NRC-89-3448, Forwards Westinghouse SP/90 Position on Selected Severe Accident Issues to Be Discussed During 890714 Meeting W/Nrc in Rockville,Md.Issue Topics Include Fire Protection, Intersys Loca,Midloop Operation & ATWS

From kanterella
Jump to navigation Jump to search
Forwards Westinghouse SP/90 Position on Selected Severe Accident Issues to Be Discussed During 890714 Meeting W/Nrc in Rockville,Md.Issue Topics Include Fire Protection, Intersys Loca,Midloop Operation & ATWS
ML20247R262
Person / Time
Site: 05000601
Issue date: 07/11/1989
From: Johnson W
WESTINGHOUSE ELECTRIC COMPANY, DIV OF CBS CORP.
To: Chris Miller
NRC OFFICE OF INFORMATION RESOURCES MANAGEMENT (IRM), Office of Nuclear Reactor Regulation
References
REF-GTECI-058, REF-GTECI-105, REF-GTECI-A-09, REF-GTECI-A-44, REF-GTECI-EL, REF-GTECI-NI, REF-GTECI-SY, TASK-058, TASK-105, TASK-58, TASK-A-09, TASK-A-44, TASK-A-9, TASK-OR GL-88-17, NS-NRC-89-3448, NUDOCS 8908070413
Download: ML20247R262 (31)
v  d  e


Text

___ -_ _ - _ _ _ _ _ - _. - - _ _ - _ _ _ _ _ _ _ _ _ __ _

'. 3. g

(

Westinghouse PowerSystems NucleaIIechnology systems omsion Electric Corporation Box 355 Pittsbutgh Pennsylvania 152'a 0 0355 July 11,1989 NS-NRC-89-3448 Docket No. STN 50-601 Document Control Desk U. S. Nuclear Regulatory Commission Washington, D.C. 20555 Attention: Charles L. iiiller, Director Standardization and Non-Power Reactor Project Directorate

Subject:

Submittal of Westinghouse SP/90 Position on Selected Severe Accident Issues for July 14, 1989 Westinghouse /NRC Meeting

Dear Mr. Miller:

Enclosed are ten '(10) non-Proprietary copies of the Westinghouse SP/90 position on selected Severe Accident Issues to be discussed during the Westinghouse /NRC meeting scheduled for 8:30 A.M. Friday, July 14, 1989, in the NRC Rockville office.

The purpose of that meeting is to obtain agreement on certain severe accident issues discussed during the May 8,1989 meeting with Dr. Thomas Murley and members of his staff, and during several follow-up Westinghouse / Staff conference calls during May and June. l The Westinghouse positions on issues included in this submittal have been previously transmitted in response to RESAR-SP/90 DSER Open Issues, or will be submitted in the near future in revisions to DSER Open Issues and in our  !

response to Unresolved Safety Issues (USI's) and Generic Safety Issues (GSI's).

Additional severe accident issues beyond those listed may be discussed if time allows.

Very truly yours,  !

s I

/ '

i )

hw l)) lGG1LtitLJ Q W. J. Johnson, Manager Nuclear Safety Department  ;

WMS/bek/0459B _ ,

cc: Thomas J. Kenyon - NRC (MS 11H3)

Trevor Pratt - Brookhaven National Lab 8908070413 890711 TF 00f PDR ADOCK 050006011 A 8 l PNU{

l j

. ... [ .... . =.

+

WESTINGHOUSE. CLASS 3 i'

r NRC/W-SP/90 MEETING JULY 14, 1989~

(

ROCKVILLE,: MARYLAND p

WESTINGHOUSE SP/90 POSITION ON SEVERE ACCIDENT ISSUES

~

(- . .

o Fire Protection - DSER Open Issues 67 & 69 o Intersystems LOCA -' Generic Safety Issue 105-o Mid-Loop Operation - DSER Open Issue 54 of ATWS - Unresolved Safety Issue A-9 o Station Blackout - Unresolved Safety Issue A-44 o Containment _- DSER Open Issue 58

.JUL'Y .14th MTG. (SP/90) JULY 1989 9077e:Id

-j

1 i WEST 2NGHOUSE CLASS 3

,c .

DSER Open Issue 54: . Lowered reactor coolant system (RCS) inventory operation of RHR -(Generic Letter'88-17) (5.4.3.4).

. Response:

Subsection 5.4.7 of RESAR-SP/90 PDA Module 1, " Primary Side Safeguards System" has been revised as follows: ,

"During certain. shutdown periods, it may be necessary to perform inspection and/or maintenance operations on the steam generators and reactor coolant pumps. Toward the end of the associated cooldown the reactor coolant inventory is reduced sufficiently to drain the steam generator channel heads and install steam generator isolation devices (nozzle dams). The RCS water leve1~~is lowered while RHR operation is continued; this is termed "mid-loop" operation.

Following nozzle dam installation, the RCS water level is raised to the appropriate level for continuation of the inspction/ maintenance work (just below the vessel flange) or for refueling (top of refueling canal),

unless the reactor coolant pump shaft is to be removed. Pump shaft removal requires that mid-loop operation be continued.

To ensure its continued availability to perform the residual heat removal function during -mid-loop operation, the following features are incorporated in the design of the reactor coolant system (RCS) and the residual heat removal (RHR) portion of the integrated safeguards system (ISS):

1. The layout of the RCS hot leg piping and the steam generator channel head is such that installation 'of the nozzle dams can be performed I. with an 80% level in the hot leg piping; this is 9.3 inches above the actual mid plane elevation.

~2. With the convent',onal Westinghouse arrangement of a residual heat removal piping connection at 45' from horizontal, it has been l u l

1 1

JULY 14th MTG. (SP/90) 1 JULY 1989 9077e:Id

WESTINGHOUSE CLASS 3 calculated that onset 'of vortexing with attendant air ingestion would occur at a level 3.0 inches below mid plane elevation. Therefore, during "mid-loop" operation, a margin in excess of 12 inches would exist between normal operating level and the critical level at which RHR pump operation may be impaired due to high levels of air entrainment. While this is a significant improvement relative to current' plants, Westinghouse commits to_ install, in addition, a vortex breaker in cach RHR suction nozzle. This vortex breaker consists of a 24 inch long section of 14 inch Schedule ~140 piping connected in a vertical direction to the bottom of the hot leg piping; .the 8 inch RHR suction line is connected to the bottom of this vortex breaker. With a a vortex breaker, air ingestion commences at about the same water elevation as with a conventional RHR suction nozzle; however, the amount of air entrainment will remain below 10% unless the hot leg is-completely drained. Therefere the potential for RHR pump damage has essentially been eliminated.

3. The RHR'. pump suction line is "self venting," i.e., it slopes continuously upward from the pump to its connection to the hot leg (vortex breaker). If the pump should stop during mid-loop operation (due.to interruption of electric power, for example) any air bubbles present in the pump or suction piping will be vented back up through the. suction line to the water surface.in the hot leg. This feature provides for re-starting the pump under conditions which automatically assure a flooded suction.
4. Separate narrow range level transmitters, calibrated for low temperature conditions, indicate tLe RCS water level between the bottoms of two hot legs and the tops of the steam generator inlet elbews in the same loops during the approach to and conduct of mid-loop operation. Indiention in the main control room and low level alarms are provided.
5. The range of the wide range pressurizer level instrumentation used during " cold" operations, has been expanded to the bottom of the hot i

JULY 14th MTG. (SP/90) 2 JULY 1989 9077e:1d

- 1- ,

WESTINGHOUSE CLASS 3

+

legs. .ThisL provides a continuous level indication in the main control.

room, transitioning to.the range of the two,- more accurate, narrow

. range >1oop level instruments.

6. The RHR pumps will be designed to operate without undergoing cavitation or other adverse effects under conditions of no subcooling in the hot.. legs. Specifically, definition of design values for "NPSH o available," "NPSH required" (by the pump) and- the required layout characteristics (elevation difference, pipe routing, etc.) will be coordinated to assure that the RHR pumps can be started and run at their full RHR flowrate even if boiling in the reactor vessel is occurring. This assures that the normal RHR function can be readily.

used to recover from a temporary loss of cooling.

7. A ' locally mounted flow transmitter in each RHR return header- j (downstream of the RHR heat exchanger), with readout in the main I control room, indicates RHR return flow to the reactor vessel. A low alarm will alert the operator to a decrease in RHR flow in the associated subsystem.
8. The drain down ~of the RCS to mid-loop operation level and RCS inventory. control during mid-loop operation is performed by the operator in the main control room, using the RHR to CVCS letdown flowpath and normal CVCS functions. This will eliminate the need to

_. coordinate local actions in the containment with the control room operators to control RCS drain down rate and level.

9. Procedures will require that one of the four HHSI pump subsystems always will be available for use during mid-loop operations. This will ensure that a backup sourc'e of water for' restoring RCS inventory is readily available and can be actuated from the main control room.

l l 10. At least two incore thermocouple will be available to directly measure the core exit temperature during mid-loop RHR operation. Each of these thermocouple will be on separate instrument electrical a JULY 14th MTG. (SP/90) 3 JULY 1989 9077e:Id ,

4

. . . WESTINGHOUSE CLASS'3 channels. Also, since; the SP/90 incore thermocouple are independent of the RV head, their availability can -be maximized; however,. these thermocouple will. be retracted from the core region during the actual movement / replacement of the fuel. .It should be noted that when fuel is being moved the refueling cavity would be flooded.

. Note that these design features provide the operator in the main control room with'all required instrumentation, alarms and operation controls necessary to adjust, maintain, and take any necessary recovery actions for both RCS inventory control and heat removal.

-- - Additionally, during the Final Design Application (FDA) phase, Westinghouse will perform evaluations to examine potential design criteria to establish procedures and administration controls that. will reasonably ensure that containment closure will be achieved prior to the time at' which a core uncovery could result from a loss of RHR coupled with an inability to initiate alternate cooling or addition of water to the RCS inventory.

In' addition to these design features, appropriate operating and emergency procedures will be defined to guide and direct the operator in the proper conduct of mid-loop operation, and to aid in detection and correction of off-normal-conditions which might occur during such operations."-

l JULY 14th MTG. (SP/90) 4 JULY 1989 9077etid

WESTINGHOUSE = CLASS 3

.DSER Open' Issue.58: . Hydrogen purge and vent system (6.2.5).

-Response:

It is Westinghouse's position that dedicated post-accident venting capability is not ' required for the SP/50 plant. This position is based on the following rationale.

o Prevention has 'been ' addressed by designing for a low core melt l frequency. For internal events, PRA. techniques were used as part of the design process, 'and have resulted in a calculated core melt frequency of 1.5E-6 per year. A _ review of .the three largest contributors (station. blackout, loss of cooling, and transients) which

~

togethe- account for 85 percent of the above total, indicates their J

analyses to be highly conservative. No PRA was performed for external '

events; however, issues encountered in previous PRA's were addressed in a rigorous manner and a significant improvement relative to current plants is, 'therefore, anticipated. Overall, the SP/90 is expected to I exceed the industry core melt frequency goal of .1.0E-5 per' year as r.tated in the EPRI ALWR Requirements Document, probably by about a  ;

factor of two.

o Nitigation has been addressed by incorporating a large dry containment l and by assuring core debris retention and coolability. MAAP analyses ,

have been performed to verify containment performance under severe

)

accident conditions. These analyses demonstrated that no sequence would result in a flammable mixture being reached in the containment atmosphere. l Nevertheless, hydrogen igniters are included in the SP/90 design to address the hypothetical case of a 100 percent Zr-water reaction.

o Calculated SP/90 containment failure frequency for internal events is 6.7E-07. Almost 96 percent of these are late (i.e., beyond 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />). j failures. About 4 percent are due to containment bypass, while ectly j i

l  : JULY _14th MTG. (SP/90) 5 JULY 1989 9077e:1d-

_______ ___-________-_ _ a

WESTINGHOUSE CLASS 3 V .-

I or intermediate failures account for well below 1 percent. The vast majority (approximately 98 percent) of containment failures are due to j the three events (station blackout, loss of cooling, and transients),

whose- core melt frequency as oreviourly indicated has been calculated in a conservative manner. Moreover, little creJit was given for potential recovery actions that could be taken during the almost 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> that would be available between core melt and containment failure. 1 Considering these conservatism inherent in the present analyses, Westinghouse anticipates that more detailed calculations to be 1

performed at the FDA stage will show the SP/90 containment failure frequency due to internal events to be lower than the current value.

Including external events, Westinghouse expects to meet the severe release frequency goal set forth in the EPRI ALWR Requirements Document, i.e., 1.0E-6 per year.

In summary, Westinghouse intends to meet the core melt and severe release frequency goals embodied in the EPRI ALWR Requirements Documents, and expects the present design of the SP/90 plant to be able to accomplish this. If more  ;

detailed analyses at the FDA stage indicate that these goals cannot be met by the. present design, additional design features aimed at reducing risk will be evalaated and will be incorporated in the design to the extent required to meet the goals. These features may include containment venting; however, in the evaluation process preference will in general be given to prevention (i.e., reducing core melt frequency) over mitigation (i.e., reducing conditional containment failure probability).

JULY 14th MTG. (SP/90) 6 JULY 1989 9077e:1d

.. WESTINGHOUSE CLASS 3 DSER Open Issue 67: Spatial separation of safety-related systems (9.5.1.2.1).

Response

Subsection 9.5.1.1.d of RESAR-SP/90 PDA Module 13. " Auxiliary Systems" has been modified as follows to state the SP/90 separation philosophy more clearly and to make it consistent with NRC letter SECY-89-013 " Design Requirements Related to the Evolutionary Advanced i.ight Water Reactors (ALWRS)," dated January 19, 1989:

d. Within the Nuclear Power Block, redundant divisions of safety related equipment outside containment are located in redundant safety areas which are separated from each other and from other areas in the plant by fire barriers with a minimum fire resistance rating of three hours. This degree of separation is in many cases not required, since there are non-safety related components and systems in other fire areas that could be relied upon to achieve safe shutdown following a fire affecting safety-related equipment; however, such separation addresses other external events (e.g. flooding anci nbotage) and greatly simplifies the design and analysis of the safety-related systems and is, therefore, cost effective. Each redundant safety area is further subdivided by internal fire barriers in order to separate components which present a fire ha:ard to other components or cable concentrations within the same area. For example, each diesel

_ generator is separated from the remainder of its associated safety i area.

Exceptions to the use of three hour fire barriers outside containment are only made in those cans where physical separation conflicts with other requirements or where the equipment is not clearly division j oriented. These exceptions are described in Subsection 9.5.1.3(a). I Outside containment, safe shutdown equipment is with very few exceptions division oriented, i.e. it can be clearly associated with either Division A or Division B. This is not the case inside JULY 14th MTG. (SP/90) 7 JULY 1989 l 9077e:1d i

)

1' WESTI:<GHOUSE CLASS 3 containment where only a few components fall into this category. In addition, separation by three hour fire barriers inside containment is not practical because all compartments need to be in communication with each other in order to ralleve pressure following a high energy line break. For this reason, the containment is considered to be a single fire area. Within this single fire area, separation of redundant shutdown equipment, including associated cables, will be designed to ensure, to the extent practical, that one shutdown division will remain free of fire damage.

I I

l l

\

\

-~ ,

l l

l JULY 14th MTG. (SP/90) 8 JULY 1989 I 9077e:Id l

L 1- -

WEST!NGHOUSE CLASS 3 DSER Omn Issue 69: Deviations to 3-hour fire-barrier separation criteria (9.5.1.2.1).

Response

. Subsection 9.5.1.3.a of RESAR-SP/90 PDA Module 13, " Auxiliary System," has-been modified to provide clarification with regard to the exception to the general SP/90 separation criteria. With regard to the staff's questions on valve operation in the main steam tunnel (MST), the following response is provided.

1 Ouestion: Could fire render these valves inoperable, either open or closed?

' Active valves located in the MST are normally deenergized and

~

Answer:

require a signal to change position. If the cable carrying this signal is damaged as a result of a fire, there is a' high probability that the valve n 'y be inoperable and will remain in its original position.

0uestion: Could fire cause spurious action of these valves?

Answer: Since' these valves require an active signal to change position, spurious action of these valves is not considered credible.

_ Question: If the answer to either or both of these questions is "yes," could the conditions cause or lead to unacceptable consequences vis-a-vis safe shutdown of the plant.

Answer: As explained in more detail in the modified Subsection 9.5.1.3.a.

inability te operate val ~ves in the MST does not inhibit the safe shutdown capability of the plant. 1 JULY.14th MTG. (SP/90) 9 JULY 1989 9077e:1d

._m.._.___

s . WESTINGHOUSE CLASS 3 i

L The revised Subsection 9.5.1.3 in RESAR-SP/90 PDA Module 13 follows:

9.5.1.3 Protection of Safe Shutdown Related Equipment l a. Separation of Safe Shutdown' Equipment ,

L Safety-related, redundant components which may be required ~to function following a. fire in order.to achieve safe shutdown will be protected' as described in Subsection 9.5.1.1(d).

-Outside containment, all safety related, redundant components are in

-2 principle located in two areas which are separated from each other and from other areas in the plant by fire barriers with a minimum fire resistance rating of three hours.

-Safety area A contains Division A equipment (mechanical, electrical and HVAC) as well as Channels I and III of the integrated protection system (IPS), including associated power supplies.- Within safety area A, Division A and Channel I are combined into.one separation group, while Channel III constitutes another separation group. Separ-ation between these two groups in safety area A is in accordance with

-the provisions of IEEE Standard 384-1981. Similarly, safety area B contains Division B equipment as well as IPS Channels II and IV, with internal separation handled in a manner identical to safety area A.

In order to minimize the potential for smoke and/or fire propagation, there are no HVAC systems serving both safety areas; thus, duct penetrations between the two safety areas, which w:"1d require automatic fire dampers, have been eliminated. Similarly, fluid systems have been designed without cross connections between redundant safety divisions and therefore, there are t.o piping connections

'between the two safety areas. Cabling penetrations through the fire barrier between the two safet.f areas are limited to the multiplexed, fiber-optic data links between the integrated protection and engineered safety features actuation cabinets of the IPS.

-JULY 14th MTG. (SP/90) 10 JU' Y 1989 9077e:1d

~

N . ,' WESTINGHOUSE CLASS 3' o

qq , .

s Sl .. . . .

Each redundant. safety area'is further subdivided by-fire barriers; the. I rating 'of .these fire barriers will bedeterminedasthebasisofS

~

Fire Hazard Analysis.to be' performed during the detailed design phase.

, All of'the equipment located in the redundant safety areas' can clearly y<

be . identified .with ' redundant divisions of safety related systems and can, therefore, be clearly separated. However, there is also safety rel*+ed equipment- located 'outside containment which cannot be' 1; . separated by three hour' fire barriers, either because that would conflict with other requirements (i.e. the main control room) or because the equipment is not division oriented (i.e. the safety class portions of the main steam and feedwater lines located in the main

~'

steam tunnel)~.

The main control room -(MCR) -is an area where by its nature and intended use, multiple, redundant Class IE circuits 'and functions must exist within close proximity to one another. The approach used to deal with fires in other parts of the plant, mainly fire barriers and/or separation by distance, is not practical sin'ce' to' do so. would inhibit the functionality. of the MCR. Other methods must be adopted-which, as in other design.creas, utilize defense-in-depth principles.

They 'also rely- in part on the important feature that the MCR is

. continuously. staffed. The following discussion addresses the RESAR SP/90 approach on three levels: prevention, detection, and mitigation.

The probability of a fire is reduced through a variety'of methods:

o Low level voltage on the switches (24V DC typically) reduces the opportunities for fire to be initiated due to the inherently low power levels available in the cabling.

{

, o Multiplexing significantly reduces the number of cables entering and leaving the MCR, thus reducing the number of. sites for initiation.

1 L

l ,

JULY:14th MTG (SP/90) 9077e:1d 11 JULY 1989-

)

l-

WESTINGHOUSE CLASS 3

'o' Moreover, cables carrying multiplexed signals use even lower signal voltages and carry miniscule power.

o Materials used in construction of the panels are inhdrently fire retardant. This includes the structures (steel), the surface coatings (fire retardant paint) and the cabling (fire retardant cabling).

These features collectively reduce the likelihood of fire initiation-and spreading. beyond the local area should one start. In the event of ,

a fire, rapid detection is likely because of the following:

o' Plant operating personnel is continually inhabiting and observing the MCR.

o Smoke detectors are installed, both inside the various panels and in the general room area.

Mitigation of the effects of a fire is handled in several ways:

o Physical separation and/or fireproof barriers, in accordance with the requirements of Regulatory Guide 1.75, are incorporated in the panels with the objective of limiting the fire to one separation group.

o Portable fire extinguishers are included in the MCR.

o A firewater hose station is located directly outside the MCR.

o Breathing apparatus is provided in the MCR.

Because of the features described above, the probability of a major j fire in the MCR is low. Nevertheless, the occurrence of such a fire with attendant MCR evacuation is postulated. For that purpose two emergency panel rooms are provided for in the SP/90 design. Each of '

i

. JULY 14th MTG. (SP/90) 12 JULY 1989 9077e:1d  ;

i - , WESTINGHOUSE CLASS 3 c;. 9 ,

these two emergency panel rooms is located in one of the redundant

, . safety related areas and provides the capability to bring the reactor to cold shutdown. For that purpose, the emergency panel rooms include

. indication of vital parameters and control of components required for 1 old shutdown. l The safety class portions of the main steam and feedwater systems are  ;

not division oriented and~ are therefore not located in-the redundant safety area; instead they are located in the main steam and feedwater j tunnel (MST), which is situated between the two safety areas. 'The MST l

constitutes a single' fire area which is separated by three-hour . fire j barriers from the two safety areas; it is also provided with a i separate and dedicated ventilation system. Within the MST, separation  !

~

of' redundant shutdown equipment, including as ociated cables, will be ')

designed to ensure, to the extent practical, that one shutdown  ;

division' will remain free of fire damage even though safe shutdown l equipment in the MST is backed up by equipment located in other fire l areas.

The components located 'in the MST are shown on RESAR-SP/90 PDA Module-6 and 8, " Secondary Side Safeguards System / Steam and Power Conversion j System," Figure 10.3-1 (4 Sheets). The probability of fire initiation ,

fs low because of the absence of combustible materials and because of  !

the small amount of cables in this area; furthermore, the majority of

. the cables normally do not carry voltage (valves in the MST need to be l l- energized to change position).  !

l Active components in the MST that could be used to effect safe l shutdown are:

1. The _startup feedwater . control valves (1-FCV-1905 through 1-FCV-1908) which control the flow of startup feedwater to the steam generators. i i

JULY 14th MTG. (SP/90) 13 JULY 1989 9077e:Id

- - _. - _ - - _ _ _ = __ _ _ _ _ _ _ . - - - .__ - - - .

WESTINGHOUSE CLASS 3

, t ,

h :2. The main; steam power operated relief valves-(1-PCV-1964 through L- 1-PCV-1967) which are used to dump steam to atmosphere in case the main condenser is unavailable, i

.In case a postulated fire in the MST were to disable these valves, the following equipment located in other fire areas would be available to perform a similar. function and to achieve safe shutdown:

1. The emergency feedwater system described in RESAR-SP/90 PDA Module 6 'and .8, " Secondary Side Safeguards System / Steam and Power Conversion System," Subsection 10.1.1.11.
2. As stated above, steam' relief would normally be to the main condenser. In the extremely unlikely event of a fire in the MST, disabling the main steam power operated relief valves coincident L with the main condenser being unavailable, the steam generator overfill protection valves (1-9783A through 1-97830 and 1-9784A through 1-9784D) inside containment would be available to effect steam relief from the steam generators.

In summary, equipment located in the MST that could be used as one means.for. achieving safe shutdown is backed up by equipment located outside' the MST such that a fire in the MST will not prevent the operators from bringing the plant to a cold shutdown condition.

I

' JULY 14th MTG. (SP/90) 14 JULY 1989 9077e:Id

__ ___-___ _-_--__-__ O

WESTINGHOUSE CLASS 3

. Issue A-9: Anticipated Transients Without Scram Discussion Nuclear plants have safety and control systems to limit the consequences of temporary abnormal operating conditions or " anticipated transients". Some deviations from normal operating conditions may be minor; others, occurring less frequently, may impose significant demands on plant equipment. In some anticipated transients, rapidly shutting down the nuclear reaction (initiating a " scram *), and thus rapidly reducing the generation of heat in the reactor core, ,i s an important safety measure. A potentially severe " anticipated transient" where the reactor shutdown system does not " scram" as desired, is an " anticipated transient without scram", or ATWS. The technical report on ATWS for water-cooled reactors (WASH-1270) discussed the probability of an

~

ATWS event as well as an appropriate safety objective for the event. After several years of discussions with vendors and evaluations of vendor models and analyses, the staff published in 1975 a status report on each vendor analysis. This report included detailed guidelines on analysis models and ATWS safety objectives. This item was originally identified in NUREG-0371 and was later determined to be a USI.

The staff's technical findings on the issue were published in Volume 4 of NUREG-0460. The USI was RESOLVED on June 26, 1984 with the publication of a final rule, Federal Register, Vol. 49, No.124, pp. 26036-26045, "10 CFR Part 50, Reduction of Risk from Anticipated Transients Without Scram (ATWS) Events for Light-Water-Cooled Nuclear Power Plants."

The requirements as shown below apply to all commercial light-water cooled nuclear power plants.

1. Each pressurized water reactor must have equipment from sensor output to final actuation device, that is diverse from the reactor trip system, to automatically initiate the auxiliary (or emergency) feedwater system and initiate a turbine trip under conditions JULY 14th HTG. (SP/90) 15 JULY 1989 9077e:1d

WESTINGHOUSE CLASS 3 indicative of an ATWS. This equipment must be designed to perform its function in a reliable manner to be independent (from sensor output to the final actuation device) from the existing reactor trip system.

2. Each pressurized water reactor manufactured by Combustion Engineering or by Babcock and Wilcox must have a diverse scram system from the sensor output to interruption of power to the control rods. This scram system must be designed to perform its function in a reliable I manner and be independent from the existing reactor trip system (from sensor output to interruption of power to the control rods).

l l

l

3. Each boiling water reactor must have an alternate rod injection (ARI) system that is diverse (from the reactor trip system) from sensor output to the final actuation device. The ARI system must have redundant scram air header exhaust valves. The ARI must be designed to perform its function in a reliable manner and be independent (from the existing reactor trip system) from sensor output to the final actuation device.

l l

l 4. Each boiling water reactor must have a standby liquid control system (SLCS) with a minimum flow capacity and boron content equivalent in l control capacity to 86 gpm of a 13 percent sodium pentaborate solution. The SLCS and its injection location must be designed to perform its function in a reliable manner. The SLCS initiation must be automatic and must be designed to perform its function in a reliable manner for plants granted a construction permit after July 28, 1984, and for plants granted a construction permit prior to July 28, 1984, that have already been designed and built to include this feature.

5. Each boiling water reactor must have equipment to trip the reactor coolant recirculating pumps automatically under conditions indicative of an ATWS. This equipment must be designed to perform its function l in a reliable manner.

l__

1 JULY 14th MTG (SP/90) 16 J1'LY 1989

, .9077e:Id 1

__ ____________ - _ - J

. . WESTINGHOUSE CLASS 3 i .

SP/90 Response The SP/90 plant includes the following design features related to ATWS.

o The design of the integrated protection system (IPS) is highly reliable. The IPS is based on two-out-of-four logic throughout and features continuous on-line testing. The system contains " fail-safe" features to the extent practical, i.e., it is designed to generate a reactor trip signal when failures occur.

o The reactor trip switchgear consists of eight circuit breakers arranged in a two-out-of-four matrix and located in two separate cabinets. The trip is implemented by undervoltage trip attachments and shunt trip devices on the circuit breakers. To generate a trip, power is interrupted to the undervoltage trip attachment, and the shunt trip attachment is energized. Either device will trip the breaker. The eight breaker configuration permits testing of the reactor trip breakers without the use of auxiliary bypass breakers, o The reactor trip switchgear can be actuated manually from the main control board via reactor trip switches hard wired to the shunt trip and undervoltage coils on each circuit breaker. In addition, it is possible to trip from the main control board the motor generator sets that provide power for control rod operation.

(

o The moderator temperature coefficient (MTC) is significantly more negative than in the case of current plants, t3pically by a factor of three to four.

o ATWS considerations will be factored into the design of the pressurizer safety and relief valves during the detailed design phase.

i o An ATWS mitigating system is included in the SP/90 design to generate l turbine trip and emergency feedwater start signals independent (including sensors) from the IPS.

1 JULY 14th MTG. (SP/90) 17 JULY 1989 i 9077e:Id

. _ =

a .

o Detailed analyses of-limiting ATWS transients will'be performed at the FDA stage to demonstrate that ATWS acceptance criteria are met. l

.RESAR-SP/90 PDA Module 16 "Probabilistic Safety Study," includes a-probabilistic analysis of ATWS sequences. The core melt frequency j contribution from this event has been calculated to be 5.5 E-08 per year.

-Recently Westinghouse has completed a number of -ATWS- analyses for current plants. A review of this effort has indicated that the SP/90 analysis include a non-conservative assumption in that common mode failure of the rods to enter ,

the core because of mechanical problems was not assumed. The probability of-

-this.conmon mode failure has been evaluated as 1.0 E-6 per demand. Applying this value to the SP/90 ATWS analysis would have the effect of increasing the I core melt frequency for this event by a factor of 3.3.

On the other hand, the SP/90 analysis contains several conservatism:

o The assumed number of transients (10 per year) is much higher than the SP/90 design goal of 1 per year, and is well above current operating experience. Moreover, no credit was taken for the fact that some of  !

the transients are initiated as a result of reactor trip.  !

o No credit was taken for the startup feedwater-system; this system is automatically started by the integrated control system on loss of main  !

feedwater, which is typically the limiting ATWS event.  !

When all of the above factors are considered, it is expected that the core melt frequency due to ATWS will be less than 1.0 E-7 per year for the SP/90 plant. In addition, it should be noted that the probability of a severe release following an ATWS induced core melt is very low, such that this event has negligible impact on public risk.

Based on the above discussion, Westinghouse is of the opinion that the SP/90 i

design adequately addresses ATWS issues and that no additional hardware design  !

-" features are required.  !

JULY 14th MTG (SP/90) 18 JULY 1989 i 9077e:1d 1

i

WEST!NGHOUSE CLASS 3 Issue A-44: Station Blackout Discussion The complete loss of AC electrical power to the essential and nonessential l l

switchgear buses in a nuclear power plant is referred to as a " Station i Blackout." Because many safety systems required for reactor core decay heat removal are dependent on AC power, the consequences of a station blackout could be a severe core damage accident. The technical issue involves the likelihood and duration of the loss of all AC power and the potential for severe core damage after a loss of all AC power.

The issue of station blackout arose because of the historical experience

~

regarding the reliability of AC power supplies. There had been numerous reports of emergency diesel generators failing to start and run in operating plants. In addition, a number of operating plants experienced a total loss of offsite electrical power. In almost every one of these loss of offsite power events, the onsite emergency AC power supplies were available to supply the power needed by vital safety equipment. However, in some instances, one of the redundant emergency power supplies had been available. In a few cases, there was a complete loss of AC power, but during these events AC power was restored in a short time without any serious consequences.

The results of WASH-1400 showed that, for one of the two plants evaluated, a

_ station blackout accident could be an important contributor to the total risk from nuclear power plant accidents. Although this total risk was found to be small, the relative importance of station blackout accidents wat established.

This finding and the concern for diesel generator reliability based on operating experience raised station blackout to a USI in the 1979 NRC Annual Report. A detailed action plan for resolving this issue was published in NUREG-0649, Revision 1.

The final evaluation of station blackout accidents at nuclear power plants was performed by the staff and published in NUREG-1032. In resolving this issue, the staff performed a regulatory enelysis which was documented in NUREG-1109.

JULY 14th MTG. (SP/90) 19 JULY 1989 9077e:Id

4 -

WESTINGHOUSE CLASS 3 In June 1989, this USI was resolved with the publication of a new rule (53 FR 23203) and Regulatory Guide 1.155. Thus, this issue was RESOLVED and new requirements were established.

SP/90 Response 1

The SP/90 design includes the following design features specifically aimed at i

mitigating the consequences of a station blackout. 1 o The emergency feedwater system (EFWS) includes two turbine-driven l L emergency feedwater pumps. These pumps are independent of AC and DC, I

-. and the rooms they are located in are cooled in a passive manner. j Only one of two pumps is required for decay heat removal. j o The chemical and volume control system (CVCS) contains a backup seal injection pump. This pump takes suction from the spent fuel pit and is powered from a small (~100 kW) diesel generator which is independent of off site and on-site AC power supplies. The diesel generator and pump are started automatically on loss of normal seal injection.

o The Class IE batteries are sized for four hours of operation under blackout ecnditions. This assumes normal operation for 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> and selective load shedding by the operators thereafter.

o Permanently installed connections are provided between the power source of the backup seal injection pump and the Class IE batteries.

This will allow the operators to recharge the batteries in order to maintain vital functions such as monitoring of RCS and SG parameters and emergency lighting.

o Emergency response guidelines will be developed as part of the FDA application to ensure correct operator action during station blackout. These will cover the operation of the above equipnent, as well as any other equipment that may be useful in a station blackout condition.

JULY 14th MTG. (SP/90) 20 JULY 1989 9077e:1d

WESTINGHOUSE CLASS 3 These features allow the plant to be maintained at hot standby conditions for approximately 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />. At that time, additional water supplies need to be provided in order to allow continued operation of the emergency feedwater and backup seal injection pumps.

Westinghouse believes that the SP/90 design exceeds the requirements of the final rule 10 CFR50.63 and Regulatory Guide 1.155, and that therefore the Station Blackout Issue should be resolved for this plant.

JULY 14th MTG. (SP/90) 21 JULY 1989 0077e:Id

a .

-WESTINGH0'SE J CLASS 3 m

-Issue 105: l Interfacing Systems LOCA at LWRs Discussion This issue concerns the suitability of leak test and operability test requirements for valves that isolate the low pressure systems that -are connected to-the RCS and outside the containment.

This issue was originally limited to pressure isolation valve testing concerns on BWRs. Recent BWR operating experience indicates that the isolation valves between the RCS and low pressure interfacing systems (including related test

-and maintenance requirements) may not adequately protect against everpressuri-zation of low pressure systems. There have been three reported failures of the boundary between the RCS and low pressure injection systems. Two of the events were the result of maintenance errors which lef t the testable isolation check valve in.the'open position. The third was the result of personnel errors (improper combination of surveillance tests) and a stuck open failure of an: isolation check valve. In all three of these cases, there was a degradation of the pressure isolation valves due to personnel errors. None of these plants was required to leak test pressure isolatior, valves.

Overpressurization of low pressure piping systems due to RCS boundary isolation failure could result in rupture of the low pressure piping. This,

'if combined with failures in the ECI and/or the DHR systems, would result in a core-melt accident with an energetic release outside the containment building causing significant offsite radiation release.

Generic Safety Issue 105 has since been expanded to include concerns with interfacing LOCAs on PWRs. This issue will be resolved with the pressure isolation valve portion of Generic Safety Issue II.E.6.1, Test Adequacy Study.

SP/90 Response i

The principal contribution to core melt frequency from interfacing systems LOCA originates from the four residual heat removal (RHR) suction lines of the integrated safeguards system (ISS). An initiating frequency of 1.0E-6 per JULY 14th MTG. (SP/90) 22 OULY 1989 9077e:Id i J

WEST 1NGHOUSE CLASS 3'

~

year was established in RESAR-SP/90 PDA Module 16 "Probabilistic Safety Study"'

for this event. These. lines connect the RCS hot legs to the RHR pumps suction j and therefore_' penetrate the containment boundary; the low pressure portions of J

.these lines are norma 11,v isolated from the RCS by two closed motor operated valves' in series. In an-interfacing systems LOCA scenario ~ it is postulated that either one valve is inadvertently left open and that the other one fails, or that. both valves fail while the RCS is pressurized, causing failure of the piping outside containment.

The SP/90 design includes the followir.g features not normally provided in current plants specifica11y' aimed at reducing the probability of this scenario.

(i) The RHR. isolation valves have been included in the system.provided to allow leak testing of the valves in the lines connected 'to the RCS during plant startup (Figure 1). Thus, the probability of one of these valves not being fully closed has essentially been eliminated.

(ii) The design pressure of all RHR piping downstream of the RHR isolation valves (including RHR pump casings) has been increased such that no gross failure would occur even when exposed to full RCS operating pressure.

(iii) The RHR piping downstream of the RHR isolation valves is normally

, _ in open connection with the EWST such that any leakage through these valves is normally directed back into containment (Figure 2).

(iv) Failure of the RHR pump seal could still be postulated; however, the four separated rooms containing the four subsystems of the ISS have been designed for minimum volume such that when the water levels in the EWST and in the pump room are equal, there remains sufficient inventory in the EWhi to ensure continued core cooling with the unaffected ISS subsystems (Figure 3).

JULY 14th MTG. (SP/90) 23 JULY 1989 9077e:1d

WESTINGHOUSE CLASS 3 F

These features combine to significantly reduce the probability of a core melt i in case of leakage from or failure of the RHR isolation valves, which has been  !

shown to be the most probable interfacing system LOCA sequence.

The next most probable interfacing system LOCA scenario associated with the ISS results from the high head safety injection (HHSI) paths (Figure 4).

Failure of the three check valves in series is expected to occur with a frequency of 2.0E-9 per year as derived in RESAR-SP/90 PDA Module 16 "Probabilistic Safety Study". Small or even moderate leakage through these valves would have no effect, since they would be vented back to the EWST.

Gross failure of the valves may result in overpressurization of the HHSI pump suction piping, although it should be noted that the injection lines contain flow limiting orifices (for HHSI pump runout protection) which would tend to limit suction piping pressures; more detailed analysis in this respect will be

'~

performed at the FDA stage when specific piping layout information will be available. Finally, it should be noted that the HHSI injection lines contain remotely operated valves that could be used to terminate the LOCA, and that the layout is such that even with a LOCA outside containment, the EWST would not drain completely (see item (iv) above). It can therefore be concluded that even in case of an interfacing system LOCA via the HHSI injection lines, there is reasonable probability that a core melt would not occur.

Other interfacing systems LOCA scenarios in the ISS involve normally closed motor-operated valves and are even less likely to occur than those described

_ above.

Outside the ISS, there are other low pressure systems which are connected to the RCS. A brief description of these connections is provided below.

o RCS drain and vent connections, and the ISS emergency letdown lines are previded with redundant closed isolation valves. Since these lines do not penetrate the containment, the failure of both isolation valves would not only be a low probability event, but would not result in an "intersystem LOCA."

JULY 14th MTG. (SP/90) 24 JULY 1989 9077e:Id

WESTINGHOUSE CLASS 3 o ' Sampling system lines both penetrate- the containment and may' be open during' . normal operation. These piping connections are provided with a 3/8-inch flow restrictor such that failure would not require safety system actuation. These lines contain redundant and automatic containment isolation valves.

o The CVCS letdown line is normally open during plant operation. .This line contains . redundant- valves ~(normally open) which will.

automatically close- on low pressurizer level, and redundant and automatic containment isolation valves.

o- -The CVCS alternate letdown line contains redundant, normally closed' isolation valves, redundant' and automatic containment isolation

~

valves, an operator controlled. throttle valve and a temperature sensor.

o The 'CVCS charging line contains multiple check valves and redundant isolation valves.

All piping connections up to and including their isolation valves are designed for full RCS pressure and. temperature conditions.

i I

lVLY'14th MTG. (SP/90) 25 JULY 1989 9077e:1d

WEST!NGHOUSE CLASS 3 IWB OMB 1

I OPE N PERWISSIVE g DN LO RC5 PRESSURE

, , ,--INOTE 81 g i I 8 15 -2501-R

\ L up ___.

, R C DT

-I c.....

-h N OTE 2 RCDT g 160EE96 5H. t *

<RC5 H.L. LOOP LOC.C-4 / [ A \N \

g.9000A 1*900iA 8-GW8BFNO ,

8-GW88FND 8 2501 R NOTE 5 ( 3 g ( NOT 5 3/4 15-2501 R m /N -

V 155 TEST HDR 155 T E ST HDR Z

- I 1554E 46 5H. 6 L OC. T-4 1554E 46 5H. 6 L OC . E-4

3) C78 I i \ 3/4 25DI R g

4-IS 250l-R I

Figure 1. RHR Isolation Valves Leak Testing Capability JULY 14th MTG. (SP/90) 26 JULY 1989 9077e:Id

r

. . WESTINGHOUSE CLASS 3 l

l I

Dite : EstC CCVS I

TD CDWTADMENT -

SPRAY HEA KR d y "'

j l I nHR/C3 I o sea-rmv Nx to nHe y 5-McAr excw w.tR a

I am/cs rune 4 l rn:m ecs -

- 11

,7 g, tvsT Figure 2. RHR Suction Arrangement JULY 14th MTG. (SP/90) 27 JULY 1989 9077e:1d

1 9

8 9

1 Y

L U

J T t s N n _

t E t

E s MY e _

_ T V to NR m _

N E uo I A e g

E L cl AD _

M F TN n T R M NU a

- R A

P E

T A

tT t N uE OO CB A

r r

9 9

- M O

C P

W L

A M

tT tR yA M

[ t n

e

\

O O O R Lw t

e t m

L N 'Rc r E a ts p

- As m 3 vI o C

S u m A e L

C 3 C C Im L

a T..

t s

y E

S A _

P S 8

U O

H F M U d s

r 2

G P a N " l u l f g i

9 e S f E

W v 9%

1 S

d t

a e

a 1 r O g

.M I e i MO EO t_ t I

n PR 3

e r

u g

i F

)

0 9

/

P .

S _

( _

G -

T M

h td 41 1 :

e Y7 L7 U0 J9

I  !  !

' . r 9

8 9

- 1 Y

L U

J i

J P)

M

, U4 P F IO S 1 H

H(

t n

9 e m

e g

n a

r

%i r

A C g

$ R n O i p

$ II iI

$ - i A C

- P L RI C - n o

E S

U a T

- I i

t c

9 2

O -

j e

H -

G -

n N -

I I

T )

y S X4 t

E S H T e W V F -

S f a

V N RO _

C -

S C H -

E P1 ( -

l

- 4.

_ e

_ r u

-_ g i

- F r

a )

0 9

/

P S

(

= .

G T

M Tac C

E Rs I

h td 41 Da 1 :

e Y7 L7 U0 J9 1 l ,

Retrieved from "https://kanterella.com/w/index.php?title=NRC-89-3448,_Forwards_Westinghouse_SP/90_Position_on_Selected_Severe_Accident_Issues_to_Be_Discussed_During_890714_Meeting_W/Nrc_in_Rockville,Md.Issue_Topics_Include_Fire_Protection,_Intersys_Loca,Midloop_Operation_%26_ATWS&oldid=3259934"