Text

William Reckley - Re: Review of AP1000 DCD for sensitive information Page 1 From: Lawrence Burkhart To: Samuel Miranda 7 Date: 4/30/02 7:14AM

Subject:

Re: Review of AP1000 DCD for sensitive information Sam, Thanks for your efforts and quick turnaround.

Larry.

>>> Samuel Miranda 04/29/02 04:06PM >>>

I looked at the Design Control Document for API 000 and haven't found anything in it that I think ought to be withheld from the public at this time.

By the way, I used to work for Westinghouse, in accident analysis, and I recognized some of my words, now more than a decade old, in this submittal. I also noticed one of the referenced WCAPs is attributed to someone who had no part in is production.

I have included (below) some notes and observations regarding the content of this document.

Please contact me i you have any questions regarding my review.

AP1000 Design Control Document Notes and Observations:

1. An AP1000 plant does yet not exist, and might not ever exist. Therefore, the kind of plant-specific details, that are likely to convey sensitive information, are not expected to exist at this time.

2. If an API 000 plant is built, it won't be for at least a decade. By then, it is likely that some details of the systems descriptions, in the Design Control Document, will be modified or deleted. Other systems or components could be added.

3. The Design Control Document contains tag numbers. Containment penetrations for various safety system lines are also identified by valve/hatch number. Electrical diagrams indicate panel numbers and locations (e.g., aux bldg, UPS dist pnl EDS2-EA-13). By themselves, tag numbers are not useful; but when combined with layout drawings and accident scenarios, the tag numbers could identify specific targets (components) for sabotage.

4. Certain external events, such as airplane crashes, are considered as postulated accidents, with low probabilities of occurrence. Perhaps some of these events should also be considered as postulated terrorist threats, with higher probabilities of occurrence. Other terrorist scenarios could include boat or truck-based explosions.

5. Some events are not evaluated, since they are not considered credible. This judgment, that an event is not credible, is based upon traditional accident probabilities of occurrence, and equipment reliability experience. Certain scenarios, that are not considered credible (e.g., catastrophic failure of nonsafety-related rotating equipment), should be re-evaluated to verify that they are still not credible, after the possibility of attack-initiated failures are considered. For example, the probability of missile impact in safety-related areas is less than 10-7; not a credible event. What would be the overall probability if aimed, military weapons were included, as well as randomly-generated turbine blades?

6. A distinguishing feature of the AP1000 design is the passive containment cooling system water tank, which sits atop the containment building, and drops water along the outside surface of the steel containment vessel. This is an easily identifiable target. Should postulated terrorist threat scenarios include the destruction or demolition of this tank?

[ William Reckley - Re: Review of API 000 DCD for sensitive information Page 22 William Reckley Re: Review of AP1000 DOD for sensitive information Page

7. The passive core cooling containment recirculation subsystem contains explosively-actuated isolation valves. Does this mean that the API 000 plant would have explosives, on site, in or for these valve actuators?

8. -Which features of the control room HVAC design (or control room emergency habitability system) would be effective in protecting against chemical or biological assaults?

9. Radiological access control diagrams In Chapter 12 may be considered sensitive.

10. Physical barrier descriptions and requirements in Chapter 13 may be considered sensitive in a specific ANi 000 application, with plant design details. The specification of bullet resistance (level 4) requirement may be sensitive.

11. Some plant-specific API 000 PRA scenarios (Chapter 19), could be sensitive if layout drawings are also provided. Should the PRA include a set of terrorist scenarios?

Sam Miranda, NRR/DLPMIPDIII-l (301) 415-2303 CC: CC: Lyons;

~~JamesLakshminaras Raghavan; William Reckley