Latest revision as of 10:09, 12 December 2024

Text

Forwards Response to RAI Re Conditional Containment Failure Probability Distribution in Chapter 42 of AP600 Probalistic Risk Assessment
	ML20132C608
Person / Time
Site:	05200003
Issue date:	12/09/1996
From:	Mcintyre B; WESTINGHOUSE ELECTRIC COMPANY, DIV OF CBS CORP.
To:	Quay T; NRC OFFICE OF INFORMATION RESOURCES MANAGEMENT (IRM)
References
	NSD-NRC-96-4904, NUDOCS 9612180411
	Download: ML20132C608 (42)
	v • d • e

- -.. -.....

(O)

(

1 1

Westinghouse Energy Systerns Ba 355 Electric Corporation Pittsburgh Pennsylvania 15230-0355 i

NSD-NRC-96-4904 i

DCP/NRC0674 l

Docket No.: STN-52-003 i

December 9,1996 l

Document Control Desk l

U.S. Nuclear Regulatory Commission Washington, D. C., 20555 ATTENTION:

T.R. QUAY

SUBJECT:

AP600 RESPONSE TO REQUESTS FOR ADDITIONAL INFORMATION, AND AP600 PRA PAGE MARKUPS

Dear Mr. Quay:

Enclosure i provides Westinghouse responses to NRC requests for additional information pertaining to i

the conditional containment failure probability distribution used in Chapter 42 of the AP600 Probabilistic Risk Assessment (PRA). Specifically, the responses to the following RAls are included:

480.190 through 480.192,220.95 through 220.99. These responses close, from a Westinghouse perspective, the addressed questions. The NRC technical staff should review these responses. The i

status of these RAls will be changed to " Action N" in the OITS on January 2,1997.

I provides the draft responses to NRC requests for additional information pertaining to the AP600 at-power fire PRA. These responses are being provided to the NRC for discussion purposes at the December 18,19% NRC and Westinghouse AP600 fire PRA meeting. The staff is expected to review these draft responses and be prepared to discuss them at the meeting. contains markup page changes to the AP600 PRA. These markups primarily fix typos found in the report since the issuance of Revision 8. These changes will be included in the next revision to the PRA. The staff reviewers should include these markup pages with their PRA report.

A listing of the NRC requests for additional information responded to in this letter is contained in ll Attachment A.

Please contact Cynthia L. IIaag on (412) 374-4277 if you have any questions concerning this

<~[

T transmittal.

f g

i i

A. McIntyre, h nager

(-

Ads iced Plant Safety and Licensmg 9612190411 961209 PDR ADOCK 05200003 A

PDR

I

't i

d T. R. Quay Page DCP-NRC0674 December 9,' 1996 f

i Enclosures I

cc:

J. Sebrosky, NRC (enclosures) j J. Kudrick, NRC (w/o enclosures)

J. Flack, NRC (w/o enclosures)

N. J. Liparulo, Westinghouse (w/o enclosures) d i

t d

I j

3013A

. ~, - - <

a f

f I

r 1

l to Westinghouse n

l Letter NSD-NRC-96-4904 December 9,1996 l..

l e

4 e

l 4

4 I

i l

8 r

I 1011 4

NRC REQUEST FOR ADDITIONAL INFORMATION f

?

Question: 220.95 l

In PRA Chapter 42, dated December 1,1995, a coefficient of variance (COV) of 0.06 for random material uncertainty for SA537, Class 2 is used. This does not seem to be appropriate. The staff could not find where your Reference 42-2 recommends a COV between 0.06 and 0.08 for random material uncertainty. On page 77 in Reference 42-2, the material yield strength mean and standard deviation were taken as 1.1 and 0.11 times the specified c, for the uncertainty analysis of the five containments.

1 Based on " Development of a Probability Based Load Criterion for American National Standard A58," National j

Bureau of Standards Special Publicatic,n 577, US Government Printing Office, Washington,1980, the use of 1.1 and 0.11 for the median and the COV, respectively, for material property is more appropriate. Figure I shows the probability of failure differences between the random material uncertainty COVs of 0.06 and 0.11.

Response

As discussed in Revision 8 of Chapter 42, a coefficignt of variation (COV) equal to 0.11 is used to represent the '

random uncertainty in material properties for all failure locations. This is based on the reference provided in RAI 220.95 (" Development of a Probability Based Load Criterion for American National Standard A58" and " Reliability of Containment Under Overpressure").

PRA Revision: None h

4 220.95-1 W Westinghouse

i o

=

l NRC REQUEST FOR ADDITIONAL INFORMATION

==

m i

l Question: 220.96 In PRA Subsection 42.4.1, a COV of 0.1 for modeling error for containment cylindrical shell is used. This does not seem to be appropriate. The COV of 0.1 seems to come from the average of 0.12 (limit pressure calculations) and O.08 (axisymmetric finite element analysis) in Reference 42-1. However, the COV of 0.08 is not directly applicable to AP600 since Reference 42-1 uses ANSYS with STIF 82 elements for six closed-end smooth cylinders which are different from that of the AP600. The COV of 0.12 is obtained after calibrating with respect to the Gnite element method in Reference 42-1. In this calibration, Reference 42-1 treats the von Mises yield criterion as a constant (15 percent increase). The use of COV of 0.12 for the constant von Mises yield criterion is acceptable. However, based on test data, the von Mises yield criterion should be treated as a random variable. For the complete modeling error COV determination, provide the median and its COV values with the legitimate distribution information for the von Mises yield criterion.

Response

As discussed in Revision 8 of Chapter 42, a coefficient of variation (COV) equal to 0.12 is used to represent the subjective uncertainty associated with modelling of the ultimate containment failure pressure for all failure locations.

This is based on the Greiman reference " Reliability of Steel Containment Strength."

PRA Revision: None h

22 m W Westinghouse

4 NRC REQUEST FOR ADDITIONAL INFORMATION g

7 g

Ouestion: 220.97 In letter NTD-NRC-96-4617, dated January 4,1996, the response to RAI 2 (NRC letter dated September 14, 1995) stated that " Distribution is primarily influenced by imperfection. Measured imperfection must be less than the American Society of Mechanical Engineers (ASME) specified limit. Use of lognormal distribution is appropriate, similar to its use for material yield which must also exceed a minimum ASME specification." Is the lognormal distribution applicable here if it exceeds the ASME minimum specifications? The distribution should come from the existing test data and not be assumed. Clarify these statements.

Response

The equipment hatch cover will be constructed within the ASME forming tolerance requirements for vessel shells as defined in Subsection NE (NE-4220). Buckling is significantly influenced by imperfection. The maximum imperfection defined by the ASME Code will determine code buckling capacity. The imperfections in the as-built conditions will be equal to or smaller than the ASME specified values, and therefore, the as-built buckling capacity will be higher.

No as-built measurements of the AP600 containment vessel are available. There is not that much existing test data (see RAI 230.32)in the public domain that can be used to make meaningful conclusions with respect to statistical distributions for the AP600 containment. This has been noted by L Greimann and F. Fanous in Reference 220.97-1:

They state:

p.839 "Again, as-built geometry of the containment would be very useful. Unfortunately, no as-built measurements of containment vessels exist. However; fabrication and erection tolerances were' established and (presumably) met during the construction process."

p.847

" Uncertainty in structural analysis.. is very difficult to quantify. A usual procedure is to describe statistically the ratio of experimental results to analytical results. Hehce, if therg are a number of experimental results, one can approximate the distribution of this ratio. Most typically, however, enough tests are not available to give sufficient statistical confidence.

The use of a lognormal distribution to represent uncertainty is, and has been, the accepted practice in structural analysis as well as risk analysis for a number of years. Many papers have been published on this subject, indicating the general acceptability of the lognormal distribution for the purposes used in the AP600 containment analyses.

Two notable papers are References 220.97-1 and 220.97-2.

Both of these documents describe the use of the lognormal distribution for probabilistic and reliability analyses of steel containments. In NUREG/CR-3127 (Table 2.1) imperfection parameters are defined as lognormally distributed, and in the paper (Tables 6 and 7) and NUREG (Table 2.1) the analysis error is stated to be lognormally distributed.

Another consideration is the potential differences in the results if a different distribution was used. Although it is possible to show different results for any (less than infinite) data set through the use of a particular distribution.

W Westinghouse

j

\\

NRC REQUEST FOR ADDITIONAL INFORMATION giii assuming a reasonable choice of shaping parameters used with a distribution other than a lognormal one, the resulting failure probability is still expected to be very small.

It is important to note that the controlling failure mode is not buckling, but membrane yield of the cylindrical shell.

In Chapter 42, results of the conditional containment failure probability distributions have been presented. In Tables 42-3 and 42-4, and Figures 42-1 and 42-2, it is seen that the cumulative containment failure probability is similar to that associated with cylinder yield. Therefore, cylinder yield is the dominant contributor to containment failure, and buckling does not control containment failure probability.

From the above discussion it can be concluded that a lognormal distribution is recommended in the literature for j

imperfections. Further, buckling does not control the cumulative failure probability, and the distribution used has little effect on containment failure probability.

References:

220.97-1

" Reliability of Containments Under Overpressure," L. Greimann and F. Fanous, Pressure Vessel and Piping Technology, A Decade of Pro'gress, Paper 8.7,1985, pp. 835 856.

220.97-2 NUREG/CR-3127. "Probabilistic Seismic Resistance of Steel Containments" prepared by L Greimann, F. Fanous, et al, Ames Laboratory, January 1984.

l PRA Revision: None 4

220,97-2 W Westinghouse t

l

NRC REQUEST FOR ADDITIONAL INFORMATION

%5 nci i

.=

Question: 220.98 In PRA subsection 42.4.3, a COV of 0.14 is used for equipment hatch modeling error. However, this modeling error calculation in Reference 42-2 is based on internal pressure cases. Provide thejustification that this COV can be used for the external pressure case.

Response

The purpose of the PRA Chapter 42 analysis is to evaluate overpressure containment fragility for use in the AP600 PRA. A COV of 0.12 was used for internal limit pressure, which is consistent with analysis errors per Reference 220.98-1. External pressure does not apply for this evaluation.

Reference:

4 220.98-1

" Reliability of Containments Under Overpressure," L Greimann and F. Fanous, Pressure Vessel and Piping Technology, A Decade of Progress, Paper 8.7, pp. 8'35-856.

PRA Revision: None 4

8 9

6 4

9 22 m W Westinghouse

O NRC REOUEST FOR ADDITIONAL INFORMATION IE.

i g

Question: 220.99 In PRA Section 42.1, it is stated that " Failures of the mechanical penetration bellows, and leakage of the quipment hatches due to ovalization, do not occur prior to general yielding of the cylinder." This implies that after the yield pressure is reached, the bellows will fail and the equipment hatches start to leak without restriction. Therefore, the probability of failure for bellows and leakage through equipment hatches due to ovalization beyond yield pressure should be given in PRA.

Response

It is true as stated in the RAI that for the conditional containment failure probability analyses performed, it is assumed that once general yielding of the cylinder occurs, the bellows may fail and the equipment hatches may start to leak. However, it is not necessary to provide the probability of failure for bellows and leakage through equipment hatches due to ovalization since the sum of the probabilities of these specific mechanisms plus others that might occur, such as failure of other penetrations, is equal to or smaller than that given for the general yielding of the cylinder in the analyses performed.

PRA Revision: None t

a W Westinghouse

B s

\\

NRC REQUEST FOR ADDITIONAL INFORMATION

ty.

Ouestion: 480.190 Containment Pressure Capacity Describe how the impact of corrosion of the containment shellis accounted for in estimating the containment ultimate pressure capacity, i.

l

Response

Corrosion protection of the containment vessel is described in SSAR subsection 3.8.2.6 and 6.1.2. Performance monitoring of the coating is described in subsection 6.1.2. This monitoring is intended to preclude significant corrosion of the containment vessel. Therefore, the impact of corrosion is not accounted for in estimating the ultimate capacit'y, PRA Revision: None.

4 h

t 480.190-1

[ Westinghouse

NRC REQUEST FOR ADDITIONAL INFORMATION 4E!.E

.E..E Question: 480.191 Containment Pressure Capacity Provide an assessment of the pressure capability of the main steam line and main feedline bellows, and a corresponding failure probability distribution curve.

Response

The pressure capability of the main steam line and main feedline bellows are discussed in SSAR subsection 3.8.2.4.5.

The pressure capability exceeds the pressure at which the containment vessel cylinder yields. It is assumed that once general yielding of the cylinder occurs, the bellows may fait due to the large deflection of the cylinder. However, it is not necessary to provide the probability of failure for bellows separate from the probability of cylinder yield.

The probability of failure of the bellows due to large deformation of the cylinder is a part of the probability given in PRA Chapter 42 for vessel failure due to the general yielding of the cylinder.

PRA Revision: None.

o e

e 4

U l

l l

W Westinghouse i

i

~

i e

l s

NRC REQUEST FOR ADDITIONAL INFORMATION Hiit EF=

=-

Question: 480.192 Containment Pressure Capacity Provide further information regarding the ability of containment piping penetrations to accommodate the lateral motion of the containment shell anticipated in late over-pressure failures. For key penetrations, including the main steam and feedwater lines, provide an estimate of the extent to which the bellows would be compressed at containment pressures corresponding to (a) Service Level C and (b) the ultimate pressure capacity. This can be presented in terms of the percent of full compression, as described in NUREG/CR-6154.

Response

The radial deflection of the containment vessel at 144 psig is 1.6 inches as given in SSAR subsection 3.8.2.4.2.1.

This pressure is greate'r than the pressure corresponding to Service Level C and is well within the capability of the bellows. The bellows are expected to be fully compressed at the ultimate pressure capacity since the ultimate capacity is defined as the pressure at which there is gross yield of the cylinder.

PRA Revision: None.

e 0

l 480.192-1 T Westingtiouse i

' to Westinghouse Letter NSD-NRC-96-4904 December 9,1996 1

l r

+

0 0

9 O

4 9

i 9

4 B

a 4

0 4-9 0

0 4

4 1011 A

DRAFT Question:

720.334 The information documented in the submittal (Chapter 57, August 9,1996, Internal Fire Analysis Draft Markup) does not state clearly the major assumptions made in modeling containment fires. The containment is a single l

fire area which is made up of several compartments, called fire " zones" (see Table 57-5). It appears that the l

several fire zones, included in the single containment fire area, are treated in the analysis similarly to the fire l

areas for fires outside the coritainment. However, it is not clear whether and how fire propagation between fire zones is modeled and what is the technical basis for distinguishing the different fire scenarios. Please provide this information, including relevant assumptions, in Chapter 57 of the PRA.

Response

In the AP600 internal fire analysis, fire propagation across containment fire zone boundary has been judged not to be credible. Fire scenarios have been developed only based on the potential impact on safe shutdown function that could be caused by damaging components and cabling located in the fire exposing zone. The technical justification for this judgement is provided below.

In the AP600 internal fire analysis (consistent with the state-of-the-art methodology), fire propagation across a barrier has been judged not to be credible if the deterministic fire protection assessment had credited the barrier as being capable of preventing fire propagation, unless:

i.

the barrier's integrity had been compromised by a barrier element failure (e.g. penetration seal failure)

AND-ii.

if the fire suppression activities in the exposing location were to fail to contain the fire within the area.

For example, fire propagation across a fire area boundary which consists of a solid wall without any sealed openings (doors, vent louvers, cable penetrations, etc.) has been judged not to be credible, where as fire propagation across a barrier with any sealed openings has been considered to be credible and the barrier failure probability has been assessed based on the type of barrier elements.

i

' As stated in, the RAI, the containment fire area is a single fire area which is divided into several fire zones.

Based on the AP600 SSAR's Appendix 9A, fire zones are physically separated from other fire zones such that fire propagation across a fire zone boundary can be dismissed. None of the containment inter-zone barriers are designed to contain sealed openings (e.g. doors or penetration seals). Therefore, fire propagation is not credible and no probabilistic treatment is needed.

It is worthwhile to repeat that in the current fire PRAs, including those performed using the EPRI FIVE methodology, generally the containment building is excluded from the analysis (i.e., it is screened out at the qualitative level). The basis for this exclusion includes the following justifications which are presented in the FIVE methodology:

the unlikelihood of a hot gas layer forming in areas that would damage cabling; industry-wide improvements in RCP oil collection system design improvements, which has essentially e

eliminated this primary cause of past containment fires; a low frequency of containment fires in operating plant experience.

1

DRAFT That is, it is generally accepted that containment fires do not pose a significant safety threat due to the lack of fire ignition sources in the area in combination with the limited amount of combustible materials in the l

l containment and significant space available for spread of the energy which would be generated by a fire. These justifications are applicable to the AP600 design. Therefore, it is judged that there are no significant fire propagation mechanisms in the AP600 containment design (e.g., features that would allow formation of a hot gas layer) that would facilitate fire spread across a containment fire zone boundary, i

Additionally, from the overall risk point of view, the AP600 design has an additional level of defense (i.e.

nonsafety-related equipment) which are mainly located outside the containment and would be free of damage from fires in the containment.

l 1

l'.

i

\\

i s

S b

j

=

l' l

be 4

1 1

5 r

2

DRAFT Question:

720.335 One item of concern in the certification of advanced reactor designs is the impact of smoke, hot gases, and fire suppressants on safe shutdown equipment (especially due to sensitive electronics) and on operator actions. The issue is amplified when these elements migrate into other fire areas. Please address this issue in the internal fire PRA.

Response

j The impact of hot gases, fire suppression, and smoke has been addressed in the AP600 internal fire analysis

)

either implicitly or explicitly as follows:

impact on eauipment j

In all plant locations other than the control room, the components (of all types) and cabling located in an area where the fire originates or to which it propagates have been assumed lost independent of the hazard (i.e.

independent of smoke, formation of hot gas layer, fire suppression activities, etc.). Note that, consistent with BTP CMEB 9.5-1 and NFPA recommendations, the AP600 ventilation systems are designed to confine smoke, hot gases, and fire suppressants within the fire area of fire origin.

In the control room, based on the available data and the fact the control room would be continuously occupied, it has been judged that the im* act of fire-generated or fire-induced lyazards (i.e. smoke / heat or water) would be p

limited if the fire did not, or was not allowed, to fully develop. For fully developed fires, all the equipment in i

the control roora have been assumed lost (due to heat or smoke-induced damage) and no operator' action from the control room has been credited. Additionally, in all fire areas, the impact of fire-induced spurious actuation (such as those that ct.n be caused by smoke / soot or cable hot short) have been explicitly modeled.

Impact on Operators in the AP600 internal fire analysis, other than in the control room, no' local manual action has been credited.

Therefore, the impact of fire-generated or fire-induced hazards on the local operator action did not need to be addressed. For the control room, the level of smoke which would impair the effectiveness of the operators and the time available to suppress the fire before the smoke concentrarb.. reih-s the level of visual Impairment have been evaluated based on available experimental data, the,Ar600-design specific control room features and assessments made in other fire PRAs. Since only very localir~J'small fires have been assessed to have limited impact (i.e. large fires have been assumed to disable all the equipment) and the damage caused by such fires, based on available data, were assessed to be limited, it was judged that fire suppression activities related to such small fires would not significantly impede or adversely affect opdrators actions.

d 3

DRAFT 1

l Question:

720.336 4

Burning liquids in the AP600 turbine building could fall on the floor at elevation 100 feet. It is not clear where they would go. Is it possible that the oil could enter the Auxiliary Building? Experience (the Vandellos turbine building fire) has shown that burning oil can spread away from the point of origin. Is it possible that an important scenario, which involves damage to other fire areas within the Auxiliary Building, was not analyzed because of the analysis groundrule preventing treatment of scenarios involving fire spread to multiple zones?

Please explain and identify the specific design features that prevent this from happening.

Response

In general terms, in the AP600 internal fire analysis, the ground rules followed in assessing the impact of fire propagation included the following:

Fires originating in a fire area (exposing fire area) could only propagate to an adjacent fire area a.

(exposed fire area), and no further propagation beyond the exposed fire area was considered to be credible.

b.

Simultaneous fire propagation from the exposing fire area to more than one adjacent fire area was not considered credible.

That is,. fire propagation to more than one fire area was considered but sequential fire propagation (from a' fire area to an unconnected fire area via an intermediatory fire area) or simultaneous fire propagation to more than one fire area were judged not to be credible.

Specifically, fire propagation from the AP600 turbine building to the auxiliary building has been considered credible where a mechanism to allow for fire propagation (e.g. a door) had been identified. More specifically, l

fire propagation from the AP600 turbine building (including oil-fueled fires) to fire area 1201 AF 04 located in the auxiliary building was considered to be credible and its consequences has been analyzed in the internal fire analysis.

i l

a 4

l l

DRAFT Question:

720.337 Westinghouse claims that a conservative " bounding" assessment of the impact of fire-induced " hot shorts" was l

performed. The staff, however, cannot conclude that Westinghouse's analysis is bounding (based on the

)

information pro' ided in the submittal) because (a) the probability of a hot short (from NUREG/CR-2258) is v

based on judgment, (b) it is assumed that the probability of multiple hot short events is state-of-knowledge independent, and (c) the analysis does not refer to the specific AP600 PRA I&C models and logic diagrams to l

recognize any important features, and/or operational requirements, that are incorporated into the design to prevent l

fire-induced hot shorts from causing spurious actuations which in turn could have a significant impact on plant safety. Please explain the mechanism of fire-induced spurious actuations using the AP600 PRA I&C models, the j

l location of the various I&C cabinets, the location of power source interfaces and assumptions made on cable l

characteristics and routing. Also, please list important design features, and/or operational requirements, that l-prevent fire-induced hot shorts from causing spurious actuations.

Response

The AP600 internal fire analysis considers the effects of fire-related damage to safety equipment and associated instrumentation, control, and power cabling. Both open shorts an'd hot shorts in I&C and power circuits are considered. With respect to hot shorts, the internal fire analysis explicitly considers hot short-induced actuation of ADS valves, resulting in loss of coolant, for both at-power and shutdown conditions. Other potential hot short

)

equipment actuations result in either less' adverse events or in favorable conditions, such as have been 2

documented elsewhere (Ref. 720.337-1). Potential fire-induced hot-short actuation of the automatic l

depressurization system (ADS) is the only fire-induced fault with potential to adversely affect the ability of the plant to achieve safe shutdown, and is treated in a limiting manner in the internal fire analysis, as described

below, i

i The AP600 design is not susceptible to single hot short actuations of lines of ADS stages I through 3. Each j

such line has two normally-closed valves in series, and separate actuations are required for each valve in stages 1

(

through 3. The cabinets providing the actuation signal will have temperature monitoring and protection, in

. addition to software for detection of anomalous signals, to eliminate any significant probability of a single common fire-induced fault resulting in generation of a stage 1 ADS actuation signal.

j Therefore, the fire analysis assumed that opening of ADS stages I through 3 requires multiple hot shorts for each

' ADS line. It has been assumed that these could occur in either the PMS or DAS actuation circuits. However, opening of the stages I through 3 valves was not explicitly considered in the fire analysis, because: ADS stage 4 actuations were modeled as resulting from,sjngh hot shorts (see below); opening of a single stage 4 valve n

produces a plant transient equivalent to a medium LOCA; and the focused PRA conditional core damage probability (CCDP) for medium LOCA is significantly higher than the CCDP for smaller LOCAs, such as would result from multiple hot-short-induced opening of both stage 1,2, or 3 ADS valves in a given line. Multiple hot-short-induced ADS valve openings were modeled as large LOCAs.

Each of the four lines of ADS stage 4 has one normally open MOV and one squib valve, with each squib valve receiving actuation signals from two divisions, either of which can actuate the valve. Therefore, a single hot short somewhere between a final output cabinet and a squib valve could be postulated to result in valve actuation. Each output cabinet is pr~ected as described above, such that a common single spurious signal to actuate both stage 4 valves powerra Sy any particular division is unlikely. In addition, the actuation of each ADS stage 4 valve has two series control circuits in each division. This further reduces the chance that a fire in a cabinet could cause a spunous actuation.

t l

l l

5

l*.

t

~

DRAFT It was assumed that there would be a " hot" power source of sufficient capacity to actuate the ADS valves. Squib

.va ve actuat on requ res re at ve yl high current, i.e., greater than expected to be available from most hot short i

l i

i li

- sources, so that, depending on the power and control circuitry used, it might not be possible to achieve a hot

(

short that would result in valve actuation. The possibility of hot shorts might also be negated by the type of cabling used. However, since these design details of the ADS actuation cabling are not final, it was assumed that hot short ADS stage 4 valve actuation could occur.

The fire analysis assumed that there could be a single hot short in either the PMS or the DAS actuation circuits that could result in opening of a sjngle line of ADS stage 4 (i.e., a medium LOCA), and also that there could be r

j-multiple hot shorts that could result in opening of more than one line of ADS stage 4 (i.e., a large LOCA).

1 l

Reference:

720.337-1 WCAP-14477, "The AP600 Adverse System Interactions Evaluation Report."

1 4

4 4

8 f

9 6

t a

t 0

4 h

4 4

9 4

0 l

l F

i

?

6

I i

l DRAFT Question:

720.338 Successful injection of core makeup tanks (CMTs) requires trip of all reactor coolant pumps (RCPs). Please address in your analysis the impact of an inadvertent RCP start (after initial trip) and whether this can occur in the same scenario with other fire-induced failures of safety equipment, such as spurious actuation of ADS valves, l

and/or with fire-induced control room indications.

Response

l The internal fire analysis models a fire in any fire area as resulting in failure of all equipment in that area. Thus, a fire in an area containing CMT valves or actuation circuitry was assumed to cause failure of the associated CMT train, so that potential RCP restart (or failure to trip) has no further adverse effect.

Restaning of the RCPs would require a hot-short actuation of the RCP start logic. The control wiring used to control the RCPs runs from the Protection Logic Cabinets located in the I&C Equipment Rooms to the Class IE l

Feeder Breakers which power the Motor Control Centers for the RCPs. Each RCP has two IE feeder breakers associated with it. One of the circuit breakers is controlled by PMS division B while the second breaker is controlled by PMS division C. Therefore, restart of an RCP would require a hot short on each of two PMS divisions for which, in general, the wiring is routed through separate fire zones.

The RCP trip signal, once generated, is " sealed in" such that subsequent loss of either the CMT actuation or the RCP trip signal source does not result in restarting of the RCPs. Restan of the RCP through the manual actuation circuits requires that the " scal-in" in each of the two divisions be cleared. Since the " seal-in" is done on a divisional basis, there is no single point in which the " scal-in" for ea'ch of the two divisions can be cleared.

In addition, restart of the pumps requires that the soft control template be requested by the operators, that the control action be selected, and that the control action then be confirmed. There is no significant possibility that a fire can cause these specific actions to occur.

The PRA analyses assume that successful injection of core makeup tanks (CMTs) requires trip of all reactor coolant pumps (RCPs) except for events which cause a rapid depressurization of the RCS, such as medium and large LOCAs. For such breaks, tripping of the RCPs is not necessary for CMT injection. Since the fire analysis results are dominated by medium and large LOCA scenarios, spurious / inadvertent RCP restart, if this were possible, would not have a significant effect on the core damage frequency results.

Any potential impact of liCP restart (i.e., an assumed inability for CMT injection) would be for slower events,

~

such as small.LOCAs and transients with loss of decay heat removal. No fire-initiated small LOCA scenarios 1

were identified in the internal fire analysis (spurious ADS valve actuations result in either medium or large LOCA as a result of the valve sizes), but it ha been assumed that transients could result. In the focused PRA, for RCP trip to be of concern in transient scenasios, it is necessary that failure of passive residual heat removal (PRHR) first occur, resulting in a need for depressurization and CMT injection. (In the PRA, it would also first be necessary that main and startup feedwater also fail.) Logic train separation would preclude defeating PRHR actuation via a single fire for all but the final actuation cabling. Fire-induced failure of PRHR as a result of a fire affecting the final actuation cabling would require a hot short to prevent actuation, since this system actuates on loss of support or control. Subsequent inadvertent RCP restart would require additional fire-induced hot shorts to reclose the RCP breakers (see discussion above). In addition, for transients that progress relatively slowly, there would likely be sufficient time for operator response to recognize the inadvertent RCP restart and manually stop the pumps. This scenario is judged to be sufficiently unlikely that it need not be explicitly l

considered in the quantification. It would not contribute significantly to the fire core damage frequency results.

i For these reasons, the contribution to core damage due to fire-induced RCP restart is judged to be sufficiently small that explicit modeling is not necessary.

l 7

DRAFT Questioq:

720.339 Fire-induced failure of containment isolation valves was not treated in the analysis. It was assumed that such failure has no effect on core damage frequency (see item h, page 57-15) because "the PRA core damage success criteria are specified assuming failure of containment isolation." However, based on information presented in Appendix A of the AP600 PRA, it does not appear that containment isolation failure was assumed in determining success criteria for sump recirculation. Furthermore, the frequency of a core damage scenario with containment isolation failure should be investigated to determine its contribution to offsite consequences. Please explain.

Response

The AP600 PRA success criteria for sump recirculation do not specify a requirement for containment isolation.

There'is a set of large LOCA break sizes identified for which containment isolation is required in order to. void the need for ADS actuation in order to achieve IRWST injection. However, the large LOCA of concern for the internal fire analysis is fire-induced opening of the ADS valves. The success criteria for the internal fire analysis are the same as for the rest of the PRA regarding status of containment isolation.

More importantly, the AP600 is designed suct. that redundant safe shutdown components (i.e., redundant containment isolation valves in a given line) are located in separate fire areas or zones and served by different electrical divisions. 'Ihus, the possibility of a fire that would cause failure of both isolation components in lines penetrating containment is judged to be sufficiently small that there would be no significant contribution to plant risk.

4 h

9 i

l i

8 i

~ ~ -

=

l DRAFT 3

i Question:

720.340 4

The barrier failure probabilities used in the analysis (see Table 57-3) assume certain inspection program for the barriers, which includes a sampling scheme and timing. Please include this information in Chapter 57 (internal fires) of the AP600 PRA.

Response

3 The failure probabilities for fire barriers and fire barrier penetration seals, including electrical and mechanical seals, fire doors, and fire dampers are dependent on installation and maintenance practices followed for such equipment. The barrier failure probabilities used in the analysis are based on industry data that reflect current standard industry practices and requirements for such installation and maintenance. It has been assumed in the l

analysis that the AP600 will be subject to requirements and practices similar in effectiveness to those used in existing plants.

}

e 4

9 e

)

e 1

4

\\

l e

1 i

i 9

DRAFT l

Question:

720.341 The first paragraph of Section 57.2 implies that probabilistic criteria allow screening of compartments with high fuel loading which do not contain PRA-credited equipment. regardless of propagation potential. However. the analysis does consider rooms where the only concern appears to be fire spread (e.g., the tube oil room in the turbine building). Is the statement in Section 57.2 correct? Please explain.

Response

The statement presented in the first paragraph of section 57.2 does not accurately represent the methodology followed in the analysis. As stated on page 57-4 of the submittal, a fire area was not screened out from further analysis if a fire originating in the area created a demand for safe shutdown under normal plant ope.ating conditions or was assessed to damage any PRA-credited equipment. The postulated consequences could occur eith?r as a result of damage to the equipment located in the area or due to damage caused by propagation to c min area. The report text will be revised to reflect this clarification.

e 0

e i

e l

j I

i l

10

DRAFT 9

Question:

720.342 The basis for defining the fire scenarios in Table 57-4 is not always clear, given the groundrules established in qualitative analysis Step 10. For example, what is the basis for distinguishing between scenarios I and 2 for Fire Area 1200 AF 017 Both do not seem to involve spurious signals. Does one involve propagation out of the area? Scenarios involving propagation out of the fire area should indicate explicitly which adjacent fire area is being treated (especially since the second bullet on page 57-4 states that simultaneous propagation to multiple areas is not treated). Please explain.

Response

In general, in the AP600 internal fire analysis, four scenarios were considered for each fire area: two dealing with the consequences of fires which would be confined in the area, and two considering the consequences of fires propagating outside the area (if propagation had been found to be credible). In each set of propagating and non propagating scenarios, in turn, the potential consequences of different cable failure modes (open and short) were evaluated. In summary, for each fire area the following scenarios were considered:

o Scenario 1 - Fire is confined in the area and disables all the equipment located in the area (i.e. only open circuit failure modes were considered).

o Scenario 2 - Fire is confined in the area, disables all the equipment in the area and causes safety significant hot short events.

o Scenario 3 - Fire propagates outside the area (if pr6pagation was found to be credible) and disables all the equipment in the exposing and the exposed fire areas.

o Scenario 4 - Fire propagates outside the area, disables all the equipment in the exposing and the exposed fire areas, and causes safety significant hot short events.

Based on the equipment located in each area and the fire propagation potential, one or more of the above scenarios were dismissed from further considerations. For example, for fire area 1200 AF 01, only the first, third, and fourth above listed scenarios were considered to merit fu-ther analysis. That is, based on the equipment and cabling located in the area, a fire-induced hot short in the area was not considered to be safety significant. Additionally, fire propagation was considered to all fire areas with interconnecting pathway to the 4

1200. AF 01 fire area. However, only the consequences of fires propagating to an area with the potential to cause the niost severe damage were found to merit further consideration. These consequences are represented by fire damage stmes I AB2 and 1 AB3.

O J

I l

11 1

DRAFT Question:

720.343 Note 2 in Table 57-8 indicates that some components modeled in the focused PRA are failed for some initiators.

Does this refer to the damage listed in the 4th column of the table, or are there additional component losses not explicitly identified? Please explain.

Response

Note 2 in Table 57-8 was intended to be an explanation of the notation "(degraded)" that is used in column 3 of that table. The " degraded" notation was added as an indicator for the analysts that the focused PRA models listed (which already ine jude no credit for nonsafety-related equipment) were to be further modified to remove credit for safety-related equipment listed in column 4 of the table. There may be several entries in column 3 for which the degraded label is missing, but the appropriate equipment losses appear in column 4 and were included in the modeling.

There are no additional component losses not listed in column 4 for scenarios involving safety-related equipment.

However, for some of the scenarios resulting in transients, there is no entry in column 4, since these were all modeled using the focused PRA models, which take no nonsafety-related equipment credit.

O 1

e 12

DRAFT Question:

720.344 Does the Remote Shutdown Workstation (RSW) panel have identical controls and displays of plant status information needed during accidents as the Main Control Room (MCR) panels? If the answer is no, please list the major differences and explain how they affect safety system redundancy and reliability, including operator actions.

Response

As noted in AP600 SSAR Section 7.4.3, the remote shutdown workstation equipment is similar to the operator workstations in the main control room, and is designed to the same standards. The RSW contains controls and monitoring for the safety-related equipment required to establish and maintain safe shutdown conditions. 'Ihere are no differences between the MCR and RSW controls and monitoring that would be expected to affect safety system redundancy and reliability. All important MCR operator actions credited in the PRA that might be required following a MCR fire (e.g., actuation of PRHR, CMTs, ADS, IRWST gravity injection, containment recirculation) can be accomplished from the RSW. However, as noted in the response to RAI 720.345, the MCR fire scenario quantifications include cases with no credit for any operator actions, in order to demonstrate that the results are not sensitive to possible changes in human error probabilities related to transfer of control and operation of equipment from the RSW.

4 e

9 9

9 h

1 13

l DRAFT l

l i

Question:

720.345 Could a fire in the Main Control Room (MCR) affect the transferring of control to the Remote Shutdown Workstation (RSW) panel? Could control be inadvertently transferred back to the MCR? If the answer to these questions is no, please explain by referring to design features and characteristics (e.g., fiber optic switches and location of power sources to the light transmitters and receivers) and to emergency operating procedares and criteria for transferring control to the RSW. If the answer to any of the above two questions is yes, [' ease model the failure to transfer control in the PRA.

l-

Response

A fire in the Main Control Room does not affect the transfer of control to the Remote Shutdown Workstation.

The RSW transfer switch set (multiple transfer switches, one per safety-related division) is located in a fire area outside the MCR. The MCR/RSW transfer will utilize separate multiplexers for control inputs which originate in the MCR and RSW. The.multiplexers will be enabled and disabled by the control transfer switches. There will be separate multiplexer sets associated with each of the four PMS divisions so that a single failure can not result in the transfer (or return) of more than one division.

Transfer is a manual operation initiated by the operators in the MCR, who would follow MCR evacuation procedures. Procedures will establish the decision-making authority and responsibility for MCR evacuation, specify the ex-control room responsibilities for the various on-shift operations personnel, and note the location (s) of equipment, controls, and instrumentation require,d for safe shutdown.

Inadvertent transfer of control from the RSW back to the MCR would not occur as a result of the fire in the MCR. It is possible to transfer control from the RSW back to the MCR by de-energizing the RSW multiplexer cabinets in the instrumentation and control rooms. This allows the operators to restore control to the MCR in the event that a fire damages the transfer set, resulting in inadvertent transfer ' f control to the RSW. However, the o

I&C rooms are in fire areas separate from both the MCR and RSW. Therefore, neither fire-induced nor random-failure-induced de-energization of the multiplexer cabinets would result in significant fire core damage frequency scenarios. Inadvertent manual repositioning of the RSW transfer switch set without rapid recognition and recovery is judged to be sufficiently unlikely that it need not be explicitly considered.

Note that the effects of potential failure to transfer control to the RSW (or loss of control from the RSW) can be seen in existing scenarios evaluated in the AP600 internal fire analysis. As an alternative to attempting to quantify a human error probability for an ex-control room action for which timing, stress, physical layouts, and other relevant factors are uncertain, MCR fire scenarios CR2A, CR3, and CR4A were all quantified assuming no credit for operator actions. This is equivalent to assuming a failure probability of unity for the action to transfer control from the MCR to the RSW. Similarly, RSW area 1232 AF 01 scenarios were also quantified assuming no credit for operator actions. This is equivalent to assuming unity failure probability for operator action to restore control to the MCR (further assuming that MCR control had been lost due to multiple fire-induced faults causing transfer of control away from the MCR). The results are presented in Table 57-15 of the Internal Fire Analysis.

l 14

_._.. _ ~ _ _ _

DRAFT Question:

72"0.346 The Main Control Room (MCR) evacuation scenario related to fire in the overhead mimic panel (scenario CRS) l appears to be relevant for all control room panels, not just the overhead mimic panel, if all panels are included, the contribution from CR5-like scenarios should be around a factor of 30 higher Please explain why fires in 4

other control room panels are not postulated to lead to MCR evacuation and plant shutdown via the Remote Shutdown Workstation.

Response

I The contribution of the other cabinets to the main control room evacuation scenario is already included in other scenarios postulated for the control room. For example, scenario 3 postulates that a fire in the Dedicated Control

[

i'*

panel grows beyond the incipient stage, causing the loss of all functions in this panel and evacuation of the control room due to effects of smoke or the operator interpretation of the evacuation procedures.

O l

S e

a e

e 1

i e

9 0

0 5

4 a

15

DRAFT 4

Question:

720.347 The frequency of fires in the AP600 Main Control Room (MCR) was assumed to be a factor of 10 smaller than the frequency of fires in a conventional control room. This was based on the observation that most of the cables in the AP600 MCR are low voltage as compared with conver.tional control room cables.- Although it appears 4

reasonable to postulate some reduction in fire frequency as compared with conventional control rooms, is there any data to support the reduction factor used? It is mentioned (page 57-26) that Westinghouse cable heatup calculations have shown that ignition is very improbable because low-voltage cables do not produce enough I

energy to heat up the cables. Do, the above mentioned Westinghouse calculations, account for insulation aging or the presence of dust? How many of the 12 MCR fires in the NSAC/178L database were initiated by electrical faults leading to ignition of tiie insulation? Please provide a breakdown of causes. Also, for each event, please provide: an event description, the basis for determining that the fire was not severe and the suppression time.

' Response:

The reduction factor used in the analysis is purely a judgmental factor based on talking with experts in the fire protection field and electrical engineers.

Table 720347-1 presents a break down of control room fires. Column I presents the fire event number as assigned in the NSAC/178L database. The database lists 12 control room fires. One fire occurring outside the control room (9D/85) and one recurring fire were excluded from this table. It is noted that out of the eight electrical cabinet-induced fires with known cause,7 were fir.es starting due to an electrical fault (relay or circuit board failures). It is not known whether these fires actually ignited cable insulation or not but it is judged that for a fire in ad electrical cabinet inside a control room, cable insulation is the most likely source of the fuel.

It should be noted that none of the database events report the use of hose stations. Fire suppression method for two are unknown, two fires self extinguished, and six were suppressed with portable extinguishers.

I B

4 4

-g G

l 16

DRAFT i

l TABLE 720.347-1 ELECTRICAL CABINET INDUCED FIRES IN THE CONTROL ROOM Fire Event Initiating Detection Suppression Description Comments

(Date)

Component Means Time < 10 Min.

Implies a severe fire 163 Circuit Personnel Yes No Some damage to (7/12/79)

Board components outside the i

ignition source. However panel still in use after the fire. Thus, this is a potentially significant event.

329 Cable Personnel Yes No Due to a wire that shorted (8/11/82) when pinched in the door.

Quickly identified and distinguished.

369 Relay Personnel No No RPS relays remained (3/12/83) &

information operable after each fire.

374 (3/30/83) l 425 (6/3/84)

Relay No Yes No Only a few relays were information affected.

464 Oven No Yes No (3/29/85) grease information l

480 Circuit card Personnel Yes (assumed)

No No suppression time is (7/14/85) given but it is stated that it was suppressed quickly.

481 No No No No

-No desenption is (7/26/85) information information information available

~

537 (9/4/86)

Circuit ca'rd Personnel /

Yes No smoke detector 659 Relay Personnel /

Yes No Only a few relays were (12/30/87) smoke damaged.

detector 756 Relay Personnel Yes Maybe Four relays plus wiring (10/14/88) damaged. Potentially significant.

l L

17

v DRAFT

i.,

\\

I Question:

720.348 The analysis of scenarios CR4 and CR4A (which treat the spurious actuation of both divisions of the ADS Stage 1 valves due to a fire in the Dedicated Control Panel) and Scenario CR4B (which treats the spurious opening of the Stage 4 valves) does not explain the mechanisms of spurious actuation using PRA I&C models and SAR l

I&C logic diagrams and does not state assumptions made. Furthermore, this analysis does not identify important features, and/or operational requirements, that are incorporated into the design.o prevent fire-induced hot shorts from causing spurious actuations which in turn could have a significant impact on plant safety. Please provide this information. In your response please include answers to the following questions:

Is Scenario CR4B properly labeled as a sensitivity case? Or should its results be added into the total CDF for the MCR?

l Can a fire that has grown past the incipient stage in the papel affect all ADS valves? If so, is there a technical basis for analyzing only a subset of fire effects?

The effective spurious actuation probability for all three MCR scenarios (CR4, CR4A and CR4B) is 0.01 On the other hand, for scenarios outside the MCR, a value of 0.06 is used for a single spurious actuation of an ADS Stage 4 valve (leading to an medium LOCA) and a value of 0.0036 is used for the spurious actuation of both ADS Stage 4 valves (leading to a large LOCA). Is there a difference between the MCR and e*x-MCR scenarios necessitating the different approaches to quantify the likelihood of spurious actuations?

Response

In the final results, scenario CR4B is not treated as a sensitivity case. With reference to Table 57-15 of _the submittal, the contribution of CR4B is added to the total core damage frequency for the main control room.

A discussion of spurious ADS actuation mechanisms and analysis assumptions is provided in the response to RAI 720.337, It may be possible that a fire in a single MCR panel could affect all ADS valve stages in a given safety-related division. However, consistent with the modeling in the internal events PRA, the effects of plant response to vari 6us numbers of ADS valves opening correspond to different sizes of LOCA. A' discussion.of which LOCA models were used for different cases of ADS opening is provided in the response to RAI 720.337.

The difference in the likelihood of fire-induced spurious actuation of ADS valves between fires impacting the MCR and those impacting ex MCR areas is as follows:

Difference in Cable Function. In the control room there are no ADS-related power cables whereas outside the control room there are. It was assumed in the analysis that only one hot short in power-related cabling (external or internal) would be required to cause spurious actuation of an ADS valve. However, two hot shorts in control-related cabling are needed to cause a hot short since an ADS valve requires the appropriate 2 out of 4 logic signals in the correct sequence to open. These conclusions were made based on a review of the Functional Diagrams for the automatic RCS Depressurization valve sequencing (SSAR Figure 7.2-1, sheet 15) and discussion with design engineers.

Difference in approach. In the control room analysis it was assumed that the fraction of fires that will result in hot shorts leading to the opening of a single ADS valve is 0.1 (i.e. conditional probability of hot short is assumed to be 0.1) as opposed to 0.06 which was assumed for ex-MCR fires. The 0.1 value is a conservative judgement whereas 0.06 value is based on the value provided in the referenced NUREG. Also,in the control room analysis it was assumed that the conditional probability of a second hot short (i.e. causing the two spurious signals) is 0.1 whereas in the ex-MCR areas this conditional probability is assumed to be 0.06.

18

_.m.

&a DRAFT

)

Question:

720.349 5

l-The analysis assumes that MCR fires will not affect multiple cabinets, at least until control is transferred to the l

remote shutdown workstation. What design features are provided to ensure that fires do not propagate from one cabinet / panel to another?

Response

- In the AF600 internal fire analysis, it was generally assumed that cabinet fires in the control room will not spread from the confines of the cabinet in which they originate if the cabinet has solid metal or fire resistant l

boundaries. This supposition is supported by the results of the Sandia cabinet fire tests, in which all test fires were self-extinguished, and by the reports of control room fires in the data base. The Sandia tests indicate that i

fire spread to an adjacent cabinet was prevented if the cabinets were separated by a double wall.

i' i

e i

O 4

i e

I r

i t

I r

i e

4 9

h I

l I

l i

I 1

19

. ~. -

... - - -. -. - - - ~...

1.

v DRAFT l

Question:

720.350 lt is not clear which model was used to estimate the non-suppression probability. The analysis text refers to j

EPRI's HCR model, but the reference supplied is for ASEP (see p. 57-33, Ref. 57-6).

l l

a)

Please explain how the non-suppression probability of 0.0034.(used in the analysis) was obtained.

l b)

Aside from questions of its applicability to the analysis of fire suppression activities, the ASEP l

model deals with diagnosis (and non-response), as does EPRI's HCR model. Some time is l

required to actually extinguish the fire. Analysis of suppression time data indicates a mean suppression time of about 8 minutes. Does the AP600 analysis address the time required to extinguish the fire? Please explain.

c)

Westinghouse's interpretation of the Sandia cabinet fire tests appears to differ from Sandia's i

j' interpretation. In questions to the utility regarding the South Texas fire risk assessment, the j '.

Sandia team stated that "Sandia sponsored large scale enclosure tests have shown that cabinet fires i

generate such intense smoke that within 6-8 minutes control of the plant from the control room would be virtually impossible. These tests were conducted with control room ventilation rates of up to t.en room changes per hour." Please explain the basis for selecting a 15 minute time window i,

(before control room evacuation is required).

d)

Are there procedures dealing with control room evacuation? If so, what are the criteria used for l

determining when evacua' tion should/must take place?

Response

I a.

The general philosophy for evaluation of AP600 control room fires follows the approach suggested in NSAC-181L. Per page 2-11 of NSAC-181L,15 minutes is available before obscuration of the main control panel (leading to the control room evacuation). Also per page 2-11 of the NSAC-181L, the probability of non-suppression of a control room fire as a function of time was obtained from control room fire durations in the EPRI fire events database. Per page 3-23 of the NSAC report, the probability of non-suppression fo'r a fifteen minbte time window is estimated as 3.4E-3.

b&c The general philosophy for evaluation of AP600 control room fires follows the approach suggested in NSAC-181L. It is believed that the NSAC 181L approach (which includes the HEP calculation and interpretation of the Sandia fire tests) is reasonable and the most appropriate method available presently.

d.

Procedures for dealing with main control room evacuation are expected to be prepared by the COL.

Additional details regarding such procedures are discussed in the response to RAI 720.345. Such procedures for current plants rely on the Shift Supervisor (or similarly responsible position) to decide when conditions require transfer of control to the RSW. In general, it is undesirable and impractical to set prescriptive criteria specifying when a MCR evacuation must take place. The operators will be aware of the conditions in the MCR and of their option to transfer control to the RSW should conditions warrant this.

L 20

i i

DRAFT

\\.

Question:

720.351 A fire in the MCR might cause spurious indications as well as spurious equipment operation. Such spurious indications could prompt incorrect operator actions (" errors of commission"). Please discuss the likelihood and potential consequences of such fire-induced errors. In your discussion please list important design features and operational requirements which help prevent such " errors of commission."

I

Response

i The results of the MCR fire scenarios from the internal fire analysis confirm that core damage frequency from such scenarios, assuming credit only for passive features and with no credit for operator actions, is very low for both at-power and shutdown initial conditions. Consistent with the state of the art approach for fire PRA, errors of commission were not explicitly addressed in this analysis. The probability that the operators would attempt to i-defeat automatic actuations because the fire was causing contrary indications is judged to be very small, because the operators would be expected and able to rely on confirmatory information available through the various displays. The displays used by the AP600 plant operators are video display units. Plant data is generated in either a digital or analog format. Data generated in an analog format is converted to a digital data format before being processed for the displays. Fires in the MCR may cause the loss of the display function; however there is no real possibility that the fire can cause the data to be altered such that incorrect data would be displayed. Fires outside the MCR could affect analog signals before processing and could result in the display of incorrect information in the MCR. However, signal redundancy and separation of cabling, along with the diversity of signals available to the operators, make it un%ely that fire damage would cause indications that would be sufficiently misleadir.g to the operators that tL.y would manually defeat automatic actuation of safety systems.

These features help ensure that any risk associated with operator errors of commission are minimized.

If a fire were to cause spurious indications it is unlikely that the operators would be unaware that the fire was j

the source of such indications. If the spurious indications were such that they would be misinterpreted by the l

operators as a requirement for operation of a mitigating system, actuation of the mitigating system by the operators (e.g., SFW, PRHR, CMTs, ADS) would eventually lead to a safe condition. The fire analysis already models the effects of large and medium LOCAs caused by ADS valve opening, which have been assumed to occur directly as a result of a fire but could also be postulated to occur as a resuh of operator actions. The AP600 Adverse System Interactions Evaluation Report (WCAP-14477) provides discussions of the plant features that address various active and passive system interactions. If the spurious indications were such'that they would be misinterpreted by the operators that no mitigating system actuation were required when such actuation was

' required, the automatic actuation features would initiate operation of the systems.

l l

l 21 l

DRAFT l

l Question:

720.352 The Auxiliary Building contains the MCR as well as various I&C, battery and electrical equipment areas. Do any of the later areas share a common ventilation system and/or air intake system with the control room? If the 1

answer is yes, please explain what barriers (including operator actions) prevent smoke, hot gases and fire suppressants from reaching the MCR and how such barriers can be defeated.

Response

The Nuclear Island Nonradioactive Ventilation System (VBS), as described in AP600 SSAR Section 9.4.1, serves the Class IE I&C, battery, and electrical equipment areas and the main control room. The VBS consists of several independent subsystems, including a main control room / technical support center HVAC subsystem and a Class IE electrical room HVAC subsystem. The MCR is a separate fire area from the various electrical l

equipment room fire areas.

The MCR/TSC' subsystem supplies outside air to the main control room and technical support center areas, and

]

the supply and return air ducts that penetrate the MCR envelope include redundant safety-related seismic Category I' isolation dampers located within the MCR envelope. The Class IE electrical room HVAC subsystem i

serves the Class IE electrical rooms. Class IE instrumentation and control rooms Class IE electrical penetration rooms, Class IE and spare Class IE battery rooms, remote shutdown area, and reactor coolant pump trip switchgear rooms. The outside supply air intake enclosure for the portion of the Class IE electrical room HVAC subsystem serving the division A and C electrical equipment areas is common to the MCR/TSC. intake, but the intake serving the division B and D equipment is in a separate enclosure.,

As noted in AP600 SSAR subsection 9.4.1.2.1.1, the MCR/TSC HVAC subsystem is designed so that smoke, hot j

gases, and fire suppressant will not migrate from one fire area to another to the extent that they could adversely affect safe shutdown capabilities, including operator actions. Fire or combination fire and smoke dampers are provided to isolate each fire area from adjacent fire areas during and following a fire in accordance with NFPA 1

90A requirements. These combination smoke / fire dampers close in response to smoke detector signals or in response to the heat from a fire.

As noted in SSAR subsection 9.4.1.2.1.2, the Class IE electrical room HVAC subsystem is designed so that smoke, hot gases, and fire suppressant will not migrate from one fire area to another to the extent that they could adversely affect safe shutdown capabilities, including operator actions. Separate ventila' tion subsystems are provided to serve the electiical division A and C equipment rooms and the electrical division B and D rooms.

j The use of separate HVAC distribution subsystems for the redundant trains of electrical equipment prevents smoke and hot gases from migrating from one distribution division to the other through the ventilation system ducts. In addition, combination fire / smoke dampers are provided for Class IE equipment rooms, including the remote shutdown workstation room, to isolate each fire area and block the migration of smoke and hot gases to or from adjacent fire areas in accordance with NFPA 90A requirements. These combination fire / smoke dampers close in response to smoke detector signals or in response to the heat from a fire.

j The smoke / fire dampers on each Class IE electrical room and on the MCR provide sufficient automatic protection against entry of smoke, hot gas, and fire suppressants into the MCR.

The degree of separation and redundancy in ventilation systems makes it unlikely that smoke, hot gases, or fire suppressants from fires outside the MCR would reach the MCR.

22

e e

\\

i to Westinghouse Letter NSD-NRC-96-4904 December 9,1996 9

1 l

I I

I

)

e 1

l i

t=

l wnr r

3. Modeling of Special Initiat:rs interlock would initiate a spurious actuation of the automatic depressurization system event. Both of these double failures are unlikely, given that the test conditions are 2

normal (e.g., not emergency); performed in the control room; operators are aware of the implications of opening automatic depressurization system valves (e.g., causing a reactor trip and shutting the plant down); and supervision and other operators are present in the control room to observe the test (e.g., the operator would not likely skip the step of bringing up the in-service test soft controls). Additionally, the hardware failure of the interlock is small (passive system with a failure probability of IE-3 or less).

Failure of each operator action is independent and is estimated to be on the order of IE-03 (similar to omission or commission error with no stress factor, from THERP).

Considering a recovery factor of 0.1 for the supervisor for the first error, the total expected error is estimated to be in the range of IE-06 to IE-07 (IE-03

IE-03

IE-01).

Based on the above discussion, the failure modes leading to the above scenarios are not further evaluated quantitatively.

Results of Spurious Actuation of Automatic Depressurization System ne yearly frequencies of the spurious actuation of the automatic depressunzation system categories are calculated as shown in Table 3.3 L / rr S= 32fne calculated

}

3 initiating event frequencies are as follows:

Spurious automatic depressurization system classified as intermediate loss-of-coolant accident 7.16E-07/yr Spurious automatic depressurization system classified as medium loss-of-coolant accident 1.45E-06/yr 1:

Spurious automatic depressunzation system classified as large loss-of-coolant accident 5.4E-05/yr 3.6 References 3-1 AP600 Probabilistic Risk Assessment Fault Trees, WCAP-13275, Revision 2.

Revision: 7 ENE.

W June 28,1996 Etsb.

mvm,rawv 7 c3.wytm2396 3-8

2 6.

S ccess Criteria Analysis l

l 63.1.5 Containment Isolation l

Analyses (documented in Appendix A) were conducted to show that sufficient water for long-l term tecirculation cooling of the core will be retained in contamment even if containment integrity is unsuccessful. Therefore, sequences in which core damage has been avoided with successful in-containment refueling water storage tank (IRWST) injection and recirculation represent success (i.e., no core damage) regardless of the status of containment integrity or l

PCS water. Fr.ilure of PCS may result in exceeding the containment design pressure,but does not result in exceeding the containment ultimate pressure.

As a result, with one exception, neither containment integrity nor PCS are addressed on the core damage event trees. The status of containment integrity and PCS water are factored into the success criteria where they result in conditions affecting systems operation. Appendix A contains additional details of assumptions regarding PCS and containment isolation as used in the analyses.

The one exception to this. is in the large LOCA modeling. For certain large LOCAs with break size close to that selected as the cutoff between medium and large LOCA, if l

containment isolation is not successful, the pressure in the RCS could prevent IRWST gravity injection. 'Iherefore, the PRA large LOCA event tree requires the following, if containment isolation fails: CMT injection is required in order to generate both the automatic ADS actuation signal and the automatic IRWST squib valve actuation signals; and opening of ADS valves is required in order to reduce RCS pressure to the point at which gravity injection occurs.

Containment isolation is addressed in the contamment event trees for core damage sequences in which IRWST injection fails, in order to determine long-term water availability in the reactor cavity. Success criteria for contamment systems are provided in Chapter ["D]. '

43.

63.2 Timing of Events and Key Operator Actions Specific criteria for timing of important events within the various accident sequences are discussed in the following paragraphs.

6.3.2.1

'Ihne to Respond to Loss of Decay Heat Removal For events involving a loss of main and startup feedwater to the steam generators, the Passive RHR system would be expected to remove decay heat. If passive RHR failed to automatically actuate, the operators would be expected to manually actuate this function. If this were unsuccessful, the operators could initiate RCS depressunzation using the ADS, in order to

~

actuate core makeup tank or accumulator injection (i.e., feed and bleed).

l l

'Ibe limiting loss of decay beat remcyal events are those that result in a loss of waa4y side heat sink. A loss of offsite power (resulting in a loss of all main feedwater) without startup feedwater (resulting from either station blackout or failure of SFW) is analyzed, since this Revision: 7 Arygg,d,,

T MIR@W88 June 28,1996 mur m:www.nsec6.wpe.ib 6-8

~

I

26. Protection and Saf;ty Monitoring System l

which reduces to:

J

)

P(f: system) = (A,

T) + (b

T) h 1

7, Thus, for any intennediate single. point failure nodes of the tree, this modeling method implie; that j

1 any failure of these parts at any time during the full mission time T will cause loss of the

.] !

intermediate function being assessed. Therefore, application of this method correctly models single Jg point failures that can lead to the undesired system event.

-o i

_] $

For AND gates in the tree, the same method is applied. For combinations of failures, resultant output effectively equals results that would have been obtamed by using component input values based on P(f) = AT for initial part detectable failures and P(f) = A

2R for subsequent redundant o

I part detectable faihues For an example two-part redundant system, the AND relationship where both failures are detectable can be expressed as follows:

4.o

$3 P(f: system) = P(f:Part 1)

P(f:Part 2)

.e a

".3 j i f 1.

.t-3

+

Substituting the values per the method presented above:

I P(f: system) = ((4

2R) * (b

2R))

T/2R

{1 h 3

'h the resulting equation is:

j

?5

1. e; P(f: system) = (A

T) * (4

2R)

A ep

<<, J i[g This method implies that a loss of function requires two failures: faihue of part I during full mission time T, and the subsequent failure of part 2 during twice the repair time of part 1. His j(.3$

result is consistent with the discussion of modeling repairable redundant systems presented above.

For the spurious ADS model, T = 8760 hours0.101 days 2.433 hours 0.0145 weeks 0.00333 months , and R = 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months . Thus, all input faihue rates used g

in the tree are multiplied by 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months (2R where R = 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months ), and the final tree result is multiplied

' 8 i

94 4 by,1095 hours0.0127 days 0.304 hours 0.00181 weeks 4.166475e-4 months (T/2R where T = 8760 hours0.101 days 2.433 hours 0.0145 weeks 0.00333 months , and 2R = 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months ). His produces the probability F

of a spurious event over mission time T, which is then converted to a failure rate per mission time T, giving the number of spurious ADS events per yearp_' ;f5.4E-) events / year.JJ o

/

{

,Y A msa au n.

26.5.4 Common Cause Failures

1*T "#

j "S

Several common cause failures within the PMS are considered credible and accounted for explicitly during construction of fault trees. Mamly two common cause failures are identified:

hardware common cause failures due to the use of the same type of boards for many subsystems, and software common cause failures.

The hardware common cause falhue evaluations are based on the multiple greek leuer method, which uses beta, gamma, and delta factors to repet the conditional probabilities of second,

Revision: 7 gg June 28,1996 mang.

m W vev_ h :26.wpr:nos2496 26-24

- * =

e

+__;

36. Reactor Coolant Systm Depressurizatio2 I

the reactor coolant system and water covering the faulted steam generator tubes. Rese I

sequences are not considered to be bypass sequences.

I For the steam generator tube rupture cases where the passive residual heat removal system is I

successful, followed by successful automatic depressurization system actuation and I

in-contamment refueling water storage tank injection, and the failure of recirculation, core I

damage is assumed in the level 1 analysis. With these cimumstances, the loss of reactor I

coolant system fluid to the secondary side would be stopped due to the low primary-side I

pressure and the high water level in the faulted steam generator. His scenario assumes that the I

faulted steam generator would be kept filled, covering the tubes. Any release of fission products I

through 'the broken tube would be decontaminated by the['rr x _i; hese I

sequences are not considered to be bypass sequences.

gree.i hb n e8 4ke. bim p

I 36.7 References 7.hh ic. ut W 6 dt'.

l 36-1 Heofanous, T. G., et. al. "In-Vessel Coo! ability And Retention of a Core Melt,"

l DOFJID-10460, July 1995.

l 36-2 " Creep Rupture Failure of "Iluce Components of the Reactor Pnmary Coolant System i

Dunng the TMLB Accident," EGG-EA-7431, EG&G Idaho, November 1986.

1 36-3 neofanous, T. G. et. al., " Lower Head Integrity Under In-Vessel Steam Explosion l

Loads," DOF/ID-10541, issued for peer review, July 1996.

9 e

l l

Revision: 8 ENEL S'Ptember 30,1996

= W wv. w

36-6

4

a w

l Table 52-5 (Sheet I of 2) l AT POWER FOCUSED PRA SENSITIVITY STUDY CORE DAMAGE CONTRIBUTION BY Y

l INITIATING EVENT f

f l

Baseline PRA Focused PRA Initiating

{

l CDF CDF Percent Event c

l Contribution Contribution Initiating Event Contribution Frequency k

f l

1 QOE-091 4.9E-06 AlWS percursors with MFW 64.06 1.17E+00 l

2 2.0E-06 ATWS percursors without MFW 26.27 4.81 E-01 T

gg R

I 3

3.2E-08 1.8E-07 Intermediate LOCA 2.38 7.70E-04 E

3.

l 4

3.8E-10 8.6E-08 ATWS percursors with SI signal 1.I2 2.05E-02 l

5 1.lE-09 8.lE-08 Transients with MFW l.06 1.40E+00 k

l 6

5.6E-10 6.lE-08 PRHR tube rupture 0.79 2.50E-04 3

l 7

5.0E-08 5.8E-08 Large LOCA 0.75 1.05E-04 b

l 8

3.8E-08 5.7E-08 Safety injection line break 0.74 1.04E-04 l

9 6.2E-09 3.8E-08 Medium LOCA 0.50 1.62E-04

~

l 10 3.0E-10 3.0E-08 Loss of main feedwater 0.38 3.35E-01 l

11 4.lE-09 2.4E-08 Small LOCA 0.31 1.01 E-04 l

12 3.5E-09 2.2E-08 CMT line break 0.28 8.94 E-05 l

13 1.8E-10 1.7E-08 Loss of MFW to one steam generator 0.22 1.92E-01 R

I 14

6. lE-09 1.7E-08 Steam generator tube rupture 0.22 5.20E-03 l

15 2.3E-09 1.2E-08 RCS leak 0.15 5.02E-05 w

((

l 16 1.8E-09 1.lE-08 Core power excursion 0.14 4.50E-3

{$

l 17 1.0E-09 1.lE-08 Loss of offsite power 0.14 1.20E-01 t

58E II

-o

,5 - e E$

es g 8

Attachment A to NSD-NRC-96-4904 Enclosed Responses to NRC Requests for Additional Information Re: Conditional Containment Failure Probability 220.95 220.%

~

220.97 220.98 220.99 480.190 480.191 480.192 Re: Fire PRA (draft responses) 720.334 720.335 720.336.

720.337 720.338 720.339 720.340 720.341 720.342 720.343 720.344 720.345 720.346 720.347 720.346 720.349 720.350 720.351 720.352 f

8 9

NSD-NRC-96-4904, Forwards Response to RAI Re Conditional Containment Failure Probability Distribution in Chapter 42 of AP600 Probalistic Risk Assessment: Difference between revisions

Latest revision as of 10:09, 12 December 2024

Contents

Text

SUBJECT:

Dear Mr. Quay:

Response

Response

Response

References:

Response

Reference:

Response

Response

Response

Response

Response

Response

Response

Response

Reference:

Response

Response

Response

Response

Response

Response

Response

Response

Response

Response

Response

Response

Response

Response

Navigation menu

@@ Line 16: / Line 16: @@
 =Text=
-{{#Wiki_filter:- - .. - . . . . .                 .          -.                 . . -     -          ._
+{{#Wiki_filter:- -.. -.....
-(O)                                                                                         (
+(O)
+(
 1
-Westinghouse                         Energy Systerns                               Ba 355                                     :
+Westinghouse Energy Systerns Ba 355 Electric Corporation Pittsburgh Pennsylvania 15230-0355 i
-Pittsburgh Pennsylvania 15230-0355 Electric Corporation i
+NSD-NRC-96-4904 i
-NSD-NRC-96-4904                                         i DCP/NRC0674                                           '!
+DCP/NRC0674 l
-l                                                                                              Docket No.: STN-52-003                                  i December 9,1996 l                         Document Control Desk l
+Docket No.: STN-52-003 i
-U.S. Nuclear Regulatory Commission Washington, D. C., 20555 ATTENTION:                       T.R. QUAY
+December 9,1996 l
+Document Control Desk l
+U.S. Nuclear Regulatory Commission Washington, D. C., 20555 ATTENTION:
+T.R. QUAY
 ==SUBJECT:==
@@ Line 29: / Line 33: @@
 ==Dear Mr. Quay:==
+Enclosure i provides Westinghouse responses to NRC requests for additional information pertaining to i
-Enclosure i provides Westinghouse responses to NRC requests for additional information pertaining to                         i the conditional containment failure probability distribution used in Chapter 42 of the AP600 Probabilistic Risk Assessment (PRA). Specifically, the responses to the following RAls are included:
+the conditional containment failure probability distribution used in Chapter 42 of the AP600 Probabilistic Risk Assessment (PRA). Specifically, the responses to the following RAls are included:
-.190 through 480.192,220.95 through 220.99. These responses close, from a Westinghouse                                    ;
+.190 through 480.192,220.95 through 220.99. These responses close, from a Westinghouse perspective, the addressed questions. The NRC technical staff should review these responses. The i
-perspective, the addressed questions. The NRC technical staff should review these responses. The                             i status of these RAls will be changed to " Action N" in the OITS on January 2,1997.                                           I Enclosure 2 provides the draft responses to NRC requests for additional information pertaining to the AP600 at-power fire PRA. These responses are being provided to the NRC for discussion purposes at the December 18,19% NRC and Westinghouse AP600 fire PRA meeting. The staff is expected to review these draft responses and be prepared to discuss them at the meeting.
+status of these RAls will be changed to " Action N" in the OITS on January 2,1997.
-Enclosure 3 contains markup page changes to the AP600 PRA. These markups primarily fix typos found in the report since the issuance of Revision 8. These changes will be included in the next revision to the PRA. The staff reviewers should include these markup pages with their PRA report.
+I provides the draft responses to NRC requests for additional information pertaining to the AP600 at-power fire PRA. These responses are being provided to the NRC for discussion purposes at the December 18,19% NRC and Westinghouse AP600 fire PRA meeting. The staff is expected to review these draft responses and be prepared to discuss them at the meeting. contains markup page changes to the AP600 PRA. These markups primarily fix typos found in the report since the issuance of Revision 8. These changes will be included in the next revision to the PRA. The staff reviewers should include these markup pages with their PRA report.
-A listing of the NRC requests for additional information responded to in this letter is contained in Attachment A.
+A listing of the NRC requests for additional information responded to in this letter is contained in ll Attachment A.
-Please contact Cynthia L. IIaag on (412) 374-4277 if you have any questions concerning this                          .
+Please contact Cynthia L. IIaag on (412) 374-4277 if you have any questions concerning this
-ll    '
+<~[
-transmittal.                                                                                                         <~[T    '
+T transmittal.
 f g
-i   A. McIntyre, h nager
+i i
+A. McIntyre, h nager
 (-
-i Ads iced Plant Safety and Licensmg
+Ads iced Plant Safety and Licensmg 9612190411 961209 PDR ADOCK 05200003 A
-!                        9612190411 961209
+PDR
-!                        PDR       ADOCK 05200003 A                                PDR
 I
-        't     ,;
+'t i
-     '*                            ,                                                                             i d
+d T. R. Quay Page DCP-NRC0674 December 9,' 1996 f
-T. R. Quay Page                   DCP-NRC0674                                                                                    :
-December 9,' 1996 f
 i Enclosures I
-cc:      J. Sebrosky, NRC (enclosures)                                                         j J. Kudrick, NRC (w/o enclosures)                                                      ;
+cc:
+J. Sebrosky, NRC (enclosures) j J. Kudrick, NRC (w/o enclosures)
 J. Flack, NRC (w/o enclosures)
 N. J. Liparulo, Westinghouse (w/o enclosures) d i
 t d
 I j
-A 1
+A
-_ ---_-_ . ~ , - - <
+. ~, - - <
 a f
 f I
 r 1
-l n
+l to Westinghouse n
-Enclosure 1 to Westinghouse l                                                 Letter NSD-NRC-96-4904 December 9,1996 l..
+l Letter NSD-NRC-96-4904 December 9,1996 l..
 l e
 e
 l 4
+I
-            .                                                                                              I i
+i l
-l 8
+r
-r I
+I 1011 4
-!                     1011 4
-NRC REQUEST FOR ADDITIONAL INFORMATION f      ?
+NRC REQUEST FOR ADDITIONAL INFORMATION f
+?
 Question: 220.95 l
-In PRA Chapter 42, dated December 1,1995, a coefficient of variance (COV) of 0.06 for random material uncertainty for SA537, Class 2 is used. This does not seem to be appropriate. The staff could not find where your Reference 42-2 recommends a COV between 0.06 and 0.08 for random material uncertainty. On page 77 in Reference 42-2, the material yield strength mean and standard deviation were taken as 1.1 and 0.11 times the        l specified c, for the uncertainty analysis of the five containments.                                                 l
+In PRA Chapter 42, dated December 1,1995, a coefficient of variance (COV) of 0.06 for random material uncertainty for SA537, Class 2 is used. This does not seem to be appropriate. The staff could not find where your Reference 42-2 recommends a COV between 0.06 and 0.08 for random material uncertainty. On page 77 in Reference 42-2, the material yield strength mean and standard deviation were taken as 1.1 and 0.11 times the specified c, for the uncertainty analysis of the five containments.
-      -                                                                                                                                   1 Based on " Development of a Probability Based Load Criterion for American National Standard A58," National          j Bureau of Standards Special Publicatic,n 577, US Government Printing Office, Washington,1980, the use of 1.1 and    1 0.11 for the median and the COV, respectively, for material property is more appropriate. Figure I shows the        I probability of failure differences between the random material uncertainty COVs of 0.06 and 0.11.
+Based on " Development of a Probability Based Load Criterion for American National Standard A58," National j
-                             '                                                                                                            l l
+Bureau of Standards Special Publicatic,n 577, US Government Printing Office, Washington,1980, the use of 1.1 and 0.11 for the median and the COV, respectively, for material property is more appropriate. Figure I shows the probability of failure differences between the random material uncertainty COVs of 0.06 and 0.11.
-               -      Response:                                                                        -
-As discussed in Revision 8 of Chapter 42, a coefficignt of variation (COV) equal to 0.11 is used to represent the ' l random uncertainty in material properties for all failure locations. This is based on the reference provided in RAI l 220.95 (" Development of a Probability Based Load Criterion for American National Standard A58" and " Reliability of Containment Under Overpressure").         ,
+===Response===
+As discussed in Revision 8 of Chapter 42, a coefficignt of variation (COV) equal to 0.11 is used to represent the '
+random uncertainty in material properties for all failure locations. This is based on the reference provided in RAI 220.95 (" Development of a Probability Based Load Criterion for American National Standard A58" and " Reliability of Containment Under Overpressure").
 PRA Revision: None h
-220.95-1 W Westinghouse                                                         ,
+220.95-1 W Westinghouse
-i o     *                                                                                                                          !
+i o
-         =
+=
 l NRC REQUEST FOR ADDITIONAL INFORMATION
-                                                                                                                          ==     :m   I i
-l Question: 220.96                                                                                                         l l
+==
-In PRA Subsection 42.4.1, a COV of 0.1 for modeling error for containment cylindrical shell is used. This does not seem to be appropriate. The COV of 0.1 seems to come from the average of 0.12 (limit pressure calculations) and          l O.08 (axisymmetric finite element analysis) in Reference 42-1. However, the COV of 0.08 is not directly applicable       I to AP600 since Reference 42-1 uses ANSYS with STIF 82 elements for six closed-end smooth cylinders which are different from that of the AP600. The COV of 0.12 is obtained after calibrating with respect to the Gnite element method in Reference 42-1. In this calibration, Reference 42-1 treats the von Mises yield criterion as a constant (15 percent increase). The use of COV of 0.12 for the constant von Mises yield criterion is acceptable. However, based on test data, the von Mises yield criterion should be treated as a random variable. For the complete modeling error COV determination, provide the median and its COV values with the legitimate distribution information for the von
+:m i
-.            Mises yield criterion.
+l Question: 220.96 In PRA Subsection 42.4.1, a COV of 0.1 for modeling error for containment cylindrical shell is used. This does not seem to be appropriate. The COV of 0.1 seems to come from the average of 0.12 (limit pressure calculations) and O.08 (axisymmetric finite element analysis) in Reference 42-1. However, the COV of 0.08 is not directly applicable to AP600 since Reference 42-1 uses ANSYS with STIF 82 elements for six closed-end smooth cylinders which are different from that of the AP600. The COV of 0.12 is obtained after calibrating with respect to the Gnite element method in Reference 42-1. In this calibration, Reference 42-1 treats the von Mises yield criterion as a constant (15 percent increase). The use of COV of 0.12 for the constant von Mises yield criterion is acceptable. However, based on test data, the von Mises yield criterion should be treated as a random variable. For the complete modeling error COV determination, provide the median and its COV values with the legitimate distribution information for the von Mises yield criterion.
 ===Response===
@@ Line 97: / Line 102: @@
 m W Westinghouse
-l l
+NRC REQUEST FOR ADDITIONAL INFORMATION g
-            * ,'                                                                                                                          l 4
+g
-NRC REQUEST FOR ADDITIONAL INFORMATION g    - . -
+Ouestion: 220.97 In letter NTD-NRC-96-4617, dated January 4,1996, the response to RAI 2 (NRC {{letter dated|date=September 14, 1995|text=letter dated September 14, 1995}}) stated that " Distribution is primarily influenced by imperfection. Measured imperfection must be less than the American Society of Mechanical Engineers (ASME) specified limit. Use of lognormal distribution is appropriate, similar to its use for material yield which must also exceed a minimum ASME specification." Is the lognormal distribution applicable here if it exceeds the ASME minimum specifications? The distribution should come from the existing test data and not be assumed. Clarify these statements.
-     g Ouestion: 220.97 In letter NTD-NRC-96-4617, dated January 4,1996, the response to RAI 2 (NRC {{letter dated|date=September 14, 1995|text=letter dated September 14, 1995}})            l stated that " Distribution is primarily influenced by imperfection. Measured imperfection must be less than the American Society of Mechanical Engineers (ASME) specified limit. Use of lognormal distribution is appropriate, similar to its use for material yield which must also exceed a minimum ASME specification." Is the lognormal distribution applicable here if it exceeds the ASME minimum specifications? The distribution should come from the existing test data and not be assumed. Clarify these statements.
-Response:                                                                                                                l The equipment hatch cover will be constructed within the ASME forming tolerance requirements for vessel shells as defined in Subsection NE (NE-4220). Buckling is significantly influenced by imperfection. The maximum imperfection defined by the ASME Code will determine code buckling capacity. The imperfections in the as-built conditions will be equal to or smaller than the ASME specified values, and therefore, the as-built buckling capacity     I will be higher.
+===Response===
-l 1
+The equipment hatch cover will be constructed within the ASME forming tolerance requirements for vessel shells as defined in Subsection NE (NE-4220). Buckling is significantly influenced by imperfection. The maximum imperfection defined by the ASME Code will determine code buckling capacity. The imperfections in the as-built conditions will be equal to or smaller than the ASME specified values, and therefore, the as-built buckling capacity will be higher.
 No as-built measurements of the AP600 containment vessel are available. There is not that much existing test data (see RAI 230.32)in the public domain that can be used to make meaningful conclusions with respect to statistical distributions for the AP600 containment. This has been noted by L Greimann and F. Fanous in Reference 220.97-1:
 They state:
-p.839          "Again, as-built geometry of the containment would be very useful. Unfortunately, no as-built measurements of containment vessels exist. However; fabrication and erection tolerances were' established and (presumably) met during the construction process."
+p.839 "Again, as-built geometry of the containment would be very useful. Unfortunately, no as-built measurements of containment vessels exist. However; fabrication and erection tolerances were' established and (presumably) met during the construction process."
-p.847        " Uncertainty in structural analysis . . is very difficult to quantify. A usual procedure is to describe
+p.847
-  ,                             statistically the ratio of experimental results to analytical results. Hehce, if therg are a number of experimental results, one can approximate the distribution of this ratio. Most typically, however, enough tests are not available to give sufficient statistical confidence.    ."
+" Uncertainty in structural analysis.. is very difficult to quantify. A usual procedure is to describe statistically the ratio of experimental results to analytical results. Hehce, if therg are a number of experimental results, one can approximate the distribution of this ratio. Most typically, however, enough tests are not available to give sufficient statistical confidence.
 The use of a lognormal distribution to represent uncertainty is, and has been, the accepted practice in structural analysis as well as risk analysis for a number of years. Many papers have been published on this subject, indicating the general acceptability of the lognormal distribution for the purposes used in the AP600 containment analyses.
 Two notable papers are References 220.97-1 and 220.97-2.
 Both of these documents describe the use of the lognormal distribution for probabilistic and reliability analyses of steel containments. In NUREG/CR-3127 (Table 2.1) imperfection parameters are defined as lognormally distributed, and in the paper (Tables 6 and 7) and NUREG (Table 2.1) the analysis error is stated to be lognormally distributed.
 Another consideration is the potential differences in the results if a different distribution was used. Although it is possible to show different results for any (less than infinite) data set through the use of a particular distribution.
-W-Westinghouse
+W Westinghouse
 j
-      ,'     .'                                                                                                                           \
+\\
-l l
+NRC REQUEST FOR ADDITIONAL INFORMATION giii assuming a reasonable choice of shaping parameters used with a distribution other than a lognormal one, the resulting failure probability is still expected to be very small.
-NRC REQUEST FOR ADDITIONAL INFORMATION giii     !!!
-assuming a reasonable choice of shaping parameters used with a distribution other than a lognormal one, the resulting l
-failure probability is still expected to be very small.
-l l
 It is important to note that the controlling failure mode is not buckling, but membrane yield of the cylindrical shell.
 In Chapter 42, results of the conditional containment failure probability distributions have been presented. In Tables 42-3 and 42-4, and Figures 42-1 and 42-2, it is seen that the cumulative containment failure probability is similar to that associated with cylinder yield. Therefore, cylinder yield is the dominant contributor to containment failure, and buckling does not control containment failure probability.
-                                                                                                                                          )
+From the above discussion it can be concluded that a lognormal distribution is recommended in the literature for j
-l From the above discussion it can be concluded that a lognormal distribution is recommended in the literature for          j imperfections. Further, buckling does not control the cumulative failure probability, and the distribution used has little effect on containment failure probability.                                              .
+imperfections. Further, buckling does not control the cumulative failure probability, and the distribution used has little effect on containment failure probability.
 ==References:==
-.97-1       " Reliability of Containments Under Overpressure," L. Greimann and F. Fanous, Pressure Vessel and          i Piping Technology, A Decade of Pro'gress, Paper 8.7,1985, pp. 835 856.                                    l 220.97-2       NUREG/CR-3127. "Probabilistic Seismic Resistance of Steel Containments" prepared by L Greimann, F. Fanous, et al, Ames Laboratory, January 1984.
+.97-1
-I l
+" Reliability of Containments Under Overpressure," L. Greimann and F. Fanous, Pressure Vessel and Piping Technology, A Decade of Pro'gress, Paper 8.7,1985, pp. 835 856.
-PRA Revision: None 4
+.97-2 NUREG/CR-3127. "Probabilistic Seismic Resistance of Steel Containments" prepared by L Greimann, F. Fanous, et al, Ames Laboratory, January 1984.
-,97-2 t
+l PRA Revision: None 4
-W Westinghouse l
+,97-2 W Westinghouse t
+l
 NRC REQUEST FOR ADDITIONAL INFORMATION
-                                                                                                                                 ;%5 nci i:     .=
+;%5 nci i:
+.=
 Question: 220.98 In PRA subsection 42.4.3, a COV of 0.14 is used for equipment hatch modeling error. However, this modeling error calculation in Reference 42-2 is based on internal pressure cases. Provide thejustification that this COV can be used for the external pressure case.
 ===Response===
-The purpose of the PRA Chapter 42 analysis is to evaluate overpressure containment fragility for use in the AP600 PRA. A COV of 0.12 was used for internal limit pressure, which is consistent with analysis errors per Reference
+The purpose of the PRA Chapter 42 analysis is to evaluate overpressure containment fragility for use in the AP600 PRA. A COV of 0.12 was used for internal limit pressure, which is consistent with analysis errors per Reference 220.98-1. External pressure does not apply for this evaluation.
-    ,                220.98-1. External pressure does not apply for this evaluation.
 ==Reference:==
+220.98-1
-220.98-1      " Reliability of Containments Under Overpressure," L Greimann and F. Fanous, Pressure Vessel and Piping Technology, A Decade of Progress, Paper 8.7, pp. 8' 35-856.                                      -
+" Reliability of Containments Under Overpressure," L Greimann and F. Fanous, Pressure Vessel and Piping Technology, A Decade of Progress, Paper 8.7, pp. 8' 35-856.
 PRA Revision: None 4
 9
@@ Line 157: / Line 158: @@
 It is true as stated in the RAI that for the conditional containment failure probability analyses performed, it is assumed that once general yielding of the cylinder occurs, the bellows may fail and the equipment hatches may start to leak. However, it is not necessary to provide the probability of failure for bellows and leakage through equipment hatches due to ovalization since the sum of the probabilities of these specific mechanisms plus others that might occur, such as failure of other penetrations, is equal to or smaller than that given for the general yielding of the cylinder in the analyses performed.
 PRA Revision: None t
-a    #
+a W Westinghouse
-W-Westinghouse                                                      -
 B s
-\
+\\
 NRC REQUEST FOR ADDITIONAL INFORMATION
-                                                                                                                           ;ty.
+;ty.
-Ouestion: 480.190          Containment Pressure Capacity Describe how the impact of corrosion of the containment shellis accounted for in estimating the containment ultimate pressure capacity, i .
+Ouestion: 480.190 Containment Pressure Capacity Describe how the impact of corrosion of the containment shellis accounted for in estimating the containment ultimate pressure capacity, i.
-l                 Response:
+l
-Corrosion protection of the containment vessel is described in SSAR subsection 3.8.2.6 and 6.1.2. Performance monitoring of the coating is described in subsection 6.1.2. This monitoring is intended to preclude significant corrosion of the containment vessel. Therefore, the impact of corrosion is not accounted for in estimating the ultimate capacit'y,
-          ,       PRA Revision: None.
+===Response===
-I l
+Corrosion protection of the containment vessel is described in SSAR subsection 3.8.2.6 and 6.1.2. Performance monitoring of the coating is described in subsection 6.1.2. This monitoring is intended to preclude significant corrosion of the containment vessel. Therefore, the impact of corrosion is not accounted for in estimating the ultimate capacit'y, PRA Revision: None.
-l 4
+h
-h t
+t 480.190-1
-.190-1
 [ Westinghouse
-NRC REQUEST FOR ADDITIONAL INFORMATION
+NRC REQUEST FOR ADDITIONAL INFORMATION 4E!.E
-                                                                                                                           .E..E 4E!.E Question: 480.191           Containment Pressure Capacity Provide an assessment of the pressure capability of the main steam line and main feedline bellows, and a corresponding failure probability distribution curve.
+.E..E Question: 480.191 Containment Pressure Capacity Provide an assessment of the pressure capability of the main steam line and main feedline bellows, and a corresponding failure probability distribution curve.
-    -          Response:
+===Response===
 The pressure capability of the main steam line and main feedline bellows are discussed in SSAR subsection 3.8.2.4.5.
 The pressure capability exceeds the pressure at which the containment vessel cylinder yields. It is assumed that once general yielding of the cylinder occurs, the bellows may fait due to the large deflection of the cylinder. However, it is not necessary to provide the probability of failure for bellows separate from the probability of cylinder yield.
 The probability of failure of the bellows due to large deformation of the cylinder is a part of the probability given in PRA Chapter 42 for vessel failure due to the general yielding of the cylinder.
-PRA Revision: None.                ,
+PRA Revision: None.
 o e
 e 4
@@ Line 188: / Line 188: @@
 i
-                                                                                                                                          ~
+~
 i e
-l               .
+l s
-s NRC REQUEST FOR ADDITIONAL INFORMATION Hiit
+NRC REQUEST FOR ADDITIONAL INFORMATION Hiit EF=
-                                                                                                                              =-
+=-
-EF=
+Question: 480.192 Containment Pressure Capacity Provide further information regarding the ability of containment piping penetrations to accommodate the lateral motion of the containment shell anticipated in late over-pressure failures. For key penetrations, including the main steam and feedwater lines, provide an estimate of the extent to which the bellows would be compressed at containment pressures corresponding to (a) Service Level C and (b) the ultimate pressure capacity. This can be presented in terms of the percent of full compression, as described in NUREG/CR-6154.
-Question: 480.192            Containment Pressure Capacity Provide further information regarding the ability of containment piping penetrations to accommodate the lateral motion of the containment shell anticipated in late over-pressure failures. For key penetrations, including the main steam and feedwater lines, provide an estimate of the extent to which the bellows would be compressed at containment pressures corresponding to (a) Service Level C and (b) the ultimate pressure capacity. This can be presented in terms of the percent of full compression, as described in NUREG/CR-6154.
 ===Response===
 The radial deflection of the containment vessel at 144 psig is 1.6 inches as given in SSAR subsection 3.8.2.4.2.1.
 This pressure is greate'r than the pressure corresponding to Service Level C and is well within the capability of the bellows. The bellows are expected to be fully compressed at the ultimate pressure capacity since the ultimate capacity is defined as the pressure at which there is gross yield of the cylinder.
-PRA Revision: None.                                 ,
+PRA Revision: None.
 e 0
-l
+l 480.192-1 T Westingtiouse i
-!                                                                                                                            480.192-1 i                     T Westingtiouse
-Enclosure 2 to Westinghouse
+' to Westinghouse Letter NSD-NRC-96-4904 December 9,1996 1
-;                                                  Letter NSD-NRC-96-4904 December 9,1996 1
 l r
 +
 0
 O
-* 4 9
+9
 i 9
 B
@@ Line 218: / Line 215: @@
 1011 A
-                                                      .                           DRAFT Question:       720.334 The information documented in the submittal (Chapter 57, August 9,1996, Internal Fire Analysis Draft Markup) does not state clearly the major assumptions made in modeling containment fires. The containment is a single l                        fire area which is made up of several compartments, called fire " zones" (see Table 57-5). It appears that the l                        several fire zones, included in the single containment fire area, are treated in the analysis similarly to the fire l
+DRAFT Question:
-areas for fires outside the coritainment. However, it is not clear whether and how fire propagation between fire
+.334 The information documented in the submittal (Chapter 57, August 9,1996, Internal Fire Analysis Draft Markup) does not state clearly the major assumptions made in modeling containment fires. The containment is a single l
-!                        zones is modeled and what is the technical basis for distinguishing the different fire scenarios. Please provide this information, including relevant assumptions, in Chapter 57 of the PRA.
+fire area which is made up of several compartments, called fire " zones" (see Table 57-5). It appears that the l
+several fire zones, included in the single containment fire area, are treated in the analysis similarly to the fire l
+areas for fires outside the coritainment. However, it is not clear whether and how fire propagation between fire zones is modeled and what is the technical basis for distinguishing the different fire scenarios. Please provide this information, including relevant assumptions, in Chapter 57 of the PRA.
 ===Response===
-        -                In the AP600 internal fire analysis, fire propagation across containment fire zone boundary has been judged not to be credible. Fire scenarios have been developed only based on the potential impact on safe shutdown function that could be caused by damaging components and cabling located in the fire exposing zone. The technical justification for this judgement is provided below.
+In the AP600 internal fire analysis, fire propagation across containment fire zone boundary has been judged not to be credible. Fire scenarios have been developed only based on the potential impact on safe shutdown function that could be caused by damaging components and cabling located in the fire exposing zone. The technical justification for this judgement is provided below.
-In the AP600 internal fire analysis (consistent with the state-of-the-art methodology), fire propagation across a barrier has been judged not to be credible if the deterministic fire protection assessment had credited the barrier
+In the AP600 internal fire analysis (consistent with the state-of-the-art methodology), fire propagation across a barrier has been judged not to be credible if the deterministic fire protection assessment had credited the barrier as being capable of preventing fire propagation, unless:
-              .         as being capable of preventing fire propagation, unless:
+i.
-: i. the barrier's integrity had been compromised by a barrier element failure (e.g. penetration seal failure)                                        .
+the barrier's integrity had been compromised by a barrier element failure (e.g. penetration seal failure)
-AND-ii. if the fire suppression activities in the exposing location were to fail to contain the fire within the area.
+AND-ii.
-For example, fire propagation across a fire area boundary which consists of a solid wall without any sealed openings (doors, vent louvers, cable penetrations, etc.) has been judged not to be credible, where as fire propagation across a barrier with any sealed openings has been considered to be credible and the barrier failure probability has been assessed based on the type of barrier elements.                                   i
+if the fire suppression activities in the exposing location were to fail to contain the fire within the area.
-                      ' As stated in, the RAI, the containment fire area is a single fire area which is divided into several fire zones.
+For example, fire propagation across a fire area boundary which consists of a solid wall without any sealed openings (doors, vent louvers, cable penetrations, etc.) has been judged not to be credible, where as fire propagation across a barrier with any sealed openings has been considered to be credible and the barrier failure probability has been assessed based on the type of barrier elements.
+i
+' As stated in, the RAI, the containment fire area is a single fire area which is divided into several fire zones.
 Based on the AP600 SSAR's Appendix 9A, fire zones are physically separated from other fire zones such that fire propagation across a fire zone boundary can be dismissed. None of the containment inter-zone barriers are designed to contain sealed openings (e.g. doors or penetration seals). Therefore, fire propagation is not credible and no probabilistic treatment is needed.
 It is worthwhile to repeat that in the current fire PRAs, including those performed using the EPRI FIVE methodology, generally the containment building is excluded from the analysis (i.e., it is screened out at the qualitative level). The basis for this exclusion includes the following justifications which are presented in the FIVE methodology:
-* the unlikelihood of a hot gas layer forming in areas that would damage cabling; e         industry-wide improvements in RCP oil collection system design improvements, which has essentially eliminated this primary cause of past containment fires;
+the unlikelihood of a hot gas layer forming in areas that would damage cabling; industry-wide improvements in RCP oil collection system design improvements, which has essentially e
-                       .*          a low frequency of containment fires in operating plant experience.
+eliminated this primary cause of past containment fires; a low frequency of containment fires in operating plant experience.
-DRAFT                                                                '
+DRAFT That is, it is generally accepted that containment fires do not pose a significant safety threat due to the lack of fire ignition sources in the area in combination with the limited amount of combustible materials in the l
-That is, it is generally accepted that containment fires do not pose a significant safety threat due to the lack of fire ignition sources in the area in combination with the limited amount of combustible materials in the                     l l
+l containment and significant space available for spread of the energy which would be generated by a fire. These justifications are applicable to the AP600 design. Therefore, it is judged that there are no significant fire propagation mechanisms in the AP600 containment design (e.g., features that would allow formation of a hot gas layer) that would facilitate fire spread across a containment fire zone boundary, i
-containment and significant space available for spread of the energy which would be generated by a fire. These justifications are applicable to the AP600 design. Therefore, it is judged that there are no significant fire propagation mechanisms in the AP600 containment design (e.g., features that would allow formation of a hot gas                :
-layer) that would facilitate fire spread across a containment fire zone boundary, i
 Additionally, from the overall risk point of view, the AP600 design has an additional level of defense (i.e.
-nonsafety-related equipment) which are mainly located outside the containment and would be free of damage from fires in the containment.                                                                                                l 1
+nonsafety-related equipment) which are mainly located outside the containment and would be free of damage from fires in the containment.
-l' .                                                                                                                                            i
+l 1
-\
+l'.
+i
+\\
 i s
 S b
-j                                                                                                              .                       =
+j
+=
 l' l
 be 4
 1
 r
-I 2
+DRAFT Question:
+.335 One item of concern in the certification of advanced reactor designs is the impact of smoke, hot gases, and fire suppressants on safe shutdown equipment (especially due to sensitive electronics) and on operator actions. The issue is amplified when these elements migrate into other fire areas. Please address this issue in the internal fire PRA.
-                                                .                           DRAFT Question:        720.335 One item of concern in the certification of advanced reactor designs is the impact of smoke, hot gases, and fire suppressants on safe shutdown equipment (especially due to sensitive electronics) and on operator actions. The issue is amplified when these elements migrate into other fire areas. Please address this issue in the internal fire PRA.
+===Response===
-Response:                                                                                                            j The impact of hot gases, fire suppression, and smoke has been addressed in the AP600 internal fire analysis          )
+j The impact of hot gases, fire suppression, and smoke has been addressed in the AP600 internal fire analysis
+)
 either implicitly or explicitly as follows:
-impact on eauipment                                                                                                  j In all plant locations other than the control room, the components (of all types) and cabling located in an area where the fire originates or to which it propagates have been assumed lost independent of the hazard (i.e.           ;
+impact on eauipment j
-independent of smoke, formation of hot gas layer, fire suppression activities, etc.). Note that, consistent with BTP CMEB 9.5-1 and NFPA recommendations, the AP600 ventilation systems are designed to confine smoke,                l hot gases, and fire suppressants within the fire area of fire origin.
+In all plant locations other than the control room, the components (of all types) and cabling located in an area where the fire originates or to which it propagates have been assumed lost independent of the hazard (i.e.
-In the control room, based on the available data and the fact the control room would be continuously occupied,
+independent of smoke, formation of hot gas layer, fire suppression activities, etc.). Note that, consistent with BTP CMEB 9.5-1 and NFPA recommendations, the AP600 ventilation systems are designed to confine smoke, hot gases, and fire suppressants within the fire area of fire origin.
-              . it has been judged that the im*pact of fire-generated or fire-induced lyazards (i.e. smoke / heat or water) would be l limited if the fire did not, or was not allowed, to fully develop. For fully developed fires, all the equipment in   i the control roora have been assumed lost (due to heat or smoke-induced damage) and no operator' action from the control room has been credited. Additionally, in all fire areas, the impact of fire-induced spurious actuation (such as those that ct.n be caused by smoke / soot or cable hot short) have been explicitly modeled.                 l Impact on Operators in the AP600 internal fire analysis, other than in the control room, no' local manual action has been credited.
+In the control room, based on the available data and the fact the control room would be continuously occupied, it has been judged that the im* act of fire-generated or fire-induced lyazards (i.e. smoke / heat or water) would be p
+limited if the fire did not, or was not allowed, to fully develop. For fully developed fires, all the equipment in i
+the control roora have been assumed lost (due to heat or smoke-induced damage) and no operator' action from the control room has been credited. Additionally, in all fire areas, the impact of fire-induced spurious actuation (such as those that ct.n be caused by smoke / soot or cable hot short) have been explicitly modeled.
+Impact on Operators in the AP600 internal fire analysis, other than in the control room, no' local manual action has been credited.
 Therefore, the impact of fire-generated or fire-induced hazards on the local operator action did not need to be addressed. For the control room, the level of smoke which would impair the effectiveness of the operators and the time available to suppress the fire before the smoke concentrarb.. reih-s the level of visual Impairment have been evaluated based on available experimental data, the,Ar600-design specific control room features and assessments made in other fire PRAs. Since only very localir~J'small fires have been assessed to have limited impact (i.e. large fires have been assumed to disable all the equipment) and the damage caused by such fires, based on available data, were assessed to be limited, it was judged that fire suppression activities related to such small fires would not significantly impede or adversely affect opdrators actions.
 d 3
-                                                       ,                               DRAFT 1
+DRAFT 1
-l
+l Question:
-!                           Question:       720.336 4
+.336 4
 Burning liquids in the AP600 turbine building could fall on the floor at elevation 100 feet. It is not clear where they would go. Is it possible that the oil could enter the Auxiliary Building? Experience (the Vandellos turbine building fire) has shown that burning oil can spread away from the point of origin. Is it possible that an important scenario, which involves damage to other fire areas within the Auxiliary Building, was not analyzed because of the analysis groundrule preventing treatment of scenarios involving fire spread to multiple zones?
 Please explain and identify the specific design features that prevent this from happening.
 ===Response===
-In general terms, in the AP600 internal fire analysis, the ground rules followed in assessing the impact of fire
+In general terms, in the AP600 internal fire analysis, the ground rules followed in assessing the impact of fire propagation included the following:
-                   .       propagation included the following:
+Fires originating in a fire area (exposing fire area) could only propagate to an adjacent fire area a.
-: a.        Fires originating in a fire area (exposing fire area) could only propagate to an adjacent fire area
+(exposed fire area), and no further propagation beyond the exposed fire area was considered to be credible.
-                 ,                   (exposed fire area), and no further propagation beyond the exposed fire area was considered to be credible.                                                                            >
+b.
-: b.        Simultaneous fire propagation from the exposing fire area to more than one adjacent fire area was not considered credible.
+Simultaneous fire propagation from the exposing fire area to more than one adjacent fire area was not considered credible.
 That is,. fire propagation to more than one fire area was considered but sequential fire propagation (from a' fire area to an unconnected fire area via an intermediatory fire area) or simultaneous fire propagation to more than one fire area were judged not to be credible.
-Specifically, fire propagation from the AP600 turbine building to the auxiliary building has been considered credible where a mechanism to allow for fire propagation (e.g. a door) had been identified. More specifically,                                   l fire propagation from the AP600 turbine building (including oil-fueled fires) to fire area 1201 AF 04 located in                                  l the auxiliary building was considered to be credible and its consequences has been analyzed in the internal fire l
+Specifically, fire propagation from the AP600 turbine building to the auxiliary building has been considered credible where a mechanism to allow for fire propagation (e.g. a door) had been identified. More specifically, l
-analysis.                                                                                                                                         i l
+fire propagation from the AP600 turbine building (including oil-fueled fires) to fire area 1201 AF 04 located in the auxiliary building was considered to be credible and its consequences has been analyzed in the internal fire analysis.
-l
+i l
-                                                                                       .                                          a 4
+a 4
+l l
+DRAFT Question:
+.337 Westinghouse claims that a conservative " bounding" assessment of the impact of fire-induced " hot shorts" was l
+performed. The staff, however, cannot conclude that Westinghouse's analysis is bounding (based on the
+)
+information pro' ided in the submittal) because (a) the probability of a hot short (from NUREG/CR-2258) is v
+based on judgment, (b) it is assumed that the probability of multiple hot short events is state-of-knowledge independent, and (c) the analysis does not refer to the specific AP600 PRA I&C models and logic diagrams to l
+recognize any important features, and/or operational requirements, that are incorporated into the design to prevent l
+fire-induced hot shorts from causing spurious actuations which in turn could have a significant impact on plant safety. Please explain the mechanism of fire-induced spurious actuations using the AP600 PRA I&C models, the j
+l location of the various I&C cabinets, the location of power source interfaces and assumptions made on cable l
+characteristics and routing. Also, please list important design features, and/or operational requirements, that l-prevent fire-induced hot shorts from causing spurious actuations.
-l
+===Response===
-         .                                                                                                                                          l DRAFT Question:        720.337
+The AP600 internal fire analysis considers the effects of fire-related damage to safety equipment and associated instrumentation, control, and power cabling. Both open shorts an'd hot shorts in I&C and power circuits are considered. With respect to hot shorts, the internal fire analysis explicitly considers hot short-induced actuation of ADS valves, resulting in loss of coolant, for both at-power and shutdown conditions. Other potential hot short
-;                     Westinghouse claims that a conservative " bounding" assessment of the impact of fire-induced " hot shorts" was                l l                     performed. The staff, however, cannot conclude that Westinghouse's analysis is bounding (based on the                         )
+)
-information pro'vided in the submittal) because (a) the probability of a hot short (from NUREG/CR-2258) is l
+equipment actuations result in either less' adverse events or in favorable conditions, such as have been 2
-based on judgment, (b) it is assumed that the probability of multiple hot short events is state-of-knowledge                  :
+documented elsewhere (Ref. 720.337-1). Potential fire-induced hot-short actuation of the automatic l
-independent, and (c) the analysis does not refer to the specific AP600 PRA I&C models and logic diagrams to                   I l                     recognize any important features, and/or operational requirements, that are incorporated into the design to prevent            l l                     fire-induced hot shorts from causing spurious actuations which in turn could have a significant impact on plant               .
+depressurization system (ADS) is the only fire-induced fault with potential to adversely affect the ability of the plant to achieve safe shutdown, and is treated in a limiting manner in the internal fire analysis, as described
-;                     safety. Please explain the mechanism of fire-induced spurious actuations using the AP600 PRA I&C models, the                  j l                     location of the various I&C cabinets, the location of power source interfaces and assumptions made on cable                   l l                     characteristics and routing. Also, please list important design features, and/or operational requirements, that l-                    prevent fire-induced hot shorts from causing spurious actuations.
+: below, i
-Response:                                                                                                                     ;
+i The AP600 design is not susceptible to single hot short actuations of lines of ADS stages I through 3. Each j
-The AP600 internal fire analysis considers the effects of fire-related damage to safety equipment and associated              !
+such line has two normally-closed valves in series, and separate actuations are required for each valve in stages 1
-     ,                instrumentation, control, and power cabling. Both open shorts an'd hot shorts in I&C and power circuits are           ,       ,
+(
-considered. With respect to hot shorts, the internal fire analysis explicitly considers hot short-induced actuation
+through 3. The cabinets providing the actuation signal will have temperature monitoring and protection, in
-* l
+. addition to software for detection of anomalous signals, to eliminate any significant probability of a single common fire-induced fault resulting in generation of a stage 1 ADS actuation signal.
-         ,            of ADS valves, resulting in loss of coolant, for both at-power and shutdown conditions. Other potential hot short             )
+j Therefore, the fire analysis assumed that opening of ADS stages I through 3 requires multiple hot shorts for each
-equipment actuations result in either less' adverse events or in favorable conditions, such as have been                  -
+' ADS line. It has been assumed that these could occur in either the PMS or DAS actuation circuits. However, opening of the stages I through 3 valves was not explicitly considered in the fire analysis, because: ADS stage 4 actuations were modeled as resulting from,sjngh hot shorts (see below); opening of a single stage 4 valve n
-documented elsewhere (Ref. 720.337-1). Potential fire-induced hot-short actuation of the automatic                             l l
+produces a plant transient equivalent to a medium LOCA; and the focused PRA conditional core damage probability (CCDP) for medium LOCA is significantly higher than the CCDP for smaller LOCAs, such as would result from multiple hot-short-induced opening of both stage 1,2, or 3 ADS valves in a given line. Multiple hot-short-induced ADS valve openings were modeled as large LOCAs.
-depressurization system (ADS) is the only fire-induced fault with potential to adversely affect the ability of the plant to achieve safe shutdown, and is treated in a limiting manner in the internal fire analysis, as described below,
+Each of the four lines of ADS stage 4 has one normally open MOV and one squib valve, with each squib valve receiving actuation signals from two divisions, either of which can actuate the valve. Therefore, a single hot short somewhere between a final output cabinet and a squib valve could be postulated to result in valve actuation. Each output cabinet is pr~ected as described above, such that a common single spurious signal to actuate both stage 4 valves powerra Sy any particular division is unlikely. In addition, the actuation of each ADS stage 4 valve has two series control circuits in each division. This further reduces the chance that a fire in a cabinet could cause a spunous actuation.
-                                                                                                                                              ,     )
+t l
-l i
-i The AP600 design is not susceptible to single hot short actuations of lines of ADS stages I through 3. Each                   j
-;                     such line has two normally-closed valves in series, and separate actuations are required for each valve in stages 1           ;
-(                     through 3. The cabinets providing the actuation signal will have temperature monitoring and protection, in
-                     . addition to software for detection of anomalous signals, to eliminate any significant probability of a single                ,
-common fire-induced fault resulting in generation of a stage 1 ADS actuation signal.                                          j l
-Therefore, the fire analysis assumed that opening of ADS stages I through 3 requires multiple hot shorts for each             l
-                     ' ADS line. It has been assumed that these could occur in either the PMS or DAS actuation circuits. However, l
-opening of the stages I through 3 valves was not explicitly considered in the fire analysis, because: ADS stage 4 actuations were modeled as resulting from ,sjnghn         hot shorts (see below); opening of a single stage 4 valve produces a plant transient equivalent to a medium LOCA; and the focused PRA conditional core damage probability (CCDP) for medium LOCA is significantly higher than the CCDP for smaller LOCAs, such as would result from multiple hot-short-induced opening of both stage 1,2, or 3 ADS valves in a given line. Multiple hot-short-induced ADS valve openings were modeled as large LOCAs.
-'-                    Each of the four lines of ADS stage 4 has one normally open MOV and one squib valve, with each squib valve receiving actuation signals from two divisions, either of which can actuate the valve. Therefore, a single hot short somewhere between a final output cabinet and a squib valve could be postulated to result in valve actuation. Each output cabinet is pr~ected as described above, such that a common single spurious signal to actuate both stage 4 valves powerra Sy any particular division is unlikely. In addition, the actuation of each ADS stage 4 valve has two series control circuits in each division. This further reduces the chance that a fire in a cabinet could cause a spunous actuation.
-t                                                                                                                                                    l l
 l l
-l 5
-l*.                 ~
+l*.
-t DRAFT It was assumed that there would be a " hot" power source of sufficient capacity to actuate the ADS valves. Squib
+t
-!                         .val ve actuati on requi res reli at ve yl high current, i.e., greater than expected to be available from most hot short          i
+~
-!                        - sources, so that, depending on the power and control circuitry used, it might not be possible to achieve a hot
+DRAFT It was assumed that there would be a " hot" power source of sufficient capacity to actuate the ADS valves. Squib
-(                           short that would result in valve actuation. The possibility of hot shorts might also be negated by the type of cabling used. However, since these design details of the ADS actuation cabling are not final, it was assumed that hot short ADS stage 4 valve actuation could occur.                                                                       ,
+.va ve actuat on requ res re at ve yl high current, i.e., greater than expected to be available from most hot short i
-The fire analysis assumed that there could be a single hot short in either the PMS or the DAS actuation circuits that could result in opening of a sjngle line of ADS stage 4 (i.e., a medium LOCA), and also that there could be              r j-                          multiple hot shorts that could result in opening of more than one line of ADS stage 4 (i.e., a large LOCA).                   ;
+l i
+i li
+- sources, so that, depending on the power and control circuitry used, it might not be possible to achieve a hot
+(
+short that would result in valve actuation. The possibility of hot shorts might also be negated by the type of cabling used. However, since these design details of the ADS actuation cabling are not final, it was assumed that hot short ADS stage 4 valve actuation could occur.
+The fire analysis assumed that there could be a single hot short in either the PMS or the DAS actuation circuits that could result in opening of a sjngle line of ADS stage 4 (i.e., a medium LOCA), and also that there could be r
+j-multiple hot shorts that could result in opening of more than one line of ADS stage 4 (i.e., a large LOCA).
 l
 ==Reference:==
+.337-1 WCAP-14477, "The AP600 Adverse System Interactions Evaluation Report."
-.337-1       WCAP-14477, "The AP600 Adverse System Interactions Evaluation Report."
 4
-4                                                                                                 8 f
+4
-6                                                         t a
+f
+6
+t a
 t 0
 h
 4
-4        0 l
+4
+l
 l F
 i
-?                                                                                                         -
+?
-l I           .
+I i
-i
+l DRAFT Question:
-* l
+.338 Successful injection of core makeup tanks (CMTs) requires trip of all reactor coolant pumps (RCPs). Please address in your analysis the impact of an inadvertent RCP start (after initial trip) and whether this can occur in the same scenario with other fire-induced failures of safety equipment, such as spurious actuation of ADS valves, l
-                                              .                            DRAFT Question:        720.338 Successful injection of core makeup tanks (CMTs) requires trip of all reactor coolant pumps (RCPs). Please address in your analysis the impact of an inadvertent RCP start (after initial trip) and whether this can occur in the same scenario with other fire-induced failures of safety equipment, such as spurious actuation of ADS valves, l
+and/or with fire-induced control room indications.
-l and/or with fire-induced control room indications.                                                                     '
 ===Response===
 l The internal fire analysis models a fire in any fire area as resulting in failure of all equipment in that area. Thus, a fire in an area containing CMT valves or actuation circuitry was assumed to cause failure of the associated CMT train, so that potential RCP restart (or failure to trip) has no further adverse effect.
-Restaning of the RCPs would require a hot-short actuation of the RCP start logic. The control wiring used to            I control the RCPs runs from the Protection Logic Cabinets located in the I&C Equipment Rooms to the Class IE l                 Feeder Breakers which power the Motor Control Centers for the RCPs. Each RCP has two IE feeder breakers
+Restaning of the RCPs would require a hot-short actuation of the RCP start logic. The control wiring used to control the RCPs runs from the Protection Logic Cabinets located in the I&C Equipment Rooms to the Class IE l
-, ,               associated with it. One of the circuit breakers is controlled by PMS division B while the second breaker is
+Feeder Breakers which power the Motor Control Centers for the RCPs. Each RCP has two IE feeder breakers associated with it. One of the circuit breakers is controlled by PMS division B while the second breaker is controlled by PMS division C. Therefore, restart of an RCP would require a hot short on each of two PMS divisions for which, in general, the wiring is routed through separate fire zones.
-            ,     controlled by PMS division C. Therefore, restart of an RCP would require a hot short on each of two PMS                 l divisions for which, in general, the wiring is routed through separate fire zones.
 The RCP trip signal, once generated, is " sealed in" such that subsequent loss of either the CMT actuation or the RCP trip signal source does not result in restarting of the RCPs. Restan of the RCP through the manual actuation circuits requires that the " scal-in" in each of the two divisions be cleared. Since the " seal-in" is done on a divisional basis, there is no single point in which the " scal-in" for ea'ch of the two divisions can be cleared.
 In addition, restart of the pumps requires that the soft control template be requested by the operators, that the control action be selected, and that the control action then be confirmed. There is no significant possibility that a fire can cause these specific actions to occur.
-The PRA analyses assume that successful injection of core makeup tanks (CMTs) requires trip of all reactor coolant pumps (RCPs) except for events which cause a rapid depressurization of the RCS, such as medium and large LOCAs. For such breaks, tripping of the RCPs is not necessary for CMT injection. Since the fire analysis results are dominated by medium and large LOCA scenarios, spurious / inadvertent RCP restart, if this were possible, would not have a significant effect on the core damage frequency results.                    *
+The PRA analyses assume that successful injection of core makeup tanks (CMTs) requires trip of all reactor coolant pumps (RCPs) except for events which cause a rapid depressurization of the RCS, such as medium and large LOCAs. For such breaks, tripping of the RCPs is not necessary for CMT injection. Since the fire analysis results are dominated by medium and large LOCA scenarios, spurious / inadvertent RCP restart, if this were possible, would not have a significant effect on the core damage frequency results.
-    ~
+Any potential impact of liCP restart (i.e., an assumed inability for CMT injection) would be for slower events,
-Any potential impact of liCP restart (i.e., an assumed inability for CMT injection) would be for slower events,         l such as small.LOCAs and transients with loss of decay heat removal. No fire-initiated small LOCA scenarios             1 were identified in the internal fire analysis (spurious ADS valve actuations result in either medium or large LOCA as a result of the valve sizes), but it ha been assumed that transients could result. In the focused PRA, for RCP trip to be of concern in transient scenasios, it is necessary that failure of passive residual heat removal (PRHR) first occur, resulting in a need for depressurization and CMT injection. (In the PRA, it would also first        l' be necessary that main and startup feedwater also fail.) Logic train separation would preclude defeating PRHR actuation via a single fire for all but the final actuation cabling. Fire-induced failure of PRHR as a result of a       i fire affecting the final actuation cabling would require a hot short to prevent actuation, since this system actuates on loss of support or control. Subsequent inadvertent RCP restart would require additional fire-induced hot              l shorts to reclose the RCP breakers (see discussion above). In addition, for transients that progress relatively          l slowly, there would likely be sufficient time for operator response to recognize the inadvertent RCP restart and         !
+~
-manually stop the pumps. This scenario is judged to be sufficiently unlikely that it need not be explicitly l                 considered in the quantification. It would not contribute significantly to the fire core damage frequency results.
+such as small.LOCAs and transients with loss of decay heat removal. No fire-initiated small LOCA scenarios 1
-i For these reasons, the contribution to core damage due to fire-induced RCP restart is judged to be sufficiently
+were identified in the internal fire analysis (spurious ADS valve actuations result in either medium or large LOCA as a result of the valve sizes), but it ha been assumed that transients could result. In the focused PRA, for RCP trip to be of concern in transient scenasios, it is necessary that failure of passive residual heat removal (PRHR) first occur, resulting in a need for depressurization and CMT injection. (In the PRA, it would also first be necessary that main and startup feedwater also fail.) Logic train separation would preclude defeating PRHR actuation via a single fire for all but the final actuation cabling. Fire-induced failure of PRHR as a result of a fire affecting the final actuation cabling would require a hot short to prevent actuation, since this system actuates on loss of support or control. Subsequent inadvertent RCP restart would require additional fire-induced hot shorts to reclose the RCP breakers (see discussion above). In addition, for transients that progress relatively slowly, there would likely be sufficient time for operator response to recognize the inadvertent RCP restart and manually stop the pumps. This scenario is judged to be sufficiently unlikely that it need not be explicitly l
-!                 small that explicit modeling is not necessary.
+considered in the quantification. It would not contribute significantly to the fire core damage frequency results.
+i For these reasons, the contribution to core damage due to fire-induced RCP restart is judged to be sufficiently small that explicit modeling is not necessary.
 l 7
-DRAFT Questioq:       720.339 Fire-induced failure of containment isolation valves was not treated in the analysis. It was assumed that such failure has no effect on core damage frequency (see item h, page 57-15) because "the PRA core damage success criteria are specified assuming failure of containment isolation." However, based on information presented in Appendix A of the AP600 PRA, it does not appear that containment isolation failure was assumed in determining success criteria for sump recirculation. Furthermore, the frequency of a core damage scenario with containment isolation failure should be investigated to determine its contribution to offsite consequences. Please explain.
+DRAFT Questioq:
-    ,               Response:
+.339 Fire-induced failure of containment isolation valves was not treated in the analysis. It was assumed that such failure has no effect on core damage frequency (see item h, page 57-15) because "the PRA core damage success criteria are specified assuming failure of containment isolation." However, based on information presented in Appendix A of the AP600 PRA, it does not appear that containment isolation failure was assumed in determining success criteria for sump recirculation. Furthermore, the frequency of a core damage scenario with containment isolation failure should be investigated to determine its contribution to offsite consequences. Please explain.
+===Response===
 The AP600 PRA success criteria for sump recirculation do not specify a requirement for containment isolation.
-There'is a set of large LOCA break sizes identified for which containment isolation is required in order to . void the need for ADS actuation in order to achieve IRWST injection. However, the large LOCA of concern for the internal fire analysis is fire-induced opening of the ADS valves. The success criteria for the internal fire analysis are the same as for the rest of the PRA regarding status of containment isolation.
+There'is a set of large LOCA break sizes identified for which containment isolation is required in order to. void the need for ADS actuation in order to achieve IRWST injection. However, the large LOCA of concern for the internal fire analysis is fire-induced opening of the ADS valves. The success criteria for the internal fire analysis are the same as for the rest of the PRA regarding status of containment isolation.
-More importantly, the AP600 is designed suct. that redundant safe shutdown components (i.e., redundant containment isolation valves in a given line) are located in separate fire areas or zones and served by different electrical divisions. 'Ihus, the possibility of a fire that would cause failure of both isolation components in lines penetrating containment is judged to be sufficiently small that there would be no significant contribution to plant risk.                            .
+More importantly, the AP600 is designed suct. that redundant safe shutdown components (i.e., redundant containment isolation valves in a given line) are located in separate fire areas or zones and served by different electrical divisions. 'Ihus, the possibility of a fire that would cause failure of both isolation components in lines penetrating containment is judged to be sufficiently small that there would be no significant contribution to plant risk.
 h
 i
@@ Line 366: / Line 385: @@
 i
-      . .           .-              . .. .         ..      ..              . - - ~ ~ -         - - - -                         =    . . - - . - . . - - - -
+~ ~ -
-l                                                -
+=
-                                                         .                             DRAFT 3
+l DRAFT 3
-i Question:         720.340 4
+i Question:
+.340 4
 The barrier failure probabilities used in the analysis (see Table 57-3) assume certain inspection program for the barriers, which includes a sampling scheme and timing. Please include this information in Chapter 57 (internal fires) of the AP600 PRA.
 ===Response===
-The failure probabilities for fire barriers and fire barrier penetration seals, including electrical and mechanical seals, fire doors, and fire dampers are dependent on installation and maintenance practices followed for such equipment. The barrier failure probabilities used in the analysis are based on industry data that reflect current standard industry practices and requirements for such installation and maintenance. It has been assumed in the l                            analysis that the AP600 will be subject to requirements and practices similar in effectiveness to those used in existing plants.
+The failure probabilities for fire barriers and fire barrier penetration seals, including electrical and mechanical seals, fire doors, and fire dampers are dependent on installation and maintenance practices followed for such equipment. The barrier failure probabilities used in the analysis are based on industry data that reflect current standard industry practices and requirements for such installation and maintenance. It has been assumed in the l
-e
+analysis that the AP600 will be subject to requirements and practices similar in effectiveness to those used in existing plants.
 }
+e 4
+e
+)
+e 1
-* 9 e
+\\
-e
-                                                                                                                                                              )
-4                                                                                                                                                             ,
-      ,*                                                                                                                                                      \
-   **                                                                                                                                                         l 1
 l e
 i
-l
+i 9
-* I i
-.                                                                                          9
-                                         -                                   DRAFT l
+DRAFT l
-Question:       720.341 The first paragraph of Section 57.2 implies that probabilistic criteria allow screening of compartments with high fuel loading which do not contain PRA-credited equipment. regardless of propagation potential. However. the analysis does consider rooms where the only concern appears to be fire spread (e.g., the tube oil room in the turbine building). Is the statement in Section 57.2 correct? Please explain.
+Question:
+.341 The first paragraph of Section 57.2 implies that probabilistic criteria allow screening of compartments with high fuel loading which do not contain PRA-credited equipment. regardless of propagation potential. However. the analysis does consider rooms where the only concern appears to be fire spread (e.g., the tube oil room in the turbine building). Is the statement in Section 57.2 correct? Please explain.
 ===Response===
@@ Line 396: / Line 414: @@
 e 0
 e i
-l e
+e l
-l j
+j I
-l l
+i l
-l l
-l I
-i i
-l 10
-                                                      ,                          DRAFT 9
+DRAFT 9
-Question:        720.342 The basis for defining the fire scenarios in Table 57-4 is not always clear, given the groundrules established in qualitative analysis Step 10. For example, what is the basis for distinguishing between scenarios I and 2 for Fire Area 1200 AF 017 Both do not seem to involve spurious signals. Does one involve propagation out of the area? Scenarios involving propagation out of the fire area should indicate explicitly which adjacent fire area is being treated (especially since the second bullet on page 57-4 states that simultaneous propagation to multiple areas is not treated). Please explain.
+Question:
+.342 The basis for defining the fire scenarios in Table 57-4 is not always clear, given the groundrules established in qualitative analysis Step 10. For example, what is the basis for distinguishing between scenarios I and 2 for Fire Area 1200 AF 017 Both do not seem to involve spurious signals. Does one involve propagation out of the area? Scenarios involving propagation out of the fire area should indicate explicitly which adjacent fire area is being treated (especially since the second bullet on page 57-4 states that simultaneous propagation to multiple areas is not treated). Please explain.
 ===Response===
-In general, in the AP600 internal fire analysis, four scenarios were considered for each fire area: two dealing
+In general, in the AP600 internal fire analysis, four scenarios were considered for each fire area: two dealing with the consequences of fires which would be confined in the area, and two considering the consequences of fires propagating outside the area (if propagation had been found to be credible). In each set of propagating and non propagating scenarios, in turn, the potential consequences of different cable failure modes (open and short) were evaluated. In summary, for each fire area the following scenarios were considered:
-        -.               with the consequences of fires which would be confined in the area, and two considering the consequences of fires propagating outside the area (if propagation had been found to be credible). In each set of propagating and non propagating scenarios, in turn, the potential consequences of different cable failure modes (open and short) were evaluated. In summary, for each fire area the following scenarios were considered:
+o Scenario 1 - Fire is confined in the area and disables all the equipment located in the area (i.e. only open circuit failure modes were considered).
-o         Scenario 1 - Fire is confined in the area and disables all the equipment located in the area (i.e. only open circuit failure modes were considered).
+o Scenario 2 - Fire is confined in the area, disables all the equipment in the area and causes safety significant hot short events.
-* o         Scenario 2 - Fire is confined in the area, disables all the equipment in the area and causes safety significant hot short events.
+o Scenario 3 - Fire propagates outside the area (if pr6pagation was found to be credible) and disables all the equipment in the exposing and the exposed fire areas.
-o         Scenario 3 - Fire propagates outside the area (if pr6pagation was found to be credible) and disables all the equipment in the exposing and the exposed fire areas.
+o Scenario 4 - Fire propagates outside the area, disables all the equipment in the exposing and the exposed fire areas, and causes safety significant hot short events.
-o         Scenario 4 - Fire propagates outside the area, disables all the equipment in the exposing and the exposed fire areas, and causes safety significant hot short events.
+Based on the equipment located in each area and the fire propagation potential, one or more of the above scenarios were dismissed from further considerations. For example, for fire area 1200 AF 01, only the first, third, and fourth above listed scenarios were considered to merit fu-ther analysis. That is, based on the equipment and cabling located in the area, a fire-induced hot short in the area was not considered to be safety significant. Additionally, fire propagation was considered to all fire areas with interconnecting pathway to the 4
-Based on the equipment located in each area and the fire propagation potential, one or more of the above
+. AF 01 fire area. However, only the consequences of fires propagating to an area with the potential to cause the niost severe damage were found to merit further consideration. These consequences are represented by fire damage stmes I AB2 and 1 AB3.
-  -                      scenarios were dismissed from further considerations. For example, for fire area 1200 AF 01, only the first, third, and fourth above listed scenarios were considered to merit fu-ther analysis. That is, based on the equipment and cabling located in the area, a fire-induced hot short in the area was not considered to be safety 4
+O J
-significant. Additionally, fire propagation was considered to all fire areas with interconnecting pathway to the 1200. AF 01 fire area. However, only the consequences of fires propagating to an area with the potential to cause the niost severe damage were found to merit further consideration. These consequences are represented by fire damage stmes I AB2 and 1 AB3.
+I l
-l
+1
-  ,       O J
-I l                                                                                    11 1
-DRAFT Question:       720.343 Note 2 in Table 57-8 indicates that some components modeled in the focused PRA are failed for some initiators.
+DRAFT Question:
+.343 Note 2 in Table 57-8 indicates that some components modeled in the focused PRA are failed for some initiators.
 Does this refer to the damage listed in the 4th column of the table, or are there additional component losses not explicitly identified? Please explain.
 ===Response===
-Note 2 in Table 57-8 was intended to be an explanation of the notation "(degraded)" that is used in column 3 of that table. The " degraded" notation was added as an indicator for the analysts that the focused PRA models listed (which already ine jude no credit for nonsafety-related equipment) were to be further modified to remove   !
+Note 2 in Table 57-8 was intended to be an explanation of the notation "(degraded)" that is used in column 3 of that table. The " degraded" notation was added as an indicator for the analysts that the focused PRA models listed (which already ine jude no credit for nonsafety-related equipment) were to be further modified to remove credit for safety-related equipment listed in column 4 of the table. There may be several entries in column 3 for which the degraded label is missing, but the appropriate equipment losses appear in column 4 and were included in the modeling.
-credit for safety-related equipment listed in column 4 of the table. There may be several entries in column 3 for which the degraded label is missing, but the appropriate equipment losses appear in column 4 and were included    ;
+There are no additional component losses not listed in column 4 for scenarios involving safety-related equipment.
-in the modeling.
-l There are no additional component losses not listed in column 4 for scenarios involving safety-related equipment.
 However, for some of the scenarios resulting in transients, there is no entry in column 4, since these were all modeled using the focused PRA models, which take no nonsafety-related equipment credit.
-i I
 O 1
-e 1
+e 12
-    --                                                                                                                               l 12
-DRAFT Question:       720.344 Does the Remote Shutdown Workstation (RSW) panel have identical controls and displays of plant status information needed during accidents as the Main Control Room (MCR) panels? If the answer is no, please list the major differences and explain how they affect safety system redundancy and reliability, including operator actions.
+DRAFT Question:
+.344 Does the Remote Shutdown Workstation (RSW) panel have identical controls and displays of plant status information needed during accidents as the Main Control Room (MCR) panels? If the answer is no, please list the major differences and explain how they affect safety system redundancy and reliability, including operator actions.
 ===Response===
@@ Line 442: / Line 454: @@
 9
 h
-l 1
+13
-l                                            .                           DRAFT l
+l DRAFT l
 l i
-Question:       720.345 Could a fire in the Main Control Room (MCR) affect the transferring of control to the Remote Shutdown Workstation (RSW) panel? Could control be inadvertently transferred back to the MCR? If the answer to these questions is no, please explain by referring to design features and characteristics (e.g., fiber optic switches and location of power sources to the light transmitters and receivers) and to emergency operating procedares and criteria for transferring control to the RSW. If the answer to any of the above two questions is yes, [' ease model the failure to transfer control in the PRA.
+Question:
-l-                Response:
+.345 Could a fire in the Main Control Room (MCR) affect the transferring of control to the Remote Shutdown Workstation (RSW) panel? Could control be inadvertently transferred back to the MCR? If the answer to these questions is no, please explain by referring to design features and characteristics (e.g., fiber optic switches and location of power sources to the light transmitters and receivers) and to emergency operating procedares and criteria for transferring control to the RSW. If the answer to any of the above two questions is yes, [' ease model the failure to transfer control in the PRA.
+l-
+===Response===
 A fire in the Main Control Room does not affect the transfer of control to the Remote Shutdown Workstation.
-The RSW transfer switch set (multiple transfer switches, one per safety-related division) is located in a fire area outside the MCR. The MCR/RSW transfer will utilize separate multiplexers for control inputs which originate in the MCR and RSW. The.multiplexers will be enabled and disabled by the control transfer switches. There will be separate multiplexer sets associated with each of the four PMS divisions so that a single failure can not result in the transfer (or return) of more than one division.                -
+The RSW transfer switch set (multiple transfer switches, one per safety-related division) is located in a fire area outside the MCR. The MCR/RSW transfer will utilize separate multiplexers for control inputs which originate in the MCR and RSW. The.multiplexers will be enabled and disabled by the control transfer switches. There will be separate multiplexer sets associated with each of the four PMS divisions so that a single failure can not result in the transfer (or return) of more than one division.
 Transfer is a manual operation initiated by the operators in the MCR, who would follow MCR evacuation procedures. Procedures will establish the decision-making authority and responsibility for MCR evacuation, specify the ex-control room responsibilities for the various on-shift operations personnel, and note the location (s) of equipment, controls, and instrumentation require,d for safe shutdown.
-Inadvertent transfer of control from the RSW back to the MCR would not occur as a result of the fire in the MCR. It is possible to transfer control from the RSW back to the MCR by de-energizing the RSW multiplexer cabinets in the instrumentation and control rooms. This allows the operators to restore control to the MCR in the event that a fire damages the transfer set, resulting in inadvertent transfero ' f control to the RSW. However, the I&C rooms are in fire areas separate from both the MCR and RSW. Therefore, neither fire-induced nor random-failure-induced de-energization of the multiplexer cabinets would result in significant fire core damage frequency scenarios. Inadvertent manual repositioning of the RSW transfer switch set without rapid recognition and recovery is judged to be sufficiently unlikely that it need not be explicitly considered.
+Inadvertent transfer of control from the RSW back to the MCR would not occur as a result of the fire in the MCR. It is possible to transfer control from the RSW back to the MCR by de-energizing the RSW multiplexer cabinets in the instrumentation and control rooms. This allows the operators to restore control to the MCR in the event that a fire damages the transfer set, resulting in inadvertent transfer ' f control to the RSW. However, the o
+I&C rooms are in fire areas separate from both the MCR and RSW. Therefore, neither fire-induced nor random-failure-induced de-energization of the multiplexer cabinets would result in significant fire core damage frequency scenarios. Inadvertent manual repositioning of the RSW transfer switch set without rapid recognition and recovery is judged to be sufficiently unlikely that it need not be explicitly considered.
 Note that the effects of potential failure to transfer control to the RSW (or loss of control from the RSW) can be seen in existing scenarios evaluated in the AP600 internal fire analysis. As an alternative to attempting to quantify a human error probability for an ex-control room action for which timing, stress, physical layouts, and other relevant factors are uncertain, MCR fire scenarios CR2A, CR3, and CR4A were all quantified assuming no credit for operator actions. This is equivalent to assuming a failure probability of unity for the action to transfer control from the MCR to the RSW. Similarly, RSW area 1232 AF 01 scenarios were also quantified assuming no credit for operator actions. This is equivalent to assuming unity failure probability for operator action to restore control to the MCR (further assuming that MCR control had been lost due to multiple fire-induced faults causing transfer of control away from the MCR). The results are presented in Table 57-15 of the Internal Fire Analysis.
 l 14
-__ . -.-             ..         .. _ _ _.._. _              _._ . . _ ~ _ _ _                 .             - - - . _ - _ . -   - . - . - - - - -. .
+_._.. _ ~ _ _ _
-                                                             ,                              DRAFT                                                                    !
+DRAFT Question:
-Question:       72"0.346 The Main Control Room (MCR) evacuation scenario related to fire in the overhead mimic panel (scenario CRS) l                              appears to be relevant for all control room panels, not just the overhead mimic panel, if all panels are included, 4
+"0.346 The Main Control Room (MCR) evacuation scenario related to fire in the overhead mimic panel (scenario CRS) l appears to be relevant for all control room panels, not just the overhead mimic panel, if all panels are included, the contribution from CR5-like scenarios should be around a factor of 30 higher Please explain why fires in 4
-the contribution from CR5-like scenarios should be around a factor of 30 higher Please explain why fires in                           ,
 other control room panels are not postulated to lead to MCR evacuation and plant shutdown via the Remote Shutdown Workstation.
-Response:                                                                                                                             '
-I The contribution of the other cabinets to the main control room evacuation scenario is already included in other scenarios postulated for the control room. For example, scenario 3 postulates that a fire in the Dedicated Control                    [
+===Response===
+I The contribution of the other cabinets to the main control room evacuation scenario is already included in other scenarios postulated for the control room. For example, scenario 3 postulates that a fire in the Dedicated Control
+[
 i'*
 panel grows beyond the incipient stage, causing the loss of all functions in this panel and evacuation of the control room due to effects of smoke or the operator interpretation of the evacuation procedures.
 O l
-S e                                                                        a e
+S e
+a e
 e 1
 i e
@@ Line 475: / Line 492: @@
 DRAFT 4
-Question:         720.347 The frequency of fires in the AP600 Main Control Room (MCR) was assumed to be a factor of 10 smaller than the frequency of fires in a conventional control room. This was based on the observation that most of the cables in the AP600 MCR are low voltage as compared with conver.tional control room cables.- Although it appears             ,
+Question:
-                             reasonable to postulate some reduction in fire frequency as compared with conventional control rooms, is there any data to support the reduction factor used? It is mentioned (page 57-26) that Westinghouse cable heatup I
+.347 The frequency of fires in the AP600 Main Control Room (MCR) was assumed to be a factor of 10 smaller than the frequency of fires in a conventional control room. This was based on the observation that most of the cables in the AP600 MCR are low voltage as compared with conver.tional control room cables.- Although it appears 4
-calculations have shown that ignition is very improbable because low-voltage cables do not produce enough energy to heat up the cables. Do, the above mentioned Westinghouse calculations, account for insulation aging or the presence of dust? How many of the 12 MCR fires in the NSAC/178L database were initiated by electrical faults leading to ignition of tiie insulation? Please provide a breakdown of causes. Also, for each event, please provide: an event description, the basis for determining that the fire was not severe and the suppression time.
+reasonable to postulate some reduction in fire frequency as compared with conventional control rooms, is there any data to support the reduction factor used? It is mentioned (page 57-26) that Westinghouse cable heatup calculations have shown that ignition is very improbable because low-voltage cables do not produce enough I
-               .             ' Response:
+energy to heat up the cables. Do, the above mentioned Westinghouse calculations, account for insulation aging or the presence of dust? How many of the 12 MCR fires in the NSAC/178L database were initiated by electrical faults leading to ignition of tiie insulation? Please provide a breakdown of causes. Also, for each event, please provide: an event description, the basis for determining that the fire was not severe and the suppression time.
+' Response:
 The reduction factor used in the analysis is purely a judgmental factor based on talking with experts in the fire protection field and electrical engineers.
 Table 720347-1 presents a break down of control room fires. Column I presents the fire event number as assigned in the NSAC/178L database. The database lists 12 control room fires. One fire occurring outside the control room (9D/85) and one recurring fire were excluded from this table. It is noted that out of the eight electrical cabinet-induced fires with known cause,7 were fir.es starting due to an electrical fault (relay or circuit board failures). It is not known whether these fires actually ignited cable insulation or not but it is judged that for a fire in ad electrical cabinet inside a control room, cable insulation is the most likely source of the fuel.
 It should be noted that none of the database events report the use of hose stations. Fire suppression method for two are unknown, two fires self extinguished, and six were suppressed with portable extinguishers.
 I B
+4
-                                              .                                                                                                      l 1
+-g G
+l 16
-  -g       G 1
-l l
-                                .                                   DRAFT i
+DRAFT i
-l TABLE 720.347-1 ELECTRICAL CABINET INDUCED FIRES IN THE CONTROL ROOM Fire Event    Initiating     Detection       Suppression    Description            Comments
+l TABLE 720.347-1 ELECTRICAL CABINET INDUCED FIRES IN THE CONTROL ROOM Fire Event Initiating Detection Suppression Description Comments
-                      # (Date)    Component         Means        Time < 10 Min. Implies a severe fire 163          Circuit        Personnel       Yes             No             Some damage to
+# (Date)
-;                  (7/12/79)     Board                                                         components outside the i
+Component Means Time < 10 Min.
-     ,                                                                                         ignition source. However panel still in use after the fire. Thus, this is a potentially significant event.
+Implies a severe fire 163 Circuit Personnel Yes No Some damage to (7/12/79)
-         Cable           Personnel       Yes             No             Due to a wire that shorted (8/11/82)                                                                   when pinched in the door.
+Board components outside the i
+ignition source. However panel still in use after the fire. Thus, this is a potentially significant event.
+Cable Personnel Yes No Due to a wire that shorted (8/11/82) when pinched in the door.
 Quickly identified and distinguished.
-         Relay           Personnel       No              No             RPS relays remained (3/12/83) &                                  information                    operable after each fire.
+Relay Personnel No No RPS relays remained (3/12/83) &
-(3/30/83)                                                                                                     l 425 (6/3/84) Relay           No              Yes             No   ,         Only a few relays were information                                    affected.
+information operable after each fire.
-         Oven            No              Yes             No (3/29/85)    grease          information l
+(3/30/83) l 425 (6/3/84)
-         Circuit card    Personnel
+Relay No Yes No Only a few relays were information affected.
-                                                      '         Yes (assumed)   No             No suppression time is            l (7/14/85)                                                                   given but it is stated that it was suppressed quickly.
+Oven No Yes No (3/29/85) grease information l
-         No              No              No              No             -No desenption is (7/26/85)    information     information     information                    available
+Circuit card Personnel Yes (assumed)
-   ~
+No No suppression time is (7/14/85) given but it is stated that it was suppressed quickly.
-(9/4/86) Circuit ca'rd   Personnel /     Yes             No smoke detector 659          Relay           Personnel /     Yes             No             Only a few relays were (12/30/87)                   smoke                                          damaged.
+No No No No
-detector 756          Relay           Personnel       Yes             Maybe           Four relays plus wiring          l (10/14/88)                                                                   damaged. Potentially significant.
+-No desenption is (7/26/85) information information information available
+~
+(9/4/86)
+Circuit ca'rd Personnel /
+Yes No smoke detector 659 Relay Personnel /
+Yes No Only a few relays were (12/30/87) smoke damaged.
+detector 756 Relay Personnel Yes Maybe Four relays plus wiring (10/14/88) damaged. Potentially significant.
 l L
-v     ,
+v DRAFT
-: i. ,
+: i.,
-                                     -                                   DRAFT
+\\
-\                                            .
+I Question:
-I Question:        720.348 The analysis of scenarios CR4 and CR4A (which treat the spurious actuation of both divisions of the ADS Stage 1 valves due to a fire in the Dedicated Control Panel) and Scenario CR4B (which treats the spurious opening of the Stage 4 valves) does not explain the mechanisms of spurious actuation using PRA I&C models and SAR l                 I&C logic diagrams and does not state assumptions made. Furthermore, this analysis does not identify important features, and/or operational requirements, that are incorporated into the design .o prevent fire-induced hot shorts from causing spurious actuations which in turn could have a significant impact on plant safety. Please provide this information. In your response please include answers to the following questions:
+.348 The analysis of scenarios CR4 and CR4A (which treat the spurious actuation of both divisions of the ADS Stage 1 valves due to a fire in the Dedicated Control Panel) and Scenario CR4B (which treats the spurious opening of the Stage 4 valves) does not explain the mechanisms of spurious actuation using PRA I&C models and SAR l
+I&C logic diagrams and does not state assumptions made. Furthermore, this analysis does not identify important features, and/or operational requirements, that are incorporated into the design.o prevent fire-induced hot shorts from causing spurious actuations which in turn could have a significant impact on plant safety. Please provide this information. In your response please include answers to the following questions:
 Is Scenario CR4B properly labeled as a sensitivity case? Or should its results be added into the total CDF for the MCR?
-l
+l Can a fire that has grown past the incipient stage in the papel affect all ADS valves? If so, is there a technical basis for analyzing only a subset of fire effects?
-* Can a fire that has grown past the incipient stage in the papel affect all ADS valves? If so, is there a technical basis for analyzing only a subset of fire effects?
 The effective spurious actuation probability for all three MCR scenarios (CR4, CR4A and CR4B) is 0.01 On the other hand, for scenarios outside the MCR, a value of 0.06 is used for a single spurious actuation of an ADS Stage 4 valve (leading to an medium LOCA) and a value of 0.0036 is used for the spurious actuation of both ADS Stage 4 valves (leading to a large LOCA). Is there a difference between the MCR and e*x-MCR scenarios necessitating the different approaches to quantify the likelihood of spurious actuations?
 ===Response===
 In the final results, scenario CR4B is not treated as a sensitivity case. With reference to Table 57-15 of _the submittal, the contribution of CR4B is added to the total core damage frequency for the main control room.
-A discussion of spurious ADS actuation mechanisms and analysis assumptions is provided in the response to RAI 720.337,
+A discussion of spurious ADS actuation mechanisms and analysis assumptions is provided in the response to RAI 720.337, It may be possible that a fire in a single MCR panel could affect all ADS valve stages in a given safety-related division. However, consistent with the modeling in the internal events PRA, the effects of plant response to vari 6us numbers of ADS valves opening correspond to different sizes of LOCA. A' discussion.of which LOCA models were used for different cases of ADS opening is provided in the response to RAI 720.337.
-* It may be possible that a fire in a single MCR panel could affect all ADS valve stages in a given safety-related division. However, consistent with the modeling in the internal events PRA, the effects of plant response to
-  ,              vari 6us numbers of ADS valves opening correspond to different sizes of LOCA. A' discussion.of which LOCA models were used for different cases of ADS opening is provided in the response to RAI 720.337.
 The difference in the likelihood of fire-induced spurious actuation of ADS valves between fires impacting the MCR and those impacting ex MCR areas is as follows:
 Difference in Cable Function. In the control room there are no ADS-related power cables whereas outside the control room there are. It was assumed in the analysis that only one hot short in power-related cabling (external or internal) would be required to cause spurious actuation of an ADS valve. However, two hot shorts in control-related cabling are needed to cause a hot short since an ADS valve requires the appropriate 2 out of 4 logic signals in the correct sequence to open. These conclusions were made based on a review of the Functional Diagrams for the automatic RCS Depressurization valve sequencing (SSAR Figure 7.2-1, sheet 15) and discussion with design engineers.
@@ Line 529: / Line 550: @@
-           . _ , ___._..__.                         _._..___   _.m.         .. _ . _ _ _ .. _ . _ _ . _ -.. _ _ _. _ _ __. . _ . ..
+_.m.
-            .       &a      '
+&a DRAFT
-l
+)
-          *
+Question:
-* I DRAFT                                                         '
+.349 5
-                                                                                                                                                              )
+l-The analysis assumes that MCR fires will not affect multiple cabinets, at least until control is transferred to the l
-Question:        720.349 5
+remote shutdown workstation. What design features are provided to ensure that fires do not propagate from one cabinet / panel to another?
-l-                               The analysis assumes that MCR fires will not affect multiple cabinets, at least until control is transferred to the l                                remote shutdown workstation. What design features are provided to ensure that fires do not propagate from one                ;
-:                                cabinet / panel to another?
 ===Response===
-                                - In the AF600 internal fire analysis, it was generally assumed that cabinet fires in the control room will not l                                spread from the confines of the cabinet in which they originate if the cabinet has solid metal or fire resistant boundaries. This supposition is supported by the results of the Sandia cabinet fire tests, in which all test fires          ;
+- In the AF600 internal fire analysis, it was generally assumed that cabinet fires in the control room will not spread from the confines of the cabinet in which they originate if the cabinet has solid metal or fire resistant l
-!                                were self-extinguished, and by the reports of control room fires in the data base. The Sandia tests indicate that           i fire spread to an adjacent cabinet was prevented if the cabinets were separated by a double wall.
+boundaries. This supposition is supported by the results of the Sandia cabinet fire tests, in which all test fires were self-extinguished, and by the reports of control room fires in the data base. The Sandia tests indicate that i
+fire spread to an adjacent cabinet was prevented if the cabinets were separated by a double wall.
 i' i
-e                                                                                                                                                      i O
+e i
-e
+O 4
-i I
+i e
-r                                                                                            .                    .
+I r
 i t
 I r
 i e
-9                                    h                       I
+9
-:                                                                                                                                                           l l
+h I
-I                                                                                                                                                             l l
+l I
-    .                                                                                                                                                         I i
+l i
 I 1
-                               .     .    .                     --                -      -    -      . ~ . -      . . . - - - . - . - - - ~ . . .
+. ~. -
-: 1.         v
+... - - -. -. - - - ~...
-                                                     .                            DRAFT l                      Question:        720.350 lt is not clear which model was used to estimate the non-suppression probability. The analysis text refers to j                      EPRI's HCR model, but the reference supplied is for ASEP (see p. 57-33, Ref. 57-6).                                            l l
+.
-a)    Please explain how the non-suppression probability of 0.0034.(used in the analysis) was obtained.             ,
+v DRAFT l
-l                                 b)    Aside from questions of its applicability to the analysis of fire suppression activities, the ASEP            -
+Question:
-l                                       model deals with diagnosis (and non-response), as does EPRI's HCR model. Some time is l                                       required to actually extinguish the fire. Analysis of suppression time data indicates a mean suppression time of about 8 minutes. Does the AP600 analysis address the time required to extinguish the fire? Please explain.
+.350 lt is not clear which model was used to estimate the non-suppression probability. The analysis text refers to j
-;                                 c)    Westinghouse's interpretation of the Sandia cabinet fire tests appears to differ from Sandia's                i j'                                      interpretation. In questions to the utility regarding the South Texas fire risk assessment, the j '.                                    Sandia team stated that "Sandia sponsored large scale enclosure tests have shown that cabinet fires i
+EPRI's HCR model, but the reference supplied is for ASEP (see p. 57-33, Ref. 57-6).
-generate such intense smoke that within 6-8 minutes control of the plant from the control room
+l l
-    ,                                   would be virtually impossible. These tests were conducted with control room ventilation rates of
+a)
-!                                       up to t.en room changes per hour." Please explain the basis for selecting a 15 minute time window i,                                      (before control room evacuation is required).
+Please explain how the non-suppression probability of 0.0034.(used in the analysis) was obtained.
-!                                 d)    Are there procedures dealing with control room evacuation? If so, what are the criteria used for l                                       determining when evacua' tion should/must take place?                                                         ,
+l b)
+Aside from questions of its applicability to the analysis of fire suppression activities, the ASEP l
+model deals with diagnosis (and non-response), as does EPRI's HCR model. Some time is l
+required to actually extinguish the fire. Analysis of suppression time data indicates a mean suppression time of about 8 minutes. Does the AP600 analysis address the time required to extinguish the fire? Please explain.
+c)
+Westinghouse's interpretation of the Sandia cabinet fire tests appears to differ from Sandia's i
+j' interpretation. In questions to the utility regarding the South Texas fire risk assessment, the j '.
+Sandia team stated that "Sandia sponsored large scale enclosure tests have shown that cabinet fires i
+generate such intense smoke that within 6-8 minutes control of the plant from the control room would be virtually impossible. These tests were conducted with control room ventilation rates of up to t.en room changes per hour." Please explain the basis for selecting a 15 minute time window i,
+(before control room evacuation is required).
+d)
+Are there procedures dealing with control room evacuation? If so, what are the criteria used for l
+determining when evacua' tion should/must take place?
 ===Response===
-I                      a.         The general philosophy for evaluation of AP600 control room fires follows the approach suggested in NSAC-181L. Per page 2-11 of NSAC-181L,15 minutes is available before obscuration of the main control panel (leading to the control room evacuation). Also per page 2-11 of the NSAC-181L, the
+I a.
-                     .            probability of non-suppression of a control room fire as a function of time was obtained from control room fire durations in the EPRI fire events database. Per page 3-23 of the NSAC report, the probability of non-suppression fo'r a fifteen minbte time window is estimated as 3.4E-3.
+The general philosophy for evaluation of AP600 control room fires follows the approach suggested in NSAC-181L. Per page 2-11 of NSAC-181L,15 minutes is available before obscuration of the main control panel (leading to the control room evacuation). Also per page 2-11 of the NSAC-181L, the probability of non-suppression of a control room fire as a function of time was obtained from control room fire durations in the EPRI fire events database. Per page 3-23 of the NSAC report, the probability of non-suppression fo'r a fifteen minbte time window is estimated as 3.4E-3.
 b&c The general philosophy for evaluation of AP600 control room fires follows the approach suggested in NSAC-181L. It is believed that the NSAC 181L approach (which includes the HEP calculation and interpretation of the Sandia fire tests) is reasonable and the most appropriate method available presently.
-: d.         Procedures for dealing with main control room evacuation are expected to be prepared by the COL.
+d.
-    ,.                            Additional details regarding such procedures are discussed in the response to RAI 720.345. Such procedures for current plants rely on the Shift Supervisor (or similarly responsible position) to decide
+Procedures for dealing with main control room evacuation are expected to be prepared by the COL.
-  ,                               when conditions require transfer of control to the RSW. In general, it is undesirable and impractical to set prescriptive criteria specifying when a MCR evacuation must take place. The operators will be aware of the conditions in the MCR and of their option to transfer control to the RSW should conditions warrant this.
+Additional details regarding such procedures are discussed in the response to RAI 720.345. Such procedures for current plants rely on the Shift Supervisor (or similarly responsible position) to decide when conditions require transfer of control to the RSW. In general, it is undesirable and impractical to set prescriptive criteria specifying when a MCR evacuation must take place. The operators will be aware of the conditions in the MCR and of their option to transfer control to the RSW should conditions warrant this.
 L 20
-i
+i i
-           .  .   .                                                                                                                           1 i               .                                                                                                                            ;
+DRAFT
-                                                    .                          DRAFT I
+\\.
-\.
+Question:
-l Question:       720.351                                                                                                l l
+.351 A fire in the MCR might cause spurious indications as well as spurious equipment operation. Such spurious indications could prompt incorrect operator actions (" errors of commission"). Please discuss the likelihood and potential consequences of such fire-induced errors. In your discussion please list important design features and operational requirements which help prevent such " errors of commission."
-A fire in the MCR might cause spurious indications as well as spurious equipment operation. Such spurious indications could prompt incorrect operator actions (" errors of commission"). Please discuss the likelihood and potential consequences of such fire-induced errors. In your discussion please list important design features and operational requirements which help prevent such " errors of commission."
+I
-I                      Response:
-i The results of the MCR fire scenarios from the internal fire analysis confirm that core damage frequency from such scenarios, assuming credit only for passive features and with no credit for operator actions, is very low for both at-power and shutdown initial conditions. Consistent with the state of the art approach for fire PRA, errors i-of commission were not explicitly addressed in this analysis. The probability that the operators would attempt to defeat automatic actuations because the fire was causing contrary indications is judged to be very small, because
+===Response===
-            ,          the operators would be expected and able to rely on confirmatory information available through the various displays. The displays used by the AP600 plant operators are video display units. Plant data is generated in either a digital or analog format. Data generated in an analog format is converted to a digital data format before being processed for the displays. Fires in the MCR may cause the loss of the display function; however there is no real possibility that the fire can cause the data to be altered such that incorrect data would be displayed. Fires
+i The results of the MCR fire scenarios from the internal fire analysis confirm that core damage frequency from such scenarios, assuming credit only for passive features and with no credit for operator actions, is very low for both at-power and shutdown initial conditions. Consistent with the state of the art approach for fire PRA, errors of commission were not explicitly addressed in this analysis. The probability that the operators would attempt to i-defeat automatic actuations because the fire was causing contrary indications is judged to be very small, because the operators would be expected and able to rely on confirmatory information available through the various displays. The displays used by the AP600 plant operators are video display units. Plant data is generated in either a digital or analog format. Data generated in an analog format is converted to a digital data format before being processed for the displays. Fires in the MCR may cause the loss of the display function; however there is no real possibility that the fire can cause the data to be altered such that incorrect data would be displayed. Fires outside the MCR could affect analog signals before processing and could result in the display of incorrect information in the MCR. However, signal redundancy and separation of cabling, along with the diversity of signals available to the operators, make it un%ely that fire damage would cause indications that would be sufficiently misleadir.g to the operators that tL.y would manually defeat automatic actuation of safety systems.
-        .              outside the MCR could affect analog signals before processing and could result in the display of incorrect
-    .                  information in the MCR. However, signal redundancy and separation of cabling, along with the diversity of signals available to the operators, make it un%ely that fire damage would cause indications that would be sufficiently misleadir.g to the operators that tL.y would manually defeat automatic actuation of safety systems.
 These features help ensure that any risk associated with operator errors of commission are minimized.
-If a fire were to cause spurious indications it is unlikely that the operators would be unaware that the fire was     j the source of such indications. If the spurious indications were such that they would be misinterpreted by the        l operators as a requirement for operation of a mitigating system, actuation of the mitigating system by the            I' operators (e.g., SFW, PRHR, CMTs, ADS) would eventually lead to a safe condition. The fire analysis already models the effects of large and medium LOCAs caused by ADS valve opening, which have been assumed to occur directly as a result of a fire but could also be postulated to occur as a resuh of operator actions. The         ,
+If a fire were to cause spurious indications it is unlikely that the operators would be unaware that the fire was j
-AP600 Adverse System Interactions Evaluation Report (WCAP-14477) provides discussions of the plant features            l that address various active and passive system interactions. If the spurious indications were such'that they would be misinterpreted by the operators that no mitigating system actuation were required when such actuation was          ,
+the source of such indications. If the spurious indications were such that they would be misinterpreted by the l
-                    ' required, the automatic actuation features would initiate operation of the systems.                                     l l
+operators as a requirement for operation of a mitigating system, actuation of the mitigating system by the operators (e.g., SFW, PRHR, CMTs, ADS) would eventually lead to a safe condition. The fire analysis already models the effects of large and medium LOCAs caused by ADS valve opening, which have been assumed to occur directly as a result of a fire but could also be postulated to occur as a resuh of operator actions. The AP600 Adverse System Interactions Evaluation Report (WCAP-14477) provides discussions of the plant features that address various active and passive system interactions. If the spurious indications were such'that they would be misinterpreted by the operators that no mitigating system actuation were required when such actuation was
-l l                    .
+' required, the automatic actuation features would initiate operation of the systems.
+l l
 l l
-l
+l 21 l
+DRAFT l
+l Question:
+.352 The Auxiliary Building contains the MCR as well as various I&C, battery and electrical equipment areas. Do any of the later areas share a common ventilation system and/or air intake system with the control room? If the 1
+answer is yes, please explain what barriers (including operator actions) prevent smoke, hot gases and fire suppressants from reaching the MCR and how such barriers can be defeated.
-                                              ,                          DRAFT                                                           '
+===Response===
-l l
+The Nuclear Island Nonradioactive Ventilation System (VBS), as described in AP600 SSAR Section 9.4.1, serves the Class IE I&C, battery, and electrical equipment areas and the main control room. The VBS consists of several independent subsystems, including a main control room / technical support center HVAC subsystem and a Class IE electrical room HVAC subsystem. The MCR is a separate fire area from the various electrical l
-l Question:      720.352                                                                                                l The Auxiliary Building contains the MCR as well as various I&C, battery and electrical equipment areas. Do any of the later areas share a common ventilation system and/or air intake system with the control room? If the       1 answer is yes, please explain what barriers (including operator actions) prevent smoke, hot gases and fire            l suppressants from reaching the MCR and how such barriers can be defeated.                                             l l
+equipment room fire areas.
-Response:                                                                                                      .      I The Nuclear Island Nonradioactive Ventilation System (VBS), as described in AP600 SSAR Section 9.4.1, serves the Class IE I&C, battery, and electrical equipment areas and the main control room. The VBS consists of several independent subsystems, including a main control room / technical support center HVAC subsystem and a Class IE electrical room HVAC subsystem. The MCR is a separate fire area from the various electrical l                 equipment room fire areas.
 The MCR/TSC' subsystem supplies outside air to the main control room and technical support center areas, and
-                                                                                                                                         ]
+]
-the supply and return air ducts that penetrate the MCR envelope include redundant safety-related seismic              l
+the supply and return air ducts that penetrate the MCR envelope include redundant safety-related seismic Category I' isolation dampers located within the MCR envelope. The Class IE electrical room HVAC subsystem i
-           .       Category I' isolation dampers located within the MCR envelope. The Class IE electrical room HVAC subsystem            i serves the Class IE electrical rooms. Class IE instrumentation and control rooms Class IE electrical penetration      i rooms, Class IE and spare Class IE battery rooms, remote shutdown area, and reactor coolant pump trip                 l switchgear rooms. The outside supply air intake enclosure for the portion of the Class IE electrical room HVAC subsystem serving the division A and C electrical equipment areas is common to the MCR/TSC. intake, but the intake serving the division B and D equipment is in a separate enclosure.,
+serves the Class IE electrical rooms. Class IE instrumentation and control rooms Class IE electrical penetration rooms, Class IE and spare Class IE battery rooms, remote shutdown area, and reactor coolant pump trip switchgear rooms. The outside supply air intake enclosure for the portion of the Class IE electrical room HVAC subsystem serving the division A and C electrical equipment areas is common to the MCR/TSC. intake, but the intake serving the division B and D equipment is in a separate enclosure.,
-As noted in AP600 SSAR subsection 9.4.1.2.1.1, the MCR/TSC HVAC subsystem is designed so that smoke, hot              j gases, and fire suppressant will not migrate from one fire area to another to the extent that they could adversely    l affect safe shutdown capabilities, including operator actions. Fire or combination fire and smoke dampers are         i provided to isolate each fire area from adjacent fire areas during and following a fire in accordance with NFPA       1 90A requirements. These combination smoke / fire dampers close in response to smoke detector signals or in response to the heat from a fire.
+As noted in AP600 SSAR subsection 9.4.1.2.1.1, the MCR/TSC HVAC subsystem is designed so that smoke, hot j
-As noted in SSAR subsection 9.4.1.2.1.2, the Class IE electrical room HVAC subsystem is designed so that smoke, hot gases, and fire suppressant will not migrate from one fire area to another to the extent that they could   l adversely affect safe shutdown capabilities, including operator actions. Separate ventila' tion subsystems are        l provided to serve the electiical division A and C equipment rooms and the electrical division B and D rooms.          j The use of separate HVAC distribution subsystems for the redundant trains of electrical equipment prevents            ;
+gases, and fire suppressant will not migrate from one fire area to another to the extent that they could adversely affect safe shutdown capabilities, including operator actions. Fire or combination fire and smoke dampers are provided to isolate each fire area from adjacent fire areas during and following a fire in accordance with NFPA 1
-smoke and hot gases from migrating from one distribution division to the other through the ventilation system ducts. In addition, combination fire / smoke dampers are provided for Class IE equipment rooms, including the         l remote shutdown workstation room, to isolate each fire area and block the migration of smoke and hot gases to         i or from adjacent fire areas in accordance with NFPA 90A requirements. These combination fire / smoke dampers close in response to smoke detector signals or in response to the heat from a fire.                                   j The smoke / fire dampers on each Class IE electrical room and on the MCR provide sufficient automatic protection against entry of smoke, hot gas, and fire suppressants into the MCR.
+A requirements. These combination smoke / fire dampers close in response to smoke detector signals or in response to the heat from a fire.
+As noted in SSAR subsection 9.4.1.2.1.2, the Class IE electrical room HVAC subsystem is designed so that smoke, hot gases, and fire suppressant will not migrate from one fire area to another to the extent that they could adversely affect safe shutdown capabilities, including operator actions. Separate ventila' tion subsystems are provided to serve the electiical division A and C equipment rooms and the electrical division B and D rooms.
+j The use of separate HVAC distribution subsystems for the redundant trains of electrical equipment prevents smoke and hot gases from migrating from one distribution division to the other through the ventilation system ducts. In addition, combination fire / smoke dampers are provided for Class IE equipment rooms, including the remote shutdown workstation room, to isolate each fire area and block the migration of smoke and hot gases to or from adjacent fire areas in accordance with NFPA 90A requirements. These combination fire / smoke dampers close in response to smoke detector signals or in response to the heat from a fire.
+j The smoke / fire dampers on each Class IE electrical room and on the MCR provide sufficient automatic protection against entry of smoke, hot gas, and fire suppressants into the MCR.
 The degree of separation and redundancy in ventilation systems makes it unlikely that smoke, hot gases, or fire suppressants from fires outside the MCR would reach the MCR.
-          .  **    e                                          l e
+e e
-         . ,                                                  1
+\\
-                         .                                    \
+i to Westinghouse Letter NSD-NRC-96-4904 December 9,1996 9
-I l
-l i
-l Enclosure 3 to Westinghouse Letter NSD-NRC-96-4904        l December 9,1996 9
-l l
 l
-                             .                                1 1
-I 1
 I I
 I I
-                                                             ),
+I
+)
-  .                                                        e  1 1
+e 1
-1
+l i
-1
+t=
-l 1
+l wnr r
-i t=
-l                    wnr r
 : 3. Modeling of Special Initiat:rs interlock would initiate a spurious actuation of the automatic depressurization system event. Both of these double failures are unlikely, given that the test conditions are 2
 normal (e.g., not emergency); performed in the control room; operators are aware of the implications of opening automatic depressurization system valves (e.g., causing a reactor trip and shutting the plant down); and supervision and other operators are present in the control room to observe the test (e.g., the operator would not likely skip the step of bringing up the in-service test soft controls). Additionally, the hardware failure of the interlock is small (passive system with a failure probability of IE-3 or less).
-Failure of each operator action is independent and is estimated to be on the order of
+Failure of each operator action is independent and is estimated to be on the order of IE-03 (similar to omission or commission error with no stress factor, from THERP).
-    .                                     IE-03 (similar to omission or commission error with no stress factor, from THERP).
 Considering a recovery factor of 0.1 for the supervisor for the first error, the total expected error is estimated to be in the range of IE-06 to IE-07 (IE-03
-* IE-03 *
+* IE-03
-;                                         IE-01).                                                               .
+* IE-01).
 Based on the above discussion, the failure modes leading to the above scenarios are not further evaluated quantitatively.
-Results of Spurious Actuation of Automatic Depressurization System
+Results of Spurious Actuation of Automatic Depressurization System ne yearly frequencies of the spurious actuation of the automatic depressunzation system categories are calculated as shown in Table 3.3 L / rr S= 32fne calculated
-;                                         ne yearly frequencies of the spurious actuation of the automatic depressunzation system categories are calculated as shown in Table 3.3 L / rr S= 32fne calculated 3                                }
+}
-initiating event frequencies are as follows:                                                  ,
+initiating event frequencies are as follows:
-                                           .        Spurious automatic depressurization system classified as intermediate loss-of-coolant accident              7.16E-07/yr
+Spurious automatic depressurization system classified as intermediate loss-of-coolant accident 7.16E-07/yr Spurious automatic depressurization system classified as medium loss-of-coolant accident 1.45E-06/yr 1:
-                                            .        Spurious automatic depressurization system classified as medium loss-of-coolant accident                    1.45E-06/yr         l 1:                                                                                                                                        l
+Spurious automatic depressunzation system classified as large loss-of-coolant accident 5.4E-05/yr 3.6 References 3-1 AP600 Probabilistic Risk Assessment Fault Trees, WCAP-13275, Revision 2.
-                                            .        Spurious automatic depressunzation system classified as large loss-of-coolant accident                     5.4E-05/yr 3.6         References                                                                                            !
+Revision: 7 ENE.
-     .                             3-1 AP600 Probabilistic Risk Assessment Fault Trees, WCAP-13275, Revision 2.
+W June 28,1996 Etsb.
-Revision: 7 June 28,1996 ENE.
+mvm,rawv 7 c3.wytm2396 3-8
-Etsb.             W mvm,rawv 7 c3.wytm2396                                     3-8
-                            '
+6.
-: 6. S ccess Criteria Analysis l
+S ccess Criteria Analysis l
-l 63.1.5      Containment Isolation l
+l 63.1.5 Containment Isolation l
-Analyses (documented in Appendix A) were conducted to show that sufficient water for long-l                              term tecirculation cooling of the core will be retained in contamment even if containment integrity is unsuccessful. Therefore, sequences in which core damage has been avoided with successful in-containment refueling water storage tank (IRWST) injection and recirculation represent success (i.e., no core damage) regardless of the status of containment integrity or l                              PCS water. Fr.ilure of PCS may result in exceeding the containment design pressure,but does not result in exceeding the containment ultimate pressure.
+Analyses (documented in Appendix A) were conducted to show that sufficient water for long-l term tecirculation cooling of the core will be retained in contamment even if containment integrity is unsuccessful. Therefore, sequences in which core damage has been avoided with successful in-containment refueling water storage tank (IRWST) injection and recirculation represent success (i.e., no core damage) regardless of the status of containment integrity or l
-As a result, with one exception, neither containment integrity nor PCS are addressed on the core damage event trees. The status of containment integrity and PCS water are factored into
+PCS water. Fr.ilure of PCS may result in exceeding the containment design pressure,but does not result in exceeding the containment ultimate pressure.
-    .                           the success criteria where they result in conditions affecting systems operation. Appendix A contains additional details of assumptions regarding PCS and containment isolation as used in the analyses.                                                                                   ,
+As a result, with one exception, neither containment integrity nor PCS are addressed on the core damage event trees. The status of containment integrity and PCS water are factored into the success criteria where they result in conditions affecting systems operation. Appendix A contains additional details of assumptions regarding PCS and containment isolation as used in the analyses.
 The one exception to this. is in the large LOCA modeling. For certain large LOCAs with break size close to that selected as the cutoff between medium and large LOCA, if l
 containment isolation is not successful, the pressure in the RCS could prevent IRWST gravity injection. 'Iherefore, the PRA large LOCA event tree requires the following, if containment isolation fails: CMT injection is required in order to generate both the automatic ADS actuation signal and the automatic IRWST squib valve actuation signals; and opening of ADS valves is required in order to reduce RCS pressure to the point at which gravity injection occurs.
 Containment isolation is addressed in the contamment event trees for core damage sequences in which IRWST injection fails, in order to determine long-term water availability in the reactor cavity. Success criteria for contamment systems are provided in Chapter ["D]. '
 .
-.2        Timing of Events and Key Operator Actions Specific criteria for timing of important events within the various accident sequences are discussed in the following paragraphs.
+.2 Timing of Events and Key Operator Actions Specific criteria for timing of important events within the various accident sequences are discussed in the following paragraphs.
-.3.2.1      'Ihne to Respond to Loss of Decay Heat Removal
+.3.2.1
-     .                             For events involving a loss of main and startup feedwater to the steam generators, the Passive RHR system would be expected to remove decay heat. If passive RHR failed to automatically actuate, the operators would be expected to manually actuate this function. If this were
+'Ihne to Respond to Loss of Decay Heat Removal For events involving a loss of main and startup feedwater to the steam generators, the Passive RHR system would be expected to remove decay heat. If passive RHR failed to automatically actuate, the operators would be expected to manually actuate this function. If this were unsuccessful, the operators could initiate RCS depressunzation using the ADS, in order to
-      ~
+~
-unsuccessful, the operators could initiate RCS depressunzation using the ADS, in order to actuate core makeup tank or accumulator injection (i.e., feed and bleed).
+actuate core makeup tank or accumulator injection (i.e., feed and bleed).
-l l                                   'Ibe limiting loss of decay beat remcyal events are those that result in a loss of waa4y side heat sink. A loss of offsite power (resulting in a loss of all main feedwater) without startup feedwater (resulting from either station blackout or failure of SFW) is analyzed, since this Revision: 7 June 28,1996                                                        Arygg,d,,
+l l
-mur                T MIR@W88 m:www.nsec6.wpe.ib                                   6-8
+'Ibe limiting loss of decay beat remcyal events are those that result in a loss of waa4y side heat sink. A loss of offsite power (resulting in a loss of all main feedwater) without startup feedwater (resulting from either station blackout or failure of SFW) is analyzed, since this Revision: 7 Arygg,d,,
+T MIR@W88 June 28,1996 mur m:www.nsec6.wpe.ib 6-8
-                                       ~
+~
-I                                                                26. Protection and Saf;ty Monitoring System l
+I
+: 26. Protection and Saf;ty Monitoring System l
 which reduces to:
 J
-          )                              P(f: system) = (A,
+)
+P(f: system) = (A,
 * T) + (b
-* T) h                                                                                                                               1 7,                     Thus, for any intennediate single. point failure nodes of the tree, this modeling method implie; that     j 1               '
+* T) h 1
-any failure of these parts at any time during the full mission time T will cause loss of the               l
+, Thus, for any intennediate single. point failure nodes of the tree, this modeling method implie; that j
-.]Jg!                           intermediate function being assessed. Therefore, application of this method correctly models single point failures that can lead to the undesired system event.
+any failure of these parts at any time during the full mission time T will cause loss of the
-     -o   i For AND gates in the tree, the same method is applied. For combinations of failures, resultant
+.] !
-_] $;                        output effectively equals results that would have been obtamed by using component input values o                      based on P(f) = AT for initial part detectable failures and P(f) = A
+intermediate function being assessed. Therefore, application of this method correctly models single Jg point failures that can lead to the undesired system event.
-* 2R for subsequent redundant       ,
+-o i
-I                     part detectable faihues For an example two-part redundant system, the AND relationship where             )
+_] $
-both failures are detectable can be expressed as follows:                                                l 4.
+For AND gates in the tree, the same method is applied. For combinations of failures, resultant output effectively equals results that would have been obtamed by using component input values based on P(f) = AT for initial part detectable failures and P(f) = A
-o                                                                                         *
+* 2R for subsequent redundant o
-    .e
+I part detectable faihues For an example two-part redundant system, the AND relationship where both failures are detectable can be expressed as follows:
-          $3   a P(f: system) = P(f:Part 1)
+.o
+$3 P(f: system) = P(f:Part 1)
 * P(f:Part 2)
- .t-3       f 1.
+.e a
-               +
+".3 j i f 1.
-      ".3 j i
+.t-3
-* Substituting the values per the method presented above:
++
-I                         P(f: system) = ((4
+Substituting the values per the method presented above:
+I P(f: system) = ((4
 * 2R) * (b
 * 2R))
 * T/2R
-{1 h                          .
+{1 h 3
-j 3      'h                 the resulting equation is:
+'h the resulting equation is:
-l
+j
-      *?5
+*?5
-: 1. e;                              P(f: system) = (A
+: 1. e; P(f: system) = (A
 * T) * (4
 * 2R)
-A ep                                             .
+A ep
-This method implies that a loss of function requires two failures: faihue of part I during full
+<<, J i[g This method implies that a loss of function requires two failures: faihue of part I during full mission time T, and the subsequent failure of part 2 during twice the repair time of part 1. His j(.3$
-     <<, J i[g                    mission time T, and the subsequent failure of part 2 during twice the repair time of part 1. His result is consistent with the discussion of modeling repairable redundant systems presented above.
+result is consistent with the discussion of modeling repairable redundant systems presented above.
-j(.3$ ,
+For the spurious ADS model, T = 8760 hours, and R = 4 hours. Thus, all input faihue rates used g
-                   ,              For the spurious ADS model, T = 8760 hours, and R = 4 hours. Thus, all input faihue rates used
+in the tree are multiplied by 8 hours (2R where R = 4 hours), and the final tree result is multiplied
-       ' 8                        in the tree are multiplied by 8 hours (2R where R = 4 hours), and the final tree result is multiplied g                                                                                                                           i l
+' 8 i
-4                      by ,1095 hours (T/2R where T = 8760 hours, and 2R = 8 hours). His produces the probability F                          of a spurious event over mission time T, which is then converted to a failure rate per mission time T, giving the number of spurious ADS events per yearp_' ;f5.4E-) events / year.JJ
+4 by,1095 hours (T/2R where T = 8760 hours, and 2R = 8 hours). His produces the probability F
-                                                                                  ,Y A msa au n.            o              /            {
+of a spurious event over mission time T, which is then converted to a failure rate per mission time T, giving the number of spurious ADS events per yearp_' ;f5.4E-) events / year.JJ o
-.5.4      Common Cause Failures
+/
-* 1*T "# *       "S               j 1
+{
-Several common cause failures within the PMS are considered credible and accounted for
+,Y A msa au n.
-..                                 explicitly during construction of fault trees. Mamly two common cause failures are identified:
+.5.4 Common Cause Failures
+* 1*T "#
+* j "S
+Several common cause failures within the PMS are considered credible and accounted for explicitly during construction of fault trees. Mamly two common cause failures are identified:
 hardware common cause failures due to the use of the same type of boards for many subsystems, and software common cause failures.
-The hardware common cause falhue evaluations are based on the multiple greek leuer method, which uses beta, gamma, and delta factors to repet the conditional probabilities of second ,
+The hardware common cause falhue evaluations are based on the multiple greek leuer method, which uses beta, gamma, and delta factors to repet the conditional probabilities of second,
-Revision: 7                                                          -
+Revision: 7 gg June 28,1996 mang.
-gg June 28,1996                                                           mang.
+m W vev_ h :26.wpr:nos2496 26-24
-m W vev_ h :26.wpr:nos2496                            26-24
-   ** * =    e      +__;
+** * =
+e
++__;
 : 36. Reactor Coolant Systm Depressurizatio2 I
-the reactor coolant system and water covering the faulted steam generator tubes. Rese I            sequences are not considered to be bypass sequences.
+the reactor coolant system and water covering the faulted steam generator tubes. Rese I
+sequences are not considered to be bypass sequences.
 I For the steam generator tube rupture cases where the passive residual heat removal system is I
 successful, followed by successful automatic depressurization system actuation and I
@@ Line 728: / Line 766: @@
 pressure and the high water level in the faulted steam generator. His scenario assumes that the I
 faulted steam generator would be kept filled, covering the tubes. Any release of fission products I
-I            through sequences are'the    broken not considered     tube to be bypasswould sequences. be decontaminated byhese              the['rr x _i; 9 gree.i p   hb n e8 4ke. bim I 36.7 References 7.hh ic. ut W 6 dt'.
+through 'the broken tube would be decontaminated by the['rr x _i; hese I
-l            36-1 Heofanous, T. G., et. al . "In-Vessel Coo! ability And Retention of a Core Melt,"
+sequences are not considered to be bypass sequences.
-l                   DOFJID-10460, July 1995.                                                                            I l                                                                                                                       !
+gree.i hb n e8 4ke. bim p
--2 " Creep Rupture Failure of "Iluce Components of the Reactor Pnmary Coolant System i                   Dunng the TMLB Accident," EGG-EA-7431, EG&G Idaho, November 1986.
+I 36.7 References 7.hh ic. ut W 6 dt'.
-1
+l 36-1 Heofanous, T. G., et. al. "In-Vessel Coo! ability And Retention of a Core Melt,"
--3 neofanous, T. G. et. al., " Lower Head Integrity Under In-Vessel Steam Explosion                      l l                   Loads," DOF/ID-10541, issued for peer review, July 1996.                                             l 9
+l DOFJID-10460, July 1995.
-e                           l l
+l 36-2 " Creep Rupture Failure of "Iluce Components of the Reactor Pnmary Coolant System i
+Dunng the TMLB Accident," EGG-EA-7431, EG&G Idaho, November 1986.
+36-3 neofanous, T. G. et. al., " Lower Head Integrity Under In-Vessel Steam Explosion l
+Loads," DOF/ID-10541, issued for peer review, July 1996.
+e
 l l
-l
+Revision: 8 ENEL S'Ptember 30,1996
-<                 Revision: 8 ENEL S'Ptember 30,1996                                                  *
+= W wv. w
-                  = W wv. w
 * 36-6
+* 4
-                                                                                                                                                                                                                           *4
 : a w
-l                                                                                                                    Table 52-5 (Sheet I of 2)
+l Table 52-5 (Sheet I of 2) l AT POWER FOCUSED PRA SENSITIVITY STUDY CORE DAMAGE CONTRIBUTION BY Y
-AT POWER FOCUSED PRA SENSITIVITY STUDY CORE DAMAGE CONTRIBUTION BY                                                                                                                               Y f
+l INITIATING EVENT f
-l l                                                                                                                     INITIATING EVENT f                                                                                                                                                                                         Initiating l     Baseline PRA                    Focused PRA                                                                                                                                                             {
+f l
-c l         CDF                              CDF                                                                                                                            Percent       Event l    Contribution                    Contribution                                                                            Initiating Event                           Contribution Frequency               k l  1 QOE-091                            4.9E-06                                                       AlWS percursors with MFW                                            64.06 26.27 1.17E+00 4.81 E-01 fT gg   l  2                                      2.0E-06                                                       ATWS percursors without MFW                        ,
+Baseline PRA Focused PRA Initiating
-R I  3     3.2E-08                           1.8E-07                                                      Intermediate LOCA                                                    2.38      7.70E-04              E 3.
+{
-.8E-10                          8.6E-08                                                       ATWS percursors with SI signal                                       1.I2      2.05E-02 l  4 l  5      1.lE-09                         8.lE-08                                                       Transients with MFW                                                  l.06      1.40E+00              k 5.6E-10                          6.lE-08                                                       PRHR tube rupture                                                   0.79      2.50E-04 l  6 5.8E-08                                                       Large LOCA                                                          0.75       1.05E-04 l  7     5.0E-08 3
+l CDF CDF Percent Event c
-b       l  8     3.8E-08                          5.7E-08                                                       Safety injection line break                                         0.74       1.04E-04 3.8E-08                                                       Medium LOCA                                                         0.50       1.62E-04 l  9     6.2E-09
+l Contribution Contribution Initiating Event Contribution Frequency k
-                                                                                                                                                     ~
+f l
-.0E-08                                                       Loss of main feedwater                                              0.38      3.35E-01 l  10    3.0E-10 Small LOCA                                                          0.31      1.01 E-04 l   11    4.lE-09                          2.4E-08 2.2E-08                                                       CMT line break                                                      0.28      8.94 E-05 l   12    3.5E-09 1.7E-08                                                       Loss of MFW to one steam generator                                  0.22      1.92E-01 l   13    1.8E-10 R                6. lE-09                         1.7E-08                                                       Steam generator tube rupture                                        0.22      5.20E-03 I   14 1.2E-08                                                       RCS leak                                                            0.15      5.02E-05 w
+QOE-091 4.9E-06 AlWS percursors with MFW 64.06 1.17E+00 l
-   $   l   15    2.3E-09 1.lE-08                                                       Core power excursion                                                0.14      4.50E-3 l   16    1.8E-09
+2.0E-06 ATWS percursors without MFW 26.27 4.81 E-01 T
-((                                                                                                              Loss of offsite power                                              0.14       1.20E-01 1.0E-09                          1.lE-08
+gg R
-{$  l   17 58E t
+I 3
--o                                                                                                                                                                                                                        II
+.2E-08 1.8E-07 Intermediate LOCA 2.38 7.70E-04 E
+.
+l 4
+.8E-10 8.6E-08 ATWS percursors with SI signal 1.I2 2.05E-02 l
+1.lE-09 8.lE-08 Transients with MFW l.06 1.40E+00 k
+l 6
+.6E-10 6.lE-08 PRHR tube rupture 0.79 2.50E-04 3
+l 7
+.0E-08 5.8E-08 Large LOCA 0.75 1.05E-04 b
+l 8
+.8E-08 5.7E-08 Safety injection line break 0.74 1.04E-04 l
+6.2E-09 3.8E-08 Medium LOCA 0.50 1.62E-04
+~
+l 10 3.0E-10 3.0E-08 Loss of main feedwater 0.38 3.35E-01 l
+4.lE-09 2.4E-08 Small LOCA 0.31 1.01 E-04 l
+3.5E-09 2.2E-08 CMT line break 0.28 8.94 E-05 l
+1.8E-10 1.7E-08 Loss of MFW to one steam generator 0.22 1.92E-01 R
+I 14
+: 6. lE-09 1.7E-08 Steam generator tube rupture 0.22 5.20E-03 l
+2.3E-09 1.2E-08 RCS leak 0.15 5.02E-05 w
+((
+l 16 1.8E-09 1.lE-08 Core power excursion 0.14 4.50E-3
+{$
+l 17 1.0E-09 1.lE-08 Loss of offsite power 0.14 1.20E-01 t
+E II
+-o
 ,5 - e E$
-      . es g 8
+es g 8
-Attachment A to NSD-NRC-96-4904 Enclosed Responses to NRC Requests for Additional Information Re: Conditional Containment Failure Probability
+Attachment A to NSD-NRC-96-4904 Enclosed Responses to NRC Requests for Additional Information Re: Conditional Containment Failure Probability 220.95 220.%
 ~
-.95        220.%
+.97 220.98 220.99 480.190 480.191 480.192 Re: Fire PRA (draft responses) 720.334 720.335 720.336.
-.97        220.98 220.99        480.190 480.191       480.192 Re: Fire PRA (draft responses) 720.334       720.335         720.336 .                               ,
+.337 720.338 720.339 720.340 720.341 720.342 720.343 720.344 720.345 720.346 720.347 720.346 720.349 720.350 720.351 720.352 f
-.337       720.338         720.339                                             -
+9}}
-.340       720.341         720.342 720.343 720.344         720.345 720.346       720.347     ,   720.346                                           *
-                     .       720.349       720.350         720.351 720.352                 .
-f
-                                                         .                                                 8 9}}

NSD-NRC-96-4904, Forwards Response to RAI Re Conditional Containment Failure Probability Distribution in Chapter 42 of AP600 Probalistic Risk Assessment: Difference between revisions

Latest revision as of 10:09, 12 December 2024

Text

SUBJECT:

Dear Mr. Quay:

Response

Response

Response

References:

Response

Reference:

Response

Response

Response

Response

Response

Response

Response

Response

Reference:

Response

Response

Response

Response

Response

Response

Response

Response

Response

Response

Response

Response

Response

Response

Navigation menu

Search