NSD-NRC-96-4803, Forwards Responses to NRC RAIs on AP600 Design Certification Program

ML20117E740
Person / Time
Site: 05200003
Issue date: 08/26/1996
From: Mcintyre B
WESTINGHOUSE ELECTRIC COMPANY, DIV OF CBS CORP.
To: Quay T
NRC OFFICE OF INFORMATION RESOURCES MANAGEMENT (IRM)
References
NSD-NRC-96-4803, NUDOCS 9609030055
Download: ML20117E740 (35)


Text


Westinghouse Electric Corporation
Energy Systems
Box 355
Pittsburgh, Pennsylvania 15230-0355

NSD-NRC-96-4803
DCP/NRC0587
Docket No. STN-52-003

August 26, 1996

Document Control Desk
U.S. Nuclear Regulatory Commission
Washington, D.C. 20555

ATTENTION: T.R. QUAY

SUBJECT: WESTINGHOUSE RESPONSE TO NRC REQUEST FOR ADDITIONAL INFORMATION ON THE AP600

Dear Mr. Quay:

Enclosed are Westinghouse responses to NRC requests for additional information (RAIs) on the AP600 Design Certification program. Enclosure 1 contains responses to 12 DSER open items and 7 follow-on questions pertaining to the AP600 Probabilistic Risk Assessment. The DSER open items include 19.1.3.2-2 through 19.1.3.2-13. Specific topics covered by the RAIs include internal fire analysis, shutdown PRA, and human reliability modeling.

These responses close, from a Westinghouse perspective, the addressed questions and open items.

The NRC technical staff should review these responses.

A listing of the NRC requests for additional information responded to in this letter is contained in Attachment A.

Please contact Cynthia L. Haag on (412) 374-4277 if you have any questions concerning this transmittal.

Brian A. McIntyre, Manager
Advanced Plant Safety and Licensing

Enclosure 1

cc:

J. Sebrosky, NRC (1 copy of enclosure)

N. Liparulo, Westinghouse (w/o enclosure)


Enclosure 1 to Westinghouse Letter NSD-NRC-96-4803, August 26, 1996

NRC DSER OPEN ITEM

DSER Open Item 19.1.3.2-2 (#1426)

Westinghouse should provide specific references to SSAR information used in the fire PRA.

Response

PRA Chapter 57, Internal Fire Analysis, includes specific reference to SSAR Appendix 9A, the SSAR fire area drawings, and SSAR fire analysis assumptions and safety-related equipment impacts which were used in the internal fire analysis.

Westinghouse

NRC DSER OPEN ITEM

DSER Open Item 19.1.3.2-3 (#1427)

Westinghouse should provide information on fire areas and fire zones considered in the PRA.

Response

Definitions of fire areas and fire compartments as used in the PRA internal fire analysis are included in 7A of PRA Chapter 57. Fire areas analyzed for the internal fire analysis correspond to the fire areas defined in the SSAR, Appendix 9A (revision 1), except that the Radwaste Building was analyzed as a single fire area in the internal fire analysis.

NRC DSER OPEN ITEM

DSER Open Item 19.1.3.2-4 (#1428)

Westinghouse should address the use of the 3-hour fire-rated barriers.

Response

The fire barrier ratings as used in the PRA internal fire analysis are as specified in the SSAR. Fire areas containing safety-related equipment and cabling are separated from one another and from other plant fire areas by 3-hour rated barriers. The remaining fire areas are sufficiently bounded by fire barriers that will withstand the fire hazards within the fire area and protect important equipment within the area from fires outside the area.

Consistent with the SSAR, fire ratings are consistent with the fire loading within the area, with appropriate fire resistance ratings for fire doors, dampers, penetration seals, and so forth. The only plant area for which it is assumed that propagation across "sub-areas" not completely surrounded by rated fire barriers will not automatically occur is inside containment. Inside containment (for which an internal fire analysis is not normally performed) the combustible loadings within the sub-areas are sufficiently low that propagation is unlikely.

NRC DSER OPEN ITEM

DSER Open Item 19.1.3.2-5 (#1429)

Westinghouse should quantitatively evaluate control room fires.

Response

Qualitative and quantitative evaluations of control room fires have been performed in the PRA internal fire analysis, for operation at power and at shutdown. Refer to PRA Chapter 57, sections 57.8.4 and 57.9.4.3.

NRC DSER OPEN ITEM

DSER Open Item 19.1.3.2-6 (#1430)

Westinghouse should assess the risk of a fire-induced loss of systems during shutdown conditions.

Response

The PRA internal fire analysis includes a quantitative evaluation of the potential core damage effects of fire-induced loss of systems during both safe shutdown and RCS-drain (mid-loop) conditions. Refer to PRA Section 57.9 for further information.

NRC DSER OPEN ITEM

DSER Open Item 19.1.3.2-7 (#1431)

Westinghouse should assess fire-induced opening of the ADS valves in the PRA.

Response

The PRA internal fire analysis includes a qualitative evaluation to identify scenarios in which fire-induced opening of ADS valves might occur as a result of hot shorts, and a quantitative evaluation of the impact of such openings on core damage frequency. This information is further discussed in PRA Chapter 57, specifically as assumption m in subsection 57.5.1 and assumption i in subsection 57.5.2.

NRC DSER OPEN ITEM

DSER Open Item 19.1.3.2-8 (#1432)

Westinghouse should evaluate lube oil fires in the PRA.

Response

Lube oil fire scenarios were not explicitly examined in the PRA internal fire analysis. However, fires in a fire area have been conservatively assumed to disable all equipment and cabling located in that area for the PRA internal fire analysis.

NRC DSER OPEN ITEM

DSER Open Item 19.1.3.2-9 (#1433)

Westinghouse should evaluate events involving fire-induced loss of offsite power in the PRA.

Response

The PRA internal fire analysis includes events involving fire-induced loss of offsite power. Refer to PRA Chapter 57 for more information on the fire analysis.

NRC DSER OPEN ITEM

DSER Open Item 19.1.3.2-10 (#1434)

Westinghouse should list all human actions that were credited in the fire analysis.

Response

The fire quantification generally credits the same set of in-control-room actions as modeled in the focused PRA. For some main control room scenarios, however, it was assumed that no operator actions would be possible. No recovery actions are modeled and no local operator actions are credited.

One new action is implied in some of the control room scenarios. This action, to transfer control to the remote shutdown panel, was not quantified; instead, scenarios were quantified assuming no credit for any operator actions, in order to bound the effect of failure to transfer control. For further information, refer to PRA Chapter 57, assumptions k and l in subsection 57.5.2.

NRC DSER OPEN ITEM

DSER Open Item 19.1.3.2-11 (#1435)

Westinghouse should identify the risk dominant fire minimal cutsets in the fire PRA.

Response

A listing of the top 200 cutsets from the at-power fire quantification is included as Table 57-12 of PRA Chapter 57.

NRC DSER OPEN ITEM

DSER Open Item 19.1.3.2-12 (#1436)

Westinghouse should identify the "focused PRA" results regarding fires.

Response

The PRA internal fire analysis has been quantified using the focused PRA models, modified to reflect fire-degraded equipment, for both power operation and shutdown conditions. The analysis results therefore reflect the focused PRA assumptions of no credit for nonsafety-related systems.

NRC DSER OPEN ITEM

DSER Open Item 19.1.3.2-13 (#1437)

Westinghouse should provide sensitivity and importance analyses in the fire PRA.

Response

Since the PRA internal fire analysis is a scoping analysis, performed with very conservative bounding assumptions, it is not appropriate to perform uncertainty, sensitivity, or importance analyses, which could produce biased "insights." These analyses were therefore not performed, since it is judged that they would be of little value in providing additional insights to determine whether fire vulnerabilities exist for beyond-design-basis fires.

This is consistent with the NRC's position concerning sensitivity, importance, and uncertainty analyses on fire PRAs for design certification of the evolutionary plant as stated in section 19.1.4.2 of NUREG-1462 and section 19.1.3.3.2.5 of NUREG-1503.

NRC REQUEST FOR ADDITIONAL INFORMATION

Question 720.280 (#69)

The staff does not accept fire barriers in a fire probabilistic risk assessment (PRA) that are not at least 3-hour rated barriers. For each fire area that is not completely surrounded by 3-hour rated barriers, the location should be analyzed as part of the surrounding fire area.

Response

The fire barrier ratings as used in the PRA internal fire analysis are as specified in the SSAR. Fire areas containing safety-related equipment and cabling are separated from one another and from other plant fire areas by 3-hour rated barriers. The remaining fire areas are sufficiently bounded by fire barriers that will withstand the fire hazards within the fire area and protect important equipment within the area from fires outside the area. Consistent with the SSAR, the definition requires fire ratings consistent with the fire loading within the area, with appropriate fire resistance ratings for fire doors, dampers, penetration seals, and so forth. The only plant area for which it is assumed that propagation across "sub-areas" not completely surrounded by rated fire barriers will not automatically occur is inside containment. Inside containment (for which an internal fire analysis is not normally performed) the combustible loadings within the sub-areas are sufficiently low that propagation is unlikely.

PRA Revision: NONE

NRC REQUEST FOR ADDITIONAL INFORMATION

Question 720.281 (#70)

Westinghouse should modify the fire risk assessment to treat the risk impact of breached fire barriers due to operator error or maintenance.

Response

The PRA internal fire analysis addresses fire barrier integrity, both qualitatively and quantitatively. For further information, refer to PRA Chapter 57, subsection 57.3.2.1.

PRA Revision: NONE

NRC REQUEST FOR ADDITIONAL INFORMATION

Question 720.282 (#71)

Westinghouse has discussed the electrical and spatial separation between the control room and the remote shutdown work station with the staff. However, the presence of a spatially and electrically separate remote shutdown station does not guarantee that the risk from control room fires is negligibly small. Westinghouse should modify the fire risk assessment as follows:

a. quantitatively evaluate control room fires (the dominant risk contributor in many fire PRAs). This assessment should include potential hardware, software failures, and human failures in transferring control to the remote shutdown work station.

b. provide the rationale for placing the switch (that transfers power to the remote shutdown workstation) in the remote shutdown workstation area rather than outside of the main control room separated by a fire barrier.

c. evaluate the risk impact of switch location (that transfers power to the remote shutdown workstation) with respect to potential fires in the remote shutdown workstation.

d. discuss and clarify whether pinch points exist in the rooms carrying cable between the control room and remote shutdown work station.

e. discuss and clarify whether pinch points exist in the remote shutdown work station room.

f. describe what equipment can be operated at the remote shutdown workstation.

g. evaluate the consequences of hot shorts in the control room for equipment that cannot be operated at the remote shutdown workstation.

h. Include the failure probability of the operator successfully transferring control to the remote shutdown workstation in Table D, "Summary of Human Error Probabilities."

Response

a. Control room fires have been quantitatively evaluated for power operation and shutdown, including the effects of failure to transfer to the remote shutdown workstation. For further information, refer to PRA Chapter 57, subsections 57.8 and 57.9.4.3.

b. The switches are located within a fire zone that is separate from the main control room. Refer to SSAR subsection 7.4.3.1.1 for more information on the transfer switches.

c. Fires in or around the remote shutdown workstation have no special risk significance because, for a fire in that location, the operators retain control from the main control room, and automatic actuation of safety-related equipment is not affected. The fire area in which the remote shutdown workstation is located was included in the qualitative screening evaluation. In the at-power analysis, it was assumed that a fire at the remote shutdown workstation causes loss of main control room capability, i.e., no credit was taken for operator actions for the at-power fire scenarios for area 1232AF01, which houses the remote shutdown workstation (see Table 57-8, sheet 4 of 7). For the shutdown cases, the operator action credit was not removed, but was noted to be sufficiently small such that the effect of crediting the actions does not significantly affect the results.

d. Complete separation of cables from the different safety-related divisions is maintained between the control room and the remote shutdown workstation, up to the workstation itself. For further information, refer to SSAR Appendix 9A, subsection 9A.3.1.2.5.2.

e. By design, cables from multiple safety-related divisions must come together in this room (1232AF01). In the PRA internal fire analysis, scenarios modeled for this area include fire-induced hot-short ADS actuation with no credit for any operator actions. The results show that this area is not a dominant contributor to fire-induced core damage frequency at power or during shutdown.

f. A discussion of the remote shutdown workstation capabilities is provided in SSAR subsection 7.4.4 and Appendix 9A.

g. A comprehensive evaluation of control room fires and consequences has been conducted for the PRA internal fire analysis and is provided in PRA subsection 57.8.2. All safety-related equipment required for safe shutdown can be controlled from the remote shutdown workstation.

h. A detailed evaluation of this human action was not performed, and a failure probability was not calculated. In order to bound and simulate the impact of this failure, the quantification includes several control room fire scenarios in which no credit is taken for any operator action. Therefore, the impact of this potential failure has been addressed in the analysis, and the impact has been shown to be insignificant.

PRA Revision: NONE

NRC REQUEST FOR ADDITIONAL INFORMATION

Question 720.283 (#72)

The staff does not accept spatial separation of locations / zones (without intervening 3-hour rated barriers) to dismiss potential fire propagation scenarios. Therefore, Westinghouse should analyze and report fire propagation scenarios between the feedwater and component cooling water pump areas. Westinghouse should also analyze and report fire propagation between the service water pumps in the updated PRA.

Response

The impact of fire propagation between the types of areas noted (i.e., areas containing only nonsafety-related equipment) has been bounded in the PRA internal fire analysis quantification through the use of the focused PRA models, which include no credit for nonsafety-related equipment. The only plant area for which it is assumed that propagation across "sub-areas" not completely surrounded by rated fire barriers will not automatically occur is inside containment. Inside containment (for which a PRA internal fire analysis is not normally performed) the combustible loadings within the sub-areas are sufficiently low that propagation is unlikely.

PRA Revision: NONE

NRC REQUEST FOR ADDITIONAL INFORMATION

Question 720.284 (#73)

At the August 10, 1994, meeting, Westinghouse agreed to re-evaluate fire-induced loss of offsite power events.

Westinghouse should include this evaluation in the updated PRA.

Response

The PRA internal fire analysis includes events involving fire-induced loss of offsite power. Refer to PRA Chapter 57 for more information on the fire analysis.

PRA Revision: NONE

NRC REQUEST FOR ADDITIONAL INFORMATION

Revision 1

Re: PRA Human Reliability Analysis for Shutdown Operation

Question 720.302 (#2959)

Regarding DSER open item 19.1.3.3-1, Operator action, RHN-MANDIV, represents the likelihood that the operator would inadvertently drain reactor coolant into the IRWST through Normal RHR valve V-024. The probability of RHN-MANDIV was assigned a value of 1E-5 in Chapter 30 of the PRA. The corresponding task analysis for RHN-MANDIV evaluated the likelihood that the operator selects the wrong control to align Normal RHR and fails to close the diversion path. This probability was then used as a frequency (1E-5 per year) in the shutdown PRA to represent the frequency of overdraining the Normal RHR system through inadvertent opening of V-024. This frequency is very low and suggests that a pipe rupture of Normal RHR is more likely than an inadvertent draindown event.

a. Please search for other potential reactor coolant drain down paths that the operator could create, considering that the reactor coolant system may be pressurized (i.e. during hot shutdown) and document this search in the shutdown PRA.

b. The task analyses for RHN-MANDIV only evaluates the likelihood of the operator selecting the wrong control (V-024) to align Normal RHR. The staff believes that other conditions could create an opportunity to create this drain path (i.e., valve testing, etc.). Please use operating experience to obtain a frequency of inadvertent drain down events or justify in the shutdown PRA why operating experience is not applicable.

c. Please explain why the failure probability of RHN-MANDIV is used, also, as the frequency of overdraining the NRHR system.

d. Same time windows are used in the task analysis of event RHN-MANDIV for both pressurized (i.e., hot shutdown) and non-pressurized (i.e., cold shutdown) conditions. A draindown event when the RCS is pressurized would drain the RCS faster than an event with the RCS non-pressurized. This may require separate analysis of same scenario for hot and cold shutdown conditions, respectively. In addition, please provide the following details in the shutdown PRA for each potential drain path:

i) Define in the shutdown PRA what the term "time window" means for each scenario (time to core damage, time to core uncovery, etc.).

ii) Define in the shutdown PRA what the term "actual time" means for each scenario.

iii) Develop time windows considering both pressurized and non-pressurized conditions.

Response

a & b

The reactor coolant system and connected systems or interfaces are evaluated to identify all potential reactor coolant drain paths that could be created by the operators during shutdown. The evaluation considers the various shutdown modes and configurations and takes into account the possibility that the RCS could be pressurized or depressurized. The evaluation considers whether or not there are planned operations associated with each potential drain path, and determines if the drain path could cause overdraining of the RCS. Overdraining is defined as draining the RCS to a level below the minimum level necessary for continued normal residual heat removal system operation. If a drain path does not drain the RCS below this level, it is concluded that it could not overdrain the RCS.

RCS draining can occur if the operators mistakenly open a normally closed valve in the reactor coolant system, or a valve in a connected system to the RCS. This could occur during shutdown modes, with the RCS pressurized or depressurized, where the consequences of such actions may not be immediately obvious to the operators.

The following systems or portions of systems were found to directly interface with the reactor coolant system, and could present potential drain paths from the reactor coolant system:

ADS valves
reactor vessel head vent valves
chemical and volume control system (purification loop and letdown line)
normal residual heat removal system
passive core cooling system
primary sampling system
manual drains

The evaluation of these interfaces as potential drain paths is provided in the paragraphs that follow:

ADS Valves

The first three stages of ADS valves are connected to the pressurizer and discharge to spargers located in the IRWST. These valves are manipulated by the operator during shutdown to perform in-service testing.

Interlocks are provided to prevent the inadvertent opening of two ADS valves in series that would cause an inadvertent ADS.

During shutdown modes, with the RCS pressurized, spurious or inadvertent opening of two ADS valves in series would cause a loss of RCS inventory. Therefore, spurious ADS is evaluated for shutdown as described in Section 54.2.4. In lower modes, with the RCS depressurized, spurious opening of these valves would not result in a loss of RCS inventory.


The fourth stage ADS valves are connected to the hot legs. The valves are squib valves, and no in-service testing of these valves is required. Opening of these valves with the RCS pressurized would result in a loss of RCS inventory similar to a medium or intermediate LOCA. During RCS depressurized conditions, opening of these valves would drain the RCS down to the elevation where the valves discharge (i.e. ~109').

This is above the hot legs, and would not cause an overdraining of the RCS.

Since there are no planned operations to stroke open the fourth stage ADS valves, and since the consequence of opening these valves is easily understandable and highly undesirable, manual inadvertent opening of these valves is not considered credible.

Reactor Vessel Head Vent Valves

The reactor vessel head vent valves are connected to the top of the reactor vessel head and discharge to the spargers in the IRWST. They may be opened during shutdown operations to vent the vessel head during draindown operations. Opening of these valves cannot cause overdraining of the RCS because the location of these valves and their discharge point are above the elevation of the RCS hot leg.

Chemical and Volume Control System

The normal drain path for the RCS is via the chemical and volume control system (CVS) letdown line which is connected to the CVS purification loop. This drain path is evaluated in Section 54.4.6. There are no other remotely-operated valves in the CVS purification loop that could cause overdraining of the RCS.

Small (1") manual valves are connected to the purification loop and they are discussed later under "manual valves".

Normal Residual Heat Removal System

During shutdown modes, the normal residual heat removal system (RNS) is connected to the RCS hot leg. Inadvertent operation of two remotely-operated valves could divert reactor coolant and drain the RCS. The RNS suction and discharge headers are connected to the IRWST and provide an IRWST recirculation loop that can be used to test the RNS pumps and to cool the contents of the IRWST. The RNS pump suction line to the IRWST contains a normally closed motor-operated valve (V023), while the RNS pump discharge line to the IRWST contains a normally closed motor-operated valve (V024). These valves are interlocked with the RNS valves connected to the RCS hot leg to preclude the operators from aligning the RNS to the RCS if these valves are open, thus preventing an inadvertent diversion of reactor coolant to the IRWST.

During RNS operation, inadvertent opening of V024 could cause the RCS to be overdrained. This is further evaluated in Section 54.4.5 and 54.5.10. However, inadvertent opening of V023 would not result in overdraining of the RCS. This line connects to the bottom of the IRWST, which is above the RCS loop piping. If the operator inadvertently opened this valve with the RCS depressurized, the IRWST would drain into the RCS via this line. If the RCS were pressurized, opening of V023 would depressurize the system, but the RNS pumps would continue to operate, taking suction from both the IRWST and / or the hot legs until the RCS was depressurized. Then the IRWST would drain into the RCS via this line as in the scenario above.


Passive Residual Heat Removal Heat Exchanger

The PRHR heat exchanger connects to the RCS via connections to a hot leg and a steam generator channel head. However, the elevation of the PRHR heat exchanger is above the RCS loops, and it therefore does not present a potential drain path for the RCS. No manual drains connected to the PRHR and piping are located below the RCS loop piping.

Core Makeup Tanks

The core makeup tanks are connected to the RCS via connections to the cold legs and the reactor vessel injection nozzles. However, the elevation of the core makeup tanks is above the RCS loops; therefore, they do not present a potential drain path for the RCS. No manual drains connected to the core makeup tanks and piping are located below the RCS loop piping.

Primary Sampling System

The primary sampling system connects to the top of the RCS hot legs. These lines are very small (0.25") and could not significantly drain the RCS during shutdown. Furthermore, since they connect to the top of the RCS hot legs, they cannot overdrain the RCS.

Manual Drains

The RCS, RNS and CVS contain manual 1" drain lines that, if opened, could provide a drain path for the RCS. These drains are discussed further.

Reactor Coolant Pump Flushing Connection

Flushing connections are provided on each reactor coolant pump. These connections consist of a manual valve and a blind flange. These connections are only used during RCS decontamination operations (once every 10-20 years) during which time the fuel is off-loaded. Therefore, these connections are not evaluated further.

Normal Residual Heat Removal System Test Valves and Equipment Drains

There are four 1" manual drain lines in the RNS that, if opened, could drain the RCS. These valves may be opened to perform maintenance on the RNS equipment, or to perform containment isolation valve leak tests. These operations are performed prior to RNS operation during shutdown. It is highly unlikely that these valves would be open prior to RNS initiation for cooldown because the operability of the RNS is tested (via connections to the IRWST) immediately prior to alignment to the RCS. During this checkout of the RNS, the operator would be able to detect significant leakage from the system to the auxiliary building sump, and would also recognize the mispositioning of the valves. Even in the highly unlikely event that the valve was left open and the system was aligned to the RCS, indication is provided to the operators to detect the pressurizer level decreasing. The CVS makeup pumps would operate to maintain pressurizer water level, and the operators are expected to isolate the RNS and perform a system checkout to verify all valves are correctly positioned.

Chemical and Volume Control System Drain Valves

There are 1" manual drain valves in the CVS purification loop that, if opened, could drain the RCS. These valves may be opened to perform maintenance on the CVS equipment, or to perform containment isolation valve leak tests. These operations are performed during mode 6, after the CVS purification is not required.

During these operations, the CVS must be isolated from the RCS, and therefore, these valves could not drain the RCS.

c.

The failure probability of RHN-MANDIV is used only in the frequency of overdraining the reactor coolant system. This statement is placed in Section 54.4.5 of the shutdown PRA.

Operator errors such as inadvertent actions, if determined to be risk significant from the PRA results, are further examined in the Human Factors Engineering process to ensure human factors / man-machine interface requirements are fully addressed to minimize or preclude such errors.

d(i)

The term "time window" is defined in the PRA as the time from which cues for a particular event are presented to the operating crew to the time when loss of the specific plant function is likely to occur if the task is not performed.

d(ii)

The term "actual time" is defined in the PRA as the average time that it is likely to take the operating crew to diagnose and execute the actions for a defined task. Similar to the "time window" definition, the actual time is defined from the time at which the cues are presented to the operating crew.

d(iii)

The operator actions used in the shutdown PRA are separated into the following three groups:

a) Most operator actions used in the shutdown PRA are also used in the at-power analysis. Those operator actions were calculated primarily for the at-power scenario; therefore, the time windows for such operator actions are judged to be conservative for both pressurized and non pressurized shutdown conditions.

b) Some operator actions are used only in non-pressurized conditions; therefore, the time windows for such operator actions are based on scenarios when the plant is depressurized.

c) Two operator actions, namely, RHN-MAN02 and RHN-MAN03, are used in the loss of offsite power event trees for both pressurized and non-pressurized shutdown conditions. Each of these actions has an estimated time window of 1 hour for pressurized condition, and 30 minutes for non-pressurized condition. The 2-hour time window currently assigned to these operator actions will be changed; this correction will be reflected in the next revision of the HRA.

PRA Revision: NONE

NRC REQUEST FOR ADDITIONAL INFORMATION

REVISION 2

Re: Shutdown PRA question from NRC letter dated December 22, 1995

Question 720.305 (#30')9)

In the shutdown PRA, many of the potential boron dilution initiating events are discussed and dropped as being not significant. However, since the shutdown core damage frequency is 5.5E-8 per year, the staff cannot conclude that these initiators have frequencies less than this value. Based on previous screening calculations and the Surry shutdown PRA, the staff requests Westinghouse to quantify the following boron dilution events identified in the AP600 PRA:

a. Chemical and Volume Control System (CVS) during safe shutdown using the DILUTE mode of operation.

b. CVS water injection and boron dilution during plant startup.

c. CVS water injection and boron dilution following a loss of offsite power event, with subsequent startup of the reactor coolant pumps.

d. Steam generator tube rupture event with transfer of water to and from the primary circuit.

Response

The AP600 shutdown PRA identified several potential events which could result in a dilution of the primary system boron concentration and possible power excursion concerns. These events included:

a. Chemical and Volume Control System operation during Safe Shutdown using the DILUTE mode of operation.

b. CVS water injection and boron dilution during plant startup.

c. CVS water injection and boron dilution following a loss of offsite power event, with subsequent startup of the reactor coolant pumps.

d. Steam generator tube rupture event with transfer of water to and from the primary circuit.

The first three events on the above list occur during low power or shutdown operation. During shutdown the control rods are inserted. If the operators are diluting the RCS boron concentration and the dilution rate exceeds the programmed rate, the operators will be notified of this problem by high flux alarms. The AP600 control system is designed to terminate the dilution event when the alarm setpoint is reached. If the automatic termination of dilution fails, the operators would have sufficient time to recognize the problem and manually terminate the dilution before any power excursion would occur.


During low power operations, the operators would be notified of boron dilution by the high flux alarms. The AP600 control system will insert the control rods and terminate the dilution event. Again, the operators would have sufficient time to recognize the problem and terminate the dilution event before any power excursion would occur.

Thus, there is not a significant risk of a power excursion due to boron dilution for the AP600. The automatic mitigation function and the long time available for the operators to respond to a failure of that function combine to prevent boron dilution from becoming a problem. Nonetheless, an evaluation of these dilution events follows, to provide a quantification of them.

The potential for boron dilution following the rupture of a steam generator tube is evaluated. In conventional PWRs, it has been postulated that dilute reactor coolant could collect in the crossover leg and cause a criticality problem if the associated reactor coolant pump were subsequently restarted. Since the AP600 does not contain a crossover leg, the amount of dilute water that could collect in the reactor coolant system is limited. Dilute water entering from the secondary side to the primary side would enter the cold leg and sufficiently mix prior to entering the core. The amount of water that could collect in the reactor coolant pump is limited. Evaluations have been performed to show that if the reactor coolant pump collected unborated water following a steam generator tube rupture, subsequent startup of that pump would not cause a boron dilution event.

To provide additional protection against the possibility of an unborated slug of water being directly injected to the core, the AP600 Emergency Response Guidelines instruct the operators to restart a reactor coolant pump in the opposite loop of a faulted steam generator during recovery from a tube rupture event. This operation will cause reverse flow in the faulted steam generator, thus mixing any unborated water in the steam generator, prior to it entering the core.

Based on the above considerations, boron dilution events following a steam generator tube rupture are not credible events for the AP600.

a. Chemical and Volume Control System Operation during Safe Shutdown using DILUTE Mode of Operation

As stated in the shutdown PRA, revision 6, Section 54, page 54-31, boron dilution resulting in reactor criticality is only a concern during the beginning of the fuel cycle, which represents a small fraction of the total cycle. However, it will be conservatively assumed that dilution is a concern throughout the fuel cycle. The frequency of the plant at safe shutdown conditions is 2.7/yr. While the plant is in safe shutdown, the CVS is in the DILUTE mode to counteract the buildup of Xenon.


The HOTSD simplified event tree was constructed to estimate the magnitude of possible boron dilution frequency during safe shutdown due to operation in the dilute mode. The initiating event would be the frequency that the reactor would be at safe shutdown conditions (2.47/yr). It was then postulated that the operator (OPF) fails to follow procedures to switch from the DILUTE to the AUTO mode during startup from safe shutdown. Startup is a routine, well-monitored phase with frequent checks; therefore, this is a non-stressed action with a typical failure probability of 1 x 10". If the operator fails to switch to the AUTO mode, the control system (AUTO) should stop the dilution on a high flux alarm. The failure probability of the control system is approximately 1 x 10. If the operator is successful in switching from the DILUTE mode, the valve (VAL3) might fail to operate and the system would remain in the DILUTE mode. The failure probability for such a valve is approximately 1 x 10-2. If the control system succeeds in trying to close the DWS valve, the valve (VALDW) might remain open; the failure probability for such a valve is approximately 1 x 10-8. If dilution occurs, then there should be a high flux alarm. The operator should respond to this alarm to correct the event. Normally, the operator should monitor and detect dilution well before the alarm occurs. The human error probability to respond to the appropriate alarm is estimated to be approximately 1 x 104, with a worst case value of 1 x 10'8. Finally, even if dilution were to occur, the reactor coolant pumps would continue to run, resulting in a slow dilution of the primary system which should be detectable and controllable. The failure of both reactor coolant pumps (common cause) would be approximately 1 x 16'8.

Reviewing the HOTSD event tree, only end states 4, 8 and 13 could result in rapid dilution of the core; the estimated frequencies of these end states are 2.47 x 10*, 2.47 x 10* and 2.47 x 10 respectively. Since the low power / shutdown core damage frequency (CDF) was calculated to be 4.72 x 10, end states 8 and 13 are sufficiently low that even significant uncertainties in their value should not affect the CDF. End state number 4 is approximately three orders of magnitude less than the CDF. However, if a worst case value for OPP above (1 x 10~') is assumed and another order of magnitude is allowed for uncertainties in the failure rates selected, the frequency of dilution (end state 4) could rise to 2.47 x 10. This would represent approximately 4557% of the CDF. Therefore, the dilution frequency during safe shutdown should not result in a significant increase in the CDF; it could result in a small increase of about 4557% for this worst case (very conservative) situation.

b. CVS Water Injection and Boron Dilution during Plant Startup

Another possible dilution scenario identified in the previous analysis was a dilution during startup due to the operator inadvertently setting the wrong demineralized water flow. Again, it is assumed that the fuel is at a condition where dilution would be a concern. Therefore, the frequency of startups is 2.7/year (the number of startups equals the number of shutdowns). The simplified STARE event tree was constructed to evaluate this dilution event. The first postulated event following the startup is the failure of the operator (OPP1) to follow startup procedures and set the proper flow. Again, this event is occurring during startup, which is a routine, well-monitored phase with frequent checks; therefore, this is a non-stressed action with a typical failure probability of 1 x 10. If the operator is successful in setting the proper flow, the valve (VAL4) might fail to operate; the failure probability for such a valve is approximately 1 x 10'. If the operator does not set the flow or the valve does not adjust as set, the dilution will begin. At this point a reactor trip (RTRIP) should occur on flux doubling. The control system reactor trip would have a failure probability of approximately 1 x 10. If the reactor trip succeeds, the demineralized water valve (DWSF) should close. The failure probability for this type of valve is estimated to be 1 x 10'8. If the reactor trip or the DWS valve fail, then the operator (OPP2) should respond to the flux doubling or trip alarm. The human error probability to respond to the appropriate alarm is estimated to be approximately 1 x 10, with a worst case value of 1 x 10~'.

In the STARE event tree, only end states 4, 6, 9 and 11 could result in dilution of the core. The estimated frequencies of these end states are 2.7 x 10*, 2.7 x 10*, 2.7 x 10-" and 2.7 x 10'" respectively. As shown previously, end states 4, 9, and 11 are significantly smaller than the shutdown core damage frequency (CDF), so their value should not affect the CDF. End states 4 and 6 are approximately two orders of magnitude less than the CDF. However, if a worst case value for OPP2 above (1 x 10) is assumed and another order of magnitude is allowed for uncertainties in the failure rates selected, the frequency of dilution (end states 4 and 6) could rise to 2.7 x 10'. This would represent approximately 567% of the CDF. Therefore, the dilution frequency during startup should not result in a significant increase in the CDF. If the worst case (most conservative) assumptions were taken, the CDF could increase by 567%; however, this new CDF is still very low.

c. CVS Water Injection and Boron Dilution following Loss of Offsite Power, with subsequent Startup of Reactor Coolant Pumps

Another possible dilution scenario identified in the previous analysis was a dilution due to CVS water injection and boron dilution following a loss of offsite power event, with subsequent startup of the reactor coolant pumps. Again, it is assumed that the fuel must be at a condition for dilution to be a concern. The frequency of LOSP is 8.13 x 10/year. The simplified LOSP event tree was constructed to evaluate this dilution event. Assuming a LOSP, the first postulated event is the failure of the automatic control system (AUTOF) to sense the LOSP and close the DWS valve, preventing dilution. The failure probability for such control systems is 1 x 10. If the control system is successful in closing the valve, the DWS valve (VALVF) may fail to close. The failure probability for such a valve is approximately 1 x 10.

If the control system fails to close the DWS valve or there is a failure of the DWS valve, the control system should also automatically align the Vil5 valve to the berate boric acid tank, thus preventing dilution. The failure probability of this type of valve is approximately 1 x 10-3. If the control system fails to close the valve or both of the valves fail to close, then the operator (OPFA1) should still follow proper procedures during CVS pump restart, and verify alignment to the berate boric acid tank prior to restart. This restart is a routine, well-monitored phase; therefore, this is a non-stressed action with a typical failure probability of 1 x 10 (worst case, 1 x 10-3). If the operator fails to properly align the berate boric acid tank at startup, the operator (OPFA2) would then have to respond to the flux doubling or high temperature alarm. As above, the operator should monitor and detect dilution well before the alarm occurs. The human error probability to respond to the appropriate alarm and take corrective action is estimated to be approximately 1 x 10", with a worst case independent value of 1 x 10, and a worst case conditional HEP of 0.5.

The LOSP event tree indicates only end states 5 and 9 could result in dilution of the core; applying the conditional HEP of 0.5, the estimated frequencies of these end states are 8434.07 x 10*3 and 8434.07 x 10* respectively. As above, these end states are significantly smaller than the shutdown core damage frequency (CDF), so their values should not significantly affect the shutdown / low power CDF.
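The three simplified event trees above (HOTSD, STARE and LOSP) are all quantified the same way: the initiating-event frequency is carried down each branch, multiplied by the failure probability of every top event that fails on that path, and the dilution end states are summed and compared with the shutdown CDF. The script below is an added illustration of that arithmetic for the HOTSD branch structure; it is not part of the Westinghouse response, and every failure probability, the initiating-event frequency and the CDF in it are constructed placeholders, since the scanned values are not legible.

```python
"""Event-tree quantification in the style of the HOTSD/STARE/LOSP trees above.
Added illustration, not part of the Westinghouse response: the branches follow
the HOTSD narrative (OPF, AUTO, VAL3, VALDW, OFP, RCPMF), but every number
below is a constructed placeholder, not a value from the PRA."""

# Constructed placeholder failure probabilities per demand (NOT the PRA's values).
P_FAIL = {
    "OPF":   1e-3,  # operator fails to switch DILUTE -> AUTO at startup
    "AUTO":  1e-3,  # control system fails to stop dilution on high flux
    "VAL3":  1e-2,  # dilution valve stays in DILUTE after the mode switch
    "VALDW": 1e-3,  # DWS valve fails to close when actuated
    "OFP":   1e-4,  # operator fails to respond to the high flux alarm
    "RCPMF": 1e-6,  # both RCPs fail (common cause): rapid instead of slow dilution
}
IE_PER_YEAR = 2.47      # placeholder: entries into safe shutdown per year
SHUTDOWN_CDF = 4.72e-7  # placeholder: low power / shutdown CDF per year


def dilution_sequences(p):
    """Enumerate the HOTSD paths on which dilution is not terminated.

    Dilution starts if the operator switches modes but VAL3 sticks, if the
    operator fails and AUTO fails, or if AUTO acts but VALDW stays open. Each
    start is then challenged by OFP; with the RCPs running the result is a slow
    dilution, with both RCPs failed (RCPMF) it is a rapid one. Returns
    (description, probability conditional on the initiating event, rapid).
    """
    starts = [
        ("OPF ok / VAL3 fails", (1 - p["OPF"]) * p["VAL3"]),
        ("OPF fails / AUTO fails", p["OPF"] * p["AUTO"]),
        ("OPF fails / AUTO ok / VALDW fails", p["OPF"] * (1 - p["AUTO"]) * p["VALDW"]),
    ]
    seqs = []
    for desc, q in starts:
        missed = q * p["OFP"]  # the operator also misses the alarm
        seqs.append((desc + " / OFP fails / RCPs run", missed * (1 - p["RCPMF"]), False))
        seqs.append((desc + " / OFP fails / RCPs fail", missed * p["RCPMF"], True))
    return seqs

def end_state_frequencies(p=P_FAIL, ie=IE_PER_YEAR):
    """Path probability times initiating-event frequency, per year."""
    return [(d, ie * q, rapid) for d, q, rapid in dilution_sequences(p)]

def rapid_dilution_frequency(p=P_FAIL, ie=IE_PER_YEAR):
    """Sum of the end states the text treats as rapid dilution of the core."""
    return sum(f for _, f, rapid in end_state_frequencies(p, ie) if rapid)

def fraction_of_cdf(freq, cdf=SHUTDOWN_CDF):
    """Express a dilution frequency as a fraction of the shutdown CDF."""
    return freq / cdf

def worst_case_frequency(p=P_FAIL, ie=IE_PER_YEAR, hep_worst=1e-3, uncertainty=10.0):
    """Worst-case HEP plus one extra order of magnitude for uncertainty, as in the text."""
    return rapid_dilution_frequency(dict(p, OFP=hep_worst), ie) * uncertainty
```

With these placeholders the three rapid-dilution paths mirror the three rapid end states the text counts for HOTSD, and the worst-case step shows how the HEP and uncertainty factors scale the result before it is compared with the CDF.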

Simplified event tree diagrams for the LOSP and HOTSD sequences (scanned figures; the branch graphics are not reproduced in this text).

CADET 1.00 event tree listing (scanned printout) for HOTSD: DILUTION DURING STARTUP FROM HOT SHUTDOWN

List of top events:

HOTSD - HOT SHUTDOWN WHILE AT UET
OPF - OPERATOR SWITCHES FROM DILUTE TO AUTO MODE AT STARTUP
AUTO - CONTROL SYSTEM DETECTS AND SHUTS OFF DILUTION ON HIGH FLUX
VAL3 - DILUTION VALVE SWITCHES FROM DILUTION CONFIGURATION
VALDW - DWS VALVE CLOSES WHEN ACTUATED TO STOP DILUTION
OFP - OPERATOR RESPONDS TO HIGH NEUTRON FLUX
RCPMF - REACTOR COOLANT PUMPS CONTINUE TO OPERATE. SLOW DILUTION

STARE simplified event tree diagram (scanned figure; the branch graphics are not reproduced in this text).

CADET 1.00 event tree listing (scanned printout) for STARE: BORON DILUTION AT STARTUP

List of top events:

STARE - BORON DILUTION DURING STARTUP AT UET
OFP1 - OPERATOR SETS PROPER FLOW
VAL4 - VALVE SETS PROPER FLOW BASED ON OPERATOR SETTING
RTRIP - REACTOR TRIPS ON FLUX DOUBLING
DWSF - DWS VALVE CLOSES ON TRIP SIGNAL
OFP2 - OPERATOR RESPONDS TO FLUX DOUBLING OR TRIP ALARM


Attachment A to NSD-NRC-96-4803

Enclosed Responses to NRC Requests for Additional Information

Re: Internal Fire Analysis 720.280 through 720.284

Re: Shutdown PRA 720.305 - revision 2

Re: HRA 720.302 - revision 1
