Office for Nuclear Regulation
An agency of HSE

Generic Design Assessment – New Civil Reactor Build
Step 4 Fault Studies – Design Basis Faults Assessment of the Westinghouse AP1000® Reactor
Assessment Report: ONR-GDA-AR-11-004a Revision 0
21 November 2011
PROTECTIVE MARKING IF APPLICABLE

COPYRIGHT

© Crown copyright 2011
First published December 2011

You may reuse this information (excluding logos) free of charge in any format or medium, under the terms of the Open Government Licence. To view the licence visit www.nationalarchives.gov.uk/doc/open-government-licence/, write to the Information Policy Team, The National Archives, Kew, London TW9 4DU, or email [email protected].

Some images and illustrations may not be owned by the Crown so cannot be reproduced without permission of the copyright owner. Enquiries should be sent to [email protected].

Unless otherwise stated, all corporate names, logos, and Registered® and Trademark™ products mentioned in this Web site belong to one or more of the respective Companies or their respective licensors. They may not be used or reproduced in any manner without the prior written agreement of the owner(s).

For published documents, the electronic copy on the ONR website remains the most current publicly available version and copying or printing renders this document uncontrolled.

PREFACE

The Office for Nuclear Regulation (ONR) was created on 1st April 2011 as an Agency of the Health and Safety Executive (HSE). It was formed from HSE's Nuclear Directorate (ND) and has the same role. Any references in this document to the Nuclear Directorate (ND) or the Nuclear Installations Inspectorate (NII) should be taken as references to ONR.

The assessments supporting this report, undertaken as part of our Generic Design Assessment (GDA) process, and the submissions made by Westinghouse relating to the AP1000® reactor design, were established prior to the events at Fukushima, Japan. Therefore, this report makes no reference to Fukushima in any of its findings or conclusions. However, ONR has raised a GDA Issue which requires Westinghouse to demonstrate how they will be taking account of the lessons learnt from the events at Fukushima, including those lessons and recommendations that are identified in the ONR Chief Inspector’s interim and final reports. The details of this GDA Issue can be found on the Joint Regulators’ new build website www.hse.gov.uk/newreactors and in ONR’s Step 4 Cross-cutting Topics Assessment of the AP1000® reactor.

EXECUTIVE SUMMARY

This report presents the findings of the Fault Studies assessment of the design-basis fault analyses for the AP1000 reactor undertaken as part of Step 4 of the Health and Safety Executive’s (HSE) Generic Design Assessment (GDA). The assessment has been carried out on the European Design Control Document (EDCD) and the supporting documentation submitted by Westinghouse during Step 4.

This assessment has followed a step-wise approach in a claims-argument-evidence hierarchy. In Step 2 the claims made by Westinghouse were examined, and in Step 3 the arguments that underpin those claims were examined. The scope of the Step 4 assessment was to review the safety aspects of the AP1000 reactor in greater detail, by examining the evidence, supporting arguments and claims made in the safety documentation, building on the assessments already carried out for Steps 2 and 3, and to make a judgement on the adequacy of the design-basis fault analyses contained within the EDCD and the supporting documentation.
It is seldom possible, or necessary, to assess a safety case in its entirety; therefore sampling is used to limit the areas scrutinised and to improve the overall efficiency of the assessment process. Sampling is done in a focused, targeted and structured manner with a view to revealing any topic-specific, or generic, weaknesses in the safety case. The areas identified for sampling in Step 4 were set out in advance in an assessment plan based upon the findings of the Step 3 report.

My assessment has focussed on:

- The design-basis analyses performed in support of the AP1000. The assessment has been subdivided into a number of individual fault areas covering faults where the integrity of the primary circuit is maintained (such as steamline break faults, loss of feed faults, loss of flow faults, and reactivity faults), and Loss of Coolant Accidents (LOCA), where the integrity of the primary circuit is lost due to a break occurring somewhere on the primary circuit. Faults occurring during shutdown conditions or faults occurring away from the reactor in the spent fuel pool have also been considered.

- The validation of the computer codes which are used to model design-basis faults. In addition to assessing the validation evidence provided by Westinghouse, independent confirmatory analysis has been commissioned in selected cases from technical support contractors using alternative computer codes and analysts. This work, which is valuable for reaching judgements on the adequacy of Westinghouse’s codes and analysis, is summarised in this report.

It should be noted that the assessment of the fuel and core design, a technical area closely related to Fault Studies, is reported separately. As a result, the justification of the fuel safety limits during accident conditions, including assessment of the critical heat flux correlations needed to demonstrate fuel integrity during many of the fault transients, is not discussed in any detail in this report.

The design-basis thermal-hydraulic analysis of the containment environment during fault conditions, such as a large-break loss of coolant accident or a main steamline break, is also reported separately; the assessment of the severe accident analyses performed by Westinghouse is covered by the same report.

It has been agreed with Westinghouse that it is more appropriate to assess the proposed Technical Specifications, the emergency operating procedures, and the site-specific radiological consequence assessments during the site licensing process. Hence these items are outside the scope of the GDA process and are not discussed within this assessment.

In some areas lack of detailed information has limited the extent of my assessment. As a result HSE-ND will need additional information to underpin my judgements and conclusions: these are identified as Assessment Findings to be carried forward as normal regulatory business and are listed in Annex 1.

Some of the findings identified within this report are of particular significance and will require resolution before the HSE would agree to the commencement of the nuclear safety related stage of construction of an AP1000 reactor in the UK. These are identified in this report as GDA Issues and each one will require an associated Resolution Plan proposed by Westinghouse.

The range of faults considered to be within the design basis within the EDCD does not meet UK requirements. A number of drafts of a Pre-construction Safety Report (PCSR) were provided during GDA but these too did not meet the UK requirements for a design-basis safety case. Westinghouse recognises this and has responded by producing a substantially revised PCSR in March 2011. However, this has arrived too late for assessment during Step 4.
For this reason, HSE-ND has raised a cross-cutting GDA Issue requiring Westinghouse to submit the revised PCSR for assessment. This assessment will need to be completed before Consent will be granted for the commencement of safety-related construction of the nuclear island. Nevertheless, in my judgement the information provided in the EDCD, supplemented with the supporting documents provided in response to Regulatory Observations (RO) and Technical Queries (TQ) raised during Step 4, is adequate to enable a characterisation of the fault conditions on the AP1000 for the purposes of this Step 4 assessment.

From my assessment, I have concluded that:

- Westinghouse has improved the design basis safety case for the AP1000 through the additional analysis performed in response to the regulatory observations raised in my Step 3 report. It has been able to extend the design basis to demonstrate that the design is tolerant to passive single failures at the functional level. Westinghouse has also extended the design basis to cover complex situations in which a combination of events may initiate a fault sequence, although this is an area where there is further work still to be done and a number of GDA Issues have been raised in respect of this.

- The analytical work performed by Westinghouse has been aided by a number of important design changes to the reactor protection system on the AP1000 that in my opinion will significantly improve the safety of the design. These changes have been proactively identified by Westinghouse. The design changes identified are:

  o An upgrading of the following active systems to Category A Class 2 safety systems: the Diverse Actuation System (DAS), the Start-up Feedwater system (SFW), the normal Residual Heat Removal system (RNS), the Component Cooling Water system (CCS), the essential service water system, and the stand-by diesel generators. In particular, the RNS has been upgraded from a single train to a two-train system at the point of injection into the Direct Vessel Injection (DVI) lines; the DAS has been upgraded from a 2-out-of-2 to a more fault tolerant architecture involving dual 1-out-of-2 and partial 2-out-of-3 voting.

  o Implementation of a modification to alter the set-point for the isolation of the SFW and the Chemical and Volume Control system (CVS) on the High Steam Generator (SG) level alarm signal, to improve protection against a Steam Generator Tube Rupture (SGTR) fault by increasing the margin to overfill on the affected SG.

  o Implementation of a reactor trip signal on the DAS to trip the reactor on high hot-leg temperature.

  o Implementation of a reactor trip signal to mitigate the effects of an inadvertent actuation of the Passive Residual Heat Removal (PRHR) Heat Exchanger.

  o Implementation of a modification to enable the P-17 interlock to prohibit rod withdrawal following a spurious drop fault of one or more rods.

- In addition, Westinghouse has committed to the implementation of a blocker device on the Automatic Depressurisation System (ADS) to reduce the likelihood of spurious actuation. There is also a commitment to improvements in the design of the spent fuel pool, although the safety cases justifying these design changes have still to be developed.

The full list of GDA Issues I have identified during my assessment requiring additional work from Westinghouse is:

- Completion of the safety case is required for the spent fuel pool, setting out the claims identified during Step 4 of GDA and providing the supporting arguments and evidence for those claims.

- The design-change process needs to be followed to incorporate the various physical modifications identified, and all the affected documents need to be updated.

- Westinghouse is to demonstrate that, for all design basis faults, the submitted design basis analysis is appropriate for the agreed GDA design reference point and that all safety claims are supported by the analysis. If this cannot be done with pre-existing analysis, new analysis could be required. The final PCSR produced for GDA is to summarise this analysis for all design basis faults.

- A complete and consistent set of core design limits reflecting the design basis fault analysis is required.

- Westinghouse is to implement design modifications and provide further analysis to demonstrate functional diversity for faults with an initiating frequency greater than 1 x 10^-3 per year.

- Westinghouse needs to examine the feasibility of enhancing the flux protection on the AP1000 to provide automatic and diverse protection against frequent adverse power distribution faults, possibly using the current design of in-core instrumentation.

- Westinghouse is to examine whether it is reasonably practicable to enhance the design of the RNS in its role as the diverse safety injection system on the AP1000.

- Westinghouse is to provide validation evidence that the In-containment Refuelling Water Storage Tank (IRWST) is functionally capable of cooling the PRHR system during intact circuit faults for 72 hours.

- Westinghouse is required to complete a fully integrated design basis safety case for shutdown faults in the PCSR.

- Westinghouse is to present its updated fault schedule.

In my opinion, based upon the information provided in the EDCD and supporting documentation submitted as part of the GDA process, there are no fundamental reasons for believing that a satisfactory safety case cannot be made for the generic AP1000 reactor design, subject to satisfactory progression and resolution of GDA Issues during the forward work programme for this reactor. A major item of work will be to assess the revised PCSR.
It must also be recognised that some of these GDA Issues may ultimately require changes to the plant design. It is therefore too early to rule out the need for changes to plant layout or the provision of additional safety systems.

LIST OF ABBREVIATIONS

ADS      Automatic Depressurisation System
AFCAP    Advanced First Core Analysis Programme
ALARP    As Low as Reasonably Practicable
ANSI     American National Standards Institute
ATWT     Anticipated Transient without Trip
BMS      (Nuclear Directorate) Business Management System
BOC      Beginning of Cycle
BSL      Basic Safety Level (in SAPs)
BSO      Basic Safety Objective (in SAPs)
C&I      Control and Instrumentation
CAMP     Code and Maintenance Programme
CCS      Component Cooling Water System
CHF      Critical Heat Flux
CMF      Common Mode Failure
CMT      Core Make-up Tanks
CSARP    Cooperative Severe Accident Research Project
CVCS     Chemical and Volume Control System (Sizewell B)
CVS      Chemical and Volume Control System
DAS      Diverse Actuation System
DCD      Design Control Document
DDS      Data Display and Processing System
DNB      Departure from Nucleate Boiling
DNBR     Departure from Nucleate Boiling Ratio
DVI      Direct Vessel Injection
EBS      Emergency Boration System
ECS      Emergency Charging System
EDCD     European Design Control Document
EOC      End of Cycle
FPS      Fire Protection System
GDA      Generic Design Assessment
GRS      Gesellschaft für Anlagen- und Reaktorsicherheit
HHSI     High Head Safety Injection
HSE      The Health and Safety Executive
HVAC     Heating, Ventilation, Air Conditioning
IAEA     The International Atomic Energy Agency
ICRP     International Commission on Radiological Protection
IRS      Incident Reporting System
IRWST    In-containment Refuelling Water Storage Tank
LBLOCA   Large Break Loss of Coolant Accident
LCO      Limits and Conditions for Safe Operation
LOCA     Loss of Coolant Accident
MAAP     Modular Accident Analysis Program
MBLOCA   Medium Break Loss of Coolant Accident
MDEP     Multi-National Design Evaluation Programme
MFW      Main Feedwater System
MOV      Motor Operated Valve
MOX      Mixed Oxide Fuel
MSIV     Main Steam Isolation Valve
MSSV     Main Steam Safety Valve
ND       The (HSE) Nuclear Directorate
NII      Nuclear Installations Inspectorate (now the Office for Nuclear Regulation)
OECD-NEA Organisation for Economic Cooperation and Development – Nuclear Energy Agency
ONR      Office for Nuclear Regulation
OSU      Oregon State University
PCCWST   Passive Containment Cooling Water Storage Tank
PCI      Pellet-Clad Interaction
PCS      Passive Containment Cooling System
PCSR     Pre-construction Safety Report
PIRT     Phenomena Identification and Ranking Table
PLS      Plant Control System
PMS      Protection and Monitoring System
PORV     Power Operated Relief Valve
POSRV    Pilot Operated Safety Relief Valve
PPS      Primary Protection System
PRHR     Passive Residual Heat Removal Heat Exchanger
PSA      Probabilistic Safety Analysis
PSV      Pressuriser Relief Valves
PWR      Pressurised Water Reactor
PXS      Passive Core Cooling System
RAPFE    Radial Averaged Peak Fuel Enthalpy
RCCA     Rod Cluster Control Assembly
RCP      Reactor Coolant Pump
RCS      Reactor Coolant System
REA      Rod Ejection Accident
RNS      Normal Residual Heat Removal System
RO       Regulatory Observation
RPV      Reactor Pressure Vessel
SAP      Safety Assessment Principle
SBLOCA   Small Break Loss of Coolant Accident
SFS      Spent Fuel Cooling System
SFW      Start-up Feedwater System
SG       Steam Generator
SGTR     Steam Generator Tube Rupture
SPS      Secondary Protection System
SSC      Structures, Systems and Components
SWS      Service Water System
TAG      Technical Assessment Guide
TQ       Technical Query
TSC      Technical Support Contractor
US NRC   United States Nuclear Regulatory Commission

TABLE OF CONTENTS

1 INTRODUCTION ... 1
2 NUCLEAR DIRECTORATE’S ASSESSMENT STRATEGY FOR DESIGN BASIS FAULT ANALYSIS ... 2
2.1 Assessment Plan ... 2
2.2 Standards and Criteria ... 2
2.3 Assessment Scope ... 2
2.3.1 Findings from GDA Step 3 ... 3
2.3.2 Additional Areas for Step 4 Assessment ... 4
2.3.3 Use of Technical Support Contractors ... 5
2.3.4 Cross-cutting Topics ... 6
2.3.5 Integration with Other Assessment Topics ... 6
2.3.6 Out of Scope Items ... 7
3 WESTINGHOUSE’S SAFETY CASE ... 8
4 GDA STEP 4 NUCLEAR DIRECTORATE ASSESSMENT FOR DESIGN BASIS FAULT ANALYSIS ... 11
4.1 General Aspects of AP1000 Safety Case ... 12
4.1.1 Fault Categorisation ... 12
4.1.2 Diversity and Common Mode Failure ... 12
4.1.3 Redundancy and the Single Failure Criterion ... 14
4.1.4 Categorisation and Classification of Structures, Systems and Components ... 15
4.1.5 Controlled and Safe Shutdown States ... 17
4.1.6 Structure of the Safety Case ... 18
4.1.7 Fault Identification ... 19
4.2 Fault Sequences ... 21
4.2.1 Reactor Trip Faults ... 22
4.2.2 Increase in Heat Removal Faults ... 23
4.2.3 Decrease in Heat Removal Faults ... 39
4.2.4 Electrical Supply Faults ... 62
4.2.5 Decrease in Reactor Coolant System Flow Rate Faults ... 63
4.2.6 Reactivity and Power Distribution Anomalies ... 68
4.2.7 Increase in Reactor Coolant Inventory Faults ... 78
4.2.8 Decrease in Reactor Coolant Inventory Faults ... 80
4.2.9 Support System Faults (Including Loss of Cooling Chain) ... 109
4.2.10 Control and Protection System Faults ... 110
4.2.11 Spent Fuel Pool Faults ... 114
4.2.12 Shutdown Faults ... 118
4.2.13 Internal Hazards ... 126
4.2.14 External Hazards ... 130
4.3 Assessment of Validation Evidence for Passive Safety Systems for Non-LOCA Faults ... 131
4.3.1 Component Sizing ... 131
4.3.2 Scaling Analysis ... 132