600 MEETING AND TELEPHONE CALL REGARDING THE ;
LEVEL 1 PROBABILISTIC RISK ASSESSMENT (PRA) INSIGHTS I 7
The subject meetin2 was held on February 12,1998, at the Nuclear Regulatory Commission's office in Rockville, Maryland. The meeting did not resolve all of the issues and an additional phone call was held on February 17,1998, to continue the discussion. Attachment 1 contains a list of the participants for the meeting and the telephone call.
1 The purpose of the meeting was to discuss the level 1 PRA irivights found in Westinghouse's letter of January 15,1998 (NSD-NRC-98-5524) and to come to an agreement on what the important insights and assumptions were for the AP600 PRA. As a result of the meeting on February 12, Westinghouse agreed to make the ch.tages identified in Attachment 2 to the level 1 insights found in Chapter 59 of their PRA. As a result of the phone ,all on February 17,1998, Westinghouse agreed to make the changes contained in Attachment 3. Westinghouse committed to incorporate the changes found in Attachments 2, and 3 in PRA revision 11.
A draft of this meeting summary was provided to Westinghouse to allow them the opportunity to comment on the summary prior to issuance, original signed by:
Joseph M. Sebrosky, Project Manager l Standardization Project Directorate !
Division of Reactor Program Management '
Office of Nuclear Reactor Regulation i
Docket No.52-003 i
Attachments: As stated cc w/atts: See next page i
DISTRIBUTION w/ attachment- !
Docket File PDST R/F TKenyon PUBLIC BHuffman JSebrosky DScaletti JNWilson SMagruder ),
JHWilson MDunsaniwskyj DJackson \
DISTRIBUTION w/o attachments:
SCollins/FMiraglia,0-12 G18 BSheron,0-12 G18 BBoger,0-12 G18 f, g)
JRoe DMatthews TQuay \ !
ACRS (11)
RYoung,0-8 D1 JMoore,015 B18 EConr. ell,0-8 D1 JLyons,0-8 D1 AEl-Bassioni,0-10 E4 9 '
MPohida,0-10 E4 NSaltos,0-10 E4 HLi,0-8 H3 DOCUMENT NAME: A:\PRA_lNS. SUM To wive a copy of this document, indicate in the box: "C" = Copy without attachment / enclosure "E" = Copy with attachment / enclosure "N" = No copy OFFICE PM:PDST:DRPM l SPSB:DSSA u n D:PDST:DRPM l l l NAME JMSebrosky:sgfrF AEl-Bassioni l '"TRQuay -TIM DATE 'A /2;f /98 I/ /l / I /98 4 / / /98 900410o20e 9eo4
?" ^ " ** =oy i M C RLFCEYE3 COPY
)
I . i l
l Westinghouse Electric Corooration Docket No.52-003 cc: Mr. Nicholas J. Liparulo, Manager Mr. Frank A. Ross Nuclear Safety and Regulatory Analysis U.S. Department of Energy, NE-42 Nuclear and Advanced Technology Division Office of LWR Safety and Technology ;
Westinghouse Electric Corporation 19901 Germantown Road P.O. Box 355 Germantown, MD 20874 Pittsburgh, PA 15230 Mr. Russ Bell Mr. B. A. McIntyre Senior Project Manager, Programs Advanced Plant Safety & Licensing Nuclear Energy institute Westinchouse Electric Corporation 1776 l Street, NW
- Energy Systems Business Unit Suite 300 Box 355 Washington, DC ' 20006-3706 Pittsburgh, PA 15230 Ms. Lynn Connor Ms. Cindy L. Haag Doc-Search Associates Advanced Plant Safety & Licensing Post Office Box 34 Westinghouse Electric Corporation Cabin John, MD 20818 Energy Systems Business Unit Box 355 Dr. Craig D. Sawyer, Manager Pittsburgh, PA 15230 Advariced Reactor Programs GE Nuclear Energy Mr. M. D. Beaumont 175 Curtner Avenue, MC-754
! Nuclear and Advanced Technology Division San Jose, CA 95125 Westinghouse Electric Corporation One Montrose Metro Mr. Robert H. Buchholz 11921 Rockville Pike GE Nuclear Energy Suite 350 175 Curtner Avenue, MC-781 Rockville, MD 20852 San Jose, CA 95125 i l Mr. Sterling Franks Barton Z. Cowan, Esq.
l U.S. Department of Energy Eckert Seamans Cherin & Mellott NE-50 600 Grant Street 42nd Floor 19901 Germantown Road Pittsburgh, PA 15219 Germantown, MD 20874 Mr. Ed Rodwell, Manager Mr. Charles Thompson, Nuclear Engineer PWR Design Certification AP600 Certification Electric Power Research Institute NE-50 3412 Hillview Avenue 19901 Germantown Road Palo Alto, CA 94303 Germantown, MD 20874 Mr. Robert Maiers, P.E.
Pennsylvania Department of Environmental Protection Bureau of Radiation Protection Rachel Carson State Office Building P.O. Box 8469 Harrisburg, PA 17105-8469 I
. s AP600 MEETING TO DISCUSS AP600 LEVEL 1 PRA INSIGHTS MEETING ATTENDEES FEBRUARY 12,1998 .
! l' NAME ORGANIZATION l
l CINDY HAAG WESTINGHOUSE JIM WINTERS WESTINGHOUSE
! BRIAN MCINTYRE WESTINGHOUSE l JIM LYONS NRR/DSSA/SPLB l RON YOUNG
- NRR/DSSA/SPLB l ED CONNELL* NRR/DSSA/SPLB l ADEL EL-BASSIONI* NRR/DSSA/SPSB .
l MARIE POHIDA* NRR/DSSNSPSB l NICK SALTOS NRR/DSSA/SPSB
! HULBERT Ll* NRR/DRCH/HICB
)
JERRY WILSON
- NRR/DRPM/PDST JOE SEBROSKY NRR/DRPM/PDST PHONE CALL ATTENDEES l FEBRUARY 17,1998 l
- l. NAME ORGANIZATION I l' CINDY HAAG WESTINGHOUSE l
- BRIAN MCINTYRE WESTINGHOUSE l l TERRY SCHULZ WESTINGHOUSE '
! JIM LYONS NRR/DSSA/SPLB
! NICK SALTOS NRR/DSSA/SPSB JOE SEBROSKY NRR/DRPM/PDST ~ l l
l I
1 l
Attachment 1 I
I i
hem Y ggg fdd.'OtiSinNr}(p j
j Yt ls 14edd N ina6nke Ah avaElabll1 h li n S< n.0 $ c) v.sdL inchea:Nm c0A)rie RCS pg pr4 WM i< c Swe.$
s%w.,g g~ A swL. & -
Ccmb:ned- L:e e~a && h h ysUk h M p rde i prbet M V M b 'c b P N " Y M a# r~,
i.o / =
SSA A /3 C 31sPo s t r7or) =
i i
I .
4-i l
l
~~%.
,wd
I l
g (oL dead 6e 55 ce Mf dM t dog g _k Abd a dmkc4me e st 6k q
l NRC FSER OPEN ITEM b5P'M cMee +
Disp. = 6' AR. b,3. 2.. Z. L 2 '
m-"
l l & & . 3. 0
- I
}
IRWST injection and recirculation check valves a re exercised at each refueling. IRWST injection and recirculation squib valve actuators are tested every 2 years for 20 percent of the. v:lves. IRWST recirculation j
l MOVs are stroke. tested quarterly.
The reliability of the IRWST subsystem is important %c COL will maintain the reliability of the IRWST subsystem. ;
IRWST injection and recirculation are required by Technical Specifications to be available from power conditions to refueling without the cavity flooded, j s W Response: The stafs statements above on IRWST is covered by item ld of PRA Table 59 29. escept Westinghouse wishes to note the following change should be made to what is written above:
i Second bullet remove the work ' ensure"for reasons provided earlier in rhis document.
An accurate statement would read * . recirculation line which prevents clogging by debris
- .
- Also note the COL ttem is covered by a higher level action of the COL will maintain I, the reliability of the IRWST subsystem iSSAR Section 17.4). l The IRWST provides a safety-related long term source of water during shutdown conditions. De following are some
{. ditional important ar.pects of the IRWST subsystem as represented in the shutdown PRA.
\A
~
e applican mQ provide administrative controls t ntrol trash Een od1!uring shutdown i i - ation entering thNt the IR T wh' uld possily p g e screens.
E Response: As stated in SSAR section 13.5, the Combined License applicant is responsible for developing bSh l /'t> administrative controls. The COL item in SSAR chapter 13 covers the stafs statement at a hisher (,.3 g l l
level. 1 l
On low hot leg level, the PMS actuates the squib valves to open allowing gravity injection from the IRWST.
'E Response: This statement is a duplicate of the 8th bullet on IRWST(see above).
Passive Residual Heat Removal (PRHR) Saltm The PRHR provides a safety-related means of performing the following functions: (1) removes core decay heat l during accidents, (2) allows adequate plant performance during transient (non-LOCA and non-ATWS) accidents l
without ADS,(3) allows automatic termination of RCS leak during a SGTR accident without ADS, and (4) provides core cooling and pressure control during the early phase of an ATWS accident.
I j g Response: For item (2), recommend changing the word " allows" to "provides." Item (4) is ambiguous by
\ using the words early phase of an A7WS. The phrase should read. " allows plans to ride out an A7WS event without rod insertion."
l 720.434F-18 W"
Westinghouse t
l
I 1
. o l
NRC FSER OPEN ITEM E Response: The stofs above statements on ADS are covered by item Ib of PRA Table 59-29. Notefor the 6th bullet, as a result of NRC review, the stage 1, 2, and 3 valves are now stroke-tested every cold gb shutdown. With the number of cold shutdowns and refuelings assumed in the shutdown PRA, the
>' test frequency is equivalent to being tested every 6 months. PRA Table 59 29 will be revised appropriately. Notefor the 9th bullet, the wording "during a severe accidentshould be changed to "qper core uncovery."
- Fire-induced hot shorts, especially in I&C copper cables from the protection logic cabinets to the squib valve operators, could cause detonation of a squib valve, his risk important concern should be addressed by l appropriate power and control cable separation and routing and by the incorporation of features and requirements in the detailed design of ADS cabling. .
i h E Response: Westinghouse recommends the words of the stafs statement be changed to read as described in 1' SSAR subsection 9A.2.7.1, spec (fically, " Spurious actuation ofsquib valves is prevented by the use Q of u squib valve controller circuit which requires multipit hot shons for actuation, physical O separation of potential hot short locations, and provisions for operator action to remove power .
l from the pre zone ~ Note as stated in the internalfire PRA analysis, it is conservatively modeled in the PRA analysis that one hot shon can cause spurious ADS squib valve actuation whereas, per design, multiple hot shorts are required.
gj
- s. f The first, second, and third-stage valves, connected to the top of the pressuriz 7, f, precludeyressurization of the RCS during shutdown conditions if_rtmy heat removal is los). Om fumGr stage S valve is required to open if gravity injection is actuated during cold shutdown and refueling with
- the RCS is open to preclude surge line flooding. On low-low hot leg level (empty hot leg), the PMS signals ;
Jc the ADS 4th stage squibs to open to preclude surge line floodmg. j lE Response: This is an accurate statement. A statement will be added to PRA Table 59-29./
l Normal Residual Heat Removal System (RNS)
De normal residual heat removal system (RNS) provides the following nonsafety related means of core cooling i I
during accidents: (1) RCS recirculation at shutdown conditions,(2) low pressure pumped injection from the IRWST, and (3)long-term pumped recirculation frotn the containment sump. Such RNS functions provide defense-in-depth in mitigating accidents,in addition to that provided by the passive safety-related systems.
E Response: This is an accurate statement. The statement is covered by item 6 of PRA Table 59 29. V ne following are some important aspects of RNS as represented in the PRA:
l + he RNS has redundant pumps, powered by separate non Class IE buses with backup connections from the diesel generators, and redundant heat exchangers.
E Response: This is an accurate statement and is covered by item 6 of PRA Table 59-29. /
720.434F-22
- W Westinghouse
i NRC FSER OPEN ITEM l
I
. The containment isolation valves in the RNS piping close automatically via PMS with a high radiation signal.
Westinghouse analyses indicate that under all accident conditions but large LOCAs, the containment radiation level is well below the point that would cause the RNS MOVs to automatically close.
.LV Response: ne first sentactitmusistent with item 6 of PRA Table 59-29. The second sentence tends to lead beyond an insightfrom the PRA. However, (f the staf explains why it considers this an insight, then Westinghouse recommends the second sentence be reworded to read: The actuation setpoint was established consistent with a DBA non mechanistic source term associated with a large IDCA. "
. The following AP600 design features contribute to the low likelihood of interfacing system LOCAs through the NRIIR system:
. The ponion of the RNS outside containment is capable of withstanding the operating pressure of the RCS.
- A relief valve located in the common RNS discharge line outside containment provides protection ogsinst excess pressure.
. Each RNS line is isolated by at least three valves.
- ne pressure in the RNS pump suction line is continuously indicated and alarmed in the main control trom.
- ne pump suction isolation valves connecting the RNS pumps to the RCS hot leg are interlocked with RCS pressure so that they cannot be opened until the RCS pressure is less than 450 psig, his prevents overpressurir.ation of the RCS when the RNS is aligned for shutdown cooling.
- ne two remotely operated MOVs connecting the suction and discharge headers, respectively, to the IRWST are interlocked with the isolation valves connecting the RNS pumps to the hot leg. His prevents inadvertent opening of any of these two MOVs when the RNS is aligned for shutdown cooling l
and potential diversion and draining of reactor coolant system.
. The power to the four isolation MOVs connecting the RNS pumps to the RCS hot leg is administratively blocked at their motor control centers during normal power operation. [ COL).
- De operability of the RNS is tested, via connections to the IRWST, immediately before its alignment [dd, G
to the RCS hot leg, for shutdown cooling,t m M diere 3re-no-any-epen-manonbalves in the
-drain- lines-tStAR;-GObrPrscEUltrP- -A j r
72a N 24 W
Westinghouse i t
\
i i
! l t i l
I l
NRC FSER OPEN ITEM
+
._ . . . . . . . ,, . , .u
? Response: Westinghouse has thefollowing commentsfor the stap's above statement:
- Change "NRHR system
- to 'RNS",
. Second sub. bullet is a true statement, but notfactored into the PRA and is not a ley to providing a low likelihood ofinterfacing systems LOCA. Thus, Westinghouse does not see this as an important statement to include as an insight. ,
- lart sub-bullet: It is true that the system is tested; however, it is done to test operabilQ gut T c-of the system, not solely to minimize potentialfor interfacing syetems LOCA or in detect cs/)
A vl' g, an open valve in the drain lines. flowever, the testing does have this end rev < efect.
t 'The words should be revised appropriately. j
- The IRWST suction isolation valve (V023) and the RCS pressure boundary isolation valves (V001 A, V001B, l V002A and V002B) are qualified for DBA conditions.
it is not understood why the stag's statement is an insightfrom the FRA. I W Response:
- k. -
l
- De reliability of the IRWST suction isolation valve (V023) to open on demand (for RNS injection during g4 power operation and for IRWST gr.avity injection via the RNS hot leg connection during shutdow is importantQ' COL 7ill ensure high reliability 7GQL., D RAP).
\
% Response:
SWY "
This item is acceptable and is covered by SSAR section 17.4 (RAP).
') Y M ,,J, ,
0 Af l l ,,
L abes P. i l
t '
NT i, j
- An altemative gravity injection path is provided through RNS V-023 during cold shutdown and refuelin
, T
-(
conditions with the RCS open. The COL applicant should have policies that maximize the availability of this l
valve and procedures to open this valve during cold shutdown and refueling operations when the RCS is opea. l ,
W Response: The ERGS cover the operation of the valve. In addition, as stated in SSAR section 13.5, it is the responsibility of the Combined License applicant to develop procedures.
To be accurate and consistent whAR see io e 16.3-2, item 2.2) change the E Response:
- statement to read: "P,lanned maintenance afecting the RNS cooling function andjs support ysJhouldit2ttformed in Modes 1, 2, 3 when the RNS is not nfofpperating."
{
De COL be able to applicant open if needed during Mode 5 when will have the RCS administrative is open, and PRHR cannot be used for core controls cooling. to m I35 l
W Response: As stated in SSAR section 13.3, it is the responsibility of the Combined License applicant to develop administrative procedures.
M-hdY)i e
i F -
t QN Y
720.434F-25 W-Westingtmuse
. s i
NRC FSEll OPEN ITEM 1
NRC, Staff Insights of the AP600 Level 1 PRA and Westinghouse Feedback i
Gr.Dmut plant-wide t reauirements gg
hsj8M b E Response: The risk-important SSCs within the scope of D-RAP are provided in SSAR Table 17.41. There is no additional action required by Westinghouse to maintain this list after Final Design Approval.
s-534d}
/ 7. 'f Westinghouse does not agree that this item is an insight of the Leve 1 PRA, rathe@ PRA results are usedfor ident{fying the risk imponant SSCs in D RAP . T
- 2. "Ihe COL Applicarit should perform a seismic walkdown to ensure that the as-built plant conforms to the assumptions in the AP600 PRA based seismic margins analysis and to assure that seismic spatial systems interactions do not exist. Details of the seismic wa!Ldown will be developed by ttye COL applicant.
't l
. W Response: As provided in the response to FSER open items 720.451F through 720.453F, the seismic margin
' ' Combined License applicant action item will be changed in AP600 PRA Revision )), subsection f 59.10.6 to read as follows:
I The Combined Ucense applicant referencing the AP600 certified design should perform a seismic
..I walkdown to confirm that the as-built plant cortforms to the design used as the basisfor the seismic margin evaluation and that seismic spatial systems interactions do not exist. Details of the seismic walkdown will be developed by the Combined Ucense applicant. j I 3. WEC will maintain a list of the SSC llCLPF values used in the AP600 Seismic Margins Assessment in the D-RAP. The COL Applicant should compare the as-built SSC HCLPFs to those assumed in the AP600 seismic margins analysis (SMA). Deviations from the HCLPF values or assumptions in the SMA should be evaluated by the COL Applicant to determine if any vulnerabilities have been introduced.
2 Response: The HCIPF values usedfor the AP600 seismic margin analysis are provided in AP600 PRA Table 551. The SSCs captured by the D RAP process using the results of the seismic margin analysis as the rationalefor inclusion, are provided in SSAR Table 17.41. There is no additional action required by Westinghouse to maintain this list after Final Design Approval. Westinghouse does not agree that "WEC will maintain a list of the SSC HCLPF values' is an insight of the isvel 1 PRA.
l As provided in the response to FSER open items 720.451F through 720.4S3F, the following Combined License applicant action item wi!! be included in AP600 PRA Revision 11, subsection 59.10.6:
The Combined Ucertse applicant referencing the AP600 cenified design should compare the as-built SSC HCLPFs to those assumed in the AP600 seismic margin evaluation. Deviationsfrom the HCLPF values or assumptions in the seismic margin evaluation should be evaluated by the Combined License 1 applicant to determine if unacceptable vulnerabilities have been introduced.
l 3 Westilighouse Attachment 2
l NRC FSER OPEN ITEM
.s ic COL Applicant will malatain an operation reliability assurance process based on the system reliability I 4.
information derived from the PRA and other sources. The COL Applicant should incorporate the list of risk-important SSCs, as presented in the SSAR section on D RAP,in its D RAP and operation reliability assurance r~
process.
gm m! Jti < eg " SW- [' bhp :
There is a Combined License applicant 0-RAP action wishin SSAR subsection 17.4.8 that reads E Response:
the Combined 1.icense applicant is responsible for performing the tasks necessary to maintain the
$3 j y,Mll ,,,,{
reliaEility of risk tgnincant i SSCs." In addition, SSAR subsection 17.4.7.3 states the "CGC 3 applicant will need to establish PRA importance measures, the expert panel process, and other deterministic methods to determine the site specific list ofSSCs under the scope of RAP." These two COL action items address the staf's insight staternents.
s j g ce L < g .< % '
h 9a N ,7 !M shQ uM_f.0Dsider- pc informationf en @isk important operator action r ' DIS #
presented in Chspter 18 of the SSAR on human factors engineering 3in developing and training and other human reliability related programse h yAr.J . /8 E Response: In the AP600 PRA, credit is taken for various tasLs to be performed in the control room &, e,,y(
team of trained operators. These tasks are rule-based and proceduralized. The tasks refer to the i completion of a well-defined mission by a team of trained operatorsfollowing procedures. As stated in SSAR section 18.10, operator training is the responsibility of the cot. Westinghouse W .y // !
input to the COL is provided in WCAP 146SS. PRA Table 59-29, item 11, also reflects what is l written in SSAR chapter 18. Westinghouse believes what is provided in SSAR section 18.10, and e
$y24 l how it is captured in PRA Table 59-29, addresses the stqfs insight statement.
= ,7
- 6. urin detailed designM4 sbaldg -
%g.thefgal design information and site-spect ic informatijon. ' s deemed necessary, the COL Applicant shoul upda A l'AK,*Iiimi3ing the lire
,sd Ik~d --a .6rTor s both at-oower and shutdown operation @ed on site-specific information, the COL ific susee tib V
Aylicant should also re-evalu3te the. qualitative screening of exhiffEtven If an site s are found, the applicable external event should be included in the^ updated PRA. p[ .
gC E Response: There is a COL item provided in PRA subsection 59.10.6 that reads the " C applicant referencing the AP600 cert { fled design wi!I verify the as-built plant is consistent with the g' g design used as the basis for the baseline AP600 PRA.' It is the COL's responsibility to describe how this will be done and whether any portions of the baseline PRA need to be updated.
- 7. No safety-related equipment is located outside the Nuclear Island.
2 Response: This is an accurate statement. V faclu da d an ^ e w 'A /" f
(* kuML wa w.
I 720.434F-4 W Westinghouse
(
r i
i j NRC FSER OPEN ITEM i s
l J
- 8. De AP600 low pressure systems which interface with the RCS are protected against interfacing vsystems LOC (ISLOCA b 3.comhimiottof multiple isolation valves,valveinterlocking,increaseinthepipingpressurelimits l
pressure relief capability) gg d b *df si (c Ted4t 67 29, (n
E Response: This is an accurate statement. ,Pghtr 59-29. item 6. specifically discusses the elements which prevent interfacing systern LOCA between the RNS and the RCS. t 1 Solid state switching devices and electro-mechanical relays resistant to relay chatter will be g 9 I&C systern[ Use of these devices and relays either eliminates or minimires the mechanical discontinuitiel i associated with similar devices at operating reactors.
di l
\Y 2 Response: It is not understood why the stafs statement is an insightfrom the AP600 PRA. The staf would need to explain why this is an important insight of the PRA to justify its placement in the DCC 0
The stafs statement is accurate, but is not explicitly stated in the SSAR or PRA. t (tfp
[10)Dere are no watertight doors used for finnd erotection in the AP600 design.
-~
i,._
o er ,&
.p E Response: This is an accurate statement per SSAR subsection 3.4.1.1.2.
l
/ li. De AP600 design minimizes potential flooding sources in safety-related equipment areas, to the extent possible.
- - De design also minimizes the number of penetrations through enclosure or barrier walls below the probable maximum flood level. All flood barriers (e.g., wallt, floors and penetrations) are designed to withstand the
~..
maximum anticipated hydrodynamic loadGas well as water pressures generated by floods in adjoi y Excluding the ending phrase as well as water pressures generated byfloods Y
in .2djoi E Response: j
} 'l h{~ 3 the staf statement is supported by SSAR subsection 3.4.1.1.2. This is essentially itern 23 of PRA 4 Table 59 29.
/12. Drains are capable to remove flow from an assumed break in a line up such as check valves and siphon btcaks, that prevent backflow.
E Respo ew9.: L-l:r-4~ m worded in the stafs statement is not supported by text in the AP600 SSAR. s
. : SSAR subsection 9.3.5.52" Woes read 'Plurring of the drain headers is minimized by designing he' 3' m large enough to acc'ommodate more than the design flow and by making the flow path ai straighpossible.
t Drain headers are at least 4 inches in diametez," Regarding the ponion 3 of the stafs statement on backflow prevention see the last bulletfrom item 15 below.
$[
\
- 13. Dere is no cable spreading room in the AP600 design.
n Res,.nse: rhis u .n -.,a,e s,a,eme;,. gp .g xqsl y
~r (e d
l l
l I
r 1 i
kpV
>s
\
NRC FSER OPEN ITEM g 12 )
l -
3 l
a , ,
. s ,
b
/,14, %t separrdonpf equipment and cabling associated with dif etent divisions of safety related equipreent0as well 6- as the smration of safety-related from nonsafety-related trumnfu"Tes the liretiE55dihat a fire or flood
)' !
l would affect more than one safety-telated system or train. eq spment,4 #
[- [ l W kesycnse: This is an accurate statement.
PRA Table 59-29, item 13, provides the same informl t
i (i De following minimize the probability for fire or flood propagation from one area to another and helps limit l V risk from internal fires and floods:
Fire barriers are sealed and flood baniers are watertight. 4 W Response: This statement isfrom PRA l'able 59-29, item 14, but is inissing the words "to the exte a possible" L
l after the word sealed.
Each the door is clarmed in the control room.
,P -
a PRA Tah'e 59-29. item 14 provides the same statement. V ** t
- l W Response' I
' - he COL Applicant will ensure the reliable performance of fire barriers through appro riate inspe on (
and malatenance of doors, dampers, and penetration seals. Also, all water tight penetrations will be l j
maintained with high reliability during power operation to prevent the propagation of water from one g, -
area to the next.
\Y- V*,
b esponse: The staf's statement appears to be concentrating on a COL item for inspection and maintenance of fire barriers and maintenance of reliable water tight penetrations. Westinghouse is not
'Q g specifying the COL items to this level because it is the COL's responsibility to describe how this y i will be done. Rather, Westinghouse includes a COL item provided in SSAR subsection 9.5.1.8 that I
reads the " Combined License applicant will address quahfication requirements for individuals l
responsible for development of the fire protection program, training offire fighting personnel, administrative procedures and controls governing the fire protection program during plant j
\
u operation, andfire protection system maintenance." In addition, as stated in SSAR Table 9.5.1-1, \
items 29, it is the COL's responsibilityfor " establishing administrative controls to maintain the g performance of the fire protection system and personnel"
- De COL Applicant will ensure the availability of proper fire fighting equipment in all plant areasse+-
-esperIruly m me most risk sigraflatidire areas.-
i SSAR Table 9.5.1 1, itenu 4,30, and 32, cover this staf statement. Note that it is not appropriate Eie onse:
to add the phrase "and especially in the most risk-significantfire areas" because Table 9.S.11 covers allfire creas. There is no need to limit this to the most risk-sigruficantfire areas.
lh b / e w,
720.434F-6 W Westinghouse I
_ ~ _
( --. -.
o I
NRC FSER OPE ITEM h*g y .
f' la
- De COL Applicant will maintain an adequately staffed, well-trained, and we& prepared fire brigade.
WP , k esponse: SSAR Table 9.5.1-1, items 4 and 30 throush 34, cover this sta)Tstatement.
- When a fire door, fire barrier penetration, or flood barrier penetration must be open to allow specific maintenance (e.g., during plant shutdown), appropriate compensatory mer.sures will be taken to mini-mize risk. Risk during shutdowa is minimized by appropriate outage management, administrative g controls, procedures, and operator knowledge of plant configuration. In particular, this will rcquire
,V configuration control of fire / flood barriers to ensure the integrity of fire and flood barriers between areas l containing equipmer; performing redundant safe shutdown functions.
E Response: The intentions of what is described in the stafs statement is covered by good plant operatin f practices. It is covered in a higher level by SSAR Table 9.5.11, items 4 and 29.
- Drains include featutes, such as check valves and siphon breaks, that prevent backflow.
~
$ E Response: Assumption m, as written in PRA Chapter 56, reads "f&, drains, appropriate precautions such as check valves, backDow preventors, and siphon breaks are assumed to prevent back pow and_ ff'
'pt~ ,
any potentialflooding." g y ep,3,G ,
9
- 16. Fire detection and suppression capability as well as flooding control features and sump level indication are provided in the AP600 design. Appropriate compensatory measures will be taken by the COL Applicant to
/, . p
' maintain adequate detection and suppression capability during maintenance activities.
E Response: Per SSAR section 13.5, the Combined License applicant is responsible for developing the plant d y) L procedures. The stafs statement is part of good plant practices, and should be addressed by the J applicable procedures which the COL will develop.
- 17. In addition to the MCR which has its own dedinted ventilation system, separate ventilation systems are provided for each of the two, pairs of safety-r. ned equiptr.ent divisions supportine redundant functions (i.e..
D V
h divisions-A&Cand_B&DFFurthermore, the c .u. ve.itilation systems include features to prevent propagation f smoke from a non-safety related area to a safety related area or between safety-related areas supported by _
" different divisions.jne COL holder must ensure the reliable performance of such smoke propagation prevention features. ' El Excluding the COL staternent, the staff's statement is covered by isem 20 of PRA Table 59-2_9. \
Response: '
Regarding the .QpL_ stasement, this level of detailis not included within Westinghouse COL items
= p 'y I of SSAR 9.S. 1 '
g/ 1 u,
O g ga J a SL 49 0 z%
W w - 720.434F-7 j
l l 2
- j
\
NRC FSER OPEN ITEM [
He COL applicant should imolement the_mninunnam guidelines.as describe &in.the Shutdown Evaluation 'o .
-lAF kPott (WCAP-14837). g E Response: ffRyction 13.5.1 (as revisedper the response to FSER open item 440.763F, Westinghouse letter l DCP/NRC1198, dated December 22, 1997) includes the following statement: WCAP-14837 provides input to the Combined License app:icantfor the developenent ofplant specific refueling ;
plans." This means the maintenance guide &,es, as well as other guidelines specified within the }
WCAP, should be considered by the Combmed license applicant when .they develop the plant procedures. nis SSAR COL item covers at a higher level t e stqfs statement. j 9; he COL applicant should control transient cornbustible; lu';h rga
, ,4-W Response: The insentions of what is described in the stafs starem st is to r d sn a higher level by SSAR
\
@le 9.5.1Dem - Y=- 4d. blSf. l Malg.C9Htrol Room (MCR) and Remote Shutdown Workstation (RSW) 1, he automatic function of the AP600 actuation systems (i.e., PMS and DAS) is not affected by a fire in l' cither the MCR or the RSW. His ensures an independent, automatic means, to reach safe shutdown even 0
g when a fire occurs in the MCR or the RSW (manual actuation is not needed unless the automatic actuation fails). Also, even though a fire in the MCR may defeat manual actuation of equipment from the MCR, it
.N[G will not affect the manual operation from the RSW His is because the I&C cabinets are located in fire areas
[ outside the MCR and the RSW.
2 Response: ne stafs statement is covered by_ item 19 of PRA Table $9 29. (
.O Redundancy in MCR operations,in terms of both monitoring and manual control of safe shutdown equipment, k\k is provided within the MCR itself. His provides an alternative means for mitigating certain MCR fires before deciding to evacuate the MCR and use the RSW.
H Response: The stafs statement is covered by jjem 17 of PRA Tt'ble 59-29.
- 3. If MCR evacuation is necessary, the RSW provi&; complete redundancy in terms of control for all safe shutdown functions.
W Response' This statement is paraphrasedfrom SSAR section 7.4.3.1.1. The stqfs statement is covered by l
jtem 12 of PRA Table 59 29. W affel. & p & f9-
- 4. ne MCR has its own de6cated ventilation system and is pressurized. This eliminates the possibility of smoke, hot gases, and fire scopressants, originated in areas outside the MCR, to migrate via the ventilation system to the control room.
I I W Response: The stafs statement is covered by item 20 of PRA Tobic $9-20 Note it is recommended that the stafs wording of " eliminates" be changed to " prevents".
720.434F-8 ,
W Westinghouse l
l l
l .....
l . . i l \
NRC FSER OPEN ITEM l
- 5. He MCR and the RSW are in separate fire and flood areas. They have separate arid independent ventilation
- Jtd
\ systems.
1 H Response: The stafs statement is covered by items 18 and 20 of PRA Tab.le 59-29.
AP600 MCR fire ignition frequency is limited as a result of the use of low voltage, low-current equipment 4 v 6. f N \ \- and fiber optic cables.
E Response: The stafs statement is covered by item 16 of PRA Table 59-29, 1
Containment / Shield Buildinn l
, 1. Containment isolation functions are protected from the impact of internal fires and floods by redundant l
containment isolation valves in each line which are located in separate fire and flood areas and, if powered,
- are served by different power and control divisions. Always, one isolation component in a given line is located inside containment, while the other is located outside containment, and the containment wall is a l fire / flood barrier. !
E Response: The stafs statement is covered by item 22 of PRA Table 59-29.
- 2. Although the containment is a single fire area, redundant divisions are generally separated by continuous structural or fire barriers without penetrations and by labyrinth passageways. In a few situations, the divisions are separated by large open spaces without intervening combustibles.
W sponse: Westinghouse recommends the stafs wording of this insight reflect what is written in SSAR h subsection 9A.3.1.1, specipcally: The containment/ shle!d building comprises onefre area which Oq ).
is separated intopre zones. "These zones are based on the establishment ofboundaries (structures V or distance) that inhibit fire propagation froin zone to zone. Complete fre barrier separation i
cannot be provided inside containment because of the need to maintain thefree exchange of gases \y' j -
) f\ for purposes such as passive containment cooling." .N
$3. Here are wo compartrnents inside containment (PXS-A and PXS-B) containing safe shutdown .
i equipment other than containment isolation valves that are floodable (i.e., below the maximum flood height).
Each of these two compartments contains redundant and essentially identical equipment (one acct.mulator with . %[ g associated isolation valves as well as isolation valves for one CMT, one IRWST injection line and one VW containment recirculation line). Rese two compartments are physically separated by z or 5 iuo6 hiis# '
"= hbe to ensure that a flood in one compartment does not propagate to the o er. Drain lines from the
- PXS-A and PXS-B compartments to the reactor vessel cavity and steam generato compartment are protected %)
from backflow by redundant backflow preventers.
J* *
% a >Q O /
\
720.434F-9 W Westinghollte l
-dM C
- . Jem cR [pgaon3VF-4
/08# f $.%bI->A<- @ /A ,* Y s...; 4 , w a f, naq++=> n & , w '%
np g n s s . : ,_ _ 1 4. p 4. J w v b : + k N d m .
l44 .f m .
1 l
l l
F 4 4 I
NRC FSER OPEN ITEM
) '
1 d E Response: Westinghouse recommends the staf remove the word "only"in thefrst sentence The cavity also l j
l
,y has source range detectors. D is correct that the PXS-A and PXS-B compartmen such that a food in one compartment does not propagate to the other; however, Westinghouse j' {e. f i
~p\ f*,wallsrecommends andpoor slabs." It appearsthe staf remove the staffinadvenently used the wordsthe specipes regarding 2 and 3 foot walls andpoor slabs that appear in SSAR subsection 3.4.1.2.2.2 which penains to the auxiliary that th ,
$ building separation of RCA and nonRCA areas. Once these recommendations are implemented, Y the stafs statement isfully supported by SSAR subsection 3,4.1.2.2.1.M gg;, t T b
Containment isolation valves located below the maximum flood height inside containment or in the Auxiliary g 4.
- Building are normally closed and are designed to fait closp..-.~., .
I I5f ,
re not designed tofait closed when !
l e E Response: The stafs statement is not technically accurate. The va subinerged. Wes mends sta nge the wording of their statement to read g ection 3.4.1.2.2&' Specipcally, the SSAR reads "There are fgg j consistently with SAR automatically actuated containment isolation valves inside containment subject topooding. 7hese yp j four normally closed containment isolation valves nn"!d nnLfaiLoprn astresult of the P.
G' coinpartmentpooding. Also, there is a redundantarpsgily elmed men!"~ -nr Imlation valyt located outside containment in series with each of these valves."
l
~
- 5. De fragility of valve rooms, labeled 11206/11207, where the passive cc,rc cooling system valves are concentrated is an important factor in the AP600 capability to withstand carthquakes. De capacity of the as built SSCs to meet the HCL?P vr.!ues assumed in the AP600 PRA will be checked by a seismic
~
walkdown.
f)/d It is not understood what the stqtf means by thefragility of valve rooms ]1206 and 11207 is an up)
E Response: .
imponantfactor in the capability ofAP600 to withstand earthquakes. the HCLPF valuefor these iD ' '
) rooms is 0.96g (per PRA Table $$ 1). The llClfF valuefor these valve rooms is not the limiting HCLPF elementfor the nuclear island. Westinghouse recommends theprst sentence of the stafs u;v&
statement be removed.
/
o c;yes ' s.
The stafs statement regarding a seismic walkdown is already addressed under item 2 of " general
& plant-wide requirements."
He passive containment cooling system (PCS) cooling water not evaporated fro n the vessel wall I
- 6. .M flow to the bottom of the inner containment annulus into floor drains. He redundant floor dcains ro water to storm drains. He drain lines are alwtys open (without isolation valves) and each is sized to accept maximum PCS flow. he interface with the su,rm drain system is an open connection such that any blockage in the storm drains would result in the annulus drains overflowing the connection, draining the annulus independently of the storm drain system.
720.434F-10 i
j t
i NRC FSER OPEN ITEM w -1 ,,.
f
' 151 l 2 Response: Westinghouse recommends the staf revise this statement to read "The passive containment cooling bg
' /*
o system (PCS) cooling water not evaporatedfrom the vessel wallflows down to the bottom of the inner cor rainment annulus. Two 100 percent drain openings. located in the side wall of the shield h.,.
buildhi, are always open with screens provided to prevent entry ofsmallanimals into the drains.
p' Note that the specfic drain cornfiguration has changed since 5 what w
- 8. when the drains were located on the floor of the annulus (see also response to FSE 720.440F). Thus the staff's statement should be revised.
ie annulus floor drains, which are essentially pipes embedded into the wall of the Shield Buildng, will have E fl ;
the same (or higher) HCLPF value as the Shield Building. His ensures that the drain system will not fail d at lower acceletation levels causing water blockitg of the PCS air baffle.
_._ hesponse: Refer to item 6 above regarding placement of the annulus drains.
3 h he COL applicant should develop and implement policies, procedures. and trainin to close containment penetrations during Modes 5 and 6 in accordance with TS 3.6.8.
/
' A COL item in SSAR subsection 13.5.1 states the Combined License applicant will address plant
~ Response:
f[ $ procedures. A COL item in SSAR subsection 13.2.1 states the applicant will develop and implement training programs for plant personnel These items inherently include following the l Technical Specylcationr. The COL items in SSAR chapter 13 cover the staff's statement.
v Auxiliary Building
- 1. Separate ventilation systems are provided for each of the two pairs of safety-related equipment divisions
,j p supporting redundant functions (i.e., divisions A&C and BAD). His prevents smoke, hot gases, and fire suppressants originating in divisions A or C from propagating to divisions B and D.
Y W Response: The stafs statement is covered by item 20 of PRA Table $9-29._ Note this is essentially a duplicate
~ ofitem 17 of ' general & plant. wide requirements." Gg
- - equipment rooms,I&C r 2. De major rooms housing divisional cabling and equipment (the battery rooms, d.
- 1. . I rooms, and penetration rooms) are separated by 3-hour rated fire walls without openings. Here are no doors, dampers, or seats in these walls. He rooms are served by separate ventilation subsystems. In order for a fire to propagate from one divisional room to another, it must move past a 3-hour barrier (e.g., a door) into g
21 a common corridor and enter the other room through another 3. hour barrier (e.g., another door).
i E Response: This is an accurate statement. It is essentially what is described in SSAR subsection-9A.3.1.
m W F-11 W westinghouse
~
r -
1
\
1 l
i
)
i NRC FSER OPEN ITEM i I )
k )
1 -
, ,f
- 3. , A two foot concrete floor (barrier) protects important safety related l&C equipment as well as the main )(o V
i control room and the temote shutdown panel, locar.ed in the north end of tt< Auxiliary Building, from #
potential debris produced by a postulated seismically. induced structural collapse of the adjacent Turbine l Building and propagated through the access bay separating the two buildings. p ,
i
, l t
~t' l E Response: To be an accurate statement, the stap's wording should be changed asfollows: (1) change "a two-foot concretefloor (barrier)" to "An access bay"; and (2) delete the ending words "andpropagated through the access bay separating the two buildings." By changing these words, the statement is now consistcnt with PRA subsectioQ49
- , .' here are no setmuswees to sources of " unlimited quantity of water in the Auxiliary Building. g$f ,
It is not understood what is the definition of " unlimited quantity of water" or the purpose o sis $1 \
E Response:
tatement. Uponfurther understanding of this statement, it may be accurate to state there are o fmally open conneciWnQ k: 5., To ensure that a flooding in a radiologically contro!!cd area (RCA) in the Auxiliary Building does not i propagate to nor.-RCAs (where all safety-related equipment except for some containment isolation valves is located), the non-RCAs are separated from the RCAs by 2 and 3-foot walls and floor slabs. In addition, lh electrical penetrations between RCAs and non-RCAs in the Auxiliary Building are located above the maximum flood level.
y 0
E Response: U is subj@
As it is not appropriate to use the word " ensure" since its interpretation Westinghouse recommends the stqfs statement be reworded to read "To preventJlooding in CA
_in tlte auxiliary buildingfrom propagating Io, .. " and to remove the siatement in parentheses. The statement will then be consistent with SSAR subsection 3.4.1.2.2.2.
t 9iSb
- 6. The two 72 hour8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> rated Class lE division B and C batteries are located above the maximum flood height in g the Auxiliary Building considering all possible flooding sources (including propagation from sources located outside the Auxiliary Building).
3A9.
- Mh NJN E Response: it is not clear why the stafincludes this statement as an imponant insig tfrom the PRA. The 24-hour Class !E batteries are usedfor safe shutdown operation; the 72-hour batteries are usedfor functions such as post-accident sampling.
I 7, Flood water propagated from the Turbine Building to the Auxiliary Building valve / piping penetration room at grade level (the only Auxiliary Building area that interfaces with the Turbine Building)is directed to drains and to outside through access doors. His, combined with the presence of water tight walls and floor of the 4 valve / penetration roorn, limits the maximum flood height in the valve / piping penetration room (to about 36 g(p V inches) and ensures that the flooding does not propagate beyond this area.
E Response: Change the words " ensures that the flooding does not propagate . " to "preventsfloodingfrom propagating beyond this area." *lhe statement is then accurate per SSAR subsection 3.4.1.2.2.2 e
~
Auxiliary Building level 3, non RCA discussion. p 720.434F 12 W Westinghouse l
l l
i
lt NRC FSER OPEN ITEM m
WRI i 5 8.". J De mechanical and electrical equipment in the Auxiliary Building are separated to prevent propagation of 0N 1
t leaks from the piping and mechanical areas to the Class IE electrical and Class IB I&C equipment rooms. 4-V6 g Response: By revising the wording to read "... the piping and mechanic couloment eas", the staf]'s statement becomes consistent with SSAR subsection 3.4.1.2.2.2.
Turbine Building g f .]l No safety-related equipment is located in the turbine building. Des isa . hour fire barrier wall between y '
',.: the turbine building and the safety-related areas of the Nuclear Island 1his is an accurate statement, per SSAR ;ubsection 3.4.1.2L.
f'g6.gf , r W Response:
[ Note - there was not item 2 or 3 in Attachment 2 of NRC's November 7,1997 letter.]
- a,. .
.. 4. [ Connections to sources of "large" quantity of wats.r are loccted in the hrbine Building. Hey are the service water system (SWS) which interfaces with the component cooling water system (CCS) and the circulating water system (CWS) which interfaces with the turbine building closed cooling system (1ES) and the condenser. Features that minirtize flood propagation to c:her buildings are:
- Flow from any postulated ruptures above grade level (elevation 100' 0")in the Turbine Building flows down to grade level via floor grating and stairwe;is.11.is grating in the floors also prevents any significant propagation of water to the Auxiliary or Annex Buildings via flow under the doors.
- A relief panel in the Turbine Building west wall at grade level directs the water outside tle building to the yard and limits the maximum flood level in the Turbine Building to less than 6 inches. Flooding g
propagation to areas of the adjacent Auxiliary and Annex Buildings, via flow under doors or backflow p through the drains, is possible but is bounded by a postulated break in those areas.
'f i E Response: Infortnation irJSAR subsection 3.4.1.2.2.3 supports the staf's statement once the word " Annex" .
is removedfrom the two sub-vudm. y ,
> o,A-Annex Building
/ 1. Dere is no safety related equipment located in the Annex Building.
This is an accurate statement, per SSAR subsection 3.4.1.2.2.3._/ O
, E Response:
Flood water in the Annex Building grade level is directed by the sloped foor to drains and to the g yard a 2.
j through the fr t door of the Annex Building.
E Response:
~
Remove the word " front"from the statement, and then it becomes an accurate statement, per SSAR jff '
subsection 34.1.2.2.3.
%t5 f -
j -
720.434F-13 W
Westinghouse l l
I
! - m t
NRC FSER OPEN ITEM 6 _,a ;;._
L [^ I
. gh "3 Flow from postulated ruptures above grade level in the Annex Building is directed by floor drains to the N
\ e?, %
[ Annex Building sump which discharges to the Turbine Building drain tank. Alternate paths include flows to the Turbine Building via flow under access doors and down to grade level via stairwells and elevator shaft.
LO p -
E Response: Remove the word "any"from the statement, and then it becomes consistent with SSAR subsection 3.4.1.2.2.3. Qp, \
l'
)
'Ihe floors of the Annex Building are sloped away from the access doors to the Auxiliary Building in the j thdd
- 4. i vicinity of the access doors to prevent migration of flood water to the non-radiologically controlled areas of l } pf" {s
(
the Nuclear Island where all safety-telated equipment, except for some containment isolation valves, is located.fr"/AC]. +
W Response: This is an accurate statement per SSAR subsection 3.4.1.2.2.L ch SP. ;
\5. There are no connections to sources of " unlimited" quantity of water in the Annes Building. ::.SS M E Response: It is not understood what is the definition of "unilmited quantity of water" or the pu pose of this statement. f), ,(-l
! .- Egaetor Coolant System l' 1. To prevent overdraining, the RCS hot and cold legs are vertically offset which permits draining of the steam g
generators for nozzle dam insertion with a hot leg level much higher than traditional designs. E inJ ;; - "I'M i' k.J m 0.; S^* % 6
" 't 00 ; _ "
j., M* ehtey ,
E Response: This is an accurate statement per SSAR subsection S.4.6L Although the second sentence may be ya&.
l an insight of the Shutdown Evaludwn Report, it is not understood why this is anJmpertant insight
~ " "
from the PRA.
/k
- 2. 40 ium a k,4 m J.e; la kg * "^5m. = 1 , a step nozzle connection between the RCS hot leg and the RHR suction line is used. '7.m ,ap axi is a 20 h.d. ed.d* 140 pipe rappeoximatelyt fection rQ d
l f*
- E Response: Although this may be stated within the Shutdown Evaluation Report. it is not understood why this detail ofinformation is an important insight of the PRA. For esample, the schedule of the piping is not important in calculating the failuu probability. However, y the staf explains why this is important as a PRA insight, then please revise the openin %- j;.a ....z.. 'nce it appears to be missing some words. T be consistent withcSSAR suhrery, < A 711 w es tinchnuse D
recommerdc a c nronco ro o lower the RCS hot leg tevel at yhich a vortex occurs in the RNS suction Titep noge . ."
i ssM-
'D(58 4 6. u (.l~ S 720.434F-14 W -
Westingh00$8
l l
l NRC FSER OPEN ITEM l
~ w_-_ u sMM.
M h l
Should vortexing occur, ic mouumu. 7 air entrainment into the pump suction m." Acn ;wiu.suuuiy . MurS., l
- 3. '
3 S r.; roiu ih.u ~ j:.cm* [$ .*
t f .
W Response: Although this may be stated within the Shutdown Evaluation Repon. it is not understoed why this information is an imponant insight from the PRA. However, if the staf espiains why this is imponant as a PRA insight, then please revise the sentence to read ' . RNS pump suction . .".
/l .
- 4. Dere are two safety-related RCS hot leg level channels, one located in each hot leg. Rese level instrumenti are independent and do not share instrument lines. %ese !cvel indicators are provided primarily to monitor gQ
[,,(g RCS level during midloop operations. One level tap is at the bottom of the hot leg, and the other tap is on
,\' the top of the hot leg as close to the steam generator as possible.
W Response: Although this may be stated within the Shutdown Evaluation Report, it is not understood why this information is an important insight from the PRA.
1
- 5. Wide range pressurizer level indication (cold calibrated) is provided that can measure RCS level to the bottom f [nc N h
hf of the hot legs. na "nper 1 rmere 1 ap k cem ;d ;c ar. /.OS wive 4nles-he"
%e Imverievei tap is conuwid to thebe& ^'tha hot _lege.nis nonha. Wifd J,e
.:Y $
.V level indication can be used as an alternative way of monitoring level and~can't(used to identify g/ ;
inconsistencies in the safety related hot leg !cvel instrumentation. g ,
E Response: Although this may be stated within the Shutdown Evaluation Report, it is not understood why this t
information is an important insight from the PRA.
- 6. He RNS pump suction line is sloped continuously upward from the pump to the reactor coolant system hot /
leg with no local high points. His design eliminates potential problems in refilling the pump suction line if a RNS pump is stopped when cavitating due to excessive air entrainment. His self-venting suction line i
allows the RNS pumps to be immediately restarted once an adequate level in the hot leg is re-established.
W Response: This is an accurate statement per SSAR subsectionht111 :. bid.
- 7. De COL applicant should have procedures and policies to maximize the availability of the no afe@!ated cold wide range pressurizer level indication (cold calibrated) during RCS draining operations durin lated shutdown. De operators shall be trained to use this indication to identify inconsistencies in the safe hot leg level instrumentation to prevent RCS overdraining.
% Response: SSAR section 13.5 provides the committment that the Combined License applicant is responsible for developing procedures. The COL ltems reponed in sgon 13.5 provide the committnent et a higher level than described in the stag's statement above.
$ fl W Acta uill klob-b intNhJ M -720.434F-15
, m. 3 WestitlWlotise
,i t
L
... e-l .
l 1
.w ..
l J
Under item le (PRHR):
Capability exists for the control room operator to identify a leak in the PRHR HX before it c:n degrade to l a tube rupture. duda; : atq= : Ed;; in : =::6-: (DBA). ;
The PRHR HX, in conjunction with the PCS, can provide core coolingfor an indefinite period of time.
After the IRWST water reaches its saturation temperature, the process of steaming to the containment initiates. Condensation occurs on the containment vessel, and the condensato is collected in a safety-related gutter arrangement which returns the condensate to the IRWST. The gutter normally drains to the containment sump, but when the PRHR HX actuates, sqfety related isolation volves in the gutter drain line shut and the gutter overflow returns directly to the IRWST. (disposition = SSAR 6.3.2.1.1}
Under item 6 (RNS):
Planned maintenance of the RNS andits support systems (CCS and SWS) is performed es power in Modes I, 2, J. (disposition = SSAR 16.3) i l
- Under item 10:
The operation of RNS and its support systems (CCS, SWS, main ac power and onsite power) is RTNSS. l l important for shutdown decay heat removal during reduced RCS inventory operations. [SSAR 16.3 d.isposition will be added] j a& wuna,b.0 >
- C,... ,, l " ":6 ring at-power co.=Mm "-- - - ;r ;= L.., 6. .. ^ . ., T.;l;'.r w, ir,&
Short-term availability controls of the RNW.;z." $ (disposition = SSAR 16.3)
- Under item 13, add:
To preventflooding in a radiologically controlled area (RCA) in the auxiliary buildingfrom propagating to non-radio!&gically controlled areas, the non-RCAs are separatedfrom the RCAs by 2 and 3 foot wa!!s ,
and floor slabs. In addition, electricalpenetrations between RCAs and non RCAs in the auxiliary building are located above the maximumflood level idisposition = SSAR 3.4.1.2.2.2) l New item (#42):
l No safety related equipment is located outside the Nuclear Island. (disposition = SSAR 3.4.1)
[ W85tillgh00$8 l
l Attachment 3 l
l l
ou l
NRC FEER OPEN ITEM ;
i
- 8. The AP600 low pressure systems which interface with the RCS are protected against interfacing systems LOCA ,f (ISLOCA yju;ombinntinn of multiple isolation valves, valve interlocking, increase in the piping pressure limits v ghTpiess'})re u relief capability) gg d 4o M [a 'Mk 67- 29, 5 .
E Response: nis is an accurate statement. PRA ToMr 59 29. Item n. specifically discusses the elements which prevent interfacing system LOCA between the RNS and the RCS.
\ g l h 9 Solid state switching devices and electro-mechanical relays resistant to relay chatter will be used in the AP600 % rtla f I&C system [ devices Use atofoperating thesereactors.
minimizes the mechanical discontinuities devices and relaysd= "i n.k ,
d '
associated with similar . LA -
E Response: it is not understood why the stds statement is an insightfrom the AP600 PRA. The stag would I need to explain why this is an traponant insight of the PRA tojustify its placement in the DCD. l The stafs statement is accurate, but is not explicitly stated in the SSAR or PRA. ..
{
( '
e
[g10.lThere are no watertight doors used for finnd orotection in the AP600 design. g
' ~
(L'p - . r, m,- =,,.p . * *t.
~ .M j E Response: This is an accurate statement per SSAR subsection 3.4.1.1.2.
N!. The AP600 design minimizes potential flooding sources in safety-telated equipment areas, to the extent possible. l The design also minimizes the number of penetrations through enclosure or banier walls below the probable 4 maximum flood Ic el. All flood baniers (e.g., walls, floors and penetrations) are designed to withstand the ;
maxitnum anticipate 4 hydrodynamic loads) well as water pressures generated by floods in adjoining area}s g E Response: Excluding the ending phrase as well as waterpressures generated byfloods in afjoining the staf statement is supponed by SSAR subsection 3.4.1.1.2. Dis is essentially item 23 of PRA 1 Table 59-29. ) ,; * )
t
/. 4.
- 12. Drains are capable to temove flow from an assumed break in a line up to 4" in diameter and include features, N l such as check valves and siphon breaks, that prevent backDow, l f;#
9 E Respo hc !=l=-'% nc wnrded in the st4s statement is not supported by text in the AP600 SSAR. <
)'
0
& Y , s SSARlaree #section 9.3.5.52%oes read ~Plureing of the drain headers is minimited by de
~
enouxh to accommodate more than the design flow and by making the flow cath as :s$c .,
l straight as vossible. Drain headers are at least 4 inches in diameteg Regarding the ponion of 1 the stafs statement on baciflow prevention, see the last bulletfrom item 15 below, j
- 13. There is no cable spreading room in the AP600 design.
d[
\
E Response: This is an accurate statement. $
- 4 (ps i /f $ q.5.I W Westinghouse l
l l- _s
a LB f' E Response: Westinghouse recomn e..ds the stafrevise this statement to read "ne passive containment cooling system (PCS) cooling water not emporatedfrom the vessel wallfIows down to the bottom of the inner containment annulus. Two 100 percent drain openings, located in the side wall of the shield '
Y y building, are always open with screens provided to prevent emry of small animals into the drains. "
p' Note that the spectfic drain costfiguration has changed since what was modeled in PRA Revision )
8, when the drains were located on thefloor of the annulus (see N also 720.440F). nus the st.fs statement should be revised.
f e annulus f drains, d.M. .s -,,L.;;y yiyu uuMao imo megali vi me ';lakGuiidi ill han b the same (or higher) HCLPF value as the Shield Building. Ti =rr that the drain system will not fail C at lower acceleration levels causing water blocking of the PCS air baffle. #
& esponse: Refer to item 6 above regarding placement of the annulus drains. p
%P. sp col okm W Y h The COL applicant penettations during Modesshould 5 and 6develop andwith in accordance implement TS 3.6.8. policies, procedures, and trainin o close cont f
p
' f 5 Response: A COL item in SSAR subsection 13.5.1 states the Combined utense applicant will address plant procedures. A COL item in SSAR subsection 13.2.1 states the applicant will develop and
-i.
implement training programs for plant personnel. These items inherently include following the Technical Specifications. The COL items in SSAR chs.pter 13 rover the stafs statement.
Auxiliary Buildine s
y h ,
1.' Separate ventitation systems are provided for each of the two pairs of safery-related equipment divisions supporting redundant functions (i.e., divisions A&C and B&D). His prevents smoke, hot gases, and fire suppressants originating in divisions A or C from propagating to divisions B and D.
e Q % Response: The stafs statement is covered by_ item 20 of PRA Table 59-29. Note this is essentially a duplicate l ofitem 17 of " general & plant wide requirements ~~ Gg y . i
.r 2. He major rooms housing divisional cabling and equipment (the battety rooms, equipment rooms, I&C i '
rooms, and penetration rooms) are separated by 3-hour rated fire walls without openings. here are no doors, dampers, or seals in these walls, he rooms are served by separate ytntilation subsystems. In order for a fire to propagate from one divisional room to another, it must move part a 3. hour barrier (e.g., a door) into 4
a common corridor and enter the other room through another 3. hour barrier (e.g., another door).
H Response: This is an accurate statement. It is essentially what is described in SSAR subsection 9A.3.1.
720.434F-11 t
1 3
-l
') , - . . :
df Lwt @ t fI s ,a % r a n u s. s La r i es A cds - AcAn AL sw 6 L por Jm m 6 ,yb d.
-M ~' mCDLsh m g + M go de h ig y ro k s w p k ,,;9 udsL LwCx y % 9' M m -
= CA. /4.t Di s9. ssAl2 /3. 5 " D 3. s . s]
l t
l F f L'
. . . , nruvo e
- NRC FSER OPEN ITEM mm Passive Core Cooline Systems (PXS)
IM
'IVe passive core cooling system (PXS) is composed of (1) the accumulator subsystem. (2) the core makeup ta (CMTs) subsystem. (3) the in containment refueling water storage tank (IRWST) subsystem, and (4) the passive residual heat removal (PRTIR) subsystem. In addition, the automatic depressurization system (ADS), which is of the reactor coolant system (RCS), also supports passive core c ions.
l 2 Response:
The stqfs statement it covered b ytem i of PRA Table 5939. l O Assymulators Tne accumulators provide a safety-related means of safety injection of borated water to the RCS. The follow some important aspects of the accumulator subsystem as represented in the PRA:
There are two accumulators, each with an injection line to the reactor vessel / direct vessel injection (DVI) nozzle. Each injection line has two check valves in series.
The reliability of the accumulator subsystem is impcrtant. The COL will maintain the reliability of the accumulater subsystem.
Diversity between the accumulator check valves and the CMT check valves rninimizes the potential for common cause failures.
l EResponse: The staf's statement on accumulators is covere by item la of PRA Table 59-29._ lL Core Makeue Tanks (CMTs)
De CMTs provide safety-related means of high-p' essure safety injection of borated water to the RCS. ne following are some important aspects of CMT subsystem as represented in the PRA:
+
Dere are two CMTs, each with an injection line to the reactor vessel /DVI nozzle. Each CMT has a normally open pressure balance line from an RCS cold leg. Each injection line is isolated with a parallel set of air.
operated valves (AOVs) which open on loss of Class IE de power, loss of air, or loss of the signal from the PMS. The injection line for each CMT also has two normally open check valves in series.
The CMT AOVs are automatically and manually actuated from PMS and DAS and their positions are indicated and alarmed in the control room.
CMT levelinstrumentation provides an actuation signal to initiate automatic ADS and provides the actuation signal for the IRWST squib valves to open.
He CMTs are risk-important for power conditions be.cause the level indicators in the CMTs provide an open signal to ADS and to the IRWST squib valves as the CMTs empty. De COL will maintain the reliability of the CMT subsystem. Dese AOVs are stroke-rested quarterly.
l 720.434F-16 5 1
\
i
r l
l 1 1
CMT is required by the Technical Speci6 cations to be available from power conditions down through cold l shutdown with RCS pressure boundary intact. ~
j l E Response: 1he staff's statement on CMTs is cov ed by item Ic of PRA Table 59-29.
f In-Containment Refueline Water Storgne Tank flRWST) -
He IRWST subsystem provides a safety-relatol means of performing (1) low-pressure safety injection following ADS actuation, (2)long term core cooling via c(ntainment recimulation, and (3) reactor vessel cooling through the !
flooding of the reactor cavity by draining the mWST into the containment. He following are some import l aspects of the IRWST subsystem as represented la the PRA:
IRWST subsystem has the following flowpa hs:
Two (redundant) injection lines from IRWST to reactor vessel DVI nozzle. Each line is isolated with a parallel set of valves; each set with a check valve in series with a squib v'Ive. !
Two (redundand recirculation lines from the containment to the IRWST injection line. Each I recirculation line has two paths: one path contains a squib valve and a MOV, the other path contains a squib valve and a check valve.
l Ec two MOV/ squib valve lines also provide the capability to flood the reactor cavity.
+
There are screens for each IRWST injection line and recirculation line whichjasusg4 hat they are nud by debris or other materish generated in the TD WRT ar containment eurfrC s he COL Applicant will maintain (TielIEility of such screens.
k V.x tuurrd.cJw Explosive (squiM valves provide the pressure boundary and protect the check valves from any potential adverse impact of high differential pressures.
[ 5"7 gff
+
The Squib valves and MOVs are powered by Class 1E de power and their positions are indicated and alarmed De t in the control room.
/g De squib valves and MOVs for injection and recirculation are automatically and manually actuated via PMS, 0
and manually actuated via DAS.
De squib valves and MOVs for reactor cavity flooding are manually acturted via PMS and DAS from the control room.
Diversity of the squib valves in the injection lines and recirculation lines minimizes the potential for common j cause failure between injection and recirculationheactor e ' flooding.
l l +
l Automatic IRWST injection at shutdown conditions is provided using PMS low hot leg level logic.
l 720.434F-17 i
' i i9I PRA'Results and insights Table 59-29 (Sheet 5 of 16)
I l AP600 PRA. BASED INSIGHTS I INSIGHT DISPOSITION l 1d. (cont.)
IRWST injection and recirculation check valves are exercised at each SSAR 3.9.6 i
i refueling. IRWST injection and recirculation squib valve actuators are I tested every 2 years for 20% of the valves. IRWST recirculation MOVs I are stroke-tested quarterly.
'Ihe reliability of the IRWST subsystem is important. The CO will SSAR 16.2 I
I maintain the reliability of the IRWST subsystepjactvdtn t INi~ ]' & 3
!RWST injection and recirculation are required by Technical Specifications SSAR 16.1 I
I to be availab!c from power conditions to refueling without the cavity I flooded.
i
&m MClrC. 0 04Y E 5 '
Revision: 9 Y W85tiflgh0088 fb 59 21i W hN IW3I" Aptil 11,1997
(og (\tanhe o v.,c ca m em d h w h. \~ k a. k tww LL Lh dea M k%
e ,
n t,1,a_a ,_p NPC FSER OPEN ITEM 5^5 ' ****
V yp. : $$AR. b. 3. 2.. z.12 E fr 3. b n
- i ~
n
)
.i. -
IRWST injection and recirculation check valves are exercised at each refueling. IRWST injection and recirculation squib valve actuators are tested every 2 years for 20 percent of the valves. IRWST recirculation MOVs are stroke tested quarterly.
De reliability of the IRWST subsystem is important. The COL will maintain the reliability of the IRWST subsystem.
IRWST injection and recirculation are required by Technical Specifications to be asailable from power conditions to refueling without the cavity flooded.
.i W Response:
The stafs statements above on IRWST is covered by item id of PRA Table $9-29, except Westinghouse wishes to note thefollowing change should be made to what is written above:
\
Y -
l 1
Second bullet - remov'e the work " ensure"for reasons provided earlier in this document. 7 An accurate statement would read * . recirculation line which prevents cloering hv debris
- Also note the COL item is covered by a higher level action of the COL will maintain the reliability of the IRWST subsystem (SSAR Section 17.4).G yL. AD,[v? Ilb The IRWST provides a safety-related long term source of water during shutdown conditions. The following are some ditional important aspects of the IRWST subsystem as represented in the shutdown PRA.
p n o as uring shutdown
~
H Response:
bSM As stated in SSAR section 13.5 the Combined LJcense applicant is responsible for developing administratis e controls. The COL item in SSAR chapter 13 covers the stafs statement at a higher la.3 y_ g l level l
\
. l On low hot leg level, the PMS actuates the squib valves to open allowing grrcvity injection from the IRWST.
/H Response: This statement is a duplicate of the 8th bullet on IRWST(see above). p Epssive Residual Heat Removal (PRHR) System "ihe PRHR provides a safety-related means of perforatitig the following functions: (1) removes core decay heat during accidents, (2) allows adequate plant performance during transient (non-LOCA and non-ATWS) accidents without ADS,(3) allows automatic termination of RCS leak during a SGTR accident without ADS, and (4) provides core cooling and pressure control during the early phase of an ATWS accident.
- E Response: For item (2), recommend changing the word " allows" to "provides." item (4) is ambiguous by using the words early phase of an A7WS. The phrase should read, " allows plant to ride out an l
A1WS event without rod insertion. "
h Q TA E westinghouse no.4w.m N r
8
I
! , o l NRC FSER OPEN ITEM i
l' De following important aspects of the PRHR design and operation features are incorporated in the PRA models:
PRHR is actuated by opening redundant parallel air-operated valves (AOVs). Dese AOVs are designed to j
fail open on loss of Class IE power, loss of air, or loss of signal from the protection and safety monitoring system (PMS).
De PRHR AOVs are automatically actuated by two redundant and diverse I&C systems: (1) the safety-related protection and safety monitoring system (PMS) and (2) the nonsafety-related diverse actuation systern (DAS). De PRHR can also be actuated manually from the control room using either PMS or DAS.
Diversity of the PRHR AOVs from the AOVs in the core makeup tanks (CMTs) minimizes the probability for common cause failure of both PRHR and CMT AOVs.
De positions of the inlet and outlet PRHR valves are indicated and alarmed in the MCR.
J E Response: The stafs above statements on PRHR are covered PRA Table 59-29.
De PRHR AOVs and isolation MOV are tested quatterly. The PRHR HX is flow tested at shutdown.
g Response: It is true the PRHR AOVs are tested quarterly, per IST(SSAR subsection 3.9.6). As stated in the PRA and SSAR, the MOV is closed to test the AOVs, so indirectly, the MOV is also tested; !
however, the MOVis not spec @ed as such perISTand the PRA. The words "and isolation MOV" F;
' j!
should be removedfrom the stfs statement to be technically accurate. It is accurate to say the !
i PRHR HX isflow tested (as is stated by item le in PRA Table 59-29), but it is misleading to say ', !
it is tested at shutdown. The HX is flow tested at shutdown, but not every time the plant is shutdown. Per Technical Spec @ cation, the PRHR HX !sflow nsted every 10 years. It is not an 9 j insightfrom the PRA to include this level of detail (theflow testfrequency). The recommendation is the .itfs bullet above be changed to what is provided by item le in PRA Table 39-29. Ok f!
=
Y Use of the PRHR heat exchanger (HX) for long term cooling causes the IRWST wates to beat up, resul ' g in inventory loss through evaporation. To ensure successful long-term cooling by the PRHR HX, the evaporated IRWST inventory must retum to the IRWST after condensed on the contamment liner and j
collected in the IRWST gutter system. De IRWST gutter system, which directs the water to the containment ;
sump during normal plant operation, ir automatically re aligned to direct the water back to the IRWST during an accident. The following design features ensure proper re-alignment of the gutter system valves to direct water to the IRWST during accidents:
the IRWST gutter and its isolation valves are safety grade the valves that re-direct the flow are designed to fail-safe on loss of compressed air, loss of Class IB DC power, or loss of the PMS signal.
the isolation valves are actuated automatically by PMS and DAS.
I T Westinghouse
NRC FSER OPEN ITEM s tm*~
[
E Response: The stafs statement should be reworded asfollows, to be technically accurate. Note the statement below is consistent with SSAR subsection U2.1.1. ,
"The PRHR HX, in conjunction with the PCS, can provide core cooling for an indefinite period of time. After the IRWST water reaches its saturation temperature, the process of
,f, steaming to the containment initiates. Condensation occurs on the steel containment vessel, and the condensate is collected in a safety-related gutter arrangement which h,
') t returns the condensate to the IRWST. De gutter normally drains to the containment sump, but when the PRHR HX actuates, sqfety related isolation valves in the gutter drain
\l. r, line shut and the gutter overflow returns directly to the IRWST. Thefollowing design
'(* s features provide proper re-alignmentfo the gutter system valves to direct water to a IRWST:" '
ne stafs three sub-bullets above are accurate, except change the word " safety-grade"to " safety.
related" and " fail-safe" to " fall closed. "
Use of the PRHR HX for long-term cooling will result in steaming to the containment. The steam will normally condense on the containment shell and return to the IRWST via the gutter system. If the condensate does not return to the IRWST, the IRWST volume is sufficient for at least 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> of PRHR operation.
Connections to the IRWST are provided from the spent fuel system (SFS) and chemical and volume control system (CVS) to extend PRHR operation. A safety-related makeup connection is also provided from outside the containment through the normal residual heat removal system (RNS) to the IRWST.
, E Response: This is an accurate statement. - cart-4-et cb lL is ( k $$'Al0 A A
- Capability exists in the control room to identify a leak in the PRHR HX which could degrade to a tube rupture under the stress conditions, such as RCS pressure increase and temperature gradients inside the HX tube wells, likely to occur during a postulated accident requiring PRHR operation.
(t,
) <
K Response: Recommend the stafs statement stop q)ter the words " tube rupture". By continuing with the . $C specVics of tying this to a transient, it deminishes the leak tightness capability. Note the statemrnt Lb ' , *l gs will be consistent with PRA Table 59.20 item to hy ending the sentence as recommended. Also O note the operator guidNe is provided via Technical Specipcation 3.4.& Y e
Technical Specifications require the PD" te h .yailable, with RCS boundary intact, from power condh down through cold shutdownMwe is provided)for operator acuon whTn a Icar is detected in the PRHR he HX which cou5degradirT5'iftu rupture cunng normal power operation conditions or nder stress Ditions,such as RCS pressurei rease and temperature gradients inside the HX tube walls,li ly to occur h L*
t-p during a postulated accident tring PRHR operation.
Response: The prst sentenc is an accurate statement. De second sentence is essen ' a repeat of the previous bullet. Recommend the second sentence be deleted.
hG f5.d' h W Westinghouse a
,' 720.434F-20 P
a 1 \\
- 59. PRA Results and Insights 1
j l Table 59-29 (Sheet 6 of 16) i l '
l AP600 PRA-BASED INSIGHTS INSIGHT DISPOSITION l
Passive residual heat removal (PRHR) provides a safety-related means of SSAR 6.3.1 &
l le. 6.3.3 I perfor ning the following functions:
l - Removes core decay heat duritag accidents 1 - Allows automatic termination of RCS leak during a steam generator tube l rupture (SGTR) without ADS.
I The following are some important aspects of the PRHR subsystem as represented l in the PRA:
SSAR 6.3.2 1
PRHR is actuated by opening redundant parallel air-operated valves. These l air-operated valves open on loss of Class 15 power, loss of air, or loss of I the signal from PMS.
Certified Design l
'Ihe PRHR air-operated valves are automatically actuated and manually Material I
actuated from the control room by either PMS or DAS.
SSAR 6.3.2 i Diversity of the PRHR air operated valves from the CMT air-operated valves
-- l minimizes the probability for common cause failure of both PRHR and CMT
-l air-operated valves.
SSAR 6.3.1 &
l Long-term cooling of PRHR will result in steaming to the containment. The '
syste n drawings I
steam will normally condense on the containment shell and return to the IRWST. If the steam condensation does not return to the IRWST, the ;
i IRWST volume is sufficient for at least 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> of PRHR operadon.
l 1
Connections are provided to IRWST from the spent fuel system (SFS) and !
chemical and volume control system (CVS) to extend PRHR operation. A l
I safety-related makeup connection is also provided from outside the l
containment through the normal residual heat removal system (RNS) to the udogod% '..,preddel l IRWST.
SSAR 6.3.3 &
I Capability exist (for thE control room opdrator to identify a leak in the 16.1 PRHR HX before it can degrade to a tube rupture during a ,ubsequent I
I design basis accident (DBA).
SSAR 6.3.7 1
The positions of the inlet and outlet PRHR valves are indicated and alarmed l in the control room.
SSAR 3.9.6 I
PRHR mir-operated valves are stroke-tested quarterly. The PRHR HX is flow tested to detect system performance degradation.
i SSAR 16.1 I
PRHR is required by the Tech'sical Specifications to be available from I power conditions down through cold shutdown with RCS pressure boundary l intact.
ENEL T MWe l Revision: 9 'A h April 11,1997 mwvev.9 c59*pf Ib.04:197 59 212 g
l c -
- m m:
E j}!
L ,,,
=
ne PRHRfsystem provides a safhy-r ated means of removing decay heat following loss of .L .h cooling dunng safe / cold shutdown *rtfithe RCS intact.
RN5 h
b K Response: Change the words "shurdown cooling" to "RNS cooling". This is an accurare statement and is S17 2,q covered by Technical SpecUication bases 3.5.5..
&Q, Automatic Depressurization System (ADS) D M*
ADS provides a safety-related means of depressurizing the RCS. He following are some important aspects of ADS as represented in the PRA:
ADS has four stages. Each stage is arranged into two separate groups of valves and lines. Stages 1,2, and 3 discharge from the top of the pressurizer to the IRWST. Stage 4 discharges from the hot leg to the RCS toop compartment.
j e
Each stage I,2, and 3 line contains two MOVs in series. Each stage 4 line contains an MOV valve and a squib valve in series.
The valve arrangement and positioning for each stage is designed to reduce spurious actuation of ADS.
Stage 1,2, and 3 MOVs are normally closed and have separate controls.
Each stage 4 squib valve has redundant, series controllers.
Stage 4 is blocked from opening at high RCS pressures.
The ADS valves are automatically and manually actuated via the protection and safety monitoring system (PMS), and manually actuated via the diverse actuation system (DAS).
The ADS valves are powered from Class IE de power and their positions are indicated and alarmed in the control room.
Stage I,2, and 3 valves are stroke-tested every 6 months. Note: Westinghouse has indicated that this requirement may change as a result of an NRC review. Stage 4 squib valve actuators are tested every 2 years j for 20 percent of the valves.
i The reliability of the ADS is important. He COL will maintain the reliability of the ADS.
ADS is required by the Technical Specifications to be available from power conditions down through refueling without the cavity flooded.
i l
- Depressurization of the RCS through ADS minimizes the potential for high-pressure melt ejection events. {
Procedures will be provided for use of the ADS for depressurization of the RCS during a severe accident. )
l l
I i
W Westirigh0ilst 720.434F-21 l2 i L
h NRC FSER OPEN ITEM 4
\
IB & Y W Response:
The stafs above statements on ADS are covered by item Ib of PRA Table 59-29. Notefor the 6th
,~ bullet, as a result of NRC review, the stage 1, 2, and 3 valves are now stroke-tested every cold g6 shutdown. With the number ofcold shutdowns and refuelings assumed in the shutdown PRA, the Q testfrequency is equivalent to being tested every 6 months. PRA Table 59 29 will be revised appropriately. Notefor the 9th bullet, the wording "during a severe accident" should be changed to " aper core uncovery."
Fire-induced hot shorts, especially in I&C copper cables from the protection logic cabinets to the squib valve operators, could cause detonation of a squib vaive. His risk important concern should be addressed by -
appropriate power and control cable separation and routing and by the incorporation of features and requirements in the detailed design of ADS cabling. -
I5V-W Response: u'::"~ =4neHee mme the words of the stafs statement be changed to read as describe n S$bsection 9A.2. ,1 pecipca
- Spurious actuation ofsouib valves is prevented by rh Q ,
of a souib val" enntroller circu which reautres muitiale hot shorts for actuattore physical se j Y
separation from thefire rone." of Notepotential hot as stated in the short ternalfre PRAlocations, and provisions analysis, it is conservatively modeled for coerator actio in the PRA analysis that one hot short can ause spurious ADS squib valve actu whereas, a
per design, multiple hot shorts are required. (e.y , & ,_, 4 )ged.
- 4) h ne first, second, and third-stage valves, connected to the top of the pressurizer, 7, f, provide preclude pressurization of the RCS during shutdown conditions,if_ decay hcat removal is losj. C- R,m1 f
7g age ADS valve is required to open if gravity injection is actuated during cold shutdown and refueling with ycag g the RCS is open to preclude surge line flooding. On low low hot leg level (empty hot leg), the PMS signals the ADS 4th stage squibs to open to preclude surge line flooding. /q Q@y#
lE Response:
This is an accurate statement. A statement will be added to PRA Table 59-29./
Normal Residual Heat Removal System (RNS)
De normal residual heat removal system (RNS) provides the following nonsafety-telated means of core cooling during accidents: (1) RCS recirculation at shutdown conditions, (2) low pressure pumped injection from the IRWST, and (3)long-term pumped recirculation from the containment sump. Such RNS functions provide defense-in-depth in mitigating accidents, in addition to that provided by the passive safety-related systems.
E Response: This is an accurate statement. The statement is cove by item 6 of PRA Table 59 he following are some important aspects of RNS as represented in the PRA:
ne RNS has redundant pumps, powered by separ.*. non-Ch IE buses with backup connections from the diesel generators, and redundant heat exchangers.
W Response: This is an accurate statement and is covered item 6 ofPRA Table 59-29. o Yi1 W westinghouse m m 22 M
P
- / e\4 lnSor 5 l
l i
- ) ID ^
)
b}3 Cohkos Q {ow ygg C"Nc- hay , >& N o s,<. q dudy uses wk%s \oema w 44 I cab'meAh ,
s%,
be l
I i
M
NRC FSER OPEN ITEM M:,
a De RNS provides safety-related means for (1) containment isolation at the penetration of the RNS lines,(2)
RCS isolation at the RNS suction and discharge lines, and (3) IRWST and containment sump inventory [
makeup. '
E Response: Excep_tfor point aL the above is an accurate statement and covered by item 6 of PRA Table 59
- 29. Item (3) is incorrect. RNS does not provide a sqfety-related means, but rather a defense-i depth function ofIRWST and containment sump inventory makeup. TV f
a The RN many angned from tne conuoi wvm ie p~;'= aaa;ote cooling functions (SSAR .
Emergency Response Guidelines (ERGS) are provided for aligning the RNS from the control room for RUs injection and recirculation.
E Response: This is an accurate statement. h. lff, y Recirculation from the containment sump is actuated automatically by a low IRWST!evel signal or manually from the control room, if automatic actuation fails. j
>p E !!esponse: This statement is misleading as worded. It should read "PXS recirculadon valves are automatically actuated . ." It is believed the staf was intending to mean the IRWST recirculation valves rather than an RNS -ecirculation (i.e., pumps stop, start) as could be interpreted by the P.h statement. Note that sf RNS is operating, the RNS pumps will continue to operate and provide Wi containment recircularion.
YantrYc.
For long-term recirculation operation, the GRN5 pumps take suction from oefy(d y
one of the tw recirculation lines. Unrestricted flow through bc<h parallel paths (one containing an MOV and a squib valve in series, the other containing a check valve and a squib valve in series)is required for success of the sump recirculation function when both RNS pumps are running. If one of the two parallel paths fails to open.
operator action (in the control room through PMS) is required to manually throttle the RNS discharge MOV (V011) to prevent pump cavitation. [ ERGS).
~'y E Response: This is an accurate statement per the PRA.
a With the umps aligned either to the IRWST or the containment sump, the pumps' net positive suction head (NPSH) is adequate to prevent pump cavitation and failute even when the IRWST or sump inventory h
is saturated.
4 E Response: Change NRHR to RNS. This above is an accurate statement.
The RNS containment isolation and RCS pressure boundary valves are safety related. The MOVs are powered by Class 1E de power.
m JE Response: This is consiste with item 6 of PRA Table 59-29.
, C1h 720.434r-23 I5' l 1
i i
,d . .
T 59. PRA Results sad Insights 1
1
'l Table 59-29 (Sheet 13 of 16) l I AP600 PRA BASED INSIGHTS 1 INSIGHT DISPOSITION I 6. The normal residual heat removal system (RNS) provides a safety-related means Certified Designj l of performing the following functions: Material 1 - Containment isolation for the RNS lines that penetrate the containment 1 - Isolation of the reactor coolant system at the RNS suction and discharge l lines Makeup of containment inventory. d I -
L*Aag-4trm g Pet-at,Re,tt l SSAR 5.4.7 I RNS'provides a nonsafety-related means of core cooling through: l l - RCS recirculation at shutdown conditions
! - I.ow pressure pumped injection from the IRWST and tong temi pumped I recirculation from the containment.
l The RNS has redundant pumps and heat exchangers. De pumps are powered SSAR 5.4.7 &
1 by non-Class IE power with backup connections from the diesel generators. 8.3 I RNS is manually aligned from the control room to perform its core cooling SSAR 5.4.7 l functions. De performance of the RNS is indicated in the control room.
The RNS containment isolation and pressure boundary valves are safety related. Certified Design l
-l De motor-operated valves are powered by Class IE de power. Material l ne containment isolation valves in the .RNS piping automatically close via SSAR 7.3.1 PMS with a high radiation signal. j 1
l ne RNS containment isolation MOVs are automatically and manually actuated SSAR 7.3.1 l
l viaPMS.
1 Interfacing system loss-of-coolant awident (1.OCA) between the RNS and the SSAR 5.4.7 7 't l ICS is prevented by:
I - Each RNS line is isolated by at least three valves.
l - De RNS equipment outside containment is capable of withstanding the I operating pressure of the RCS.
1 - The RCS isolatien valves are interlocked to prevent their opening at RCS l pressures above its design pressure.
Certified Design I CCS provides cooling to the RNS heat exchanger.
l Material l Planned maimenance of the RNS is performed at-power.
l l
Revisiont 9 T Westingh0U88 fb 59-219 April 11,1997 oW M ***l'"
i
NRC FSER OPEN ITEM j s-a J, M He containmen olation valves in the RNS piping close automatically via PMS w h a high radiation signal.
Wettin oh- ady;;;ini;2: 9' ~ An all accitient red * .: L; 6 se iM/,The containment radiation
~
g* i level isMiow the point that would cause the RNS MOVs to automatically cNse. l E Responq[ b WM hi nrst sententissoasistent with item 6 ofPRA Table 59 29. The second sentence tends to lead \
beyond an insight from the PRA. However, if the staf explains why it considers this an insight, then Westinghouse recommends the second sentence be reworded to read: The actuation setpoint ,
was established consistent with a DBA non-mechardstic source term associated with a large l LOCA."
- i He following AP600 design features contribute to the low likelihood ofinterfacing system LOCAs through I the NRHR system: Dj p%'fU-He portion of the RNS outside containment is capable of withstanding the operating pressure of the RCS. .p-4 I 1
M A relief valve located in the common RNS discharge line outside containment provides protection against excess pnessure.
/
Each RNS line is isolated by at least three valves y West Me k he pressure in the RNS pump suction line is continuously indicated and alarmed in the main control room.
g g
p[7 The pump suction isolation valves connecting the RNS pumps to the RCS bot leg are interlock w RCS pressure so that they cannot be opened until the RCS pressure is less than 450 psig. His preve i overpressurization of the RCS when the RNS is aligned for shutdown cooling. %,
- 0 Re two remotely operated MOVs connecting the suction and discharge headers, respectively, to th IRWST are interlocked with the isolation valves connecting the RNS pumps to the hot leg. His prevents inadvertent opening of any of these two MOVs when the RNS is aligned for shutdown cooling 4 ,
atal potential diversion and draining of reactor coolant system. '
He power to the four isolation MOVs connecting the RNS pumps to the RCS hot leg is administratively blocked at their motor control centers during normal power operation. [ COL].
y J e De operability of the RNS is tested, via connections to the IRWST, immediately before its alignment to the RCS hot leg, for shutdown cooling [dd.
o mirain-lix.. [55/G. COL, LuccouisM,t: rn; iei ;6 m au eay q~a ;u ..d /&er in the l
i W Westinghouse 720.434F-24 17 1
t
1 I
NRC FSER OPEN ITEM s imii 1
_W. Response:
Westinghouse has the followine comments for the styf's above statement:
Change ~fR system"to "RWpY Second sutubullet ss a un . ..~.u;T, but notfa d ir.to the PRA and is not a key to providing a low likelihood ofinterfacing systems LOCA. nus, Westinghouse does not see this as an imponant statement to include as an insight. I Last sub-bullet: It is true that the system is tested: however, it is done to test operabilk stN*-
of the system, not solely to minimite potentialfor interfacing .ryetems LOCA or to detect o./
an open valve in the drain lines. However, the testing does have this end result effect. A O) g.
ne words shoul<f be revised appropriately.
M 1
De IRWSTsuction isolatia. tr. ee (V d the RCS pressure boundary isolation valves (V001 A, Vt, V002A and V002B) are qualified f r DB E Response:
nditions.
y h k snavS V W A '
A ' fh J j
11 is not understood why the staff's statement is an insightfrom the PRA.
hs e.
< s 5
De reliability of the IRWST suction isolation valve (V023) to open on demand (for RNS injection during . b. !
g ,,y power operation _and for IRWSTyravityinq'ection via the RNS hot leg connection during shutdown operation)
- is important he-COL %ill ensure high reliabilitf'1GQl,. D-RAP). acdd
/ !
E Response: Q w ? m lad v>/ eit.ak This item is acceptable and is covered by SSAR section 17.4 (RAP). ps , mhtJ'sr%r* Q
,y \
i L., et>e5 P. I
!y. l .
( An alternative gravity injection path is provided through RNS V-023 during cold shutdown and refueling conditions with the RCS open. De COL applicant should have policies that maximize the availability of this c*'Tb
, P, valve and procedures to open this valve during cold shutdown and refueling operations when the RCS is open.
3, E Response: 'Ihe ERGS cover the operation of the valve. In addition, as stated in SSAR section 13.5, it is the Q responsibility of the Combined Ucense applicant to develop procedures.
Re COL applicant will maintain RNS and its support systems (CCS and SWS) during power operation.
E Response: To be accurate and consistent hAR sec 16.3 2, item 2.2), change the statement to read: " Planned maintenance afectinn the RNS cooling function and its support yhould}tstiformed in Modes 1, 2, 3 when the RNS is not norkmaating. "
The COL applicant will have administrative controls to maximize the hkelihood that RNS valve V-023 M be able to open if needed during Mode 5 when the RCS is open, and PRHR c E Response: As stated in SSAR section 13.5, it is the responsibiti*y of the Combined Uceru: applicant to I35 develop administrative procedures. 60 .
l t )o :
tv O')ds pf f
l g Westinghouse 720.434F-25 q
/8 \
c
i c'
NRC FSER OPEN ITEM
& b l w f g s nadvertent opening of RNS valve V024 results in a draindo n of RCS inventory to the IRWST and '
requires gravity injection from the IRWSTge COL applicantanlEue administrative controls to ensure that gg inadvertent opening of this valve is unlikely. E ;f2:2... S COL appE=* ^~dhee duenor4a.the Ay
%maa.seliability-analysis /hurtfa4VactorsTrigTikiing'tntegation4mplementation plan. ch#"3y E Response: As stated in mnSP.
st.clian n 5 it is the responsibility of the Combined License applicant to develop administrative procedures.
De RNS is an impxtant " defense in-depth" system for accidents initiated while the plant is at power or at mid-loop during shutdown. De availability control of the RNS and its support systems (CCW SWS and diesel generators)is covered in SSAR Section 16.3. [R'INSS). [(
g W Response: The reason RNS is important while the plant is at power is not because it is important per the PRA 'V results or importance listings, but rather because it provides margin for long term cooling T&H uncertainty. Otherwise, the stafs statement is accurate. q p
Slarlyp Feedwater System (SFW)
('
The SFW system ptovides a nonsafety-related means of delivering feedwater to the steam generators (SGs) whc the niain feedwater pumps are unavailable during an transient. His capability provides an attemate core cooling mechanism to the PRIIR heat exchanger for non-LOCA and SGTR accidents which minimizes the PRHR challenge jd rate. The reliability of the SFW system will be maintained by the COL Applicant [D RAP). Y
~ h*
E Response: The stafs statement is essentia!!y taken directlyfrom the 5 Tab! .4iRAb be accurate, note the words should read startupfeedwater system twmps.
rationale provided in this table g for why the startup feedwater pumps are included is based on the Emert Panel, not PRA. s, Therefore, it is not clear why the staf's statement is considered an insightfrom the PRA.
y '
5-Instrumentation and Control (I&C) )
The following three I&C systems are credited in the PRA for providing monitoring and control functions during $f, accidents: (1) the safety related Protection and Safety Monitoring System (PMS),(2) the nonsafety-related Diverse Actuation System (DAS), and (3) the nonsafety-related Plant Control System (PLS).
M De PMS provides a safety-related means of perfonning the following functions:
Automatic and manual reactor trip.
Automatic and manual actuation of enginected safety features (ESF).
Monitor the safety-related functions during and following an acekicat as4equitedhtRegulatory Guide 1.97.
E Response: The stafs statements on PMS cre cove d by item 2 of PRA Table 59 29.) O i
l 720.434F-26 W
Westinghouse M
r l s NHC FSER OPEN ITEM De DAS provides a nonsafety-related means of performing the following functions.
Automatic and manual reactor trip. i I
1 Anomatic and manual actuation of selected engineered safety features.
l Provides control room indication for monitoring of selected safety-related functions.
R Response: The stafs statements on DAS are cove by item 3 of PM 1able 39 ZD lb The PLS provides a nonsafety-related means of performing the folloWL.e....
Automatic and manual control of nonsafety-related systems, including " defense-in-depth" systems (e.g., RNS). d 6 l Provides control room indication for monitoring overall plant and nonsafety-related system performance. ,
E Response: SSAR subsection 7.1.1 support the stafs statements on PLS; however, on thefirst bullet, she word \
" systems" should be changed to " functions."
l The following are some important aspects of PMS as represented in the PRA:
He PMS has four (redundant) divisions of reactor trip acd ESP actuation and automatically produces a reactor trip or ESF initiation upon an attempt to bypass more than two channels of a function that uses
~
2-out-of-4 logic.
De PMS has redundant divisions of safety-related post-accident parameter display.
. Each PMS division is powered from its respective Class IE de division.
- The PMS provides fixed position controls in the control room.
He reliability of the PMS is ensured by redundancy and functional diversity within each division:
The reactor trip functions are divided into two functionally diverse subsystems.
ne ESF functions are processed by two microprocessor based subsystems that are functionally identical in both hardware and software.
Separate input channels are provided for the' reactor trip and the ESF actuation functions, with the exception of sensors which may be shared.
l
. Sensor redundancy and diversity contribute to the reliab6 < of PMS. Four sensors normally monitor variables used for an ESF actuation. Different type sensors, or same type sensors in different environment, minimize common cause failures.
1 l
l 720.434F-27 3 Westinghouse 1 o20
NRC FSEP Olii4 ! TEM s
- "--~
l Continuous automatic PMS system monitoring and failure detection' alarm is provided.
l PMS equipment is designed to accommodate a loss of the normal heating, ventilation, and air conditioning (HVAC). PMS equipment is protected by the passive heat sinks upon failure or degradation of the active HVAC. !
+
The reliability of the PMS is important. The COL will maintain the reliability of the PMS.
%e PMS software is designed, tested, and maintained to be reliable under a controlled verification and validation program written in accordance with IEEE 7-43.2 (1993) that has been endorsed by Regulatory ,
Guide 1.152. Elements that contribute to a reliable software design include: 1 A formalized development, modification, and acceptance process in accordance with an approved software QA plan (paraphrased from IEEE standard, Section 53, " Quality") l A verification and validation program prepared to confirm the design implemented will function as l
required (IEEE standard, Section 5.3.4, " Verification and Validation") 1 Equipment qualification testing performed to demonstrate that the system will functiou t,s required in the environment it is intended to be installed in (IEEE standard, Sectic:s 5.4. "Equipmendhalification" ;
i Design for system integrity (performing its intended safety function) when subjected tnll conditiors, external or intetnal, that have significant potential for defeating the safety furetion (abnormal conditiens s_- )
and events) (IEEE standard, Section 5.5, " System Integrity") ;
Software configuration management process (IEEE standard, Section 5.3.5, " Software Configuration i Management"). dp
}! Response:
ne stafs above statements on PMSare covere by item 2 ofPRA Table 59 29, exceptfor the 7th C
bullet. Westinghouse does not claim specsfically '
wrirren as shedhirttTe'ntence of the stofs p ,
7th bullet. Rather, functional diversity minimizes the common causefailure among sensors, g
He following are some important aspects of DAS as represented in the PRA:
Diversity is assumed in the PRA that eliminates the potential for common cause failures between PMS and DAS. De DAS automatic actuation signals are generated in a functionally diverse manner from the PMS signals. Diversity between the DAS and PMS is achieved by the use of different architecture, different hardware implementations, and different software.
DAS provides control room displays and fixed position controls to allow the operators to take manual actions.
DAS actuates using 2-out-of-2 logic. Actuation signals are output to the loads in the form of normally de-energized, coergize-to-actuate signals. The normally de-energized output state, along with the dual 2-out-of 2 redundancy, reduces the probability of inadvertent actuation.
720.434F-28 c3
l l
l NRC FSER OPEN TEM De actuation devices of DAS and PMS are capable ofindependent operation that is not affected by the operation of the other. De DAS is designed to actuate components only in a manner that initiates the safety function.
Capability is provided for on-line testing and calibration of the DAS channels, including sensors.
Re DAS manual initiation functions are implemented in a manner that bypasses the signal processing equipment of the: DAS automatic logic. His eliminates the potential for common cause failures between j autornatic and manual DAS functions.
I .
De DAS reactnr tda functinn it imntement*A thmuch a trip of the control rods via the motor-generator (M-G) set which6eparate and diverse from the reactor trip %%e COL wil: maintain the reliability of the LO set breakers [D-RAP). gad Mittho ekt/dd.E O N.
. 'V DAS is an imponant " defense-in-depth" system. The availability of DAS, with respect to both its reactor trip t and ESF actuation functions, will be controlled. [RTNSS). De COL will maintain its reliability [D-RAP).
E Response: The stafs above statements on DA S are covered em 3 cfPRA Table S9-2 , xceptfor the 5th bullet, which is supported by SSAR sulsection 7.7.1.IlN C DP D k, .
The following are some important aspects of Pl.S as represented in the PRA: W
- PLS has redundancy to rninimize plant transients.
PLS provides capability for both automatic control and manual control.
Redundant signal selectors provide PLS with the ability to obtain inputs from the integrated protection cabinets in the PMS. He signal selector function maintains the independence of the PLS and PMS. He signal selectors select those protection system signals that represent the actual status of the plant and reject !
erroneous signals.
PLS control functions are distributed across muhiple distributed controllers so that single failures within a controller do not degrade the performance of control functions performeJ byvmu u llers. !
l -~
E Response: The stafs statements on PLS are cove y item 4 of PRA Table 59 29. LL Ons,ite Power The onsite power system consists of the main ac power system and the de power system. %e main ac power system l is a non-Class IE system. he de power system consists of two independent systems: the Class IE de system and l the non-Class IE de system.
- & Og K Response
- The stafs statement is covered item $a of PRA Table 59-29.
$ wawun sgk J.M y m"C" J -gewus co .$ie nbe < WA un ceAeub y (d sf a 55M/6.3) ;
I L
l i
/ 59. PRA Results and Insights
/
I l Table 59-29 (Sheet 9 of 16) l i AP600 PRA BASED INSIGHTS l INSIGHT DISPOSITION l 3. The diverse actuation system (DAS) provides a nonsafety-related means of Certified Design l performing the following functions: Material l . Initiates automatic and manual reactor trip I - Automatic and manual actuation of selected engineered safety features.
I Diversity is assumed in the PRA that climinates the potecial for common cause I failures between PMS and DAS.
l . The DAS automatic actuation signals are generated in a enctionally dsverse Certified Design i manner from the PMS signals. Diversity between DAS and PMS is Material l achieved by the use of different architecture, different hardware !
I implementations, and different software.
l DAS provides control room displays and fixed position controls to allow the SSAR 7.7.1 l operators to take manual actions.
I DAS actuates using 2 out-of-2 logic. Actuation signals are output to the loads SSAR 7.7.1.11 l in the form of normally de-energized, energize-to-actuate signals. 'Ihe normally de-energized output state, along with the dua 2-out-of-2 redundancy, reduces I I
_ l the probability of inadvertent actuation.
l 'Ihe actuation devices of DAS and PMS are capable of independent operation SSAR 7.7.1.11 1 that is not affected by the operation of the other. The DAS is designed to I actuate components only in a manner that initiates the safety function.
I 'Ihe DAS reactor trip function is to trip the control rods via the motor-generator SSAR 7.7.1.11 l set.
I in th'e PRA it is assumed the following eliminates the potential for common i cause failures between automatic and manual DAS functions.
DAS manual initiation functions are implemented in a manner that bypasses Certified Design 1 -
l the signal processing equipment of the DAS automatic logic. Material l j The COI. will maintain the reliability of the / DAS hcLEM NG Sef SSAR 16.2
/ J wkra. l I
i l
l I
i Revision: 9 i W Westinghouse ENEL -
April 11 t1997
- e,tas59-215 op_w.594 wn" -
Sb '
1
T NRC FSER OPEN ITEM s
mammm M
The main ac power system is a non-Class IE system comprised of a normal, preferred, and stendby power system.
It distributes power to the reactor, turbine, and balance of plant auxiliary electrical loads for startep, normal operation, and normal / emergency shutdown, E Response: The stqfs statement is covered by i m Sa of PRAlah - 29. d The Class IB de and uninterruptible power supply (UPS) ju - CDS; pun s reliable power for the safety-related equipment required for the plant instmmentation, control, monitoring, and other vital functions needed for shutdown of the plant.
E Response: The stqfs statement is cover . y item $b ofPRA TN!e $9h 4 6Y ne non-Class IE de and UPS system (EDS) cons .. J um upply and distribution equipment that provide de and uninterruptible ac power to nonsafety-rel " L4.,
E Response: The stqfs statement is covered y item 5c of PRA Table 59-29. O ,CO
\
ne following are some important aspects of the main t yvwc1 system as represented in the PRA:
The arrangement of the buses permits feeding functionally redundant pumps or groups ofloads from separate
_ buses and enhances the plant operational reliability.
~
During power generation mode, the turbine generator normally supplies electric power to the plant auxiliary !
loads through the unit auxiliary transformers. During plant startup, shutdown, and maintenance, the main ac power is provided by the preferred power supply from the high-voltage switchyard. The onsite standby power system powered by the two onsite standby diesel generators supplies power to selected loads in the event of loss of normal and preferred ac power supplies.
Two onsite standby diesel generator units, each furnished with its own support subsystems, provide powee to the selected plant nonsafety-related ac loads.
On loss of power to a 4160 V diesel-backed bus, the associated diesel generator automatically starts and produces ac power. The normal source circuit breaker and bus load circuit breakers are opened, and the generator is connected to the bus. Each generator has an automatic lead sequencer to enable controlled loading on the associated buses.
2 Response: The stqfs statements on main ac power are cov ed by item Sa of PRA Table 59-2 . ;
I l
9g 720.434F-30 c2
L 1 -
i NRC FSER OPEN ITEM i I
i ne following are some important aspects of the Class IE de and UPS system (IDS) as represented in the PRA:
l .
Here are four independent, Class IE 125 V de divisions. Divisions A and D cach consists of one battery i bank, one switchboard, and one battery charger. Divisions B and C are each composed of two battery banks, l two switchboards, and two battery chargers. He first battery bank in the four divisions is designated as the l 24-hour battery bank. De second battery bank in Divisions B and C is designated as the 72-hour battery bank.
I i De 24-hour battery banks provide power to the loads required for the first 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> following an e' vent of
! loss of all ac power sources concurrent with a design basis accident. He 72-hour battery banks provide ;
power to those loads requiring power for 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> following the same event.
Battery chargers are connected to de switchboard buses. ne input ac power for the Class IE de battery chargers is supplied from non-Class IE 480 V ac diesel-generator-backed motor control centers.
ne 24-hour and 72-hour battery banks are housed in ventilated rooms apart from chargers and distribution equipment.
Each of the four divisions of de systems are electrically isolated and physically separated to prevent an event from causing the loss of more than one division.
l Reliability of the Class 1E batteries is important. He COL will maintain the reliabifi_tv of the equipment.
E Responre: The stafs statements on Class IE dc power are cover d by item 3b of PRA Table 59-29.
ne following are some important aspects of the non-Class 1E de and UPS system as represented in the PRA .
j l
He non-Class IE de and UPS system consists of two subsystems representing two separate power supply trains. l l .
EDS load groups 1,2, and 3 provide 125 V de power to the associated inverter units that supply the ac power to the non-Class IE uninterruptible power supply ac system.
He onsite standby diesel-generator-backed 480 V ac distribution system provides the normal ac power to the battery chargers.
ne batteries are sized to supply the system loads for a period of at least two hours after loss of all ac power l sources.
l E Response: The stafs statements on non-Class IE de power are cove d by item $c of RA Table 59-2 htCLG 720.434F-31 L
. .= .
NRC FSER OPEN ITEM N w-
- IM Component Cooline Water System (CCS)
I ne component cooling water system (CCS)is a nonsafety-related system that removes heat from various components and transfers the heat to the service water system. He following are some important aspects of the CCS as repre-sented in the PRA: '
De CCS is arranged into two trains. Each train includes one pump and one heat exchanger.
During normal operation, one CCS pump is operating. De standby pump is aligned to automatically start l in case of a failure of the operating CCS pump.
{
The CCS pumps are automatically loaded on the standby diesel generator in the event of a loss of normal ac power. He CCS, therefore, continues to provide cooling of required components if normal ac power is lost.
E Response: The stafs starements on CCS are cove d by item 7 of PRA T 9 29. O Service Water System (SWS)
The service water system (SWS)is a nonsafety-related system that transfers heat from the component cooling water heat exchangers to the atmosphere. He following are some important aspects of the SWS as represent 4 in the PRA:
a ne SWS is ananged into two trains. Each train includes one pump, one strainer, and one cooling tower ce!!.
1 During normal operation, one SWS train of equipment h operating. De standby train is aligned to automatical:v start in case of a failure of the operating SW8 pump.
Re SWS pumps and cooling tower fans are automatically loaded onto their associated diesel bus in the event of a loss of normal ac power. Both pumps and cooling tower fsns automatically start after power from the diesel generator is available.
E Response: The stafs statements on SWS are cov ed by item 8 A T.: 29.
s h ;
i I
720.434F 32 g ,
,s a NRC FSER OPEN ITEM Chemical and Volume Control System (CVS) @ j& Acn f** ) l y ne chemical and volume control system (CVS) provides a safety-related means to terminate inadvertent RCS boron v dilution. In addition, the CVS provides a nonsafety-related means to (1) provide makeup water to the RCS during normal plant operation,(2) provide boration following a failure of reactor trip, (3) provide coolant to the pressurir a
k :s;uxiliary spray line,(4) safety related portions of the CVS provide inadvertent bororddctionj fg ~h'ad pdadh: CVS pic,.golation of normal CVS letdown during shutdown operation on low hot j
/gh leg level.
EResponse:
The stqFs above statement on CVS is covered byltafpf PRA Table $9-29 with supportfrom i
.' SSAR subsection 9.3_6. Note the second sentence begins by discussing nonsafety-related means, but items (4) and (5) state sqfety-related portions. It could be a confusing sentence. Also note, item (4) is a repeat of theprst sentence.
He following are some important aspects of CVS as represented in the PRA:
l
- He CVS has two makeup pumps and each pump is capabic of providing normal makeup. j E Response: This statement is cover d by item 9 of PRA ble One CVS pump is configured to operate on demand while the other CVS pump is in standby, ne operation ky M of these pumps will alternate periodicallypr: .J.:4 L i cLh- M E Response: The stpfs statement is accurate per PRA assumptions. The prst sentence is tre: The second INtt uf .
sentence's monthly statement is an assumption of the PRA: however, good operating practices would callfor the COL to periodically alternate the pumps. l
to isolate letdown during Mode 4 (when RNS is in operation), 5, and Mode 6 (with the upper internals ,
in place and the refueling cavity less than half full) as required by AP600 TS.
t 0 i E Response: Only two of the A0Vs are safety-related, the third is nonsAfety-related. Exceptfor this error, th above statement is true per the ESF Technical Spectfication.
,ff ,
D (()0 lated PMS boron dilution signal automatically re-aligns CVS pump suction to the boric acid tan -
He safes @ignal also closes the two safety-related CVS demineralized water sup his same ;
actuates on any reactor trip signal, source range flux multiplication signal, low input voltage to the Class IE ,
DC power system battery chargers, or a safety injection signal. 9 E Response: This is an accurate statement.
\
\W ' f I He CO.. applicant will maintain procedures to respond to low bot leg level alarms.3 /)JJ- .
E Response: The shutdown ERGS cover the procedure to respond to low hot leg level al rms.
/
720.434F-33 W Westinghouse
~
f p+p P
.m - -
l - <a - - . , .
1 . . . .
1 ~
l f or $~
- $9. PRA Results and Insights ve- $
j l M n 3e Table 59-29 (Sheet 15 of 16) l l
AP600 PRA. BASED INSIGHTS l
[ INSIGHT DISPOSITION l p[yM .i * ' , "
g l 12. Sufficient instrumentati and control is provided at the remote shutdown SSAR 7. 3 J4 l I
p /*hd b workstation room to bring th plant to safe shutdown conditions must be evacuat
. ~1h4 a^ 8 ^* h +wo m 'n ase 'y u thegontrolMCR4
~ { "'" g 4 yp' i P'5 g p
er ,.wm .
- 13. n Separation /lol,the equip nent and cabling among the divisions of safery-related
&p ,p
[SAR 3.4.1.1.2, g l
>l e ulpment and separati}on of safety-related from nonsafety-related equipment cM e probab j 9.5.1.2.1.1 & 9A g .
elased-sys..... m. uo .Q.1 W- /u J h 'y',i,l.s h 4thatda fire orLflood would affect 4 p.
~~ ^- :=N:
1 m.
l 14. 'The following minimizes the probability for fire'and Good propagation from one I ;
area to another and helps limit risk from intern ,
I n M i -
Fire barriers are scaled, to the extent possibt andil arriers are SSAR 3.4.1.1.2 &
I watertight. Each fire door is alarmed and monitored in the control room. 9.5.1.2.1.1
.- l 1 -
Requirements for fire barrier and maintenance will be implemented in I SSAR 9.5.1.8 l Combined 1.icense applicant programs.
l l -
When a fire door, fire barrier penetration, or flood barrier penetration must SSAR 9.5.1.8 l be open to allow specific maintenance activities, additional compensatory I
measures ne expected to be taken. Control of compensatory measures is a l Combined License applicant item.
I 15. Fire detection and suppression capability is provided in the design. Flooding SSAR 3.4.1, I control features and sump level indication are provided in the design. 9.5.1.2.1.2, &
l Compensatory measures are expected to be taken to maintain the detection and 9.5.1.8 i suppression capability to allow specific maintenance activities.
I 16. AP600 main control room fire ignition frequency is limited as a result of the use SSAR 7.1.2 &
I of low-voltage, low. current equipment and fiber optic cables. 7.1.3 l 17. Redundancy $ control room operations is provided within the control rcom SSAR 9.5.1.2.1.1 l itself for fires in which control room evacuation is not required.
i 18. The remote shutdown workstation provides redundancy of control and SSAR 7.3 & 9.5 l monitoring for safe shutdown functions in the event that main control room I evacuation is required.
l l The remote shutdown workstation is in a fire and floc,d area separate from the SSAR 7.1.2.
I main control room. 7.4.3.1.1. &
l 9A.3.1.2.5 Revision: 9
[ W86tiligh0Ll88 April 11,1997 59 221 * **' M*PU""
L
1 l
s..
l l
NRC FSER OPEN nEM .
\ h &
g jnadvertent opening of RNS valve V024 results in a draindo n of RCS inventory g to,/
the IRW requires gravity injection from the IRWST,,pm COL applicante" me administrative controls to ensure that #g4 inadvertent opening of this valve is unlikely, h ddhica,2: COL ;pg=' <ha"M4aluate4his+rrordn.the Md,
-+e amb!!!!y-analysis /humerHEtors et@MRing integration 4mplementation plan.
~ N TnSP.
As stated inhR section IIL.it is the responsibility of the Combined Dcense applicant to E Response:
develop administrative procedures.
. He RNS is an important " defense-in-depth" system for accidents initiated while the plant is at power or at ;
mid-loop during shutdown. He availability control of the RNS and its support systems (CCW, SWS and j J
diesel Eenerators) is covered in SSAR Section 16.3. [RINSS).
K Response: The reason RNS is important while the plant is at power is not because it is imponant per the PRA results or importance listings, but rather because it provides marginfor long term cooling T&H uncertainty. Otherwise, the stafs statement is accurate. {
Startup Feedwater System (SFW) l The SFW system provides a nonsafety-related means of delivering feedwater to the steam generators (SGs) when the main feedwater pumps are unavailable. during an transient. His capability provides an alternate core cooling l
mechanism to the PRHR heat exchanger for non-LOCA and SGTR accidents which minimizes the PRHR challenge rate. He reliability of the SFW system will be maintained by the COL Applicant (IARAP].
% Response: The stafs statement is essentially talen directlyfrom the SSAR Table 17.4 (RAF). To be accurate, note the words should read startupfeedwater system gumps. W rationale provided in this table for why the startup feedwater pumps are included is based on the Expert Panel, not PRA.
Wrefore, it is not clear why the stafs statement is considered an insight from the PRA.
It strumentation and Control G&C) ne following three 1&C systems are credited in the PRA for providing monitoring and control functions during accidents: (1) the safety-related Protection and Safety Monitoring System (PMS),(2) the nonsafety-related Diverse 1
Actuation System (DAS), and (3) the nonsafety-related Plant Control System (PLS). l i
ne PMS provides a safety-related means of performing the following functions: l l
. Automatic and manual reactor trip.
. Automatic and manual actuation of engineered safety features (ESF).
t
! . Monitor the safety-related functions during and following an accident as required by Regulatory C. tide 1.97.
E Response: The stafs statements on PMS are covered by item 2 of PRA Table 59-29.
720.434F-26 W Westinghouse 4
1 7
i L
~
a%.
NRC FSER OPEN ITEM i
Chemical and Volume Control System (CVS) hMA06f )
ne chemical and volume control system (CVS) provides a safety-related means to terminate inadvertent RCS boron yvdilution. In addition, the CVS provides a nonsafety-related means to (1) provide makeup water to the RCS during normal plant operation, (2) provide boration following a failure of reactor trip, (3) provide coolant to the pressurize g, suailiyy spray line, (4) safety _related portions _of the CVS provide inadvertent borqp difunnit pwan i ($ h 754 -Mad M^"'d% GVS ; ;Jgolation of normal CVS letdown during shutdown operation on low hot l$ g leg level.
'Y h EResponse: The stafs above statement on CVS is covered by. item 9 of PRA Table 59-29 with supportfrom
,&% S**AR subsection 916. Note the second sentence begins by discussing nonsqfety-related means, but items (4) and (5) state safety-related po,tions. It could be a confusirg sentence. Also note, item (4) is a repeat of the first sentence.
He following are some important aspects of CVS as represented in the PRA:
. He CVS has two makeup pumps and each pump is capable of providing normal rnakeup.
2 Response: This statement is covered by item 9 of PRA Table 59-29
. One CVS pump is configured to operate on demand while the other CVS pump is in standby. He operation of these pumps will alternate periodically (monthly).
l E Response: The stafs staument is accurate per PRA assumptions. The first sentence is true. The second sentence's monthly statement is an assumption of the PRA; however, good operating practices l
would callfor the COL to periodically alternate the pumps.
t
. On low hot leg level, the safehlated PMS signals hsted safe CVS AOVs to close automatically g to isolate letdown during Mode 4 (when RNS is in operation), h e 5, and Mode 6 (with the upper internals in place and the refueling cavity less than half full) as required by AP600 TS. M W )
X Response. Only two of the AOVs are safety related, the third is nonsafety-related. Exceptfor this error, th ,, Qee above statement is true per the ESF Technical Spectfication.
b (t)*
. De safe (<ylated PMS boron dilution signal automatically re aligns CVS pump suction to the boric acid tan nis same signal also closes the two safety-related CVS demineralized water supply valves. His signal actuates on any reactor trip signal, source range flux multiplication signal, low input voltage to the Class IE DC power system battery chargers, or a cafety injection signal. 9 p0-f E Response: This is an accurate statement. bf
. He COL applicant will maintain procedures to respond to low hot leg level alarms. [)N -
H Response: The shutdown ERGS cover the procedure to respond to low hot leg level a rms.
720.434F-33
+
W Westir,ghouse
$