Lessons Learned from the ACRS Review of the AP600 Design

March 22, 1999

Dr. William D. Travers
Executive Director for Operations
U.S. Nuclear Regulatory Commission
Washington, D.C. 20555-0001

Dear Dr. Travers:

SUBJECT: LESSONS LEARNED FROM THE ACRS REVIEW OF THE AP600 DESIGN

During the 460th meeting of the Advisory Committee on Reactor Safeguards, March 10-13, 1999, we completed deliberations regarding lessons learned from our review of the AP600 passive plant design. As noted in our July 23, 1998 report, issues on the safety aspects of the AP600 application were resolved to our satisfaction. In the course of our review, however, we identified some lessons learned that could affect reviews of future applications or that could be relevant to operating plants.

Recommendations

1. Guidelines on the acceptable quality of documentation submitted by the applicant and on the lead times necessary for staff reviews should be established and enforced.
2. Safety evaluation reports should include more of the technical rationale leading to the regulatory decision.
3. The NRC research program to improve and consolidate thermal-hydraulic codes should be continued.
4. Guidance for acceptable scaling methods, such as the Code Scaling, Applicability, and Uncertainty (CSAU) evaluation methodology, and for acceptable utilization of integral test data for the validation of computer codes should be developed.
5. The development of technical and policy guidelines for approving requests for reducing the main control room staffing levels below present regulatory limits should be considered.
6. More experts.

Quality and Timeliness of Material Submitted

Our review was made particularly difficult because the associated documentation was submitted piecemeal, was sometimes of poor quality, and contained technical errors. For future applications, the staff shouliments and analyses will be required before in-vessel core debris retention can be credited as part of the licensing basis.

7. Better standards for qualification of catalytic hydrogen recombiners should be required before approving these recombiners for use as safety-related equipment in nuclear power pland establish and enforce guidelines on the acceptable quality of documentation and on the lead times necessary for staff reviews.

The section of the safety evaluation report (SER) related to the AP600 test and analysis program lacked sufficient technical rationale for us to judge the quality of the staff's review. Our Thermal-Hydraulic Phenomena Subcommittee had to perform a much more exhaustive review than should have been necessary in order to become convinced of the adequacy of the staff review. Future SERs should include more of the technical rationale used to make regulatory decisions.

Thermal-Hydraulic Code Development

Our review identified deficiencies in the existing suite of NRC thermal-hydraulic codes and databases. In order to ensure that the staff has an acceptable thermal-hydraulic analysis capability for confirmatory review of license applications and amendments, the NRC research program to improve and consolidate thermal-hydraulic codes should be continued.

Code Validation Process

The scope of the Westinghouse test and analysis program in support of the AP600 certification was extensive. However, the test program was completed prior to both the scaling analyses and the phenomena identification and ranking process. Because of this, we had considerable difficulty in evaluating both the quality of the data used to validate the computer codes and the scaling of the test results to AP600 conditions. The staff should develop guidance for acceptable methods for scaling and uncertainty evaluation, such as the CSAU evaluation methodology, and for acceptable utilization of integral test data for the validation of computer codes. This is especially crucial as we make more use of best-estimate models for emergency core cooling system requirements.

Main Control Room Staffing Levels

The AP600 is designed to allow the reactor safety systems to remove decay heat without any required operator actions for up to 72 hours after the onset of a severe accident. In addition, the instrumentation and control systems and the human factors design of the main control room provide improved access to information on plant operating parameters. This facilitates and speeds the operator's ability to diagnose problems. Based on these developments and the results of current human factors research, the staff should consider developing technical and policy guidelines for reviewing and approving licensee and applicant requests for reducing the main control room staffing levels below present regulatory limits.

In-Vessel Retention of Core Debris

The AP600 design contains provisions to flood the reactor cavity to cover a significant portion of the reactor vessel. It was argued that this design provision could result in the removal of sufficient heat to prevent core debris from penetrating the vessel. Although this strategy was not part of the AP600 licensing basis, such a strategy might be included in future license amendment requests.

The staff identified weaknesses in the in-vessel core debris retention study used to support the AP600 application. The staff found that the results were quite sensitive to assumptions concerning the mass of metallic core debris in the vessel plenum and the magnitude of upward heat flux induced by vaporization of volatile constituents of core debris. In addition, analyses by the staff questioned assumptions made in the study concerning material properties. There are also unresolved questions about materials interactions, such as intermetallic reactions between molten Zircaloy cladding and the reactor vessel.

More experiments and analyses are needed before in-vessel core debris retention can be credited as part of the licensing basis. At this time, we believe in-vessel core debris retention should only be considered as a severe accident management strategy.

Catalytic Hydrogen Recombiners

The design of the AP600 utilizes hydrogen recombiners to control the accumulation of hydrogen in the reactor containment following a design-basis accident. The AP600 design also contains hydrogen igniters to prevent hydrogen accumulation in the event of more serious beyond- design-basis accidents. The possible use of catalytic processes to control hydrogen concentrations in reactor containments is gaining popularity throughout the world.

The catalytic recombiners that are proposed for use in the AP600 are based on palladium or platinum dispersed on alumina. There is lacking, however, a good understanding of the vulnerabilities of these devices to the environment expected to exist following either design basis or severe accidents. There is not yet a good understanding of what would constitute persuasive qualification of a catalytic recombiner. We believe that the staff should establish better standards for the qualification of these devices.

Dr. Thomas S. Kress did not participate in the Committee's deliberation regarding external reactor vessel cooling.

Dr. Dana A. Powers did not participate in the Committee's deliberation regarding the results of Sandia National Laboratories' tests on qualification of passive autocatalytic recombiners.

Dr. George Apostolakis did not participate in the Committee's deliberation regarding the analyses performed by the Idaho National Engineering and Environmental Laboratory concerning external reactor vessel cooling.

Sincerely,

/s/

Dana A. Powers
Chairman

Reference:

Report dated July 23, 1998, from R. L. Seale, Chairman, ACRS, to Shirley Ann Jackson, Chairman, NRC, Subject: Report on the Safety Aspects of the Westinghouse Electric Company Application for Certification of the AP600 Passive Plant Design.