NSD-NRC-98-5581, Forwards W Response to FSER Open Item 720.434F Re AP600 Level 1 PRA Analysis.W Status Column Will Be Changed to Confirm W

From kanterella
(Redirected from NSD-NRC-98-5581)
Jump to navigation Jump to search
Forwards W Response to FSER Open Item 720.434F Re AP600 Level 1 PRA Analysis.W Status Column Will Be Changed to Confirm W
ML20203F203
Person / Time
Site: 05200003
Issue date: 02/23/1998
From: Mcintyre B
WESTINGHOUSE ELECTRIC COMPANY, DIV OF CBS CORP.
To: Quay T
NRC OFFICE OF INFORMATION RESOURCES MANAGEMENT (IRM)
References
NSD-NRC-98-5581, NUDOCS 9802270225
Download: ML20203F203 (60)


Text

{{#Wiki_filter:- - . - . . - - - . . - - - - _ - . - - - . . . - - - . - _ - - - - . - - . 4

o. T 4

~ Westingh0use _ - Energy Systems Bo 3 p 4 45 ,p ,,g , g 33.g333 Electric C0rporail0n i DCP/NRC1265 NSD-NRC-98 5581 Docket No.: 52-003

                    .                                                                                         February 23.1998 Document Control Desk U.S. Nuclear Regulatory Commission Washington, DC 20555 ATTENTION: T. R. QUAY l-SUIUECT:             AP600 RESPONSE TO FSER OPEN ITEM I

Dear Mr. Quay:

Enclosed with this letter is the revised Westinghouse response to FSER opea item 720.434F. This i open item pertainc to the AP600 Level 1 PRA Insights. The OITS numbcr associated with this open item is #6163. The Westinghouse status column in the OITS will be changed to " Confirm W." The , NRC should review the enclosure and inform Westinghouse of the status to be designated in the "NRC I Status" column of OITS. - Please contact Cynthia L. Ilaag on (412) 374-4277 if you have any questions concerning this transmittal. 2/),02Y w Ilrian A. McIntyre, Mana 'er Advanced Plant Safety and Licensing I jml Enclosure cc: J. Sebrosky, NRC (Enclosure) J. E. Lyons, NRC (Enclosure) 5 N. J. Liparulo, Westinghouse (w/o Enclosure) .- g p V L / W  ! 9802270225 990223 PDR ADOCK 05200003 E PDR g

4 Enclosure to Westinghouse Letter DCP/NRCl265 February 23,1998 I6)iGW%

NRC FSER OPEN ITEM L - Question: 720.434F (OITS #6163) Revision 1 As documented in a May 13,1997, rneetmg summary of an April 15, 1997, meeting, Westinghouse proposed that the staffs set of insights resulting from their review of the PRA be shared with Westinghouse. Unless Westinghouse determined that there was technically incorrect information in the staffs list there would be no new meetings or information transfer, and the staffs insights would be added to the Westinghouse insights. To that end Enclosure 2 [of NRC letter to Westmghouse dated November 7,1997] contains the staffs insights as a result of the review of the level 1 PRA. Enclosure 2 contains additional insights from those contained in Chapter 59 of Westinghouse's PRA. Incorporation of the additiona: msights that exist in Enclosure 2 to the Westinghouse insights is an open item.

Response

He NRC May 13,1997 letter summaruing the April 15,1997 PRA insights meeting states "Unless Westinghouse determined that there was technically incorrect information in the staffs [ insights] list, there would be no new meetings or information transfer. The staffs insiphts would be added to the AP600 Design Control Document." Westinghouse did not agree during the April 15 meeting to include the staffs insights into the Westinghouse AP600 PRA report, nor does the NRC May 13.1997 letter state the commitment. The NRC's PRA insights provided as Enclosure 2 of their November 7,1997 letter, will be included in the AP600 Design Control Document per the agreement on Apnl 15, and not duplicated in Chapter 59 of the AP600 PRA. Westinghouse did agree at the April 15, 1997 meeting to review the staffs insights for technical accuracy and

   , appropriateness. In that vein, attached is the Westinghouse feedback on the staff insights (see Attachment 720.434F-j   I). Note that much of what is provided in tne staffs insights is already provided in Table 59 29 of the AP600 PRA.

Westinghouse does agree to preside some additional insights into PRA Table 59 29 based on the staff insights. These are shown below. The wordinF of the staffs insights ser,us what is meluded within the AP600 Design Control Document will oc worked out with the staff prior to issi ance of the Design Control Document. PRA Revision: The R AP section in the SSAR has been moved to section 17.4, per request of NRC. As a resnit, when "SSAR 16.2" n named in the disposition column of PRA Table 59 29, it will be changed to "SSAR 17.4" Table 720.434F 1 provides a description of the changes that will be made to PP.A Table 59 29. Attachment 720.434F 2 provides a description of a change to PRA Appendix C, The-Mic ~ng ch: g:: " he -t * "RA Tab!c 59 29

     <     Unce i: m NADF+-

800g; 3, 2, ad ? '.Chri .70 ' -"k; l0-d:d ;;;;y # - - ' h CG!d ;b;.;'.dc r"; 720,434F(R1)-1

NRC FSER OPEN ITEM A If-RNS-is4mt during red seed inventery-renduiens-wuk-the-ree:: : =knnystem-epenra-ven+ path Iheeugh 4k+A US4th-stageiverquired Wpreelude the+eeurrence ef-surge linepending-end thereby not effect gravuy injection. -}detmtm&--PR A4unehmeM44R{ A US44k +tege squib + elves receives signal te+ pen during-shutdowneenduiens-using PhlS low-krodeg levellegier-{thymtton -4SAR-64}

      .-U+wlestem-1e4 PR HH e-Gopabd+ty-emt+ fe+4heemte rdioom4 petaue4+wlenu f y-*4eak-mahe- PR H R44 X-before4t r*+derviale-to a-t.ibeaupture-ituemp-a-wbs:quen:-de Jgn-bam*valenHDRAF TWPRHR HXcinenjunctionwukake4CSceanpromd+eere-eeelingfer-anindefinue-;>eried-ef-timer Aftes4kr4RWST-seter-reaekes-us-saturetien4emperature        r    the-p ::. =f:treming4e-threenteinment inuienese-Cenden+etion-verurs en :': : =teinment-vesselrand4keenden+ese-is-reHected-in-esefroy-related gutter errengemenMich +eturns :k: : =d:=see+ teskedR WSTr--The-guttennermou.nirein*4e ske-eenteinment-sumpchut-when4ke-PRHR-HK-actuates           r sefety-::k::d iselessen-velves-in-thegurter draindin++kut end-the gutter : :-p== :::==sMy-s*4k+4R WSTr-{dwpemtson =-SSAR44444]
       .---41mlet-ne++4H R NS H Planned mentenans+chhe RN&end unupport+ystems4CCSend6WSMperfoemed a: p :-::in#edes fr4rJdhemt;un = SSAR464}
       *-4 'mlestem-44 The-oper atiomef-R N&-em%uppewtytem HCC&r&W&rme++aep+*er-em64w:: ;= ::+-w-RTNS&-

empoetrM4*-4mtik.w+sleeay-heat-semoval-thering-fesheml-RCG--en nory oper*He*w-{SSAR-ithJ dwpev.*tton-*di-be-eekledi Opreshm+f RNS,during :: p==:r eenditienopt :id:: : .=ginfee lentocemeeting-T& H-uneertaintyr skers-term-availehdit.svnerelvef-the4tNSere-p:, vid:d. -{rktet;en = SSAR4k&}

        .-Umlestem44--mkb Topreventpendinginarad!"hgically::-' =!!:deree4RCMinthenusi!i=y hi! ding-f.. . ,, 7 geting to.-       :=di:':;i: !!y :- ' =!)ederees ekenen-RCAs-are::p==::df r                        :- the-RCA+by4*nd-3-fee ++ ells and-fleee-shy != z'di'u =, <4eetri::! p:netratiens-between-RCAs-end-non-RCA+-en-the-eu.siliary buii=g =: k::::d :h^ : the-maximum l4:2 !: :!. idwpc, m = ESAR-M-1-14-1)
             e-   acoHMak
                   ,-i
^f::j ^' h::d ;^u 5p.~ ~=.' 5sNetWeed-oussek&th: N;;'::: Notend. { W,f ^^ = E? ' R ? l-5k 720.434F(R1) 2 W

Westingtiouse

l , l Table 720.434F.I Modifications to AP600 PRA based Insights INSIGilT DISPOSITION lb ADS provides a safety-n ' 'ed means of depressurinng the RCS. Cert:0ed Design hiaterial The following are some important aspects of ADS as represented in the PRA: ADS has four stages. Each stage is arranged into two separate groups of Certified Design vahes and lines. Material

              -       Stages I,2, and 3 discharge frota the top of the pressuriier to the IRWST
              -       Stage 4 discharges from the hot leg to the RCS loop compartment.

Each stage I,2. and 3 line contams two motor operated valves (h10Vs). Certified Design Matenal Each stage 4 line contains an MOV valve and a squib vahe. Certified Design Matenal ne valve arrangement and positioning for each stage is designed to CSAR 6 3.2 reduce spunous actuation of ADS.

                -      Stage 1,2. and 3 MOVs are normally closed and have separate controls.
                -      Each stage 4 squib vahe has redundant, series controllers.
                -      Stage 4 i blocked from opening at high RCS pressures The ADS valves cre automatically and manually actuated via the                                          Certified Design protection ar.d safety monitonng system (PMS), and manually actuated via                               Matenal the diverse actuation system (DAS).

The ADS salves are powered from Class IE dc power. Certified Design Matenal The ADS sabe positions are indicated and alarmed m the control room. SSAR 6.3.7 Stage 1. 2. and 3 valves are stroke tested every hw+mb cold shutdown. , SSAR 3.9.6 Stage 4 squib salve actuators are tested escry 1 years for 20% of the s alves, if RNS is lost during reduced insentory conditions with the reactor PRA coolant system open, a sent path through the ADS 4th stage is Attachment 54B required to preclude the occurrence of surge line flooding and thereby not affect gravity injection. 720 434F(R I F3

      ~

Table 720 434lL1 Modifications to Al'MXI l'RA. based insights INSIGitT DISPOSITION lb (w nta ADS 4th stage squib salies reccine a algnal to open during shutdown SS A R 6.3 conditions using PNIS low hot leg leul logic. The reliability of the ADS is important. ' Die COL will maintain the reliabihty ShAR 17.4 of the ADS. ADS is required by the Technical Specifications to be available from power SSAR 16.1 conditmns down through re'ueling without the cauty thaled. States I,2 and 3. connetted to the top of the pressuriser, preside a sent SS A R 16.1 path to preclude pressurisation of the RCS during shutdown condittorts if decay heat remosal is lost. Depressuritation of the RCS through ADS minimites the potential for high- limergency pressure melt ejection esents. Response

                -    thedures will be prouded for use of the ADS for depreuutiration of the      Guidelines RCS after core uncosery
                'the ADS mitigates high preuure core damage egents which can produce large        PRA Chapter 36 uncertainties m containment mtegrity due to th, following sesere accident phenomena:

liigh preuure melt ejection

                 . Direct containment heatmg Induced steam generator tube rupture Indocad RCS piping rupture and rapid hydrogen release to containment a

7:0 434R RI F4

t . Table 7 0 434F 1 Modifications to Al'600 l'RA. based insights INSIGilT DISPOSITION Id IRWST subsptem proudes a safety ielated means of performing the following SSAR 6 3 functions:

             -    1.ow preuure safety injection following ADS actuation
             -    Long term core cooling via containment recite station Reactor vessel cooling through the flooding of the reactor cauty by draining the !RWST into the containment.

The following are some important accts of the IRWST subsptem as rtpresented in the pRA: IRWST subsptem has the following flowpaths: Certified Design

                  -      Two tredundant) injection lines from IRWST to reactor senet/DVI                                                                                                       Material nonle. Each hne is isolated with a parallel set of vahes; each set with a check salve in series with a squib vahe.

Two (redundant) recirculation lines from the containment to the IRWST injection line Each recirculation line has two paths: one path contains a squib vahe and a MOV the other path contains a squib sabe and a check vahe.

                  -      1he two MOV/ squib vahe lines aho provide the capabihty to flood the reactor cauty.

There are screens for cash IRWST injection hne and recirculation kne. Certified Design Material Squib vahes proude the pressure boundary and present the check salves SSAR 613 from normally seeing a high delta P. Squib sahes and MOVs are powered by Clau IE de power. Certified Design Material lhe squib sahes and MOVs for injection and recirculation are Certified Design automatically and manually actuated via PMS, and manu:41ty actuated via Material DAS-

                    'the squib vahes and MOVs for reactor cauty flooding are manually                                                                                                           Certified Design actuated ua PMS and DAS from the control room.                                                                                                                              Material Dnersity of the squib vahes in the injection hno and recirculation knes                                                                                                    SSAR 6 3.2 mmimites the potential for common cause failure between injection and recirculation / reactor cavity flooding.

Automatic IRWST injection at shutdown conditions is previded using SSAR 7.3.1 PMS low hot leg level logic. The positions of the squib valves and MOVs are indicated and alarmed in SSAR 6 3.7 the control room. 720134RRI b5

                                                .A
                                          . - - - _   _ _ _    _ - - - - - _ - - - . - _ ~ - - , , _ _ _ _ . , _ _ _ _ , , . - - _ , _ _ , _ _ _ _ , . , _ _ - , _ , , . , _ _ , _ _ , _ _ ___

Table 720.434F l 4 Modifications to AP600 PRA.hased insights INSIGitT DISPOSITION 4 ld. (cont.) lRWST injection and recirculation check vahen are esercised at each SSAP M 6 refueling. IRWST injection and recirculation squib valve actuators are j tested every 2 ) cars for 20% of the vahes. IRWST recirculation htOVs are stroke tested quarterly. the reliability of the IRWST subsystem is important. The COL will SSAR 17.4

            ,I                      maintain the reliability of the IRWST subsystem, including the IRWST i                       and containment recirculation screens.
 'I                                                                                                                                          I IRWST injection and recirculation are required by Technical Specifications SSAR 16.1                     !

to be available from power conditions to refuelic, without the casily ) Comled.

,                                  The operator action to Good the reactor cavity is determmed in Emergency    Emergency Response Guideline FR C.I. which instructs the operator to Good the        Response reactor cavity if injection to the RCS cannot be recoscred or containment  Guidelines radiation reaches a lesel that indicates Ossion product releases as determined by a core damage assessment guideline.

PXS recirculation sabes are automatically actuated by a low IRWST SSAR 6.3 level signal or manually from the control room,if automatic actuation falls, le. Passhe residual heat removal (PRHR) provides a safety related means of SSAR 6.3.1 &

performing the following functions: 6.3.3 Remoses core decay heat duttng accidents
                               -   Allows automatic termination of RCS leak during a steam generator tube rupture (SGTR) without ADS.
                               . Allows plant to ride out an ATWS esent without rod insertion.

l The following are some important aspects of the PRHR subsystem as l represented in the PRA: ! PRHR is actuated by opening redundant parallel air operated valves. SSAR 6.3.2 These air operated vahes open on loss of Class IE power, loss of air, or loss of the signal from PhiS. The PRHR air operated vabes are automatically actuated and manually Ce.tified Design actuated from the control room by either PhiS or DAS. hiaterial i Dnersity of the PRHR air operated vabes from the ChtT air operated SSAR 6.3.2 vahes minimites the probability for common cause failure of both PRHR and Ch1T air operated sahes. l l l l l 720.434F(R I) 6 l

l l Table 720 434F l Modifications la AP600 PRA.hawd Inughts INSIGitT DISPOSITION

Ic. (cont.)
1. cog term coohng of PRilR w 11 result in steaming to the containment. SSAR 6.3.1 &

The steam a tll normally con /me on the w. tainment shell and return to system drawings the IRWST. If the steam con'mation does not return to the IRWST. the i IMWST volume is sufficient for at least 72 hours of PRilR operatmn. ' I Connections are provided to IRWST from the spent fuel system ISFS) and chemical and volume control system (CVS) to ettend PRilR operation. A safety related makeup connection is also provided from outside the i containment through the normal residual heat removal systern (RNS) to the IRWST. I Capabihty esists and guidance is provided for the control room operator SSAR 6.3.3 & to identify a leak in the PRilR liX before it can degrade to a tube rupture 16.1  ; during a subsequent design basis assicent (DilA). 4 The positions of the s . and outlet PRilR valves are indicated and SSAR 6.3.7 alarmed in the contrc - n. f f PRilR air operated vain , are stroke tested quarterly. He PR}{R llX in SSAR 3.9.6 flow tested to detect system performance degradation. PRilR is required by the Technical Specifications tc, be available from SSAR 16.1 power conditions down through cold shutdown with RCS pressure boundary intact. The PRilR llX,in conjunction with the PCS, can proside core cooling SSAR 6.3.2.1.. for en indefinite period of time. After the IRWST water reaches its saturation temperature, the process of steaming to the containment

                                             . Initiales. Condensation occurs on the steel containment sessel, and the condensate is collected in a safety.related gutter arrangement which
returns the condensate to the IRWST. The gutter normally drains to

[ the containment sump, but uhen the PRHR llX sclustes, safety. related isolation salses in the gutter drain line shut and the gutter

oserflow returns directly to the IRWST. The following design 1 features preside proper re alignment to the gutter system valses to direct water to the IRWST

( . IRWST sutter and its isolati:.a valves are safety related

                                               .         valves that redirect the flow are designed to fall closed on loss of compressed air, loss of Class IE de power, or loss of the PMS signal
                                               .         Isolation vahes are actuated automatically by PMS and DAS.

The PRHR subsystem proindes a safety related means of remosing , decay heat following loss of RNS cooling during safe / cold shutdown with the RCS Intact. SSAR 16.1 j= l l l 720.434F(R 1) 7 [

Table 720 4'4F 1 j Modifications to Al'600 l'RA. based insights INSIGilT DISPOSITION

                   .L The dacrse actuation system (DAS) provides a nonsafet) related means of                Certificj Design performing the following functione                                                      hiatettai Initiates automatic and manual reactor trip Automatic and manual actuatmn of selected engineered safety features.

Diversity is auumed in the PRA that ehminates the potential for common cause failures between Ph15 and DAS.

                      -       The DAS au omatic actuation signals are pencrated ir a functmnally             Certified Design diverse rnanner from the Ph15 signals. Disersity between DAS and PhtS            hiaterial is achieved by the use of different architecture, different hardware implementatmns, and dif ferent sof tware.

DAS provides control room displays and fned position controls to allow the SSAR 7.7.1 operators to take manual actions, DAS actuates using 2 out of 2 logic. Actuation signals are output to the loads SS AR 7.7.1.11 in the form of normally de-energised, energire to actuate signals. The normally de energired output state, along with the dual 2 out of 2 redundancy, reduces the probahihty of inadsettent actuation 1hc actuatmn devices of DAS and Ph15 are capable of independent operation SSAR 7.7.111 that a not affected by the operation of the other. 'ihe DAS is designed to actuate components only in a manner that initiates the safety function. The DAS reactor trip function is to trip the control rods via the motor. SS AR 7.7.1.11 generator set. In the PRA it is auumed the following chniinates the potential for common cause failures between automatic and manual DAS functions. DAS manual initiation functions are implemented in a manner that Cenified Design bypanes the stFnal processing equipment of the DAS automatic logic. hiaterial The COL will maintain the reliability of the DAS. Including the blG set SSAR 17.4 hreakers. l { l 720 434RRI) 8

_ . _ ._ _ . . . ~ _ . . _ _ _ _ _ _. _ _ . _ _ _ , _ . _ _ _ . _ . _ . _ _ _ _ _ _ _ _ . . _ _ _ _ _ _ . lable720.434F 1 l Modifications to AP600 PRA based insights INSIGHT DISPOSITION 4

4 The plant control system (PLS) provides a nonsafety related means of SSAR 7.l.3 & f controlkng nonsafety related equipment. 7.1.1
                                                .      Automatic and manual control of nonsafety.related fumtions.
                                                                                                                                                                                                                                                            )

Imluding " defense in depth" systems.

 ,                                  !           .       Prosides control room Indicatlon for monitoring oserall plant and nonsafety.related sptem performance.

l PLS has redundancy to minimite plant transients. SSAR 7.7.1.12 i PLS provides capability for both automatic control and manual control. SSAR 7.1.3 Redundant signal selectors provide PLS with the ability to obtain inputs from SS AR 7.l.3.2 the integrated protection cabinets in the PMS. The signal selector function maintains the independence of the PLS and PMS. The signal selectors select those protection systern signals that represent the actual status of the plant and reject erroneous signals. PLS control functions aie distnbuted actms multiple distributed controllers so SSAR 7 l.3.1 l that single failures within a controller do not degrade the performance of ', control functions perfortned t other controllers. 1 l r d P 720.434F(R I b9 - 1

    ._--_.,._.,._____.,__._,..,.__,m...__.                         . _ _ , _ . . ,           , , . . . , , _ _ . . . , _ , _ .- ____,,,                     -- . . . _ . . . _ . , , , . , , . , . . _ , . . . _ _ _ . _ _ , _ . . , _ , . , . , . . . . _

1 Table 720 434F 1  ; I Modificatiorts to Al'600 l'l(A based insights 1 INSIGilT DISPOSITION  ;

6. The normal tridual heat removal sptem (RNS) provides a safety related Certified Design j

means of periorming the following functions: Material Containment nolatmn for the RNS l nes that penetrate the containment Isolatmn of the reactor coolant sptem at the RNS suction and dacharge knes

              !                              . I,ong term, post accident makeup of containtnent insentory.

RNS provides a nonsafety related means of core cooling through: SSAR 5.4.7 RCS tecirculation at shutdown conditions Low pressure pumped injection from the IRWST and long term pumped redculation from the containment. The RNS has redundant pumps and heat eschangers. Tne pumps are powered SSAR 5 4.7 & by non Clan lli power will backup connections from the diesel generators. M.) RNS is manually aligned from the control room to perform its core cooling SSAR 5 4.7 functmns. The performance of the RNS is indicated in the control room. The RNS containment notatmn and prenure boundary vahes are safety- Certified Design related. 'the motor operated valves are powered by Class IE de power. Material hom4ainmen4+ 4eemale mahe-RN& f,pennutomatiee4y-ekeia SKAR-L44 PMS-mih-*4 ugh-f*=hetam4g**h The RNS containment nolation MOVs are automatically and manually SSAR 7.31 actuated via pMS. Interfacing sptem lou of-coolant accident (LOCA) between the RNS and the SSAR 5 4.7.2.2 RCS is presented by:

                                            . Each RNS hne n nolated by at least three vahes The RNS equipment outside containment is capable of withstanding the operating pressure of the RCS.

The RCS nolation vahes are interlocked to prevent their opening at RCS preuures abose its design pressure. i l l l 720 434R R I)-10

j . l . Table 720 434F 1 Modifications to AP6M) I'RA. based insights INSIGilT DISPOSITION

6. (cont.)

CCS proudes coohng to the RNS heat eschanger. Certihed Design Material Planned maintenance affecting of the RNS cooling function and its support SSAR 16 3 splems CCS and SWS should be n performed in modes I,2 and 3, when the RNS is not normally operating.

9. The chemical and volume control system (CVS) provides a safety related Certified Design ,

means to terrmnate inadsettent RCS boron dilution. Material 1he CVS provides a nonsafety.related means to perform the following Certified Design functions: Material Makeup water to the RCS dunng normal plant operation

                  -      lloration following a failure of reactor trip
                  .      Coolant to the preuurver auuliary spray line.

Two makeup pumps are provided. Each pump provides capabihty for nr .nal SS AR 9 3.6.3.1 makeup. Two safety related air. operated salves preside isolation of normal CVS SS A R 9.3.6 letdown during shutdown operation on low hot ;cg lesel. . 10 1he operation of RNS and its support sptems (CCS, SWS, main ac power SS A R 16.3 and onsite power)is RTNSS.imlertant for shutdown decay heat remosal Junng reduced RCS insentory operations. Reliability of these sptems is cosered by the Reliability Anurance SSAR 17.4 Program (RAP) Operation of RNS during at. power conditions presides margin for long SSAR 16.3 term cooling T&ll uncertainty Short term atallability controis for the RNS during at power conditions reduces PRA uncertalntles. II. Open.iora remer-cr4 he-m pon*+b+ht y-of-4 he C4L--Weweerhosenptes SSAR I8 pemic44n-WGAP444 The information used by the COL regarding risk.important operator actions from the PRA, as presented in Chapter 18 of the SSAR on human factors engineering,is important in developing and implementing procedures, training, and other human tellability related programs.

12. Suf ficient instrumentation and control is prosided at the remote shutdown SSAR 7.4.3 workstation to bnng the plant to safe shutdown conditions in case the control room must be evacuated.

There are no differences between the main co mi room and remote SS A R 7.4.3.1.1  ; shutdown workstation controls and monitoring tnat would be expected to affect safety sptem redundancy and reliability. l 720 43419R1) I1

_.. ~. , - . . - . ~ . -. - . - --. - - . _ .__ _._-. - - _ - - _.. - - - 1 . 4 Table 720 434F l l Modifications to AP600 PRA. based insights INSIGitT  !)lSPOSITION

13. Separation or protection of the equipment and cabling among the densions of SS AR 3 4.1.1.2.

safety related equipment and separatica of safety.related from nonsafety. 9.5.1.2.1.1 & 9A related cyuipment minimites the probability that a Dre or dood would affect i more than one safety.telated system or train, escept in some arcan inside containment uhere equipment will be capable of achlesing safe shutdown prior to damage, i Although the containment is a single fire area, adequate design features SSAR 94 esist for separation (structural or space), suppresskm, lack of j combustibles, or operator action to ensure the plant can senlese safe d I a.hutdow n. l To prevent nooding in a radiologically controlled area (RCA)in the SSAR 3.4.1.2.2.2

                               .                  Ausillary fluilding from propagating to non radiologicaily controlled
                               !                  areas, the non RCAs are separated from the RCAs by 2. and 3 foot walls I                  and Door slabs. In addition, electrical penetrations between RCAs and non RCAs in the Ausillary llullding are located ahose the masimum
                               ,                  nood level.
14. The following minimites the probability for Dre and Good propagation from

! one area to another and helps limit risk from internal fires and Goods:

                                                  -    fire barriers are sealed, to the estent possible (i.e. doors) and Hood     SS Ag 3,4, g,l,2 &

i barriers are watertight. liach Ore door is alarmed and monitored in the 9.5.1.2.1.1 control room. i - Requirements for fire barrier and maintenance will be implemented in SSAR 9.5.l.8

Combined License apphcant programs.

l When a Ore door, fire barrier penetration, or nood barrier penetration SS AR 9.5.1.8 l must be open to allow specine maintenance actmties, additional compensatory measures are espected to be taken. Control of compensatory measures is a Combined License applicant item. W i I e 1 720.434F(R I)-12

  . _ - _ _ _ _ _ . . . _ . _ . _ _ _ _ _ . _                                                                                                             ~__, _ _ . _ .
              -                                                                                                                                           )

I Table 720 434F 1 Modifications to AP600 PRA.hased Insights 1 INSIGHT DISPOSITION 16 ApN10 main control room f re ignition frequency is limited as a result of the SSAR 7.1.2 &

use of low soltage, low currtnt equipment and fiber opue cables. 7.1.3 There is no cable spreading room In the AP600 deslan. SSAR Table 9.5.1 1 i 17. Redundancy n in control room operations is plosided within the control room SSAR 9.5.1.2.1.1 i itself for fires in which c(ntrol room evacuation is not required.
20. The main control room has its own ventilation system, and is pressurited. SSAR 9.4.1 1 This prevents smoke. hot gases, or fire suppressants orignatmg in areas outside the control room from entering the control room via the sentilation system.

l There are separate sentilation systems for each set of safety telated equipment SSAR 9.4.1 divisions (A & C and 11 & D). This prevents the possibihty that smoke, hot gases, or fire suppressants originating from a fire affecting one safety related I equipment set from affecting the other set. The sentilation splem for the remote shutdown workstauon is independent of SS \R 9 4.1 the sentilation sptem for the main control room.

             !                    Plant ventilawon sptems include features to present propagation of                    SSAR 9A l                    smoke from a nonsafety related area to a safety related area.
23. The Ap600 design minimites potential flooding sources in safety related SSAR 3.4.1 equipment areas. to the extent posuble. The design also minimites the number of penetrauons through enclosure or barrier walls below the probable maximum Good lesel. Walls, Ooors, and penetrations are designed to withstand the maximum anticipated hydrodynamic loads av.=:::d :th-e pyw4mbne 1
42. No safety related equipment is located outside the Nuclear Island. SSAR 3.4.1 2

i f i 1 720.434R R 1)-13

i .. j . Table 720.434F.I Modifications to AP640 PRA.hased insights INSIGilT DISPOSITION

44. A list of risk important a) stems, structures, and components (SScal has SSAR 17.4 been prosided in the D. RAP.

Combined Liceme applicant is respons'ble for performing the tasks SSAR 17.4 necessar) to maintain the reliability of risk significant SSCs. l i 45. As deemed necessary, during th : detailed design phase, the Combined PRAchapter Lkenne applicant should update ti.e PRA, including fire and flood 59.10.6 analyse 2 for both at power and shutdown operation, using Anal design i information and site. specific information. liased on site. specific j Information, the Combined 1.kenne appikant should also re.etaluate the j qualitative screening of esternal esents. If any site specific j susceptibilities are found, the appikable esternal event should be

                                !            included in the updated PRA.

46 There are no watertight doors used for flood protection in the AP600 SSAR 3.4.1.1.2 1 design. r i i Plugging of the drain headers is minimlied by designing them large SSAR 9.3.5.1.2

                               ;             enough to accomodate more than the design now and by making the now 4

i path as straight as possible. Drain headers are at least 4 laches in t diameter.

47. The Col, applkant should implement the maintenance guidelines as SS A R 13.5.1 described in the Shutdown Evaluation Report (WCAP.14837).

! 48. The COI, appikant should control transient combustibles especially SSAR Table during shutdown operations. 9.5.1 1

49. There are two compartments inside containment (PXS.A and PXS.H) SS A R 3.4.1.2.2.1 containing safe shutdown equipment other than containment isolation 5alses that are noodable (i.e., below the masimum nood height). Each of i

these two compartments contains redundar.t and essentially identkal equipment (one accumulator with associated Isolation salses as well as i isolation vahes for one CMT, one IRWST injection line and one containment recirculation line). These two compartments are physcially separated to ensure that a nood in one compartment does not propagate to the other. Drain lines from the PXS.A and PXS.B compartments to j the reactor vessel casily and steam generator compartment are protected From backflow by redundant backnow preventers,

50. There are four automatkally actuated containment isolation tahes inside SSAR 3.4.1.2.2.1 containment subject to flooding. These four normally closed containment isolation saltes would not fall open as a result of the compartment nooding. Also, there is a redundant, normally closed, containment isolation valse located outside containment in series with each of these

, s als es. 720.434R R il 14

Tabic 720.434F t l Modincations 1o AP600 PRA. bawd insights INSIGHT DINPOSITION ! $1. The paulie containment cooling splem IPCSI tooling wster not PRA Chapter 40 i esaporated from the sessel wall flows down to the bottom of the inner , containment annulus. Two 100 percent drain openings located in the  ;

;                        l                          side wall of the shield bulfding, are almap open with screens presided to present entry of small animals into the drains.

i ] 1 $2. The major rooms housing disislonal cabling and equipment (the battery SSAR 9A.3 rooms, de equipment rooms. I AC rooms, and penetration rooms) are separated by 3 hour fire rated walls without openings. There are no

                         ,                          doors, dampers, or seals in these walls. The rooms are seried by 4

separate ventilation subsystems, in order for a fire to propagate from

! one divisional room to another,it must mose past a 3 hour barrier (e.g.,
                        !                           a door) into a common corridor and enter the other room through I                           snother 3 hour barrier (e.g., another door).

I 3. An access hay protects important safety related IAC equipment as well PRA Chapter 3 as the main control room and the remoe shutdown panel, located in the $$.5

~

i north end of the musillary building, from potential debris produced by a

postulated seismically included structural collapse of the adjacent turbine i building.
                           $4.                      There are no normally open connections to sources of "tanlimited"                                 SSAR Figure j                                                    quantity of wster in the musiliary building.                                                      9.5.1 1
                           $$.                      To prnent flooding in a radiologically controlled area (RCA) in the                                SSAR 3.4.1.2.2.2 ausillary building from propagating to non RCAs, the non.RCAs are
separated from the RCAs by 2 and 3. foot walls and floor slabs. In l a Jdition, electrical penetrations between RCAs and non.RCAs in the ausiliary building are located abose the maximum flood level.

Sfi. The two 72 hour rated Class IE division H and C batteries are located SSAR 9A above the manimum nood height in the autillary building considering all poulble nooding sources (includ:ng propagation from sources located outside the autillary building).

                           $7.                      Flood water propagated from the turbine building to the autillary                                  SSAR 3.4.1.2.2.2

! building salve / piping penetration room at grade lesel(the only musil!ary building area that interfaces with the turbine building) is directed to j drains and to outside through access doors. This, combined with the presence of water tight walls and noor of the valse / penetration room, limits the masimum flood helpht in the salse/ piping penetration room (to about 36 inches) and presents flooding from propagating beyond this area.

                           $8.                      The mechanical and electrical equipment in the musiliary building are                              SSAR 3.4.1.2.2.2 separated to present propagation of leaks from the piping and mechanical equipment areas to the Class IE equipment and Class IE I&C equipment rooms.

720.434R R 1).15

                                                                                                                                          .. _ . _ -                                                       -. - ~_.                    -. _-

i

                  .                                                                                                                                                                                                                           \

Table 7 0434F 1 Modifications to AP600 PRA. based insights INSIGitT DISPOSITION ,

59. Connections to sources of "large" quntity of wster are located in the SSAR 3.4.1.2.2.3 4

turbine building. They are the sersice water system, whkh interfaces 1 with the component cooling water system and the circulating water s> stem whkh interfaces with the turbine build!as closed cooling system and the condenser. Features that minimite the nood propagation to other buildings aret b i . Flow from any postulated ruptures above grade lesel (elevation 100') r

                       !                             in the turbine bui; ding news down to grade level via noor grating
                       !                             and stairwells. This grating in the noors also presents any i                       !                             signifkant propagation of water to the musillary building sia now
                      !                              under the deors.

l . A relief panel in the turbine building west wall at grade lesel directs . I the water outside the building to the yard and limits the masimum > nood lewi in the turbine building to less than 6 inches. Flooding propagat on to areas of the ad,jacent ausiliary building, via now under , i doors or nacknow through the drains, is possible but is bounded by a postulated break in those areas. I

60. Flood water in the annes building grade lesel is directed by the sloped SSAR 3.4.1.2.2.3 Door to drains and to the yard area through the door of the annes

! I building. Flow from postulated ruptures above grade level in the annes building is ! directed by noor drains to the annes building sump whlch discharges to + the turbine building drain tank. Alternate paths include now to the i turbine building sia now under access doors and down to grade level sia stairwells and elevator shaft. l The noors of the annes building are sloped away from the access doors to the musillary building in the vicinity of the access doors to prevent migration of nood water to the non.RCAs of the nuclear liland where all safety.related equipment, escept for some containment isolation valves,is located. n

61. There are no connections to sources of " unlimited" quantity of water in SSAR Figure the annes building. 9.5.1 1 3

4 700.434 Ft R I >- 16

  --*..-e--  .-a.-ww--..myu.     -.---,,w-,~,-.-          . . . . - . - - - - .       ,..,m-..e,--,-_---,            -,,,,.,,,w,----,- - . .         - - . -. . - . , - . . - . . - . - . . . , -    .      _...-..m..,c.o.m,-ce.-..

Table 7:0 434F. I Modifications to AP600 PRA.hased Insights INSIGilT lllSPOSITION

62. To present oserdraining, the RCS hot and cold legs are sertically offset SSAR 5.4.6 which permits draining of the steam generators for norrie dam insertion with a hot leg lesel much higher than traditional desigm.

lo lower the RCS hot leg lesel at which a vortex occurs in the RNS SS A R 5.4.7 & i suction line. a step nonle connection between the RCS hot leg and the figure 5.15

                   <            RNS suction line is used.

Should tortesing occur. air entrahment into the RNS pump suction is SSAR 5.4.7 i limited. t There are two safety related RCS hot leg level channels, one located in SSAR Figure i cach hot leg. These lesel Imtruments are independent and do not share 5.1 5 i instrument lines. These lesel Indicators are provided primarily to i monitor RCS lesel during midloop operations. One level tap is at the bottom of the hot leg, and the other tap is on the top of the hot leg as close tc the steam generator as possible.

                  }

I Wide range pressurirer lesel indication (cold calibrated) is prosided that SSAR Figure can measure RCS lesel to the bottom of the hot legs. This nonsafety. 5.1 5 related pressurirer leselindication can be used as an alternative way of monitoring lesel and can he used to identify incomlstencies in the safety. related hot leg letel instrumentation. The RNS pump suction line is sloped cootinuously upward from the SSAR 5.4.7 pump to the reactor coolant system hot leg with no local high points. This design eliminates potential problems in refilling the pump suction line if an RNS pump is stopped when cavitating due to excessise air entra'nment. This self senting suction line allows the RNS pumps to be immediately restarted once an adequate level in the hot leg is re-established. SSAR 13.5 It is important to maximize the availability of the nonsafety.related wide range pressurlier lesel indication during RCS draining operations during cold shutdown. The Combined License applicant is responsible for developing procedures and training which encompass this item.

63. Solid state switching desices and electro machanical relays resistant to PRA Chapter 55 relay chatter will be used in the AP600 safety related I&C system,
64. The annulus drains will ha$e the same or higher itCLPF salue as the PRA Chapter shield buildlag so that the drain system will not l'all at lower acceleration 59.10.6 lesels causing water blocking of the PCS air bame.
65. The ability to close contair. ment hatches and penetrations during Modes SSAR 13.5 & 16.1 5 & 6 prior to steaming to containment is important. The COL is responsible for deseloping procedures and training which encompass this item.

720.434R R I bl7

     .                                                                                                         \
    .*                                                                                                         \

l e 1 Table 720 434F I 4 Modifications to AP(,00 PRA.hawd insights 4 , ? INSIGIIT DISPOSITION

66. Spurious actuation of squib Salies la presented by the use of a squib SSAR 9A.2.7 talie controller circuit which requires multiple hot shorts for actuation.

phpical separation of potential hot short locations (e.g.. routing of ADS l' . cables and low voltage cable trays, and the use of redundant series controllers located in separate cabinets), and protisions for operator

!            action te . tmote power from the fire zone.

4 l o 720.434F(R i b l8

   - - _. - .-...- -.._.~ - -                                             .  -                   - - -                                          -            -

i Table 720 434F.I Modifications to AP600 PRA.hased insights 1 INSIGHT DISPOSITION i

67. l'or long term recirculation operstlou, the RNS pumps can take suction PRA Chapter 17 l j i from one of the two sump recirculation lines. Unrestrkted flow through and Emergency i j imth parallel paths is required for success of the sump recirculation Response function when both RNS pumps are running. If one of the two parallel Guidelines 1  ! paths falls to open, operator action is required to manually throttle the i RNS discharge MOV (Voll) to present pump casitation. ,

I The containment isolation valves in the RNS piping automatkally close SS A R 7.3.1 i sie PMS with a high radiation signal. The acNation setpoint was  ; i catablished consistent with a DilA non.mechanistk source term l_ masociated with a large LOCA. The containment radiation level for other i accidents is espected to be below the point that would cause the RNS , j MOVs to automatkally close. i SSAR 5.4.7

                            !              With the RNS pumps aligned either to the IRWST or the containment I              sump, the pumps' net positive suction head is adequate to present pump cavitation and failure even when the IRWST or sump intentory is l

l saturated. ! I I Emergency response guidelines are provided for aligning the RNS from Emergency I the control room for RCS injection and recirculation. Response I Guidelines l The following are additional AP600 features whkh contribute to the low SS A R 5.4.7 l likelihood of interfacing system LOCAs between the RNS and the NCS:

                            ,              -     A relief valse located in the common RNS discharge line outside containment presides protection against excess pressure.
                                           -     Two remotely operated MOVs connect > the suction and discharge i

headers to the IRWST are Interlocked w the isolation salves connecting the RNS pumps to the hot leg. l'his pretents inadvertent opening of these two MOVs when the RNS is aligned for shutdown i cooling and potential diversion and draining of reactor coolant sy stem.

                                           -      Power to the four isolation MOVs connecting the RNS pumps to the RCS hot les is administratively blocked at their notor control centers during normal power operation.

Per the Shutdown Evaluation Report (WCAP.14837), operability of the Shutdown RNS is tested, via connections to the IRWST, before its alignment to the Evaluation RCS hot les for shutdown cooling. Report inadsertent opening of RNS valve V024 results in a draindown of RCS SSAR 13.5 inventory to the IRWST and requires gravity injection from the IRWST, The COL appikant is responsible for deseloping administrative controls to ensure that inadvertent opening of this valve is unlikely. l The reliability of the IRWST suction isolation valve (V023) to open on SSAR 17.4 demand is important. The COL will maintain the reliability of this 720.434F(RI) 19

l Table 720 434lti Modifications to AP600 PRA.hased insights

INSIGilT DISPOSITION 6N. The startup feeduster system pumps preside feedwater to the sum SSAR 17.4 generator. This capability presides an alternate core cooling mechanism '

j to the PRllR heat eschangers for non.l.OCA or steam generator tube l ruptures. The Col, will maintain the reliability of the startup feedwater pumps. l

69. Capability is protided for on.line testing and callkration of the DAS SS A R 7.7.1.11 channels, including sensors. ,

j Short term availability controls of the DAS during at. power conditions SSAR 16.3  ;

i reduces PRA uncertainties.

i 70. One CVS pump is conngured to operate on demand while the other CVS PRA Chapter 15 j pump is in standhy. The operation of thew pumps will alternate I perkedically. l The safety related PMS teron dilution signal automatically re. aligns CVS SSAR 7.3 1  ; pump suction to the horic acid tank. This signal also closes the two

                           !         safety related CVS deminerallied water supply sahes. This signal
i actuales on reactor trip signal (Interlock P.4), source range pus doubling 4 1 signal, or low Input soltage to the Class IE de power system hattery chargers.
                          ;      71. The Col, applicant will maintain procedures to respond to low hot les            Emergency level alarms.                                                                    Response Guidelines
72. A Col, applicant cleanliness program controls tureign debris from being SS A R 6.3.2.2.7.2 Introduced into the IRWST tank during maintenance and inspection and 6.3.N.I

> operations.

73. l'or noor drains, appropriate precautions such as check saltes, back now PRA Chapter $6 presentors, and siphon breaks, are assumed to present back now and 1 any potential nooding.
74. Plant sentilation systems include features to prevent propagetion of Certifled Design 4 smoke from a nonsafety.related area to a safety.related area. Material

, 75. An alternative grasily injection path is presided through RNS %023 Emergency during cold shutdown and refueling conditions with the RCS open. Response Guidelines The COL applicant is responsible for developing administratise controls SSAR 13.5 to mailmlre the likelihood that RNS salte %023 will be able to open if needed during Mode 5 when the MCS is open, and PRHR cannot he used for core rMing. , i 76. The IRWST suctkm isolation salve (V023) and the RCS pressure Certined Design boundary isolation saltes (Y00l A/It, V002A/Ill are environmentally Material qualined to perform their safety functions. 720 434fiRI F20 l >

l

 .o                                                                                                                        I

. I NRC FSER OPEN ITEM A'l*f ACilMiiNT 720 434F 1 NRC Staff insights of the API,00 Lesel i PRA and Westinghouse l'cedback OrnetaLAxlantwJducquittmsnts

1. WIiC will enamtain a hst of rnk important systems, structures and components (SSCs)in the D. RAP.

n' Response: The ristamportant SSCs nahin the scope of thRAP are prostded in SSAR Tabie 17.4.L There is no adJuianalaction requirrJ by Westinghouse to masntain this list after FinalI)essgn Approval. Westinghouse does not agree that this stem os an insight of the inel I PRA, rather the PRA results are usedfor identsfying the rosL unportant SSCs in thRAP Per the 2/12/98 W/NRC meeting, Westinghouse agreed to include an item in PRA Table 59 29 that reads: "A list ofrisk.important systems, structures, and components (SSCs) has been provided in the thRAP." (disposition a i SSAR 17.41. Iser item #44 of Table 720.4.t4F l)

2. 1he COL Apphcant should perform a senmic walldown to ensure that the as. built plant conforms to the auumptions in the APW) PRAUnsed senmic margins analysn and to auure that seismic spatial systems interactions do not exist. Details of the senmic walldown will be descloped by the COL appheant.

W Response: As prosidrJ m the response to FSER open items 720.451F through 720 453F, the sessmic marum Combmed Lisense apphrant actwn arm null be changed m AP600 PRA Resision ll, subsection 5910 6 to trad as follows: The Combmed Lis ense applicant referencing the AP6W) certified Jessgn should perform a seismsc walldown to sonfirm that the as. built plant conforms to the design used as the basis for the sessmic margon esaluatwn and that seismic spatial systems snteractions do not esist. lktasis of the seismic walLJonn nsil be deseloped by the Co nbined License apphcant Note . At the 2/12/9N W/NRC meeting, NRC stated Westinghouse resporsse is acceptable for this item. A WEC will maintam a hst of the SSC llCLPF salues used in the APM) Senmic Margins Auessment in the D. R AP. The COL Apphcant should compate the as. built SSC HCLPFs to those assumed in the APM) seismic margms .malysis ISMAL Deviations from the llCLPF values or auumptions in the SMA should be evaluated by the COL Applicant to determine if any winerabihties base been mtreduced n' Response: The IICLPF salues useJfor the AP600 smmsc margin anaI>sss are provideJ in AP600 PRA Table

                       $$.I. The SSCs capturrJ by the thR AP process using the results of the seismic margm anaI> sis as the rationale for mclusion. are p.: . JeJ in SSAR Table 17.41. There is no additwnal action requirrJ by Westini: house to maintain this list after Fmalikssgn Approsal Westmghouse does not agree th st "WEC ndt maintam a list of the SSC HCLPF values" ss an insight of the Lesel i PRA.

720.434F(RI) 21

NRC FSER OPEN ITEM As prossdrJ m the response to ISER open stems 720A$lf through 720 4.UF. the follonme Combmed Lu rnse applucant aaion item u sll be mcluded in AP600 PR A Rension i1. subsectwn 59.10 6: The CombencJ Luense applicant referencing the AlWW certsfied dessen should wmpare the as.budt SSC llCll'Fs to those assumed in the AP600 seismtc margm rsaluatwn Deviatwns from the llCLPF salues or assumptions in the scismic margin esaluation should be esaluatrJ by the Combmed Lit ense applisant to Jetermme of unaarptable sulnerabilities have been entrodmed. Note . At the 2/12/9N W/NRC neeling, NRC stated Westinghouse resporne h acceptable for thh item.

4. The COL Apphcant will maintain an operatmn rehability assurance process based on the sptem rehability informatmn derised frorn the PRA and other sources The COL Applicant should incorporate the hst of risk.

unportant SSCs. as presented m the SSAR section on D RAP,in its D RAP and operation reliabihty assurance process. it' Response: There is a Combined Liunse applicant 0 RAP anion nahm SSAR subsection 17A.8 that reads the "Combmed License applicant is responsublefor performmx the tasks necessary to maintam the reliabshty of rosL signsficant SSCs." In adduion. SSAR subsection 17.C l states the " COL apphcant nJI need to establssh PRA importance measures, the espert panel process and other determimstic methods to determine th: sitespectlic list of SSCs under the scope of RAP. These tno COL actwn trems address the staff's insight statements. Per the 2/12/98 W/NRC meeting, Westinghouse agreed to include an item in PRA Table 59 29 that reads: " Combined License applicant is responsale for performing the tasks necessary to maintain the reliability of thk. signtlicant SSCs." [ disposition = SSAR 17.4] (see item #44 of Table 720.434F.!) 5 The COL apphc.nt shoulJ consider the informatmn on risk important operator actions from the PRA. as presented in Chapter lH of the SS AR on human factors engineering,in deseloping and implementing procedures, training and other human rehabihty related programs. it' Response: In the AP600 PRA. credet is taken for sarious tasks to be performed in the control room by the team of trainrJ operators. These tasks are rule based and procrJurali:rd. The tasks refer to the completwn of a nell defined mission by a tram of trained operators folloning procedures. As starrJ m SSl,R sectwn 1810. operator training is the responsubshty of the COL. 4rstrnehertse vnpstrin-thr401 ss , v,,Jcd iii "l CAP H655-PlH-TaHe-5?29. ,eim ll, ali, i,-pa . ; - %r-rs

                                                      -i,ee,, iii SSAR cl,uo.e, r lo-Westrnghosese+rittui hat ii ,~ . diJ,n-SSAlHerstenr+ - n-and how it ii cu, e. red sur-PRA-TerHe-MWaddresses el,i ,,u;fi iustt he ieaei; , .e Per the 2/12/98 W/NRC meeting, Westinghouse agreed to revise item 11 of PRA Table 59 29 as follows: (1) remove words currently in item 11 of Tabir $9 29, (2) add: "The information used by the COL regarding risk.important operator actionsfrom the PRA, as presented in Chapter 18 of the SSA R on h umanfactors engin eering, is important in de veloping and implem en ting procedures, training and other human reliability related programs." [ disposition = SSAR 18] (see item alI of Table 720 434F.I) 720.434F(R1) 22

1 a NRC FSER OPEN ITEM j 6 During detaileJ deugn phase, the COL Apphcant s' auld update the PRA uung the final deugn information and ) uteopecibe informatmn As deemed neceuary, the COL Apphcant should update the PRA including the hre and flood analpes for both at-power and shutdown opelation liased on ute.specifie information, the COL Apphcant should aho te esaluate the quahtative screening of esternal esentt if an) ute specine susceptibihties 1 are found, the upphcable esternal event should be included m the updated PRA. n' Response: There os a COL arm prosided in PRA subsectmn 39.10.6 that reads the "Comboned License applicant referencmg the AP600 certofied Jnsgn u til s erify the as buult plant is conststent nith the design used as the basis for the ba.seline AP600 PRA." It is the COL's responssbdsty to describe hon this well be st one and n hether any portions of the baselme PRA need to be updated. Per the 2/12/98 \\'/NRC meeting, \\'estinghouse agreed to include an item in PRA Table 39 29 that trads: "As dermed necessary, during the detailed design phase, the Combined license appliennt should updair the PRA, including fire and flood analysts for both at power and shutdown operation, using final design information and site specyle information. Based on site specyle information, the Combined license applicant should also re esaluate the qualitatis't screening of esternal esents. If any site specific susceptibilites are found, the applicable e. sternal esent should be included in the updated PRA." [dispositium a PRA $9.10.6]. (see item #43 of Table 720.434F.I)

7. No safety related equipment n hicated outude the Nuclear Island.

n' Respon se: Thi.s is an accurate statement. and will be included as item #42 in PRA Table 39 29. fser item

                      #42 of Table 720.434F l)

M The APfallow prenurc sptems which interface with the RCS are protected against mterfacing systerm LOCA t ISI OCA) by a combmation of multiple nolation s ah es, s ah e interhickmg. merease in the pipmg prenure hmits and prenure rehef capabihty. n' Response: Thus is an accurate statement PRA Table 39 29 utem 6. symfically discusses the elements nhich pers ent interfacmg sy stem LOCA bets een the RNS and the RCS. Per the 2/12/98 \\'/NRC meeting,

                       \\'estinghouse agreed to modify item 6 of PRA Tab!r 39 29 to include the pressure relief capability phrase. Iloweser, a more detailed discussion on features that protect against interfacing :ystems LOCA is prosided later in this FSFR open item response under the RNS ducussion. Refer to the RNS section to ser how the pressure relief capability is addressed (i.e.,

the addition of the second sub bullet under the RNS item discussing interfacing systems LOCA1. 9 Sohd state swttching deuces and electro-mechanical relays remt nt to relay chatter will be used m the AP600 IAC systems. Use of these deuces and relays either chmmates or minimites the mechanical discontmuities awociated with umilar devtces at operatmg reactors. E' Response: It as not understood nhy tin staffs statement ss an mssghtfrom the AP600 PRA. The staff sould nrrd to esplain uh> this is an important insight af the PRA to justify its placement in the DCD. The staffs statement ns accurate, but i' not explicitly stated m the SSAR or PRA. Per the 2/17/98

                      \\'/NRC telecon, \\~rstinghouse agreed to include the following item into PRA Table 39 29:

720.434F(R1) 23 g

j NRC FSER OPEN ITEM A  ;

                         " Solid state switching devices and rIrctro mechanical relays troistant to relay chatter will be used in the Al'600 safety related I&C system." (see item #63 of Yable 720,434F.I) 10 'there are no watettight dmir, used for Good protection in the AP(ul design.

W Response: This ts an accurate statement per SSAR subsection 3.4.1.1.2. Per the 2/12/98 WINRC meeting, Westinghouse agreed to include an item in PRA Table 59 29 that trads: "There are no watertight doors usedforJ1cmdprotection in the AP600 design." (disposition = SSA R 3.4.1.1.2) (ser item #46 of Table 720.434F.!) i1. '!he AP(0) design minimites potentialikxw. ling sources in safety.related equipment areas, to the entent ponible.

          'Ihe design also minimites the number of penetrations through enclosure or barrier walls below the probable maumum ikxd lesel. All thul barners (e g., walls, doors arW penetrations) are designed to withstand the manimum anticipated hydrodynamic loads as well as water prenures generated by Goods in adjoining areas.

W Response: thcludmg the endmg phrase "as nellas nater pressures generated byfloods m adjoimng areas." the staff statement ss supported by SSAR subsection 3.4.1.1.2. This is essentially arm 23 of PRA Table 59 29. Per the 2!)2/98 W/NRC meeting,it was agreed to keep item 23 of PRA Table 59 29 with the removal of the words " associated wish a pipe failure." (see item #23 of Table 720.434F.I)

12. firains are capable to remose now from an auumed break in a hne up to 4" in diametes and include features.

such as check salses and siphon breaks, that present backDow. W Response: The information as norded in the staff's statement is not supported by text in the AP600 SSAR. SSAR subsection Y.331.2 does read " Plugging of the dram headers is mimmi:rd by destgmng them large envueh to accommodate more than the design flow and by malmg the flow path as straight as possnble. Ibram hrs.Jers are at Irast 4 im-hes m diameter." Regardmg the pornon of the staff's statement on bac kflow presentwn. see the last bullet from item 15 below. Per the 2/12/98 W/NRC morting, Westinghouse agreed to include the information quoted abortfrom the SSAR as an item in PRA Table 59 29. The disposition will be SSAR 9.3.5.1.2. (see item #46 of lable 720.434F.I) 13 Ihere is no cable spreading room in the AP600 design. W Response: This is an accurate statement. Per the 2/12/98 W/NRC meeting, Westinghouse agreed to include the NRC's sentence as an item in PRA Tabir $9 29. The disposition willbe SSAR Table 9.3.11. (see item #16 of Table 720.434F.I)

14. The teparation of equipment and cabling aunciated with different diusions of safety related equipment as well as the separation of safety related from nonsaf ety related equipment, minimites the likelihood that a fire or Good would affect more than one safety rel.ited system or tram.

720.434F(RI).24

NRC FSER OPEN ITEM j

<              W Response:                       This is an accurate statement. PRA Tabir 59 29. item 13, prosides the same irtformation. Per the 2/12/98 %'/NRC meeting, n'estinghouse agreed to modify item 13 in PRA Table 59 29 to as followst " Separation or protterion of the equipment and cabling among the divisions of safety.
          !                                     related equipment and separation of safety relatedfrom nonsafety related equipnent minimites the probability that a fire or food would affect more than one safety related system or train,
;          i                                    escept in sener areas inside containment where equipment will be capable of achieving safe
           ,                                    shutdown prior to damage " Ort item #13 of Table 720.434F*l)
15. The following minimite the probability for fke or flood propagation from one area to another and helps limit risk from internal fires and Goods:
                             .         Fire barriers are sealed and flood barriers are wattrtight.

W Response: This statement isfrom PRA Table 39 29, item 14, but es missing the words "to the enient possible" I after the word sealed. Per the 2/12/98 n'/NRC meeting, H'estinghouse agreed to modify item 14

          !                                     in PRA Table 59 29 to include "(i.e., doors)" after the word possibir. (see item #14 of Table
          !                                     720.434F.I)
                             .         Each fire door is alarmed in the control room.

W Response: PRA Table 39 29, item 14 provides the same statement. l Note . At the 2/12/98 W/NRC meeting, NRC stated Info in item 14 of Table 59 29 is acceptable for this item.

-                           -          The COL Applicant will ensure the reliable performance of fire barriers through appropriate inspection and mainteaance of doors, dampers, and penetration seals. Also, all water tight penetrations will be maintainsu with high reliabihty during power operation to present the propagation of water from one area to the nest.

W Response: The staff's statement appears to be concentratmg on a COL stem for inspection and mamtenance of fire barriers and maintenance of reliable water light penetrations. %'estinghouse is not specibing the COL items to this level breause it is Ihr COL's responssbility to descrube how this nill be done. Rather, n'estinghouse includes a COL item prosided in SSAR subsection 9.51.8 that reads the " Combined License applicant will address qualfication t requirements for individuals resp <msible for development of the fire protection program, traming of fire fightmg personnel, administrative procedures and controls goserning the fire protection program during plant operation andfire protection system maintenance." In addition. as stated in SSAR Table 9.3.1 1, items 29, it is the COL's respcmstbility for ' establishing administrative controls to maintain the performance of thefire protection system ar,Jpersonnel." Note, at the 2/l2/98 WINRC meeting, NRC stated info in item 14 of Table 59 29 is acceptable for this item.

                            .         The COL Applicant will ensure the availability of proper Ore fighting equipment in all plant areas, and especially in the most risk significant fire areas.

720.434F(RI) 25

NRC FSER OPEN ITEM A 1Y Response: SSAR Table Y $ l.I. arms 4. 30. and 32. cm er this staff statement. Note that ut is not appropriate to add the phrase "and especially in the mmt ri>L signtficant fire areas" because Table Y $ l 1

                                                                                                                      < mers allfire areas. There is no need to hma this to the most risk sigmficant fire areas Note, at the 2/12/9N W/NRC meeting. NRC agreed thh !!cm does not need to be an imight listed in the PRA.
                                                                                           .                     The Col. Apphcant will maintain an adequately staffed, well tramed, and well prepared fire brigade.

1Y Resporne: SSAR Table V 3.11, trems 4 and 30 through 34. cmer this staff statement. Note. at the 1/l2/vs W/NRC meeting, NRC agreed this item does not need to be an imight listed in the PRA.

                                                                                           -                     When a fire door, fue barrier penetration. or Good barrier penetration must be open to allow specific mamtenance (e p., during plant shutdown). appropnate compensatory measures will be taken to mini.

mite nsk. Risk during shutdown is minimited by appropriate outage management. administrative controls, procedures. and operator knowledge of plant con 0gurauon. In particular this will require configuration control of Gre/ flood barners to ensure the mtegnty of fire and Hood barriers between areas containing equipment performmg redundant safe shutdown functions. 1Y Response: The mtentions of nhat is described in the staffs statement is covered by good plant operatmg practices. It ts cmered m a higher level by SSAR Table 9.5.l.l. items 4 and 29. Note, at the 2/12/98 W/NRC meeting, NRC agreed this item does not need to be an insight listed in the PRA. Additionally, the intent of what the NRC wrote is cmered by item 14 of Table 59 29.

                                                                                          .                      Drains include features, such as check vahes and siphon breaks, that present bacL0aw.

1Y Response: Assumption m. as n rotten m PRA Chapter $6. reads "forfloor drams, appropriate precauttons such as che< L sahrs. ba< L flow preventors, and siphon breaks are assumed to present back flou and any potentialfloodmg." Per the 2/12/98 W/NRC meeting, nestinghouse agreed to include an ser- in PRA Table 39 29 that includes the information quoted in the previous sentence. [ disposition a PRA Chapter $6] fsee item #73 of Tabir 720.434F.1)

16. I:ite detection and suppression capability as well as Gooding control features and sump level indication are prmided in the Ap600 design. Appropriate compensatory measures will be taken by the cot. Applicant to mamtam adequate detection and suppreuion capabihty during mamtenance actiuties.

1Y Response: Per SSAR sectwn 13 3. the Combined 11<ense applicant is responsible for deseloping the plant procedures. The staffs statement us part of good plant practices, and should be addressed by the applicable procedures uhich the Col. null deselop. Per the 2/12/98 W/NRC rnerting, it was agreed the staff's statement is covered by items 14 fthird bullet) and l$ of PRA Table 59 29.

17. In addition to the MCR which has its own dedicated sentilation system, separate ventilanon systems are prouded fo. each of the two pairs of safety related equipment diusions supporting redundant functions (i e..

diusions A&C and il&D). Furthermore, the plant sentilation systems include features to prevent propagation of smoke from a non safety related area to a safety related area or between safety related areas supported by 720.434F(RI).26

i NHC FSER OPEff ITEM l 1 l two dif ferent diviuons. The COL holder must ensure the rehable performance of such smoke propagation I presention features. j h Response: Euludmg the COL statement, the staff's statement is costred by item 20 of PRA Table 59 29. Regardmg the COL statement, this les el of detailis not included within Westmghouse COL items of SSAR 9 5 Per the 2/12/98 W/NRC meeting, Westinghouse agreed to include a statement into item 20 of Table 59 2V that reads: " Plant ventilation systems include features to prevent propagation of smokefrom a notaafety related area to a safety related area." (disposition = ,  : SSAR 9Al (see item #20 of Table 720.434F.I)

18. The COL applicant should implement the maintenance guidehnes as described in the Shutdown livaluation Report (WCAP 14H37).

h' Response: SSAR section 135 I (as revised per the response to FSER open item 440.763F, Westinghouse letter DCP/NRCilV8, Jared I)ecember 22, 1997) mcludes the following statement: WCAP 14837 provides input to the Combined License applicantfor the development of plant specufic refueling plans." This means the maintenance guidelines. as nell as other guidelines spectfied nithin the WCAP, should be considered by the Combined License applicant when they develop the plant l procedures. This SSAR COL item covers at a higher les el the staff's statem*nt. Per the 2/12/90

                                                                                ,                                         W/NRC meeting, Westinghouse agreed to include the staff's words as an item in PRA Table 59
29. [ disposition a SSAR 13.5.1] (see item #47 of Table 120.434F.I)
19. The COL applicant should control transient combustibles during shutdown operations.

S' Resp. cnse: The intentwns of nhat is descrsbed in the staff's statement is cosered ,n a higher lesel by SSAR Table 9 51 1, item 4d. Per the 2/12/98 WINRC meeting, Westinghouse agreed to include an itern in PRA TabIr 59 29 that reads: "The Combined License applicant should control transient combustible: especially during shutdown operations." (disposition = SSAR Tabir 9.$.I.1) (see item #48 of Table 720.434F.I) WHLCnMIol Room (MCR) and Rtmeic_Shyidown Workstation (RSW)

1. The automatic function of the AP600 actuation systems (i.:. PN15 and DAS) is nct affected by a fire in either the htCR or the RSW, This ensures an independent, automatic means, to reach safe shutdown even when a fire occurs in the MCR or the RSW (manual actuation is not nee <ied unless the automatic actuation f ails). Also, even though a fire in the htCR may defeat manual actuation of equipment from the NiCR, it will not affect the manual operation f rom the RSW. '!his is because the I&C cabmets are located in fire areas outside the htCR and the RSW.

E' Resp <mse: The stafs statement is cor red by trem 19 of PRA Table 59 29. At the 2/l2D8 WINRC meeting, NRC agreed this item is cosered by item 19 of Table 59 29, 720.434F(RI) 27

NRC FSER OPEN ITEM l

2. Redundancy in MCR operations,in terms of both monitoring and manual control of safe shutdow n equipment.

is prouded withm the MCR stself. This provides an alternative means for mitigating certain MCR fires before deciding to evacuate the MCR and use the RSW. E' Response: The staffs statement is coscred by item 17 of PRA Table 39 29. At the 2112/98 WINRC meeting, i NRC agreed this item is cosered by item 17 of Table 59 29,

3. If MCR evacuation is necessary, the RSW provides complete redundancy in terms of control for all safe shutdown functions.

h' Response: This statement is paraphrasedfrom S5AR section 7.4.3.1.1. The staffs statement is costred by

item 12 of PRA Table 39 29. Per the 2/12/98 WINRC meeting, Westinghouse agreed to add i "There are no dyferences betnern the main control room and remote shutdown workstation
     !                    controls and monitoring that would be expected to affect safety system redundancy and l                    reliabilay." This sentence will be added to item 12 of Table 59 29. Isee item 412 of Table
     !                     720.434F.))
4. The MCR has its own dedicated ventilation system and is pressurited This ehminates the possibility of smoke, hot gases, and Gre suppressants, originated in areas outside the MCR, to migrate via the ventilation system to the control room.

W Response: The staffs statement is covered by item 20 of PRA Tabir 39 29. Note it is recommended that the staffs wording of " eliminates"he rhanged to " prevents". At the 2112/98 WINRC meeting, NRC agreed this item is cosered by item 20 of Table 59 29,

5. The MCR and the RSW are in separate 6te and Good areas. They have separate and independent sentilation systems.

E' Re.spon.se: The staffs statement is cosered by items 18 and 20 of PRA Table 39 29. At the 2il NN WINRC meeting, NRC agreed this item is covered by items 18 and 20 of Table 59 29.

6. AiW10 MCR 6te ignition frequency is hmited as a result of the use of low.voltaEe, low current equipment and 6ber optic cables.

E' Response: The stays statement is covered by item 16 of PRA Tabir 39 29. At the 2il2/9N WINRC meeting, NRC agreed this item is coscred by item 16 of Table 59 29. Cuninnnient/ Shield Bmlding

1. Containment isolation functions are protected from the impact of internal Gres and Goods by redundant containment isolation vahes in each line which are located in separate 6te and Good areas and, if powered, are sersed by different power and control divisions. Always, one isolation component in a given hne is located inside containment, while the other is located outside containment, and the containment wall is a Gre/Dood barrier.

720.434F(R1) 28

 ..                                                                                                                                            )

l NRC FSEM OPEN ITEM A 11' Respamse: The staffs statement is coscred by item 22 of PRA Table 39 29. At the 2/12/98 WINRC meeting, NRC agreed this item is cosered by item 22 of Table 59 29,

2. Although the containment is a single fire area. redundant dmsions are generally separated by contmuous structural or fire barriers uithout penetrations and by labyrmth passagew a) s. In a few situations, the divisions are separated by large open spaces without intervening combustibles.

W Response: Westmghouse-treemmendi iki seuf'i vidmg vf-thrs-mstght-refrici .l.a;-si n i,ee.i, ... SSAR ssrbsertron4A-M4:-sperrfreaHy~4herentarnmiiielihkld+stridentremprtici . ni fbi aiia whreh rs-separated mtofrener.es'Thesnorresttrebasedan thi ii;ublii'. . ..; ofl, ndartertstrsretteres or,1rstemii; ela, ,iihrber-frie , iojqueisei f,0,,, we,i ,o c.ui. hmple. . ; l,.i i ii ; ,ij.u , u. .cu ermnetbryrvrrded mstdero,,;a; , .. ..e l-icastseof thi ..ied is ,nu,,.;aei, thij,,i iu hauge,fgases t for psrepses-such-srs-pasii.i iiu;au, . u; icv lmp" Per the 2/12/98 WINRC meeting.

  !                          Westinghouse agreed to include the following words into PRA Table 59 29: "Although the f                         conta'nment is a single fire area, adequate design features exist for separation (structural or i                         space), suppress %s, I t ofcombustibles, or oprator action to ensure the plant can achieve safe shutdown." (disposuwn = S3AR 9Al (see item #13 of Table 720.434F.I)
3. Dere are only two compartments inside containment (PXS A and PXS II) containing safe shutdown equipment other than contamment isolation valves that are Hondable (i c.. below the maximum Hood height).

Isach of these Iwo compartments contains redundant and essentially identical equipment (one accumulator with auociated isolation vahes as well as isolation vahes for one CMT, one IRWST injection line and one containment recirculatmn line). These two compartments are physically separated by 2 or 3 foot walls and door slabs to ensure that a Good in one compartment does not propagate to the othet. Drain lines from the PXS A and PXS Il compartments to the reactor vessel cavity and steam generator compartment are protected from backnow by redundant backdow preventers. W Response: Westmghouse recommends the stag remove the nord "only"in thefirst sentence. The casity also has sour:e range detectors. It is correct that the PXS A and PXS B compartments are physically such that a flood m one compartment does not propagate to the other: honeser. Westmghouse recommends the sts.H remme the spectfics that the compartments are separated "by 2 or 3. foot walls andfloor slabs " It appears the staffinadvertently used the words regarding 2 and 3 foot nalls andfloor slabs that appear in SSAR subsection 3AI.2.2.2 nhich pertains to the auxiliary building separation of RCA and nonRCA areas. Once these recommenJations are implemented. the staffs statement is fully supported by SSAR subsection JAI.2.2.1. Per the 2/12/98 W/NRC meeting, Westinghouse agreed to include the stalfs statement with the Westiaghouse comments incorporated. The disposition will be SSAR 3AI.2.2.1. (see item #49 of Tabir 720.434F.I) A Containment isolation vahes located below the maximum Good height inside containment or in the Auuliary fluilding are normally cimed and are designed to fail closed when submerged. W Response: The staffs statement is not technically accurate. The valves are not designed tofail c!osed n hen submerged. Westinghouse recommends the staff change the nording of their statement to read consistently nah SSAR subsection JAI.2.2.1. Specofically, the SSAR reads "There are four 720.434F(R1).29

NRC FSER OPEN ITEM A automatucally aauated contamment isolatwn vah es anside containment subjet t tofloodmg. These four normally closed contamment isolatwn sahrs nould not fail open as a result of the wmpartment floodmg. Also, there is a ordundant. normalls closed. contamment isolation sahr Im ated outssJe contatnment m series nah rac h of these sah es," Per the 2/12/98 WINRC meeting, Westinghouse agreed to include she above quotrJ statement. Disposition will be SSAR U.l.2.2.l. (see item #$0 of Table 7?O.434F.I)

5. lhe fraFility of valve rooms, labeled 11206/11207 where the passne core coohng systern sahes are concentrated b an important factor in the APful capabihty to withstand carthquakes. The capacity of the as built SSCs to meet the llCl.PF values auumed in tne APru) PRA will be checked by a senmic w alkdow n.

W Response: It is not w.Jerstood nhat the staff means by the fragihty of vahe rooms I1206 and i1207 is an tmportantfactor in the capability ofAP600 to wethstand earthquales. The llCLPF saluefor these rooms is 096x (per PRA Table 351). The llCLPF waluefor these wahr rooms is not the hmiting IICLPF e!<mentfor the nuclear Island Wenmghmese m. . - -di arfirsese ntener of chestaffs naremenrk ~ ,, ..-J The staff's statement regardmg a seismic walLJoa n is already addressed under stem 2 of " general

                         & plant nide requarments."

At the 2/12/9N W/NRC vi.ecting. NRC agreed their statement does not need t'. he induded in Table $9 29 because it is cosered by the sekmle margins analysis (SMAl COL ltems (see

r. tral items section, numbers 2 and 3).

6 Tac panne containment cooling syst:m (PCS)coohng w ater not evaporated from the s enel w all nows dow n to the bottom of the inner containment annulus into floor drains. The redundant Door drons toute the excess water to storm drains. The drain knes are alwa)s open (without notation sahes) and each n stred to accept masimum PCS Gow.1he interf ace with the storm drain s) stem is an open connection such that any blockage in the storm drains would result in the annulus drains osernowing the connection. draining the annulus independently of the storm drain system. W Response: Westmghouse recommends the staff reuse this statement to read "The passise contamment cooling s.sstem (PCS) cooling water not evaporatedfrom the sessel wallflows down to the bottom of the inner containment annulus. Tu o 100 percent drain openings. located in the stJe nail of the shield building, are always open nith screens provided to pres ent entry of small ansmals into the drains." Note that the specufic drain configuration has changed since nhat was modeled m PRA Resiston

8. n hen the drains nere located on thefloor of the annulus (see also re.sponse to FSER open item 720.440F). Thus the staff's statement should be revised. Per the 2/12/98 WINRC meeting, Westinghouse agreed to include the above quoted information into PRA Table 59 29.

(disposition a PRA Chapter 40l (see item M$l of Table 720.434F.I) [ W85tingh00$8

NRC FSER OPEN ITEM

7. the annulus ther draim whnh a:e essentially pipes embedded into the w all of the Shield fluildmp, will base the same lor hg.ierlllCl PF salue as the Shield Building. This ensures that the drain spt< 1 will not fail at lower acceleration lesch causing water bhwking of the PCS air ballle.

W Response: Refer to arm 6 abm r regardmg plac ement of the annulus dramt Per the 2/17/98 W/NRC telecon. Westinghouse agreed to include thefollowing item into PRA Table 59 29: "The annulus drains will have the same or higher llCLPF value as the shield building so that the drain system uill notfail at lower acceleration Irrels causing water blocking of the PCS air baffle." (disposition a PRA Chapter $9.10.6] iser kom #64 of Table 720.434F 9). M. 1he Col. apphcant should deschip and implernent pebcies, procedures, and training to cime containment penetrations during Modes 5 and 6 in accordance with TS 3 6 H. W Response: A COL stem m SSAR subsr< tion 13 5.1 states the Combined License applicant asil address plant proc rJures. A COL stem m SSAR subsectwn 13 2.1 states the applicant null Jeirlop and smplerirnt Irasmng programs for plant personnel 'these stems wherently include folloning the Tre hnical Specofications. The COL items m SSAR <harter 13 cmer the staffs statement. Per the 2/l1/9x WINRC telecen, Westinghouse agreed to include thefollowing item into PRA Table 59-19: "The ability is close containment hatches and penetrations during Modes 3 & 6 prior to steaming to containment is important. The COL is responsible for developing procedures and training which *ncompass this item." l disposition = SSAR 13.$ & 16.l] (ser Urm #65 of Table 720.434F,1). hubart.J1'iMmg

1. Separate sentilation splena are provided for each of the two pairs of safety telated equipment dnisions supportinj redundant functions O c , dnnions A&C and B&D). Thk presents smoke, hot gases snd fire supprenants orIFinating in dnnions A or C from propagating to divatoin !! and D.

W Respon.,r: The taffs statement as cmered by arm 20 of PRA Table 59 29 Note this ts essentiall; a duplisare of stem 17 of " general & plant nide requsrements: At the 2/12/98 WINRC meeting, NRC agreed that thh information h cosered b) item 20 of Table 59 29,

2. The major rooms housing dnnional cabhng and equipmert (the battery room % DC equipment rooms. IAC rooms, and penetration rooms) are separated by 3 hout rated fire walls without openings. There are no doors, dampers on seals in these walls. The rooms are sersed by separate senulation subsptems. In order for a fisc to propagate from one dnisional room to another, it must mme past a 3. hour barrier (e g , a door) into a common corridor and enter the other room through another 3 hour barrier (e g.. another doort W Response: This os an accurate statement. h is essentially uhat us described in SSAR subsection 9A 31. Per the 2/12/98 WINRC meeting, Westinghouse agreed to include the staff's statement into PRA Table 59 29. (disposuion = SSAR 9A.3) (see utm c52 of Table 720.434F.!)

720.434F(RI) 31

NRC FSER OPEN ITEM y =m

3. A two-foot concrete Door (barrier) protects important safety related l&C equipment as well as the main control room and the temote shutdown panel, located in the north end of the Auxiliary Building, from potential debris produced by a postulated seismically induced structural collapse of the adjacent Turbine ,

Building and propagated through the access bay separating the tuo buildings. W Response: To be an accurcre statement, the staff's wording should be changed asfollos s: (I) change "a two-foot concretefloor (barrier)" to "An access bay"; and (2) delete the endmg words "andpropagahd through the access bay separating the two buildings." By changing these words the statement is now consistent with PRA subsection $5.5 8. Per the 2/12/98 WINRC meeting, Westinghouse agreed to include the staff's statement, with mmlyications as neted in the previous sentences, into PRA Table 59 29. (disposition = PRA $5.5] per item #33 of Table 720.434F.I)

4. There are no connections to sources of " unlimited" quantity of esater in the Auxiliary Building.

W Response: It is not understood ahat is the definition of "s nlimited quantuy of aater" or the purpose of this statement. Upon further understanding of this statement. it may be accurate to state there are no normally open connections . At the 2/12/98 WINRC meeting, the term " unlimited" was discussed. The NRC staff explained that it means an unlimited body of water such as a lake or the ocean. Therefore, based on this understanding, Westinghouse agreed to incluu the following into PRA Table 59 29: "There are no normally open connections to sources of

                          " unlimited" quantity of water in the Auxiliary Building." (disposition = SSAR Figure 9.5.1.I)

(see item #54 of Table 720.434F.I)

5. To ensure that a Gooding in a radiologically controlled area (RCA) in the Auxihary Building does not propagate to non RCAs (where all safety related equiprnent except for some containment isolation valves i:,

located), the non RCAs are separated from the RCAs by 2 and 3 foot walls and Goe slabs. In addition, electrical penetrations between RCAs and nca RCAs in the Auxiliary Building are located above the maximum Hood lesel. W Response: As it is not appropriate to use the word " ensure" since its interpretation is subjective. Westinghouse recommends the stafs statement be reworded to read "To preventfloodmg in a RCA in the autiliary buildingfrom propagating to . ' and to remos e the statement in parentheses. The statement will then be consistent with SSAR subsection 3.4.1.2.2.2. Per the 2/12/98 WINRC meeting, Westinghouse agreed to include the staff's statement, with the modifications noted above in this Wresponse, into PRA Table 59 29. (disposition = SSAR 3.4.1.2.2.2] (see item #SS of Table 720.434F 1) h The two 72 hour rated Class IE dmsion B and C batteries are located above the maximum Hood height in the Auxiliary Building considermg all possible Gooding sources (includmg propagation from sources located outside the Auxiliary Building). . W Response: It is not clear shy the staffincludes this statement as an important insightfrom the PRA. The 24 hour Class lE batteries are usedfor safe shutdown operation: the 72. hour batteries are usedfor functions such as post accident sampling. The staff's statement is accurate. Per the 2/12/98 720.434rcai> 32 W wennmus. l

l NRC FSER OPEN ITEM A WINRC meeting, Westinghouse agreed to include the staff's statement into Table 59 29 (disposition = SSAR 9A) (see item #56 of Table 720.434Fd)

7. Flood water propagated from the Turbine Building to the Auxiliary Building salve / piping penetration room at grade level (the only Auxihary Buildirg rea that interf aces with the Turbine Building)is directed to drains and to outside through access doors. This, combined with the presence of water tight walls and floor of the valve / penetration room, limits the maximum flood height in the valve / piping penetration room (to about 36 inches) and ensures that the Gooding does not propagate beyond this area.

E' Response: Change the words " ensures that theflooding does not propagate . " to " presents flooding from propagating be.sond this area." The statement is then accurate per SSAR subsection 3.4.1.2.2.2. Auxiliary Building Lesel 3, non RCA discussion. Per the 2/12/98 WINRC meeting, Westinghouse

         !                      agreed to include the stcf' statement, with the modifications noted above in this W response, into Table 59 29. (dispo. . ion = SSAR 3.4.1.2.2.2] (see item #57 of Tale 720.434F l)
8. The mechanical and electacal equipment in the Auxiliary Building are separated to prevent propagation of leaks from the piping and mechanical areas to the Class IE electrical and Class IE I&C equipment rooms.

E' Response: By rettsing the wording to read " the piping and mechanical eauipment areas", the stafs

          <                      statement becomes consistent wsth SSAR subsection 3.4.1.2.2.2. Per the 2/12/98 WINRC meeting, Westinghouse agreed to include the staff's statement, with the modification noted above in the W response, into Table 59 29. [ disposition = SSAR 3.4.1.2.2.2] (see item #58 of Table 720.434F.I)

Turbine Building

1. No safety related equipment is located in the turbine building. There is a 3-hout Ore bamer wall between the turbine building aiid the safety related areas of the Nuclear Island.

E' Response: This is an accurate statement. per SSAR subsection 3.4.1.2.2.3. At the 2/12/98 WINRC meeting, NRC agreed thh item need not be included in Table 59 29 because it is superseded by item #42 of PRA Table 59 29. (Note there was not item 2 or 3 in Attachment 2 of NRC's November 7,1997 letter.)

4. Connections to sources of"large" quantity of water are located in the Turbine Building. They are the service water system (SWS) which interfaces with the component cooling water system (CCS) and the circulating water system (CWS) which interfaces with the turbine building closed cooling system (TCS) and the condenser. Features that mmimize flood propagation to other buildings are:
                      -     Flow from any postulated ruptures above grade level (elevation 100'- 0")in th Turbine Building flows down to grade level via Coor grating and stairwells. Riis grating in the floors also prevents any significant propagation of water to the Auxiliary or Annex Buildings via 1.1w under the doors.

720.434F(RI)-33 1

1 j s NRC FSER OPEN ITEM 2

                     -        A relief panel in the Turbine Building west wall at grade level directs the water outside the building to the y ard and limits the maximum flood lesel in the Turbine Building to less than 6 inches. Floodmg propagation to areas of the adjacent Auxilbry and Annex Buildings. via now under doors or backnow through the d*ains. is possible but is bounded by a postulated break in those areas.

E' Response: Information in SSAR subsntion 3Al.2.2.3 supports the staff's statement once the word " Annex" s is remosedfrom the two sub-bullets. Per the 2/12/98 H'/NRC meeting, n'estinghouse agreed to include the staffs statement but with the word "Anr.:x" removed. The disposition willbe SSA R 3Al.2.2.3. (see item #$9 of Table 720.43IF.1) Anatilhillding

1. There is no safety-related equipment located in the Annex Building.

W Response: This is an accurate statement. per SSAR subsection 3.41.2.2.3. At the 2/12/98 n'/NRC meeting, NRC agreed this item need not be included in Table 59 29 because it is superseded by item #42 of PRA Table 59 29.

2. Flood water in the Annex Building grade level is directed by the sloped floor to drains and to the yard area through the front door of the Annex Building.

n' Response: Remove the nord " front"from the statement. and then et becomes an accurate statement. per SSAR subsection 3AI.2.2.3. Per the 2/12/98 H'/NRC meeting, n'estinghouse agreed to include the staffs statement but win the word " front" removed. The disposition willbe SSAR 3Al.2.2.3. (see item #60 of Table 720.434F l)

3. Flow from any postulated ruptures above grade level in the Annex Building is directed by Moor drams to the Annes Building sump which discharges to the Turbine Building dram tank. Alternate paths include Dows to the Turbme Building via now under access doors and down to grade lesel via stairwells and elevator shaft.

h' Response: Remose the word "any"from the statement, and then st becomes consistent wsth SSAR subsection 3 4 1.2.2.3. Per the 2/12/98 %'INRC sneering, n'estinghouse agreed to include the staffs statement but with the word "any" removed. The disposition will be SSAR 3AI.2.2.3. (see item

                                     #60 of Table 720.434F I) 4        The doors of the Annes Building are sloped away from the access doors to the Auxiliary Building in the sicinity of the access doors to present migration of Good watcr to the non radiologically controlled areas of the Nuclear Island where all safety-related equipment, except for some containment isolation vahes, is located. llTAAC).

h' Response: This is an accurate statement per SSAR subsection 3AI.2.2.3. Per the 2/12/98 H'/NRC meeting, n'estinghouse agreed to include the staffs statement but with the word "(ITAACJ" removed. The disposition will be SSAR 3A1.2.2.3. (see item #60 of Table 720.434F l) W85tingh0US8

l . NHC FSER OPEN ITEM gm- .. if

5. There are no connections to sources of " unlimited" quantity of water in the Annex Building.

W Response: It is not understood what is the definition of " unlimited quantsty of sater" or the purpose of this statement. At the 2/12/98 H7NRC meeting, the term " unlimited" was discussed. The NRC staff explained that it means an unlimited body of water such as a lake or the ocean. Therefore, based on this understanding, %'estinghouse agreed to include the staff's statement into PRA Table 59 29. (disposition = SSAR Figure 9.5.11] (see item #61 of Table 720.434F.I) Rugwr Coolant Svstem

1. To present overdraining, the RCS hot and cold legs are vertically offset which permits draining of the steam generators for nozzle dam insertion with a hot les level much higher than traditional designs This lesel is nominally 80 percent lesel m the hot leg.

W Response: This is ar. accurate statement per SSAR subsection 5 4.6.2. Although the second sentence may be an msight of the Shutdown Evaluation Report. it is not understood a hy this is an important insight from the PRA. Per the 2/12/98 %7NRC meeting, %'estinghouse agreed to include the staff's first sentence into PRA Table 59 29. [ disposition = SSAR 5.4.6] (see item #62 of Table 720.434F.!)

2. To lower the level in that hot leg the vortexing can occur, a step nozzle connection between the RCS hot leg and the RHR suction line is used. The step nozzle is a 20 inch schedule 140 pipe, approximately 2 feet long.

W Response: Although this may be stated within the Shutdown Evaluation Report, it is not understood why this detail of unformation is an important insight of the PRA. For esample, the schedule of the piping is not umportant in calculating the failure prchability. Mc~,,i .) i'.i >;uff r wlu.~ u l. , ;lui .i .

                                     .,9 #, u .i os o NM mnglu. i'..,. pl. ss is..se ..b c p ,u,g cf i's jiss; 3 ,..< .cs u,.c. .i eppenes tMir u n.us u... n, ei To be consistent anh SSAR subsection 5.4.7.2.1. %'estinghouse recommends thefirst sentence read "T3 lower the RCS hot leg level at which a vortes occurs in the RNS suction line, u iiip uc ul< . " Per the 2/12/98 %7NRC meeting, %'estinghouse agreed to include the staff's first sentence, with the modifications noted in the %' response, into PRA Table 59 29. (disposition = SSAR 5.4.7 and SSAR Figure 5.15] (see item #62 of Table 720.434F.!)
3. Should vortexing occur, the maximum air entrainment into the pump suction was shown experimentally to be no greater than 5 percent.

W Response: Although this may be stated within the Shutdown Evaluation Report. it is not understood ahy this information is an important snsight from the PRA. However if the sta[f esplains shy this is important as a PRA insight, then please revise the sentence to read " . RNS pump suction . " Per the 2/12/98 %7NRC meeting, n'estinghouse agreed to include thefollowing into PRA Table 59 29: "Should vortexing occur, air entrainment into the RNS pump suction is limited." [ disposition = SSAR 5.4.7.2.11 (see item #62 of Table 720.434F.!) 720.434F(R1)-35 W

                      - WestinEflotse

l l . NRC FSER OPEN ITEM A

4. There are two safety-related RCS hot leg level channels, one located in each hot leg. These lesel instruments are independent and do not share instrument lines. These lesel indicators ate provided primanly to monitor RCS lesel during m;Jkiop operations. One lesel tap is at the bottom of the hot leg, and the other tap is on the top of the hot leg as close to the steam generator as possible.

W Resp <mse: Although thic may be stated a sthin the Shutdown Esaluati<m Report. it is not understood nhy this mformation es - important instght from the PRA. Per the 2/12/98 WINRC meeting, Westinghov ed to include the staff's statement into PRA Table 59 29. (disposition = SSAR Figure 5.!.51 (see item #62 of Tabir 720.434F l)

5. Wide range pressunier level indication (cold cahbr ied)is provided that can measure RCS level to the bottom of the hot legs. The upper level tap is connected to an ADS valse inlet het. der pbose the top of the pressunier. He lower level tap is connected to the bottom of the hot leg. his non-saiety related pressurizer lesel indication can be used as an alternatise way of monitoring lesel and can be used to identify inconsistencies m the safety related hot leg lesel instrumentation.

W Response: Although this may be stated within the Shutdonn Evaluation Report, it is not understood why t'.is unformation is an important insight from the PRA. Per the 2!!2/98 WINRC meeting, Westinghouse agreed to include the staff's first and last sentence into PRA Table 59-29. (disposition = SSAR Figures 5.l 5] (see item #62 of Table 720.434F.I) 6 The RNS pump suction hne is sloped contmuously upward from the pump to the reactor coolant s) stem hot leg with no local high points. This design eliminates potential problems m refilling the pump suction line if a RNS pump is stoppm when cavitating due to excessise air entramment. This self ventmg suction hne allows the RNS pumps to be immediately restarted once an adequate level in the hot leg is re-established. W Response: This is an accurate statement per SSAR subsection 5.4.7 2.1. Per the 2/12/98 W/NRC meeting, Westinghouse agreed to include the staff's statement into PRA Table 59 29. (disposition = SSAR 5.4.7.2.ll (ser M #62 of Table 720.434F.I)

7. The COL applicant should hase procedures and policies to maumite the asadabihty of the non safety related wide range pressunter lesel indication (cold calibrated) dunng RCS draining operations during cold shutdown. The operators shall be trained to use this indication to identify inconsistencies in the safety related hot leg level instrumentation to present RCS overdraming.

W Response: SSAR section iJ.5 provides the committment that the Combined License applicant is respons ble for developing procedures. The COL items reported in section 13.5 provide the committment at a higher lesel than described in the staffs statement abore. Per the 2/12/98 WINRC meeting, tinghouse agreed to include thefollowing statement into PRA Table 59-29: "It is important naximize the availability oj the nonsafety related wide range pressuri:er levcl indication during RCS draining operations during cold shutdown. The Combined License applicant is responsible for developing procedures and training which encompass this item." [ disposition

                              = SSAR 13.51 (see item #62 of Table 720.434F.I)

W85tiligh0LIS8

NRC FSER OPEN ITEM A Passive Core Cooline systems (PXS) The passive core cooling system (PXS) is composed of (1) the accumulator subsystem, (2) the core makeup tanks (CMTs) subsystem, (3) the in containment refueling water storage tank (IRWST) subsystem, and (1) the pasme residual heat removal (PRHR) subsystem. In addition, the automatic depressurization system (ADS), which is part of the reactor coolant system (RCS). also supports passise core cochng functions. i }i' Response: The staff's statement is cosered by item I of PRA Table 59 29. On the 2/17/98 W!NRC telecon,

         !                       NRC agreed that this information is covered by item I of Table 59 29, Acnimula10n The accumulators provide a safety related mean: of safety injection of borated water to the RCS. The following are some important aspects of the accumulator subsystem as represented in the PRA:
  • There are two accumulators, each with an injection line to the reactor sessel/ direct sessel injection (DV!)

norile. Each injection line has two check valves in senes.

  • Re reliability of the accumulator subsystem is important. The COL will maintain the reliability of the accumulator subsystem.
  • Diversity b tw n the accumulator check valves and the CMT check salves minimites the potential for s

common cause tailures.

               }k' Response:      The stafs statement on accumulators is coscred by item la of PRA Table 59 29. On the 2/17/98 W/NRC telecon, NRC agreed that this information is covered by item la of Table 59 29, Cnts_Llutp Tanks (CMTs)

The CMTs provide safety related means of high pressure safety injection of borated water to the RCS. The following are scme important aspects of CMT subsystem as represented in the PRA:

  • There are two CMTs, each with an injection hne to the reactor sessel/DVI nozzle. Each CMT has a normally open pressure balance line from an RCS cold leg. Each injectian hne is isolated with a parallel set of air-operated valves ( AOVs) which open on loss of Class IE de power, loss of air, or loss of the signal from the PMS. The injection line for each CMT also has two normally open check valves m series.
  • ne CMT AOVs are automatically and manually actuated from PM5 and DAS and their positions are indiwted and alarmed in the control room.
  • CMT level instrumentation prosides an actuation signal to initiate automatic ADS and provides the actuation signal for the IRWST squib valses to open, 72 m m 7 W Westinghouse

NRC FSER OPEN ITEM

                                                                                                                                    ~

b

  • Re CMTs are risk important for power conditions because the lesel indicators in the CMTs provide an open signal to ADS and to the IRWST squib salves as the CMTs empty. The COL will maintain the reliability of the CMT subsystem. These AOVs are stroke tested quarterly.
  • CMT is required by the Technical Specifications to be available from power conditions down through cold shutdown with RCS pressure boundary intact.
               }\' Respon se:          The .stafs statement on CAfTs is covered by item Ic of PRA Table $4 29. On the 1/17/98 W/NRC telecon. NRC agreed that this information is covered by item Ic of Table 59 29.

IrtContainmtnLRefueling Water Storag:Ank (IRWST)

The IRWST subsystem provides a safety related means of performing (1) low pressure safety injection following ADS actuation,(2)long term core cooling via containment recirculation and (3) reactor vessel coolmg through the flooding of the reactor cavity by draining the IRWST into the containment. He following are some important aspects of the IRWST subsystem as repmented in the PRA
  • IRWST subsystem has the following flowpaths:
                        -        Two (redundant) injection lines from IRWST to reactor sessel DVI noule. Each line is isolated with a parallel set of sabes; each set with a check vahe in series with a squib valve.

Two tredundant) recirculation lines from the contamment to the IRWST injection line. Each recirculation line has two paths: one path contains a squib vahe end a MOV, the other path contains a squib valve and a check valve.

                         -        The two MOV/ squib sabe hnes also provide the capability to flood the reactor cavity.
  • There are screens for each IRWST injection line and recirculation line which ensure that they are not clogged by debris or other materials generated in the IRWST or containment sump. The COL Applicant will maintain the rehability of such screens.
  • Esplosise (squib) sabes provide the pressure boundary and protect the check val <es from any potential adserse impact of high differential pressures.
  • The Squib vahes and MOVs are powered by Class IE de power and their positions are indicated and alarmed in the control room.
  • The squib valves and MOVs for injection and recirculation are automatically and manually actuated via PMS, and manually actuated sia DAS.
  • Re squib vahes and MOVs for reactor cavity flooding are manually actuated via PMS and DAS from the cot. trol room.

720.434F(RI) 38 g

 ._ _ _ . . __ _ __      _               __ __                            . _ _    _     . . _.__ ~ .                  _.    . _ _ _ _ _ __ . _ _ . _

NRC FSER OPEN ITEM e u .. 1

  • Disersity of the squib salves in the injection imes and recirculation lmes minimites the potential for common cause failure between injection and recirculation / reactor cavity flooding.

.

  • Automatic IRWST injection at shutdown conditions is provided using PMS low hot leg level logic.
  • IRWST injection and recirculation check vahes are exercised at each refueling. IRWST injection and recirculation squib vahe actuators are tested every 2 years for 20 percent of the valves. IRWST recirculation MOVs are stroke-tested quarterly.
  • The reliability of the IRWST subsystem is important. The COL will maintain the reliability of the IRWST subsys:em.
  • IRWST injection and recirculation are required by Technical S,r cifications to be available from power conditions to refueling without the cavity flooded.

W Response: The staffs statements above on IRWST is covered by item Id of PRA Table 59 29. except Westinghouse wishes to note thefollowing change should be made to what us written above:

                                                 .       Second bullet - remove the work " ensure"for reasons provided earlier m this document.

An accurate statement would read * . recirculation line which prevents clogging by debris

                                                             " Also note the COL item is covered by a higher level action of the COL will maintain the reliability of the IRWST subsystem (SSAR Section 17.4).

During the 2lli/98 WINRC telecon, Westinghouse agreed to change the text of the RAF item under Id of Table 59 29 to read as follows (note the added text is in quotes): The reliability of the IRWST subsystems is important. *rhe COL will maintain the reliability of the IRWST subsystems ", including the IR WSTand containment recirculation screens. "(disposition remains the SSAR RAF section 17.4) (see item Id of Table 720.434F.!). The IRWST provides a safety related long term source of water during shutdow n conditions. The follow mg are a me additional important aspects of the IRWST subsystem as represented in the shutdown PRA. The COL applicant shouM provide administrative controls to control trash generated during shutdown operations from entenng the RCS and the IRWST which could possibly plug the screens. W Response: As stated in SSAR section 13.5. the Combined License applicant is responsible for developing administrative controls. The CUL item in SSAR chapter 13 covers the staff's statement at a higher level. Per the 2/12/98 WINRC meeting, Westinghouse agreed to include the following item into PRA Table 59 29: "A Combined License applica'nt cleanliness program controlsforeign debris from being introduced into the IRWST tank during maintenance and inspection operations." (dhposition = SSAR 6.3.2.2.7.2 and 6.3.8.1) (see item #72 of Table 720.434F.!) ] On low hot leg lesel, the PMS actuates the squib valves to open allowing gravity injection from the IRWST. 720.434F(RI)-39

NRC FSER OPEN ITEM W Response: This statement is a duplicate of the 8th bullet on IRWST(see abose). On the 2/11/98 WINRC telecon, NRC agreed this is a duplicate item. Passise RuidsUhat Removal (PRHR) System The PRHR provides a safety related means of performing the following functions: (1) remoses core decay heat during accidents, (2) allows adequate plant performance during transient (non LOCA and non-ATWS) accidents without ADS,0) allows automatic termination of RCS leak dunng a SGTR accident without ADS, and (4) provides core coolmg and pressure contros during the early phase of an ATWS accident. W Response: For item (2). recommend changing the word " allows" to "provides.* Item (4) is ambiguous by using the words early phase of an ATWS. The phrase should read, " allows plant to ride out an ADVS esent without rod insertion." During the 2/17/98 WINRC telecon, Westinghouse agreed to include the following in item le of Table 59 29: ". Allows plant to ride out an A TWS event witi.out rod insertion." (see item le of Table 720.434F l) The following important aspects of the PRHR design and operation features are incorporated in the PRA models:

          +        PRHR is actuated by opening redundant parallel air operated valses (AOVs). These AOVs are designed to fail r:n on loss of Class IE power, loss of air, or loss of signal from the protection and safety monitoring system (PMS).
  • The PRHR AOVs are automatically actuated by two redundant and diserse I&C systems: (1) the safety.

related protection and safety monitonng system (PMS) and (2) the nonsafety related diserse actuation system (DAS). The PRHR can also be actuated manually from the control room usmg either PMS or DAS.

  • Dise;sity of the PRHR AOVs from the AOVs in the core makeup tanks (CMTs) minimizes the probability for common cause failure of both PRHR and CMT AOVs.
  • The positions of the inlet and outlet PRHR valves are indicated and alarmed in the MCR.

W Response: The staff's above statements on PRHR are covered by item le of PRA Table 59 29. On the 2/17/98 W/NRC telecon, NRC agreed that this information is covered by item le of Table 59-29.

  • The PRHR AOVs and isolation MOV are tested quarterly. The PRHR HX is flow tested at shutdown.

W Response: It is true the PRHR A0Vs are tested quarterly, per IST(SSAR subsection J.9.6). As stated an the PRA and SSAR, the AIOV is closed to test the AOVs. so indirectly, the Af0V is also tesad; however, the Af0V is not specsfied as such per IST and the PRA. The words "ad isolation A10V" should be removedfrom the staffs statement to be technically accurate. It is accurate to say the PRHR HX is flow tested (as is stated by item le in PRA Table 59 29), but it is inisleading to say st is tested at shutdown, The HX is flow tested at shutdown, but not every t me the plant is shutdonn. Per Technical Specsfication, the PRHR HX is flow tested every 10 years. It is not an 720.434F(RI)-40

Ng rSER OPEN ITEM

i + i..
                                                                                                                                       !i i

insightfrom the PRA to include ti.is level of detailItheflow testfrequency). The recommendation is the staffs bullet above be changed to nhat is provided by item le in PRA Table 59 29. On the 2/17/98 W/NRC telecon, NRC agreed that this Westinghouse response is acceptable. No further action is required.

  • Use of the PRHR heat exchanger (HX) for long term cooling causes the IRWST water to heat up, resulting in inventory loss through evaporation. To ensure successful long term cooling by the PRHR HX, the evaporated IRWST inventory niust return to the IRWST after condensed on the containment liner and collected in the IRWST gutter system. The IRWST guter system, which directs the water tr. the containment sump during no mal plant operation,is automatically re a!:,ned to direct the water back to the IRWST during an accident. The following design features ensure proper re alignment of the gutter system valves to direct water to the IRWST during accidents:

2

                   -     the IRWST gutter and its isolation valves are safety grade
                   -     the valves that re-direct the flow are designed to fail safe on loss of compressed air, loss of Class IE DC power, or loss of the PMS signal.
                   -     the isolation valves are actuated automatically by PMS and DAS.

W Response: The staffs statement should be reworded asfollows, to be technically accurate. Note the statement below is consistent with SSAR subsection 6.3.2.1.1.

                                               "The PRHR HX. in conjunction with the PCS. can provide core coolingfor an indefinite period of time. After the IRWST water reaches its saturatir - romperature. the process of steaming to the containment initiates. Condensation occs.. on the steel containment vessel, and the ccmdensate is collected in a safety related gutter arrangement which returns the condensate to the IRWST. The gutter normally drains to the containment sump. but when the PRHR HX actuates, safety related isolation valves in the gutter drain line shut and the gutter overlow returns directly to the IRWST. The following design

, features provide prsper re alignmentfo of the gutter system valves to direct water to the IRWST " The staffs three sub bullets above are accurate, etcept change the word " safety grade" to " safety related" and " fail safe" to " fait closed." During the 2/17/98 WINRC telecon, Westinghouse agreed to include the quoted information in our response into item le of Table 59 29, alcng with the other word changes noted above in the response. (disposition a SSAR 6.3.2.1.1] (see item le of Table 72i).434F 1)

  • Use of the PRHR HX for long term cooling will result in steaming to the containment. The steam will normally condense on the containment shell and return to the IRWST via the gutter system. If the condensate does not return to the IRWST, the IRWST volume is sufficient for at least 72 hours of PRHR operation.

Connections to the IRWST are pmvided from the spent fuel system (SFS) and chemical and volume corarol 720.434F(RI) 41

! 6 NRC FSER OPEN ITEM A syst6m (CVS) to estend PRHR operation. A safety-related makeup connection is also provided from outside the contamment through the normal residual heat removal system (RNS) to the IRWST. W Response: This is an accurate statement and is covered by item le of Table 59 29. On the 2/17/98 WINRC telecon, NRC agreed that this information is cosered by item le of Table 59 29.

  • Capabihty exists in the control room to identify a leak m the PRHR HX which could degrade to a tube rupture under the stress conditions, such as RCS pressure increase and temperature gradients mside the HX tebe walls, likely to occur durmg a postulated accident requiring PRHR operation.

W Response: Recommend the staff's statement stop after the words " tube rupture". By continuing with the specifics of tying this to a transient, it deminishes the leak tightness capability. Note the statement will be consistent nith PRA Table 59 29, item le, by ending the sentence as recommended. Also note the operator guidance is provided via Tcchnical Specification 3.4.8. On the 2/17198 WINRC telecon, NP.C agreed that this information is cosered by item le of Table 59 29,

  • Technical Specificatmns require the PRHR to be available, with RCS boundary intact. from power conditions down through cold shutdow n. Guidance is provided for operator action when a leak is detected in the PRHR HX which could oegrade to a tube rupture during normal power operation conditions or under stress conditions, such as RCS pressure increase and temperature gradients inside the HX tube walls, hkely to occur dunng a postulated accident requiring PRHR r peration.

W Response: The first sentence is an accurate statement and is covered by item le of Table 59 29 The second sentence is essentially a repeat of the previos.: bullet. Recommend the second sentence be deleted During the 2/17/98 WINRC telecon, Westinghouse agreed to change the wording ofitem le in Table 59 29 as follows (note change is shows in quotes): Capability exists "and guidance is provided"for the control room operator to idemify a leak ... . (see item le of Table 720.434F.I)

  • The PRHR systems proudes a safety related means of remoung decay heat followmg loss of shutdown cooling dunng safe / cold shutdown with the RCS intact.

W Response: Change the words " shutdown cooling" to "RPS cooling" This is an accurate starement and is covered by Technical Spectfication bases 3.5.5. During the 2/17/98 ValNRC telecon, Westinghouse agreed to include thefollowing statement in item le of Table 59 29: "The PRHR subsystem provides a safety related means of removing decay heas following loss of RNS cooling during safe / cold shutdown with the RCS intacts." [dispositism = SSAft 16.11 (see item le of TaHe 720.434F 1) Automatic Depressunzation System ( ADS) ADS provides a safety-related means of depressurizing the RCS. The following are son.e important aspects of ADS as represented in tl e PRA: 720.434F(RI)-42

NRC FSER OPEN ITEM A

       .         ADS has four r,taEcs. Each staFe is arranged into two separate groups of valves and lines. Stages 1,2, and 3 discharge from the top of the pressuriier to the IRWST. Stafe 4 discharges from the hot leg to the RCS loop compartment.
  • Each stage 1,2, and 3 line contains two hiOVs in senes. Each stage 4 line contains an hiOV valve and a squib valve in series.
        .        The valve arrangement and positioning for each stage is designed to reduce spurious actuation of ADS.
                  -      Stage 1,2, and 3 N10Vs are normally closed and have separate controls.
                  -       Each stage 4 squib valve has redundant, series controllers.
                  -       Stage 4 is blocked from opening at high RCS pressures.
  • The ADS valves are automatically and manually actuated via the protection and safety monitoring system (PhtS), and manual' ...ated via the diverse actuation systen ,DAS).
  • T1 e AD .c powered from Class IE de power and their positions are indicated and alarmed in the ce r
         .         Stage 1, 2, and 3 valves a.e stroke-tested escry 6 months. Note: Westinghouse has mdicated that this requirement may sh m e a result of an NRC review. Stage 4 squib valve actuators are tested every 2 years for 20 percent of the vahes.
  • The reliabihty of the ADS is important. The COL will maintain the reliabihty of the ADS.
  • ADS is required by the Technical Specifications to be available from power conditions down through refueling without the cavity flooded.
  • Depressuritation of the RCS through ADS minimites the potential for high-pressure melt ejection events.

Procedures will be provided for use of the ADS for depressunzation of the RCS dunng a severe accident. 11' Response: The staff's above statements on ADS are covered by stem Ib of PRA Table 59 29. Note for the 6th bullet, as a result of NRC review, the stage I, 2, and 3 valves are now stroke-tested every cold shutdown. With the number of cold shutdowns and refuelings assumed in the shutdown PRA the test frequency is equivalent to being tested every 6 months. PRA Table 59 29 well be revised appropria: sly. Notefor the 9th bullet. the wording "during a severe accident" should be changed to "afte core uncovery." On the 2/17/98 WINRC telecon, NRC agreed with the Westinghouse resprinse. It was also agreed during the telecon that Westinghouse willprovide a change to the table in PRA Appendix C to address the ADS stage 1/2/3 valve stroke test frequency. See Attachment 720.434F 2for the markup of PRA Appendix C. fsee item Ib of Table 720.434F 1 for change to stage 1/2/3 testfrequency) 720.434F(RI)-43

 .-.      .-             - . . - -           _-. .- . ~ . - - . .- .-                             .-          - . _ .      .-           . , - .

NRC FSER OPEN ITEM

  • Fire induced hot shorts, especially in I&C copper cables from the protection logic cabinets to the squib vahe operators. ceutd cause detonation of a squib vahe. This risk important concern should be addressed by appropriate power and control cable separation and routing and by the incorporation of features and requiremt ;ts in the detailed deugn of ADS cabhng.

W Response:  %'estinghouse recommends the words of the staffs statement be changed to read as described in SSAR subsection 9A.2.7.1. specsfically, " Spurious actuation of squib valves is pres ented by the use of a sqush valve controller circuit which requires multiple hot shorts for actuation. physical separation of potential hot short locations (e.g., routing of ADS cables and low voltage cable trays, and the use of redundant serses controllers located in separate cabinets), and provisions for operator action to remove poner from the fire zone ~ Note as stated in the unternalfire PRA anaI> sis. it is conservatively modeled in the PRA analysis that one hot short can cause spurious ADS squib valse actuation. whereas. per design. multiple hot shorts are required. During the 2/17/98 %'/NRC telecon, n'estinghouse agreed to include the above quoted information in Table 59 29. (disposition a SSAR 9A.2.7] (see item 66 of Table 720.434F 1)

  • The first, second, and third. stage vahes, connected to the top of the pressurizer, provide a sent path to preclude pressuritation of the RCS during shutdown conditions if decay heat removal is lost. One fourth stage ADS vahr is required to open if gravity injection is actuated during cold shutdown and refueling with the RCS is open to preclude surge ime flooding. On low low hot leg level (empty hot leg), the PMS signals the ADS 4th stage squibs to open m preclude surge line Hooding.

E Response: This is an accurate statem. nt. A statement discussing the fourth stage valves will be added to PRA Table 59 29 Per the 2/12l98 %*/NRC meeting, n'estinghouse agreed to also include a , statement about thefirst, secend, and third stage valves as on item in PRA Table 59 29. (see item Ulb of Table 720.434F.I) N2muLBntslual lleat Remosal Ssstem (RNS) The normal residual heat removal system (RNS) provides the following nonsafety related means of core cooling i durmg accidents: ( t ) RCS recirculation at shutdown conditic.ru,(2) low pressure pumped injection from the IRWST, and (3)long term pumped recirculation from the containment sump. Such RNS functmns provide defense-m depth m mitigatng accidents, in addition to that provided by the pa.ssise safety related systems. W Response: This is an accurate statement. The statement is covered by item 6 of PRA Table 59 29. On the 2/17/98 W/NRC telecon. NRC agreed that this information is cosered by item 6 of Table 59 29. The following are some important aspects of RNS as represented m the PRA: The RNS has redundant pumps, powered by separate non-Class IE buses with backup connectmns from the diesel generators, and redundant heat exchangers. ~ y menwm. *d3* "

                                                      .           .                          _                      _    __ .          m     _ _ . _ .        _ _

, NRC FSER OPEN ITEM y . .. a

                                                                                                                                                =         s I
       , W Response:       This is an accurate statement and is cosered by item 6 of PRA Table 59 29. On the 2/17/98
                            %7NRC telecon, NRC agreed that this information is covered by item 6 of Table 59 29.
  • The RNS provides safety-related means for (1) containment isolation at the penetration of the RNS lines,(2)

RCS isolation at the RNS suction and discharge lines, and (3) IRWST and containment sump inventory makeup. 4 W Response: Gape foi p, . ,e i3t.-the uba.. u .st ucc.iuei ieae., . ,,e aiid co.iiid by ,a, i 6 of rllA Tabli 59-27 leci i (3) v vu viiice. RNS-daii iise r, , .'di u iuf. e.,-iilaei d i- uuu. b-i is.il ii a J.J. iai , ,

      ,                    J r l,e f,. . .. ,i of lRWST aiid ca.ieuu., ....e i ,,.p , . . . ,.vi) i.al. p. During the 2/17/98 %7NRC
      \                    telecon, Westinghouse agreed to change the third sub bullet of the first item ofinsight #6 of i                    Table 59 29 to read asfollows (note changes are shown in quotes): "Long-term, post accident" l                    makeup of containment inventory. (see item #6 of Table 720.434F l)
  • The RNS is manually aligned from the control room to perform its core cooling functions [SSAR).

j Emergency Response Guidelines (ERGS) are provided for aligning the RNS from the control room for RCS mjection and recirculation. I W Response: This is an accurate statement. During the 2/17/98 %7NRC telecon, it was noted that the first I sentence is already covered by item 6 of Table 59 29. The second sentence will be added to l Table 59 29. (disposition = ERGS] (see item #67 of Table 720.434F l)

  • Recirculation from the containment sump is actuated automatically by a low IRWST level signal or manually from the control room, if automatic actuation fails.

E Respons*: This stateme u is misleading as worded. It should read "PXS recirculation salves are automatically actuated . " It is believed the staff was intending to mean the IRWST recirculation i salves rather than an RNS recurculation (i.e., pumps stop, start) as could be interpreted by the statement. Note that of RNS is operating the RNS pumps nill continue to operate and provide containment recirculation. During the 2/17/98 %7NRC telecon, Westinghouse agreed to add the following statement to item Id of Table 59 29: "PXS recirculation valves are automatically actuated by a low hb "levelsignalor manuallyfrom the controlroom, sf automatic actuation fails." (disposition SSAR 6.3] (see item Id of Table 720.434F 1} ' a For long term recirculation operation, the RNS pumps take suction from only one of the two sump recirculation imes. Unrestricted now through both parallel paths (one containing an MOV and a squib valve in series, the other containing a check vahe and a squib valve m series) is required for success of the sump recircuiraion function v hen both RNS pumps are running. If one of the two parallel paths fails to open, operator action (in the control room through PMS)is required to manually throttle the RNS discharge MOV (V0ll) to prevent pump cavitation. [ ERGS). W Response: This is an accurate statement per the PRA. During the 2/17/98 %7NRC telecon, Westinghouse agreed Ic add the staff's statement to Table 59 29. (disposition = PRA Chapter 17 and Emergency Response Guidelines] (see item #67 of Table 720.434F 1) 720 434F(RI)-45 W Westinghot..e

NRC FSER OPEN ITEM Lg e With the NRHR pumps aligned either to the IRWST or the containment sump, the pumps' net positise suction head (NPSH) is adequate to present pump cautation and failure esen when the IRWST or sump insentory is saturated E Response: Change NRHR to RNS. This above is an accurate statement. During the 2/17/98 W/NRC telecon, Westinghouse agreed to add the staff's statement, with the changefrom NRHR to RNS, to Table 59 29. (disposition = SSAR 5.4.7] (see item #67 of Tc.ble 720.434F l)

  • The RNS containment isolation and RCS pressure boundary valves are safety related. The MOVs are powered by Class IE de power.

W Response: This is consistent wnh item 6 of PRA Table 59 29 On the 2/17/98 WINRC telecon, NRC agreed i the statement is covered by item 6 of Table 59 29.

  • The containment isolation valves in the RNS piping close automatically via PMS with a high radiation signal.

Westinghouse analyses indicate that under all accident conditions but large LOCAs, the containment radiation lesel is well below the pomt that would cause the RNS MOVs to automatically close. W Response: Thefirst sentence is consistent with item 6 of PRA Table 59 29. The second sentence tends to lead besond a.. insightfrom the PRA. However, if the staff explains why it considers this an insight. then Westinghouse recommends the second sentence be reworded to read: The actuation setroint was established consistent with a DBA non. mechanistic source term associated with a large LorA.' During the 2/17/98 WINRC telecon, NRC agreed the first sentence is covered by item 6 of Table 59 29. Westinghouse agreed to include the above quoted statement plus the following: "The containment radiation levelfor other accidents is expected to be below ..'.s point that would cause the RNS MOVs to automatically close." fsee item #67 of Table 720.434F 1)

  • The following AP600 design features contnbute to the low likehhood of interfacing system LOCAs through the NRHR system:

The portion of the RNS outside containment is capable of withstanding the operating pressure of the RCS. A relief salve located in the common RNS discharge lme outs le containment provides protection against excess pressure. Each RNS line is isolated by at least three vahes. The pressure in the RNS pump suction line is continuously indicated and alarmed in the main control room. The pump suctwn isolation vahes ennecting the RNS pumps to the RCS hot leg are interlocked with RCS pressure so that they cannot be opened until the RCS pressure is less than 450 psig.11us prevents oserpressurization of the RCS when the RNS is aligned for shutdown cochng. 720.434F(RI) 46 1 1

\ . NRC FSER OPEN ITEM

                                                                                                                                                                   . a;;.
                -      The two remotely operated MOVs connecting the suction and discharge headers, respectnely, to the IRWST are interlocked with the isolation sabes connecting the RNS pumps to the hot leg. This prevents inadsertent opening of any of these two MOVs w hen the RNS is aligned for shutdown cooling and potential diversion and draining of reactor coolant system.
                -       The power to the four iulation MOVs connecting the RNS pumps to the RCS hot leg is administratively bkicked at their motor control centers during normal power operation. [ COLL
                 -      The operability of the RNS is tested, via connecuans to the IRWST, immediately before its abgnment to the RCS hot leg, for shutdown cooling, to ensure that there are no any open manual vahes in the drain hnes. [SSAR, COL, Procedures].
         }Y Response:        Westinghouse has the following comments for the staff's above statement:
                             -          Change "NRilR system" to "RNS".
                             -          Second sub bullet is a true statement. but net factored into the PRA and is not a Ley to providing a low likelihood of 4terfacing systems LOCA. Thus. Westmel.ouse does not see this as an important statement to include as an insight.
                             -          Last sub bullet: It is true that the sxstem is tested; hosever, it is done to test operability of the system. not solely to minimi e potentialfor interfacing syetems LOCA or to detect an open valve in the dram lines. Hom ner, the testing does have this end result effect.

The words should be revised appropriately. During the 2/17/98 WINRC telecon, Westinghouse agreed to include the informanon of the second, sixth, seventh, and eighth sub bullets in Table 59 29. Notefor the last sub bullet, the sentence will stop after the words " ..for shutdown cooling." fsee item #67 of Table 720.43JF.

                               !)
  • De IRWST suction isolation vahe (V023) and the RCS pressure boundary isolaton valves (V001 A. V001B.

V002A and V002B) are quahfied for DBA conditions.

          }Y Response:         It ts not understood ahy the staffs statement is an instght from the PRA. During the 2/17/98 WINRC telecon, the staff explained what they meant by DBA conditions. DBA is not refering to Chapter IS DBA analyses, but rather the staff meant enviaonmentally qualified. The staff then pointed to the table showing these valves as being environmentally qualified per AP600 Certified Design Material page 2.3 6. Thus, Westinghouse agreed to include a statement in Table 59 29 that reads: "The IRWST suction isolation valve (V023) and the RCS pressure boundary isolation valves (Y00!A/B, V002A/B) are environmentally qualified to perform their safetyfunctions." [ disposition = Certified Design Materiall (see item #76 of Table 720.134F.I)
  • De reliability of the IRWST suction isolation vahe (V023) to open on demand (for RNS injection during power operation and for IRWST gravity injection via the RNS hot leg connection during shutdow n operation) is important. The COL will er.sure high reliabihty. [ COL, D-RAPl.

NRC FSER OPEN ITEM I i W Response: This item is acceptable and is covered by SSAR secthm 17.4 (RAP). Per the 2/12/98 HYNRC meeting, Westinghouse agreed to include the staff's statement as an item in PRA Table 59 29;

however, the last senience will read "The COL will maintain the reliability of this valve."

(disposition a SSAR 17.4) (see item #67 of Table 720.434F.I)

  • An alternative gravity injection path is provided through RNS V-023 during cold shutdown and tefueling conditions with the RCS open. The COL applicant should have policies that maximite the availability of this vahe and procedures to open this valve during cold shutdown and refueling operations when the RCS is open.

E Response: The ERGS cover the operation of the valve. In addition, as stated in SSAR section 13.3, it is the

          !                     responsibility of the Combined License applicant to develop procedures. Per the 2/12/98 n7NRC l                    meeting, Westinghouse agreed to include the staff'sfirst sentence in Table 59 29. (disposition l                     = Emergency Response Guidelines] (see item #75 of Table 720.434F 1) (see also response to l                     item two bullets below which is related to this item]
  • The COL apphcant will mamtain RNS and its support systems (CCS and SWS) during power operation.

W Response: To be accurate and consistent with SSAR section 16.3 (Table .23 2, item 2.2). change the statement to read: " Planned maintenance afecting the RNS cooling function and its support

         !                     systems should be performed in Modes I, 2, 3 when the RNS is not normally operating " Per the 2/12/98 WINRC meeting, Westinghouse agreed to include the previous sentence (in quotes) as an item in PRA Table 59 29. (see item #6 of Table 720.434F.I)
              *     'the COL apphcant will have administrative controls to maximite the likehhood that RNS valve V-023 will be able to open if needed dunng Mode 5 when the RCS is open, and PRHR cannot be used for core cooling.

E Response: As stated in SSAR section 13.5, it is the responsibility of the Combined License applicant to develop administrative procedures. Per the 2/12/98 WINRC meeting, Westinghouse agreed to include a statement in Table 59 29 about the COL being responsiblefor administrative controls of this topic. (disposition = SSAR 13.5] (see item #75 of Table 720.434F 1) Since inadvertent opening of RNS valve V024 results in a draindown of RCS inventory to the IRWST and requires granty injection from the IRWST, the COL applicant will have administrative controls to ensure that inadsertent opening of this valve is unlikely. In addition, the COL applicant should evaluate this error in the human reliability analysis / human factors engineering integration implementation plan. W Response: As stated in SSAR section 13,5, it is the responsibstity of the Combined License applicant to develop administrative procedures. Per the 2/12/98 WINRC meeting, Westinghouse agreed to include thefollowing as an item in PRA Table $9 29: " inadvertent opening of RNS valve V024 results in a draindown of RCS inventory to the IRWST and requires gravity injection from the IRWST. The COL applicant is resp'ssiblefor developing administrative controls to ensure that inadvertent opening of this valve is unlikely." [ disposition = SSAR 13.5] (see item #67 of Table 720.434F.!} 720.434F(RI) 48 ggg

NRC FSER OPEN ITEM A

  • De RNS is an important " defense in depth" system for accidents initiated while the plant is at power or at mid loop during shutdown. He availability control of the RNS and its support systems (CCW, SWS and

! diesel generators) is coseted in SSAR Section 16.3. [RTNSS). W Response: The reason RNS is important while the plant is at pon er is not because it is impot. mt per the FRA results or importance listings, but rather because it provides margin for long term cooling T&H uncertainty. Otherwise, the sta[f's statement is accurate. Per the 2/17/98 WINRC telecon, Westinghouse agreed to include thefollowing statementfor item 10 of Table 59 29: "Short term availability controls for the RNS during at-power conditions reduces PRA uncertainties." (disposition a SSAR 16.3] (see item #10 of Table 720.434F 1) Swigg.fredwger System (SFW) i The SFW system provides a nonsafety-related means of delivering feedwater to the steam generators (SGs) when the mam feedwater pumps are unavailable during an transient. This capability provides an .; ternate core cooling mechanism to the PRHR heat exchanger for ron LOCA and SGTR accidents which minimizes the PRHR challenge rate. The reliability of the "FW system will be maintained by the COL Applicant [D RAPl. i W Response: The staff's statement is essentially taken directlyfrom the SSAR Table 17.4 (RAP). To be accurate, note the words should read startupfeedwater system pumps The rationale provided in this table for why the startup feedwater pumps are included is based on the Expert Panel not PRA. Therefore, it is not clear why the staff's statement is considered an insightfrom the PRA, Per the 2/17/98 W/NRC telecon, Westinghouse agreed to include thefollowing statementfrom the RAP:

                                        "The startupfeedwater system pumps providefeedwater to the steam generator. This capability provides an alternate core cooling mechanism to the PRHR heat exchangers for non LOCA or i-                                      steam generator tube ruptures. The COL will maintain the reliability of the startupfredwater pumps," [ disposition = SSAR 17.4] (see item #68 of Table 720.434F 1)

Ltnitumentation and Control (I&C) The following three I&C systems are credited in the PRA for providing monitoring and control functions during accidents: (1) the safety rehted Protection and Safety Monitoring System (PMS) (2) the nonsafety related Diverse Actuation System (DAS), and (3) the nonsafety-related Plant Control System (PLSh The PMS provides a safety related means of performing the following functions:

  • Automatic and manual reactor trip.
  • Automatic and manual actuation of engineered safety features (ESF).
                     =

Monitor the safety-related functicns dunng and following an accident as required by Regulatory Guide 1.97. 720.434F(RI) 49

i . NRC FSER OPEN ITEM W Response: The staff's statements on PMS are covered by item 2 of PRA Table 59 29. Per the 2/17/98 W/NRC telecon, NRC agreed their statements are covered by item 2 of Table 59 29. The DAS provides a nonsafety-related means of performing the following functions:

  • Automatic and manual reactor trip.
  • Automatic and manual actuation of selected engineered safety features.
  • Piovides control room indication for monitoring of selected safety related functions.
           ! W Response:          The r 's statements on DAS are covered by item 3 of PRA Table 59 29. Per the 2/17/98 W/NRC i                      telecsn, NRC agreed their statements are covered by item 3 of Table 59 29.

The PLS provides a nonsafety-related means of performing the following functions:

  • Automatic and manual control of nonsafety-related sy stems, including " defense in depth" systems (e.g., RNS).
  • Provides control room indication for monitoring overall plant and nonsafety-related system performance.

W Response: SSAR subs ction 7.1.1 support the staff's statements on PLS: howeser, on thefirst bullet, the word

                                   " systems" should be changed to " functions." Per the 2/17/98 W/NRC telecon, Westinghouse agreed to add the staff's statement, with the changed noted in the Westinghouse response, to item 4 of Table 59 29. (disposition = SSAR 7.I,l] (see item #4 of Table 720.434F 1)

The following are some important aspects of Ph15 as represented in the PRA:

  • The PhtS has four (redundant) divisions of reactor inp and ESF actuation and automatically produces a reactor inp or ESF initiation upon an attempt to bypass more than two channels of a function that uses 2 out-of 4 logic.
  • The PhtS has redundant divisions of safety related post-accident parameter display.
  • Each PhtS division is powered from its ' respective Class IE de diusion.
  • The PN1' provides fixed position controls in the control room.
  • The reliabihty of the PN15 is ensured by redundancy and functional diversity within each division:

Ti.e reactor trip functions are divided into two functionally diverse subsystems.

                         -    The ESF functions are processed by two microprocessor based subsystems that are functionally identical in both hardware and software.

720.434F(R1)-50 W Westin ouse

o? NRC FSER OPEN REM - naamm,

  • Separate input channels are provided for the reactor trip and the ESF actuation functions, with the excene of sensors which may be shared.-
  • Sensor redundancy and diversity contribute to the reliability of PMS. Four sensors normally tr.onitor variables used for an ESF actuation. Different type sensors, or same type sensors in different environment, minimize common cause failures.
  • Continuous automatic PMS system monitoring and failure detection / alarm is provided.
  • PMS equipment is designed to accemmodate a loss of the normal heating, ventila' ion, and air conditioning (HVAC). PMS equipment is protected by the passive heat sinks upon failure or degradation of the active HVAC,
  • The reliability of the PMS is important. De COL will maintain the reliability of the PMS.
  • De PMS software is designed, tested, and maintained to be reliable under a controlled verification and validation program written in accodance with IEEE 7-4.". 2 (1993) that has been endorsed by Regulatory Guide 1.152. Elements that contribute tu a reliable software design include:
                 -     A formalized development, modification, and acceptance process in accordance with an approved software QA plan (paraphrased from IEEE standard, Section 5.3, " Quality")
                 -     A venfication and validation program prepared to confirm the design implemented will function as required (IEEE standard, Section 5.3.4, " Verification and Validation")
                 -     Equipment qualification testing performed to demonstrate that the system will function as required in the environment it is intended to be installed in (IEEE standard, Section 5.4, " Equipment Qualification")
                 -     Design for system integrity (performing its intended safety function) when subjected to all conditions, external or internal, that have significant potential for defeating the safety function (abnormal conditions and events) (IEEE standard. Section 5.5, " System integrity")
                 -     Software configura. ion management process (IEEE standard, Section 5.3.5, " Software Configuration
                      - Management").

W Response: The stafs above statements on PAfS are covered by item 2 of PRA Table 59 ?9, aceptfor the 7th bullet. Westinghouse does not claim specifically what is written as the third sentence of the stafs 7th bullet. Rather,functionaldiversity minimi:es the common causefailure among sensors. Per the 2/17198 WINRC telecon, NRC agreed the statements are covered by item 2 of Table 59 29. NRC also agreed to change the wording of the 7th bullet to read as noted in the W response. 4 720.434F(R1) 51

NRC FSER OPEN ITEM r  % . 1 [ He following are some important aspects of DAS as represented in the PRA:

  • Diversity is assumed in the PRA that eliminates the potential for common ca;se failures between PMS and DAS. The DAS automatic actuation signals are generated in a functionally diverse manner from the PMS signals. Disersity between the DAS and PMS is achieved by the use of different architecture. different hardware implementations. and different software.
  • DAS provides control room displays and fixed position controls to allow the operators to take manual actions.
  • DAS actuates using 2 out of 2 logic. Actuation signals are output to the loads in the form of normally de-energized. energize-to actuate signals. He normally de-energized output state, along with the dual 2-out of 2 redundancy, reduces the probability of inadvertent actuation.
  • The actuation devices of DAS and PMS are capable of independent . tion that is not affected by the operation of the other. The DAS is designed to actuate components ont, . a manner that initiates the safety func' ion.
  • Capability is provided for on-line testing and calibration of the DAS channels, including sensors.
  • He DAS manual initiation functions are implemented in a manner that bypasses the signal processing equipment of the DAS automatic logic. This climinates the potential for common cause failures between automatic and manual DAS functions.
  • De DAS reactor trip function is implemented through a trip of the control rods via the motor generator (M-G) set which is separate and diverse from the reactor tnp breakers. The COL will maintain the reliability of the M G set breakers [D RAPl.
  • DAS is an important " defense in depth" system, he availabnity of DAS with respect to both its reactor trip and ESF actuation functions. will be controlled. [RTNSS]. De COL will maintain its reliability [D-RAP).
               }Y Rasponse:         The staff's above statements on DAS are covered by item 3 of PRA Table 59 29. exceptfor the 5th bullet, which is supported by SSAR subsection 7.7.1.11. Per the 2/17/98 WINRC telecon. NRC agreed that the above statements are covered by item 3 of Table 59 29, exceptfor the 5th bullet.

Westinghouse agreed to add the staff's 5th bullet to Table 59 29. (disposition = SSAR 7.7.1.1ll (see item #69 of Table 720.434F 1) In addition, Westinghouse agreed to include thefollowing item into Table 59 29: "Short term availabilitv cont. ols of the DAS during at power conditions reduces PRA uncertainties." (disposition = SSAR 16.3] (see item #69 of Table 720.434F 1) The following are some important aspects of PLS as represented in the PRA:

               -       PLS has redundancy to minimize plant transients.

PLS provides capability for both automatic control and manual control. ', 720.434F(RI) 52 T Westinghouse 9

 -      -                  ~       -         _-                . - _ - . - - - . _ .     ._ .             -, . _ - .

e NRC FGER OPEN ITEM

  • Redundant signal selectors provide PLS with the ability to obtain inputs from the integrated protection cabmets in the PMS. The signal selector function maintains the independence of the PLS and PMS. The signal selectors select those protection system signals that represent the actual status of the plant and reject erroneous signals.

4

  • PLS control functions are distnbuted across multiple distnbuted controllers so that single failures within a controller do not degrade the performance of control functions performed by other controllers.

l }Y Resp <mse: The staff's statements on Pts are covered by item 4 of PRA Table 59 29. Per the 2/17/98 %7NRC l telecon, NRC agreed the statements are covered by item 4 of Table 59 29. Opsite Power The onsite power system consists of the main ac power system and the de power system. The main ac power system is a non Class IE system. The de power system consists of two independent systems: the Class IE de system and the non-Class IE de system.

              ! }Y Response:          The stafs statement is covered by item Sa of PRA Table 59-29. Per the 2/17/98 %7NRC telecon, l                       NRC agreed the statements are covered by item Sa of Table 59 29.

De main ac power system is a non Class IE system comprised of a normal, preferred, and standby power system. It distnbutes power to the reactor, turbine, and balance of plant auxiliary electrical loads for startup, normal operation, and normal /cmergency shutdown. l }Y Response: The stafs statement is covered by item Sa of PRA Table 59 29. Per the 2/17/98 %7NRC telecon, NRC agreed the statemen:s are covered by item Sa of Table 59 29. The Class IE de and uninterruptible power supply (UPS) system (IDS) provides reliable power for the safety-related equipment required for the plant instrumentation, control, monitoring, and other vital functions needed for shutdown of the plant.

                  }Y Response:        The stafs statement is covered by item $b of PRA Table $9-29. Per the 2/17/98 %7NRC telecon, NRC agreed the statements are covered by item Sb of Table 59 29.

The non Class IE de and UPS system (ED3) consists of the elec:ric power supply and distnbution equipment that provide de and uninterruptible ac power to nonsafety-related loads.

                  }Y Response:        The stafs statement is covered by item Sc of PRA Table 59 29. Per the 2/17/98 %7NRC telecon, NRC agreed the statemenu are covered by item Se of Table 59 29.

720.434F(RI)-53

e-e

  • l NRC FSER OPEN ITEM ,

gn: YF The following are some important aspects of the main A2 power system as represented in the PRA:

  • The arrangement of the buses permits feeding functionally redundant pumps or groups of loads from separate buses and enhances the plant operational reliabihty.
  • During power generation mode, the turbine generator normally supplies electric power to the plant auxiliary loads through the unit auxiliary transformers. During plant startup, shutdown, and maintenance, the main ac power is provided by the preferred power supply from the high-voltage switchyard. The onsite standby power system powered by the two onsite standby diesel generators supplies power to selected loads in the event of loss of normal and preferred ac power supplies.
  • Two onsite standby diesel generator units, each furnished with its own support subsystems, provide power to the selected plant nonsafety related ac loads.
                   .           On loss of power to a t'60 V diesel backed bus, the associated diesel ;enerator                          1                        automatically starts and

, produces ac power. De normal source circuit breaker and bus load circuit breakers are opened, and the generator is connected to the bus. Each generator has an automatic load sequencer to enable controlled j loading on the associated buses. l W Response: The staff's statements on main ac power are covered by item $a of PRA Table 59-29. Per the l 2/17/98 W/NRC telecon, NRC agreed the statements are covered by item Sa of Table 59 29. De following are some important aspects of the Class IE de and UPS system ODS) as represented in the PRA:

  • There are four independent, Class IE 125 V de divisions. Divisions A and D cach consists of one battery
bank, one switchboard, and one battery charger, Divisions B and C are each composed of two battery banks, two switchboards, and two battery chargers. De first battery bank in the four divisions is designated as the 24 hour battery bank. De second battery bank in Divisions B and C is designated as the 72 hour battery bank.

l

                   .          The 24 hour battery banks provide power to the loads required for the first 24 haurs following an event of loss of all ac power sources concurrent with a design basis accident. De 72 hour battery banks provide power to those loads requiring power for 72 hours following the same event.

Dattery chargers are connected to de switchboard buses. De input ac power for the Class IE de battery chargers is supplied from non-Class IE 480 V ac diesel generator backed motor control centers. -

  • De 24 hour and 72 hour battery banks are housed in ventilated rooms apart . rom chargers and distribution equipment.
                   *-         Each of the four divisions of de systems are electrically isolated and physically separated to prevent an event from causing the loss of more than one division.
  • Reliability of the Class IE batteries is important. The COL will maintain the reliability of the equipment.

720.434F(RI)-54

                                                     ~        -- - - - -. . - _ _ _ _ _ _ _ . . _ _ _ _ _ _ _ _ _ _ _ . _ _.              _ . _ _ _ _ _ _ _ _ . _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _        _ . _ _ _ _ _ _ _ _ _ _

e' e NRC FSER OPEN ITEM 4:ii W Response: The stafs statements on Class IE de power are covered by item $b of PRA Table 59 29. Per the 2/17/98 W/NRC telecon, NRC agreed the statements are covered by item Sb of Table 59 29. De following are some important aspects of the non Class IE de and UPS system as represented in the PRA:

  • ne non-Class lE de and UPS system coinists of two subsystems representing two separate power supply trains.
  • EDS load groups I,2, and 3 provide 125 V de power to the associated inverter units that supply the ac power to the non Class IE uninterruptible power supply ac system.
  • The onsite standby diesel generator backed 480 V ac distribution system provides the normal ac power to the battery chargers.
  • ne batteries are sired to supply the system loads for a period of at least two hours after loss of eP. ac power sources.

i W Response: The stafs statements on non Class IE de poner are cmered by item Se of PRA Table 59 29. Per

      !                      the 2/17/98 WINRC telecon, hRC agreed the statements are covered by item Se of Table 59 29.

Comoonent Cooline Water System (CCS) ne component cooling water system (CCS)is a nonsafety-related system that removes heat from various components and transfers the heat to the senice water system. The followmg are some important aspects of the CCS as repre sented in the PRA:

  • The CCS is arranged into two trains. Each train includes one pump and one heat exchanger.
  • During normal operation, one CCS pump is cperating. The standby pump is abgned to automatically start in case of a failure of the operating CCS pump.
  • The CCS pumps are automatically loaded on the standby diesel generator in the event of a loss of normal ac power. De CCS, therefore. continues to proside cooling of required components if normal ac power is lost.

W Response: The stafs statements on CCS are covered by item 7 of PRA Table 59 29. Per the 2/17/98 WINRC telecon, NRC agreed the statements are covered by item 7 of Table 59 29. Service Water System (SWS) The service water system (SWS)is a nonsafety related system that transfers heat from the component cooling water heat exchangers to the atmosphere. The following are some important aspects of the SWS as represented in the PRA: 720.434F(RI)-55

         ~

e NRC FSER OPEN ITEM mM+L

  • The SWS is arranged into two trains. Each train includes one pump, one strainer, and one cooling tower cell.
  • During normal operation, one SWS train of equipment is operating. The standby train is aligned to automatically start in case of a failure of the operating SWS pump.
  • The SWS pumps and coohng tower fans are auto natically loaded onto their associated diesel bus in the event of a loss of normal ac power. Both pumps and cooling tower fans automatically start after power from the diesel generator is available.

l 2 Response: The staff's statements on SWS are covered by item 8 of PRA Table 59 29. Per the 2/17/98 WINRC l telecon, NRC agreed the statements are covered by item 8 of Table 59 29. Chemical and Vajume Control System (CVS) The chemical and volume control system (CVS) provides a safety related means to terminate inadvertent RCS boron , dilution. In addition, the CVS provides a nonsafety relued means to (1) provide makeup water to the RCS during normal plant operation,(2) provide boration following a failure of reactor trip (3) provide coolant to the pressurizer auxiliary spray line, (4) safety related portions of the CVS provide inadvertent boron dilution protection, and (5) safety related portions of the CVS provide isolation of normal CVS letdown during shutdown operation on low hot leg level. W Response: The staf's above statement on CVS is covered by item 9 of PRA Tnble 59 29 with supportfrom SSAR subsection 9.3.6. Note the second sentence begins by discuning nonsafety related means, l but items (4) and (5) stat < safety related portions. It emrid+e is a confusing sentence. Also note. l item (4) is a repeat of the first sentence. Per the 2/12/98 W/NRC meeting, Westinghouse agreed

             \                           to address item 5from the staff's statement within item 9 of PRA Table 59 29. Specsfically, the

, l adled statem '*:t to item 9 will read: "Two safety related air operated valves provide isolation of l normal CVS ietdown during shutdown operation on low hot leg level" (dL,.osition = SSAR 9.3.61 (see item #9 of Table 720.434F.I) De following are some important aspects of CVS as represented in the PRA:

  • The CVS has two makeup pumps and each pump is capable of providing normal makeup.

i W Response: This statement is covered by item 9 of PRA Table 59 29. Per the 2/17/98 WINRC telecon, NRC agreed the statement is covered by item 9 of Table 59 29.

  • One CVS pump is configured to operate on demand while the other CVS pump is in standby. The operation of these pumps will alternate periodically (mcnthly).

E Response: The staff's statement is accurate per PRA assumptions. The first sentence is true. The second sentence's monthly statement is an assumption of the PRA: however, good operating practices I would callfor the COL to periodically alternate the pumps. Per the 2/17/98 WINRC telecon,

o s F NRC FSER OPEN ITEM j . . .

                                                                                                                       .l l                   H'estinghouse ogreed to add the staff's statement, minus the word "(monthly)." (disposition a
         '                   PRA Chapter 15] (see item #70 of Table 720.434F.I)
  • On low hot leg level, the safety related PMS signals three safety related CVS AOVs to close automatically to isolate letdown during Mode 4 (when RNS is in operation), Mode 5, and Mode 6 (with the upper internals m place and the refueling cavity less than half full) as required by AP600 TS.

W Response: Only two of the AOVs are safety related, the third is norsafety-related. Exceptfor this error, the l above statement is true per the ESF Technical Specification. At the 2/12/98 %INRC meeting, the l staff agreed it is not necessary to include this statement as an insight.

  • The safety related PMS boron dil;; tion signal automatically re-aligns CVS pump suction tc the boric acid tank.

His same signal also closes the two safety-relt.ted CVS demineralized water supply valves. This signal actuates on any reactor trip signal, source range flux multiplication signal, Icw input voltage .o the Class IE DC power system battery chargers, or a safety injection signal. W Recponse: This is an accurate statement. Per the 2/12/98 %'/NRC meeting, %'estinghouse agreed to include the staff's statement as an item in PRA Table 59 29. Note that thJ words in the second sentence l for the insight of Table 59 29 have been modyled to reflect the exact wording in SSAR section

        \                    7.3, (disposition a SSAR 7.3] (see item #70 of Table 720.434F 1)
  • ne COL applicant will maintain procedures to respond to low hot leg level alarms.

I W Response: The shutdown ERGS cover the procedure to respond to low hot leg level alarms. Per the 2/12/98 l n'/NRC meeting, n'estinghouse agreed to include the staff's statement as an item in PRA Table

        !                    $9 29. (disposition a Emergency Response Guidelines] (see item #71 of Table 720.434F 1) 720.434F(RI).57

4. t . NRC FSER OPEN ITEM

g. Og.j a

I i ATTACHMENT 720.434F-2 l Insert the information below into PRA Appendix C, Table C-1. l l System Description of Change Patential impact on PRA Results l Automatic Stage 1,2, and 3 MOV test Does not significantly affect the PRA results. Since l Depressurization frequency changed from every the ADS stage 1/2/3 MOVs are not being cycled at I System (ADS) 6 months to every cold power, it reduces the chances of spurious actuation I shutdown. of ADS. From the success criteria point of view, l ADS stages 1/2/3 are not sufficient by themselves to I achieve gravity injection -- Stage 4 lines are

            !                                                                 required. From PRA Table 5015 the importance of l                                                                 ADS stages 1/2/3 is low. Based on the change to l                                                                 the test frequency, the failure probability of ADS stage 1/2/3 is only slightly different than what was modeled in the PRA. Specifically, the failure probability was based on a 6-month test frequency.

l Now, the valves test frequency is every cold I shmdown/ refueling. Assuming cold l shutdown / refueling outage frequency is consistent I with the shutdown PRA (2.2 events per year which I averages to approximately every 4.5 months), the l ADS stage 1/2/3 test frequency actually increases I (from 6 months to an average of 4-5 months); thus i ADS reliability is slightly better. Finally, assuming i no shutdowns between refueling outages, the ADS

              !                                                                    I/2/3 test frequency would be longer (every 2 years).

I De ADS 1/2/3 MOVs failure probability would increase, and the common cause failure probability of these MOVs (basic event ADX MV-GO) changes from 1.lE-3/d to 4.4E-3/d. This change in common i cause failure probability of ADS 1/2/3 MOVs only i changes the a:-power CDF by less than i E 720.434F(RI) 58 l.

                                                                                                                              . _ _ _ _ _ _ _ . _ . _ _ _ _ _ _ _ . _ . _ _ _}}