
SECY-98-161

July 1, 1998

FOR: The Commissioners
FROM: L. Joseph Callan /s/
Executive Director for Operations
SUBJECT: THE WESTINGHOUSE AP600 STANDARD DESIGN AS IT RELATES TO THE FIRE PROTECTION AND THE SPENT FUEL POOL COOLING SYSTEMS

PURPOSE:

To inform the Commission of the staff's approach in dealing with the issues of fire protection and spent fuel pool (SFP) cooling systems as they relate to the Westinghouse Electric Company's AP600 passive design. The staff's approach to the review and approval of these systems is presented in this paper and in the advanced final safety evaluation report for the AP600 design submitted to the Commission on May 1, 1998.

BACKGROUND:

In its staff requirements memorandum (SRM) of July 21, 1993, the Commission directed the staff to review passive plants against the enhanced fire protection criteria approved in the Commission's SRM dated June 26, 1990. The fire protection criteria for the AP600 are specified in SECY-90-016, "Evolutionary Light-Water Reactor (ALWR) Certification Issues and Their Relationship to Current Regulatory Requirements"; SECY-93-087, "Policy, Technical, and Licensing Issues Pertaining to Evolutionary and Advanced Light-Water Reactor (ALWR) Designs"; and SECY-94-084, "Policy and Technical Issues Associated With the Regulatory Treatment of Non-Safety Systems in Passive Plant Designs."

In SECY-96-128, "Policy and Key Technical Issues Pertaining to the Westinghouse AP600 Standardized Passive Reactor Design," the staff informed the Commission that the design of the AP600 did not meet the guidance provided in Standard Review Plan (SRP) Section 9.1.3, "Spent Fuel Pool Cooling and Cleanup System." In accordance with the SRP, the spent fuel pool (SFP) cooling system should be designed to seismic Category I, Quality Group C, requirements, or the makeup water system and its source and the fuel pool building and its ventilation and filtration system must be seismic Category I. The makeup, ventilation, and filtration systems must also be capable of withstanding a single active failure.

CONTACT: Dino C. Scaletti, NRR/PDST
415-1104

James E. Lyons, NRR/SPLB
415-2803

DISCUSSION:

The staff has completed its review of the AP600's fire protection and SFP cooling system. Review of these two systems was complicated by the fact that the AP600 design incorporates passive safety features. Straightforward application of the SRP sections for these systems was not possible because the SRP was based on the staff review experience for "traditional" PWR and BWR designs, which incorporate active safety systems. In the attachment to this paper, the staff discusses its review of these systems and how they meet the Commission's acceptance criteria. These discussions are consistent with the staff's review and evaluation presented in the advanced FSER for the AP600 design, dated May 1, 1998.

Because of the unique passive features of the AP600, the staff developed the following definitions of safe and cold shutdown to evaluate the fire protection system against the criteria identified in SECY-90-016 and SECY-93-087. Safe shutdown following a fire is defined as the ability to achieve and maintain the reactor coolant system (RCS) temperature below 215.6° C (420° F) without venting of the primary coolant from the RCS, and cold shutdown is defined as the ability to achieve and maintain the RCS below 93.3° C (200° F). The definitions of safe shutdown and cold shutdown were approved by the Commission in an SRM dated June 30, 1994, related to SECY-94-084. Based on its review, the staff has determined that the AP600 meets the requirements of 10 CFR 50.48 and General Design Criterion (GDC) 3 and, with the exception of one area, meets the enhanced fire protection criteria identified in SECY-90-016 and SECY-93-087. A deviation from the enhanced criteria that prohibits an applicant from taking credit for entry of personnel into an affected fire area to repair or operate equipment to achieve and maintain cold shutdown has been accepted by the staff. The staff's decision to allow credit for this deviation is based upon the unique capability of the AP600 to remain in safe shutdown using only passive systems for an extended period.

With regard to the SFP cooling system, the staff had informed the Commission in SECY-96-128 that the AP600 design for the SFP cooling system did not conform to the guidance of the SRP nor the requirements of GDC 2. At the time SECY-96-128 was issued, the staff was still reviewing the AP600 SFP cooling system. Westinghouse has since revised the AP600 design and provided additional analysis to demonstrate compliance with the guidance of the SRP and the requirements of GDC 2. As a result of the revised design and analysis, the staff has determined that the AP600 design provides a seismic Category I makeup system, and that a seismic ventilation and filtration system is not necessary to meet the dose limits of 10 CFR Part 20, Appendix B. Therefore, the design meets the guidance of SRP Section 9.1.3, "Spent Fuel Pool Cooling and Cleanup Systems," and the requirements of GDC 2.

CONCLUSIONS:

The staff has found the AP600 fire protection system and the SFP cooling system acceptable. The basis for this conclusion is presented in the attachment to this paper and in the advanced FSER for the AP600 design submitted to the Commission on May 1, 1998.

COORDINATION:

The Office of the General Counsel (OGC) has reviewed this paper and has not identified any concerns that raise a legal objection. However, a final determination regarding any legal objections is not expected until issuance of the AP600 FSER and final design approval. To the extent practicable, clarifications requested by OGC have been incorporated in the attachment.

DOCUMENT AVAILABILITY

The staff intends to make this paper publicly available within 3 working days from the date of this paper.

L. Joseph Callan
Executive Director for Operations

Attachments: As stated


ATTACHMENT

AP600
FIRE PROTECTION
AND
SPENT FUEL POOL COOLING SYSTEMS

Fire Protection System

The fire protection criteria for the AP600 are specified in SECY-90-016, "Evolutionary Light-Water Reactor (ALWR) Certification Issues and Their Relationship to Current Regulatory Requirements"; SECY-93-087, "Policy, Technical, and Licensing Issues Pertaining to Evolutionary and Advanced Light-Water Reactor (ALWR) Designs"; and SECY-94-084, "Policy and Technical Issues Associated With the Regulatory Treatment of Non-Safety Systems in Passive Plant Designs." In addition, 10 CFR 52.48 specifies that the design will comply with the requirements specified in 10 CFR 50.48, "Fire Protection," and General Design Criterion (GDC) 3, "Fire Protection," of Appendix A to 10 CFR Part 50. Conformance with the SRP is addressed in 10 CFR 50.34(g), which specifies that applications include an evaluation of the facility against the SRP. The fire protection guidance for nuclear power plants specified in the Standard Review Plan (SRP) is provided in BTP CMEB 9.5-1, "Guidelines for Fire Protection for Nuclear Power Plants." In addition to the guidance specified in the Branch Technical Position (BTP), which is consistent with the technical position stated in SECY-90-016 and SECY-93-087, the staff specified that the advanced light-water reactors (ALWR) shall provide an enhanced level of fire protection to ensure that safe shutdown can be achieved assuming all equipment in any one fire area is rendered inoperable as a result of fire damage and that re-entry into the fire area by plant personnel for repairs or operator actions is not possible. The control room and the containment are excluded from this criterion, provided an independent alternative shutdown capability is provided in the event of a control room fire and that fire protection for redundant divisions located inside containment is provided to ensure that one shutdown division will be free of fire damage following a fire inside the containment. 
The design must also ensure that smoke, hot gases, and fire suppressants do not migrate into other fire areas to the extent that they could adversely affect safe-shutdown capabilities, including operator actions. The NRC staff interpretations and positions related to fire protection that are published in generic communications were used, as applicable, in the review of the AP600. In addition, the applicable National Fire Protection Association codes, standards, and recommended practices that have been endorsed by the NRC were applied to the fire protection systems and features provided in the AP600 design.

Because of the unique passive features of the AP600, the NRC staff developed criteria for the protection of the safe shutdown and the cold-shutdown capability following a single fire in any fire area of the AP600. The following definitions are consistent with the Commission's guidance provided in an SRM dated June 30, 1996, related to SECY-94-084:

For the AP600, safe shutdown is a secure, stable condition that can be maintained indefinitely with the reactor subcritical and the reactor coolant pressure at a small fraction of its design pressure. This condition is achieved automatically using the safety-related passive systems. The passive residual heat removal heat exchanger transfers heat to the in-containment refueling water storage tank (IRWST). After the water in the IRWST begins to boil, steam from this tank enters the containment, which is cooled by the passive containment cooling system. These systems reduce the reactor temperature and pressure to less than 215.6° C (420° F) and 4137 kPa (600 psia) in 36 hours. The containment heats up to less than 107.2° C (225° F) and pressurizes to less than 252 kPa (22 psig) during this time.

The normal shutdown method is to cool down the reactor using the steam generators being fed by the startup feedwater system until the normal residual heat removal system can be put into service at 176.7° C (350° F) and 2758 kPa (400 psig). The normal residual heat removal system then continues the cooldown, rejecting heat to the service water system through the component cooling water system to reach cold shutdown. RCS makeup is from the chemical and volume control system (CVCS).

The use of the non-safety-related normal shutdown systems and/or the safety-related passive systems is acceptable to the staff to achieve and maintain safe shutdown following a fire. The safety-related passive systems are considered an alternate/dedicated shutdown method for fire areas when the normal shutdown systems have not been protected in accordance with the guidance prescribed in BTP CMEB 9.5-1. Consistent with the fire protection criteria for the ALWRs specified in SECY-90-016 and SECY-93-087, redundant divisions of these systems are separated such that a fire in any fire area outside the containment or the main control room will not impair the plant's capability to achieve and maintain safe shutdown as previously defined, assuming a loss of all equipment in the affected fire area.

To enhance the survivability of the normal safe shutdown and cold-shutdown capability in the event of a fire, and to reduce the reliance on the infrequently utilized safety-related passive systems, automatic suppression is provided in those fire areas outside containment in which a fire could damage the normal shutdown capability, or result in a spurious operation of equipment that could result in a venting of the RCS. SECY-90-016 prohibited entry of personnel into the affected fire area to repair or operate equipment to achieve safe shutdown (previously hot- and cold-shutdown). However, the staff has accepted personnel entry into the affected fire area to repair or operate equipment necessary to achieve and maintain cold shutdown of the AP600 as a result of the unique capability of the AP600 to remain in safe shutdown using only passive systems for an extended period. The criteria concerning repair and entry of personnel into certain fire areas to achieve cold-shutdown deviate from the criteria applied to the evolutionary reactor designs but are consistent with the criteria applicable to existing plants.

In the event that the CVCS is not available, RCS pressure will be reduced by manually opening and throttling one of the first-stage automatic depressurization system (ADS) valves until the conditions for initiation of the normal residual heat removal system are met. The use of the first-stage ADS results in a controlled venting of the RCS to the IRWST and does not result in an increase in containment pressure or temperature. The use of the first-stage ADS as previously described is acceptable as an alternative shutdown method.

As a result of the inability of the fire brigade to rapidly enter the AP600 containment in the event of a fire and the potential for damage to safety-related and normal shutdown equipment, in addition to potential spurious actuation(s) resulting in a venting of primary coolant from the RCS, the staff determined that the protection of circuits and equipment inside containment should be enhanced beyond the criteria specified in BTP CMEB 9.5-1 for existing plants. Westinghouse provided enhanced fire protection of the equipment and circuits located inside containment that are required for safe shutdown to provide reasonable assurance that one division of safety-related equipment will remain free of fire damage, in accordance with the criteria specified in SECY-90-016 and SECY-93-087. Hose stations for manual suppression are provided inside containment; however, because of the potential hazard associated with the entry of personnel into containment during a plant transient, the response of the plant fire brigade may be significantly delayed. Therefore, no credit for manual suppression of fires inside containment during power operations is considered acceptable by the staff. Westinghouse provided a manually actuated water spray system over the non-safety-related open cable trays in one zone of the containment. Both divisions of the passive residual heat removal (PRHR) control valves and the PRHR flow transmitters are located in this zone in close proximity to each other. These valves are separated by a noncombustible steel or steel-composite barrier and there are no exposed cables in the adjacent fire zone. Therefore, the staff found that Westinghouse has provided reasonable assurance that one division of the normal or passive safe-shutdown capability located inside containment will be kept free of fire damage.

To address hot shorts resulting from a fire, Westinghouse included the reactor head vents for consideration as a high/low pressure interface in accordance with the guidance provided in Generic Letter 81-12, "Fire Protection Rule." Inside containment, the cables for the control of one head vent valve in each flow path are routed in conduits to prevent a spurious actuation of both valves in the flow path. In areas outside containment, the control room, and the remote shutdown workstation, the power and control circuits are located in separate fire areas. The soft controls located in the control room and remote work stations are not susceptible to fire-induced spurious actuation. The dedicated switches located in the control room are located on separate panels, such that a fire may short the switches on one panel, but the unaffected panel will be deenergized before spurious actuation of two valves in the same flow path. Westinghouse also addressed the spurious actuation of ADS resulting from hot shorts of control circuits of motor-operated valves from a fire in the MCR, remote shutdown workstation, DC equipment rooms and Class 1E penetration rooms. Even though actuation of ADS does not result in an unrecoverable plant configuration, separation and operator actions minimize the potential for spurious actuation of ADS. Therefore, the staff determined that protection from hot shorts is acceptable.

As a result of the unique aspects of the AP600 design, the staff has accepted a combination of safety-related passive systems to reach and maintain safe shutdown and non-safety-related normal shutdown systems to reach and maintain cold shutdown.

Spent Fuel Pool Cooling

In SECY-96-128, "Policy and Key Technical Issues Pertaining to the Westinghouse AP600 Standardized Passive Reactor Design," the staff informed the Commission that the design of the AP600 did not meet the guidance provided in SRP Section 9.1.3, "Spent Fuel Pool Cooling and Cleanup System." In accordance with the SRP, the SFP cooling system should be designed to seismic Category I, Quality Group C, requirements, or the makeup water system and its source and the fuel pool building and its ventilation and filtration system must be seismic Category I. The makeup, ventilation, and filtration systems must also be capable of withstanding a single active failure.

The staff's finding was based on Westinghouse's design at that time of a non-safety-related system that was not required to operate following events such as earthquake, fire, passive failures, or multiple active failures. The design provided passive heat removal by allowing the SFP to boil with no makeup for the first 72 hours. After 72 hours, makeup was provided through a safety-related connection using water brought in from off site. The fuel-handling area ventilation subsystem was not safety-related.

Westinghouse has since revised its design and provided additional analyses to demonstrate compliance with the guidance of the SRP.

The SFP cooling system is a non-safety-related system and is located in the seismic Category I auxiliary building. The safety-related function of cooling and shielding the fuel in the SFP is performed by the water in the pool. The SFP cooling system consists of two mechanical trains of equipment. Each train consists of one SFP pump, one SFP heat exchanger, one SFP demineralizer, and one SFP filter. The two trains of equipment share common suction and discharge headers. In addition, the SFP cooling system contains piping, valves, and instrumentation necessary for system operation. Either train of equipment can be operated to perform any of the functions required of the SFP cooling system independently of the other train. The SFP cooling system pumps are automatically loaded on the respective onsite standby diesel generator in the event of a loss of offsite power.

During normal operation, one train is continuously cooling and purifying the SFP while the other train is available for water transfers, IRWST purification, or is aligned as a backup to the operating train of equipment. The system is designed to maintain the SFP temperature less than or equal to 48.4° C (120° F) following a partial (1/3) core fuel shuffle with one train operating and an SFP temperature of less than or equal to 60° C (140° F) following a full-core offload with both trains operating. In the event that one train is inoperable following a full-core offload, the SFP cooling can be performed by one train of the normal residual heat removal system.

In the event of an extended loss of the SFP cooling system, SFP cooling is provided by the heat capacity of the water in the pool. Under worst-case conditions, boiling in the SFP will begin in 4.6 hours. The SFP cooling system performs the safety-related function of providing containment isolation and safety-related connections for temporary emergency makeup to the SFP for cooling. SFP makeup for a long-term station blackout can be provided through seismically qualified, safety-related makeup connections from the cask washdown pit and the passive containment cooling system. Alignment of these sources of makeup water is accomplished by positioning manual valves located in an area of the auxiliary building that can be accessed without exposing operating personnel to excessive levels of radiation or adverse environmental conditions during boiling of the pool. The SFP is designed such that using only safety-related makeup, water is maintained above the spent fuel assemblies for at least 7 days following a loss of the SFP cooling system. In accordance with the design, the minimum water level required to achieve sufficient cooling is the sub-cooled, collapsed level (without vapor voids) required to cover the top of the fuel assemblies.

Steam resulting from SFP boiling is vented to the outside environment through an engineered relief panel. The vent path maintains the fuel-handling area at near atmospheric conditions. Activity releases as a result of pool boiling were analyzed by Westinghouse, and the analysis indicated that release concentrations at the site boundary are small fractions of the limits specified in 10 CFR Part 20, Appendix B, with no credit given for removal of activity by building ventilation systems, which include filters. The equipment in the fuel-handling area, in the rail car bay/filter storage area, and in the spent resin equipment and piping areas exposed to elevated temperature and humidity conditions as a result of pool boiling does not provide safety-related mitigation of the effects of SFP boiling or station blackouts. These areas do not have connecting ductwork with other areas of the radioactively controlled area of the auxiliary building, and connecting floor drains have a water seal that prevents steam migration. Therefore, the environment in these other areas during SFP boiling is mild with respect to safety-related equipment qualification and affords access for post-accident actions. On the basis of these analyses, the staff determined that a seismic Category I ventilation and filtration system was not necessary.

The amount of safety-related makeup required to provide the 7-day capability depends on the decay heat level of the fuel in the SFP. When the calculated decay heat level in the SFP is less than 2.15 MWt, no makeup is required for at least 7 days. If the calculated decay heat level is greater than or equal to 2.15 MWt and is less than or equal to 2.77 MWt, makeup from either the cask washdown pit or the passive containment cooling water storage tank is sufficient for at least 7 days. A minimum water level of 4.2 m (13.75 ft) in the cask washdown pit or a minimum of 1515 m³ (400,000 gal) in the passive containment cooling water storage tank is provided for this purpose. For calculated heat loads greater than 2.77 MWt, makeup from the passive containment cooling water storage tank is sufficient for at least 7 days. A minimum of 1515 m³ (400,000 gal) in the passive containment cooling water storage tank is provided for this purpose. Decay heat levels greater than 2.77 MWt correspond to refueling operations when the decay heat level in the reactor is less than 6 MWt, at which time the passive containment cooling storage water tank is not needed for containment cooling. On the basis of this analysis, the staff determined that the AP600 had provided a seismic Category I makeup system.

The passive containment cooling water storage tank can be refilled from the passive containment cooling ancillary water storage tank, which also contains a minimum of 400,000 gallons, using the recirculation pumps powered by ancillary diesel generators. Also, in its review of the post-72 hour issues, the staff determined that it is reasonable to credit replenishment of consumables after 7 days.

As a result of the redesign and reanalysis of the SFP cooling system, the staff determined that the AP600 design meets the guidance of SRP Section 9.1.3, and the requirements of GDC 2.
