ML20248F334

Design Certification Licensing Review Basis
ML20248F334
Person / Time
Site: 05000470
Issue date: 03/31/1989
From:
ABB COMBUSTION ENGINEERING NUCLEAR FUEL (FORMERLY
To:
Shared Package
ML20248F332 List:
References
PROJECT-675A NUDOCS 8904130025


Text

{{#Wiki_filter:_

Enclosure to LD-89-033

COMBUSTION ENGINEERING, INC.
SYSTEM 80+™ STANDARD DESIGN
DESIGN CERTIFICATION LICENSING REVIEW BASIS
March, 1989

8904130025 890330 PDR ADOCK 05000470 A PDC

EXECUTIVE SUMMARY

Combustion Engineering has announced to the U.S. Nuclear Regulatory Commission its intention to pursue a Design Certification for the System 80+™ Standard Design. This is a new evolutionary design that is based on the past history and safety evaluation (including the FDA) of the current System 80® design. The design enhancements and expanded scope for the System 80+ Standard Design will be fully described in the Combustion Engineering Standard Safety Analysis Report-Design Certification (CESSAR-DC). CESSAR-DC describes an essentially complete standard plant design that is intended to meet not only all current regulations but also the criteria of the Commission's Severe Accident, Safety Goal, Standardization Policy Statements, and the forthcoming standardization rule (proposed 10 CFR 52).

This Licensing Review Basis document will serve to (1) outline guidance for key areas of the Staff's review of the System 80+ Standard Design and (2) establish a clear definition of the schedule, process, and administrative matters which will be used to review and certify the System 80+ Standard Design.

The System 80+ Standard Design will include all buildings, structures, systems, and components that can significantly affect the safe operation of the plant. Accordingly, the Staff's review of CESSAR-DC will close out all questions concerning the System 80+ Standard Design and will establish the acceptance criteria for site-specific construction verification.

TABLE OF CONTENTS

Executive Summary
1.0 Introduction
  1.1 Scope & Content of CESSAR-DC
  1.2 Scope & Content of Future Applications Referencing CESSAR-DC
2.0 Schedule
3.0 Content of Application
  3.1 Dual Docket Approach
  3.2 CESSAR-DC Format
  3.3 CESSAR-DC Amendment Identification
4.0 Incorporation of New Issues
5.0 NRC Staff Review
  5.1 Overview
  5.2 Procedure
6.0 ACRS Participation
7.0 Severe Accident Policy
  7.1 Introduction
  7.2 Compliance With General Licensing Criteria
  7.3 Severe Accident Performance Goals
8.0 Additional Issues
  8.1 Physical Security and Sabotage
  8.2 Site Envelope Parameters
  8.3 Completeness of Design Documentation
  8.4 Program for the Assurance of Quality in Design
  8.5 Instrumentation and Controls
  8.6 Generic Letters and I&E Bulletins
  8.7 Maintenance and Surveillance
  8.8 Safety Goal Policy Statement
  8.9 Standardization Policy Statement
  8.10 Sixty-Year Life
  8.11 Fire Protection
  8.12 Station Blackout and Electrical System
  8.13 Leak-Before-Break
  8.14 Source Term
  8.15 Operational Basis Earthquake
  8.16 Type C Containment Leak Rate
  8.17 Hydrogen Generation
9.0 Final Design Approval
10.0 Design Certification
  10.1 Introduction
  10.2 Design Certification Concept
  10.3 Procedures Applicable to Design Certification
Appendix A: Process for Resolution of USIs and GIs as Required by the Severe Accident Policy Statement
Appendix B: Process for Probabilistic Risk Assessment as Required by the Severe Accident Policy Statement
Appendix C: Process for Degraded Core Evaluation as Required by the Severe Accident Policy Statement

LIST OF TABLES

Table 1: CESSAR-DC Submittal Schedule

LIST OF FIGURES

Figure 1: Dual Docket Approach

1.0 INTRODUCTION

Combustion Engineering has announced its intention to pursue a Design Certification in accordance with the Commission's Nuclear Power Plant Standardization Policy Statement of September 15, 1987.

The Commission's Standardization Policy Statement (52FR34884) declares that future reference system designs "are expected to be evolutions of existing proven LWR designs". Accordingly, Combustion Engineering is enhancing the System 80® standard design to meet the guidance of the NRC's Severe Accident, Safety Goal, and Standardization Policy Statements. The scope of the improved design, called the System 80+™ Standard Design, will include all buildings, structures, systems, and components requiring regulatory review. This expanded scope will provide sufficient information to enable the Staff to definitively reach the conclusion required for Commission certification of the System 80+ Standard Design.

Both Combustion Engineering and the NRC Staff believe that the safety review of CESSAR-DC will proceed more smoothly if certain licensing review bases are established. This Licensing Review Basis (LRB) document will, therefore, be used to outline the development of acceptance criteria for key areas of the Staff's review of the System 80+ Standard Design and to establish a clear definition of the schedule, process, and administrative matters which will be used to review and certify this design. The LRB, in conjunction with the acceptance criteria to be developed, is intended to serve as guidance for the NRC Staff review of material submitted in compliance with criteria that go beyond current regulations and guidance (i.e., review of material submitted for compliance with the Severe Accident Policy).

1.1 Scope and Content of CESSAR-DC

The System 80+™ Standard Design will use, as a starting point, the System 80® design covered by the current FDA and described in CESSAR-F. The scope of the System 80+ Standard Design includes all buildings, structures, systems, and components that can significantly affect the safe operation of the plant. This expanded scope will ensure that all safety issues for the System 80+ Standard Design are fully addressed and that all regulatory requirements are accounted for during the Design Certification process. The Staff's review of CESSAR-DC, therefore, will close out all questions concerning the System 80+ Standard Design and will address the tests, analyses and inspections that are necessary to provide reasonable assurance that the plant can be built and operated within the specifications of the certified design.

Since Combustion Engineering wishes to obtain an FDA and a Design Certification for the System 80+ Standard Design before any applicant, site, or equipment suppliers are identified, Combustion Engineering will provide the necessary level of detailed information to enable the Staff to complete its review without preempting competitive bidding on any future project that references the certified design. The corresponding format and content of CESSAR-DC are described in Section 3.0 and 8.3.

1.2 Scope and Content of Future Applications Referencing CESSAR-DC

When the certified System 80+ Standard Design is referenced in an application, the Staff's review of matters related to the approved reference design need consider only (1) whether the site envelope parameters of the certified design fall within the requirements of the specified construction site, (2) the applicant's proposed means of assuring that plant construction will conform to the certified design requirements, and (3) a final determination (based on compliance reviews/audits during construction) that the plant has been constructed and can be operated in compliance with the design details and acceptance criteria certified by the Commission. No further review of the referenced design will be required.

2.0 SCHEDULE

The schedule for submitting groups of CESSAR-DC chapters is shown in Table 1 along with the schedule for NRC review of those submittals. The major milestones are an FDA by March 1991 and Design Certification by September 1992.

[Table 1: CESSAR-DC Submittal Schedule. Table contents are not legible in the extracted text.]

3.0 CONTENT OF APPLICATION

3.1 Dual Docket Approach

A second (separate) docket will be created which includes all of the existing information and history of the current System 80 docket, docket number STN 50-470F. As shown in Figure 1, the new docket will be utilized to describe the System 80+ Standard Design and, thus, to provide the basis for the Design Certification Rule. This approach will allow current System 80 users to reference the first (current) docket while, at the same time, allowing for development of the System 80+ Design Certification Rule.

3.2 CESSAR-DC Format

The format of CESSAR-DC will be consistent with the guidance of the Standard Review Plan (NUREG-0800) and the Standard Format and Content of Safety Analysis Report for Nuclear Power Plants (Regulatory Guide 1.70, Revision 3). The numbering of CESSAR-DC sections related to the Nuclear Steam Supply System will be consistent with CESSAR-F, since the System 80+ design is based on the System 80 design described in CESSAR-F.

3.3 CESSAR-DC Amendment Identification

The CESSAR-DC submittals outlined in Table 2 will consist of changes to existing CESSAR-F material in chapter-by-chapter packages. Bars with amendment identifiers will be provided in the margins to indicate all areas of change relative to CESSAR-F, and the CESSAR-DC amendment identifier and date will be provided at the bottom of each amended page.

[Figure 1: Dual Docket Approach. Figure contents are not legible in the extracted text.]

4.0 INCORPORATION OF NEW ISSUES

As stated in the Severe Accident Policy Statement (Section 7), the Commission expects that future plant designs will meet current regulations and will address new issues such as the resolution of USIs and GSIs, Probabilistic Risk Assessment, and degraded core analyses.

Combustion Engineering will address these new issues such that there are no open items when the NRC issues the FDA for CESSAR-DC (see Section 7 for more detail). Combustion Engineering is committed to full implementation of the Severe Accident Policy Statement and will include resolutions for all applicable USIs and High- and Medium-priority GSIs in the System 80+ Standard Design.

5.0 NRC STAFF REVIEW

5.1 Overview

Each NRC reviewer will be provided a complete copy of the CESSAR-F Safety Evaluation Report (NUREG-0852 and supplements). After reviewing this report, NRC Staff will review the design described in CESSAR-DC to confirm compliance with NRC regulations; guidance of the Standardization, Severe Accident Policy, and Safety Goal Policy Statements; and the guidance of the Standard Review Plan (SRP).

Proposed acceptance criteria and design features suitable for resolution of all applicable USIs and High- and Medium-Priority GSIs will be proposed and documented by Combustion Engineering in an appendix to CESSAR-DC. The NRC Staff will review the acceptance criteria and proposed resolutions to these USIs and GSIs on a schedule consistent with issuance of the FDA (Section 2).

Combustion Engineering has committed to the provision of a sufficient level of information to allow the NRC Staff to complete its review of the System 80+ Standard Design and conclusively reach the public health and safety determination required for design certification.

5.2 Procedure

The staff will follow its review procedures in the SRP, supplemented and modified as follows:

(1) CESSAR-DC is to be submitted in groups as shown in Table 1. Correspondingly, the staff SER will also be issued in draft form, in sections in accordance with the schedule also shown in Table 1. The draft SER sections will be made publicly available.

(2) At the completion of the review of the individual SAR chapters, the staff will perform an integrated review of the application. This review will complement the Probabilistic Risk Assessment (PRA) review, in that it will be an overall assessment of the design. The staff will issue a composite final SER in accordance with the schedule shown in Table 1.

(3) It will be important to carefully document open or unresolved issues that may be identified early in the review process, but which cannot be resolved until the completion of later chapters. Each draft SER section will contain a description of such issues. In addition, Combustion Engineering will maintain an updated checklist which identifies outstanding issues and the future chapter(s) in which resolution is anticipated.

(4) Each draft SER will contain a target schedule for closing outstanding SER issues that is compatible with the target date for the FDA.

6.0 ACRS PARTICIPATION

One step in the design review of a standard plant is the independent review by the Advisory Committee on Reactor Safeguards (ACRS). Periodic reviews will address the safety aspects of the design changes and/or design enhancements on matters selected by the ACRS. The NRC Project Manager will keep the ACRS informed of the progress of the review and will schedule meetings with the ACRS.

7.0 SEVERE ACCIDENT POLICY

7.1 Introduction

On August 8, 1985, the Commission issued a policy statement on severe accidents (50FR32138, "Policy Statement on Severe Reactor Accidents Regarding Future Designs and Existing Plants"). The policy statement provides general criteria and procedures for the licensing of new plants, and sets goals and a schedule for the systematic examination of existing plants. The Commission encouraged the development of new designs that might realize safety improvements and stated that the Commission intended to take all reasonable steps to reduce the chances of occurrence of a severe accident and to mitigate the consequences of such an accident, should one occur. The Commission's general licensing criteria for future plants are specified in the policy statement.

The Commission further recognized the need to provide defense in depth by striking a balance between accident prevention and consequence mitigation, through a better understanding of containment performance, with the understanding that new performance criteria for containment systems might need to be established. The Commission also recognized the importance of potential contributors to severe accident risk such as human performance and sabotage, and determined that these issues should be carefully analyzed and considered in the design and operating procedures for the facility. As described below, Combustion Engineering will meet the guidance specified for new plants.

7.2 Compliance With General Licensing Criteria

Combustion Engineering will comply with all applicable Commission regulations, including those listed in 10 CFR 50.34(f), applicable to the System 80+ Standard Design. In special cases [e.g., 10 CFR 50.34(f)(2)(i) - Simulator Capability], this compliance may take the form of explicitly placing a requirement to comply with a particular regulation on any future applicant that references the System 80+ Standard Design.

7.2.1 TMI Requirements for New Plants

Combustion Engineering will comply with all regulations applicable to the System 80+ Standard Design which are listed in 10 CFR 50.34(f), with one potential exception. As indicated in Section 8.17, criteria on hydrogen generation may be based on the EPRI ALWR Requirements Document.

7.2.2 Resolution of USIs and GIs

The process for developing the resolution of USIs and GSIs is provided in Appendix A.

7.2.3 Probabilistic Risk Assessment

The process of preparing and using the System 80+ Standard Design PRA is provided in Appendix B.

7.2.4 NRC Staff Review

The approach to the Staff review of CESSAR-DC is described in Sections 2 through 5 of this document. The process for the review of degraded core analyses complemented by PRA is discussed in Appendix C.

7.3 Severe Accident Performance Goals

This section describes the goals for severe accident performance criteria. These goals are consistent with the guidance of the NRC's Severe Accident and Safety Goal Policies.

One of Combustion Engineering's objectives for the development of the System 80+ Standard Design is to be responsive to utility requirements for increased public safety and protection of plant investment. The goals stated in the following sub-sections were developed to meet those utility requirements while remaining consistent with NRC guidance. Combustion Engineering will demonstrate that the System 80+ Standard Design meets the following design goals by submitting a Level III PRA as described in Appendix B.

7.3.1 Prevention of Core Damage

For the System 80+ PRA, Combustion Engineering has adopted the following criteria for potential severe core damage.

A potential for severe core damage shall be assumed to exist if and only if both of the following have occurred:

(A) The collapsed level in the RCS has decreased such that active fuel in the core has been uncovered; and,

(B) A temperature of 2200°F or higher is reached in any node of the core as defined in a realistic thermal-hydraulic calculation.

If the above criteria for potential severe core damage are exceeded, predictions of actual core damage and resulting radioactive releases will be calculated using the MAAP code. Review of the MAAP code, however, is unnecessary since the staff can apply its own MELCOR and Source Term Code Package (STCP) codes in its evaluation. The staff will review MAAP analyses and comparisons to other codes in order to assess the acceptability of conclusions based on MAAP.

The above criteria are consistent with the EPRI definition provided in Section 1.2 of the EPRI ALWR Requirements Document. It is Combustion Engineering's goal that the estimated mean annual core damage frequency (including both internal and external events) will be less than 1.0E-5 events per reactor-year.

It is Combustion Engineering's goal that no containment failure modes shall exist that lead to offsite doses in excess of the design goal (Section 7.3.3), with a mean frequency greater than 1.0E-6 events per reactor-year.

With regard to meteorology, the methods and assumptions employed in the analysis of environmental transport consequences (plume size/wind direction/wind speed/wind shift probability/adverse or expected weather), population distribution (probability of individual seeing plume/location of individual(s) during release), and time of exposure will be consistent with the guidance found in NUREG/CR-2300, dated January, 1983, and NUREG/CR-2815, dated August, 1985.

7.3.2 Mitigation of Core Damage

The containment is one of the principal barriers to the release of radioactivity. Consistent with this defense-in-depth principle, the System 80+ design will provide protection against containment failure in the event of a release of radioactivity to the containment atmosphere. The expected containment design features will include:

a. a large dry steel containment; typical steel containments have ultimate strengths which are four or five times the design pressure,
b. measures to reduce the probability of early containment failure, including the safety-grade Containment Spray System and the Safety Depressurization System,
c. a conservative design basis accident (guillotine pipe break),
d. severe accident hydrogen control,
e. an in-containment refueling water storage tank for scrubbing radioactivity out of reactor-coolant-system releases and for providing a reliable source of water for flooding the reactor cavity,
f. reliable containment heat removal systems, and
g. consideration of severe accidents in the design of the reactor vessel cavity configuration, including entrainment of a hypothetical molten core.

Any quantitative reliability prediction of the containment function must be stated together with the corresponding definition of the methodology used in that prediction. The reliability of containment performance, in the context of the EPRI Requirements Document, is embodied in the PRA goals of (1) a mean core damage frequency of less than 1.0E-5 events per reactor-year and (2) a mean frequency for occurrence of doses greater than 25 rem beyond one-half mile radius from the reactor of less than 1.0E-6 events per reactor-year.

Combustion Engineering believes that the above criteria are appropriate for evaluating the protection of the health and safety of the public with respect to severe accidents and that it is inappropriate to specify a specific containment performance goal in the context of the above criteria.

Nonetheless, the robust containment design selected for System 80+ permits Combustion Engineering to state its expectations for containment performance,¹ based on the following definitions:

(1) "Credible core damage sequences" is defined as all core damage event sequences with a frequency greater than 1.0E-6 per reactor-year. External events which would cause both core damage and concurrently fail the containment and which have a frequency of less than 1.0E-5 per reactor-year will not be considered in this evaluation.

(2) "Containment failure" is defined as a post-core-damage release resulting in a dose greater than 25 rem beyond one-half mile from the reactor.

Based on the above, the System 80+ containment design is expected to be such that the containment conditional failure probability, when weighted over credible core damage sequences, will be less than one in ten, consistent with the EPRI PRA goals listed above.

¹ Based on methodology consistent with the EPRI Key Assumptions and Groundrules Document.

7.3.3 Offsite Consequences for Severe Accidents

Combustion Engineering has adopted the following large-offsite-release design goal for the System 80+ Standard Design.

In the event of a severe accident, the dose beyond a one-half mile radius from the reactor shall not exceed 25 rem. The mean frequency of occurrence for higher offsite doses shall be less than once per million reactor-years, considering both internal and external events.

An industry effort, sponsored by EPRI, has evaluated the guidance of the Safety Goal and Severe Accident Policy Statements and documented a quantitative design goal for addressing the portion of these policies dealing with large radioactive releases resulting from a severe core accident (Chapter 1 of the EPRI ALWR Requirements Document). The Combustion Engineering design goal is consistent with the EPRI design goal.

Probabilistic Risk Assessment (PRA), using mean values, will be used by Combustion Engineering to demonstrate that the System 80+ Standard Design achieves these design goals. The System 80+ Level III PRA will be performed by modifying and extending the baseline System 80® PRA. The accident sequences to be quantitatively evaluated will be of the type and number listed in Tables 7.2-1 to 7.2-9 of the baseline PRA report [Enclosure to Letter, LD-88-008, A. E. Scherer (C-E) to G. S. Vissing (NRC), dated January 22, 1988]. That report also provides detailed descriptions of the system modeling methods, analysis ground rules, and computer codes that were used (Section 2.0). The PRA evaluation process for the System 80+ Standard Design will be similar to that described in the baseline PRA report.

External events will be considered in the System 80+ PRA. There is currently an on-going Advanced Reactor Severe Accident Program (ARSAP) task to identify the degree to which each external event category should be quantitatively evaluated in the System 80+ PRA. Combustion Engineering expects to adopt the ARSAP results.

Sabotage will be considered in the design by identifying those design features which minimize the potential for sabotage (see Appendix A to Chapter 13 of CESSAR-DC). In particular, Combustion Engineering will utilize physical separation of safety trains as well as existing nuclear security design practices to minimize the risk of sabotage. Combustion Engineering will also address all appropriate NRC guidance. Sabotage will not be addressed quantitatively in the System 80+ PRA.

In summary, the use of PRA, in conjunction with industry and NRC guidance, will determine whether the Combustion Engineering design goals for severe accidents have been achieved.

8.0 ADDITIONAL ISSUES

8.1 Physical Security and Sabotage

The Severe Accident Policy states that "... sabotage threats will be carefully analyzed and, to the extent practicable, will be emphasized as special considerations in the design and in the operating procedures developed for new plants." This statement will be addressed in Combustion Engineering's Sabotage Protection Program. The basic elements of this program were provided to NRC in separate correspondence [Letter LD-88-091, A. E. Scherer (C-E) to G. S. Vissing (NRC), dated September 14, 1988].

In addition, the System 80+ Standard Design is being developed in accordance with all current NRC regulations and guidance regarding the physical security of nuclear power plants and the prevention of sabotage. The basis for this guidance will be as defined in 10 CFR 73.55, "Requirements for Physical Protection of Licensed Activities in Nuclear Power Reactors Against Radiological Sabotage," and other applicable portions of 10 CFR 73. It is intended that the final design be sufficiently complete to allow the development of a comprehensive security plan that will ensure the safety of the as-built facility will continue to be accurately described by the certified design.

CESSAR-DC will include enough information to ensure the existence of adequate physical barriers to protect vital equipment in accordance with 10 CFR 73.55(c), "Physical Barriers," and to identify access control points to all vital areas in accordance with 10 CFR 73.55(d), "Access Requirements." CESSAR-DC will also include a summary of insider/outsider sabotage scenarios and design features to provide sabotage protection (Appendix A to Chapter 13).

8.2 Site Enveloce Parameters EThe System _80+ Standard Design is based on assumed site-related parameters, to be discussed in CESSAR-DC, that ware selected so as to be-applicable to.the majority of potential nuclear power plant sites in the United States. l 8.3 Completeness of Desion Documentation CESSAR-DC is to provide essentially complete design information. The term " essentially complete" is defined as follows: (1) CESSAR-DC will' define the major design components and include the results of sufficient engineering to identify, as appropriate: l

a. design basis criteria
b. analysis and design methods
c. functional design and physical arrangement of systems
d. physical arrangements sufficient to accommodate systems and components
e. functional and/or performance specifications
f. acceptance/test requirements
g. risk assessment methodology

(2) Design documentation of systems, structures, and components should include, as appropriate:

a. design basis criteria
b. plant general arrangements
c. process and instrumentation diagrams
d. control logic diagrams
e. system functional descriptions and supporting studies and analyses
f. sufficient detail to permit preparation of component specifications, including acceptance criteria and test requirements
g. sufficient detail to permit preparation of construction/installation specifications, including acceptance criteria and test requirements
h. program for the assurance of quality
i. design-related aspects for the emergency plans
j. supporting design data
k. design-related aspects of the physical security program
l. ALARA/radiation protection plan
m. accident analyses
n. technical specifications
o. probabilistic risk assessment

In a limited number of cases where detailed design information is not available, information on methods, procedures, and acceptance criteria will be provided. Combustion Engineering will also define those related tests, inspections, and acceptance criteria that are necessary to assure that the design is properly implemented in the plant. These tests, inspections, and acceptance criteria are intended to be implemented and verified in a series of reviews by the applicant during construction and pre-operation. The staff will monitor the performance of these reviews and implementation of the design through its inspection program.

The level of detail necessary for providing essentially complete design information is to be that which is suitable for obtaining specific equipment or construction bids and to demonstrate conformance to the safety limits and criteria.

8.4 Program for the Assurance of Quality in Design

The Combustion Engineering Quality Assurance Program is described in topical report CENPD-210, Revision 5, "Quality Assurance Program", dated September 1988. Supplemental information is provided in Chapter 17 of CESSAR-DC.

8.5 Instrumentation and Controls

The standards and criteria used by Combustion Engineering in the design of Instrumentation and Control Systems and used by the Staff in the review of these systems are addressed in Chapters 7 and 18 of CESSAR-DC. Detailed design descriptions are also presented therein.

8.6 Generic Letters and I&E Bulletins

All Generic Letters and I&E Bulletins are being reviewed as part of the EPRI ALWR Requirements program. Combustion Engineering will utilize EPRI's review of these items. It is anticipated that all Generic Letters and I&E Bulletins applicable to the System 80+ Standard Design will be addressed through implementation of EPRI ALWR Design Requirements and/or through resolution of all applicable USIs and GIs. A separate review of Generic Letters and I&E Bulletins, therefore, will not be necessary.

8.7 Maintenance, Surveillance, and Reliability

The development of a detailed design implementation document and technical specifications, supplemented by an evaluation of PRA results, will ensure that sufficient maintenance guidance will be made available to the utility applicant. This documentation will allow the development of a comprehensive maintenance program that will ensure that the safety of the as-built facility will continue to be accurately described by the certified design.

The proposed Technical Specifications will be developed as early as practicable and will be submitted for review and approval by the staff as part of the CESSAR-DC submittal. The Technical Specifications will be developed based upon risk and reliability considerations. These Technical Specifications will be included in the Design Certification process. Combustion Engineering will identify (in CESSAR-DC) design features that are necessary for testing and maintenance during operation without challenging safety systems.


Certification of a design will be based in part upon a Probabilistic Risk Assessment (PRA) of that design. In that the validity of a PRA is highly dependent on the reliability of systems, structures, and components, the staff requires assurance that programs will be implemented which will ensure that the reliability of those systems, structures, and components (assumed in analyses) will be maintained throughout plant life. Therefore, a program to assure design reliability must be provided as part of the FDA review. This program will be reviewed as part of the Combustion Engineering Design Certification Program and will include items such as (1) the Technical Specifications and ISI/IST, (2) the Maintenance Guidelines, (3) Procedure Guidelines, and (4) Security Guidelines.

8.8 Safety Goal Policy Statement

On August 4 and 21, 1986, the Commission published a Policy Statement on "Safety Goals for the Operation of Nuclear Power Plants" (51 FR 28044 and 51 FR 30028). This policy statement focuses on the risks to the public from nuclear power plant operations. Its objective is to establish goals that broadly define an acceptable level of radiological risk.

Combustion Engineering will comply with those implementation requirements that are developed by the NRC which are applicable to the System 80+ Standard Design. Combustion Engineering will apply the severe accident performance goals of Section 7.3 during the design and analysis of the System 80+ Standard Design.

8.9 Standardization Policy Statement

Consistent with the Commission's Standardization Policy Statement, Combustion Engineering's System 80+ Design Certification Program emphasizes the development of a standard design based on the evolution of a proven technology. The System 80+ Design Certification Program will be conducted in accordance with the Standardization Policy and any final Standardization Rule established by the Commission.

8.10 Sixty-Year Life

The staff will review the System 80+ design for a 60-year life notwithstanding the fact that a 40-year license term limitation is presently in the regulations. Combustion Engineering will identify the components and systems which are affected. CESSAR-DC will contain information to support the review for a 60-year design life including information on fatigue, corrosion, and thermal aging.

8.11 Fire Protection

Improved fire protection criteria will be implemented to minimize the contribution of fires to core melt probability. The current Appendix R and Branch Technical Position 9.5-1 requirements (e.g., 20 ft separation) will be supplemented by a criterion for safe shutdown capability in the event of a complete loss of any fire area, assuming that re-entry into the fire area is not possible. Fire protection for control room shutdown capability is provided by independent alternate shutdown capability that is physically and electrically independent of the control room. Fire protection for redundant shutdown systems in the Reactor Containment Building will ensure, to as great an extent as possible, that one shutdown division will be free of fire damage. Consideration will be given for safety-grade provisions for the fire protection systems to ensure that the remaining shutdown capabilities are protected. In addition, it will be demonstrated that smoke, hot gases, or the fire suppressant will not migrate into other fire areas to the extent that safe shutdown capabilities, including operator actions, would be adversely affected.

8.12 Station Blackout and Electrical System

The System 80+ Standard Design includes improved electrical systems to ensure a safe shutdown of the reactor. These systems provide an additional source of AC electrical power and improved battery capacity in order to address the concerns related to Station Blackout.

8.13 Leak-Before-Break

Leak-before-break can be considered where justified. Improved design features (described in CESSAR-DC) ensure that steam generator tube integrity will be maintained. Also, CESSAR-DC addresses the issue of material embrittlement associated with reactor vessel material and supports. A new rule and draft SRP Section 3.6.3 have been issued. The System 80+ Standard Design addresses and meets the intent of the SRP.

8.14 Source Term

The staff is concerned that the licensing basis source term "TID 14844" is not consistent with current knowledge. Therefore, with EPRI input, realistic source terms will be established to be uniformly applied to future ALWRs including the System 80+ Standard Design.

8.15 Operational Basis Earthquake

The staff agrees that the OBE should not control the design of safety systems, which now occurs when 10 CFR 100, Appendix A, is applied. The System 80+ design will be consistent with the EPRI ALWR Requirements Document with respect to definition of OBE, SSE, and analysis methodology. It is expected that the OBE will be less than one-half of the SSE, which is a departure from 10 CFR 100, Appendix A. The NRC staff has agreed to consider an exemption from the regulations for the System 80+ Standard Design as part of the review of CESSAR-DC.

8.16 Type C Containment Leak Rate

Containment leakage is acknowledged by the staff as being a function of containment pressure. This pressure-dependence will be reflected in predictions of leak rate for the System 80+ containment.

8.17 Hydrogen Generation

Consistent with the EPRI ALWR Requirements Document, Combustion Engineering will provide information to justify a System 80+ containment design assuming 75% metal-water reaction and 13% maximum hydrogen concentration. The staff will review the System 80+ design considering these design criteria, the criteria of the current regulation 50.34(f), and current information from industry programs.


9.0 FINAL DESIGN APPROVAL

A Final Design Approval (FDA) means that the design is acceptable for incorporation by reference in individual applications for construction permits and/or operating licenses. The staff and the ACRS intend to use and rely on the approved final design in their reviews of referencing applications. However, an approved final design is still subject to litigation in individual licensing proceedings on referencing applications.

In August 1985, Combustion Engineering requested that the current CESSAR-F FDA (FDA-2) be amended to permit forward referenceability to those plants which hold a preliminary design approval in accordance with the NRC Severe Accident Policy Statement (the Severe Accident Policy requirements would be resolved on a plant specific basis for each applicant for a full power license). Upon completion of NRC Staff review of that request, the Staff will issue a forward referenceable FDA Amendment (FDA-2, Amendment 1) that will be applicable to Docket No. 50-470, as described in Section 3.1.

When the NRC Staff completes its review of CESSAR-DC, the resulting FDA will permit forward referenceability. This FDA will be the basis for a System 80+ Design Certification Rule and will be applicable to the new docket only. (An FDA is a prerequisite for a design certification.)

10.0 DESIGN CERTIFICATION

10.1 Introduction

The Commission revised its 1978 policy statement on the standardization of nuclear power plant designs on September 15, 1988 (52 FR 34884). The Commission also is developing proposed regulations that will address licensing reform and standardization and provide a regulatory framework for implementation of the standardization policy, including Commission certification of standard designs by rulemaking. Since design certification is the ultimate goal of the System 80+ Design Certification program, and since the focus of the revised policy statement and proposed regulations is reference system design certification, the essence of these proposals, and Combustion Engineering's commitment to them, is summarized here. It should be noted, however, that the Commission has not yet acted on proposed regulations and that they are subject to change.

The Commission's revised policy statement encourages the use of standard plant designs in all future license applications. The Commission believes that the use of certified standard plant designs can benefit public health and safety by:

(1) Concentrating resources on specific design approaches without stifling ingenuity;
(2) Stimulating standardized programs of construction practice, quality assurance and personnel training; and,
(3) Fostering more effective maintenance and improved operation.

The staff believes that the use of such standardized designs can also permit more effective and efficient licensing and inspection by the NRC.

10.2 Design Certification Concept

The design certification concept, as described in the Commission's revised standardization policy statement, provides for certifying a reference system design (such as the System 80+ Standard Design) through rulemaking. In this process, the Commission would certify a design after the staff issues an FDA and a rulemaking proceeding is completed. The design certification means that the portions of the nuclear power plant design that have been reviewed are acceptable for incorporation by reference in an individual license application. The conclusions of the certification rulemaking would be used and relied on by the staff, the ACRS, the hearing boards, and the Commission in their reviews of applications that reference the design. The certified design would not be subject to litigation in individual licensing proceedings, except as provided in 10 CFR 2.758.

Under the staff proposed regulations implementing the Standardization Policy, the Commission could certify the System 80+ Standard Design for referencing by applicants for a period of 10 years. Renewal of the design certification could be granted for an additional period of up to ten years. Applicants could reference the certified design in applications for CPs and OLs docketed during the period beginning with the docketing date of the CESSAR-DC revisions and ending at the expiration date of the design certification.

10.3 Procedures Applicable to Design Certification

The System 80+ Standard Design will be reviewed utilizing the procedures of the forthcoming Standardization Rule (10 CFR 52).


APPENDIX A

Combustion Engineering Design Certification Program

Process for Resolution of Unresolved and Generic Safety Issues as Required by the Severe Accident Policy Statement.

I. Overview of Process for Resolution of USIs and GSIs

One of the major goals of Combustion Engineering's Design Certification Program is to develop and obtain NRC certification of a standard design (the System 80+ Standard Design) which meets the requirements of the Severe Accident Policy Statement for future plants. In order to comply with the Policy Statement, technical resolution of all applicable Unresolved Safety Issues (USIs) and Medium- and High-Priority Generic Safety Issues (GSIs) must be demonstrated for the System 80+ Standard Design.

Combustion Engineering will integrate input from related industry programs (e.g., the EPRI Regulatory Stabilization Program) and implement resolutions to the USIs and GSIs for the System 80+ Standard Design. Documentation of the acceptance criteria and design features for resolution of the USIs and GSIs will be provided in an appendix to Combustion Engineering's Standard Safety Analysis Report - Design Certification (CESSAR-DC). It is anticipated that Combustion Engineering will provide the NRC Staff with the information necessary to close out all applicable review issues so that a Design Certification rulemaking can be concluded without open issues or conditions.

II. Identification of Issues Applicable to the System 80+ Standard Design

USIs and GSIs are identified in "A Prioritization of Generic Safety Issues" (NUREG-0933), along with a summary of the status of each issue. The EPRI Regulatory Stabilization Program reviewed all USIs and GSIs and identified, as of July 1, 1986, 386 "Not Applicable" issues (see NUREG-1197). The remainder (341 "Applicable" issues) were reviewed by Combustion Engineering for consistency with the most up-to-date version of NUREG-0933 (June 1988). This review resulted in a list of 370 issues which were considered to be applicable to the design of Advanced Light Water Reactors. Further review was performed to determine the subset of issues applicable to the System 80+ Standard Design.

An issue was eliminated for System 80+ if it met one of the following criteria:

1. The issue is prioritized in NUREG-0933 as DROPPED or LOW, or the issue has not yet been prioritized.
2. The issue is specific to another design (e.g., BWR, W, B&W).
3. The issue was classified as a DROP issue in the EPRI Regulatory Stabilization Program.
4. The issue meets one of the criteria used in the EPRI Regulatory Stabilization Program for identifying "Not Applicable" issues (see NUREG-1197).
5. The issue is "resolved" in NUREG-0933 with no new requirements or guidance and with no reference to old requirements or guidance.

The resulting list of 132 issues is presented on the following pages. As implementation of these issues progresses, including NRC review, the list of issues for the System 80+ design may be revised. An up-to-date listing will be available to the NRC Project Manager at all times.

III. Acceptance Criteria for Resolution of USIs and GSIs

In order to resolve the applicable USIs and GSIs, proposed acceptance criteria must first be documented (by either the NRC or by an applicant). Then, resolutions must be proposed and reviewed by NRC Staff. Combustion Engineering will evaluate input from various sources (described below) and each applicable safety issue will be resolved and documented on the CESSAR-DC docket.

Some issues have already been resolved by the NRC and, in these cases, Combustion Engineering will implement, to the maximum extent possible, the NRC's proposed resolutions. If, however, some revisions are necessary, Combustion Engineering will propose alternate resolutions appropriate for the System 80+ Standard Design.


Some issues have not yet been resolved. For those unresolved issues which are applicable to System 80+, Combustion Engineering will review results of the EPRI Regulatory Stabilization Program and DOE's Advanced Reactor Severe Accident Program (ARSAP). To the maximum extent practical, results from these programs will be implemented for the System 80+ Standard Design. Combustion Engineering will also monitor and use, to the extent practical, the information provided by the NRC via the Generic Issue Management Control System (GIMCS).

The EPRI Regulatory Stabilization Program is developing Topic Papers on proposed acceptance criteria for resolution of the more significant USIs and GSIs which are applicable to Advanced LWR designs. The primary purpose of these Topic Papers is to document criteria for resolution of applicable issues and incorporate NRC comments. The Combustion Engineering Design Certification Program will address and resolve the USIs and GSIs via design features which are expected to be consistent with the criteria in the Topic Papers. In this way, the issues can be closed out based on documented criteria which have been reviewed by the NRC.

Topic Papers will also be generated in the ARSAP to address severe accident issues. ARSAP staff have reviewed current information related to severe accidents to identify a composite list of related issues for which Topic Papers will be produced. Some of these Topic Papers may also be applicable to resolution of the USIs and GSIs which must be resolved for the System 80+ Standard Design. For these particular USIs and GSIs, Combustion Engineering will integrate input from the DOE ARSAP and present the proposed acceptance criteria and resolutions to the NRC for review and comments.

There may be some USIs and GSIs, however, for which Topic Papers or other documented resolutions are not available from either the EPRI Regulatory Stabilization Program, the DOE ARSAP, or from the NRC. For these USIs and GSIs, Combustion Engineering will develop acceptance criteria and resolutions specific to the System 80+ Standard Design and will obtain NRC approval through documentation in CESSAR-DC.

IV. NRC Review Process and Documentation

Proposed acceptance criteria and design features for resolution of applicable USIs and GSIs will be documented by Combustion Engineering in an appendix to CESSAR-DC. The NRC will review this appendix and Combustion Engineering will provide any additional information necessary for preliminary NRC concurrence. Final NRC approval of the proposed resolutions will occur as part of the Design Certification rulemaking. Combustion Engineering will provide sufficient information in CESSAR-DC so that the appendix can serve as the primary documentation of acceptance criteria for USIs and GSIs during NRC Staff and ACRS reviews.

The NRC will review the acceptance criteria and proposed resolutions to specific USIs and GSIs on a schedule consistent with NRC review for the Final Design Approval. The schedule for the Final Design Approval is provided in Section 2 of this Licensing Review Basis document.

NRC review results will be documented in draft Safety Evaluation Reports (SERs). The draft SERs will address the acceptance criteria for the USIs and GSIs, as well as the resolutions (design features) proposed for the System 80+ Standard Design. NRC's preliminary concurrence with the acceptance criteria and resolutions will be provided in the draft SERs. The draft SERs will be finalized when all CESSAR-DC chapters have been submitted and an integrated review has been completed by the NRC Staff.

V. Summary

Combustion Engineering's Design Certification Program for the System 80+ Standard Design will resolve all applicable USIs and GSIs, as required in the Severe Accident Policy Statement. Input from related industry programs and existing NRC documentation will be reviewed and integrated in order to identify acceptance criteria for resolution of the USIs and GSIs.

The resolution of USIs and GSIs for System 80+ will be based primarily on acceptance criteria from EPRI ALWR and DOE ARSAP Topic Papers and from existing NRC documentation. Combustion Engineering will integrate these inputs and develop additional criteria, if and where necessary.

Documentation of the acceptance criteria and proposed design features for resolution of all applicable USIs and GSIs will be provided in an appendix to CESSAR-DC. Combustion Engineering will provide whatever information is necessary to close the USIs and GSIs for the System 80+ Standard Design. NRC's preliminary concurrence with the acceptance criteria and proposed resolutions will be documented in the CESSAR-DC draft Safety Evaluation Reports.

03/24/89

LIST OF UNRESOLVED SAFETY ISSUES AND HIGH/MEDIUM PRIORITY GENERIC ISSUES
APPLICABLE TO THE SYSTEM 80+ STANDARD DESIGN

ISSUE                                         ISSUE
NUMBER      ISSUE TITLE                       TYPE

003         SETPOINT DRIFT IN                 GSI
            INSTRUMENTATION
014         PWR PIPE CRACKS                   GSI
022         INADVERTENT BORON DILUTION        GSI
            EVENTS
023         REACTOR COOLANT PUMP SEAL         GSI
            FAILURES
029         BOLTING DEGRADATION OR            GSI
            FAILURES IN NUCLEAR PLANTS
036         LOSS OF SERVICE WATER             GSI
045         INOPERABILITY OF INSTRUMENTS      GSI
            DUE TO EXTREME COLD WEATHER
048         LCO FOR CLASS 1E VITAL            GSI
            INSTRUMENT BUSES IN OPERATING
            REACTORS
049         INTERLOCKS AND LCOs FOR           GSI
            REDUNDANT CLASS 1E TIE BREAKERS
051         PROPOSED REQUIREMENTS FOR         GSI
            IMPROVING RELIABILITY OF OPEN
            CYCLE SERVICE WATER SYSTEMS
057         EFFECTS OF FIRE PROTECTION        GSI
            SYSTEM ACTUATION ON SAFETY
            RELATED EQUIPMENT
064         IDENTIFICATION OF PROTECTION      GSI
            SYSTEM INSTRUMENT SENSING LINES
066         STEAM GENERATOR REQUIREMENTS      GSI

079         UNANALYZED REACTOR VESSEL         GSI
            THERMAL STRESS DURING NATURAL
            CONVECTION COOLDOWN
082         BEYOND DESIGN BASES ACCIDENTS     GSI
            IN SPENT FUEL POOLS
083         CONTROL ROOM HABITABILITY         GSI
093         STEAM BINDING OF AUXILIARY        GSI
            FEEDWATER PUMPS
094         ADDITIONAL LTOP FOR LIGHT         GSI
            WATER REACTORS
099         RCS/RHR SUCTION LINE              GSI
            INTERLOCKS ON PWRS
102         HUMAN ERROR IN EVENTS             GSI
            INVOLVING WRONG UNIT OR WRONG
            TRAIN
103         DESIGN FOR PROBABLE MAXIMUM       GSI
            PRECIPITATION
105         INTERFACING SYSTEMS LOCA AT       GSI
            LWRS
106         PIPING AND USE OF HIGHLY          GSI
            COMBUSTIBLE GASES IN VITAL
            AREAS -- FIRE PROTECTION
113         DYNAMIC QUALIFICATION TESTING     GSI
            OF LARGE BORE HYDRAULIC
            SNUBBERS
119.1       PIPE RUPTURE REQUIREMENTS         GSI/RI
119.2       PIPE DAMPING VALUES               GSI/RI
119.3       DECOUPLING OBE FROM SSE           GSI/RI

119.5       LEAK DETECTION REQUIREMENTS       GSI/RI
121         HYDROGEN CONTROL FOR LARGE,       GSI
            DRY PWR CONTAINMENTS
122.2       INITIATING FEED AND BLEED         GSI
124         AUXILIARY FEEDWATER SYSTEM        GSI
            RELIABILITY
125.I.3     SPDS AVAILABILITY                 GSI
125.II.7    RE-EVALUATE PROVISION TO          GSI
            AUTOMATICALLY ISOLATE FEEDWATER
            FROM STEAM GENERATOR DURING
            LINE BREAK
128         ELECTRICAL POWER RELIABILITY      GSI
130         ESSENTIAL SERVICE WATER PUMP      GSI
            FAILURES AT MULTI-PLANT SITES
135         INTEGRATED STEAM GENERATOR        GSI
            ISSUES
A-01        WATER HAMMER                      USI
A-02        ASYMMETRIC BLOWDOWN LOADS ON      USI
            RCS
A-04        C-E STEAM GENERATOR TUBE          USI
            INTEGRITY
A-09        ATWS                              USI
A-11        REACTOR VESSEL MATERIAL           USI
            TOUGHNESS
A-12        FRACTURE TOUGHNESS OF SG & RCP    USI
            SUPPORTS

A-13        SNUBBER OPERABILITY ASSURANCE     GSI
A-15        PRIMARY COOLANT SYSTEM            GSI
            DECONTAMINATION AND STEAM
            GENERATOR CHEMICAL CLEANING
A-17        SYSTEMS INTERACTION               USI
A-24        QUALIFICATION OF CLASS 1E         USI
            SAFETY-RELATED EQUIPMENT
A-25        NON-SAFETY LOADS ON CLASS 1E      GSI
            POWER SOURCES
A-26        REACTOR VESSEL PRESSURE           USI
            TRANSIENT PROTECTION
A-29        PLANT DESIGN FOR REDUCTION OF     GSI
            VULNERABILITY TO SABOTAGE
A-30        ADEQUACY OF SAFETY-RELATED DC     USI
            POWER SUPPLIES
A-31        RHR SHUTDOWN REQUIREMENTS         USI
A-35        ADEQUACY OF OFFSITE POWER         GSI
            SYSTEMS
A-36        CONTROL OF HEAVY LOADS NEAR       USI
            SPENT FUEL
A-40        SEISMIC DESIGN--SHORT TERM        USI
            PROGRAM
A-43        CONTAINMENT EMERGENCY SUMP        USI
            PERFORMANCE
A-44        STATION BLACKOUT                  USI
A-45        SHUTDOWN DECAY HEAT REMOVAL       USI
            REQUIREMENTS

A-46        SEISMIC QUALIFICATION OF          USI
            EQUIPMENT IN OPERATING PLANTS
A-47        SAFETY IMPLICATIONS OF CONTROL    USI
            SYSTEMS
A-48        HYDROGEN CONTROL MEASURES &       USI
            EFFECTS OF HYDROGEN BURNS
A-49        PRESSURIZED THERMAL SHOCK         USI
B-05        DUCTILITY OF TWO-WAY SLABS &      GSI
            SHELLS -- STEEL CONTAINMENTS
B-36        DEV., DESIGN, TEST, MAINT.        GSI
            CRITERIA FOR ATMOSPHERE
            CLEANUP SYSTEM AIR FILTRAT. &
            ABSORPTION UNITS...
B-53        LOAD BREAK SWITCH                 GSI
B-56        DIESEL GENERATOR RELIABILITY      GSI
B-58        PASSIVE MECHANICAL FAILURES       GSI
B-60        LOOSE PARTS MONITORING SYSTEM     GSI
B-61        ALLOWABLE ECCS EQUIPMENT          GSI
            OUTAGE PERIODS
B-63        ISOLATION OF LOW PRESSURE         GSI
            SYSTEMS CONNECTED TO THE
            REACTOR COOLANT PRESSURE
            BOUNDARY
B-64        DECOMMISSIONING OF REACTORS       GSI
B-66        CONTROL ROOM INFILTRATION         GSI
            MEASUREMENTS
C-01        ASSURANCE OF CONTINUOUS LONG      GSI
            TERM CAPABILITY OF HERMETIC
            SEALS ON INSTRUMENTATION &
            ELECT. EQUIPMENT

C-02        STUDY OF CONTAINMENT              GSI
            DEPRESSURIZATION BY
            INADVERTENT SPRAY OPERATION
C-04        STATISTICAL METHODS FOR ECCS      GSI/RI
            ANALYSIS
C-05        DECAY HEAT UPDATE                 GSI/RI
C-06        LOCA HEAT SOURCES                 GSI/RI
C-10        EFFECTIVE OPERATION OF            GSI
            CONTAINMENT SPRAYS IN A LOCA
C-12        PRIMARY SYSTEM VIBRATION          GSI
            ASSESSMENT
HF 1.3.4a   HUMAN FACTORS PROGRAM PLAN -      GSI/TMI
            MAN MACHINE INTERFACE - LOCAL
            CONTROL STATIONS
HF 1.3.4b   HUMAN FACTORS PROGRAM PLAN -      GSI/TMI
            MAN MACHINE INTERFACE -
            ANNUNCIATORS
HF 1.3.4c   HUMAN FACTORS PROGRAM PLAN -      GSI/TMI
            MAN MACHINE INTERFACE -
            OPERATIONAL AIDS
HF 1.3.4d   HUMAN FACTORS PROGRAM PLAN -      GSI/TMI
            MAN MACHINE INTERFACE -
            AUTOMATION AND ARTIFICIAL
            INTELLIGENCE
HF 1.3.4e   HUMAN FACTORS PROGRAM PLAN -      GSI/TMI
            MAN MACHINE INTERFACE -
            COMPUTERS AND COMPUTER DISPLAYS
HF 5.1      LOCAL CONTROL STATIONS            GSI/TMI

HF 5.2      REVIEW CRITERIA FOR HUMAN         GSI/TMI
            FACTORS ASPECTS OF ADVANCED I&C
HF 8.0      MAINTENANCE AND SURVEILLANCE      GSI/TMI
            PROGRAM
I.C.1       SHORT TERM ACCIDENT ANALYSIS      GSI/TMI
            AND PROCEDURES REVISION
I.D.1       (1-5) CONTROL ROOM DESIGN         GSI/TMI
            REVIEWS -- GUIDELINES AND
            REQUIREMENTS
I.D.2       CONTROL ROOM DESIGN REVIEWS --    GSI/TMI
            PLANT SAFETY PARAMETER DISPLAY
            CONSOLE
I.D.3       CONTROL ROOM DESIGN -- SAFETY     GSI/TMI
            SYSTEM STATUS MONITORING
I.D.4       CONTROL ROOM DESIGN STANDARD      GSI/TMI
I.D.5       (1) CONTROL ROOM DESIGN --        GSI/TMI
            IMPROVED INSTRUMENTATION
            RESEARCH - ALARMS AND DISPLAYS
I.D.5       (2) CONTROL ROOM DESIGN --        GSI/TMI
            IMPROVED INSTRUMENTATION
            RESEARCH
I.D.5       (3) CONTROL ROOM DESIGN --        GSI/TMI
            ON-LINE REACTOR SURVEILLANCE
            SYSTEMS
I.D.5       (4) CONTROL ROOM DESIGN --        GSI/TMI
            IMPROVED INSTRUMENTATION
            RESEARCH
I.F.1       QUALITY ASSURANCE - EXPAND        GSI/TMI
            QUALITY ASSURANCE LIST FOR
            EQUIPMENT IMPORTANT TO SAFETY

I.F.2       (6) QUALITY ASSURANCE -- DEVELOP MORE DETAILED QA       GSI/TMI
            CRITERIA
I.F.2       (9) QUALITY ASSURANCE -- DEVELOP MORE DETAILED QA       GSI/TMI
            CRITERIA
II.B.1      SAFETY REVIEW CONSIDERATION -- REACTOR COOLANT SYSTEM   GSI/TMI
            VENTS
II.B.2      SAFETY REVIEW CONSIDERATION -- PLANT SHIELDING TO       GSI/TMI
            PROVIDE POST ACCIDENT ACCESS TO VITAL AREAS
II.B.3      SAFETY REVIEW CONSIDERATION -- POST ACCIDENT SAMPLING   GSI/TMI
            SYSTEM
II.B.5      (1&2) BEHAVIOR OF SEVERELY DAMAGED FUEL & CORE MELT     GSI/LI
II.B.5      (3) EFFECT OF H2 BURNING AND EXPLOSIONS ON CONTAINMENT  GSI/LI
            STRUCTURE
II.B.6      RISK REDUCTION FOR OPERATING REACTORS WITH SITES WITH   GSI/TMI
            HIGH POPULATION DENSITIES
II.B.7      SAFETY REVIEW CONSIDERATION -- ANALYSIS OF HYDROGEN     GSI/TMI
            CONTROL
II.C.4      RELIABILITY ENGINEERING                                 GSI/TMI
II.D.1      COOLANT SYSTEM VALVES -- TESTING REQUIREMENTS           GSI/TMI
II.D.3      COOLANT SYSTEM VALVES -- VALVE POSITION INDICATION      GSI/TMI

II.D.3.4    (1&2) CONTROL ROOM HABITABILITY                         GSI/TMI
II.E.1.2    AUXILIARY FEEDWATER SYSTEM EVALUATION                   GSI/TMI
II.E.1.2    AUXILIARY FEEDWATER SYSTEM AUTOMATIC INITIATION AND     GSI/TMI
            FLOW INDICATION
II.E.4.1    CONTAINMENT DESIGN -- DEDICATED PENETRATIONS            GSI/TMI
II.E.4.2    CONTAINMENT DESIGN -- ISOLATION DEPENDABILITY           GSI/TMI
II.E.4.3    CONTAINMENT INTEGRITY CHECK                             GSI/TMI
II.E.4.4    (1-5) CONTAINMENT DESIGN -- PURGING                     GSI/TMI
II.E.6.1    TEST ADEQUACY STUDY (VALVES, HANGERS, ETC.)             GSI/TMI
II.F.1      (1-6) ADDITIONAL ACCIDENT MONITORING INSTRUMENTATION    GSI/TMI
II.F.2      IDENTIFICATION AND RECOVERY FROM CONDITIONS LEADING TO  GSI/TMI
            INADEQUATE CORE COOLING
II.F.3      INSTRUMENTATION FOR MONITORING ACCIDENT CONDITIONS      GSI/TMI
II.F.5      CLASSIFICATION OF I & C, AND ELECTRICAL EQUIPMENT       GSI/LI
II.G.1      POWER SUPPLIES FOR PRESSURIZER RELIEF VALVES, BLOCK     GSI/TMI
            VALVES, AND LEVEL INDICATORS

II.K.1      (3&4, 6&9, 14-28) MEASURES TO MITIGATE SMALL BREAK      GSI/TMI
            LOCA'S AND LOSS OF FW ACCIDENTS IE BULLETINS
II.K.3      (5, 25, 30&31, 55) FINAL RECOMMENDATIONS OF B&O TASK    GSI/TMI
            FORCE TO MITIGATE ACCIDENTS
III.D.1.1   (1) PRIMARY COOLANT SOURCES OUTSIDE THE CONTAINMENT     GSI/TMI
            STRUCTURE
III.D.3.3   (1-4) IN-PLANT RADIATION MONITORING                     GSI/TMI
III.D.3.4   (1-2) CONTROL ROOM HABITABILITY                         GSI/TMI

APPENDIX B

Combustion Engineering Design Certification Program

Process for Probabilistic Risk Assessment as Required by the Severe Accident Policy Statement

I. Overview of Process for Probabilistic Risk Assessment of System 80+

One of the requirements of the Severe Accident Policy Statement is that a Probabilistic Risk Assessment (PRA) must be performed for all future plants. To address these requirements, a System 80+ Standard Design Level III PRA is being performed.

The System 80+ Standard Design PRA has two primary purposes. The first purpose is to identify (1) the dominant contributors to severe accident risk and (2) the accident sequences which are insignificant. The second purpose is to provide an analytical tool for evaluating the impact of design modifications on core damage probability and the overall risk to the health and safety of the public.

This PRA is performed in two phases. In the first phase, Event Trees and Fault Tree Models were developed for the current System 80 standardized design. These models were used to establish a baseline core damage frequency and to determine the dominant core damage contributors for the current System 80 design. In this phase, the System 80 design was evaluated using generic reliability data.

The second phase is an interactive process in which these models will be modified to reflect system design enhancements proposed for the System 80+ Standard Design. The models are being evaluated to determine the impact of the design enhancements on core damage frequency and dominant core damage contributors. These impacts will be reviewed and other design enhancements will be considered as appropriate to achieve the overall safety goals.

Phase One: Baseline System 80 PRA

The baseline System 80 core damage frequency calculation is a Level I PRA. This PRA includes the identification and quantification of accident sequences attributable to internal initiators which lead to core damage. While the Balance of Plant (BOP) systems are outside of the System 80 NSSS scope, information on certain BOP systems is required in order to thoroughly evaluate the performance of the NSSS Systems. Where such information is required, functional system designs which meet CESSAR-F interface requirements and are consistent with support system configurations used in recent vintage Combustion Engineering plants will be used in the analyses.

Phase Two: System 80+ PRA

As the System 80 design evolves into the System 80+ Standard Design (the Nuclear Power Module and Standardized Functional Descriptions), the baseline PRA will also evolve so as to provide input to the many design decisions that will be made. Based on the results of the baseline PRA, initial system reliability targets will be established and potential system weak links will be identified.

Recognizing that some system reliability targets will be more difficult or expensive to meet than others, trade-offs will be called for and the evolving PRA will serve as a valuable method to monitor the current status of the design with respect to reliability and risk goals. These goals include reliability goals from Standard Review Plans, large-release frequency goals from the Safety Goal Policy Statement and EPRI ALWR Program core melt frequency objectives.

The baseline PRA will identify dominant accident sequences with occurrence frequencies high enough to prevent the design from meeting the goals. The System 80+ Standard Design development effort will then be able to focus on improving the reliability of systems or equipment involved in the dominant sequences. As design improvements are adopted, the PRA models will be updated.

The final PRA for the System 80+ Standard Design will include all of the design modifications that are implemented as a part of the ALWR Design Verification Program. Additionally, with support from the DOE Advanced Reactor Severe Accident Program (ARSAP), the PRA will be upgraded to a Level III PRA and External Events will be addressed generically.

II. Acceptance Criteria and Methodology for PRA

As stated in Section I, the objectives of PRA analyses are to calculate a baseline core damage frequency for a generic System 80 plant, to determine the dominant core damage contributors and to assess potential areas for design improvements in the System 80+ Standard Design and to document the System 80+ Standard Design PRA. These analyses are equivalent to the Probabilistic Safety Analysis (PSA) described in the PSA Procedures Guide (NUREG/CR-2815). The methods employed in this analysis are consistent with methods outlined in the PSA Procedures Guide and methods described in the PRA Procedures Guide (NUREG/CR-2300). This work will use the small event tree/large fault tree approach.

Figure B-1 shows the major tasks in this analysis. The following sections describe each of these tasks and associated methodology.

[Figure B-1: Major PRA Tasks]

Plant Familiarization

The objective of this task is to (1) collect the information necessary for identification of appropriate initiating events, (2) determine the success criteria for the front line systems required to prevent or mitigate the transients and accidents and (3) identify the dependence between the front line systems and the support systems which are required for proper functioning of the front line systems. This task is primarily an information gathering task.

The information collected in this task includes design information, operational information and information on plant responses to transients. CESSAR-F will be used to provide information on the design of systems within the basic NSSS scope and interface requirements for the support systems. Where additional design detail is needed for support systems, typical system designs will be generated based on support system designs described in the FSARs of recent vintage C-E plants with similar NSSS designs.

Operator actions during plant transients will be evaluated and established based on C-E's Emergency Procedure Guidelines and discussions with licensed operators in C-E's Training Department and at an operating System 80 plant. Surveillance requirements and operability definitions will be derived from C-E's Standard Technical Specifications and, where more specific detail is needed, from System 80 plant specific Technical Specifications. Maintenance information, where needed, will be based on common industry practices.

The Reactor Safety Study, several other published PRA studies, and the IDCOR IPE Procedures Guide will also be reviewed as part of the plant familiarization task. The objectives of these reviews are to provide a broad overview of areas to be addressed in this analysis and to identify potential problem areas.

Accident Sequence Definition

The objective of this task is to qualitatively identify those accident sequences which lead to core melt/core damage. This will be accomplished using event tree analysis. Event tree analysis involves defining a set of initiating events and constructing a set of system event trees which relate plant system responses to each defined initiating event. Each system event tree represents a distinct set of system accident sequences, each of which consists of an initiating event and a combination of various system successes and failures that lead to an identifiable plant state. Procedures for developing system event trees are described in detail in the PRA Procedures Guide.

For this analysis, the small event tree/large fault tree approach will be used. In this approach, only the front line systems which respond to mitigate an accident or transient will be addressed on the event tree. The impact of the support systems is addressed within the fault tree models for the front line systems.

A Master Logic Diagram (MLD) will be constructed to guide the selection and grouping of the initiating events. An MLD is essentially a top level tree in which the general conditions that could lead to the top level event are deductively determined. For this analysis, the top event on the MLD is defined to be "offsite release" even though the scope of the analysis is limited to identifying core damage frequency and dominant contributors. This is to ensure completeness and to facilitate later extension of this analysis.

System Modeling

Quantification of the system accident sequences requires knowledge of the failure probability or frequency of occurrence for each element of the system accident sequence. The initiating event frequency and the probability of failure for a system accident sequence element involving the failure of a single component can be quantified directly from the appropriate raw data. However, if the system accident sequence element represents a specific failure mode for a system or subsystem, a fault tree model of the system or subsystem will be constructed and quantified to obtain the desired failure probability.

The evaluation of each fault tree yields both qualitative and quantitative information. The quantitative evaluation of the fault trees yields several numerical measures of a system's failure probability, two of which are typically employed in the event tree quantification (i.e., the unavailability and unreliability). The unavailability is the probability that a system will not respond when demanded. The unreliability is the probability that a system will fail (at least once) during a given required operating period. The unreliability is usually added to the unavailability when the system accident sequence element represents the failure of a standby system to actuate and then run for a specified period of time.

Two types of human failures will be included in the fault tree analyses. They are "pre-existing maintenance errors" and failures of the operator to respond to various demands. Pre-existing maintenance errors are undetected errors committed since the last periodic test of a standby system. An example of this type of error is the failure to reopen a mini-flow valve which was closed for maintenance. A failure of the operator to respond includes the failure of the operator to perform a required function at all or to perform it correctly. An example of this type of error is the failure of the operator to back up the automatic actuation of a safety system.

For this PRA, failure of the operator to respond to various demands where there was a time constraint will be quantified using the Human Cognitive Reliability Model. The human cognitive reliability model is a set of time dependent functions which describe the probability of a crew response in performing a task. The human cognitive reliability model permits the analyst to predict the cognitive reliability associated with a non-response for a given task or series of related tasks, once the dominant type of cognitive processing (skill-based, rule-based or knowledge-based), the median response time for the task or tasks under nominal conditions and performance shaping factors such as stress levels or environment are identified. The inherent time dependence in this model makes it ideal for evaluating operator responses during a transient.

The failure probability for "pre-existing maintenance errors" will be quantified using the Handbook of Human Reliability Analysis. The Handbook of Human Reliability Analysis is an extension of the human reliability analysis methodology developed for WASH-1400, the Reactor Safety Study, and is intended to provide methods, models and estimated human error probabilities to enable analysts to make quantitative or qualitative assessments of the occurrence of human errors that affect the availability or operational reliability of engineered safety systems and components. The emphasis is on tasks addressed in the Reactor Safety Study, calibration, maintenance and selected control room tasks related to engineered safety features availability. It is the best available source for evaluating human performance with respect to maintenance, calibration, testing and other tasks performed during normal plant operation. However, the time dependent model is not as thorough and explicit as that provided by the human cognitive reliability model.

For this PRA, the small event tree/large fault tree approach has been selected. The event trees developed for this PRA will address the response of the front line systems, that is, those systems directly involved in mitigating the various initiating events. The impact of the support systems will be modeled within the front line system models. CESSAR-F contains interface requirements for the support systems but does not contain any support system configurations or schematics. Therefore, in order to develop the support system models, representative support system configurations will be developed using the CESSAR-F interface requirements, support system configurations for System 80 plants and the typical system configurations in the Nuclear Plant Reliability Data System (NPRDS) Reportable Scope Manual for Combustion Engineering designed plants.

Once the baseline PRA models are established, they will be used in the reliability assurance program mentioned above. The models will identify where improvements are needed to assure reliability, risk, and core melt frequency goals are met. If system designs evolve, for example, from two-train to four-train systems, the system models will be revised in order to provide an up-to-date assessment of where the design stands compared to the goals and to identify potential areas for improvement. As the system descriptions in CESSAR-DC are developed, and as additional requirements from the EPRI ALWR Requirements Document are adopted, the system models will be updated to reflect those requirements. The System Reliability Models that result from this process will form the heart of the final System 80+ Standard Design PRA.

Data Assessment

Reliability data is needed for the quantification of the system fault trees and the system accident sequences which result in severe core damage. The data needed for this quantification includes:

1. initiating event frequencies,
2. component failure rates (demand and time-dependent),
3. component repair times and maintenance frequencies,
4. common cause failure rates,
5. human failure probabilities,
6. special event probabilities (e.g., restoration of offsite power), and
7. error factors for the items above.

Because the analysis is for a generic System 80 plant, generic reliability data will be used in this analysis. The basic initiating event frequencies will be extracted from the PSA Procedures Guide, EPRI NP-2230 and the NREP Generic Data Base. The initiating event frequencies in the Zion PRA, the Oconee PRA and the Calvert Cliffs IREP Report as well as those in NUREG/CR-4550 will also be considered.
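The following added example (not part of the original document, and not the CEREC or CESAM codes it names) shows how the data types listed above enter the quantification of one accident sequence: a standby train's failure probability is taken as unavailability plus unreliability, as described under System Modeling, and the error factors are propagated by random sampling. All numeric values are constructed; treating each error factor as the ratio of the 95th percentile to the median of a lognormal distribution, and using a beta-factor model for common cause failure of a two-train system, are assumptions of the example.

```python
import math
import random
from dataclasses import dataclass

Z95 = 1.645  # 95th percentile of the standard normal distribution


@dataclass(frozen=True)
class Param:
    """A reliability datum with its error factor (assumed lognormal)."""
    median: float
    error_factor: float  # assumption: 95th percentile / median

    @property
    def sigma(self):
        return math.log(self.error_factor) / Z95

    @property
    def mean(self):
        return self.median * math.exp(self.sigma ** 2 / 2.0)

    def sample(self, rng):
        return self.median * math.exp(rng.gauss(0.0, self.sigma))


def standby_failure_probability(q_demand, rate_per_hr, mission_hr):
    """Fail to start (unavailability) plus fail to run (unreliability)."""
    unreliability = 1.0 - math.exp(-rate_per_hr * mission_hr)
    return min(1.0, q_demand + unreliability)


def two_train_failure(q_train, beta):
    """Both trains fail independently, or one common cause event (beta-factor)."""
    return ((1.0 - beta) * q_train) ** 2 + beta * q_train


def sequence_frequency(ie_per_yr, element_probs):
    """Initiating event frequency times each sequence element probability."""
    freq = ie_per_yr
    for p in element_probs:
        freq *= p
    return freq


# Constructed sample data (not taken from any of the cited data bases).
IE = Param(0.05, 3.0)           # initiating event frequency, per year
Q_DEMAND = Param(3.0e-3, 3.0)   # train fails on demand
RUN_RATE = Param(1.0e-4, 10.0)  # train fails while running, per hour
NO_RECOVERY = Param(0.1, 2.0)   # special event: offsite power not restored
BETA = 0.1                      # common cause fraction
MISSION_HR = 24.0


def evaluate(ie, q, lam, p_special):
    train = standby_failure_probability(q, lam, MISSION_HR)
    system = two_train_failure(train, BETA)
    return sequence_frequency(ie, [system, min(1.0, p_special)])


def point_estimate():
    """Sequence frequency with every datum at its median."""
    return evaluate(IE.median, Q_DEMAND.median, RUN_RATE.median,
                    NO_RECOVERY.median)


def propagate(n=20000, seed=1989):
    """Sample every datum from its distribution and summarize the result."""
    rng = random.Random(seed)
    samples = sorted(
        evaluate(IE.sample(rng), Q_DEMAND.sample(rng),
                 RUN_RATE.sample(rng), NO_RECOVERY.sample(rng))
        for _ in range(n)
    )
    return {
        "mean": sum(samples) / n,
        "p05": samples[int(0.05 * n)],
        "median": samples[n // 2],
        "p95": samples[int(0.95 * n)],
    }


if __name__ == "__main__":
    print("point estimate (per year):", point_estimate())
    for name, value in propagate().items():
        print(name, value)
```

The sampled mean lies above the median because the input distributions are right-skewed, which is why a point estimate built from medians understates the mean sequence frequency.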

Accident Sequence Quantification

The basic objective of this analysis is to model baseline core damage frequency for a generic System 80 plant and then again for the System 80+ Standard Design. The total core damage frequency, due to internal events, is the sum of the frequencies of the system level accident sequence frequencies for those accident sequences which result in core damage. The system level accident sequences leading to core damage will be identified using event tree analysis. Each system level accident sequence will consist of an initiating event and one or more additional elements, each representing either a front line system failure or a special event such as failure to restore offsite power within a given time or the most reactive rod sticking out of the core. The frequency for the system level accident sequence will be determined by quantifying the individual elements in the sequence and then combining the results in the appropriate manner.

The frequencies for the initiating events and the special events are directly calculable. The front line system failure probabilities will be calculated in the baseline analysis using conditioned fault tree analysis. In the System 80+ Standard Design PRA, fault tree linking will be used. The first step in this process will be to construct a fault tree model for each front line system that appeared as an element in a system accident sequence. The models will include submodels for the appropriate support systems.

The next step will be to perform a baseline quantification of each fault tree using generic failure rates. For those front line systems appearing in the LOCA or steam line break sequences, baseline quantifications will be made with and without offsite power. This quantification provides a list of cutsets, the system unreliability and the system unavailability for each front line system. This quantification will be performed using CEREC, a fault tree analysis computer code.

The third step in this process is to identify common elements in fault tree models appearing in any given event sequence and to calculate conditional failure probabilities for these elements. After all the conditioned component failure rates are calculated, the system fault trees will be requantified using the appropriate conditioned component failure rates, thus yielding a set of system failure probabilities specific to the initiating event classes.

The final step in the quantification of the core damage frequency is to solve each system accident sequence equation using the appropriate initiating event, special event and system failure probabilities. This will be done using CESAM, a Monte Carlo sampling code for equation solving.

Radionuclide Release and Transport

The evaluation of environmental radionuclide releases that result from severely degraded core accidents will involve four elements:

1. Radionuclides and structural material inventories;
2. Radionuclides and structural material source term from the core;
3. Transport, deposition, and release in the primary system; and,
4. Transport, deposition, and release in the containment.

The analysis will proceed in a sequential manner, starting with the radionuclides and structural material inventories. This will involve the determination of the quantities of radionuclides and structural materials that are present at the beginning of an accident.

The next step will be the evaluation of the radionuclides and structural material source term from the core. This will entail the determination of the quantities of radionuclides and structural materials released from the core to the primary system or to the containment. (Direct releases of radionuclides and structural materials from the corium--the melted core and structural materials--to the containment can occur in meltdown accidents after the pressure vessel has melted through and the corium is interacting with the concrete basemat.)

This source term will then be used in the analysis of radionuclide transport, deposition, and release in the primary system. The analysis will consider the various deposition processes that can occur in the primary system. The result will be the source term for release from the primary system to the containment; it is used in the analysis of transport, deposition, and release in the containment. This analysis will take account of the various deposition processes that can occur in the containment, and it will determine the quantities of radionuclides released from the containment to the environment.

III. NRC Review Process and Documentation

The System 80+ Standard Design Probabilistic Risk Assessment will be documented in an appendix to CESSAR-DC and submitted to the NRC in June 1989. In the meantime, however, Combustion Engineering will apprise the NRC and obtain feedback on the System 80+ Standard Design PRA via meetings and questions and responses. The purpose of these early interactions is to provide continuous NRC comments as the System 80+ Standard Design PRA is developed. Emphasis will be placed on establishing NRC criteria for acceptance of the System 80+ PRA. These comments and preliminary criteria will be documented in meeting minutes issued by NRC.

Combustion Engineering will document, in the CESSAR-DC appendix, all acceptance criteria and descriptive information necessary to obtain NRC concurrence on the System 80+ Standard Design PRA. NRC concurrence on the CESSAR-DC PRA appendix will be provided in the Safety Evaluation Report.

APPENDIX C

Combustion Engineering Design Certification Program

Process for Degraded Core Evaluation as Required by the Severe Accident Policy Statement

I. Overview of Process for Degraded Core Evaluation

The Severe Accident Policy Statement requires that the design bases for future plants include consideration of both the prevention and mitigation of degraded core accidents, using an evaluation approach based on deterministic engineering analysis and judgement, complemented by Probabilistic Risk Assessment (PRA). Combustion Engineering, with support by the DOE Advanced Reactor Severe Accident Program (ARSAP), will include degraded core evaluation in the design of the System 80+ Standard Design (the Nuclear Power Module and Standardized Functional Descriptions). The proposed approach for this evaluation is to identify the severe accident issues applicable to the System 80+ Standard Design, to develop criteria for resolution of those issues, and to prepare a resolution to each issue.

II. Method of Evaluation

ARSAP has identified severe accident issues on the basis of results of the Industry Degraded Core Rulemaking (IDCOR) Program and all available research related to severe accidents. These issues will be addressed in Topic Papers which document technical information on the subject issues and propose criteria for resolution of those issues. The resolution of issues for the System 80+ Standard Design will be substantiated, as required, by plant specific evaluations. Topic Papers will be reviewed, prior to submittal to the NRC, by an Industry Technical Advisory Group organized by ARSAP. Figure C-1 shows the severe accident resolution process.

The Topic Papers have been divided by ARSAP into six categories corresponding to subject area and sequence of preparation. Table C-1 provides a list of the issues that are included in each category.

Combustion Engineering and ARSAP have chosen the Modular Accident Analysis Program (MAAP) Version 3B as the methodology for deterministic analysis of the System 80+ Standard Design to support resolution of severe accident issues. MAAP-3B will be revised to include model improvements resulting from ARSAP activities. Severe accidents that are found to occur at a frequency below a cut-off frequency of 1 x 10^-8 per reactor year will not be analyzed.

MAAP-3B will be utilized for design-specific analyses of accident initiation, progression, and containment response. It is a best-estimate method which uses a modular format for modeling plant systems and for predicting a quantified release of radioactive materials from containment corresponding to different postulated accident sequences. It will also be used in sensitivity analyses to investigate the effectiveness of alternative design features for the mitigation of degraded core accidents.

It should be emphasized here that NRC approval of the MAAP code is not required. Technical disagreements between the MAAP-3B results and NRC methods will be addressed on a case-by-case basis (a proposed process for NRC review of MAAP-3B is the subject of Topic Paper 5.3).

Table C-1
Listing of Planned ARSAP Topic Papers

Set 1  RESOLVED IDCOR/NRC ISSUE - APPLICABILITY TO ALWRS

  o  Reactor coolant system natural circulation (IDCOR Issue 2)
  o  In-vessel steam explosions and alpha mode failure (IDCOR Issue 7)
  o  Ex-vessel heat transfer models from molten core to concrete (IDCOR Issue 10)
  o  Fission product release prior to vessel failure (IDCOR Issue 1)
  o  Release model for control rod materials (IDCOR Issue 3)
  o  Fission product and aerosol deposition in primary system (IDCOR Issue 4)
  o  Ex-vessel fission product release (during core-concrete interactions) (IDCOR Issue 9)
  o  Fission product and aerosol deposition in containment (IDCOR Issue 12)
  o  Revaporization of fission product (IDCOR Issue 11)
  o  Secondary containment performance (IDCOR Issue 16)
  o  Modeling of emergency response (IDCOR Issue 14)

Set 2  PLANT RESPONSE UNDER SEVERE ACCIDENT CONDITIONS

  o  In-vessel hydrogen generation (IDCOR Issue 5)
  o  Core melt progression and vessel failure (IDCOR Issue 6)
  o  Direct containment heating by ejected core materials (IDCOR Issue 8)
  o  Containment performance (capability, failure modes, isolation, bypass) (IDCOR Issue 15)
  o  Hydrogen ignition and burning (IDCOR Issue 17)
  o  Debris Coolability (IDCOR Issue 10)

Set 3  PROBABILISTIC METHODS

  o  External events
  o  Success criteria and mission time
  o  Accident sequence selection

Set 4  SEVERE ACCIDENT PERFORMANCE

  o  Essential equipment performance (IDCOR Issue 18)

Set 5  SAFETY GOAL EVALUATION

  o  Safety goal implementation - interpretation of goals and usage of PRA results in comparison with goals, including interpretation of uncertainties
  o  Uncertainties in plant risk analysis
  o  MAAP acceptance - consensus on severe accident analysis capability

Set 6  SEVERE ACCIDENT MANAGEMENT

  o  Severe accident management program

FIGURE C-1
THE SEVERE ACCIDENT RESOLUTION PROCESS

[Flow chart. Boxes: CONSENSUS ON DEFINITION OF ISSUE RESOLUTION; PRODUCE ARSAP TOPIC PAPER; REVIEW WITH CE & ITAG AND MODIFY TOPIC PAPER; NRC REVIEW AND INTERIM GUIDANCE; CONDUCT ANALYSIS/DESIGN MODS.; ISSUE RESOLVED (NO/YES); FINAL RESOLUTION DOCUMENTED BY NRC]

III. Criteria for Degraded Core Evaluation

The resolution of severe accident issues documented in Topic Papers is consistent with NRC guidance on implementation of the Severe Accident Policy Statement and with the NRC Safety Goal Policy Statement. The Safety Goal Policy Statement includes the general performance guideline that the overall mean frequency of large releases of radioactive material to the environment as a result of reactor accidents should be less than 10 per year of reactor operation. Procedural criteria for degraded core evaluations are expected to be issued in future regulatory documentation. The following criteria are currently proposed by the NRC staff:

- the evaluation should use realistic prediction of radioactive material releases commensurate with the event;
- for each design, the more likely of severe accidents needs to be considered in the design and licensing of the plant;
- evaluation of severe accident consequences does not need to use conservative engineering practice common for design basis events;
- consequences of more likely severe accidents should not represent a threat to the public; and,
- extremely unlikely events need not be considered in computing consequences, but should be assured of extremely low probability of occurrence.

IV. NRC Review Process

The proposed resolutions of severe accident issues for the System 80+ Standard Design have been documented in Topic Papers and submitted for NRC review. The NRC Staff will provide interim guidance as to the appropriateness of each resolution submitted so that the design process can proceed on schedule. It is possible that the NRC Staff may desire additional information, including results of deterministic analyses for degraded core accidents, to support their review.

NRC review results will be documented, following completion of the initial review, resulting in resolution of the issue or agreement on an achievable pathway for resolution. The documentation will address the acceptability of resolutions for severe accident issues, including criteria applied for the System 80+ Standard Design and methods of evaluation.

V. Summary

The System 80+ Standard Design degraded core evaluation will address severe accident issues applicable to advanced pressurized water reactors. The resolution of severe accident issues will be based on the requirement to demonstrate safety acceptability in compliance with the NRC Severe Accident and Safety Goal Policy statements. Combustion Engineering and ARSAP will propose criteria for resolution of severe accident issues. The NRC Staff will provide interim guidance on the appropriateness of the proposed resolution and will request additional information, as required, sufficient for resolution of each issue.}}