ML20100R107
| ML20100R107 | |
| Person / Time | |
|---|---|
| Site: | 05200003 |
| Issue date: | 02/21/1996 |
| From: | Lindgren D, Mcintyre B WESTINGHOUSE ELECTRIC COMPANY, DIV OF CBS CORP. |
| To: | |
| Shared Package | |
| ML20100R082 | List: |
| References | |
| WCAP-14477, WCAP-14477-R, WCAP-14477-R00, NUDOCS 9603120263 | |
| Download: ML20100R107 (85) | |
Text
['
l WESTINGHOUSE NON-PROPRIETARY CLASS 3 i
l i 1
WCAP-14477 t i !
l l
l l i l
THE AP600 ADVERSE )
SYSTEM INTERACTIONS EVALUATION REPORT Febniary 1996 I
i C. Brockhoff M. Corletti D. Lindgren T. Rowell <
i S. Sancakar I
l WESTINGHOUSE ELECTRIC CORPORATION Energy Systems Business Unit Nuclear Technology Division P.O. Box 355 Pittsburgh, Pennsylvania 15230-0355 C19% Westinghouse Electric Corporation a n via.- "eserved 9603120263 960305 PDR ADOCK 05200003 A PDR m:u63&uon:Ib-o228% REVISION: 0
, - - - . ..- .. .-...- ....- .. . . - . _ _ . - _ ~ . . - , - ~ . . ~ . . - . - - . _ - . .
{
' AP600 DOCUMENT COVER SHEET ;
TDC: IDS: I S
- Form 58202G(5/94)
AP600 CENTRAL FILE USE ONLY:
- 0058.FRM RFS#
- RFS ITEM #:
} AP600 DOCUMENT NO. REVISION NO. ASSIGNED TO '
t GW-GLR 003 0 Page 1 of {11
, ALTERNATE DOCUMENT NUMBER: . WORK BREAKDOWN #: 3.3.28.0 DESIGN AGENT ORGANIZATION: WESTINGHOUSE TITLE: THE AP600 ADVERSE SYSTEM INTERACTIONS EVALUATION REPORT i
4 i
ATTACHMENTS: N/A DCP #/REV. INCORPORATED IN THIS DOCUMENT REVISION: N/A i
I CALCULATION / ANALYSIS
REFERENCE:
522 i
- ELECTRONIC FILENAME ELECTRONIC FILE FORMAT ELECTRONIC FILE DESCRIPTION M
- \2630w.WPF Wordperfect 5.1 WINDOWS DOCUMENT TEXT AND FIGURES U:\1262.FRM Wordperfect 5.1 WINDOWS COVER SHEET (C) WESTINGHOUSE ELECTRIC CORPORATION 199E.
. O WESTINGHOUSE PROPRIETARY CLASS 2 This document contains information proprietary to Westinghouse Electric Corporation: it is submitted in conAdence and is to be used solely for the purpose for which it is fumished and retumed upon request. This document and such informahon is not to be reproduced, transmitted, disclosed or used otherwise in whole or in part without prior written authorization of Weennghouse Electric Corporation, Energy Systems Business Unit, subsect to the legends contained hereof.
. O WESTINGHOUSE PROPRIETARY CLASS 20 This document is the property of and contains Proprietary Information owned by Westmghouse Electric Corpormhon and/or its subcontractors and suppliers. It is transmitted to you in confidence and trust, and you agree to treet this document in strict accordance with the terms and condibons 4
of the agreement under which it was provided to you.
l @ WESTINGHOUSE CLASS 3 (NON PROPRIETARY) j COMPLETE 1 IF WORK PERFORMED UNDER DESIGN CERTIFICATION ~OR COMPLETE 2 IF WORK PERFORMED UNDER FOAKE.
1 @ DOE DESIGN CERTIFICATION PROGRAM - GOVERNMENT LIMITED RIGHTS STATEMENT [See page 2]
[
1
. Copyright statement: A license is reserved to the U.S. Govemment under contract DE-AC03-90SF18495.
O DOE CONTRACT DELIVERABLES (DELIVERED DATA)
Subject to specited excephons, disclosure of this data is restricted unni September 30,1995 or Design Cert:Acetion under DOE contract DE-AC03-j ,
90SF18495, whichever is later.
f EPRI CONFIDENTIAL: NOTICE: 1 2 334 5 CATEGORY: A Q BO C D E F0 i 2 O ARC FOAKE PROGRAM - ARC LIMITED RIGHTS STATEMENT [See page 2)
- Copyright statement
- A license is reserved to the U.S. Govemment under contract DE-FC02-NE34267 and subcontract ARC-93 3-SC-001.
1 O ARC CONTRACT DELIVERABLES (CONTRACT DATA)
} Subject to specrRed excepsons, disclosure of this data is restricted under ARC Subcontract ARC-93 3-SC-001, j ORIGINATOR SIG ,R TE- ," -
I AP600 RESPONSIBLE MANAGER
/ '
~
/ ha ~~
>c? f CAPPROV D' ATE
~'"'v~ SLiTURE*AA 1
=
. ~/a
'A,,,,,vvel of the responsible manager signihes that documeht is complet6(all regiadreviews are compiefs, elqEtronic file is attached and document is
, released for use.
4
AP600 DOCUMENT COVER SHEET Pige 2 Form 58202G(s/94) LIMITED RIGHTS STATEMENTS DOE GOVERNMENT LIMITED RIGHTS STATEMENT (A) These data are submitted with limited rights under govemment contract No. DE-AC03-90SF18495. These data may be reproduced and used by the govemmerit with the express limitation that they will not, without written permission of the contractor, be used for purposes of manufacturer nor disclosed outside the govemment; except that the govemment may disclose these data outside the govemment for the following purposes, if any, provided that the govemment makes such disclosure subject to prohibition against further use and disclosure:
(1) This
- Proprietary Data
- may be disclosed for evaluation purposes under the restrictions above.
(11) The ' Proprietary Data' may be disclosed to the Electric Power Research Institute (EPRI), electric utility representatives and their direct consultants, excluding direct commercial competitors, and the DOE National Laboratories under the prohibitions and restrictions above.
(B) This notice shall be marked on any reproduction of these data, in whole or in part.
ARC LIMITED RIGHTS STATEMENT: I
)
1 This proprietary data, fumished under Subcontract Number ARC-93-3-SC-001 with ARC may be duplicated and used by the govemment and ARC, subject to the lirnitabons of Article H-17.F. of that subcontract, with the express limitations that the proprietary data may not be disclosed outside the government or ARC, or ARC's Class 1 & 3 members or EPRI or be used for purposes of manufacture without prior permission of the Subcontractor, except that further disclosure or use may be made solely for the following purposes:
This proprietary data rnay be disclosed to other than commercial competitors of Subcontractor for evaluation purposes of this subcontract under the restricbon that the proprietary data be retained in confidence and not be further disclosed, and subject to the terms of a non-disclosure agreement between the Subcontractor and that organization, excluding DOE and its contractors.
I
- DEFINITIONS
' CONTRACT / DELIVERED DATA - Consists of docurnents (e.g. specifications, drawings, reports) which are generated under the DOE or ARC contracts which contain no background proprietary data.
EPRI CONFIDENTIALITY / OBLIGATIONNOTICES NOTICE 1: The data in this document is subject to no confidenbality obligations.
NOTICE 2: The data in this document is proprietary and confidential to Westinghouse Electric ation and/orits Contractors. Itis forwarded to recipient under an obligation of Confidmce and Trust for limited purposes only. Any use, di ure to unauthorized persons, or copying of f
l this document or parts thereof is prohibited except as agreed to in advance by the Electric Power Research institute (EPRI) and Westin house i Electric Corporation. Recipient of this data has a duty to inquire of EPRI and/or Westinghouse as to the uses of the information con ' herein that are permitted.
I NOTICE 3: The data in this document is proprietary and confidential to Wesanghouse Electric Corporation and/orits Contractors. It is forwarded i to recipient under an obligation of Confidence and Trust for use only in evaluaton tasks specifically authorized by the Electric Power Research Institute (EPRI). Any use, disclosure to unauthorized persons, or copying this document or parts thereof is prohibe~ted except as agreed to in advance by EPRI and Westinghouse Electne Corporanon. Recipient of this data has a duty to inquire of EPRI and/or Westinghouse as to the uses of the information contained herein that are permitted. This document and any copies or excerpts thereof that may have been generated are to be returned to Westinghouse, directly or through EPRI, when requested to do so.
NOTICE 4: The data in this document is proprietary and confidential to Westinghouse Electric Corporation and/or its Contractors. It is being revealed in confidence and trust only to Ernployees of EPRI and to certain contractors of EPRI for limited evaluation tasks authorized by EPRf.
Any use, disclosure to unauthorized persons, or copying of this document or parts thereof is prohibited. This Document and any copies or excerpts thereof that may have been generated are to be retumed to Westinghouse, directty or through EPRI, when requested to do so.
1 NOTICE 5: The data in this document is p rietary and confidential to Westinghouse Electric Corporation and/or its Contractors. Access to this data is given in Confidence and Trust on at Westinghouse facilities for limited evaluation tasks assigned by EPRI. Any use, disclosure to unauthorized persons, or copying of this document or parts thereof is prohibited. Neither this document nor any excerpts therefrom are to be removed from Westinghouse facilities.
EPRI CONFIDENTIALITY / OBLIGATION CATEGORIES CATEGORY "A" -(See Delivered Data) Consists of CONTRACTOR Foreground Data that is contained in an issued reported.
CATEGORY *B" - (See Delivered Data) Consists of CONTRACTOR Foreground Data that is not contained in an issued report, except for -
computer programs.
CATEGORY "C"- Consists of CONTRACTOR Background Data except for computer programs.
CATEGORY 'D* - Consists of computer programs developed in the course of performing the Work.
CATEGORY 'E'- Consists of computer programs developed prior to the Effective Date or after the Effective Date but outside the scope of the Work.
CATEGORY *F" - Consists of administrative plans and administrative reports.
TABLE OF CONTENTS Section Title Page
1.0 INTRODUCTION
1-1 1.1 Background 1-1 1.2 Scope 1-1 2.0 FUNCTIONAL INTERACTIONS 2-1 2.1 Methodology 2 2.2 Evaluations of Active-Passive Interactions 2-7 2.3 Passive-Passive Interactions 2-30 3.0 EVALUATION OF POTENTIAL HUMAN COMMISSION ERRORS 3-1 3.1 Objectives and Method 3-1 3.2 Identification of Poter.tial Commission Errors 3-3 3.3 Commission Error Related to Economic Consequences 3-15 3.4 Results of Analysis 3-15 3.5 Conclusions 3-17 4.0 SPATIAL INTERACTIONS 4-1
5.0 CONCLUSION
S 5-1
6.0 REFERENCES
6-1 m:us3ow.non:it> 022m6 iii REVISION: 0
LIST OF TABLES Section Title P_a..ge 2-1 Potential Adverse System Interactions Matrix-Active-Passive Interactions 2-5 2-2 Matrix Summary of Relevant Nonsafety-Related Systems' Assumptions 2-19 3-1 Table of Assessment of Potential Adverse Human Commission Errors 3-4 m:us3ow.non: b-022096 iv REVISION: 0
. __ . -.. - . - . - . - - . . - ~ __ . - . - - - . -.
I 4
1.0 INTRODUCTION
l 5
The purpose of this repon is to summarize Westinghouse Electric Corporation's evaluation of the
- AP600 for potential adverse system interactions. This repon documents the systematic approach used to evaluate systems' interactions and their impact on plant safety. This repon also describes how these j interactions have been considered in the analyses and evaluations presented in the AP600 Standard '
j Safety Analysis Repon (SSAR) and Probabilistic Risk Assessment (PRA) (References I and 2).
l* .-
1.1 Background
The design, analysis, and testing of the AP600 systems have been conducted with consideration for j potential adverse system's interactions. The AP600 incorporates a number of design features that j
prevent or limit adverse system interactions. This repon describes the systematic and thorough j
approach used to evaluate system interactions and demonstrates that potential adverse system j interactions have been addressed.
s
) The requirement for an evaluation of potential adverse system interactions was identified during
} discussions between Westinghouse and the United States Nuclear Regulatory Commission (U.S. NRC)
{
i on the regulatory treatment of nonsafety systems (RTNSS) for the AP600 design. The emphasis was on the effect that operating active nonsafety-related systems had on the function of passive, safety- I related systems. The process used to address adverse systems' interactions was also discussed with the NRC staff. The NRC staff agreed that Westinghouse's approach to address potential adverse systems'
- interactions for the AP600 safety systems would be acceptable (Reference 3).
i
- 1.2 Scope
.i
- Three categories of adverse system interactions have been identified and are discussed in this repon, j- The three types of interactions include functional interactions, spatial interactions, and human-intervention interactions.
2
! l
- . Functionalinteractions are those system performance interactions attributed to the sharing of common j systems or components, or physical connections between systems including electrical, hydraulic, j j pneumatic, or mechanical connections. Spatial interactions include fire, flood, missile hazard, pipe j
break, and effects of seismic events. Human-intervention interactions involve the effects of operator 4 actions.
l 1
4 i
i m:us3ow.non:ib-022096 1-1 REVISION: 0
,- w,
2.0 FUNCTIONAL INTERACTIONS Functional interactions are interactions between systems or subsystems that result from a common interface. A functional interaction exists if the operation of one system can affect the performance of another system or subsystem. An adverse system interaction exists if the operation, or lack thereof, causes a negative impact on the performance of a safety-related system during plant operation or during the mitigation of an accident.
e 4
j Section 2.1 discusses the methodology used to identify potential adverse systems' interactions between l
. nonsafety-related and safety-related systems, and between safety-related and other safety-related systems in performing their safety-related missions. Section 2.2 evaluates each potential adverse i systems' interaction outlined in Section 2.1. Section 2.2 also discusses how these interactions are j captured in the various AP600 licensing submittals.
2.1 Methodology l i
3 Westinghouse has developed a methodology to systematically identify and evaluate potential adverse
- systems interactions. An approach has been taken to identify adverse system interactions between i active, nonsafety-related systems, and passive safety-related systems (active-passive interactions) as well as adverse system interactions between passive safety-related systems (passive-passive interactions).
! An adverse system interaction is defined as when the operation and/or performance of an (initiating) !
l system adversely affects the operation and/or performance of a safety-related (affected) system as it !
l' performs its safety-related function. The systematic evaluation of functional interactions began by j examining and identifying the potential affected systems or structures based on consideration of the j AP600 critical safety functions, including:
J i
- Suberiticality i
- Core cooling
- i.
- Reactor coolant system (RCS) pressure boundary integrity
'
- RCS inventory
!
- Heat sink i
- Containment integrity
! The systems, structures, or components that perform or maintain these safety functions were identified i'
and categorized as potential affected systems as follows:
I j
- Core
] RCS (pressure boundary) I
- Steam generator system (pressure boundary)
- Containment system s
m:us30w.non:n-022m6 2-1 REVISION: 0
- .- - - - . ~ _ - . - - . -- - - . - _ . . . - - . . - . - .-
- Core makeup tanks (CMTs) )
- Accumulators 1 In-containment refueling water storage tank (IRWST)
Containment recirculation {
Passive residual heat removal heat exchanger (PRHR HX) !
Passive containment cooling system (PCS) '
- pH adjustment of containment recirculation ,
In addition, other systems, such as the main control room habitability system, that perform safety-- -
related functions, were identified and categorized as potential affected systems. i Potential initiating systems were then identified by examination of the affected systems above, and !
systematically evaluating each system as a potential initiating system. This began with the reactor
- coolant system (RCS) and subsystems. For purposes of this evaluation, the RCS was divided into the {
~
following subsystems or components: '
i Reactor coolant pumps (RCPs)
RCS pressure control (pressurizer heaters and spray) ;
- ADS valves j
Reactor vessel head vent
.l These systems are listed in the left-hand column of Table 2-1 as potential initiating systems that could l cause an adverse system interaction. Additional potential initiating systems were identified by examining the systems that interfaced with the RCS and steam generator system (SGS), as shown on i the RCS and SGS piping and instrumentation diagram (SSAR Figures 5.1-5 and 10.3.2-1, respectively). These auxiliary systems or subsystems include the following:
l Chemical and volume control system (CVS) makeup pumps
- CVS purification loop :
- CVS letdown line e i
- CVS hydrogen addition line I
- CVS makeup control system ;
Normal residual heat removal system (RNS) pumps ;
- Primary sampling system (PSS)
- Liquid waste processing system (WLS) !
Component cooling water system (CCS) i
- I Steam generator system Main feedwater pumps
- Startup feedwater pumps
- Steam generator blowdown lines i
mxt630w.non:it>eo96 2-2 REVISION: 0
4 :
I Additional potential initiating systems were identified by examining of the passive safety-related systems including the passive core cooling system (PXS) and the passive containment cooling system j (PCS), and the systems that interfaced with these systems as shown on the PXS and PCS piping and l instrumentation diagram (SSAR Figures 63-2 and 6.2-122, respectively). These systems and/or
) subsystems include the following potential initiating systems:
t Core makeup tanks (CMTs)
{*
, In-containment refueling water storage tank (IRWST)
Passive residual heat removal heat exchanger (PRHR HX)
- l
! Passive containment cooling system (PCS)
=
} Spent fuel pool cooling system j
- Containment recirculation a pH adjustment of containment recirculation i
i 3 Additional potential initiating systems were identified by considering safety-related structures such as
< the containment, the spent fuel pool, and the main control room. These systems include the following l potential initiating systems:
i a Containment fan coolers i
j
- Spent fuel pool cooling system Nuclear island nonradioactive ventilation system l
1 i These systems form the basis for the evaluation of potential adverse system interactions considered for
- the AP600 Table 2-1 is a matrix of the potential initiating systems and the potential affected systems. l 1
1' Section 2 includes a discussion on the interactions for each combination of the systems and features
- listed above. Each section briefly describes the potential interactions between the systems considered
- in this evaluation. The discussions in each section identify the important interactions and any adverse j interactions, and confirm that any adverse interactions have been identified, addressed, and evaluated t . as part of the plant design process, through the various design, analysis, and testing mechanisms
, discussed later.
4 There are two principal types of system interactions that have been considered in completing this evaluation. They are:
}
\
- Process fluid interactions that include the design interactions expected between the various q features, such as steam discharged from the ADS sparger and the water in the IRWST that is 1
used to quench this steam.
2 j Actuation interactions, such as the CMT low-low level actuating the fourth stage ADS valves and the IRWST discharge isolation valves.
1 1
4 m:U630w.non:Ib-022096 2-3 REVISION: 0
. _ _ _ . _ _ . - _ _ _ _ _ __ _ . . . _ _ _ _ . _ . _ _ _ _ _ _ _ . . _ ~ _ _ _ _
1 i
l 1
l In each discussion, the most important interactions are identified. The important interactions for each of the systems or components are generally related to the safety-related functions that the system is i designed to perform.
l The less important interactions are included in the discussions for completeness, but they are not significant in comparison to the important interactions. These other interactions are considered secondary interactions, which are not important to the safety-related passive systems for several '
different reasons, which could include any of the following:
l
- I There may be some interactions between the systems or components, but the effects of these -
interactions are insignificant. t 1
=
The operation of the initiating systems may affect the affected system, but the timing of the interaction is such that interaction is not important for accident mitigation.
Some systems have no interactions because there may be no physical interaction between the initiating system and the affected system and therefore, the components are essentially unrelated.
Operation of the various active nonsafety-related systems and passive safety-related systems, and the potential interactions between these systems have been evaluated through a vr.riety of mechanisms as ;
part of the AP600 design process. These mechanisms include the following:
l Detailed design work including analyses, calculations, and evaluations Basic research testing at University of Wisconsin, University of Tennessee, and Westinghouse Science and Technology Center .
Separate effects testing at Columbia University, VAPORE Italy test facility, Westinghouse Science and Technology Center, and Waltz Mill sites Integral system testing at Oregon State University, SPES-2, and Westinghouse Science and Technology Center Design basis safety analyses provided in Chapter 15 of the AP600 SSAR PRA success criteria analyses
- Supporting Emergency Response Guidelines (ERGS) analyses l
\
1 i
I l
l I
l 1
'ne-mms 2-4 REVISION: 0 )
1 I
E is TABLE 2-1
.f
, POTENTIAL ADVERSE SYSTEM INTERACTIONS MATRIX - ACTIVE - PASSIVE INTERACTIONS RCS SGS k Pressure Pressure Cent. ADS ADS Cent.
Affected System Core Boundary Boundary Boundary (I-3) CMT Q (4 Accum. IRWST Rectre. PRHR PCS VES
$ s initi. inns yneem RCPs 2.2.1 2.2. I 2.2. I PZR lleaters - -
2.2.2 -
2.2.2 -
2.2.2 - - -
2.2.2 - -
CVS Makeup 2.23 2.23 2.23 - -
2.23 - - -
2.23 - -
Pumps CVS Purification - - - - - - - - - -
2.2.4 - -
Loop Makeup Control 2.2.5 2.2.5 - - - -
2.2.5 - - -
2.2.5 - -
System CVS Letdown Line 2.2.6 2.2.6 -
2.2.6 - - - - - - - - -
flydrogen Addition - - - - - -
2.2.7 - - -
2.2.7 - -
Line p MFW Pumps - -
2.2.8 2.2.8 - - - - - -
2.2.8 - -
- SFW Pumps - -
2.2.9 2.2.9 - - - - - -
2.2.9 - -
RNS Pumps - - - - -
2.2.10 2.2.10 -
2.2.10 2.2.10 - - -
Containment Fan - - -
2.2.12 2.2.12 2.2.12 - -
2.2.12 2.2.12 -
2.2.12 -
Coolers SG Blowdown - -
2.2.11 - - - - - - - - - -
System WLSRCDT - - - -
2.2.I4 - - - - - - - -
WLS Containment - - -
2.2.15 - - - - -
2.2.15 - - -
Sump Pumps Gutter Drain - - - - - - - - - -
2.2.!6 - -
CCS -
2.2.17 - - - - - - - - - - -
PSS -
2.2.18 - - - - - - - - - - -
SFS - - - - - - - -
2.2.19 - - - -
VBS - - - - - - - - - - - -
2.2.20 G
b 3
o
4 9 7 6 7 5 4 3 S 6 1 2 4 3 C 5 6 7 R 3 3 3 3 3 3 3 2 2 2 2 2 3
2 2 2 S
8 6 6 5 4 4 3 2 1 E 1 2 3 4 3 6 6 7 8 V 3 3 3 3 3 3 3 3 3 X 2 2 2 2 2 2 2 2 2 7 5 5 4 3 2 2 1 S 2 3 S G I. 4 3 6 6 7 S 3 3 3 3 5 3 X -
N 2 2 1 2 2 2 3
2 3
2
- O I
T C
A R
E S 6 4 4 3 2 1 1 T C I 2 3 4 5 6 6 X - -
N P 3 2
3 1
3 2
3 2
3 2
3 3 I 2 2 E
V I
S S 4
)
5 5 A (
3 2 1 P S I.
3 1
3 4 5 X X - - -
- D 2 3 3 3 3 A 2 2 2 2 E
V I
S S )
3-A 5 5 3 2 P I
( I. 1 3 4 I.
5
. S 3 3 3 3 3 X X - - -
).X D 2 2 2 2 2 t I n A oR cT
( A 1 M R 4 I.
H I. - -
4 X - - -
2S R 3 3 N P 2 2 E
LIO BT AC A e r
3 TR i c
e 1
3
- - X - - - - - -
E R 2 r
f f
I M T 2 S
E W 1
- X - - - - -
T R 3
S I 2
Y S
E S
R m. 1 E uc 1
X - - - - - - -
V c 3 -
D A 1 A
L s A
I T s T
N M X - - - - - - - - -
E C T
O .
P m
te n s
y io t
S a d luc e r t
c e
ice f
f s R A r o
t n
ta e lu m T n s m S i
a R T u t H S M c c W n o R D S
C S
C S S E
C A R C P A G I R P S V d
B img ,8g g Ya WmbEO3 o
l 2.2 Evaluations of Active-Passive Interactions This section discusses potential adverse system interactions between the active nonsafety-related l
systems and passive safety-related systems identified in Table 2-1. Each evaluation includes a '
discussion of the potential adverse interactions and discussions of how such interactions have been accounted for in the AP600 SSAR and PRA. !
2.2.1 Reactor Coolant Pump Interactions
. The reactor coolant pumps (RCPs) are part of the reactor coolant system (RCS) and are described in SSAR subsection 5.1.3.3. They circulate coolant through the reactor vessel (RV), com and steam generators (SGs). The potential adverse systems' interactions associated with the RCPs have been identified. These include interactions with the reactor core, the core makeup tanks (CMTs), and the passive residual heat removal heat exchanger (PRHR HX). A summary of these interactions follows.
Reactor Coolant Pump - Core Operation of the RCPs enhances cooling of the core during operation, during a transient, or following an accident. However, during loss-of-coolant accidents (LOCAs), operation of the RCPs can mask the severity of an event by misguiding the operators that sufficient coolant inventory is present. In the ;
.Three Mile Island event, RCP operation masked a condition of high voiding in the reactor coolant ;
system (RCS). Subsequently, the RCPs were lost and the void collapse in the RCS resulted in core j uncovery and fuel damage. This ' phenomena prompted the incorporation of RV level and RCS void I instrumentation in current plants. This instrumentation aids the operator in determining when to trip the RCPs following a LOCA by monitoring RCS void content and RV level. In current plants, the l operator must decide when and if to trip the RCPs following a LOCA when specified criteria are met in order to prevent subsequent core uncovery due to a failure of the RCPs.~
The AP600 design precludes this adverse system interaction. Following safeguard actuation signal (S-signal), the RCPs automatically trip. Furthermore, as presented in the AP600 Emergency Response Guidelines (ERGS) (Reference 4), restart of the RCPs requires core subcooling and pressurizer level to be indicated.
Reactor Coolant Pump - Core Makeup Tank Operation of the RCPs can also affect the performance of the CMTs. As shown in SSAR Figure 6.3-5, the CMTs discharge to the RV via a direct vessel injection (DVI) line and connect to the RCS cold legs via a cold-leg balance line. This enables the core makeup tanks to recirculate and/or inject into the RCS to mitigate an accident. The CMT flow rate is therefore a function of the pressure ;
in the cold leg and the pressure in the downcomer at the outlet of the DVI nozzle.
m:u63ow.non: b-022096 2-7 REVISION: 0
)
l When the RCPs are running, the pressure in the downcomer is increased by the change in velocity 3
^
between the cold leg and the downcomer (approximately 45 ft/sec. and 15 ft/sec. respectively). This static head tends to reduce the resulting CMT flow rate by causing higher local pressure at the DVI l connection to the downcomer. I When the RCPs are tripped, this static head is substantially reduced and the pressure at the DVI ,
connection to the downcomer is approximately the same as cold leg pressure, increasing available AP , (
to drive CMT injection. I The AP600 has addressed this interaction by providing a safety-related automatic trip of the RCPs on -
CMT =mmion. In addition, as stated earlier, restart of the RCPs is not performed unless the CMT termination criteria can be met. '
Reactor Coolant Pump - Passive Residual Heat Removal Heat Exchanger The passive residual heat removal heat exchanger (PRHR HX) is connected to the RCS to promote ,
natural circulation cooling. When the RCPs operate, forced flow through the PRHR HX enters the top I and exits the bottom where it returns to the RCP suctions. If the RCPs are tripped, natural circulation flow develops in the same direction. Earlier design sensitivity calculations were performed that '
connected the outlet of the PRHR HX to the cold legs. For this configuration, when the RCPs j operated, reverse flow was developed through the PRHR HX. Following this, when the RCPs were l tripped, PRHR HX natural circulation flow would slow down and eventually stop, but never move in a j forward direction. This was unacceptable because for a loss-of-heat sink event, if the RCPs were not
)
immediately tripped, the PRHR HX effectiveness would be degraded rendering it insufficient to mitigate the event.
As shown in SSAR Figure 6.3-6, the PRHR HX retum connection is located on the suctions sides of the RCPs. This ensures a forward flow through the PRHR HX when the RCPs operate and when they are tripped. When the RCPs operate, a higher flow rate develops through the PRHR HX, increasing the heat transfer performance of the PRHR HX Although this is usually not an adverse interaction, it can be adverse in accidents where RCS overcooling is a concern, such as in large steam line breaks.
In the analysis of such events, the RCPs are assumed to operate at least until a CMT actuation signal is generated, causing the RCPs to trip. Due to the importance of tripping the RCPs in response to an ,
accident, the AP600 implements this function with safety-related equipment, and can perform this function assuming a single failure.
It was also noted in the design of the AP600 that if the two RCPs in the loop opposite the PRHR HX were to opemte in conjunction with the PRHR HX, reverse flow could develop through the PRHR HX.
To avoid this adverse interaction, the power supply to the RCPs is designed so that the loss of a single electrical bus will not result in the loss of power to two RCPs, in the same SG. This prevents l simultaneous PRHR HX operations with the two RCPs in the opposite loop on the PRHR HX, thus preventing reverse flow through the PRHR HX.
)
l ma2630wun:iw22096 2-8 REVISION: 0 I
i 4
- 2.2.2 Post Accident Interactions involving the Pressurizer Heaters i
l The pressurizer heaters functior, as part of the RCS pressure control subsystem and are described in i
SSAR subsection 5.13.5. They operate to maintain pressure in the RCS pressurizer by maintaining a j steam bubble-water interface in the pressurizer. Their operation following a loss-of-coolant accident j d
(LOCA) can create an adverse system interaction by adding energy to the primary system. '
4 Such an adverse interaction can occur during a steam generator tube rupture (SGTR) event. For these events, the CMTs and PRHR HX automatically operate to reduce the pressure in the RCS below the 'I pressure of the secondary system, and therefore terminate the leak of reactor coolant to the secondary side. Operation of the pressurizer heaters in such an event would counteract or prevent the CMTs and PRHR HX from equalizing primary to secondary pressures, and would increase the amount of primary !
coolant that was discharged to the secondary side, thus increasing potential radioactive releases following such an accident. Ultimately, continued operation of the pressurizer heaters for hours (assuming no operator actions) would cause the CMTs to drain to the ADS setpoint, resulting in actuation of the ADS. ADS actuation in this scenario would be acceptable and would prevent further release of radioactivity to the environment, but it does result in a significant plant transient.
The AP600 has addressed the potential adverse system interactions caused by the operation of the heaters during some events by tripping the heaters on an S-signal actuation. The safety analysis provided in Chapter 15 of the SSAR is performed assuming the pressurizer heaters are tripped following S-signal actuations.
2.2.3 Chemical and Volume Control System Makeup Pump Interactions As shown in SSAR Figure 93.6-1, the chemical and volume control system (CVS) contains two makeup pumps that maintain pressurizer water level within its normal operating band. These are nonsafety-related components controlled by the nonsafety-related plant control system (PLS).
However, operation of the makeup pumps can cause adverse systems' interactions during some accident scenarios.
Non-LOCA Events During non-LOCA events, the normal pressurizer level control program can cause the makeup pumps to operate. During such events, the CMTs can operate in a recirculation mode, and their operation in conjunction with the makeup pumps can cause an increase in coolant inventory. Therefore, in events ,
such as loss-of-feedwater or feedline break, if the makeup pumps were to operate without level I control, the pressurizer water level would increase until the pressurizer became filled with water.
i l
mA2630w.non:Ib-022096 2-9 REVISION: 0
i 4
The AP600 has addressed this adverse interaction by incorporating logic in the PLS and safety-related logic in the Protection and Safety Monitoring System (PMS) to prevent pressurizer overfill during ;
transient events. This logic includes:
Stopping the makeup pumps on high pressurizer level (PLS)
Lowering the setpoints for makeup pump operation following an S-signal as follows: start at ,
10 percent level; stop at 20 percent level (PLS)
L Close the makeup line isolation valves on 67 percent pressurizer level and/or 35 percent -
pressurizer level following an S-signal (PMS)
This logic prevents the makeup pumps from overfilling the pressurizer during design-basis events. -
A description of this analysis can be found in Chapter 15 of the SSAR. ;
SGTR Events During SGTR events, continued makeup pump operation would maintain a primary- to secondary-side leak and could cause the SG to become filled, thus potentially causing water relief through the SG safety valve. Therefore, to prevent this adverse interaction, the CVS makeup line receives a safety-
)
related signal to isolate on high SG water level (PMS), precluding the possibility of the makeup pumps !
continuing to operate and overfilling the SGs. A description of the SGTR analysis can be found in Chapter 15 of the SSAR.
2.2.4 CVS Purification Loop As shown in SSAR Figures 9.3.6-1 and 9.3.6-2, the AP600 has a high-pressuit purification loop that takes suction from the discharge of an RCP, and discharges to the suction of an RCP. In this manner, I purification flow of approximately 100 gpm is maintained when the RCPs are operating. The purification retum line to the RCS is shared with the PRHR HX retum line and is shown in SSAR Figure 5.1-1.
- Operation of the purification loop can affect the temperature distribution in the PRHR HX retum line. .
The temperature distribution affects the thermal center of the PRHR HX loop and the initial driving force for the PRHR HX flow rate. To maximize the PRHR HX initial driving force, the outlet piping of the PRHR HX should be kept as cold as possible.
The layout of the purification loop and connection to the PRHR HX return line has been selected to minimize the amount of PRHR HX discharge piping that could be heated by the purification loop. In I addition, temperature instrumentation has been incorporated to measure both the PRHR HX outlet and inlet piping to verify that these lines are maintained at temperatures that ensure natural circulation through the PRHR HX when required. Finally, the SSAR safety analyses have assumed a temperature mu63ow.non:ib-022096 2-10 REVISION: 0 !
gradient that conservatively bounds the initial driving head available to the PRHR HX by assuming lower than expected inlet temperatures, and higher than expected outlet temperatures.
- 2.2.5 Makeup Control System The makeup control system is a subsystem of the nonsafety-related plant control system (PLS) that
- controls the operation of the makeup pumps, makeup flow rate, and makeup boric acid concentration.
Potential adverse interactions can occur if the makeup control system malfunctions in such a manner j
as to inject makeup at incorrect boron concentrations. This can resuh in reactivity transients that can
- j. cause temperature excursions and affect the interactions of the passive systems with the RCS.
4 Unexpected borations at-power will result in a reduction in RCS temperature, and can thus aggravate
- condition II cooldown events or events that result in an increase in reactor coolant invento;y, such as
' CVS malfunction (see SSAR subsection 15.5.2). Sensitivity studies performed to support this analysis demonstrated the sensitivity of overfilling the RCS to makeup concentration mismatches. If the l '
makeup pumps injected makeup at a higher boron concentration than expected, the RCS would shrink slightly, and additional mass would be added. Eventually, if an S-signal were generated on either low T-cold or low steam line pressure, the CMTs and PRHR HX would be initiated. However, due to the higher RCS initial mass, and the lower RCS temperatures, which in turn reduces the heat transfer capabilities of the PRHR HX, the recirculation of the CMTs could cause an overfill of the pressurizer.
Because of this phenomenon, CVS isolation setpoints have been selected to preclude the possibility of overfilling the RCS for any condition II event including the CVS malfunction event.
Unexpected boron dilutions can also occur if the makeup control system malfunctions. The analysis of boron dilution accidents caused by the makeup control system is included in SSAR subsection 15.4.6.
This section includes evaluations of boron dilution events in Modes I through 5. Boron dilution scenarios are terminated by isolation of the clean water source to the CVS makeup pumps. This safety-related function is accomplished by redundant safety-related isolation valves in the CVS. This function can be performed assuming single-failure criteria. These isolation valves then receive automatic signals to close on a reactor trip, safeguards actuation, source range neutron flux doubling
+
signal, and indications of a loss-of-offsite power. This minimizes the potential of an unexpected boron dilution due to a malfunction of the makeup control systems.
2.2.6 Letdown Line Interactions The AP600 does not use continuous makeup and letdown for chemistry control, but instead uses a high-pressure purification loop inside containment. The AP600 employs a letdown line for various operations such as degassing of the reactor coolant, and for reactor coolant boron concentration adjustments. SSAR Figure 9.3.6-2 shows the CVS purification loop and letdown line.
For letdown operations, the letdown line is automatically aligned by the plant control system (PLS) to discharge coolant to the liquid waste processing system. The letdown line is also used to reduce the ntu630w.non:1b-022096 2-11 REVISION: 0
coolant inventory during shutdown for midloop operations. Consequently, the letdown line can potentially adversely interact with the RCS and the passive safety-related systems during mitigation of an accident. The letdown line represents a potential bypass of the reactor coolant pressure boundary and the containment pressure boundary. If an accident would occur during letdown operation, reactor coolant and safety injection flow could be diverted outside containment, and ultimately challenge the passive recirculation phase of core cooling.
l The letdown line receives numerous automatic isolation signals to prevent unwanted or excessive letdown. The letdown isolation valves (CVS-V045 and V047) receive signals from the PLS to close {
on low pressurizer level. These valves are also containment isolation valves and close automatically *
}
on a containment isolation signal. In addition, the purification stop valves (CVS-V001 and V002) l provide RCS pressure boundary isolation. They close automatically on low-low pressurizer level and l on en S-signal. These safety-related functions are accomplished in accordance with single failure criteria, and protect the reactor coolant pressure boundary, as well as the containment boundary.
These features prevent potential adverse system interactions between the letdown line and the passive safety-related systems.
The AP600 has also addressed overdraining of the RCS by the letdown line during midloop operations. The letdown line is used to drain the water in the RCS. To achieve this, the isolation signals that isolate letdown on low pressurizer level must be blocked. However, to prevent overdraining, the letdown line is also isolated on indication of low hot leg water level. The hot leg .
level instruments provide redundant safety-related indication of the RCS water level. '
2.2.7 Hydrogen-Addition Line The AP600 reduces occupational radiation exposure (ORE) and minimizes the potential for radioactive l crud formation with RCS chemistry control by excluding oxygen from the coolant. This is achieved by maintaining a concentration of hydrogen in solution in the coolant. Unlike pressurized water '
reactors (PWRs) that maintain hydrogen in the coolant via the volume control tank, the AP600 coolant hydrogen concentration is maintained by batch addition of hydrogen via a connection in the CVS. The hydrogen addition line, as shown in SSAR Figure 9.3.6-2, connects to a limited supply of hydrogen.
As required, the operator aligns the hydrogen injection line to add hydrogen to the high-pressure, purification retum line. .
The design of the hydrogen injection line promotes mixing of the hydrogen in the purification stream so that hydrogen is efficiently dissolved into solution. Due to the high pressure of the reactor coolant and the relatively low concentrations of hydrogen in solution, the hydrogen will be very soluble in the coolant.
)
A potential adverse interaction could occur if large amounts of undissolved hydrogen would enter the primary loop and collect in the high points of the PRHR HX line and CMT lines. It has been !
postulated that this phenomenon could potentially degrade and/or prevent natural circulation of the )
l nu630-iw22096 2-12 REVISION: 0
. ~ _ _ _ _ _ . - _ _ _ _ . _ . _ _ _ . . . -
PRHR HX or CMTs. Therefore, injection of a large amount of undissolved hydrogen should be avoided.
This interaction is not a concern for the AP600 for the following reasons:
The solubility of hydrogen at RCS operating pressure is much greaa:r than the hydrogen concentration in the coolant.
The maximum amount of hydrogen that can be physically injected via the hydrogen line is
. small.
- Hydrogen should dissolve in the CVS line.
Undissolved hydrogen that enters the RCS will be dissolved into solution as the gas passes l
through the RCP and before it gets to the CMT and PRHR connections. l The configuration of the RCS loop and connection to the PRHR HX and CMT minimize the potential for undissolved hydrogen to collect in the PRHR HX or CMT lines.
Hydrogen is maintained in solution at concentrations ranging from approximately 20-50 cc/kg. At the RCS operating pn.ssure of 2250 psia, the saturation concentration of hydrogen in water is over 10,000 cc/kg. Therefore, provided there is sufficient mixing, hydrogen gas will quickly go into solution in the primary coolant.
The second reason that this interaction is not a concem is that the maximum amount of hydrogen that can be injected is very small because the hydrogen line connects to a single bottle. Calculations performed show that one hydrogen bottle (6000 psi,550 scf STP) will increase the RCS concentration less than 25 cc/kg. In addition, the rate of addition has been selected to preclude undissolved hydrogen from entering the RCS primary loop.
Even in the unlikely event that undissolved hydrogen should enter the RCS via the purification return line, the turbulence of the RCP suction breaks up the hydrogen bubbles and causes them to go into solution.
The AP600 layout minimizes the potential for undissolved hydrogen to collect in the PRHR HX or CMT lines. Hydrogen enters the RCS via the purification retum line that connects to SG-1, the CMTs connect to the cold legs in the opposite loop. Therefore, undissolved hydrogen that entemd SG-1 would have to remain undissolved while travelling through the RCPs, through the RV, through the opposite SG and RCPs, and into the cold-leg balance lines to the CMT. This scenario is not credible.
For undissolved hydrogen to collect in the PRHR HX inlet, it would travel a similar path through the RCPs and RV, and into the PRHR HX inlet line. This is not considered to be a credible mechanism.
a626mw.non:ib-022096 2-13 REVISION: 0 1
i In addition, the design of the PRHR HX and CMT inlet piping have provisions to detect collections of noncondensible gasses in the high points of these lines. Each CMT inlet line as well as the PRHR HX f inlet line contain a collection standpipe that is instrumented with redundant level indication to alert the operator in the event that noncondensible gasses accumulate in the inlet of the line. Although this ,
condition is not expected, technical specifications require the operator to vent these lines should it ;
happen.
l A direct path to the PRHR HX inlet line could exist because the purification return line shares a connection with the PRHR HX retum line. The orientation of the purification return piping has been configured so that any undissolved hydrogen entering this line would flow into the SG instead of ~ '
going into the PRHR HX discharge piping. This line connects between the PRHR HX low point and !
the SG channel head so that undissolved hydrogen gas that entered the PRHR HX line would rise ;
directly into the SG. If the connection had been made upstream of the low point in this line, then
{'
hydrogen gas could migrate into ti.e PRHR HX discharge piping. Ultimately, this gas could then migrate through the heat exchanger (HX) and into the PRHR HX inlet piping. Therefore, the selected +
piping layout prevents this adverse interaction scenario.
I 2.2.8 Main Feedwater Pumps i
L As described in SSAR Sections 10.3 and 10.4.7, the main feedwater pumps supply the SGs with [
sufficient feedwater to meet the power generation steam flow rates. Feedwater flow to each SG is i controlled by feedwawr flow control valves that control the flow rate based on the water level in the l
SG. Although the operation of the main feedwater pumps during a plant transient is typically a benefit ;
for transients by providing a heat sink for the RCS, during certain transients or accidents, feedwater j
operation can result in an adverse system interaction by overcooling the RCS.
Continued operation of the main feedwater pumps following a reactor trip could lead to the 4
unnecessary actuation of an S-signal due to low cold-leg temperature. The AP600 prevents this s potential adverse system interaction as follows:
i a '
To prevent overcooling to the low T-cold setpoint the main feedwater flow control valves are closed on a low-l Tavg signal.
- a. To prevent overcooling to the low T-cold setpoint the feedwater pumps are tripped and the i main feedwater isolation valves are closed on a lower, low-2 Tavg signal. i This logic serves to avoid this potential adverse system interaction caused by the operation of the main i feedwater pumps. In addition, main feedwater is isolated on a high steam generator water level. This t precludes the possibility of overfilling a SG. Feedwater is also isolated on a safeguards actuation signal to mitigate mass and energy released following a steam line break. If this were not isolated, the t fluid entering the SGs would be boiled and released to containment, potentially overpressurizing containment.
mM=lN 2-14 REVISION: 0
2.2.9 Startup Feedwater Pumps I As described in SSAR subsection 10.4.9, the startup feedwater pumps are part of the main and startup feedwater system (FWS) and are shown in SSAR Figure 10.4.7-1. The startup feedwater pumps typically operate at no-load conditions when the main feedwater pumps are unavailable. The startup feedwater pumps can also operate during transient and accident events if the main feedwater pumps are lost.
- Startup feedwater (SFW) flow is automatically controlled and the pumps are automatically started on a low SG water level.
As mentioned above, feedwater is isolated on a safeguards signal to terminate mass and energy releases to containment on a steam line break. In addition, SFW is isolated on a low RCS cold leg temperature to prevent the need for operators to throttle SFW during accident events.
The operation of the startup feedwater pumps can interact with the operation of the PRHR HX and can also affect radioactivity released following a postulated SGTR event.
1 Startup Feedwater - Passive Residual Heat Removal Heat Exchanger On a loss-of-feedwater event, the SFW pumps would be actuated on low water level in either SG.
The SFW would automatically operate to maintain water level in the normal SG level span. If the levels in both SGs fall to below the low narrow range SG level setpoint, and the SFW flow is less than a set value, the PRHR HX will be actuated to cool the plant. If, however, the SFW pumps are :
delivering flow, then the PRHR HX is not actuated unless the level in either SG falls to below the low wide range level setpoint. This actuation logic provides the SFW pumps the opportunity to remove core decay heat and maintain an RCS heat sink by providing feed flow to one or both SGs. If SFW is unable to match decay heat, the SG water level will fall, and the PRHR HX will automatically be actuated to mitigate the event.
In the SSAR Chapter 15 accident analyses, no credit is taken for the SFW to feed the SGs and remove decay heat. Therefore, these events conservatively found loss-of-heat sink events where the SFW system operates and possibly delays PRHR HX actuation.
, Therefore, following a loss-of-feedwater to the SGs, operation of the SFW pumps prevents the unnecessary operation of the PRHR HX. This interaction is not considered adverse, but rather reflects the AP600 design philosophy of the defense-in-depth systems. If the nonsafety-related system is available, its operation can obviate the need for actuating the safety-related systems. If the nonsafety-related SFW pumps do not operate, the safety-related PRHR HX is automatically activated. In addition, the AP600 ERGS specify that PRHR HX termination criteria can not be met until the SFW pumps are operational and available, and water level in both SGs is recovered, thereby maintaining a heat sink for the RCS.
mA263ow non:lb-o.t2096 2-15 REVISION: 0
1 Startup Feedwater - Steam Generator Tube Rupture ;
During SGTR events, operation of SFW pumps can aggravate the event by filling the SGs, thus potentially causing a the SG PORVs and/or safety valves to lift, and bypassing the SG pressure boundary. Therefore, to preclude this possibility, the SFW flow is automatically isolated on a high SG water level from the protection and safety monitoring system (PMS). This safety-related function can be accomplished in accordance with single-failure criteria. .
i 2.2.10 Normal Residual Heat Removal System !
As described in SSAR subsection 5.4.7, the normal residual heat removal system (RNS) return line to j the RCS connects to each passive core cooling system (PXS) DVI line. This shared connection can result in interactions with the PXS as described below.
Normal Resident Heat Removal System - Core Makeup Tank During the recosery from a loss-of-coolant accident, the operators are instructed to align the RNS l'
pumps to inject from the IRWST to the RCS via the DVI lines if the CMT water level begins to decrease. Operation in this mode provides additional injection flow to the RCS, thereby providing additional core cooling margin.
I Furthermore, for small break LOCAs or in cases of spurious ADS operation, the operation of the RNS pumps in this mode can prevent the ADS-4 valves from actuating. This occurs because the RNS pumps incresse the backpressure on the CMTs and prevent the CMTs from draining to the ADS-4 actuation setpoint, thereby preventing the ADS-4 valves that are connected to the hot legs from opening and flooding the loop compartments. Operation of the RNS pumps will refill the RCS and recover the water level in the pressurizer.
I This interaction is beneficial because it minimizes the consequences of a spurious ADS or a small l LOCA without jeopardizing the safety of the plant. If the event is not a spurious ADS or a small LOCA, but is a larger break, the capacity of the RNS pumps will not be sufficient to prevent the i CMTs from draining, and subsequent ADS-4 actuation. Its operation will then only provide additional safety injection and core cooling. Operation of the RNS pumps is not credited in the SSAR -
Chapter 15 accident analyses, but is modeled in the PRA.
Normal Residual Heat Removal System - In-Containment Residual Water Storage Tanks !
As described previously, the RNS pumps can be aligned to inject water from the IRWST into the RCS via the DVI lines. This capability provides additional core cooling and adds to the overall reliability of the AP600 ms63ownon:it,-022096 I 2-16 REVISION: 0 i
. - . - - . . - ,. - - . - . . _ _ _ - - - - - - ~ _
i i
l During loss-of-coolant accident (LOCA) events, continued long. term operation of the RNS pumps could potentially cause the IRWST to drain at a faster rate than if the RNS pumps were not operating.
This is not a concern as long as the RNS pumps continue to operate. However, if the RNS pumps were to fail, the available gravity head for safety injection (either via the IRWST or via the containment recirculation path) could be less than would have been available if the pumps had not operated at all. Design calculations performed have verified that the venting capacity of the ADS
, assuming the worst single failure is sufficient to provide adequate containment recirculation flow in the most limiting scenario where the RNS pumps operate and subsequently fail. Therefore, this potential 3
adverse system interaction does not impact plant safety.
1 j 2.2.11 Steam Generator Blowdown Steam generator blowdown from the secondary side of each steam generator is provided to help control secondary side water chemistry. This continuous blowdown is normally routed to the i
condenser, but can also be discharged from the plant via the waste water system. There are two j potential adverse system interactions involving steam generator blowdown, f
9 Steam generator blowdown during a loss of heat sink event (such as loss of feedwater or feedwater line breaks) will decrease the available RCS heat sink. The PRHR HX is designed to mitigate these i
loss of heat sink events. The PRHR HX performance requirements are determined assuming a
- . minimum initial steam generator water inventory. Analysis provided in the SSAR takes credit for the i secondary side inventory available in the steam generator. A significant reduction in steam generator inventory would reduce the available heat sink for these events.
l j Another potential adverse interaction associated with blowdown is related to off-site doses during an SGTR event. For these events, SG blowdown could cause an increase in radioactive releases ersulting i from the tube rupture.
i The AP600 has addressed these potential interactions by providing safety-related isolation of the steam generator blowdown lines on safety-related signals including low steam generator water level, PRHR actuation, and containment isolation as well as indication of high blowdown temperature, pressure, or radiation. These signals protect the steam generator water inventory as a heat sink, and prevents the
, potential release of radioactivity via the blowdown line during tube rupture events.
2.2.12 Contalament Fan Coolers he AP600 containment fan coolers provide containment cooling during normal operations. A potential adverse system interaction was postulated regarding the ability of the fan coolers, acting in conjunction with the safety-related passive containment cooling system (PCS) to reduce the containment pressure and challenge the integrity of the containment structure. De results of the extemal pressure analysis (SSAR subsection 6.2.1.1.4) shows that a loss of all ac power sources during extreme cold ambient conditions has the potential for creating the most limiting external pressure load ,
l m:u63owmon:iba22096 2-17 REVISION: 0
I I
on the containment vessel. Operation of the containment fan coolers is not assumed for the following reasons:
The loss of ac power prevents the fan coolers from operating. :
The low ambient temperatures (-40 F) and high containment temperature (120 F) can only .
occur if the fan coolers are aligned to the hot water system for the purposes of heating the , l containment; therefore their operation in this alignment would add heat to the containment, and would result in a less severe containment temperature and pressure reduction.
i Derefore, adverse system interactions involving the containment fan coolers and the PCS are bounded ;
by the extemal pressure scenario described above.
2.2.13 Plant Control System k The AP600 plant control system (PLS) provides for the control and operation of the nonsafety-related systems. Therefore, numerous interactions between safety-related and nonsafety-related systems as a result of the normal and abnormal operations of the PLS must be considered in the Chapter 15 SSAR '
analyses.
j 1
A systematic review of the Chapter 15 design basis analyses (Sections 15.1 through 15.6) has been '
performed to determine the treatment of the most relevant nonsafety-related systems for each event.
Table 2-2 presents the results of this systematic review in a matrix format. In the left hand column.,
each Chapter 15 event is listed; along the top, each nonsafety-related system is listed. - An "a" :
indicates that the nonsafety-related system was assumed operable in the analysis of that event. An "n" :
indicates that the nonsafety-related system was not assumed. Table 2-2.a provides the rationale behind the decisions to assume nonsafety-related systems available. Table 2-2.n provides the rationale behind the decisions not to assume the nonsafety-related systems available.
mA2630w.non:Ib422096 2-18 REVISION: 0
l l
i TABLE =
MATRIX
SUMMARY
OF RELEVANT NONSACd l
Main Sta$
Feedwater Main Feeds SSAR Chapter 15 Control Feedwater Cod Event System Pump Trip SM 15.1.1 Feedwater System Malfunctions That Result in an increase in Feedwater Temperature Bounded by increase in feedwad 15.1.2 Feedwater System Malfunctions That Result in an increase in Feedwater Flow n.2 a.5 d 15.1.3 Excessive Increase in Secondary Steam Flow a.2 n.10 d 15.1.4 Inadvertent Opening of a Steam Generator Relief or Safety Valve a.2 n.10 s 15.1.5 Steam System Piping Failure a.2 n.10 t 15.1.6 Inadvertent Operation of the Passive Residual Heat Removal System a.2 n.10 h 15.2.1 Steam Pressure Regulator Malfunction or Failure that Results in Decreasing Steam Flow There are no steam pressure red 15.2.2 Loss of External Electrical Load Bounded by turbine trip event (!
15.2.3 Turbine Trip n.15 n.15 .d I
15.2.4 Inadvertent Closure of the Main Steam Line Isolation Valves Bounded by turbine trip eventf 15.2.5 Loss of Condenser Vacuum and Other Events Resulting in Turbine Trip Bounded by turbine trip event (;
15.2.6 Loss of AC Power to Plant Auxiliaries n.2 n.15 nd 15.2.7 Loss of Normal Feedwater ANGTEC n.2 n.15 ni APERTURE 15.2.8 Feedwater System Pipe Break -
UAHD n.i6 n. i6 n:
15.3.1 Partial Loss of Forced Reactor Coolant Flow UDIO 00 a.2 n.15 a Apenure Card 15.3.2 Complete Loss of Reactor Coolant Flow a.2 n.15 n 15.3.3 Reactor Coolant Pump Shaft Seizure (Locked Rotor) a.2 n.15 ru 15.3.4 Reactor Coolant Pump Shaft Break Bounded by locked rotor event 15.4.1 Uncontrolled RCCA Bank Withdrawal from a Suberitical or Low-Power Startup Condition Thermal-hydraulic codes not u%
then DNBR is calculated.
mi2630.non.lbw22096
t Y RELATED SYSTEMS' ASSUMPTIONS Chemical ip and Automatic Turbine Main Steam
.ter Volume Pressurizer Rod Stop and Branch of Control Pressurizer Pressurizer Heater Steam Control Control Isolation SG J System Sprays Heaters Block Dump System Valves Valves PORVs flow event (Section 15.1.2) and increase in secondary steam flow event (Section 15.1.3).
n.5 a.8 n.9 n. I 1 n.5 a.1 a.5 a.5 n.5 n.5 a.8 n.9 n.11 a.3 a.6 n.5 n.5 n.5 n.12 n.5 n.9 n.1 I n.5 n.13 a.5 a.5 a.3 n.12 n.5 n.9 n.1 I n.5 n.13 a.5 a.5 n.5 n.12 a.8 n.9 n. I 1 n.5 n.1 n.5 n.5 n.5 i
p.s in the AP600 whose failure or malfunction cause a steamflow transient.
l etion 15.2.3) l n.5 a.6 n.25 n. I 1 n.4 n.7 a.3 a.4 n.4 ption 15.2.3) ction 15.2.3) n.2 n.2 n.2 n. I 1 n.2 n.2 a.4 a.4 n.2
{ n.3 a.1 n.6 a.5 n.4 n.7 a.4 a.4 n.4 l
n.3 n.I8 n. I 7 n.1 I n.4 n.7 a.4 a.4 n.4 n.5 n.19 n.19 n.11 n.4 n.7 a.4 a.4 n.4 n.5 n.19 n.19 n.11 n.4 n.7 a.4 a.4 n.4 l n.5 n.19 n.19 n.11 n.4 n.7 a.4 a.4 n.4 mion 15.3.3) to analyre plant transient response. Core nuclear power transient and core heat flux transient are calculated, toD'6' o21 1 0, REVISION: 0 2-19
TABLE 2-2 MATRIX
SUMMARY
OF RELEVANT NONSA Main 5 Feedwater Main Fe, SSAR Chapter 15 Control Feedwater (
Event System Pump Trip b 15.4.1 Uncontrolled RCCA Bank Withdrawal from a Suberitical or Low-Power Startup Condition Thermal-hydraulic codes not then DNBR is calculated.
15.4.2 Uncontrolled RCCA Bank Withdrawal at Power Mbbb a.2 n.10 APFRTi me 15.4.3 One or more dropped RCCAs (same group)
CARD a.2 n.i0 15.4.3 . Statically misaligned RCCA Thermal-bydraulic codes not l AISO AvaHah!O 00
. Withdrawal of a Single RCCA A P0ftu ro C ard (and/or number of rods in Db 15.4.4 Startup of an inactive Reactor Coolant Loop at an Incorrect Temperature a.2 n.10 15.4.5 A malfunction or Failure of the Flow Controller in a BWR Reactor Loop Does not apply to AP600.
I 15.4.6 CVS Malfunction 'Ihat Results in a Decrease in the RCS Boron Concentration Inadvertent boron dilution ev.
Inadvertent boron dilution evt Following reactor trip, autom.
15.4.7 Inadvertent Loading and Operation of a Fuel Assembly in an Improper Position Thermal hydraulic codes not ;
30 percent rated thermal pow 15.4.8 Spectrum of RCCA Ejection Accidents Thermal-hydraulic codes not ;
over which the core response 15.5.1 Inadvertent Operation of the Core Makeup Tanks During Power Operation a.2 n.10 15.5.2 CVS Malfunction That Increases Reactor Coolant Inventory a.2 n.10 15.5.3 BWR Transients Does not apply to AP600.
15.6.1 Inadvertent Opening of a Pressurizer Safety Valve or Inadvertent Operation of the ADS a.2 n.10 15.6.2 Failure of a Small Lines Carrying Primary Coolant Outside Containment Thermal-hydraulic codes not :
This is a non-limiting primary 15.6.3 Steam Generator Tube Rupture (for offsite doses) a.2 n.10 15.6.3 Steam Generator Tube Rupture (for SG overfill) a.2 n.10 15.6.4 Spectrum of BWR Steam System Piping Failures Outside of Containment Does not apply to AP600.
15.6.5 Small Break LOCA a.2 n.10 Large Break LOCA mV630 non:lb\022096 e- %
Continued)
ETY-RELATED SYSTEMS' ASSUMITIONS Cbeanical artup and .
Main Stenen dwiter Voluaie .
Pressuriser Autonistic Turbine Stop Branch merel Control Pressuriser Pressuriser Hester Steam Rod Control and Control Isolation SG rates Systeen Sprays Heaters Block Dunip System Valves - Valves PORVs sed to analyn plant transient response. Core nuclear power transient and core heat flux transient are cc.lculated, n.5 n.5 a.8 n.9 n.11 n.4 n.7 a.4 a.4 n.4 n.5 n.5 a.8 n.9 n.11 n.4 n.7 a.4 a.4 n.4 sed to analym plant transient response. Steady-state power distributions are used to calculate minimum DNBR B).
n.5 n.5 n.5 n.9 n.11 n.4 n.7 a.4 a.4 n.4 nts are prevented during refueling and automatically terminated during cold shutdown, hot shutdown, and hot standby modes.
nts during start-up or power operation, if not detected and tenninated by the operators, result in an automatic reactor trip.
de termination of the dilution occurs and any post-trip return to criticality is prevented.
sed to analyn plant transient response. Steady-state power distributions in the x-y pane of the core are calculated at i r insing a two-dimensional few group diffusion code.
sed to analyn plant transient response. The operation of non-safety-related systems have little effect on this <3 second transient is c.ntlyzed.
n.14 n.3 n.18 n.6 a.5 n.4 n.8 a.4 a.4 n.4 n.1 a.3 n.1 n.6 a.5 n.4 n.1 a.4 a.4 n.4 n.5 n.20 n.5 n.9 n.11 n.4 n.7 a.4 a.4 n.4 sed to antlyn plant transient response. Offsite doses are calculated based on break flow isolation after 30 minutes.
system transient.
n.21 a.9 - n.5 a.9 a.5 n.22 n.23 a.5 a.5 a.10 a11 a.9 n.5 a.9 a.5 n.24 n.23 a.5 a.5 a.10 n.5 n.20 n.5 n.6 n.11 n.4 n.7 a.4 a.4 n.4 REVISION: 0 2 21 .. .
LEGEND FOR TABLE 2 2 a = nonsafety-related system assumed available in safety analysis a.1 Sensitivity studies were performed and showed that operation of this non-safety system results !
, in a more limiting transient.
^
a.2 Nonsafety-related system operation is assumed because a detectable and non-consequential random, independent failure must occur in order to disable the system. t a.3 Spurious operation of this non-safety-related system is the initiating event.
a.4 Steam generators are conservatively assumed to be bottled up to maximize their stored energy and minimize their heat removal capability Only safety-related SG safety valves are assumed for steam relief after reactor trip.
a.5 Nonsafety-related equipment credited as backup protection. Equipment is included in the in-service testing (IST) program.
a.6 Cases with and without this non-safety-related system are preented in SSAR.
a.7 Startup feedwater increases secondary side heat removal capability and worsens the severity of a cooldown event.
a.8 Nonsafety-related system operation is assumed, because it reduces primary system pressure and thereby minimizes the calculated values of DNBR.
a.9 Nonsafety-related equipment which maintains primary pressure is conservatively assumed for the SGTR event in order to maximize break flow, a.10 Assuming'the SG PORVs to be operable results in a higher primary-secondary AT, which maximizes break flow during the SGTR event.
l a.11 Maximum startup feedwater is assumed to add inventory to the SGs and reduce steaming; both of these effects minimize margin to SG overfill.
m:u63owmon:ib-a:2096 2-23 REVISION: 0
- . . - - . _ - . - - - - - - . . - - - - . _ . - ~ . - .. .. _ ... - . -
LEGEND FOR TABLE 2 2 (Continued)
L a = nonsaferv-related system not assumed available in safety analysis n.1 Sensitivity studies were performed and showed that operation of this non-safety system results !
in a less limiting transient. ~
t n.2 Not available as a consequence of the initiating event.
n.3 Isolated on an S-signal coincident with high pressurizer level of 30% span. CVS contribution only significant during post S-signal portion of transient. ,
n.4 Steam generators are conservatively assumed to be bottled up to maximize their stored energy and minimize their heat removal capability. Only safety-related SG safety valves are assumed ;
for steam relief after reactor trip. ,
n.5 Not actuated during transient.
n.6 The pressurizer heaters are blocked on an S-signal. Heaters contribution only significant during I
post "S"-signal portion of transient. '
n.7 Provides additional shutdown prior to reactor trip. ,
n.8 Reactor is tripped on S-signal at initiation of event.
n.9 It is conservative to neglect heat addition from pressurizer heaters; this reduces primary system l pressure and thereby minimizes the calculated values of DNBR.
n.10 Redundant safety-related functions are available for MFW isolation without MFW pump trip.
n.11 Pressurizer heater block is met since heater operation is not assumed.
- t i
l n.12 _ CVS is not credited. Shutdown is accomplished via the passive, safety-related core makeup j tanks. '
i 1
n.13 Analysis performed at HZP. Reactor is in manual rod control at HZP.
i n.14 Startup feedwater is not credited to minimize secondary side heat removal capability. ;
l t
i m:u630w.non: ibm 2096 2-24 REVISION: 0
LEGEND FOR TABLE 2 2 (Continued) l n = nonsafety-related system not assumed available in safety analysis n.15 Non necessary to assume nonsafety-related MFW pump trip. MFW is assumed to be lost at the time of event initiation; this minimizes the secondary side heat removal capability.
n.16 MFW is assumed to spill out the break.
n.17 It is conservative to neglect heat addition from pressurizer heaters; heaters maintain primary system pressure and margin to saturation.
n.18 The pressurizer sprays are disabled when the RCPs trip. RCPs are tripped upon receipt ,
of an S-signal. Sprays contribution only significant during post S-signal portion of transient.
n.19 Pressurizer pressure control systems not assumed for transient analysis. A conservatively low initial pressurizer pressure is transmitted with statepoints used for steady-state DNBR calculations.
n.20 It is conservative to neglect the make-up capability of the CVS for this decrease in reactor coolant inventory event.
n.21 Startup feedwater is not credited to maximize the amount of steaming and offsite doses released during the SGTR event.
n.22 'Ihe steam dump system is assumed to be inoperable; this maximizes the amount of steam released through the SG PORVs to the atmosphere.
I n.23 As a result of an SGTR, primary pressure decreases until the low pressurizer pressure i
reactor trip signal is reached. No siFnificant power excursion occurs during the initial l
part of the transient, so the operability of the automatic rod control system has a negligible effect on the transient. l I
n.24 The steam dump system is assumed to be inoperable; this reduces the ability of the SGs to cool down the primary and reduces the amount of steam inventory leaving the SGs, both of these effects minimize the margin to SG overfill.
3 n.25 Pressurizer heaters have a negligible effect on the peak pressure which occurs within 11 seconds of the transient initiation.
m:u630w.non:Ib.022096 2-25 REVISION: 0
i i
2.2.14 Liquid Waste Processing System As described in SSAR Section 11.2, the liquid waste processing system (WLS) collects and processes radioactive waste from the RCS. These effluents are generated from RCS borations and dilutions, RCS sampling, RCS loop draining, and components including vessel and RCP flange leakoffs, safety l valve leakage, and ADS valve leakage. Leakage from the ADS valves is collected and routed to the l
WLS reactor coolant drain tank (RCDT). The 1-inch drain line from the ADS valve discharge header .
to the RCDT contains a remotely-operated valve that closes on a safeguards actuation signal or on high RCDT tank pressure. The purpose of this isolation valve is to prevent ADS operation from overpressurizing the RCDT. This isolation function is not safety-related, but is provided for ~
equipment protection.
An adverse system interaction could occur if the isolation valve (RCS-V241) failed to close on demand prior to ADS operation. Actuation of the ADS valves connected to the pressurizer could cause the drain line to become pressurized and lift the relief valve on the RCDT, and/or damage the tank due to excessive pressurization. However, this is not a safety concern because of the following:
The ADS function of depressurizing the RCS is not degraded; the total ADS flow would actually be slightly increased due to the increased flow area.
The drain line is small (1-inch) and the amount of ADS flow that could be diverted from the I IRWST to the RCDT is minimal; therefore the impact to the IRWST injection driving head is negligible.
The ADS flow that is diverted from the IRWST is discharged to the RCDT (volume -
900 gallons). If the RCDT relief valve opens, the ADS flow is diverted to the containment sump that eventually floods up for long-term containment recirculation. The maximum amount of inventory that could be lost from the volume that provides containment recirculation is 900 gallons, which is negligible.
Therefore, this potential adverse system interaction involving the RCDT does not affect the overall safety of the AP600
. 1 2.2.15 Liquid Weste Processing System Containment Sump Pumps l
As discussed in SSAR Section 11.2, the WLS contains two redundant containment sump pumps that automatically operate to pump out the contents of the containment sump to the WLS effluent holdup tanks for processing. As these pumps operate automatically on sump water level, their operation during a loss-of-coolant accident (LOCA) could result in a containment bypass scenario. Their operation could diminish the coolant inventory available to flood the containment and provide j long-term, post-accident containment recirculation. To avoid this interaction, the containment sump pumps' discharge line is automatically isolated on a containment isolation signal. A containment i m:u63ow.non:1b-022096 2-26 REVISION: 0
isolation signal will result from a safeguards actuation signal that actuates the core makeup tanks (CMTs) and passive residual heat removal heat exchanger (PRHR HX). Therefore, this potential adverse system interaction is avoided for the AP600.
2.2.16 In-Containment Refueling Water Storage Tank Gutter l
l
, As discussed in SSAR subsection 6.3.2.1.1, the PXS contains an IRWST gutter that functions to retum condensate that collects on the containment shell. During normal power operations, this gutter directs the condensate collected to the containment sump for inclusion in the measurement of RCS leakage. l Following actuation of the PRHR HX, the gutter is aligned to direct the condensate to the IRWST, to sustain a heat sink for the PRHR HX for a very long time. Even without recovery of the condensate from the IRWST gutter, the IRWST inventory is sufficient to provide a heat sink for the PRHR HX for 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />.
The IRWST gutter is nonsafety-related, therefore no credit for condensate return via the gutter is taken in the SSAR Chapter 15 design basis accident analyses.
2.2.17 Component Cooling Water System The AP600 component cooling water system (CCS) is a nonsafety-related system and is described in SSAR subsection 9.2.2. It performs no safety-related functions with the exception of the containment boundary isolation. The CCS provides component cooling water to various components on the nuclear island including the reactor coolant pumps (RCPs). An adverse system interaction associated with the CCS and the RCS results from the failure of the CCS to supply cooling water to the RCPs.
If component cooling water were lost to any RCP, the RCP bearing water temperature would increase, eventually leading to a failure of the RCP. The worst pump failure postulated would be an RCP locked rotor, which is evaluated in the SSAR Chapter 15 accident analyses (see SSAR 4
subsection 15.3.3).
Since the CCS supplies each RCP with cooling water, a complete loss of CCS could lead to multiple RCP failures including multiple locked rotor scenarios. To preclude this possibility, the AP600
, , protection and safety monitoring system (PMS) (see SSAR Chapter 7) has incorporated automatic features to trip the reactor on a high bearing water temperature in any RCP. Each RCP has four safety-related temperature sensors that measure bearing water temperature. They provide a signal to the PMS (on a two-out-of-four voting logic) to trip the reactor on high temperature. They also provide a signal to trip the affected RCP after the reactor has been tripped.
2.2.18 Primary Sampling System The primary sampling system (PSS) is connected to the primary system and provides normal and post-accident sampling of the RCS, PXS and containment as required (see SSAR subsection 9.3.3). 'lle m:u630w.non:Ib-022096 2-27 REVISION: 0
system is connected to the RCS and penetrates the containment boundary. It represents, therefore, a potential containment bypass path that could lead to a loss of reactor coolant and/or containment recirculation fluid outside containment.-
To preclude potential containment bypass scenarios post-accident, the PSS sample lines that penetrate containment are automatically isolated on a containment isolation signal. These lines would be manually re-opened eight hours post-accident to permit the post-accident sampling required (see SSAR .
subsection 9.3.3.1.2.2). The sampling volumes taken at this time are very small and would not impact the volumes of reactor coolant and containment recirculation fluid necessary to maintain long-term
~
containment recirculation. Therefore, adverse system interactions associated with the primary sampling l system are avoided.
2.2.19 Spent Fuel Pool Cooling System The AP600 spent fuel pool cooling system (SFS) is a nonsafety-nlated system and is described in l SSAR subsection 9.1.3. It performs no active safety-related functions with the exception of the 3
containment boundary isolation. It also provides a safety-related path for long-term (post-72 hours) l '
spent fuel pool makeup in the event of a loss-of-spent fuel pool cooling. The SFS functions to provide cooling of the spent fuel pool during all modes of operation. The safety-related means of t cooling the spent fuel is provided by the inventory of water in the spent fuel pool. To achieve this, the spent fuel pool itself is safety-related and is seismic category I. The SFS can also function to purify the refueling water when it is in the IRWST (during power operation), and when it is in the 3 refueling cavity (during refueling operations). It also functions to transfer the refueling water between ;
the IRWST and the refueling cavity to facilitate refueling operations.
i ;
The SFS is shown in SSAR Figure 9.1-8. Due to the various interconnections of the nonsafety-related SFS to the various safety-related pools and tanks (spent fuel pool, IRWST, refueling cavity), special ;
} design considerations have been incorporated to preclude adverse system interactions involving the SFS. These design considerations are discussed in the following paragraphs.
i '
The spent fuel pool is designed to provide the safety-related means of spent fuel pool cooling. The SFS connections to the spent fuel pool are located at an elevation sufficient to maintain spent fuel cooling and prevent uncovery of the spent fuel for at least 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> following the loss-of-spent fuel .
pool cooling. SSAR Table 9.1-4 provides the times before boiling would occur and minimum fuel pool inventory for various postulated loss-of-spent fuel pool cooling scenarios. These scenarios include ones where the initial fuel pool inventory is reduced to the level of the SFS connection ;
) immediately prior to the loss-of-fuel pool cooling that could occur if the SFS line to the fuel pool was severed.
'Ihe SFS connection to the spent fuel pool is located 4 feet below the normal water level in the pool.
As discussed in SSAR subsection 9.3.6, the CVS makeup pumps can also take suction from the SFS as a backup emergency boration water source. To preclude adverse system interactions involving the mr63ow.non:ite.2096 2-28 REVISION: 0
l CVS and the SFS, the CVS connection to the spent fuel pool is located 2 feet below the normal water level in the pool, and 2 feet above the SFS connection. Therefore, CVS operation cannot drain the spent fuel pool, which could result in a loss of normal fuel pool cooling.
i l The SFS also contains connections to the IRWST to transfer refueling water to the refueling cavity.
These lines are safety-related and are administratively controlled to prevent inadvenent draining of the
, IRWST. IRWST level is monitored and is included in the AP600 technical specifications (SSAR Chapter 16, subsection 3.5.4). In the event of the mispositioning of the manual valves that connect the IRWST to the refueling cavity, the administratively controlled drain of the refueling cavity, aligned to the containment sump during power operations, would cause the IRWST to drain to the containment sump. This prevents the IRWST inventory from being lost (that is, held-up) in the refueling cavity, !
causing it to be unavailable for post-accident contaimnent recirculation.
The SFS contains a line that connects the IRWST and the refueling cavity to the SFS pumps and therefore penetrates the containment boundary. The containment isolation valves close automatically on a containment isolation signal to preclude the possibility of draining the IRWST during an accident.
These valves also close on a low spent fuel pool level to pn:clude the possibility of draining the refueling cavity and/or spent fuel pool during refueling operations.
De SFS also contains a connection to the bottom of the fuel transfer canal to permit draining of the canal for maintenance operations. This line is safety-related and seismic category I up to and including the normally closed manual isolation valve (SFS-V040). This valve is administratively locked-closed to ensure that inadvertent draining of the spent fuel pool cannot occur. It is opened only when the gate between the fuel transfer canal and the spent fuel pool is closed, thereby preventing its opening from draining the spent fuel pool. !
Dese design features have been incorporated to avoid potential adverse system interactions involving the SFS and the safety-related pools and tanks that it services.
1 2.2.20 Habitability Systems SSAR Section 6.4 discusses the design of the AP600 habitability systems, including the nuclear island i
, non-radioactive ventilations system (VBS) and the main control room emergency habitability system l (VES). The VBS provides main control room (MCR) HVAC during all normal and abnormal j conditions with the exceptions of a loss-of-all ac power, and for conditions of high radioactivity in the
{
MCR. The VES provides safety-related HVAC for the MCR in the event of a loss-of-ac power or !
high radioactivity in the MCR. Adverse system interactions between these systems is avoided by ;
segregating the operation of the two systems. Funhermore, the nonsafety-related VBS has safety-related isolation upon actuation of the VES, as described in SSAR Section 6.4.
mA263ow.noo:1t>eo96 2-29 REVISION: 0
r l
l l
2.3 Passive - Passive Interactions This section discusses the various interactions, including the adverse systems interactions, associated with the operation of passive safety-related systems and components. Also described are the passive L
safety-related ' system and component operations and their effect on the operations and performance of other passive safety-related features.
t l Interactions between the following passive safety-related systems and components are included in this l evaluation of adverse system interactions:
- j. Passive core cooling system l -
Core makeup tanks (CMTs)
Accumulators In-containment refueling water storage tank (IRWST) l-Containment recirculation Passive residual heat removal heat exchanger (PRHR HX)
Automatic depressurization system (ADS) valves Passive containment cooling system (PCS)/ Containment Main control room habitability system
= Steam generator system (SGS) l
=
l Reactor coolant system (RCS)
The reactor coolant and steam generator systems are also included in the list of passive safety-related components that must perform safety-related functions. The functions for these two systems are
_ primarily related to maintaining sufficient system integrity to support the passive injection and core cooling mechanisms.
The RCS includes interactions with both the reactor core and the RCS pressure boundary. The RCS must provide the following important flow paths to support safety injection and core decay heat removal after any accident:
~
l Injection from the various passive injection sources such as CMTs, accumulators, the IRWST, and containment recirculation. .
Natural circulation heat transfer of both decay heat from the core and sensible heat from the system components for safety-related heat removal by the PRHR HX or nonsafety-related heat removal by the steam generators.
Steam venting through the ADS valves in the pressurizer and the hot legs.
The steam generators (SGs) are also discussed as part of this evaluation for two important interactions.
'Ihey pe: form a safety-related function to maintain RCS integrity, which is lost following a steam m:u63ow.non:nm2096 2-30 REVISION: 0 l
generator tube rupture event (SGTR). They also impact the reactor coolant system heat removal processes. Following events where heat removal is provided by the passive safety-related systems only, the steam generators and the secondary side water inventory can provide heat input to the reactor coolant system (RCS). However, the heat input becomes less significant to the RCS for those events where there is reduced RCS flow or significant voiding of the RCS and the heat transfer is through vapor on the primary side of the steam generator. The SGS secondary system integrity is also
- important since a loss of this pressure boundary can release steam to containment, thereby affecting
!, containment pressure and passive decay heat removal.
d J -
The interactions between the various passive components and the PCS also directly affect the containment since steam generation following an event results in an increase in containment pressure l
that can challenge containment integrity. In addition, actuation of the PCS removes ste an from the l l containment atmosphere and results in condensate formation on the inside of the containment vessel I
shell, which drains back to either the IRWST or the containment recirculation aren, depending on the i status of the condensate return isolation valves. Therefore, in the following discussions, the I interactions between the various components and the PCS also implicitly address the containment and containment integrity. 'Ihere is one important difference in the interactions between the safety-related passive components and containment that is different from the interaction with containment and nonsafety-related systems and components. The passive components are generally located within containment and do not have containment penetration.:, while the nonsafety-related systems generally
! penetrate containment and have containment isolation valves in their process lines. Therefore, the l passive component interaction discussions focus primarily on how the passive components impact l containment pressure, which could challenge containment integrity, and the related actuation of PCS
! that mitigates the pressure transients and provides long term decay heat removal.
Approach 3
This section includes a discussion on the interactions for each combination of the passive systems and components listed above. Each section briefly describes the various interactions between the specific j components, including how the first component affects the second one, and vice versa. The
- )
discussions in each section identify the important interactions and any adverse interactions, and confirm that any adverse interactions have been identified, addressed, and evaluated as part of the
, , plant design process, through the various design, analysis, and testing mechanisms discussed later. :
l There are three principal types of component interactions that have been considered in completing this j evaluation:
1 Process fluid interactions that include the design interactions expected between the various passive components, such steam discharged from the ADS sparger and the water in the
, IRWST that is used to quench this steam.
mA263ow.non:ib4n2096 2-31 REVISION: O
1 I
i .
Actuation interactions, such as the CMT low level actuating the fourth stage ADS valves and the IRWST discharge isolation (explosive) valves.
9 Other physical interactions that may not normally be expected, such as the IRWST inventory I flooding the CMT compartment and cooling the CMT that may be at high temperatures following recirculation operation.
?
' In each discussion, the most important interactions are identified. The important interactions for each of the components are generally related to the specific safety-related functions that the component was i designed to perform. ~
1' The less important interactions ara beluded in the discussions for completeness, but they are not i significant in comparison to the impoitant interactions. These other interactions are considered as secondary interactions, not important o the safety-related passive systems for several different reasons, which could include any of the following:
]
There may be no physical interaction between the specific passive system components, rendering the components essentially unrelated.
9
=
There may be some interactions between the components, but the effects of these interactions are second-order, i
The operation of the first component may affect the second component, but when the interaction occurs, the operation of the second component is not important for accident !
mitigation.
I
- The following examples help to clarify the distinction in interactions between the safety-related passive ;
components.
The following is an example of an important system interaction:
- The ADS has an important impact on the IRWST, significantly affecting the tank temperature once ADS actuates. The water temperature primarily affects the IRWST quenching capability, .
although it is a consideration for both the water injection temperature and the PRHR HX heat 4
sink temperature. In an opposite sense, the IRWST level and water temperature have an important impact on ADS, affecting the tank's ability to quench the ADS steam discharge and ;
i the ADS (stages one to three) backpressure due to the ADS sparger submergence in the IRWST.
W i
i m:u630. man:tb422096 2-32 REVISION: 0
The following is an example of a secondary interaction:
The ADS impact on the PRHR HX heat removal capability when the IRWST heats up appears to be important. However, this is a secondary interaction since ADS heat removal is much more important than PRHR HX heat removal for events where ADS occurs. In this case, there are interactions between these two components, but they are not considered important.
, Another second-order effect is the impact of the higher temperature water on the IRWST gravity injection.
The following is an example of two components that do not interact:
The effect of ADS operation on the main control room habitability system is insignificant since their operations are not related. The habitability system actuates on high radiation, which requires significant multiple failures of various safety-related passive systems to cause radiation levels that would actuate this system. Therefore, this system is not significantly impacted by any other single passive, safety-related system component, and is expected to only be a concem following a severe accident.
2.3.1 Core Makeup Tanks 2.3.1.1 Core Makeup Tanks - Accumulators The core makeup tanks and accumulators are both designed as safety injection sources to maintain !
inventory for the reactor coolant system, but they have different safety injection functions, as discussed in Section 6.3 of the AP600 Standard Safety Analysis Report (SSAR). Their injection capabilities complement each other and they are designed to interact with each other since each core makeup tank shares a common direct vessel injection line with an accumulator. The general design philosophy for safety injection following an event is that the CMTs can inject at full RCS pressure, followed by the accumulators (at lower pressures), the IRWST (at very low pressures), and finally by containment recirculation as the reactor coolant system depressurization continues and containment floodup progresses.
, The CMTs, which are designed to provide safety injection to maintain RCS inventory at the existing RCS pressure, preclude the need for accumulators for most non-LOCA events except main steam line breaks, where the resulting cooldown of the reactor coolant system (RCS) reduces system pressure below the accumulator pressure. The accumulators are designed to provide rapid reflood and refilling of the reactor vessel following larger LOCA events. I One specific interaction is relatively important in the design of these two components. The accumulator injection stalls CMT injection (as described below), which reduces the CMT injection water that is lost out the break early in the event when pressure is higher. This additional CMT water is then available after the accumulator injection ends, extending the duration of CMT injection and ms63ow.non:itm2096 2-33 REVISION: 0
-. - . - _ . - ~ - - - _ .. . _ . - - - .. - - - - - - _ - -
l delaying the actuation of ADS depressurization. For non-LOCA events, ADS is not expected and, therefore, accumulator actuation is also not expected, except as noted above. ,
During the injection phase for LOCAs with a break size about 2 inches or greater, the accumulator injection flow stalls the CMT injection flow due to the higher driving head available to the accumulators when the reactor coolant system pressure decreases significantly below the static accumulator pressure. This phenomena can be seen in the analysis of an inadvertent ADS actuation . ,
provided in Rev. O of the AP600 SSAR. As discussed in SSAR subsection 15.6.5, CMT recirculation f
begins immediately upon actuation of the CMTs. Maximum CMT injection occurs approximately '
~
500 seconds into the event, and slowly decreases until approximately 1000 seconds. During this time, the RCS pressure is slowly reduced to the operating pressure of the accumulators, and they begin to -
inject.
At approximately 1000 seconds, the second stage ADS valves are actuated, and the RCS pressure is significantly reduced. At this point, the accumulator flow is si;;nificantly increased, thus effectively shutting off CMT flow. This lasts until the accumulators empty, and CMT injection flow begins again
(~1300 seconds).
The potential benefits of this interaction were identified early in the system design process before the safety analyses were performed, and this interaction has been evaluated in the SSAR analyses provided ,
in Chapter 15, and in the Oregon State University and SPES-2 tests.
The potentially adverse interaction between the accumulator nitrogen and the CMT is insignificant.
Nitrogen cannot be discharged from the accumulators until the RCS is almost fully depressurized to ;
less than about 100 psig. Accumulator nitrogen interactions are not important to CMT operation in ;
this plant condition due to either the timing or volume of the nitrogen release. The Oregon State University and SPES-2 test results confirm this conclusion. Operator action can be taken to isolate the +
accumulator by closing the motor-operated discharge isolation valve after the accumulator has ,
discharged most of its injection water, but before the tank is completely empty and nitrogen is injected ,
into the RCS.
- 3 2.3.1.2 Core Makeup Tanks -In-Containment Refueling Water Storage Tank The core makeup tanks (CMTs) and IRWST are both designed as safety injection sources to maintain inventory for the reactor coolant system, but they have different safety injection functions, as discussed ;
in SSAR Section 6.3. Their injection capabilities complement each other and they are designed to interact with each other since each core makeup tank shares a common direct vessel injection line with one of the IRWST gravity. r l
The CMTs, which are designed to provide safety injection to maintain RCS inventory at the existing ,
RCS pressure, initiate the transition to IRWST gravity injection by actuating ADS as the CMT levels l
m:\2630w.non:1b-022096 2-34 REVISION: 0 l
1 i
l I
I decrease. The IRWST is designed to provide a long-term injection source following reactor coolant system depressurization.
l Although the CMTs share a common injection line with the IRWST, IRWST injection does not occur until later in an event during or after the opening of the fourth stage ADS valves. This does not occur until the CMTs are nearly empty. Depending on the event and the specific component failures that
, occurred, the timing and rate of the RCS depressurization will vary. For most LOCA events, there is not a significant amount of injection overlap between these two injection sources. Flow rates from these sources are relatively low, and interactions between these two components are not considered significant. In the PRA success criteria analyses, the CMT is generally empty when the IRWST begins to inject.
The CMTs actuate ADS stages one to three, which discharge into the IRWST. ADS directly impacts IRWST conditions by adding heat to the IRWST inventory as the ADS discharge is quenched. The interactions between the ADS and the IRWST are discussed in subsection 2.3.3.3 of this report.
One specific interaction is relatively important in the design of these two components, but it is a valve actuation signal and not a process fluid interaction. The CMTs actuate the fourth stage ADS valves, and this same signal opens the IRWST injection isolation (explosive) valves. Valve actuation results in IRWST injection, reducing the IRWST water level, once RCS pressure has decreased sufficiently to initiate IRWST gravity injection.
Since there is little overlap between IRWST and CMT injection, the IRWST does not have any
]
significant effect on the CMT from the perspective of process fluid interactions. l 2.3.1.3 Core Makeup Tanks - Containment Recirculation The core makeup tanks (CMTs) and containment recirculation are both designed as safety injection sources to maintain inventory for the RCS, but they have different safety injection functions, as discussed in Section 6.3 of the SSAR. Their injection capabilities complement each other and they are designed to interact with each other since each CMT shares a common direct vessel injection line with one of the containment recirculation lines.
The CMTs, which are designed to provide safety injection to maintain RCS inventory at the existing RCS pressure, initiate the transition to IRWST gravity injection, and eventually containment recirculation, by actuating ADS as the CMT levels decrease. The containment recirculation is designed to provide a long-term injection source, in conjunction with the IRWST, following RCS depressurization.
Although the CMTs share a conunon injection line with containment recirculation, the latter does not occur until later in an event after the fourth stage ADS valves open and the IRWST is almost empty.
Typically, this does not occur until long after the CMTs are empty. Therefore, there are no periods of mA263owman:1b.022096 2-35 REVISION: 0
common injection flow expected, so there are no significant interactions between these two 4
components. In the PRA success criteria analyses, the CMT is empty when containment recirculation 2
begins.
The CMTs actuate the stage four ADS valves, which discharge into the containment loop compartments, and the resulting RCS mass loss can contribute to the containment floodup and recirculation inventory. The interactions between the ADS and containment recirculation are discussed .
in subsection 2.3.4.2 of this report.
2.3.1.4 Core Makeup Tanks - Passive Residual Heat Removal
- Non-LOCA Events During non-LOCA events, operation of the CMTs can degrade the performance of the PRHR HX.
This occurs because the operation of the CMTs removes heat from the RCS, and cause the temperature in RCS hot leg to be reduced. Since the effectiveness of the PRHR HX heat removal is proportional to the inlet temperature to the PRHR HX, the heat transfer capability of the PRHR HX is reduced and the RCS temperature is reduced. However, if CMT operation serves to remove heat from the RCS during non-LOCA events, the required heat transfer from the PRHR HX is therefore reduced. This phenomena is presented in the SSAR Chapter 15 analysis of non-LOCA events. These analyses model the operation of the PRHR HX in conjunction with recirculating CMTs.
l PRHR HX operation can result in CMT actuation by reducing RCS temperature during en event, which reduces the pressurizer water level. This is a beneficial interaction and for most significant plant events, when CMT actuation occurs, the PRHR HX is also actuated, and their operation 1 complements one another as demonstrated in plant analysis and testing. PRHR HX operation also reduces the potential for RCS overfill following a spurious CMT actuation.
LOCA Events The interaction between these two components is considered as a secondary effect, which is not significant, since CMT injection flow does not directly interact with PRHR HX heat removal flow.
The CMT injection flowpath is from the CMT into the direct vessel injection nozzle in the reactor .
vessel, with balance flow back to the CMT through the co'd leg pressure balance line. The PRHR HX heat removal flow path is from the reactor vessel, through the hot leg, through the PRHR HX piping and heat exchanger piping, returning to the reactor through the steam generator cold leg channel head and the cold leg.
l The CMTs can indirectly impact PRHR HX heat removal capabilities in two ways following LOCA i event. First, they provide cold makeup water to RCS, which maintains the reactor coolant system !
inventory; for LOCA events, the PRHR HX heat removal process, which is only significant prior to ADS actuation, may be either liquid phase heat conduction or steam condensation heat transfer, mA26w-ib-022096 2 36 REVISION: 0 )
depending on the leak rate. For non-LOCA events with the exception of a main steam line break, the CMTs will provide sufficient water to keep the PRHR HX piping water-filled. Also, the CMTs initiate ADS stages one to three that discharge into the IRWST and increase IRWST water temperature. However, during LOCA events, once ADS actuates, the PRHR HX heat removal is small compared to ADS heat removal. Therefore, this CMT interaction with the PRHR HX is a secondary interaction which is not important.
2.3.1.5 Core Makeup Tanks / Accumulators - Automatic Depressurization System One important interaction for the CMTs is the actuation of the automatic depressurization system (ADS). Stage one is actuated after CMT level has decreased to a specific level set point and the stage four ADS valves actuate at a second level set point before the CMTs are empty.
The accumulators can indirectly impact ADS actuation, but not the ADS ability to depressurize the RCS, since the accumulators can temporarily delay the need for CMT injection, as described in subsection 2.3.1.1 of this report. This interaction is only important for LOCA events where the
, accumulators provide injection flow. I ADS actuation can affect CMTs and accumulators by opening the reactor coolant system (RCS) and I
removing RCS inventory, requiring safety injection from these two sources. Inventory removed ;
{ provide IRWST gravity injection. After ADS stage four actuation, the steam that vents from this stage is condensed on the containment shell and returns to the IRWST through the condensate return lines
- for subsequent re-injection into the RCS.
, There is the potential for an adverse impact on the automatic depressurization system capability to sufficiently depressurize the RCS when the CMTs or accumulators inject. Maximizing safety injection is generally beneficial in mitigating LOCAs, as shown by the analysis of design basis events provided in Chapter 15 of the SSAR. However, in sensitivity studies performed to verify PRA success criteria,
!* a phenomena was evaluated for cases of multiple failures in the ADS, where additional injection 4 resulted in a higher (although acceptable) peak clad temperature. Ultimately, these multiple ADS
- failures were not credited as success in the PRA.
- As documented in Appendix A of the PRA, additional CMTs or accumulators do not adversely impact the ability of the ADS to depressurize the RCS and initiate IRWST gravity injection for the success i criteria assumed. Sensitivity analyses varying the number of CMTs and accumulators credited in the accident scenarios show that the minimum tank availability produces the most limiting results. This conclusion is true for all ADS success criteria that are credited in the AP600 PRA.
s
! l l
- m:u63ow.non;ib-ce:096 REVISION: 0 2-37 2
]
2.3.1.6 Core Makeup Tanks - Passive Containment Cooling / Containment There are no direct interactions between the CMTs and the PCS. The PCS actuates on high containment pressure resulting following steam releases to containment from either breaks such as a LOCA or main steam line break and from IRWST steaming due to PRHR HX or ADS actuation. The CMTs indirectly affect PCS operation by actuating ADS discharge to the IRWST and to containment.
The ADS interaction with the PCS is discussed in subsection 2.3.5.2 of this report. .
The PCS affects passive injection indirectly through control of containment pressure, which affects the RCS pressure and therefore, the ability of the passive RCS injection sources. However, containment
- steaming does not initiate until later in most events after either the IRWST temperature increases or the stage four ADS valves actuate. Therefore, the PCS impact on the CMTs is a relatively insignificant secondary interaction.
2.3.1.7 Core Makeup Tanks - Steam Generator System As discussed in Section 2.3 of this report, the focus of the CMT and SGS interactions is related to the effects on the integrity of the reactor coolant system pressure boundary. A break in the SGS secondary system pressure boundary can discharge steam to containment, but this interaction is not significant.
I The CMTs do not directly interact with the SGS since CMT injection flow and pressure balance line flow does not pass through the steam generators. The CMTs provide safety injection flow to the RCS following a steam generator tube rupture (SGTR).
These design interactions have been confirmed as part of the testing and plant analyses.
2.3.1.8 Core Makeup Tanks - Main Control Room Habitability
'Ihere are no significant interactions between the CMTs and the main control room habitability system.
2.3.1.9 Core Makeup Tanks - Reactor Coolant System The core makeup tanks (CMTs) are designed as safety injection sources to maintain inventory for the RCS at the existing RCS pressure, as discussed in SSAR Section 6.3.
Spurious operation of the core makeup tanks can result in an adverse system interaction with the RCS.
Actuation of the CMTs when the RCS inventory is near normal results in CMT operation in a ]
recirculation mode as described in Section 6.3 of the SSAR. The CMTs will inject cold borated water ,
into the reacter coolant system that will heat and expand once it enters the RCS. The cold water in the CMT is replaced by high temperature water from the RCS cold legs.
1 mA2630waon:lb-o22096 2-38 REVISION: 0
Spurious CMT actuation during full power operation results in a reactor trip and subsequent cooldown of the reactor coolant system. The effects of this transient are discussed in SSAR Chapter 15. In addition, design transients have been performed for the purposes of component design that bound the thermal transient on the primary components as a result of spurious CMT actuation. Therefore, the AP600 design has addressed this adverse system interaction.
, 2.3.2 Accumulators 2.3.2.1 Accumulators -In. Containment Refueling Water Storage Tank The accumulators and IRWST are both designed as safety injection sources to maintain inventory for the RCS, but they have different safety injection functions, as discussed in SSAR Section 6.3. Their injection capabilities complement each other and they are designed to interact with each other since each accumulator shares a common direct vessel injection line with one of the IRWST gravity injection lines.
The accumulators are designed to provide safety injection to maintain RCS inventory wnen RCS pressure decreases below the static accumulator gas pressure. The accumulators function as an intermediate pressure safety injection source, with one of the more important functions to refill the reactor vessel and reflood the core following larger LOCAs.
Although the accumulators share a common injection line with IRWST IRWST injection does not occur until later in an event during or after the opening of the fourth stage ADS valves. The IRWST does not provide gravity injection until the RCS is completely depressurized and the accumulators are empty when RCS pressure is approximately 80 psig. Therefore, there are no intervals of significant injection overlap between these two components so that sharing c common injection line does not result in any significant interactions.
For the same reason, the IRWST does not have any significant effect on the accumulator, from the perspective of process fluid interactions.
2.3.2.2 Accumulators - Containment Recirculation The accumulators and containment recirculation are both designed as safety injection sources to maintain inventory for the RCS, but they have different safety injection functions, as discussed in SSAR Section 6.3. Their injection capabilities complement each other and they are designed to interact with each other since each accumulator shares a common direct vessel injection line with one of the containment recirculation lines. The general design philosophy for safety injection following an event is that the CMTs inject first, followed by the accumulators, the IRWST, and finally by containment recirculation as the reactor coolant system depressurization continues and containment floodup progresses.
m:us3owmon:n>-o22w6 2-39 REVISION: 0
- _- . ~ - --- .. - - ~ - - - - . . - - --. - - - .
I 1
1 The accumulators are designed to provide safety injection to maintain RCS inventory when RCS pressure decreases below the static accumulator gas pressure. The accumulators function as an intermediate pressure safety injection source, with one of the more important functions to refill the reactor vessel and reflood the core following larger LOCAs. The containment recirculation is designed to provide a long-term injection source, in conjunction with the IRWST, following RCS depressurization.
Although the accumulators share a common injection line with containment recirculation, recirculation does not occur until later in an event after the fourth stage ADS valves open and the IRWST is almost empty. Containment recirculation does not occur until long after the accumulators are empty.
Therefore, there are no periods of common injection flow expected, so there are no significant interactions between these two components.
The accumulators can also directly contribute to water mass lost to containment during a LOCA, either indirectly after the water passes through the RCS and out the break, or directly into containment during a DVI lirie break LOCA. However, this water may or may not be available for containment recirculation depending on the break location, since the accumulators are located in a compartment in containment that is not normally flooded. Inventory retained within the accumulator compartment due to a pipe break in that compartment will not be available for containment recirculation unless the piping penetration seals in the compartment wall leak. The accumulator floodup interaction is
)
insignificant since the accumulator inventory contribution is insignificant, when compared to the IRWST inventory.
Since there is no injection overlap between containment recirculation and accumulator injection, containment recirculation does not have an effect on the accumulator, from the perspective of process fluid interactions.
2.3.2.3 Accumulators - Passive Residual Heat Removal Heat Exchanger The interaction between these two components is considered as a secondary effect, which is not j significant, since accumulator injection flow does not directly interact with PRHR HX heat removal i flow. The accumulator injection flowpath is from the accumulator into the dimet vessel injection ;
nozzle in the reactor vessel. 'Ihe PRHR HX heat removal flow path is from the reactor vessel, . !
through the hot leg, through the PRHR HX piping and heat exchanger piping, retuming to the reactor through the steam generator cold leg channel head and the cold leg.
l The accumulators also indirectly impact the PRHR HX heat removal capabilities through the impact on RCS inventory following LOCA event. The accumulators provide cold makeup water to the RCS, which subcools the core and maintains the reactor coolant system inventory. However, when accumulator injection occurs following a LOCA, the RCS has significant voiding and PRHR HX l
operation is in a steam-condensation mode. Since the accumulator injection does not fill the PRHR '
HX, the accumulator operation does not impact PRHR HX operation. In addition, once ADS actuation i l
m:u630wmon:ttm2096 2 40 REVISION: 0 j l
1
occurs, the PRHR HX contribution to heat removal is not important. Therefore, the accumulator interaction with PRHR HX is a secondary interaction which is not important. !
PRHR HX operation can result in RCS cooling and the resulting coolant contraction reduces RCS pressure and pressurizer level. But PRHR HX operation by itself is not expected to initiate accumulator injection. In general, the PRHR HX impact on accumulator operation is a secondary
, interaction that is not significant. '
The adverse interaction between the accumulator nitrogen and the PRHR HX is insignificant.
Nitrogen cannot be discharged from the accumulators until the RCS is almost fully depressurized to less than about 100 psig. This is only expected for events where ADS operation is also expected and PRHR HX operation is not required for heat removal. Therefore, the accumulator nitrogen interactions ,
are not important to PRHR HX operation in this plant condition. The Oregon State University and SPES-2 test results support this conclusion.
2.3.2.4 Accumulators - Passive Containment Cooling / Containment There are no direct interactions between the accumulators and the PCS. The PCS actuates on high containment pressure resulting following steam releases to containment from either breaks such as a LOCA or main steam line break and from IRWST steaming due to PRHR HX or ADS actuation. The accumulators provide RCS injection for larger LOCAs and in conjunction with ADS actuation for other LOCAs. For these events, the accumulators indirectly affect PCS operation since they help to maintain the RCS inventory and some of the accumulator volume can contribute to containment steaming. However, this is a secondary effect that is not significant.
The PCS affects passive injection indiiectly thmugh control of containment pressure, which affects the RCS pressure and, therefore, the ability of the passive RCS injection sources. However, containment steaming does not initiate until later in most events after either the IRWST temperature increases or the stage four ADS valves actuate. For events that depressurize the RCS very rapidly, the accumulator
{
injection is complete before the PCS operation has any significant impact on containment conditions.
Therefore, the PCS impact on the accumulators is a relatively insignificant secondary interaction. !
, 2.3.2.5 Accumulators - Steam Generator System j
1 As discussed in Section 2.3 of this document, the focus of the accumulator and SGS interactions is I related to the effects on the integrity of the reactor coolant system pressure boundary. A break in the SGS secondary system pressure boundary can discharge steam to containment, but this interaction in not significant.
The r.ccumulators do not directly interact with the SGS since accumulator injection flow does not pass through the steam generators. Accumulator injection is not expected following an SGTR, and l
m:u63owmoe:itm2096 2-41 REVISION: 0
. .. . . .. - . . . - . . -.~. .- -.- - . - - . - . - . -.- -..- --
accumulator injection can not cause steam generator overfill since they do not inject until RCS pressure is much lower than steam generator pressure. Therefore, this is not a significant interaction.
The SG is not expected to initiate accumulator injection following a steam generator tube mpture since !
the RCS v4 not lose sufficient inventory to depressurize to accumulator static pressure and ADS is f
not expecx1 to be actuated. Therefore, this is not an important interaction. However, the initiation of i accumulator injection following any decrease in RCS inventory is' a beneficial design interaction. . !
1 2.3.2.6 Accumulators - Main Control Room Habitability '
There are no significant interactions between the accumulators and the main control room habitability I system. i 2.3.2.7 Accumulators - Reactor Coolaat System The accumulators are designed to provide safety injection to maintain RCS inventory when RCS pressure decreases below the static accumulator gas pressure, as discussed in Section 6.3 of the SSAR.
The general design philosophy for safety injection following an event is that the CMTs inject first, followed by the accumulators, the IRWST, and finally by containment recirculation as the RCS !
depressurization continues and containment floodup progresses. The accumulators function as an (
~ intermediate pressure safety injection source, with one of the more important functions to refill the l
reactor vessel and reflood the core following larger LOCAs. !
The RCS pressure determines accumulator injection. Once the RCS pressure decreases below static accumulator pressure, the discharge check valves open and accumulator injection initiates. The rate of accumulator injection is based on the change in RCS pressure. This important design interaction has !
been confirmed as part of the testing and plant analyses.
The adverse interaction between the accumulator nitrogen and the RCS is not significant. Nitrogen cannot be discharged from the accumulators until the RCS is almost fully depressurized to less than about 100 psig. This is only expected for events where a larger LOCA has occurred or where ADS actuation occurs, resulting in RCS depressurization. The accumulator nitrogen interactions are not important to RCS operation in this plant condition. The Oregon State University and SPES-2 test .
results support this conclusion. Operator action can be taken to isolate the accumulator by closing the motor-operated discharge isolation valve after the accumulator has discharged most of its injection water, but before the tank is completely empty and nitrogen is injected into the RCS.
i s
i l
l m:\2630wmon:Ib-022096 2-42 REVISION: 0
2.3.3 In-Containment Refueling Water Storage Tank 2.3.3.1 In-Containment Refueling Water Storage Tank - Containment Recirculation The IRWST and containment recirculation are both designed as long-term safety injection sources to maintain inventory for the RCS, but they have different safety injection functions, as discussed in
, SSAR Section 6.3. Their injection capabilities complement each other and they are designed to interact with each other, since each IRWST gravity injection line shares a common direct vessel injection line with one of the containment recirculation lines. The IRWST and containment recirculation also interact because the containment recirculation isolation valves are automatically opened on low IRWST level signals. The general design philosophy for safety injection following an event is that the CMTs inject first, followed by the accumulators, the IRWST, and finally by containment recirculation as the RCS depressurization continues and containment floodup progresses.
The important design interactions have been confirmed as part of the testing and plant analyses.
The IRWST is designed to provide safety injection to maintain RCS inventory later in an event, after the RCS has been depressurized. This normally does not occur until after the fourth stage ADS valves are open. Containment recirculation is also designed to provide long-term RCS injection. As the IRWST becomes nearly empty, the containment has flooded up sufficiently to provide recirculation flow, and the RCS is depressurized. These two injection sources complement each other to provide continuous long-term injection.
The interaction of these two components is important to long-term RCS injection. The IRWST provides the initial gravity injection following RCS depressurization. Once the low IRWST level actuation signal opens the containment recirculation isolation valves, containment recirculation initiates in parallel with injection of the remaining IRWST inventory, the IRWST establishes an equilibrium injection head with the contain' ment recirculation inventory, based on the injection line flow resistance from the two sources. There is the potential for water flow between the two sources to establish and maintain this equilibrium, once containment recirculation is actuated.
Both the IRWST and the containment recirculation areas are exposed to the same containment overpressure. As the IRWST water temperature increases due to PRHR HX or ADS actuation,
, steaming to containment frora the IRWST is possible, which could cause a small increase in the pressure due to the steam venting through the air space above the IRWST, but this is not significant.
With significant steaming to containment following a LOCA or a main steam line break, the PCS actuates and the condensate that collects on the containment vessel shell is returned to the IRWST. If the condensate return valves remain open instead of failing closed, the condensate return flows directly to the containment recirculation areas. However, after containment recirculation actuation, the IRWST is connected to the containment recirculation areas through the shared injection lines and the condensate return is shared between these two components.
.m u m ib-022 w 6 2-43 REVISION: O d
l The IRWST can also directly impact containment recirculation following a DVI line break. In this case, the IRWST provides injection through the intact injection line and drains directly to containment' '
through the broken line, increasing the containment floodup rate and decreasing the time until i containment recirculation is actuated. At the same time, the IRWST provides gravity injection through the intact injection line, where LOCA break flow and ADS fourth stage discharge flow increases the
{
containment recirculation inventory.
- 4 Therefore, the overall interaction between the IRWST and containment recirculation is very important, '
as shown by the testing and plant analyses, and the two injection sources work closely together to provide continuous long-term RCS injection.
- An adverse interaction can occur due to spurious opening of the containment recirculation isolation '
valves. This occurs if the line with the motor-operated valve and explosive valve is opened and the IRWST starts to gravity drain to containment, causing floodup of containment. This event does not I result in any plant transient, but it does have some adverse effects if the IRWST is allowed to drain !
significantly. The spurious opening of these valves is prevented by the instrumentation and control l
design. The response to spurious opening of the containment recirculation isolation valves is to confirm that the actuation is spurious and then to take operator actions to close the motor-operated valve. This is not a significant interaction since it does not cause a plant transient and there is sufficient time, alarms, and indications to allow the operators to diagnose the problem and take the !
corrective actions required. l 3
2.3.3.2 In-Containment Refueling Water Storage Tank - Passive Residual Heat Removal Heat >
Exchanger The interaction between the IRWST and PRHR HX is important for non-LOCA events where the .
PRHR HX provides the primary heat removal mechanism for the RCS, as shown in the testing and ,
plant analyses. The IRWST provides the heat sink for the PRHR HX, with IRWST level and water temperature significantly impacting the PRHR HX heat transfer capability. 'Ihe impoitant design interactions have been confirmed as part of the testing and plant analyses.
~
1 Initially following PRHR HX actuation, the IRWST maintains the PRHR HX completely covered with water, and the IRWST water temperature is expected to be relatively cold (close to the containment .
ambient temperature). Following PRHR HX actuation, the IRWST temperature increases and after the containment saturation temperature is reached, the IRWST begins to steam to containment. The
{
containment pressure determines the lindting IRWST water temperature, within a relatively small temperature range.
t For events such as LOCA or other events where ADS actuates, the interaction between the IRWST and PRHR HX is only significant early in the event prior to ADS actuation when PRHR HX operation i is pmviding the primary heat removal mechanism. For larger LOCAs where the break provides '
significant heat removal, PRHR HX heat removal is generally not expected to be important when I i
mA2630w.non:Ib 022096 2-44 REVISION: 0
J i
l 4 I
- I i
compared to heat removal from the break and from ADS, and the interactions between the IRWST and PRHR HX are not important for these events.
For very small LOCAs (0.5 inch or less), PRHR HX operation will heat the IRWST up to saturation temperature prior to ADS actuation. ADS operation at this time will then add energy to a saturated j IRWST, which limits the steam condensation capability. This PRHR HX operation results in :
significant venting of steam from the IRWST. ;
The importat difference between PRHR HX heating and ADS heating of the IRWST is that the
' PRHR HX heats the entire tank depth, while the ADS discharges heat to the upper part of the IRWST,
^
at and above the ADS sparger elevation. In addition, the ADS spargers and the PRHR HX are located on opposite ends of the IRWST, ADS tank heating generally results in subcooled IRWST gravity injection, followed by saturated injection flow. For non-LOCA events, PRHR HX heating of the '
- IRWST is r.o
- expected to be followed by gravity injection since ADS actuation is not expected. But heated gravity injection can occur for events such as a small break LOCA, where PRHR HX heating i initiates shortly after the event, followed eventually by ADS actuation and the initial gravity injection i I
flow is much hotter. The difference in injection temperature has no significant effect on gravity 4
injection capability, but subcooled injection flow has a quenching effect in the core region.
' )
1 2.3.3.3 In-Containment Refueling Water Storage Tank - Automatic Depressurization System :
The ADS valves are designed to provide a controlled RCS depressurization when safety injection from i
the accumulators, IRWST, and containment recirculation is needed. The ADS stage one to three valves that connect to the top of pressurizer steam space discharge two-phase flow into the IRWST through the spargers that are located about ten feet below the norman IRWST water surface. The purpose of this arrangement is for the IRWST to condense the ADS steam discharge and collect the j condensate for return to the RCS, once the RCS is depressurized and gravity injection flow is initiated.
t This arrangement also minimizes the potential for discharging steam to containment following ADS l actuation. The important design interactions have been confirmed as part of the testing and plant i analyses.
1 i The IRWST water temperature controls the capability of the IRWST to condense the ADS steam j, '
discharge. Once the IRWST water heats up and reaches saturation temperature for the existing containment pressure, the ADS steam discharge passes up through the water without condensing and discharges directly to the containment atmosphere.
The IRWST water level and temperature also control the backpressure on ADS stages I to 3, which affects the discharge flow rate. The backpressure is not significant for the early stages of an ADS discharge. However, it becomes more important late in the depressurization process, when RCS pressure is nearly equal to the containment pressure. At very low RCS pressures, the IRWST water m u63ow.nonso22w6 2-45 REVISION: 0
l 1
backpressure can significantly reduce the stage one to three ADS discharge flow. The long-term backpressure contribution from IRWST level can be reduced by several important processes: !
Early IRWST heat additions, such as PRHR HX heating prior to ADS, cause steaming to i
occur sooner.
i A LOCA break location, such as a DVI line break can drain the IRWST much faster. .
l Condensate retum from the containment shell maintains the IRWST level. -
i e Gravity injection slowly drains the IRWST.
f The IRWST water can be heated by both the PRHR HX and the ADS discharge, as discussed in subsection 23.3.2 of this report. The important difference between PRHR HX heating and ADS i
heating of the IRWST is that the PRHR HX heats the entire tank depth, while ADS discharges heat to f the upper part of the IRWST, at and above the ADS sparger elevation. In addition, the ADS spargers l and the PRHR HX are located on opposite ends of the IRWST.
/
)
{ ADS heating of the IRWST generally results in a transition from subcooled IRWST gravity mjection i
to saturated injection flow, once the subcooled layer below the ADS sparger is injected. For non- l LOCA events, PRHR HX heating of the IRWST is not expected to be followed by gravity injection !
since ADS actuation is not expected. But heated gravity injection can also occur without ADS heating l
of the IRWST for events such as a small break LOCA. In this case, PRHR HX heating initiates shortly after the event, followed eventually by ADS actuation and the initial gravity injection flow is
- much hotter since there is not a subcooled layer that injects first. The difference in injection
} temperature has no significant effect on gravity injection capability, but subcooled injection flow has a j quenching effect in the core region.
l !'
j 2.33.4 IRWST - Passive Containment Cooling / Containment -
3 i
~
i The PCS actuates on high containment pressure resulting following steam releases to containment from
{
l either breaks such as a LOCA or main steam line break and from IRWST steaming due to PRHR HX
{ or ADS actuation. The IRWST water level and temperature control the amount of steaming to .
I containment, for both ADS discharges and PRHR HX operation. He rate of steaming to containment determines when PCS is actuated. The impact of IRWST conditions on PCS actuation is most
- important for non-LOCA events and for smaller LOCAs. He IRWST has insignificant impact on i PCS actuation for larger LOCAs and main steam line breaks inside containment, since the break flow
- rapidly pressurizes containment, regardless of IRWST conditions.
f The IRWST configuration also has some effect on the steam venting to containment, since steam must j pass through the IRWST vents. The IRWST vents are designed to prevent pressurization of the IRWST, so this interaction is not significant to the steam venting process.
i m:u63ow.non:ib422096 2-46 REVISION: 0 4
4
l PCS operation controls the pressure in containment by the condensatic,n of steam from the containment atmosphere. This interaction affects the resulting containment floodup liquid temperatures, the IRWST saturation temperature reached following PRHR HX or ADS heating. The condensate retum temperature from the containment shell and the RCS temperatures. However, the range ofIRWST and containment recirculation water temperature changes are relatively small.
, PCS operation also affects IRWST inventory since the condensation on the containment shell provides condensate return to either the IRWST or the containment recirculation areas, depending upon the status of the condensate return isolation valves.
These design interactions have been confirmed as pan of the testing and plant analyses.
2.3.3.5 In-Containment Refueling Water Storage Tank - Steam Generator System As discussed in Section 2.3 of this document, the focus of the IRWST and SGS interactions is related to the effects on the integrity of the reactor coolant system pressure boundary. A break in the SGS secondary system pressure boundary can discharge steam to containment, which results in an increase in containment pressure and condensate return to the IRWST, similar to the interaction effects discussed in subsection 2.3.3.4 of this report.
The IRWST does not directly interact with the SGS since IRWST gravity injection flow does not pass through the steam generators. The IRWST is designed to provide safety injection to maintain RCS inventory later in an event, after the RCS has been depressurized. This normally does not occur until after the fourth stage ADS valves are open, except for larger LOCA events. Herefore, IRWST injection is not expected following a steam generator tube rupture since ADS does not occur.
These design interactions have been confirmed as part of the testing and plant analyses.
2.3.3.6 In-Containment Refueling Water Storage Tank - Main Contral Room Habitability There are no significant interactions between the IRWST and the main control room habitability system.
2.3.3.7 In.Conta'nment Refueling Water Storage Tank - Reactor Coolant System The IRWST is designed as a long-term safety injection source to maintain inventory for the RCS, as discussed in Section 6.3 of the AP600 SSAR. The general design philosophy for safety injection following an event is that the CMTs inject first, followed by the accumulators, the IRWST, and finally by containment recirculation as the RCS depressurization continues and containment floodup progresses. The important design interactions have been confirmed as part of the testing and plant analyses.
I m:u63ow.non:n.022096 2-47 REVISION: 0
d 1
~
The IRWST is designed to provide sufficient gravity injection flow to keep the core covered and to remove core decay heat, in conjunction with ADS venting. The IRWST maintains the RCS inventory at lower levels within the RCS than exist during power operation, since the fourth stage valve elevations and the gravity injection head elevations limit the amount that the RCS can be filled.
i The IRWST does not provide gravity injection until after the fourth stage ADS valves are open. Two-
- phase flow is primarily discharged out through the fourth stage ADS valves late in an event when .
)
IRWST gravity injection initiates. When gravity injection first initiates, the highest expected IRWST >
water level is at about the 128-foot elevation. The hot leg centerline elevation is at about the 101-foot
{ elevation, and the fourth stage ADS valves discharge at about the ll2-foot elevation.
In addition, the RCS affects the IRWST temperature conditions through heat additions from both 1
PRHR HX and ADS operation. The specific interactions are discussed in subsections 2.33.2 and i 2.3.3.3 of this report, respectively.
2.3.4 Containment Recirculation i
2.3.4.1 Containment Recirculation - Passive Residual Heat Removal Heat Exchanger i
The interaction between these two components is not significant since containment recirculation flow does not interact with PRHR HX heat removal flow.
PRHR HX heat removal occurs either for non-LOCA events or early in smaller LOCA events before the initiation of ADS. After the RCS is depressurized, PRHR HX heat removal is not ir~nportant.
Containment recirculation does not occur until the RCS is fully depressurized, RCS temperatures are relatively close to the IRWST temperatures, the PRHR HX is voided, the IRWST is essentially drained, and the PRHR HX is mostly uncovered.
Therefore, when PRHR HX operation occurs, containment recirculation cannot occur because the RCS pressure is too high and when containment recirculation initiates, the PRHR HX is unable to provide decay heat removal.
PRHR HX operation does not significantly impact containment recirculation. PRHR HX operation can reduce RCS pressure and temperature and, therefore, somewhat affect the time that it takes to reach containment recirculation. However, RCS depressurization following a larger LOCA or ADS operation is required to initiate containment recirculation and the resulting recirculation temperatures are a result of the containment saturation conditions and not significantly impacted by PRHR HX operation.
m:u630w.non:ib-022096 2-48 REVISION: 0
23.4.2 Containment Recirculation - Automatic Depressurization System The ADS valves are designed to provide a controlled RCS depressurization when safety injection from the accumulators, IRWST, and containment recirculation is needed. Therefore,' ADS operation is very
. important to containment recirculation.
, The ADS stage four valves connected to the top of the RCS hot legs discharge two-phase flow directly to containment inside the RCS loop compartments, at an elevation above the normally flooded areas used for containment recirculation. The purpose of this arrangement is to have the minimal ADS backpressure at the completion of the RCS depressurization. The steam from the fourth stage ADS discharge condenses on the containment shell and retums to either the IRWST or the containment recirculation areas, depending upon the status of the IRWST condensate retum isolation valves.
The containment recirculation inventory has no impact on the ADS discharge flow, from the perspective of affecting outlet conditions. The fourth stage ADS valves discharge above the maximum '
containment floodup elevation. The containment recirculation area floodup elevation and the IRWST water surface elevations are interrelated following recirculation actuation since these volumes are cross-connected through the common gravity injection lines. However, the IRWST elevations at this i time are well below the ADS Stage one to three sparger elevation and the sparger is uncovered, j
Therefore, the containment recirculation has no effect on the ADS discharge backpressure. l The containment recirculation inventory does have an indirect impact on the generation of the ADS flow within the RCS. Recirculation provides the long-term injection that maintains the RCS inventory and that subsequently is needed to generate the ADS discharge flow. However, without recirculation, ADS flow would still continue until the available RCS inventory was depleted and core uncovery l occurred.
These important design interactions have been confirmed as part of the testing and plant analyses.
23.43 Containment Recirculation - Passive Containment Cooling / Containment Containment recirculation has no significant impact on the actuation of the PCS. The PCS actuates on
, high containment pressure resulting from steam releases to containment from breaks such as a LOCA or main steam line break, and from IRWST steaming due to PRHR HX or ADS actuation. The containment recirculation floodup elevation does not get high enough to affect the discharge of any of the ADS stages by providing a backpressure on the ADS discharge, and the containment recirculation temperatures are at saturation for containment pressure, so that the recirculation inventory could not condense the ADS steam discharge.
Containment recirculation does indirectly impact continuing PCS operation in that it indirectly impacts the generation of the ADS flow within the RCS. Recirculation provides the long-term injection that maintains the RCS inventory and that subsequently is needed to generate the ADS discharge flow, m:u630w.non:itwo22096 ' 2 49 REVISION: 0
.._. ~ . . . - - . . . . -. _- .. -- - - .
l However, without recirculation, ADS flow would still continue until the available RCS inventory were depleted and core uncovery occurred. !
PCS operation controls the pressure in containment by the condensation of steam from the containment atmosphere. This interaction affects the resulting containment floodup liquid temperatures, the IRWST saturation temperature reached following PRHR HX or ADS heating. The condensate return temperature from the containment shell, and, indirectly, the RCS temperatures. However, the range of .
IRWST and containment recirculation water temperature changes are relatively small. i PCS operation also results in condensation on the containment shell, which provides the condensate '
return that either passes directly to the containment recirculation inventory or indirectly to both the IRWST and containment recirculation inventories, depending upon the status of the condensate return isolation valves.
These design interactions have been confirmed as part of the testing and plant analyses.
2.3.4.4 Containment Recirculation - Steam Generator System As discussed in Section 2.3 of this document, the focus of the containment recirculation and SGS interactions is related to the effects on the integrity of the reactor coolant system pressure boundary.
A break in the SGS secondary system pressure boundary can discharge steam to containment, which
)'
results in an increase in containment pressure and condensate return to the containment recirculation area, similar to the interaction effects discussed in subsection 2.3.4.3 of this report. l Containment recirculation does not directly interact with the SGS since recirculation flow does not- :
pass through the steam generators. Containment recirculation is designed to provide safety injection to maintain RCS inventory later in an event, after the RCS has been depressurized. This normally does not occur until after the fourth stage ADS valves are open, except for larger LOCA events.
Containment recirculation is not expected following a steam generator tube rupture since ADS does not occur. If the RCS is subsequently depressurized following a steam generator tube rupture to i facilitate repairs, the containment recirculation can not cause steam generator overfill. Therefore, this is not a significant interaction.
1 These design interactions have been confirmed as part of the testing and plant analyses.
2.3.4.5 Containment Recirculation - Main Control Room Habitability There are no significant interactions between containment recirculation and the main control room '
habitability system.
1 l
l m:\2630w.non:Ib-022096 2-50 REVISION: 0
1 2.3.4.6 Containment Recirculation - Reactor Coolant System Containment recirculation is designed as a long-term safety injection source to maintain inventory for the RCS, as discussed in Section 6.3 of the SSAR. The general design philosophy for safety injection following an event is that the CMTs inject first, followed by the accumulators, the IRWST, and finally by containment recirculation as the RCS depressurization continues and containment floodup progresses.
I Containment recirculation is designed to provide sufficient gravity injection flow to keep the core a
covered and to remove core decay heat, in conjunction with ADS venting. Containment recirculation maintains the RCS inventory at lower levels within the RCS than those that exist during power operation, since the fourth stage valve elevations and the gravity injection head elevations limit the j amount that the RCS can be filled. Containment recirculation does not provide gravity injection until
{
after the fourth stage ADS valves are open. Two-phase flow is primarily discharged out through the l fourth stage ADS valves late in an event when containment recirculation initiates.
The maximum containment floodup clevation is to about the 107-foot elevation. When containment !
recirculation initiates, the highest expected IRWST water level is at about the 107. foot elevation and the IRWST will establish equilibrium levels with the containment floodup inventory, which varies slightly based on the specific event. The hot leg centerline elevation is at about the 101-foot elevation, j and the fourth stage ADS valves discharge at about the 112-foot elevation.
The RCS affects containment recirculation floodup level since the gravity injection flow depends on the existing RCS pressure.
These design interactions have been confirmed as part of the testing and plant analyses.
2.3.5 Passive Residual Heat Removal Heat Exchanger 2.3.5.1 Passive Residual Heat Removal Heat Exchanger - Automatic Depressurization System There are several important design interactions between the PRHR HX and ADS. First, both components use the IRWST as a heat sink, as described in subsections 2.3.3.2 and 2.3.3.3 of this report. In addition, both components are connected to the RCS, and the PRHR HX inlet piping shams a common section of piping with the fourth stage ADS valves connected to that RCS hot leg. PRHR HX cooling prior to ADS operation can also impact the initial RCS pressure when ADS actuates.
These design interactions have been confirmed as part of the testing and plant analyses.
When PRHR HX actuates, the IRWST temperature will increase and depending upon the duration of the PRHR HX operation, some IRWST inventory may be lost due to steaming. These two effects tend to reduce the backpressure for ADS stages one to three, which is not significant in the early stages of the depressurization, but affects flow through these stages more toward the end of the depressurization m:u630w.non:1b-022096 2-51 REVISION: 0
1 l l I
l process when RCS pressures are low. However, this is not a significant effect since the fourth stage ADS valves provide the most significant venting contribution at the end of the RCS depressurization.
PRHR HX operation also tends to heat the IRWST closer to saturation temperatures, which allows the i ADS discharge to vent from the IRWST without being condensed. This effect does not significantly impact ADS performance, but as discussed in subsection 2.3.3.4 herein, it does contribute to earlier PCS actuation.
The heating of the IRWST from ADS operation is not significant to the PRHR HX because for those j
- events that initiate ADS depressurization, the primary heat removal occurs due to ADS venting, along 1
with any break flow that may exist for LOCA events, and PRHR HX heat removal is not important.
l Although the PRHR HX and one of the fourth stage ADS valve groups share a common section of l piping, this is not significant since the ADS and PRHR HX are not simultaneously required to operate.
PRHR HX heat removal is only important prior to ADS actuation; when fourth stage ADS actuates, the RCS is significantly voided and at temperature and pressure conditions where the PRHR HX is not important to heat removal.
2.3.5.2 Passive Residual Heat Removal Heat Exchanger - Passive Containment Cooling / Containment There are no direct interactions between these two components. PRHR HX operation indirectly affects the PCS through the PRHR HX heating of the IRWST. The PCS impacts PRHR HX operation by l
controlling the saturation temperature that the IRWST can reach during an event. The interactions between the IRWST and the PCS are discussed in subsection 2.3.3.4, earlier in this document. These design interactions have been confirmed as part of the testing and plant analyses.
l 2.3.5.3 Passive Residual Heat Removal Heat Exchanger - Steam Generator System l l
l As discussed in Section 2.3 of this document, the focus of the PRHR HX and SGS interactions is a
related to the effects on the integrity of the RCS pressure boundary. A break in the SGS secondary system pressure boundary can discharge steam to containment, which results in an increase in containment pressure and condensate retum that indirectly affect the PRHR HX through IRWST .
interactions discussed in subsection 2.3.3.4 of this report.
The PRHR HX does not directly interact with the SGS since PRHR HX flow does not pass through the steam generators. However, PRHR HX affects the SGS through changes in the RCS due to PRHR HX cooldown and depressurization of the RCS. The PRHR HX provides decay heat removal for non-LOCA events, including a steam generator tube rupture, by transferring the core decay heat to the IRWST. PRHR HX actuation is very important following a steam generator tube rupture (SGTR) since its operation reduces RCS temperature and pressure, which helps prevent steam generator overfill and precludes the need for ADS actuation to mitigate this event.
m:u63ow.nonso22096 2-52 REVISION: 0
I l
t These design interactions have been confirmed as part of the testing and plant analyses.
! 2.3.5.4 Passive Residual Heat Removal Heat Exchanger - Main Control Room Habitability There are no significant interactions between the PRHR HX and the main control room habitability system.
~
l 2.3.5.5 Passive Residual Heat Removal Heat Exchanger - Reactor Coolant System
- l. .
The PRHR HX is designed as the primary heat removal mechanism for non-LOCA events. i The PRHR HX is actuated when the normal heat removal systems are unavailable. RCS integrity and fluid conditions affect the PRHR HX operation. PRHR HX actuation with the reactor coolant pumps operating provides the most effective single-phase heat removal. However, PRHR HX operation with l natural circulation flow can effectively remove core decay heat. As the RCS cools down and contracts, RCS voiding may occur, which can eventually change the PRHR HX heat transfer process to steam condensation heat transfer that increases the PRHR HX heat removal effectiveness. As the RCS temperatures continue to decrease and the IRWST water temperatures increase, the PRHR HX l heat transfer capability decreases.
For events that result in extensive RCS voiding and subsequent ADS actuation, such as a LOCA, the PRHR HX heat removal is not important following ADS actuation.
Spurious actuation of the PRHR HX results in an adverse system interaction with the RCS. Spurious actuation of the PRHR HX during power operation will result in a reactor power increase due to cooling of the reactor coolant that passes through the PRHR HX. The effects of this transient are discussed in SSAR Chapter 15. In addition, design analyses have been performed for the purposes of component design that bound the thermal transient on the primary components as a result of spurious PRHR actuation. Therefore, the AP600 design has addressed this potential adverse systems interaction.
D These design interactions have been confirmed as part of the testing and plant analyses.
4 2.3.6 Automatic Depressurization System 1
2.3.6.1 Automatic Depressurization System - Passive Containment Cooling / Containment The ADS valves are designed to provide a controlled RCS depressurization when safety injection from the accumulators, IRWST, and containment recirculation is needed.
The ADS stage one to three valves, which connect to the top of pressurizer steam space, discharge i
two-phase flow into the IRWST through the spargers that are located about 10 feet below the normal m:u63ow.non:ibe.2096 2-53 REVISION: 0
I I
IRWST water surface. The purpose of this arrangement is for the IRWST to condense the ADS steam discharge and collect the condensate for return to the RCS, once the RCS is depressurized and gravity injection flow is initiated.
The ADS stage four valves, which connect to the top of the RCS hot legs, discharge two-phase flow directly to containment inside the RCS loop compartments, at an elevation above the normally flooded areas used for containment recirculation. The purpose of this arrangement is to have the minimal ADS .
backpressure at the completion of the RCS depressurization. The steam from the fourth stage ADS discharge condenses on the containment shell and retums to either the IRWST or the containment recirculation areas, depending upon the status of the IRWST condensate return isolation valves. ~
This ADS arrangement minimizes the potential for discharging steam to containment during the early part of the RCS depressurization using ADS, and then enhances ADS performance when the RCS is nearly depressurized.
Therefore, ADS contributes to containtnent pressurization and PCS actuation through two flow paths.
During the ADS stage one to three depressurization, the ADS discharges to the IRWST and contributes I to PCS actuation, once the IRWST heats up to saturation, as described in subsection 2.3.3.4 of this report. During the ADS stage four actuation, ADS directly discharges steam to containment. By the time the fourth stage ADS valves are opened following ADS actuation during LOCA events, it is expected that PCS will already be operating.
)
His ADS and PCS interaction is designed to provide the long term passive heat removal mechanism j for those events where ADS actuation is expected, such as LOCA. I l
The PCS affects ADS performance by impacting containment backpressure and as containment pressure increases, this tends to initially reduce ADS flow. However, core decay heat tends to increase RCS pressure in this case until sufficient ADS steam can be vented. So the PCS operation does affect j ADS flow, but core decay heat also has an important effect on ADS flow.
~
These important design interactions have been confirmed as part of the testing and plant analyses.
2.3.6.2 Automatic Depressurization System - Steam Generator System .
As discussed in Section 2.3 previously in this document, the focus of the ADS and SGS interactions is related to the effects on the integrity of the reactor coolant system pressure (RCS) boundary. A break in the SGS secondary system pressure boundary can discharge steam to containment, which results in an increase in containment pressure and condensate return that indirectly affect the ADS through IRWST interactions discussed in subsection 2.3.3.4 of this WCAP and by increasing fourth stage ADS backpressure, as described in subsection 2.3.6.1, herein.
I m:u63ow. mon:nw22096 2-54 REVISION: 0 i
I The ADS does not directly interact with the SGS since ADS flow does not pass through the steam generators, although ADS does impact the RCS pressure that exists on the primary side of the steam generators. During a steam generator tube rupture, ADS is not expected to actuate to mitigate the event. If the ADS were to actuate following a steam generator tube rupture, the ADS operation would reduce the RCS temperature and pressure, reducing break flow into the steam generator, helping to prevent steam generator overfill. Following such on AIM actuation, some steam generator secondary
- water from the faulted steam generator could dom back into the RCS as the depressurization continues, potentially causing a reduction ir. RCS boron concentrations. This flow is limited by the pressure equalization which occurs, thus .naintaining the RCS reactivity within shutdown limits.
He ADS is not required following a steam generator tube rupture since PRHR HX operation helps to reduce break flow into the steam generator, preventing the CMTs from actuating ADS. Therefore, the SGS does not impact ADS operation following a steam generator tube rupture in design basis events.
For beyond design basis SGTR events where multiple failures in the safety-related systems occur, ADS operation will successfully reduce the RCS pressure, thereby terminating the primary to secondary leak. The use of the ADS in mitigating an SGTR event is modeled in the PRA (Reference 2).
The AP600 Emergency Response Guidelines (ERGS) (Reference 3) also address the use of the first 'I stage ADS valve to manually terminate an SGTR event. Section AE-3 of the AP600 ERG Background Information demonstrate the successful use of a first stage ADS valve by the operator to mitigate the consequences of an SGTR event.
These design interactions have been confirmed as part of the testing and plant analyses.
l 2.3.6.3 Automatic Depressurization System - Main Control Room Habitability There are no significant interactions between the ADS and the main control room habitability system.
2.3.6.4 Automatic Depressurization System - Reactor Coolant System
{
, The ADS valves are designed to provide a controlled RCS depressurization when safety injection from the accumulators, IRWST, and containment recirculation is needed.
l l
The ADS stage one to thme valves, which connect to the top of pressurizer steam space, discharge two-phase flow into the IRWST through the spargers that are located about ten feet below the normal IRWST water surface. The purpose of this arrangement is for the IRWST to condense the ADS steam l discharge and collect the condensate for return to the RCS, once the RCS is depressurized and gravity 1
injection flow is initiated. This arrangement also minimizes the potential for discharging steam to j containment following ADS actuation.
i m:0630w.nonibE2096 2-55 REVISION: 0
i l
}
The ADS stage four valves, which connect to the top of the RCS hot legs, discharge two-phase flow directly to containment inside the RCS loop compartments, at an elevation above the normally flooded areas used for containment recirculation. 'Ihe purpose of this arrangement is to have the minimal ADS backpressure at the completion of the RCS depressurization. The steam from the fourth stage ADS discharge condenses on the containment shell and returns to either the IRWST or the containment recirculation areas, depending upon the status of the IRWST condensate return isolation valves. {
The RCS affects ADS operation since RCS pressure controls the ADS flow rate and the RCS conditions affect the ADS discharge (such single-phase versus two-phase flow and fluid enthalpy).
The ADS and RCS interactions are designed to provide the long-term passive heat removal mechanism for LOCA events.
5 Spurious operation of the ADS results in an adverse system interaction with the RCS. Spurious actuation of the ADS valves during power operation will result in a reactor trip on low pressure, followed by depressurization of the RCS. The effects of this transient are discussed in SSAR I Chapter 15. Therefore, the AP600 design has addressed this potential adverse systems interaction. 3 These design interactions have been confirmed as part of the testing and plant analyses.
2.3.7 Passive Containment Cooling / Containment Spurious operation of the PCS results in an adverse system interaction with the containment. This occurs if either PCS isolation valve is opened and causes the PCS storage tank to drain water onto the outside of the containment vessel. This event does not result in any plant transient. The spunous i opening of these valves is prevented by the instrumentation and control design. This is not a i significant in:eraction since it does not cause a plant transient and there is sufficient time, alarms, and ;
indications to allow the operators to diagnose the problem and take the corrective actions required.
The effects of this transient are bounded by the analysis presented in Chapter 6 of the AP600 SSAR. ;
, Therefore, the AP600 design has addressed this potential adverse systems interaction.
i 2.3.7.1 Passive Containment Cooling / Containment - Steam Generator System I
i As discussed in Section 2.3 in this WCAP, the focus of the PCS and SGS interactions is related to the
]
effects on the integrity of the RCS and SGS pressure boundaries. The PCS is designed to maintain long-term heat removal by condensing steam that is released to containment from either PRHR or ADS actuation.
A steam generator tube rupture does not direct 1 afect PCS operation, although it indirectly interacts with the PRHR HX and IRWST following this event, based on the interactions discussed in subsections 2.3.3.4, 2.3.3.5, 2.3.5.2, and 2.3.5.3 of this document.
m:u63onon:ibano96 2-56 REVISION: 0
A break in the SGS secondary system pressure boundary can discharge steam to containment, which results in an increase in containment pressure that directly affects the PCS actuation. The PCS actuates, condensing the steam that is discharged from the steam generator.
These design interactions have been confirmed as part of the testing and plant analyses.
, 2.3.7.2 Passive Containment Cooling / Containment - Main Control Room Habitability There are no significant interactions between the PCS and the main control room habitability system.
2.3.7.3 Passive Containment Cooling / Containment - Reactor Coolant System The PCS is designed to provide long-term passive heat removal by condensing steam that is released to containment from breaks such as a LOCA or main steam line break, and from IRWST steaming due to PRHR HX or ADS actuation. The PCS actuates on high containment pressure resulting from these steam releases to containment. The PCS is responsible for removing both sensible and decay heat from the RCS, and PCS operation impacts the containment pressure by condensing the steam and retuming the condensate to either the IRWST or the containment recirculation area for subsequent injection into the RCS.
Since the PCS controls the containment pressure, it indirectly affects RCS pressure, which is affected by either PRHR HX operation for non-LOCA events or from break flow and ADS flow, which removes core decay heat and sensible heat as the RCS depressurizes, for LOCA events.
The RCS affects PCS operation since core decay heat affects the ADS flow required to remove this decay heat, along with sensible heat as the RCS depressurizes. RCS conditions affect how fast and how much total heat is released to the PCS over time. For non-LOCA events that do not result in RCS depressurization, the core decay heat transferred to the IRWST by PRHR HX operation affects the PCS heat transfer rate. In addition, for LOCA events, the break size and location significantly affect the PCS heat addition rate.
These design interactions have been confirmed as part of the testing and plant analyses.
2.3.8 Steam Generator System j 1
2.3.8.1 Steam Generator System - Main Control Room Habitability There are no significant interactions between the accumulators and the main control room habitability system.
m:u63ow.non:ib-ono96 2-57 REVISION: 0
I l
t 1
2.3.8.2 Steam Generator System - Reactor Coolant System '
The interactions between the RCS and the SGS are divided into two categories. The first category.
l that is not important for the purposes of this report, includes normal system functions to maintain system integrity and support normal system operation and power generation.
The second category of interactions is related to the interactions between the RCS and SGS and the ,
associated safety-related passive systems following an accident. A loss of integrity for either the RCS or the SGS initiates an accident, such as a LOCA, SGTR, or steam break from the secondary system. t The various interactions between these two systems and each of the safety-related passive components * '
are discussed in the appropriate discussions throughout Section 2.3 of this document. '
These design interactions have been confirmed as part of the testing and plant analyses.
l 2.3.9 Main Control Room Habitability System The main control room habitability systen. only interacts with the main control room and not directly ;
with any of the safety-related passive systems discussed in this Section 2.3, herein.
Spurious actuation of the main control room habitability system is an adverse system interaction that i only affects the future operability of the main control room if the system were needed. Spurious !
actuation has no significant consequences on the main control room operation.
Actuation of this system occurs if either main control room habitability system isolation valve is opened and causes the main control room habitability system emergency air storage tanks to vent compressed air into the main control room. The spurious opening of these valves is prevented by the instrumentation and control design. This is not a significant interaction since it does not cause a plant transient and there is sufficient time, alarms, and indications to allow the operators to diagnose the problem and take the corrective actions required. The effects of this transient are discussed in Chapter 15 of the AP600 SSAR. Therefore, the AP600 design has addressed this potential adverse
~
systems interaction.
?
i m:u63ow.nons 022096 2-58 REVISION: 0
1 I
i l
I l
3.0 EVALUATION OF POTENTIAL HUMAN COMMISSION ERRORS 3.1 Objectives and Method
'Ihe adverse systems interactions are already studied from a functional point of view in Section 2.0 of ;
this report. In this section, these interactions are examined from the point of view of potential human l
, errors that may cause the same adverse interactions. Since the AP600 plant is designed to minimize the reliance on operator actions to mitigate accident, cognitive operator actions are deemed to be the l source of potential adverse system interactions, as opposed to omission errors that are routinely ,
1 modeled in the AP600 Probabilistic Risk Assessment (PRA)(Reference 2). l l
Cognitive commission errors involve human errors in the decision-making process in dealing with I l
event sequences studied in the PRA models. These errors may include the starting or stopping of safety systems that are neither called for nor include prematurely performed actions, and actions performed out of sequence in following procedures. Normally, the failure probabilities of such errors are very difficult to quantify. On the other hand, other actions such as non-response to a cue, l omission, unable to complete an action due to lack of time, and commission errors associated with
! manipulation are routinely modeled and are quantified in the AP600 PRA model. This section, the potential for cognitive commission errors as they relate to the potential adverse system is studied l qualitatively.
The most likely sources of cognitive commission errors are as follows: I 1
An accident sequence where there is a goal conflict that is not resolved by the procedure Too little or too much information that would either mislead or confuse the operator Procedures that allow or lead operators to make knowledge-based decisions l
To avoid cognitive commission errors, the AP600 design has placed requirements in task analysis, Emergency Response Guidelines (ERGS) (Reference 3) and Function Restoration Guidelines (FRG).
l, The AP600 man-machine interface design process discussed in the AP600 Standard Safety Analysis l Report (SSAR) (Reference 1) Chapter 18 includes the development of the following for this purpose:
-
- Function-based task analysis
- Symptom-based ERGS and FRGs The function-based task analysis results identify the hierarchy of instrumentation for operator use and present it logically to the operators. ;
t The emergency operating procedures address resolution of conflicting indications between nonsafety-4 related and safety-related instrumentation. Moreover, the ERG /FRGs are symptom-based, thus they do l
m:\2630-1.non:ltA022096 3-1 REVISION: 0
_ . - __ ._ . _ . _ . . _ _ . _ . _ . - _ . _ _.m . . _ m _ . _ .
k l
. i' not allow the operator make knowledge-based decisions. The ERG /FRGs are computerized to providej case of access and self-checking.
Another design feature that provides a diverse path to prevent cognitive commission errors is the status trees that are monitored by an independent plam staff member, usually an engineer who is not a -
member of the routine control room team. This engineer monitors the status trees, and when a red path is reached, instructs the operators to follow the FRG associated with that red path. Thus, the -
f
" operators, regardless of the decisions made and actions taken to that point, go to a separate procedure to handle the current plant status. This allows recovery from, or mitigation of cognitive errors that might have lead to the current plant status, by breaking the operator team away from the path they have been following.
To provide a systematic evaluation of potential human commission errors that may cause adverse systems interactions, each of the adverse system interactions already identified in Section 2.0 of this report are examined from a human commission error point of view. In this examination, three questions are asked for each candidate adverse system interaction:
Is there an opportunity for a commission error? '
Namely, is there a procedure that the operators are following, in which the operator is l supposed to manipulate the system causing the adverse interaction while the affected system is operational?
Are there safeguards against a commission error?
Namely, are there:
Proceduralized steps to avoid a specific commission error, or recovery steps to recover from such an error if it happens?
Only automatic actuation of both systems involved?
- ~
Automatic termination of a system function, when the adverse system interaction happens?
Is the effect of adverse system interaction already modeled in the PRA?
Namely, is the effect modeled:
As a part of system models?
As a part of establishing success criteria basis?
mA26301.non:lbw22096 3-2 REVISION: 0
The responses to these questions allow the adverse system interaction to be classified as follows:
- 1. There is no credible concern for human commission error for this adverse system interaction to occur.
- 2. There is a credible way for this humr.n commission error to occur, but there is sufficient time
, to recover. Thus, the overall effect is not significant.
- 3. The error is credible and is already modeled in the PRA or is bounded by other failures or success criteria modeled in the PRA.
- 4. The error is credible and is not modeled in the PRA.
In Section 4.0 of this report, each adverse system interaction identified in Section 2.0 is assigned one of the above classifications. One of the main objectives of this work is to identify if any human commission errors of type 4 exist for the AP600 plant.
Section 3.3 discusses those conunission errors where the operator may be reluctant to actuate a safety system due to potential adverse economic consequences to the plant.
3.2 Identification of Potential Commission Errors Each of the potential adverse system interactions identified in Section 2.0 of this WCAP is examined in this section from the point of view of human errors of commission. For each interaction, the method described in subsection 3.3.1 is applied. The answers to the three questions in the method are then evaluated to reach a conclusion about each interaction from a human commission error point of view. Finally, each item is classified in one of the four categories described in Section 3.1 of this document. Table 31 contains all of these steps. The results are summarized later on in Section 3.4 m:u6301.non:lbVr4096 33 REVISION: 0
9
$ TABLE 3-1
$ TABLE OF ASSESSMENT OF POTENTIAL ADVERSE HUMAN COMMISSION ERRORS i
u Adverse Interaction Does opportunity for Are there safeguards Is adverse interaction Conclassons I.uman error exist in against human error? already modeled in the [i] = ith category of Section Description procedures? PRA?
$ classification Number 2.2.1 RCP - Core No; RCP trip is auto- Yes: RCPs are No. There is no credible restic and there is no automatically stopped. concern for human LOC A related procedure commission error for this where 6e operators are adverse system inter-instructed to restart action to occur.
RCPs if CMTs required. [1]
2.2.1 RCP - CMT Same as above (RCP - Same as above (RCP - Yes, this potential Here is no credible Core). Core). adverse interaction is concern for human modeled in the PRA in commission error for this terms of failure of RCP adverse system inter-y pur.1p breakers to open. action to occur. More-Thus, this failure mode over, RCP breaker is captured in plant risk " failure to open" failure profile as a mechanism mode captures the concern that reduces CMT in the PRA model.
success probability. [1]
2.2.1 RCP - PRHR No; RCP trip is Same as above (RCP - No, this potential %ere is no credible (during large steam line automatic and these is no Core). adverse interaction is not concern for human break accidents only). event related precedure modeled in the PRA. commission error for this where the operators are However, it is observed adverse system inter-instructed to restart l'CP. that large steam line action to occur.
break events are not [1]
important contributors to the plant risk.
De E
v; b
o
B Si TABLE 3-1 (Continued)
$ TABLE OF ASSESSMENT OF POTENTIAL ADVERSE HUMAN COMMISSION ERRORS w
$ Adverse Interaction Does opportunity for Are there safeguards Is adverse interaction Conclusions human error exist in against human error? already modele
- in the [i] = ith category of L@ Section Description procedures? PRA? classification
$ Number 2.2.2 Pressurizer Heater - No; pressurizer heaters Yes, automatic tripping No, this potential Here is no credible CMT and PRHR (during are tripped on a logic exists. adverse interaction is not concern for human SG tube rupture event). safeguards actuation modeled in the PRA. If commission error for this signal; there are no the automatic tripping of adverse system inter-procedure steps to turn pressure heaters fails, a action to occur. However, them on. potential adverse inter- if the auto trip fails, the action exists. However, functional adverse inter-the failure probability of action would still be valid.
automatic signal is small. [1]
Procedures instruct the
, operator to trip the heater dn if automatic trip fails.
2.2.3 CVS Makeup Pump Yes, there are procedural Yes, auto tripping logic No, this potential adverse Dere is no credible interaction with non- steps for operator to by PLS and PMS exits. interaction is not modeled concern for human LOCA events control CVS pumps to in the PRA. If the auto- commission error for this maintain pressurizer matic tripping of CVS adverse system inter-level. makeup pumps fails, a action to occur. However, potential adverse inter- if the auto trip fails, the action exists. However, functional adverse inter-t!e failure probability of action would still be valid.
automatic signal is small. [l]
Procedures instruct the operator to trip CVS pumps if automatic trip fails.
E b
.O.
O
a
$ TABLE 3-1 (Continued) 5 TABLE OF ASSESSMENT OF POTENTIAL ADVERSE HUMAN COMMISSION ERRORS I
a Adverse Interaction Does opportunity for Are there safeguards Is adverse interaction Conclusions g human error exist in against human error? already modeled in the
" Section Description [i] = ith category of procedures? PRA?
5 Number classification 2.2.3 CVS Makeup Pump Yes, step 4 of ERG Yes, CVS pumps are Yes. %e automatic trip Dere is the potential for interaction with SGTR AE-3 instructs operator automatically tripped on of the CVS pumps via human commission error.
to start one CVS pump. high SG water level. PMS is modeled for high However, this error Rus, there is potential SG level. Procedures would be neutralized by for a commission error, instruct the operator to the auto SG high level trip CVS pumps if auto- signal. Dus the overall matic trip fails. effect is negligibly small.
De failure of the auto trip signal is already modeled in the PRA.
w Iil 2.2.4 CVS Purification Lop No operator action Not applicable, since No need to model in %ere is no credible needed. there is no operator PRA. adverse operator action.
action.
[l1 2.2.5 Makeup Control System 2.2.6 Letdown Line No. I om -mf ated Yes. Line is automatically No. Here is no credible Interactions procedi- uct the isolated. adverse operator action.
operator to open the
[1]
letdown line 2.2.7 Hydrogen Addition Line Operator action does not Yes. Amount of hydrogen No. Here is no credible contribute to this adverse that can be introduced adverse operator action.
instruction. into RCS is liraited. [Il 5
b
.O.
C e o G S
..--c
R 9 TABLE 3-1 (Continued)
$ TABLE OF ASSESSMENT OF POTENTIAL ADVERSE HUMAN COW'ISSION ERRORS Adverse Interaction Does opportunity for Are there safeguards Is adu a interaction Conclusions E human error exist in against human error? miready modeled in the M [i] = ith category of Section Description procedures?
5 PRA? classification Number 2.2.8 Main Feedwater Pumps Yes. Potential operator Yes, MFW is automat- No. Potential for human commission error exists ically isolated. Also step commission error can be in step 3 of ERG AES-0.1. 3 clearly states objective; postulated but it is instructs closure of MFW deemed to be highly control valves before unlikely due to the establishing feedwater safeguards discussed in flow to the SG. column 4. Even if the unlikely failure occurs, it will lead to a transient with a spurious SI signal y which is not a dominant 43 risk contributor.
[2]
2.2.9 Startup Feedwater Operator is expected to Not needed. Not modeled. Here is no concern.
Pumps - PRilR utilize SFW if MFW is [1]
not available, as a preferred heat removal means after transients.
Bus there is no concem.
2.2.9 SFW - SGTR Yes. With an SI event, Yes. Automatic Yes, failure of automatic Modeled in the PRA.
the operator is instructed termination of SFW flow SFW termination is [3]
to start SFW pumps on a high SG water level. modeled in the PRA.
(step 14 of AE-0).
E 0
O
R ft TABLE 3-1 (Continued)
$ TABLE OF ASSESSMENT OF POTENTIAL ADVERSE HUMAN COMMISSION ERRORS 9
!'. Adverse Interaction Does opportunity for Are there safeguards Is adverse interaction Conclusions
@ human error exist in against human error? already modeled in the [i] = ith category of L Section Description procedores? PRA? classification 5 Number 2.2.10 RNS-IRWST (drain Operator is expected to No. No. Operators are instructed IRWST faster; if then start RNS. to start RNS. If RNS RNS pumps fail, SI fails to continue injection gravity head operating, the gravity will be less). head would be less for SI injection. This is a property of the design; not a commission error.
[1]
2.2.11 SG Blowdown No. Auto isolation of SG No. Not a credible human
[ blowdown. interaction concern.
[1]
2.2.12 Containment Fan No operator action. Not applicable, since there No need to model in Not a credible human Coolers is no operator action. PRA. interaction concern.
Ill 2.2.13 Plant Control System No operator actions. Not applicable, since there No need to model in Not a credible human is no operator action. PRA. interaction concern.
til 2.2.15 Liquid Waste Processing No operator actions. Automatic isolation of Not modeled. Not a humani interaction System / Containment discharge line. concern.
Sump Pumps
[1]
s m
O
a e e .
B
$ TABLE 3-1 (Continued)
$ TABLE OF ASSESSMENT OF POTENTIAL ADVERSE HUMAN COMMISSION ERRORS i
- c. Adverse Interaction Does opportunity for Are there safeguards Is adverse interaction Conclusions 5 hunnan error exist in against human error? miready niedeled in the - [i] = ith category of I Section Description procedures? PRA? classification Number 2.2.16 IWRST Gutter As explamed in sulxsection 2.2.16, this is not a safety concem for 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />.
2.2.17 CCS/RCPs No operator actions. Auto reactor trip on loss Yes. Failure of RCP(s) Not a human interaction of CCS cooling to RCPs leading to transient concern.
(measured in terms of events is modeled in the [1]
temperature).
Since the RCPs are canned motor type, RCP y seal LOCA due to loss of CCW cooling is not a concem for the AP600 design.
2.2.18 Primary Sampling No operator actions. Auto isolation on Yes. Evaluated in Not a human interaction System /RCS inventory until 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> post- containment isolation modeling of containment concern.
accident. signal. isolation failure. [1}
E O.
O
1 l
9 TABLE 3-1 (Continued)
$ TABLE OF ASSESSMENT OF POTENTIAL ADVERSE HUMAN COMMISSION ERRORS b
$ Adverse Interaction Does opportunity for Are there safeguards Is adverse interaction Conclusions E human error exist in against human error? already modeled in the M Section Description [i] = ith category of procedures? PRA? classification
$ Number 2.2.19 Spent Fuel Pool Cooling As discussed in System /CVS, IRWST, subsection 2.2.19, the Containment isolation. design prevents CVS from overdraining SFS.
II)
IRWST connections are administratively controlled and IRWST level is monitored. Since y
- there are two levels of a defense, it is adequate to prevent or mitigate inadvertent opening.
[1]
No. Yes, automatically Considered for contain- Containment penetrations isolated on containment ment isolation model. are automatically isolation signal. isolated. There are no operator actions to open them.
Ill E
E O.
O e
R R
TABLE 3-1 (Continued) 5 i:, TABLE OF ASSESSMENT OF POTENTIAL ADVERSE HUMAN COMMISSION ERRORS O
u Adverse Interaction Does opportunity for Are there safeguards Is adverse Interaction Conclusions
% human ermr exist in against human error? already modeled in the C Section Description [i] = ith category of pmeedores? PRA?
$ Number classification 2.2.19 Spent Fuel Pool Cooling Yes, for maintenance No. No. The SFS to fuel transfer System / Fuel transfer operations.
cana;. canal connection is administratively controlled. Since there is i
a single line of defense a ;
cognitive operator error potential can be postulated.
However, spent fuel pool accidents are not deemed to be of risk significance.
y
- (4)
~
Passive-Passive System Interactions
- 2. '.5 CMT/Accum. and ADS No. CMTs are expected No. Yes, this adverse system Not a credible human !
to actuate before ADS. interaction is considered interaction concern. !
Accum. not actuated by in the MAAP4 analyses [1]
the operator. Hus, there that support the PRA is no operator commission success criteria.
error expected.
, 4 lc E
E o
3 O
R 9
5 TABLE 3-1 (Continued) 1 TABLE OF ASSESSMENT OF POTENTIAL ADVERSE IIUMAN COMMISSION ERRORS u Adverse Interaction Does opportunity for Are there safeguards Is adverse interaction Conclusions
@ human error exist in against human error? already modeled in the g' Section Description procedures? [i] = ith category of
, 3 Number PRA? classification Passive-Passive System Interactions (Continued) 2.3.1.9 CMT and RCS No. There are no Yes. There are procedures No, the effect of such a procedures for main This interaction is (per AES-I.1) to isolate transient is bounded by conservatively classified control room operators CMTs when spurious the risk from the as category to manipulate CMT to CMT actuation is transients in AP600 lead to spurious CMT [3].
confirmed. PRA: the risk from actuation during power transients is not operation. However, Also, if soft controls are dominant for AP600.
even if one is postulated, used, MMis will have it will lead to a transient features to confirm the a
" event, which is analyzed component to be actuated.
in Chapter 15 of AP600 SSAR.
2.3.2.3 Accum. and PRHR Classified as insignificant in subsection 2.3.2.3. It is not pursued any further here.
[1]
2.3.2.7 Accum. and RCS Classified as insignificant in Section 2.3.2.7. It is not pursued any further here.
[IJ E
s e
.O.
O
o a B
di TABLE 3-1 (Continued) 5 TABLE OF ASSESSMENT OF POTENTIAL ADVERSE HUMAN COMMISSION ERRORS i
u Adverse Interaction Does opportunity for Are there safeguards Is adverse interaction Conclusions
- g. human error exist in against human error? already modeled in the [i] = ith category of Section Description procedures?
$ Number PRA? classification Passive-Passive System Interactions (Continued) 2.3.3.1 IRWST and No. Yes. Even if the operator No. Not a credible human Containment opens the containment Recirculation interaction concern.
recirculation isolation
[1]
valves during power operation, no reactor trip occurs. There is sufficient time, alarms, and indi-cations to allow the operators to diagnose the
- 1. problem and take the to conective actions required.
2.3.5.5 PRHR HX and RCS No. There are no No. I&C design is No. However, a This interaction is operation procedures that expected to minimize the spurious actuation of conservatively classified would require the main spurious signal causing PRHR HX during power as category.
control room crew to actuation; however, no operation would lead to manipulate PRHR HX.
[3]
credit is taken for it in the a transient event, already Most likely cause for present discussion. analyzed in SSAR. The human error would be a effect of such a transient spurious signal during an is bounded by the risk I&C test. from the transients in AP600 PRA: the risk from transients is not dominant for AP600.
E!
.O.
O
s
$ TABLE 3-1 (Continued)
$ TABLE OF ASSESSMENT OF POTENTIAL ADVERSE HUMAN COMMISSION ERRORS i
a Adverse Interaction Does opportunity for Are there safeguards Is adverse interaction Conclusions 5 human error exist in against human error? already modeled in the [i] = ith category of M Section Description procedures? PRA? classification
$ Number Passive-Passive System Interactions (Continued) 2.3.6.4 ADS and RCS Yes. Spurious ADS Yes. ADS LOCA event Yes. De risk of The event is modeled in actuation during power can be terminated. Here spuricus ADS actuation PRA.
operation would lead to is sufficient time, alarms, is factored into the a LOCA event. He and indications to allow LOCA events in the There may be a potential most likely human error the operators to diagnose PRA model. human error to may be related to test or the problem and take the inadvertently actuate maintenance of corrective actions ADS during power instrumentation. required. operation. Procedures exist to terminate the a event.
[3]
2.3.7 PCS and Containment No. Moreover, spurious Yes. No. This interaction is opening caused by insignificant from a operator during power safety point of view.
operation is
[1]
inconsequential (does not cause a transient). After reactor trip, it is either insign ficant, or beneficial.
2.3.9 MCR Habitability This interaction is System insignificant from a safety point of view.
$ Ill 5
se O.
O e , e e
_._ m _ - _ _ _ _ _ _ _ _
3.3 Comm*ssion Error Related to Economic Consequences Another set of potential commission errors is related to economic consequences. In some event sequences, the operators may be reluctant to actuate a safety-related system since it may have adverse economic consequences to the plant. An example of such an action often cited is reluctance to start feed and bleed in conventional plants since it would lead to cleanup; the operators may continue to try
, to recover secondary cooling, rather than go to feed and bleed until it is too late.
In the AP600, the counterpart to feed and bleed operation is related to ADS actuation. He AP600 plant has been designed to minimize the consequences to the containment from ADS actuation. Unlike in current plants, where even limited feed and bleed can result in rupturing the pressurizer selief tank and causing reactor coolant to be spilled into containment, the first three stages of ADS discharge to spargers located in the IRWST. His minimizes the consequences of the first three stages of ADS operation to the containment environment. As discussed in Section 2.0 of this report, following a spurious ADS, if the normal residual heat removal pumps were to operate in conjunction with the first three stages of ADS, then the CMTs will not drain to the fourth stage ADS setpoint, and significant containment flooding will not occur. Even in the event of a full ADS (i.e., fourth stage ADS valves opening), the RCS loop compartments would fill with water, but significant flooding elsewhere in containment would be avoided.
Manual ADS actuation in the AP600 is only required ii' the actuation setpoints are met, but automatic actuation has not occurred. In this case, the ERGS instruct the operators to manually actuate ADS.
Manual actuation is also called for in the Function Restoration Guidelines (FRGs), where an indication of a significant inadequate core cooling has occu md. Ewever, in these cases, automatic and manual actuation should have already occurred. In situations such as this, the operator's failure to actuate ADS would be a clear violation of the procedures. The probability that the operator would deliberately violate procedures and fail to take the actions necessary to manually actuate ADS is not credible.
3.4 Resuhs of Analysis
, In this section, the potential adverse interactions discussed in Section 2.0 are evaluated systematically from a human commission error point of view. Table 3-1 shows the evaluation item by item. The last column in the table provides the conclusion as to the credibility and risk significance of any potential cognitive commission error that would lead to an adverse system interaction.
From Table 3-1, it is concluded that six human actions can be classified as impacting adverse system interactions. These are discussed below:
2.2.3 CVS pump interaction with SGTR event Operators are instructed in the ERGS to start one CVS pump (step 4 of ERG AE-3). Since the operator is following the ERG, this is technically not a commission error. The potential adverse m:\263o-l.non:lbw22096 3-15 REVISION: 0
interaction with overfilling the faulted steam generator (SG) is prevented by the design, that is, by automatic CVS pump trip on high SG level.
However, if the operator overrides the automatic CVS pump trip on high SG level, the adverse interaction would occur. There are no instructions in the procedures for overriding this auto trip.
Thus, this kind of commission error is not deemed credible.
In conclusion, this operator action is a part of the expected response to the event.
2.2.8 .
MFW pump - continued operation may lead to spurious SI signal due to RCS overcooling during transients During a transient event, step 3 of ERG AES-0.1, substep b, instructs the operator to close the MFW flow control valves, followed by substep c, which instructs the operator to verify feed flow to SG (with SFW). It is conceivable that operators may provide this feed flow by MFW: thus a potential
- commission error could occur. However, this is unlikely since substep b clearly implies termination of MFW. Moreover, MFW flow to RCS is automatically terminated when a low RCS Tavg signal is generated.
In conclusion, operator action to maintain MFW flow is highly unlikely, and would be automatically overridden, leading only to a spurious SI event, which would then be handled by the passive safety systems.
2.2.9 SFW pump interaction with a SG tube rupture event During an SGTR event, the operators are instmeted to start SFW pumps (step 14 of AE-0). His may have an adverse system interaction on the faulted SG later in the event. This has been anticipated, in that the AP600 design provides automatic termination of SFW flow on a high SG level.
This is already modeled in the AP600 PRA and its consequences are quantified. A potential failure to a stop SFW pumps is not a dominant contributor to AP600 plant risk.
2.2.19 Spent fuel pool cooling system interaction with connection to fuel transfer canal
- The SFS to fuel transfer canal connection (normally closed manual valve SFS-V040) is administratively controlled. Since there is a single line of defense, a cognitive operator error potential can be postulated. However, spent fuel pool accidents are not deemed to be of risk significance (they are not studied in the PRA since their effect would develop slowly and involves a lesser fission product source than that of the RCS).
m:u630-1.non:ibw22096 3-16 REVISION: 0
2.3.1.9 CMT actuation during power operation A spurious actuation of the CMT during power operation would lead to a transient event, already analyzed in the SSAR. During such a transient, the operators would follow ERG AE-0 (response to reactor trip or safety injection). Step 26 of this ERG would direct the operators to ERG AES 1.1 (passive safety systems termination), which would allow tennination of CMT in step 3.
In the AP600 PRA, the occurrence of one transient per year is postulated and its risk is calculated to
' be not dominant. A spurious CMT actuation will be covered by this PRA model and would only be a small fraction of 6e postulated transient initiating event frequency.
2.3.5.5 Passive residual heat removal heat exchanger actuation during power operation A spurious actuation of PRHR HX during power operation would lead to a transient event, already analyzed in the SSAR. During such a transient, the operators would follow ERG AE-0 (response to reactor trip or safety injection), which instructs operators to verify / actuate PRHR HX in step 8. Later on, step 26 of this ERG directs operators to ERG AES 1.1 (passive safety systems termination), which would allow termination of PRHR HX in step 6.
In the AP600 PRA, the occurrence of one transient per year is postulated and its risk is calculated to be not dominant. A spurious PRHR HX actuation will be covered by this PRA model and would only be a small fraction of the postulated transient initiating event frequency.
2.3.6.4 ADS actuation during power operation A spurious actuation of the ADS during power operation would lead to a LOCA event. This event is explicitly modeled in the AP600 PRA. The contribution of such an event to large, medium, and intermediate LOCA initiating event frequencies is calculated in the PRA. Although this spurious ADS LOCA is a terminable LOCA event, operators are not instructed to terminate ADS.
No specific cognitive human failure that would lead to a spurious ADS actuation during power operation is identified. Thus, such a human failure is deemed to be of low frequency, that is, not expected during the lifetime of the plant.
3.5 Conclusions Based on the results discussed in Sections 3.3 and 3.4 of this document, no cognitive human error that might cause significant systems interactions and might be of significant concern to plant risk has been identified.
m:us30-i.non:ibo22096 3-17 REVISION: 0
4.0 SPATIAL INTERACTIONS Spatial interactions are interactions resulting from the presence of two or more systems in proximate locations. The spatial interactions considered include the effects of fire, flood, pipe break, missile hazard, and seismic events. These interactions are addressed in the SSAR in Sections 9.5,3.4,3.6, 3.5, and 3.7. The protection required for safety-related systems and the potential for spatial interactions from nonsafety-related systems are largely independent of whether or not a nonsafety-related system is operating.
Safety-related systems are required to be protected from the effects of failures in safety-related and nonsafety-related systems. Safety-related systems are limited in location to within the containment, containment shield building, and the auxiliary building. The restricted extent of the safety-related systems and components limits the number of nonsafety-related systems that need to be considered as possible sources of adverse interactions. In addition to separation of safety-related and nonsafety-related systems, one of the important features providing protection is the exterior and interior structural walls, floors and roof of the auxiliary building and the stmeture of the containment shield building.
Nonsafety-related systems, including systems with RTNSS missions and defense-in-depth missions, are generally not required to be protected from the effects of failures in nearby systems.
Specific considerations for the spatial interactions are provided in the following paragraphs.
Fire The key method of addressing fire hazard is the use of fire barriers (walls, floors, and fire-rated doors) between fire zones in the auxiliary building. Redundant trains of safety-related equipment are located in separate fire zones so that the effects of a fire or fire fighting efforts do not hinder shutdown or accident mitigation capability. Automatic fire suppression systems are not provided in the containment or auxiliary buildings. This minimizes the potential for adverse effects of flooding or water spray due to fire fighting efforts on safety related systems.
Significant quantities of combustible materials such as diesel fuel and hydrogen are not located in the buildings containing safety-related systems. This also minimizes the potential for a fire-related adverse system interaction.
Flood Safety-related systems and components in containment are located above the maximum flood-up level or are designed to operate when under water. The wproach of using water stored inside containment for the safety-related core cooling and safety injectma limits the amount of water available to flood the containment to a known finite amount.
ma2630-1.non:1bw22096 4-1 REVISION: 0
1 Two primary sources were evaluated for potential flooding in the auxiliary building. The first was water in pipes routed through compartments containing safety-related systems and components. In these areas, drains, vents, and other means quickly conduct water and steam out of the auxiliary building and away from the safety-related systems and components. The second significant source of potential flooding evaluated was water used for fire fighting. Fire fighting is provided by hand-held hoses connected to a water supply. The water for these hoses from the PXS tank above containment provides sufficient volume and water head. Water from fire fighting efforts flows through drains, - I under doors and down stairwells to the lowest level of the auxiliary building. The amount of water available for fire fighting is limited. If all the water remains in the auxiliary building, the result could be several inches of water on the floor in the lowest level.
Pipe Break Safety-related systems are protected from the dynamic effects of pipe breaks and cracks in safety related and nonsafety-related, high-energy piping systems. Dynamic effects include pipe whip, jet impingement, and subcompartment pressurization. Moderate energy line breaks are evaluated for spray wetting and environmental effects. The separation of safety-related from most nonsafety-related piping systems minimizes the potential for adverse interaction between safety-related and nonsafety-related systems.
A number of the safety-related high energy lines inside containment are shown to have :
leak-before-break characteristics. Dynamic effects of pipe breaks in these lines did not have to be evaluated. The portions of nonsafety-related, high-energy lines that are not constructed to the criteria of the ASME Boiler and Pressure Vessel Code are not qualified as leak-before-break lines.
The portion of piping adjacent to containment penetrations is in a break exclusion zone. Piping within f the break exclusion zone is subject to additional limits on pipe stress, and the effects of pipe break did not have to be evaluated. An exception to this exclusion was the main steam and feedwater piping in the steam tunnel subcompartment adjacent to the main control room complex. He main steam and feedwater lines in this area do qualify as break exclusion zone piping. Because of the importance of -
the function of the main control room and a safety-related battery room below, the wall and floor are l evaluated for the effect of pipe whip, jet impingement, and subcompartrnent pressurization. High-energy line breaks in the turbine building were also evaluated for dynamic effects on the control room.
Missile Hazard Safety-related systems and components are protected from the effects of potential missiles by separation from missile sources, the building structure, system and component design, and if necessary, barriers. Missile sources may include fragments from failures of rotating elements including pump and fan impellers, failure of pressurized components, and explosions. Because of the design requirements m:u6301.non:1bw22096 4-2 REVISION: 0
and construction codes used, safety-related components are not considered to be credible sources of missiles due to impeller failures or failure of pressurized components.
The exterior and interior structural walls, floors and roof of the auxiliary building and the structme of I the containment shield building provide protection from potential sources not located in the same !
l subcompartment for the safety-related systems and equipment. Where nonsafety-related equipment is
, located in the same compartment as safety-related systems and components, the equipment is built to requirements similar to safety-related equipment to preclude the generation of missiles or is located inside an enclosure constructed to retain missiles.
s The AP600 turbine is oriented to preclude the impact of low trajectory turbine missiles in areas containing safety-related systems and components. The design, metallurgy, and fabrication methods used for the AP600 turbine result in such a low probability of rotor failure that the impact of high trajectory missiles did not have to be evaluated.
Seismic Events Safety-related structures, systems, and components are designed, analyzed, and constructed to withstand the effects of a safe shutdown earthquake. These structures, systems, and components are
, classified as seismic category I. Nonsafety-related structures, systems, and components whose failure could have an adverse impact on a seismic category I structure, system, and component are classified as seismic category II. Seismic category II structures, systems, and components are designed and evaluated to provide that the failure of the seismic category II structure, system, or component does not result in a failure of a seismic category I stmeture, system, or component.
1 e
i m:u630-1.non:Ibe22096 43 REVISION: 0
5.0 CONCLUSION
S This report summarizes the systematic and thorough approach that has been used to evaluate the AP600 for potential adverse system interactions. Potential adverse system interactions that reduce the capability or degrade the performance of the safety-related systems to perforrn their safety-related missions are identified. This report also documents that the AP600 Standard Safety Analysis Report (Reference 1) and the Probabilistic Risk Assessment (Reference 2) have properly considered these adverse system interactions.
O Insights to the regulatory treatment of nonsafety-related systems have been obtained by identifying the important interactions between nonsafety-related systems and the safety-related systems in the AP600 By understanding the important interactions and potential adverse system interactions, the operation of the nonsafety-related systems can be properly accounted for in the pertinent AP600 licensing submittals.
Insights to the AP600 Emergency Response Guidelines (Reference 3) and man-machine interface system (MMIS) design have been obtained from this report. By identifying important adverse system interactions, the AP600 emergency operating procedures and MMIS can be developed to avoid potential operaw errors that result in unintended adverse interaction that leads to degradation of the plant safety during an accident.
J A
m:u6301.non:ibw22096 5-1 REVISION: 0
6.0 REFERENCES
- l. AP600 Standard Safety Analysis Report, Revision 4, May 1995
- 2. AP600 Probabilistic Risk Assessment, Revision 6, November 1995
- 3. AP600 Emergency Response Guidelines, Revision I, July 1995 4
m:usso l.non:ibw22m6 6-1 REVISION: 0