NSD-NRC-96-4895, Forwards W Responses to NRC RAI Re AP600 PRA & Assessment of Potential Impact of Diffusion Flames on AP600 Containment Wall & Pentrations, for Review

ML20135D020
Site: 05200003
Issue date: 11/27/1996
From: McIntyre B, WESTINGHOUSE ELECTRIC COMPANY, DIV OF CBS CORP.
To: Quay T, NRC OFFICE OF INFORMATION RESOURCES MANAGEMENT (IRM)
Shared Package: ML20135D023
References: NSD-NRC-96-4895, NUDOCS 9612090208
Download: ML20135D020 (38)


Text


Westinghouse Electric Corporation, Energy Systems
Box 355, Pittsburgh, Pennsylvania 15230-0355

November 27, 1996
NSD-NRC-96-4895
DCP/NRC0666
Docket No.: STN-52-003

Document Control Desk
U.S. Nuclear Regulatory Commission
Washington, D.C. 20555

ATTENTION: T. R. QUAY

SUBJECT: AP600 RESPONSE TO REQUEST FOR ADDITIONAL INFORMATION, AND HYDROGEN DIFFUSION FLAME ASSESSMENT

Dear Mr. Quay:

Enclosure 1 provides Westinghouse responses to NRC requests for additional information pertaining to the AP600 Probabilistic Risk Assessment. These responses close, from a Westinghouse perspective, the addressed questions. The status of these items in the OITS will be changed to Action N. The NRC technical staff should review these responses.

Enclosure 2 is a copy of a report titled "Assessment of the Potential Impact of Diffusion Flames on the AP600 Containment Wall and Penetrations." The NRC technical staff should review this report.

A listing of the NRC requests for additional information responded to in this letter is contained in Attachment A.

Please contact Cynthia L. Haag on (412) 374-4277 if you have any questions concerning this transmittal.

Brian A. McIntyre, Manager
Advanced Plant Safety and Licensing

Enclosures

cc: J. Sebrosky, NRC (enclosures)
    J. Kudrick, NRC (w/o enclosures)
    J. Flack, NRC (w/o enclosures)
    N. J. Liparulo, Westinghouse (w/o enclosure)

9612090208 961127 PDR ADOCK 05200003 PDR

Enclosure 1 to Westinghouse Letter NSD-NRC-96-4895, November 27, 1996

Attachment A to NSD-NRC-96-4895: Enclosed Responses to NRC Requests for Additional Information

Re: Level 1 PRA: 720.324, 720.325, 720.326, 720.327, 720.328, 720.329, 720.330, 720.331, 720.332, 720.333
Re: Shutdown PRA: Question 2 (OITS #2940) - revision 1; 720.306 - revision 2

NRC REQUEST FOR ADDITIONAL INFORMATION, REVISION 1

Re: Shutdown PRA question from NRC letter dated November 9, 1995, Question 2 (#2940)

With respect to Open Item 19.1.3.3-2, Westinghouse responded in Section 54.3.2 of the PRA that the core damage contribution from the cool down period to 350°F and 400 psig is negligible compared to hot/cold shutdown and midloop/vessel flange operations. In Section 54.3.2, Westinghouse justifies this assumption based on (1) the cool down period to hot shutdown of 350°F and 400 psig lasts only eight hours, and (2) all mitigating systems available when the reactor is at power are available except the accumulators. In order for the staff to conclude that this shutdown period does not need to be quantitatively evaluated, the staff is asking Westinghouse to:

a. Modify this argument to indicate that the risk is low compared to the at-power risk. The argument that Westinghouse gave does not directly lead to the conclusion that the core damage risk is low compared to the risk from hot/cold shutdown and midloop/vessel flange operations.

b. Clarify in Section 54.3.2 of the PRA if all actuating signals that are available at full power are also available during this time period. In Table 54-2, it would be helpful if an additional column was created for full power operation to allow for a simple comparison of available signals.

c. Document in Section 54.3.2 of the PRA and Table 54-8 if any maintenance can be performed on any system during this period. Document how these maintenance assumptions will be met (i.e., Tech. Specs., administrative controls, etc.).

RESPONSE:

a. If it is conservatively assumed that all accidents evaluated during power operation can occur during the first eight hours of shutdown, then, given the availability of all mitigating systems except the accumulators, the risk during this early shutdown period can be factored from the at-power core damage frequency. As shown in Section 54.3.2, the estimated annual duration for this plant state is 22 hours. Therefore, the estimated CDF during this shutdown mode is: [(2.43E-07 / 8760) x 22] = 6.10E-10; this is 0.25 percent of the at-power risk.

This conservative estimate shows that the risk during the first eight hours of shutdown is very low; much conservatism is evidenced by the fact that ATWS events, which are significant contributors to the at-power CDF, are not applicable to the shutdown assessment.

b. Table 54-2 of the Shutdown PRA has been revised to: 1) add a column for at-power; and 2) include the actuating signals for all systems in the table.


c. Availability (and corresponding maintenance restrictions) of the safety-related systems during shutdown operations are incorporated in the AP600 Technical Specifications. The technical specifications do not allow for scheduled maintenance of the passive safety-related components in mode 3 (hot standby) with the exception of the accumulators, which are isolated during this mode when the RCS pressure is reduced to below 1000 psig to prevent their injection. Table Q2-1 summarizes the availability of the safety-related systems as captured in the AP600 Technical Specifications. Per NRC staff request in a telecon on September 10, 1996, Table Q2-1 has been placed in PRA revision 8. The table can be found in Chapter 54, as Table 54-93.

The Reliability Assurance Program specifies maintenance guidelines for RTNSS-important systems.


Table Q2-1  Technical Specification Requirements for Safety-Related Components

Columns: MODE | ADS | CMT | PRHR | IRWST | Containment | Containment Cooling

MODES 1-4 (1), full power to safe shutdown:
  ADS: 10 of 10 paths OPERABLE; all paths closed
  CMT: Both CMTs OPERABLE
  PRHR: PRHR HX OPERABLE
  IRWST: Both IRWST injection paths and both containment recirc paths OPERABLE
  Containment: Integrity
  Containment Cooling: Both water flow paths OPERABLE

MODE 5, RCS pressure boundary closed:
  ADS: 9 of 10 paths OPERABLE; all paths closed
  CMT: One CMT OPERABLE
  PRHR: PRHR HX OPERABLE
  IRWST: One IRWST injection path and one containment recirc path OPERABLE
  Containment: Closure (2)
  Containment Cooling: Both water flow paths OPERABLE

MODE 5, RCS pressure boundary open:
  ADS: Stages 1, 2, and 3 open; 2 of 4 Stage 4 paths OPERABLE
  CMT: None
  PRHR: None
  IRWST: One IRWST injection path and one containment recirc path OPERABLE
  Containment: Closure (2)
  Containment Cooling: Both water flow paths OPERABLE

MODE 5, RCS pressure boundary open, reduced RCS inventory:
  ADS: Stages 1, 2, and 3 open; 2 of 4 Stage 4 paths OPERABLE
  CMT: None
  PRHR: None
  IRWST: One IRWST injection path and one containment recirc path OPERABLE
  Containment: Closure (2)
  Containment Cooling: Both water flow paths OPERABLE

MODE 6, reactor internals in place, refueling cavity not full:
  ADS: Stages 1, 2, and 3 open; 2 of 4 Stage 4 paths OPERABLE
  CMT: None
  PRHR: None
  IRWST: One IRWST injection path and one containment recirc path OPERABLE
  Containment: Closure (2)
  Containment Cooling: Both water flow paths OPERABLE

MODE 6, reactor internals removed, refueling cavity full:
  ADS: None
  CMT: None
  PRHR: None
  IRWST: None
  Containment: Closure (2)
  Containment Cooling: None

Notes:

(1) Both accumulators required in modes 1-3, above 1000 psig. The accumulators are not required in modes 4-6.

(2) Containment closure is defined as the ability to close the containment prior to the time steam would be released to the containment following a loss of decay heat removal.

NRC REQUEST FOR ADDITIONAL INFORMATION, REVISION 2

Re: Shutdown PRA question from NRC letter dated December 22, 1995, Question 720.306 (#3010)

The PRA clearly states that containment integrity is maintained during modes 1 through 4. However, the status of containment during modes 5 and 6 is unclear in the PRA (Section 54.2.5). The PRA states that during midloop operation, containment "closure" is maintained. However, midloop operation is only a subset of shutdown operations in mode 5 with the RCS open. Also, the term "closure" is not defined. The staff assumes that "closure" is different from containment integrity. The staff is concerned that the results of the PRA do not include the risk impact of a potentially open containment given a core damage event during mode 5. The staff needs this information since events occurring during midloop/vessel flange operation account for over 90% of the shutdown core damage frequency. Therefore, Westinghouse is requested to provide the following information in the shutdown PRA:

a. Westinghouse is requested to document in the PRA how the requirement for containment integrity will be maintained during Modes 1-4 (i.e., Tech. Specs., admin. controls, etc.).

b. Westinghouse is requested to document in the shutdown PRA the status of containment during cold shutdown (mode 5) when the RCS is completely intact. This explanation should include the status of the equipment and personnel hatches, penetrations for operating systems, and temporary instrument and electrical penetrations. This explanation should also describe the operator's ability to close containment should a core damage event occur. Westinghouse is requested to document in the PRA how these assumptions will be met (i.e., Tech. Specs., admin. controls, etc.).

c. Westinghouse is requested to document in the shutdown PRA the status of containment during cold shutdown up to when the refueling cavity is flooded with an open RCS (midloop operation/vessel flange operation is a subset of this phase of shutdown). This explanation should include the status of the equipment and personnel hatches, penetrations for operating systems, and temporary electrical and instrument penetrations. This explanation should also describe the operator's ability to close containment before steaming through an open RCS makes containment conditions intolerable to the operator. Westinghouse is requested to document in the PRA how these assumptions will be met (i.e., Tech. Specs., admin. controls, etc.).

d. For both of the shutdown phases addressed above, Westinghouse is requested to identify in the shutdown PRA the probabilities assumed for containment isolation.

e. For both of the shutdown phases addressed above, Westinghouse is requested to report the fraction of core damage scenarios occurring with an open containment and their combined frequencies.

Response

a. The AP600 Technical Specifications will specify the requirements for containment status during all modes of operation including shutdown. This information will be referenced in the shutdown PRA. During Modes 1-4, containment integrity is required. In Modes 5 and 6, containment closure capability is required. Containment closure capability is defined in the Technical Specifications as the capability to close the containment prior to the time steam would be released to the containment following a loss of the normal decay heat removal capability through the normal residual heat removal system. Details on the containment status during each operating mode are summarized in Table Q2-1 of the response to shutdown PRA question 2c (of NRC letter dated Nov. 9, 1995).

b. As shown in Table Q2-1 in the response to shutdown PRA question 2c (of NRC letter dated Nov. 9, 1995), containment closure capability is required during Mode 5 with the RCS intact.

c. As shown in Table Q2-1 in the response to shutdown PRA question 2c (of NRC letter dated Nov. 9, 1995), during Mode 5 with the RCS pressure boundary open and during reduced inventory operations, and during Mode 6 with the upper internals in place, containment closure is required. As described above, containment closure capability is defined as the capability to close the containment prior to the time steam would be released to the containment following a loss of the normal decay heat removal system. Equipment hatches and personnel hatches, penetrations for operating systems, and any temporary electrical and instrument penetrations may be open during these conditions, provided that there is the capability to close the various hatches and penetrations within prescribed time limits, corresponding to the minimum time before steam would be released to the containment following loss of decay heat removal capability.

d. This RAI response provides an assessment of the failure probabilities for containment isolation during shutdown modes where containment closure is required. As stated in Section 54.2.4, in modes 5 and 6, during reduced inventory operations and when the upper internals are in place, containment closure capability is required.

Containment closure capability is defined in the Technical Specifications as the capability to close the containment prior to the time steam would be released to the containment following a loss of the normal decay heat removal capability through the normal residual heat removal system. According to the Technical Specification requirements, the capability to close the containment before steam is released to the containment must be demonstrated in order for the hatches and/or penetrations to be kept open during the respective plant conditions in modes 5 and 6. In that regard, containment closure capability can certainly be demonstrated during the mid-loop period after refueling, since the decay heat level is very low and there is a long time window (at least 2 hours from loss of decay heat) for the operators to complete this task.

In other plant conditions in modes 5 and 6, the decay heat level would be higher than during the mid-loop period discussed above; therefore, steaming to the containment would occur earlier, providing a shorter time window for the operators to close the hatches and penetrations. Therefore, it is unlikely that the containment would be open during such periods of higher decay heat levels.


The following evaluation assumes the containment is open at any time during reduced inventory conditions. The evaluation also assumes that the crew will work in a steam environment for some period of time to complete this task within 50 minutes from the loss of RNS. Based on the previous discussion, these assumptions are conservative; therefore, the human error probability for this task is conservative.

Operator actions to close valves for isolating the respective systems have been accounted for in the shutdown PRA, and are therefore excluded from this evaluation.

Based on the previous discussion, only events occurring in mode 5, during reduced inventory operations, are likely to occur with an open containment.

The following assumptions are made in this evaluation:

• Equipment hatches, personnel hatches, and temporary electrical and instrument penetrations are open during the mid-loop scenarios modeled in the PRA.

• The openings include: one main equipment hatch, one maintenance hatch, two personnel hatches, and three spare penetrations.

• More than one temporary line or cable can fit through each spare penetration. Such lines are fitted with quick disconnect attachments.

• Each personnel hatch consists of two doors in series that are normally interlocked to maintain containment integrity. The interlock is defeated to allow both doors to be kept open.

• The openings are closed manually; the equipment hatch is closed from inside containment, and the other openings are closed from outside containment.

• The openings are manned by maintenance personnel with responsibilities as follows: 2 persons for closing the main equipment hatch; 2 persons for closing the maintenance hatch; 2 persons for closing each personnel hatch; 2 persons for disconnecting the lines and closing the spare penetrations. Each opening can be closed by one person with the second person serving as backup or assistant.

• Based on the AP600 shutdown emergency response guidelines, it is assumed that detailed written procedures will be developed and used for closing the openings.

• Assuming reduced inventory is reached as early as 28 hours after reactor shutdown, the fastest the reactor coolant can heat up to boiling is about 17 minutes from the loss of RNS. It is estimated that the containment could heat up to 145°F in about 33 minutes after the reactor coolant begins to boil. Therefore, for this worst case scenario, the containment temperature could reach 145°F in 50 minutes from the loss of RNS.

• It is assumed that loss of RNS is the cue for initiating closure of these openings; therefore, there is a time window of approximately 50 minutes to complete these actions. It is further assumed the containment environment is habitable up to 145°F.

• Personnel are required to evacuate the containment before closing the personnel hatches; in that regard, the equipment hatch must be closed prior to closing the personnel hatches. It is assumed that it takes about 30 minutes to close the equipment hatch, and, during that time, personnel in the containment are evacuated.

• It is assumed the other openings, all of which are closed from outside containment, can also be closed within the same 30 minutes discussed in the previous paragraph.

• Although the loss of RNS is expected to be diagnosed by the control room personnel, it is expected that an alarm would be annunciated in the containment to signify the need for containment closure. To be conservative, it is assumed that cognitive diagnosis for closing the hatches (by the maintenance crew) is required and this diagnosis must be completed within 15 minutes from the alarm. According to previous assumptions, a time window of about 35 minutes remains to physically close the openings.

• On closing each opening, one maintenance crew (MC) member is assigned a low dependency on the other crew member.

• A high stress level is assigned for this task according to THERP 20-16, item 45.

• It is assumed that the hatches and doors for the openings are exercised (when they are first opened) to ensure they can close on demand. Therefore, hardware failures of these openings are judged to be highly unlikely (i.e., an estimated failure probability less than 1.0E-06 per demand for each opening). However, if 1.0E-05 per demand is conservatively applied for the failure probability of one of these openings to close, then a failure probability of 7.0E-05 per demand is assumed for hardware failure of these openings.

Quantification of the human error probability for this task is as follows:

Diagnosis Error Calculation (D_total):

D1: Failure to diagnose the need for closing containment hatches within 15 minutes = 4.0E-02 [THERP 20-3 & Figure 12-4]

D2(MC1): Failure to respond to 1 of 1 local alarm = 2.7E-04 [THERP 20-23 (1)]

D2(MC2): Low crew dependency assigned to the second crew member = 0.05 [THERP 20-4]

D2 = D2(MC1) x D2(MC2) = 2.7E-04 x 0.05 = 1.35E-05; D_total = D1 x D2 < 1.0E-05.

Action Execution Calculation (A_total):

A1: a) Omit action to close assigned opening (omission error) = 1.3E-03 [THERP 20-7 (1)]
    b) Stress multiplier = 5
    A1(MC1) = a x b = 6.5E-03
    A1(MC2) = 0.05 [THERP 20-18]

Therefore, action execution failure for one opening is estimated as:

A1_total = A1(MC1) x A1(MC2) = 3.25E-04.

Since there are seven openings, the total action execution failure is:

A_total = A1_total x 7 = 3.25E-04 x 7 = 2.28E-03.

Therefore, the HEP for closing the containment hatches and temporary penetrations is:

D_total + A_total = 2.28E-03.

Result: The estimated failure probability of the openings for containment closure is the summation of the assumed hardware failure probability (7.0E-05) and the HEP (2.28E-03); that is, a failure probability of 2.35E-03.

The failure probability of the fault tree for containment isolation (CIST) is estimated to be 1.71E-02. By including the failure probability of 2.35E-03 in the CIST fault tree, the estimated failure probability of containment isolation changes from 1.71E-02 to 1.95E-02; an increase of approximately 14 percent.

This increase of 14% is judged to be insignificant and has no effect on the PRA results.
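The calculation above, written out as an added worked example that is not part of the Westinghouse response: a small Python module that encodes the THERP-style combination used here (a diagnosis term, a per-opening execution term scaled by stress and crew dependency, a rare-event sum over the openings, plus the assumed hardware term) and reproduces the quoted numbers. The basic HEP values and THERP table references are the ones quoted in the response; the `ClosureInputs` structure and the function names are this example's own, and the closing sensitivity run with a stress multiplier of 2 is an illustration rather than a figure from the document.

```python
"""THERP-style quantification of the containment-closure failure probability.

Added example; not part of the Westinghouse RAI response. The constants are
the basic human error probabilities (HEPs) and THERP table references quoted
in the response; the calculation structure is the one the response walks
through, written out so it can be re-run with other inputs.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ClosureInputs:
    """Inputs to the containment-closure HEP calculation (values as quoted)."""
    # Diagnosis: cue is the loss-of-RNS alarm in containment, 15 min allowed.
    d1_diagnosis: float = 4.0e-2        # fail to diagnose within 15 min [THERP 20-3, Fig. 12-4]
    d2_alarm_mc1: float = 2.7e-4        # fail to respond to 1-of-1 local alarm [THERP 20-23 (1)]
    d2_dependency_mc2: float = 0.05     # low dependency, second crew member [THERP 20-4]
    # Action execution, per opening, one crew member plus a backup.
    a1_omission: float = 1.3e-3         # omit closing the assigned opening [THERP 20-7 (1)]
    stress_multiplier: float = 5.0      # high stress level [THERP 20-16]
    a1_dependency_mc2: float = 0.05     # low dependency, second crew member [THERP 20-18]
    # Plant configuration and hardware.
    n_openings: int = 7                 # 1 equipment hatch, 1 maintenance hatch, 2 personnel hatches, 3 spare penetrations
    hw_fail_per_opening: float = 1.0e-5 # conservative failure-to-close per demand, per opening
    cist_base: float = 1.71e-2          # containment isolation fault tree (CIST) before the closure term


def diagnosis_hep(x: ClosureInputs) -> float:
    """D_total = D1 x D2, where D2 = alarm-response failure with low crew dependency."""
    d2 = x.d2_alarm_mc1 * x.d2_dependency_mc2
    return x.d1_diagnosis * d2


def execution_hep_one_opening(x: ClosureInputs) -> float:
    """A1_total for one opening: omission x stress, then x dependency of the backup."""
    a1_mc1 = x.a1_omission * x.stress_multiplier
    return a1_mc1 * x.a1_dependency_mc2


def execution_hep_all_openings(x: ClosureInputs) -> float:
    """A_total: rare-event approximation, the per-opening term summed over openings.

    Each opening is a separate action by a separate crew pair, so the
    per-opening failure probability is multiplied by the number of openings.
    """
    return execution_hep_one_opening(x) * x.n_openings


def hardware_failure(x: ClosureInputs) -> float:
    """Hardware failure-to-close summed over all openings (7.0E-05 as quoted)."""
    return x.hw_fail_per_opening * x.n_openings


def closure_failure_probability(x: ClosureInputs) -> float:
    """HEP (diagnosis + execution) plus hardware: the closure term added to CIST."""
    return diagnosis_hep(x) + execution_hep_all_openings(x) + hardware_failure(x)


def cist_with_closure(x: ClosureInputs) -> float:
    """Containment isolation failure probability with the closure term included."""
    return x.cist_base + closure_failure_probability(x)


def relative_increase(x: ClosureInputs) -> float:
    """Fractional increase of CIST caused by the closure term."""
    return closure_failure_probability(x) / x.cist_base


if __name__ == "__main__":
    base = ClosureInputs()
    print(f"D_total         = {diagnosis_hep(base):.2E}")
    print(f"A1 (one opening)= {execution_hep_one_opening(base):.2E}")
    print(f"A_total         = {execution_hep_all_openings(base):.2E}")
    print(f"closure term    = {closure_failure_probability(base):.2E}")
    print(f"CIST            = {base.cist_base:.2E} -> {cist_with_closure(base):.2E} "
          f"(+{100 * relative_increase(base):.0f}%)")
    # Sensitivity (illustrative): a lower stress multiplier shrinks the closure term.
    low_stress = ClosureInputs(stress_multiplier=2.0)
    print(f"with stress x2  : closure term = {closure_failure_probability(low_stress):.2E}")
```

Note that the diagnosis term (5.4E-07) is negligible next to the execution term, so the closure failure probability is driven almost entirely by the omission HEP, the stress multiplier and the number of openings; those are the inputs worth challenging when reviewing the 14 percent figure.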

e. During the meeting between Westinghouse and the NRC PRA staff on January 18, 1996, the staff clarified that this RAI pertains to events, identified in the shutdown PRA, that could be initiated when the containment is open. Therefore, this RAI response provides an estimate of the fraction of core damage frequency from events occurring with an open containment and their total frequency. As discussed previously (in the response to part (d) of this RAI), even though containment closure capability is applicable to events in modes 5 and 6 (when the upper internals are in place), the requirement for containment closure is limited to events occurring during mid-loop conditions in the shutdown PRA.

Based on the results reported in Chapter 59 of the PRA, events occurring during mid-loop conditions contribute 85 percent of the Level 1 shutdown core damage frequency. This contribution consists of the following:

• Loss of decay heat removal due to CCS/SWS initiated failures: 54.13 percent
• Loss of offsite power: 19.N percent
• Loss of decay heat removal due to RNS initiated failures: 10.41 percent
• LOCA due to inadvertent opening of valve RNS-V024: 1.45 percent

The associated yearly frequencies of these events are:

• Loss of decay heat removal due to CCS/SWS initiated failures: 2.98E-08
• Loss of offsite power: 1.05E-08
• Loss of decay heat removal due to RNS initiated failures: 5.73E-09
• LOCA due to inadvertent opening of valve RNS-V024: 7.96E-10

Therefore, the total yearly frequency of these events is 4.7E-08.


Question: 720.324

As part of the AP600 PRA review, the staff is performing confirmatory re-quantification of selected accident sequences. To compare with Westinghouse's results, lists of top minimal cutsets for each of the sequences quantified by Westinghouse are needed. Each list should provide an adequate number of cutsets to be used for a meaningful comparison of results (e.g., top 50 cutsets or, if less than 50, top cutsets contributing to 99% of the sequence frequency). Please provide such lists.

Response

The requested information was provided to NRC via Westinghouse letter NSD-NRC-96-4742, dated June 7, 1996.

In addition, cutsets for the dominant sequences are provided in the PRA.


Question: 720.325

An important insight, reported by Westinghouse in Chapter 59 (Results) of Revision 6 of the PRA, is that the contribution of the steam generator tube rupture (SGTR) event to the at-power core damage frequency (CDF) is very small (about 1.5%). If true, given the low total CDF estimate for the AP600 design, this is a significant improvement with respect to operating pressurized water reactors (PWRs). One of the reasons, reported by Westinghouse, for the small contribution of SGTR to CDF is that "the first line of defense is the startup feedwater system (SFWS) and chemical and volume control system (CVCS)." Please provide documentation showing that operation of CVCS only provides adequate flow for inventory control and that there is sufficient time to stabilize the plant before core uncovery occurs. Such documentation should clearly state all major assumptions made in the analysis.

Response

The event tree for the steam generator tube rupture (SGTR) is in the PRA on pages 4-128 and 4-129. It shows that not only is CVS required to mitigate a SGTR, but that startup feedwater, the condenser, pressurizer sprays, and isolation of the faulted steam generator are also required. Thus, CVS alone is not expected to be able to mitigate a SGTR. Other systems are required as well.

The event tree has two parts. The first part, entitled SGTR, is the nonsafety systems' response to a SGTR. The end states of this tree are either success, SGTRCONT (SGTR continues), or, in one case, an ATWS. The SGTRCONT states go into the other SGTR event tree, STGRC. This event tree models the safety systems' response to the SGTR.

As can be seen in the SGTR tree, there is no success path that includes only the CVS. That is, the SGTR cannot be mitigated only with this system. In fact, the top success path includes "RTRIP," the reactor trip; "CVCS," the CVS functions; "SFW," the SFS functions; "SGDEP," the depressurization of the unaffected steam generator with the steam dumps; "PRDEP," the depressurization of the primary system with the pressurizer sprays or the ADS; and "SGISO," the isolation of the affected steam generator.

This sequence is described below. Many of the events occur simultaneously as a result of the reactor trip, and the listing of the event sequence is not meant to imply a chronological order. The sequence described follows the event tree sequence in the PRA.

SGTR sequence:

1. The tube rupture occurs.

2. There is a reactor trip signal. (The "S" signal that includes the reactor trip also isolates the secondary side. The isolation is accounted for later in the event tree.) The reactor trip will also trip the RCPs and actuate the CMTs on low pressurizer level. The CMTs will not actually inject since there will not be a sufficient loss of inventory or voiding in the RCS, but they will be available if the tube rupture progresses and more inventory is lost.

3. The CVS continues to provide makeup to the primary system. This may require the second train of CVS to start to provide additional flow. Initially the flow out of the ruptured tube may be on the order of 400 gpm. The maximum CVS flow is about 100 gpm. Thus, there will be a net loss of inventory (and a reduction of pressure) from the RCS for a very short time in the beginning of the transient. Of course, as inventory is lost, the RCS pressure is further decreased, which decreases the flow out of the broken tube.

4. The reactor trip shuts down the reactor and the primary pressure is reduced significantly. This reduces the leak flow.

5. The startup feedwater is started and provides flow to the unaffected generator, which is used to cool the primary system. As the primary system cools, the primary pressure is further reduced, reducing the primary pressure significantly. This has all occurred in a few minutes. The SFW is able to regulate the flow to the steam generators in order to maintain the level in each generator. If the level should exceed the setpoint (because of the flow through the broken tube), the SFW will throttle flow to that steam generator to attempt to maintain the proper level.

6. The unaffected steam generator is depressurized through the steam dumps, which are available after the reactor trip. This further cools the primary system and reduces the primary system pressure, reducing the flow out of the primary system.

7. The primary system is depressurized with the pressurizer sprays or the first stage of ADS. This makes the pressure difference between the primary system and the faulted steam generator much smaller, further reducing the flow out of the broken tubes.

8. The feed flow into and steam flow out of the faulted steam generator is isolated. This causes the pressure in the faulted steam generator to increase (because the feed flow is stopped, and the steam generator inventory boils). At this point the leak flow through the broken tube is stopped because the primary and secondary pressures are the same.

9. If all of these events are successful, then the transient is mitigated and the plant proceeds to reach a state where the repair of the broken tube is possible. If there is a failure in this sequence, then the event proceeds similar to a small loss of cooling event, and the plant systems function to mitigate it appropriately. This response is depicted in the event trees.

This sequence occurs very quickly, and it is expected that the water in the pressurizer would not be entirely lost. Of course, if the RCS level dropped sufficiently, then the CMTs would inject and the plant systems would respond as if to a LOCA, as is modeled in the event trees. Core uncovery is not expected in the successful mitigation sequence of the SGTR.

1 NRC REQUEST FOR ADDITIONAL INFORMATION au +:

+ t Ouestion: 720.326 Please provide the following information concerning the steam generator tube rupture (SGTR) event tree model.

a. The description of esent CVCS in Section 4.10.2 (page 4-29), entitled " Event Tree Model and Nodes," is not referring to the function (i.e., inventory control) CVCS is assumed to serve in the SGTR event tree. Please explain.
b. Event SGISO (failure to isolate the ruptured steam generator (SG)), as modeled by Westinghouse, does not include the possibility of an unisolable leak (e.g., stuck open SG power-operated relief valves (PORVs)/ safety valves or atmospheric dump valves (ADVs)). If an unisolable path exists from the ruptured SG to the atmosphere, the differential pressure between the primary and the secondary side will remain high since the ruptured SG could be at or near atmospheric pressure. This scenario would require decreasing the primary pressure down to the atmospheric pressure to terminate the leak prior to depletion of the available RCS inventory. Please explain why this scenario is not modeled in the SGTR event tree, if your answer is that unisolable leaks cannot occur, include appropriate documentation to support this assumption.
c. Please list and describe the specific AP600 design features that reduce the probability of SGTR events resulting in containment bypass with respect to operating reactors. Such features should improve SGTR diagnosis, increase the time available for operator actions, lead to less reliance on operator actions and reduce the likelihood of challenging the secondary side safety valves. Please refer to applicable event tree models and related analyses,
d. It is stated in page 6-13 (Chapter 6, Success Criteria Analysis, of the PRA) that "the passive response paths on the SGTR event tree pessimistically model active SG isolation, which would not be required, since turbine trip would provide an alternative to active SG isolation." However, this is not a "pessimistic" modeling of the "passive response paths." On the contrary, credit is taken for SG isolation in all "passive response paths," as indicated by the multiplication of the frequency of these paths by the probability of failure to isolate the ruptured SG (events CIB and CIB/SGHL). Please clarify.

e. Following the SGTR event, an Emergency Safeguard Features (ESF) actuation signal is generated due to low pressurizer pressure. The ESF signal is supposed to trip the RCPs and actuate the CMTs. However, a statement made in page 4-27 implies that the event can be terminated by use of nonsafety systems and operator actions only. Please explain.
f. It seems that there are discrepancies between the PRA modeling of the SGTR accident sequences and the AP600 Emergency Response Guidelines (see Guideline AE-3, Rev. 1, July 28, 1995). For example, Table 2-1 of the ERGs shows CMT and PRHR actuation and need for operator action to isolate them when certain conditions are met. Please provide documentation explaining how applicable emergency procedures are incorporated into the PRA models of SGTR accident sequences.
g. The following statement is made (see Chapter 4, page 4-28 of Revision 2 of the PRA): "Analyses show that no overfilling occurs and no automatic depressurization is actuated, even if multiple tubes have ruptured in the steam generator." Please provide documentation justifying the reason for not modeling in the PRA multiple SGTR events. This should include, in addition to the frequency of the initiating event, time windows available for required operator actions to isolate the faulted SG and stabilize the plant.

h. Please provide documentation justifying the reason for not modeling in the PRA SGTR coincident with loss of offsite power.

Response

a. A description of the "CVCS - Chemical and Volume Control System" in Section 4.10.2 which would be more applicable specifically to the steam generator tube rupture would be as follows:

"This event models the failure of the chemical and volume control system to provide makeup water, i.e., provide inventory control, for events within the capacity of the CVS pumps. Tje automatic actuation signal modeled is low pressurizer water level relative to the programmed level.

The CVS cannot provide makeup indefinitely without operator actions to align the spent fuel pool to the CVS pumps' suction or to refill the boric acid tank. The event trees take no credit for this action, so it is assumed that even if CVS is successful, the plant will need to be shut down and other mitigation functions required for successful mitigation of the steam generator tube rupture event."

The description in the PRA does refer to inventory control as does the description here. The CVS function is to maintain inventory in the RCS for any event, including steam generator tube ruptures.


b. The SGISO top event does include the probability of failure to close any secondary side safety valves, dump valves, or PORVs. This statement is explicitly made in the latest revision PRA text on page 4-31 in section 4.10.2. The SGISO node uses CIB and XCIB (a combination of several events, including CIB) to model the isolation of the faulted steam generator. The events modeled in that node include the closure of the secondary side pressure relief valves.
c. The AP600 design differs from current generation plants in many ways. One of these is the inclusion of passive systems that act to replace RCS coolant lost through a leak and maintain the core in a safe, stable state.

Examples of this include the PRHR and the CMTs. These passive systems have a higher reliability than systems with pumps, because there are no pumps that need to be started and there are no pumps that can fail to run.

The CMTs are used for high head safety injection (SI) similar to current generation plants, but they have an important advantage over those SI systems in a SGTR event. The current generation plant SI systems are capable of pumping large volumes of water into the RCS. The output of the SI system in a current generation plant can match or even exceed the SGTR break flow. This tends to hold the RCS pressure at a high level.

The CMTs do not inject water into the RCS unless there is a sufficient loss of RCS inventory or voiding in the RCS. That is, they can provide inventory makeup as needed, but they do not maintain the RCS at a high pressure. The cooling provided by the other systems, such as SFW and PRHR, is better able to reduce the RCS pressure as a result.


The AP600 SFW also has improvements over the feedwater systems in current generation plants. The SFW has the ability to throttle the flow to the steam generators to prevent overfilling them. If the flow in a steam generator reaches the high level setpoint, the SFW will stop the feed flow to the steam generator. This reduces the potential for a challenge to the steam generator safety valves.

The AP600 steam generator overfill protection system also acts to reduce the challenges to the steam generator safety valves. The overfill protection system acts to isolate the steam generator should it start to overfill, again reducing the potential for opening the secondary side pressure relief valves. The overfill protection system function is modeled in the event trees with the automatic isolation of the faulted steam generators. This function is expected to function only if the SFW is unable to maintain the level in the steam generator.

These systems reduce the probability of core damage from SGTRs. The use of these passive systems to mitigate a tube rupture event is reflected in the event trees. They also reduce the chance that a tube rupture event will progress to the point that the secondary side pressure relief valves will be opened (and could fail to close) by working to depressurize the RCS, prevent the overfill of the steam generators, and maintain the RCS inventory as necessary.

The AP600 design includes radiation monitors to detect a SGTR as well as an automatic steam generator overfill protection system. The radiation monitors would alert the operators of a tube leak before it progressed very far, thus providing time to respond to the leak and possibly mitigate it before the secondary side pressure relief valves are opened.

The AP600 PRA SGTR event tree is a conservative model for a stuck open secondary side safety valve. This model is used in the top nodes of the event trees labeled "SLB-V" and "SGISO." This conservative model results in a large number of SGTR sequences that result in containment bypass relative to the total number of SGTR sequences. The number of bypass sequences is higher than would be expected with a more realistic model for a stuck open secondary side safety valve. The frequency of containment bypass due to SGTR could be significantly reduced if a more detailed and realistic model were used for the secondary side safety valves.

d. The paragraph in section 6.3.2.8 is referring to the fact that no credit is taken for the automatic isolation of the faulted steam generator by the turbine trip resulting from the reactor trip. The event tree explicitly models a requirement to isolate the faulted steam generator (automatic or manual) assuming that it is not already isolated by the turbine trip signal. The PRA model does not take credit for isolation of the steam generator by the turbine trip signal (or the S signal that generates the turbine trip), and the isolation must take place based on another signal or operator action. The operators are alerted to check the steam generator isolation and perform this action if needed by the Emergency Response Guidelines (ERGs). If the steam generator isolation were assumed to be done by the turbine trip signal, the steam dump valves would still be available to the operators.

If credit were to be taken for the isolation of the faulted steam generator by the turbine trip signal, then the core damage frequency resulting from SGTR would be smaller than is presented in the PRA.

e. The response to RAI 720.325 discusses a SGTR sequence which is mitigated through the use of nonsafety-related systems. This is represented by the first success path on the tube rupture tree.


It is true that the RCPs will be tripped and the CMT isolation valves will be opened. This does not change the fact that the SGTR can be mitigated by the nonsafety-related systems. The tripping of the RCPs does have a positive effect on the transient in that the RCS pressure is reduced when the RCPs trip. This effect is not very large compared to the effect of cooling the RCS with the intact steam generator or adding RCS inventory with the CVS.

The opening of the CMT isolation valves causes the CMT water to recirculate, thus injecting boron into the RCS, but the reactor is already shut down and this will have little effect.

Thus, the SGTR can be terminated through the use of nonsafety-related systems.

f. The PRA models are based upon the responses indicated by the ERGs. The procedures in the SGTR section, AE-3, that discuss the isolation of the CMTs and the restart of the RCPs are at the end of the guideline. The context of the guideline at that point is that the event is terminated and it may be possible to isolate the CMTs and restart the RCPs. The guideline calls for certain conditions to be met before these actions are performed.

g. The simultaneous rupture of multiple steam generator tubes is not credible, thus it is not modeled in the PRA.

The initiating event frequency for SGTR is 5.2E-3. The core damage contribution from SGTR in revision 7 of the PRA is 6.1E-9. The initiating event frequency for the simultaneous rupture of two tubes would be the square of this, or 2.7E-5. The response times of the safety systems would not change with the simultaneous rupture of two tubes. As discussed in the PRA Section 6, the operator action times used for the rupture of one tube are already conservative; it is not expected that they would require further revision to model the rupture of two tubes. Also, the operator actions of concern are usually modeled as a backup to the automatic actuation of a particular system. Thus, it would be expected that the core damage contribution from multiple SGTRs would be at least two orders of magnitude smaller than the contribution from a single SGTR. This is not significant to the PRA results.

The statement, "Analyses show that no overfilling occurs...if multiple tubes have ruptured in the steam generator," is referring to analyses done to better understand the effects of multiple tube ruptures as part of the design process. The performance of the analyses does not make the simultaneous rupture of multiple steam generator tubes more probable. The analyses did show that the plant systems can effectively mitigate the effects of multiple steam generator tube ruptures.

h. The modeling of a SGTR coincident with a loss of offsite power is done as a "consequential SGTR" in the event tree LOSP. Node SLSOV in the LOSP event tree models a stuck open secondary side relief valve. If this occurs, the end state is SLB-V, indicating the event continues with the SLB-V event tree, the event tree for a stuck open secondary side safety valve. In the SLB-V event tree, the top node NSGTR models a consequential SGTR. If the consequential tube rupture occurs, the event continues in the SGTRC event tree, where the safety systems' response to the SGTR is modeled. Thus, the SGTR coincident with a loss of offsite power is modeled in the PRA. In fact, the possibility for a consequential SGTR is modeled in several sequences, as can be seen by looking for sequences similar to the one described for the loss of offsite power in the event trees.


Question: 720.327 Follow-on RAI related to DSER Open Item 19.1.3.1-1.

In a previous RAI Westinghouse was asked to evaluate the impact of several issues raised by the staff on the estimated PRHR tube rupture frequency. The staff reviewed Westinghouse's response and identified the need for the following additional information:

a. It is stated that "The Technical Specifications will allow plant operation with a small PRHR HX leak and will require that the plant be shutdown before a PRHR HX leak could degrade into a tube rupture." What are the criteria (and supporting analyses) that Westinghouse is proposing to use in deciding when to shut the plant down before a PRHR HX leak could degrade into a tube rupture? Do these criteria take into account the much higher stresses that would be established in the PRHR HX tubes in case of an accident that requires the PRHR to operate? These higher stresses could cause the pre-existing defect (which causes the leak) to reach its "critical" size and become a rupture, thus adversely affecting the availability of the PRHR when demanded to operate to mitigate an accident. Please explain.
b. According to Revision 4 of the SSAR (see pp. 16.1-459 through 16.1-465), it appears that the plant will be allowed to operate for an as-yet unspecified period of time even if the PRHR is declared inoperable. The implication of Action D.2, p. 16.1-464, is that this period of time may be indefinite if it is verified that the startup feedwater system (SFWS), in addition to the steam generators, is operable. Please clarify. If the Technical Specifications allow for T/M unavailability of the PRHR due to leaks, such unavailability should be included in the fault tree model.
c. Although several design features which reduce the likelihood of primary side corrosion are listed, none address the issue of secondary side corrosion which could accelerate under stagnant conditions by allowing local concentrations of ions or oxygen. Please list (with adequate explanation) the AP600 design and operational features that aim at preventing secondary side corrosion (e.g., how is proper chemistry ensured?). How do such features compare to features used to prevent secondary side corrosion in steam generator tubes?
d. Item (e) of Westinghouse's response lists several PRHR HX leak detection features. Please clarify the location of the pressure transmitter, its function and the type of information it provides about the leak.

Also, please provide documentation showing that the RCS leak detection instruments stated in your response (i.e., containment sump level, containment radiation, and RCS mass balance) can be used to quantify reliably small leaks, such as those that would be allowed by your proposed technical specification.

e. Westinghouse argues that choosing a PRHR HX tube rupture event frequency of 5E-4/yr (a factor of 10 lower than the EPRI PRA KAG-recommended ALWR SGTR frequency of 5E-3/yr) is conservative. Some of these arguments seem to be valid. However, it is not clear that a factor of 10 reduction is justified, let alone conservative. One could attempt to rationalize the factor of 10 reduction by looking at the SGTR events that have occurred and screening out those events that are not applicable to the PRHR HX tubes.

Due to these uncertainties in the assumed PRHR HX tube rupture frequency, please evaluate the sensitivity of PRA results to the PRHR HX tube rupture initiating event frequency and report the results in Chapter 59 of the PRA (Results and Insights).

f. One of the arguments used to show that the PRHR HX tube rupture frequency is smaller than the frequency of SG tube ruptures, item (c), is that the primary side water has low oxygen content while the secondary side is "not really stagnant" and its temperature is normally low. Although the lower oxygen content and low water temperature of the primary side do greatly reduce the problem of primary water stress corrosion cracking (PWSCC), it is less clear that the argument holds for the outside diameter stress corrosion cracking (ODSCC). The data for low temperature behavior of Alloy 690TT exposed to secondary water chemistry and crevice conditions are very limited or nonexistent. It is not clear what Westinghouse is referring to regarding the statement that the secondary side is "not really stagnant." Is there a circulating pump? If so, is the operation of this pump necessary to reduce the likelihood of corrosion on the secondary side of the tubes? Please explain.

Response

a. The criteria to be used in determining when to shut down the plant given a leak from the PRHR heat exchanger will be that specified in the Technical Specifications (Tech Specs) for an RCS leak (LCO 3.4.8), 500 gallons/day. If the leak proves to be greater than these criteria, or increasing in magnitude, the operators will follow the guidance in the Tech Specs, and shut the plant down.

The PRHR heat exchanger has many tubes in it. If a leak developed in 1 or 2 tubes and it was smaller than discussed above, there would still be sufficient capacity in the heat exchanger to allow the PRHR to perform its function of adequately removing decay heat should it be called upon to do so. Thus, the function of the PRHR would not be impaired by a credible leak in 1 or more heat exchanger tubes.

Multiple undetected or multiple simultaneous ruptures of tubes in the heat exchanger are even less probable than would be the case for a steam generator tube rupture (SGTR), and are incredible. Put another way, the probability of a sufficient number of tubes rupturing such that the function of the PRHR is impaired is significantly less than the probability of multiple, simultaneous SGTRs. A comparison of the conditions experienced by the PRHR heat exchanger to those that are experienced by the tubes in the steam generators is presented in Table 720.327-1. This table shows that the PRHR heat exchanger tubes will be in an environment which is much less likely to cause defects than is the case for steam generators.


The PRHR tubes are at the pressure of the RCS. In the unlikely event of the development of a defect that could lead to a tube rupture, the rupture is most likely to occur during power operation. In this case, as discussed above, the Tech Spec leak rate would apply and the plant would be shut down if the leak from the tube was significant. The development of multiple defects which could cause a simultaneous rupture of multiple tubes in the heat exchanger just at the moment when the PRHR is called upon to operate is not credible. As discussed earlier, the probability of multiple ruptures is very small. The probability of multiple ruptures occurring in conjunction with an event where the PRHR is needed is even smaller, and is not significant.


Table 720.327-1

PRHR HX tubes | Current Generation Steam Generator Tubes

No RCS flow during normal operations (not subject to denting and mechanical forces due to the flow, which are the major causes of defects) | Full RCS flow during normal operation

Essentially no temperature gradient across the tubes during normal operation (no high thermal stresses) | Full primary/secondary temperature gradient across the tubes during normal operation

Primary side water on tube side (low halogen, low oxygen, etc.) | Primary side water on tube side (low halogen, low oxygen, etc.)

IRWST water on shell side of the heat exchanger | Secondary side water on shell side of heat exchanger. The purity and chemistry is comparable to the IRWST water.

Tube wall thickness is greater than is seen in current generation steam generators | Tube wall thickness is less than is designed for the AP600 PRHR HX

It is apparent that the PRHR heat exchanger tubes see an environment that is significantly less antagonistic with respect to corrosion, mechanical forces, and temperature extremes. Thus, it is expected that the development of defects in the PRHR HX tubes will be considerably less than is seen in current generation steam generators.

The PRA assumes that the rate of defect development in the PRHR HX tubes will be the same as with current generation steam generator tubes. Therefore, the PRA uses a PRHR tube rupture frequency that is higher than it is expected to be in the AP600 PRHR, and overstates the AP600 tube rupture frequency.

b. The SSAR revision 9 (dated 8/9/96) sets specific time limits for the unavailability of the PRHR.

The PRA models for the PRHR do include allowances for test and maintenance unavailability in the fault tree models. This is described in Chapter 8 of the PRA.

c. One of the primary catalysts for corrosion in heat exchanger tubes, such as in steam generators, is the presence of a large heat flux and extended periods of boiling. The long periods of boiling with the high heat flux cause a concentration of corrosive elements, such as oxygen ions, in "crevices" in the heat exchanger.

The purpose of the PRHR heat exchanger is not to produce steam. Its function is to cool the RCS when needed.

This function is performed only in the unlikely event of a transient where the PRHR is required. The operators are expected to utilize the other, active, plant systems, such as SFW, to cool the plant when those systems are available. Thus, the PRHR heat exchanger will be subject to boiling for only a very short period of time (relative to the time of plant operation), if ever. The PRHR heat exchanger will not be subjected to long periods (such as the time of operation) of boiling with high heat flux which could cause a concentration of corrosive elements on the tubes. This will preclude the formation of the type of secondary side corrosion seen in current generation steam generators.

The design and operational features that will make the PRHR environment less antagonistic to corrosion, compared with what is seen in current generation steam generators, are presented in Table 720.327-1.

d. The pressure transmitter is located in the cold water trapped portion of the PRHR inlet line. The P&ID of the PXS is in SSAR section 6.3. That drawing shows F1065 and TE063. These two instruments are located on the part of the PRHR heat exchanger inlet line which is sloped down (notes 3 and 16 on the drawing discuss the sloping of the inlet valve), thus trapping the colder water in the location of these instruments. If the temperature transmitter shows an increase in temperature, it could be due to a leak in the PRHR heat exchanger.

If the pressure transmitter shows a drop in pressure after the PRHR heat exchanger inlet line valve is closed, this could also indicate a leak in the heat exchanger. An RCS mass balance will show if there is a leak through the PRHR heat exchanger tubes (and out of the RCS) or only through the isolation valve (returning the flow to the RCS).

Leak detection in the RCS, which includes the PRHR heat exchanger, is discussed in SSAR section 5.2.5. That section of the SSAR discusses the RCS mass balance which will be used to determine leak rates of the size discussed in the Technical Specifications.

e. PRA Chapter 50, Importance and Sensitivity Analysis, shows the PRHR Heat Exchanger tube rupture initiating event, IEV-PRSTR, is ranked first using the risk decrease measure (Table 50-14). It contributes 5.6E-10, or 0.33%, to the core damage frequency of 1.7E-07/yr. This initiating event is ranked ninth in Table 50-2, "Conditional Core Damage Ranking of Initiating Events."

If the IEV-PRSTR initiating event frequency were larger by a factor of 10 (i.e., 2.5E-03/year), it would add approximately 6E-09 to the core damage frequency (CDF), or about 4%. This is not a significant contribution to the CDF.

f. There is not a circulating pump inside the IRWST, and such a pump is not necessary to reduce the likelihood of corrosion in the PRHR heat exchanger.

The IRWST water is "clean" water in that it is purified and cleaned before it is stored in the IRWST. The water chemistry of the IRWST is controlled, and on a monthly basis the water in the IRWST is tested. This requires that some of the water be circulated with the spent fuel pool pump and tested. Thus, the water in the IRWST is not "stagnant." Also, at every refueling, the water in the IRWST is used to flood the refueling cavity. Since this water enters the RCS, IRWST water chemistry is controlled to standards which are similar to those of the RCS. The water chemistry standards of the RCS are discussed in SSAR section 5.2. These standards are designed to reduce the potential for corrosion in the IRWST, including the PRHR heat exchanger tubes.

As discussed earlier, the PRHR heat exchanger tubes are not subjected to conditions similar to "secondary water chemistry and crevice conditions." Most notably, there is no large heat flux through the PRHR heat exchanger during plant operations. Thus, a comparison to those conditions is not relevant.

Question: 720.328 Follow-on RAI related to DSER Open Item 19.1.3.1-2.

Westinghouse's response to RAI #2, related to this open item, did not address the question. The question was: "The staff was unable to find in the revised PRA submittal a description of the analysis with enough details to understand how the contributions to intermediate, medium and large LOCA, reported in Section 3.5.3, were calculated. Please provide a clear description of the analysis (including assumptions, data and associated bases) used to calculate ADS spurious actuation frequencies and their contributions to the various LOCA initiating event frequencies." Please explain how the methodology, given in Section 26.5.3, for calculating the frequency of spurious ADS actuation from a 2 out of 2 signal train applies to the fault tree ADS-IC83 which uses a 2 out of 4 logic.

Response

The discussion in section 26.5.3 of the PRA is not limited to a 2-of-2 logic. The discussion there centers on the derivation of the parameters needed to model multiple failures, such as those required to cause a spurious actuation of the ADS from two actuation channels. At least 2 channels must fail to cause a spurious actuation of the ADS.

The discussion in section 26.5.3 is about the ANDing of the failures of 2 channels that must fail in the same time frame to cause a spurious actuation. It does not restrict the 2 failed channels to a set of channels of any particular size. That is, the set of channels in the discussion could be 2 channels out of 4, or 2 channels out of 3, or any other set size. For the ADS actuation, there are 4 channels used for control, as described in the SSAR. Thus, the fault tree ADS-IC83 models 2 failures out of 4 channels.

The fault tree models combinations of 2 failures of signals which could cause an ADS actuation. These include signals from the 4 channels of the CMT level, as well as others. If 2 channels produce a spurious signal within the same time frame, then actuation of the ADS is possible. In order to model this correctly in the fault trees, a value of 2R (R = repair time) is used as the mission time, T, in the fault trees. After the fault trees are quantified, the cutsets are reviewed and the appropriate cutsets are multiplied by the factor of T/2R. This is discussed in section 26.5.3 of the PRA. This provides the correct modeling of the requirement of 2 failures out of the 4 channels available.

The assumptions and bases implied in the model for spurious actuation of the ADS include:

  • The failures can be modeled as λT;
  • It is possible to have a failure that creates spurious signals in the instrument and control systems; and
  • The ADS is designed such that 2 separate signals are required to open an ADS valve, as discussed in the AP600 SSAR.

No data is needed for the theoretical description of how 2 failures in the same time frame can be quantified in section 26.5.3.

There is a typographical error on page 3-8 of the PRA. The yearly frequencies of the spurious actuation of the ADS are given in Table 3-3 in Chapter 3, not in Appendix 32B.

On page 26-24, the last sentence of section 26.5.3 should read, "...which is then converted to a failure rate per mission time, T, giving the number of spurious ADS events per year which could cause a large LOCA as 5.4E-5 events/year. The number of spurious ADS events which could lead to an intermediate and medium LOCA are 1.8E-Wyear and 1.1E-8/year, respectively." These are the same numbers that appear in Table 3-3.

As discussed in the response to the previous RAI, the frequencies of large, medium, and intermediate LOCA events for spurious ADS actuations are calculated in Chapter 3. The method used to calculate the portion of those events caused by the instrument and control systems is as follows:

  • Determine the different ways the systems could produce spurious signals in the proper channels and determine which type of LOCA could be caused by each way;
  • Inspect the cutsets of the ADS-IC83 fault tree and assign each cutset to the appropriate LOCA category;
  • Sum the cutsets for each LOCA category.

These are the numbers discussed above and presented in the PRA.
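As an added worked example (not Westinghouse's code or data) of the 2R mission-time quantification and the three-step cutset-by-LOCA-category summation described above, the following script quantifies every 2-channel cutset with mission time 2R, rescales by T/2R, and sums per LOCA category; the channel spurious-signal rate, repair time and cutset-to-category mapping are constructed for illustration, and the closed-form check shows why the 2R trick reproduces the rate of two failures overlapping within R.

```python
"""Spurious-ADS-actuation frequency for a 2-of-N signal logic using the
2R mission-time method. Added example; all inputs below are constructed."""
from itertools import combinations

HOURS_PER_YEAR = 8760.0  # exposure time T over which yearly frequencies are counted


def channel_unavailability(lam, mission_time):
    """Basic-event probability lambda*T (rare-event approximation) that one
    channel has produced a spurious signal at some point within mission_time."""
    return lam * mission_time


def quantify_two_channel_cutsets(channels, lam, repair_time):
    """Quantify every 2-channel AND cutset with a mission time of 2R.

    Two spurious signals only actuate the ADS if the second arrives while the
    first is still present, i.e. within the repair time R. Quantifying with a
    mission time of 2R gives each 2-channel cutset the probability (lam*2R)^2.
    The channel set can be any size (2 of 2, 2 of 3, 2 of 4, ...).
    """
    q = channel_unavailability(lam, 2.0 * repair_time)
    return {pair: q * q for pair in combinations(channels, 2)}


def convert_to_annual_frequency(cutset_probs, repair_time, exposure_time=HOURS_PER_YEAR):
    """Apply the T/2R factor to each 2-failure cutset to obtain events per year."""
    factor = exposure_time / (2.0 * repair_time)
    return {pair: p * factor for pair, p in cutset_probs.items()}


def sum_by_loca_category(cutset_freqs, category_of):
    """Assign each cutset to the LOCA size it would cause and sum per category."""
    totals = {}
    for pair, freq in cutset_freqs.items():
        category = category_of[pair]
        totals[category] = totals.get(category, 0.0) + freq
    return totals


def direct_pair_rate_per_year(lam, repair_time, exposure_time=HOURS_PER_YEAR):
    """Closed-form check for one pair: either channel fails first (rate 2*lam)
    and the other follows within R (probability lam*R), i.e. 2*lam^2*R per hour.
    (lam*2R)^2 * T/(2R) reduces to the same 2*lam^2*R*T, so the 2R method is
    exact to first order."""
    return 2.0 * lam * lam * repair_time * exposure_time


# Constructed inputs (hypothetical, not AP600 data).
CHANNELS = ["A", "B", "C", "D"]  # 4 level channels feeding a 2-of-4 logic
SPURIOUS_RATE = 1.0e-5           # spurious signals per channel-hour
REPAIR_TIME = 24.0               # hours a spurious signal persists before repair
# LOCA size each 2-channel combination would produce (constructed mapping; in
# the PRA this comes from inspecting the ADS-IC83 cutsets).
LOCA_CATEGORY = {
    ("A", "B"): "large", ("A", "C"): "large", ("A", "D"): "large",
    ("B", "C"): "intermediate", ("B", "D"): "intermediate",
    ("C", "D"): "medium",
}


def example():
    """Run the three-step procedure on the constructed inputs and return the
    yearly spurious-ADS frequency per LOCA category."""
    probs = quantify_two_channel_cutsets(CHANNELS, SPURIOUS_RATE, REPAIR_TIME)
    freqs = convert_to_annual_frequency(probs, REPAIR_TIME)
    return sum_by_loca_category(freqs, LOCA_CATEGORY)


if __name__ == "__main__":
    for category, freq in sorted(example().items()):
        print(f"{category:>12} LOCA: {freq:.3e} spurious ADS events/year")
```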

Question: 720.329 Follow-on RAI related to DSER Open Item 19.1.3.1-4.

DSER Open Item 19.1.3-4 concerns LOCA sequences with impaired containment. These sequences (leading to endstate #2) were not quantified in Revision 0 (pre-DSER) of the PRA. The staff requested Westinghouse to either modify the event trees by modeling recovery actions or count these sequences as leading to core damage with open containment. Westinghouse responded by removing the top event CI (containment not impaired) from the event trees in the revised PRA. According to Westinghouse, top event CI is not needed because analyses show that sufficient water for long-term recirculation cooling of the core is available for at least 2.7 days when containment isolation fails. Westinghouse argued that the use of a 24 hour mission time for long-term cooling was adequate for all accident scenarios.

In a follow-up RAI the staff asked Westinghouse to either show (e.g., through a bounding analysis) that the residual risk (beyond 24 hours) is not significant or extend the event tree models beyond 24 hours (to a point in time where it can be argued that the residual risk is not significant). Although statements made in Westinghouse's response to the follow-up RAI seem to agree with the staff regarding the need to look beyond 24 hours (e.g., "core damage is assumed... if core damage is anticipated following 24 hours without further system or operator action"), the residual risk issue was not addressed. If long-term cooling must continue (e.g., beyond the estimated 2.7 days), what actions are needed to be performed by the operator and what systems must be available to perform these actions? How important are such actions and systems to plant risk? Please provide documentation, including important assumptions.

Response

There are two types of scenarios to consider regarding long term cooling in an event with impaired containment: one with long term cooling by the normal active systems and the other with long term cooling by the passive systems.

As discussed in the response to the previous RAI, for those success sequences where long term cooling is provided by a pumped system, such as RNS or MFW, the residual risk is negligible. These systems are redundant and are backed up by the passive systems. The residual risk in this type of situation is comparable to what would be seen in a severe accident in a current generation plant or an evolutionary plant in a similar situation. For those plants, the NRC staff has already accepted the "residual risk." The passive system backup of the pumped systems would provide an additional level of defense, further reducing the "residual risk" to the plant below what has already been accepted by the NRC staff. This statement assumes that the plant operators will continue to operate the plant according to the emergency response guidelines supplemented by the technical support teams, the state emergency response teams, and other people who will be actively concerned about the state of the plant after a severe accident.

These actions and systems are not important to the plant risk beyond what has already been quantified in the PRA.

For those few success sequences where long term cooling is provided through passive recirculation from the containment sump, AND the containment is not isolated, the sump water will eventually need to be replenished.

In any case, this will not be needed for at least 72 hours, or 3 days, after the accident. As has been discussed with the staff previously, the addition of water to the sump is a simple matter, requiring only commonly available equipment, such as a pump. The long time available to set up this equipment, the number of people that would be concerned about this equipment, and the simplicity of the actions, make the potential for failure of this procedure negligibly small. It is also reasonable to assume that the plant pumped systems (RNS, SFW, etc.) would be made functional before the end of 3 days, further reducing the risk. These actions and systems are not important to the plant risk beyond what has already been quantified in the PRA.

720.329-1 Westinghouse

NRC REQUEST FOR ADDITIONAL INFORMATION

An assumption made in this statement is that the plant operators, staff, technical support staff, state emergency workers, and other people involved with the emergency response will not ignore the problem. It is expected that there will be many people actively working to ensure that the plant is maintained in a safe, stable state. This will include doing what is necessary to locate equipment, keep equipment running, and replacing consumable materials as needed. It is not reasonable to assume otherwise.

In summary, the AP600 design provides for relatively simple actions to maintain the plant in a safe, stable state after a severe accident. These actions have a negligible importance to the plant risk because they affect sequences with a small probability of occurrence, and the actions themselves have a small probability of failure. The "residual risk" to the AP600 beyond the 3 days comes from:

+ success sequences where long term cooling is provided by pumped systems, or
+ success sequences where long term cooling is provided by passive recirculation AND containment isolation is failed.

The passive systems back up the redundant pumped systems, further reducing the risk in the first situation. The passive recirculation can provide cooling indefinitely with the addition of water that may be lost through the containment building, although the pumped systems are expected to be functional before the sump water level becomes a problem. These actions and systems are not important to the plant risk beyond what has already been quantified in the PRA. This level of "residual risk" beyond that quantified in the PRA is comparable to the "residual risk" in current generation plants and evolutionary plants in similar situations. This "residual risk" has already been found acceptable by the NRC staff.


Question: 720.330 Follow-on RAI related to DSER Open Item 19.1.3.1-6.

DSER Open Item 19.1.3-6 concerns the mission time (assumed to be 24 hours) for long-term cooling in sequences such as those where the reactor is initially maintained at high pressure (i.e., non-LOCA sequences with the start-up feedwater or the passive RHR available). Examples are:

a. Sequences ending with startup feedwater system operating: Operator action is needed to replenish the condensate storage tank (CST).
b. Sequences ending with passive RHR operating: The IRWST water starts boiling (Westinghouse analyses show that it reaches saturation in about one to two hours). If the evaporated IRWST inventory does not return to the IRWST, which is probable, the heat exchanger will be uncovered at some time (estimated by Westinghouse to be beyond 24 hours) and the IRWST inventory must be replenished or the plant must be depressurized to continue core cooling by recirculation. What actions are needed to be performed by the operator to bring the plant to cold shutdown conditions and what systems must be available to perform these actions? How important are such actions and systems to plant risk? Please provide documentation, including important assumptions.


Response

a. As discussed in the PRA success criteria, the plant is brought to a safe shutdown condition. That is, for most of these events, the plant does not go to cold shutdown; the problem is fixed and the plant then goes back up to power operation.

If the plant is shut down with the startup feedwater system (SFW) providing cooling, the CST may eventually have to be refilled. As with current plants, the plant operators will have the ability to refill the CST through the usual methods, which will require a pump and the power to operate the pump. This is similar to the situation with current generation plants and the evolutionary plants. The "residual risk" from such an action has already been accepted by the NRC for those plants. The only assumption behind this action is that the plant operators, staff, technical support staff, state emergency workers, and other people involved with the emergency response will not ignore the problem. That is, the operators and the people providing support to them will continue to follow the emergency response guidelines, and will do whatever is needed to ensure the plant remains in a safe, stable state. It is not reasonable to assume otherwise.

The operators can use the PRHR and IRWST if the CST is not refilled. It is necessary to open the PRHR isolation valve to use the PRHR. This is a simple action, and is not important relative to the plant risk which has already been quantified in the PRA. This further reduces the "residual risk" to something smaller than that seen in current generation plants or the evolutionary plants. That "residual risk" has already been found to be acceptable by the NRC for the current generation plants.

If the CST is not refilled, the PRHR will be able to provide cooling. In contrast to what was written in the RAI, it is more probable that the condensate from boiling in the IRWST will return to the IRWST. The failure of the gutter system, a passive channel system, is not very likely. It is less probable that the condensate will not return to the IRWST and will go to the containment sump. Thus, the PRHR will be able to provide cooling without any additional actions for at least several days.

If the condensate does eventually end up in the sump, then the operators have the ability to use passive recirculation through the sump. If it is necessary to add water to the containment sump, the actions are relatively simple and utilize commonly available equipment. The long time available to set up this equipment, the number of people that would be concerned about this equipment, and the simplicity of the actions, make the potential for failure of this procedure negligibly small. The "residual risk" from this action is not important to the plant risk already calculated in the PRA.

Note that the RNS would be used as the first line of defense once SFW cools the plant to less than or equal to 350 F. At that point, the CST need not be refilled, since steaming stops due to subcooling of the RCS; however, CCS and SWS are still needed.

b. If the situation is that PRHR is being used to provide plant cool down, boiling in the IRWST will start in several hours after the plant shutdown. Although it is more probable that the condensate will return to the IRWST than not, it is possible that some condensate could escape out of a failed containment. (Such a situation is a low probability sequence compared to the quantified PRA risk.)

Extended PRHR heat exchanger operation during non-LOCA events and SGTR events can be accommodated in several different ways, including:

1. The SFW pumps can be recovered and the PRHR heat exchanger isolated.
2. The RNS can be aligned to cool the IRWST during PRHR heat exchanger operation. The RNS along with the CCS and SWS are capable of suppressing steaming in the IRWST. Containment isolation is not necessary. This mode of operation has not been modeled in the PRA.
3. The PRHR heat exchanger can operate indefinitely if the containment is isolated and the gutter return valves operate. In this case, the IRWST steams to the containment, the steam is condensed on the containment shell, and the condensate is collected. In this case, the ADS actuation on timers at 22 hours is blocked. This blocking of ADS will be allowed by procedure based on plant conditions (Pzr level, CMT level, etc).
4. If options 1, 2, 3 do not initially work, the PRHR heat exchanger can provide decay heat removal for at least 3 days. During this time, steam that leaves the IRWST is assumed to not return to the IRWST. The 3 days can be extended by providing makeup to the IRWST as discussed in the response to RAI 720.331. This mode of operation provides ample time to recover options 1, 2, or 3.
5. As a final backup to the above, ADS can be actuated and passive feed and bleed core cooling established. This mode can be actuated manually at any time, including after ADS actuation on the timers is blocked. Containment isolation is required for long term operation in this mode.


The "residual risk" from the above is not important to the plant risk quantified in the PRA. The assumptions in this case are that the plant operators and the others concerned with a plant after a severe accident will continue to follow the emergency response guidelines and do what is needed to maintain the plant in a safe, stable state. This assumption is not important to any "residual risk."


Question: 720.331 Follow-on RAIs related to DSER Open Item 19.1.3.1-6.

Another example of sequences, categorized as successful in Revision 2 of the PRA, which need additional development or explanation are sequences with an open path outside containment (e.g., sequences initiated by a steam line break or a stuck open secondary side valve with consequential SGTR) and normal RHR available for long-term core cooling. These "success" sequences, as modeled in Rev 2, end with normal RHR operating. This scenario eventually requires replenishing the IRWST or sump inventory (because it is lost through the open path outside containment). This is true (although to a lesser extent) also in sequences when IRWST injection and passive sump recirculation is used instead of normal RHR. Can recirculation (either using the normal RHR pumps or by gravity) be established for long-term cooling when a considerable amount of inventory has been lost (and in some sequences continues to be lost during passive recirculation) through the open path to the atmosphere? What actions are needed to be performed by the operator and what systems must be available to perform these actions? How important are such actions and systems to plant risk? Please provide documentation, including important assumptions.


Response

The following scenarios would apply in the case of a SGTR event with partial ADS actuation and RNS operation (note that partial ADS actuation is needed for RNS operation; otherwise RNS will not be considered). Note that the mass loss through the SG tube at the reduced RCS pressures associated with partial ADS is small, which provides time (days) for the operator to take actions including jury-rigging onsite equipment and procuring offsite equipment.


1. RNS is operating with CCS/SWS cooling. In this case, the RCS water is subcooled and steaming does not occur. RCS pressure can be reduced to atmospheric and SG tube leak terminated. Continued makeup of RCS water inventory is not needed.
2. RNS is operating without CCS/SWS cooling. In this case, the RCS water continues steaming, and RCS makeup is needed. There are three ways to provide long term RCS water makeup.

a. CVS is designed to provide manual makeup to either IRWST, or CMTs (2), or Accumulators (2), through five connections, as well as directly to the RCS.
b. SFS (Spent Fuel Pool Cooling System) is capable of providing makeup to the IRWST from the spent fuel pool. The spent fuel pool normally receives makeup from the CVS. If the CVS is not available there are many ways to transfer water into the spent fuel pool using installed connections as well as jury-rigged connections.
c. RNS has flanged drain connections which can be connected to water sources outside of the containment. These connections are the same ones used to provide post 72-hour water supply to the RCS if other means fail. This water supply can come from the plant fire water system or from temporary connection such as a fire truck.

To summarize, there are numerous methods available to provide RCS makeup, if needed. If RCS makeup is needed for long term cooling, there is a large time window available to establish that makeup, and as a result, the probability of not establishing RCS makeup is considered to be negligible to overall plant risk.


Question: 720.332 Follow-on RAI related to DSER Open Item 19.1.3.1-10.

The staff requested Westinghouse to assess and document the applicability of generic failure data to the AP600 design. While check valves are not unique to the AP600, the conditions under which they will be operating in the plant are substantially different from those in current generation nuclear plants. The concern is that they will have to open on demand under very low differential pressures after long periods of being held closed by fluid at RCS temperature, pressure and chemistry. Westinghouse responded that this is not an issue anymore because some check valves in the IRWST injection line have been replaced with squib valves which "reduces the number of check valves and eliminates the high differential pressure normal operating environment that the valves in the IRWST injection and recirculation lines would experience in the previous design." However, Westinghouse's response does not fully address the fact that these valves will have to open on demand under very low differential pressures (because gravity is being used instead of pumps). Useful information could be obtained by looking at failure histories of check valves at operating nuclear power plants that must open on demand under small differential pressures, such as the check valves used as vacuum breakers at the turbine exhaust lines for BWR HPCI and RCIC systems (the lines that go from the turbine exhaust to the suppression pool). Please address this question in your next response. Also, as part of the insights section (Chapter 59), please include sensitivity studies that assess the impact of potentially higher failure rates for such check valves to risk.

Response

NPRDS data on failures of check valves, including those for BWR HPCI and RCIC systems, have been studied for applicability to the failure probability used in the AP600 PRA. The results have supported the failure probability, or an even smaller one, used in the AP600 PRA. A review of the BWR HPCI and RCIC systems check valves resulted in an hourly failure rate of 2.8E-07/hour. A review of PWR check valves resulted in an hourly failure rate of 6.2E-08/hour. These are approximately the same as the 2.0E-07/hour used in the AP600 PRA for the IRWST check valves.

Most of the check valves in the NPRDS data are designed to be leak free. They also are in a system which has a relatively high pressure (a large force) holding them closed. This type of design under such circumstances can produce a situation where a significant amount of force is required to open the valve. The gate and seat design for a check valve which is not supposed to leak when it is closed is different than for a check valve which is allowed to have small leakage, such as the IRWST check valves. For the IRWST check valves, a small amount of leakage is not a problem while they are closed, and they are not designed to be leak free while they are closed. This makes the valves less susceptible to binding or sticking when they are closed. Also, there is no pressure holding the IRWST check valves closed, so there is not a force to cause the disk to stick in the seat. Thus, because of the design of the IRWST check valves, the force required to open the valves will be what is available from the IRWST head, as required for the IRWST injection to be successful.


Also, a sensitivity study was performed to see the effect on the PRA results of changing the failure probability of the check valves used in the models. The results of this study are discussed on page 50-12 of the AP600 PRA, revision 8. They show that the PRA results would still show a low core damage frequency (compared to that of current generation plants or evolutionary plants) if the failure probability of the check valves was increased by a factor of 10. Potential insights about the important AP600 systems if the larger check valve failure probability were to be used would be the same as in the AP600 PRA.


Question: 720.333 Follow-on RAI related to DSER Open item 19.1.3.1-13.

The staff requested Westinghouse to explain why in calculating the common cause failure (CCF) probability of the IRWST injection line check valves, MGL factors from Revisions 5 and 6 of EPRI's Utility Requirements Document (URD) were used. A beta factor of 0.026 is recommended in Revisions 5 and 6 of the URD which is much lower than the value recommended in previous revisions of the URD (i.e., 0.17) as well as in previous PRAs (e.g., System 80+). Westinghouse responded that the reduced value of the beta factor for check valves reported in Revisions 5 and 6 of EPRI's URD, as compared to the value recommended in previous revisions of the URD, was due to better understanding of individual events involving failure of check valves at nuclear power plants. It is further stated in Westinghouse's response that "EPRI found no common cause failures to open of check valves (other than failure modes unique to testable check valves)." Please explain what you mean by "failure modes unique to testable check valves" and why such failure modes do not apply to check valves used in the AP600 design. An NRC-sponsored evaluation of LER and NPRDS events, which occurred between 1980 and 1993 at operating nuclear power plants, has found about twenty (20) events involving common cause failure of check valves. Such events should be reviewed for applicability to the AP600 design. Please state the AP600 design and operational features which ensure that such events cannot occur with AP600 check valves.

Response

"Failure modes unique to testable check valves" in the context of the SAROS letter quote provided in the RAI response refers to failures that occur in check valves constructed with special provisions (such as mechanical devices, levers, etc.) that allow for detailed testing methods. These valves are more complicated than the more common check valves such as those used in AP600. The AP600 check valves are not similar to "testable check valves," thus, failure modes unique to "testable check valves" are not applicable to AP600 check valves.

The AP600 check valves in the IRWST are safety-related components. Their design, procurement, and installation will be subject to rigorous review and testing, because they are safety-related. That is, it is not credible that the valves will not be able to provide the design flow rate, or that they will not be able to open under the design pressure differentials. This type of failure mode is not applicable to the AP600 IRWST check valves.

The RAI referred to 20 events found in the NPRDS data which discussed check valve failures. A copy of 8 of these events was provided (NRC letter dated May 7, 1996). A review of check valve data in NPRDS did not produce events that could be considered to be the other 12 events. It is assumed that the other 12 events referenced were represented by the 8 events provided. A review of the 8 events showed that the valves or the failure modes (or both) were not applicable to the AP600 IRWST valves. Thus, the set of 20 events is not applicable to the failure rate calculation of the IRWST check valves.

The NRC May 7, 1996 letter characterized the other 12 events (which were not presented) as "common cause failure" of the check valves due to improper maintenance, improper design, flow oscillation induced failure, concentrated boric acid solidification inside the valves, buildup of corrosion products resulting in the valves sticking closed, and low flow caused by binding of the flap in the valves. As stated above, improper design in the AP600 for safety-related components, such as the IRWST check valves of concern, can be precluded through the verification inherent in the design, procurement, and construction processes for safety-related components. The AP600 check valves of interest here will not be subject to flow oscillations, or the buildup of corrosion products in the valves because of the environment they will reside in, i.e., the IRWST injection lines separated from the RCS pressure by the squib valves. The solidification of boric acid inside the valves can occur in check valves which are exposed to an air environment on one side and a concentrated boric acid solution environment on the other. Such is not the case with the AP600 check valves in the IRWST. Improper maintenance is always possible, but the verification processes used for safety-related components make such a failure much less likely. The lessons learned from many years of reactor operation will also provide insights to the development of procedures that will make failures from improper maintenance less likely.

To see if data on the other 12 events could be found, additional reviews of the NPRDS data were made. These reviews included events between 1979 and 1993 at nuclear power plants, including BWR HPCI and RCIC system check valves. The data supported a failure rate that is the same as or smaller than that used in the AP600 PRA. The only failures that could be termed common cause events in this data set were those involving corrosion of carbon steel valves in a steam or dirty water environment. These are not applicable to the AP600 IRWST check valves because those valves are not carbon steel valves, and they will not reside in a dirty water environment.

No failures were found to support a larger failure probability or common cause MGL factor in the AP600 PRA.

If one were to (arbitrarily) assume additional failures, such that a larger failure probability would result, the results would be similar to that reported in the PRA sensitivity on the failure probability of the check valves. The results of this study are discussed on page 50-12 of the AP600 PRA, revision 8. They show that the PRA results would still show a low core damage frequency (compared to that of current generation plants or evolutionary plants) if the failure probability of the check valves was increased by a factor of 10. Potential insights about the important AP600 systems if the larger check valve failure probability were to be used would be the same as in the AP600 PRA.
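As an added illustration that is not part of the Westinghouse response, the beta-factor common cause model the RAI refers to (the URD beta of 0.026 versus the earlier 0.17) and the factor-of-10 sensitivity discussed above can be worked through in Python with the numbers quoted in these responses. The two-line redundant success logic and the use of the 24-hour mission time to turn the 2.0E-07/hour rate into a per-demand probability are assumptions of this example, not the AP600 PRA model.

```python
"""Beta-factor common cause model for a pair of redundant check valves.

Illustration only. The success logic (two redundant injection lines, either
one sufficient, each lost if its check valve fails to open) and the use of a
24-hour mission time to convert the hourly rate into a per-demand probability
are assumptions of this example, not the AP600 PRA model.
"""
import math

LAMBDA_IRWST_CV = 2.0e-7   # /hour, IRWST check valve rate quoted in the response
MISSION_HOURS = 24.0       # assumed mission time (the PRA's 24-hour mission time)
BETA_URD_REV5_6 = 0.026    # beta factor recommended in URD Revisions 5 and 6
BETA_URD_EARLIER = 0.17    # beta factor recommended in earlier URD revisions


def demand_failure_probability(rate_per_hour, mission_hours=MISSION_HOURS):
    """Unreliability of one valve over the mission time (exponential model)."""
    return 1.0 - math.exp(-rate_per_hour * mission_hours)


def split_by_beta(q_total, beta):
    """Split a component's total failure probability into its independent
    part and its common cause part under the beta-factor model."""
    return (1.0 - beta) * q_total, beta * q_total


def two_train_failure_probability(q_total, beta):
    """Probability that both redundant lines are lost: either both valves
    fail independently, or one common cause event takes out both."""
    q_ind, q_ccf = split_by_beta(q_total, beta)
    p_both_independent = q_ind * q_ind
    # rare-event sum; for these magnitudes it matches the exact union
    # to many digits and is a conservative (upper) estimate
    return p_both_independent + q_ccf


def sensitivity(q_total, beta, factor=10.0):
    """Ratio of the system failure probability after scaling the per-valve
    failure probability by `factor` to the base case. When the common cause
    term dominates, the system result scales almost linearly with `factor`."""
    base = two_train_failure_probability(q_total, beta)
    scaled = two_train_failure_probability(q_total * factor, beta)
    return scaled / base


if __name__ == "__main__":
    q = demand_failure_probability(LAMBDA_IRWST_CV)
    for beta in (BETA_URD_REV5_6, BETA_URD_EARLIER):
        p = two_train_failure_probability(q, beta)
        print(f"beta={beta}: P(both lines fail) = {p:.3e}")
    print(f"factor-of-10 sensitivity (beta={BETA_URD_REV5_6}): "
          f"{sensitivity(q, BETA_URD_REV5_6):.2f}")
```

With these inputs the common cause term, not the product of two independent failures, sets the system result, which is why the choice of beta matters far more than the independent rate and why a tenfold increase in the valve failure probability moves the system result by roughly the same factor.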

To summarize:

The AP600 check valves will be designed and tested to ensure that they function under the conditions for which they are designed. Experience gained from check valves used in current plants will be incorporated as applicable into the AP600 check valve design to further protect against potential failures. There is no data to support an assumption that the AP600 check valves design or function will be less reliable. The ability to include experience, including testing experience, from many years of plant operation into the design, construction, and maintenance of the AP600 check valves supports a potential for a higher reliability (lower failure probability) in the AP600 check valves, but no credit is taken for this in the PRA. The available data in NPRDS supports a failure probability which is the same as or smaller than the value used in the PRA. In addition, if the IRWST check valve reliability were to be worse by a factor of 10, the AP600 core damage frequency would still be very low and the insights presented in the AP600 PRA will not be different.


Page 4 November 27, 1996

Enclosure 2 to Westinghouse letter NSD-NRC-96-4895 November 27, 1996
