ML041170375

From kanterella
Jump to navigation Jump to search
Fire Area PT-1 Summary Table E. F & G Tunnels
ML041170375
Person / Time
Site: River Bend Entergy icon.png
Issue date: 04/09/2004
From:
Entergy Operations
To:
Office of Nuclear Reactor Regulation
References
FOIA/PA-2003-0358
Download: ML041170375 (79)
v  d  e


Text

FIRE AREA PT-1

SUMMARY

TABLE E, F, & G Tunnels A fire in Fire Area PT-I could potentially affect systems and components necessary to provide Essential Mechanical/Environmental Support. Mitigating features are not required to ensure at least one system remains available to achieve safe shutdown. This area is a Division I shutdown area and the systems assured to remain available to achieve safe shutdown are identified below. In this area only, Normal Service Water is credited for cooling the required safe shutdown loads. Calculation G13.18.3.6*12, the post-fire safe shutdown analysis for PT-1, determined that Normal Service Water and its required support systems and components (including portions of the Off-Site Power Distribution System), remain free of fire damage. This calculation includes a Safe Shutdown Equipment List and System Logic Diagrams pertaining to Normal Service Water and Off-Site Power. The information in this calculation applies only to Fire Area PT-i, and these systems can not be credited in any other fire area. As discussed below, plant modifications were required to ensure the required components remain free of fire damage. The equipment assured available is identified below.

Safety Function System Essential Electrical Support Division I/III Essential Power Off-Site Power (Normal Service Water support only)

RPV Level Control High Pressure Core Spray Reactor Core Isolation Cooling Low Pressure Core Spray RPV Pressure Control Division I MSIV/PLC Main Steam Safety Relief Valves Decay Heat Removal Suppression Pool Cooling- Train A RHR (Hot Shutdown)

Decay Heat Removal Alternate Shutdown Cooling- Train A RHR (Cold Shutdown)

Essential Mechanical/ Normal Service Water Environmental Support Division I Control Building Chilled Water Division I Control Building HVAC Division I Auxiliary Building HVAC Division I/Ill Diesel Generator Building HVAC Division I Containment Monitoring Division I RPV Level and Pressure Monitoring

/K5 i

FIRE AREA PT-1

SUMMARY

TABLE (Con't.)

Component Manual Action None Exemptions/Deviations Summary None Modifications Modification # 96-0023 routed an additional control cable in dedicated conduit for valve 1SWP*AOV599. This valve must remain closed to support Normal Service Water System operation.

Prior to the performance of this modification and Calculation G13.18.3.6*12, the Division I Standby Service Water System was credited. The cables required for Division I Standby Service Water operation were previously protected with a Thermo-Lag fire barrier enclosure.

Modification # 96-0024 re-routed control cables ISWPARC002 and 1SWPBBC005 for I SWP*MOV55A and I SWP*MOV55B in dedicated conduit. These two valves must remain closed to support Normal Service Water System operation. Fire induced damage to these control cables could cause their respective valve to spuriously open. The cable for 1SWP*MOV55A was previously protected with a Thermo-Lag fire barrier enclosure to support Division I SSW operation. Addendum I to Calculation G13.18.3.6*12 demonstrated that routing the subject cables in dedicated conduit provides the required separation to preclude spurious operation.

Modification 96-0052 added and replaced fuses in 125V DC and 120V AC control circuits. Installation

/ replacement of specific fuses was required to correct potential common power supply and common enclosure concerns. This modification was required as a result of crediting Off-Site Power to support the use of Normal Service Water in lieu of Standby Service Water, and ensures the required power supplies will remain free of fire damage.

ii

I Compliance Assessment Table Fire Area: PT-I Logic Diagram RBS-SSD-LOG-101 12-Afar-OO Page I of /2 Equipment ID: Equipment

Description:

Fire Zone: Cable Number: Component/PS/ CS Code Compliance Strategy Inst. Tubing I E22'l.TN054C CONDENSATE STORAGE TANK rr-/z7-1 Component CS-IA To provide make-up water to support RPV lcvel control, the l.l.VEI. Suppression Pool remains available from the Control Room.

Tubing I CSI 1NOX409 I E22'1.TNO54C CONI)IENSATE STORAGE TANK Component CS-IA To provide make-up water lo support RPV level control, the LEVEL Suppression Pool remains available from the Control Room.

Tubing ICSIINOX410

I Compliance Assessment Table Fire Area: PT-I Logic Diagram RBS-SSD-LOG-102 12-AJfar-OO Page 2 of 12 Equipment ID: Equipment Deseriplion: Fire Zone: Cable Number: Component/PS/ CS Code Compliance Strategy Inst. Tubing IESI'.TN035A CONDENSATE STORAGE TANK Irr- l/z- I Component CS-IA To provide make-up water to support RPV level control, the LEVEL Suppression Pool remains available rrom the Control Room.

Tubing I ICSNRX408 IESILTN035E CONDENSATE STORAGE TANK Vr-lIz-I Component CS-IA To provide make-up water to support RrV Icvcl control, the LEVEL Suppression Pool remains available rrom the Control Room.

Tubing I ICSNRX409

I Compliance Assessment Table Fire Area: PT-I Logic Diagram RBS-SSD-LOG-201 12-Afar-ne) /'age3 of 12 Equipment ID: Equipment

Description:

Fire Zone: Cable Number: Component/PS/ CS Code Complianet Strategy Inst. Tubing ISWP'MOV40A STANDBY SERVICE WATER PUMP 2A PIlIQ-I ISWPARC020 CS-IA To provide cooling to required sate shutdown loads. Normal Service DISCI IARGE Water remains available trom the Control Room. See Area Summary.

ISWPARC02 1 ISWP*MOV40C STANDBY SERVICE WATER PUMP 2C `11-i/I-I ISWPCOCoo3 CS-IA To provide cooling to required sate shutdown loads. Normal Service DISCI IARGE Water remains available from the Control Room. See Area Summary.

ISWPCOC602 CS-IA To provide cooling to required sate shutdown loads. Normal Service Water remains available from the Control Room. See Area Summary.

1SWPCOKoo0 CS-IA To provide cooling to required safe shutdown loads. Nonnal Service Water remains available trom the Control Room. Sec-Area Summary.

ISWP'MOV501A RPCCW IIEAT EXCIIANGE SUPPLY PT-l/Z-I 'Component CS-IA To provide cooling to required safe shutdown loads. Normal Service Water remains available trom the Control Room. See Area Summary.

I SWPARC032 ISWPrMOVSIIA RPCCW IIEAT EXCIIANGE SERVICE Pr-l/Z-I Component CS-IA To provide cooling to required sate shutdown loads. Normal Service WATER RETURN Water remains available from the Control Room. See Area Summary.

I SWPARC039 ISWP*NMOVSI In RPCCW IIEAT EXCIIANGE SERVICIE PT-l/Z-I Component CS-IA To provide cooling to required sate shutdown loads, Normal Service WATER RETURN Water remains available from the Control Room. See Area Summary.

ISWPrnCo39 ISWPBBCo40 ISWPBrIKo21 ISWP'MOV55A STANDBY SERVICE WATER RETURN PT-l/Z-I Component CS-IA To provide cooling to required sate shutdown loads. Normal Service VALVE Water remains available trom the Control Room. MR 96-0024 precludes spurious opening of thc valve. See Area Summary.

I SWPARC002 ISWPARC003 ISWPARK019 I SWPNRC72 1 ISWPMNIOV96A NORMAL SERVICE RETURN AB-7/Z-1 ISWPNRC721 CS-IA 'To provide cooling tn required sate shutdown loads, Normal Scr ice ISOLATION VALVE Waler remains available from the Conlrol Ronm Sce Area Sulmoary.

ISWPP2A STANDBY SERVICE WATER PUMP PIl-liZ.-I ISWPARC3n2 CS-IA To provide cooling to required sal'e shutdos n 1lods, Normal Sen ice Water remains available from the Control Room See Area Sumniaty.

ISWPAR113t)0 ISWI'NR7 121

Compliance Assessment Table Fire Arca: PT-1 Logic Diagram RBS-SSD-LOG-201 12-Alar-00 Page 4 of 12 Equipment ID: Equipment I)escription: Fire Zone: ('able Number: Component/PS/ CS Code Compliance Strategy Inst. Tubing ISWPP2C STANDBY SERVICE WATER PUMP PIl InZl ISWPCOC31 I CS-IA To provide cooling to required safe shutdown loads. Normal ServiceI Water remains available from the Control Room. See Area Summary.

ISWPCo01300

Compliance Assessment Table Fire Area: PT-I Logic Diagram RBS-SSD-LOG-202 12-Afar-O Page S of 12 Equipment ID): Equipment l)estription: Fire Zone: Cable Number: ComponentlPSl CS Code Compliance Strategy Inst. Tubing ISWP'FNIA STAN)lBY C(X)LING TOWER lAN 1'11-5/7 -1 I SWPARC074 CS-IA To provide cooling to required safe shutdown loads. Normal Service Water remains availabie from the Control Room. See Area Suminmary.

ISWP'FNill STANDBY COOLING TOWER FAN 1114-Z-1 ISWInIBCo04 CS-IA To provide cooling to required safe shutdown loads, Normal Service Water remains available From the Control Room. See Area Summary.

ISWI'lIlCo74 ISWPrnIK01o7 ISWPIFNIC STANDBY COOLING TOWER FAN 'll-5/7-1 I SWPARC074 CS-IA To provide cooling to required safe shutdown loads, Normal Service Water remains available from the Control Room. See Area Summary.

ISWP'FNID STANDBY COOLING TOWER FAN Pl-41Z-1 ISWPBBCo74 CS-IA To provide cooling to required safe shutdown loads. Normal Service Water remains available from the Control Room. See Area Summary.

ISWpIBCoIo ISWPD)BKoo3 ISWP'FNIE STANDBY COOLING TOWER FAN Pll-5QZ-I ISWPARC074 CS-IA To provide cooling to required safe shutdown loads, Normal Service Water remains available from the Control Room. See Area Summary.

ISWP'FNIF STANDBY COOl.ING TOWER FAN PI1-41Z-I ISWPBIIICo74 CS-IA To provide cooling to required safe shutdown loads, Normal Service Water remains available from the Control Room. See Area Summary.

ISWPI:BCoUI ISWPIZB;OOI ISWP rNIG STANDBY COOI.ING TOWER FAN P11-n51-I ISWPARC074 CS-IA To provide cooling to required safe shutdown loads. Normal Service Water remains available from the Control Room. See Area Summary.

ISWP'FNIII STANDBY COOLING TOWER FAN P141-4I ISWPIIBCo74 CS-IA To provide cooling to required safe shutdown loads. Normal Service Water remains available from the Control Room. See Area Summary.

ISWPIIBCOOI IS WPIIIIKtOO ISWP'FNIJ STANDBY COOLING TOWER FAN P11-s517I I SWPARC074 CS-IA To provide cooling to required safe shutdown loads, Normal Service Water remains availahle fIrom the Control Room See Area Sumimary.

ISWPINNI K STANDBY COOLING TOWER FAN P11-4/7-1 ISWPIIIIC074 C'S-I A l o provide cooling to required safe shutduiwn loads. Normal Sen ic Water remains available from the Control Room. See Area Summary.

I SWPKBICOO I ISWI'KIIKt(tl

I Compliance Assessment Table Fire Area: PT-I Logic Diagram RBS-SSD-LOG-202 12-A farOO IPage 6 of 12 Equipment It): Equipment l)Desription: Fire Zone: Cable Number: Component/PSI CS Code Compliance Strategy Inst. Tubing ISWPFNII. STAN[I)Y CO()I.ING lOWER FAN PI1-517-1 ISWPARC077 ' CS-IA To provide cooling to required safe shutdown loads, Normal Servicc Water remains available from thc Control Room. See Area Summary.

ISWPrFNI STANDBY COOI.ING TOWER FAN ISWPIIBCo77 CS-IA To provide cooling to required safe shutdown loads, Normal Service Water remains available from the Control Room. See Area Summary.

ISWPMI1COO2 ISWPMNIKOOI ISWP FNIN STANDBY COOLING TOWER FAN Pl-5/1-I ISWPARC077 CS-IA To provide cooling to required safe shutdown loads. Nonnal Service Water remains available from the Control Room. See Area Summary.

ISWPrNIP STANDBY COOLING TOWER FAN PI 1.A7-1 ISWPBBCo77 CS-IA To provide cooling to required sate shutdown loads, Normal Service Water remains available from the Control Room. See Area Summary.

ISWPPBCoo2 ISWPPI3Ko0I ISWPFNIQ STANDBY COOLING TOWER FAN PI 1-5/7-I I SWPARC077 CS-IA To provide cooling to required safe shutdown loads. Normal Service Water remains available from the Control Room. See Area Summary.

ISWPOFNIR STANDBY COOLING TOWER FAN PII4/Z-l ISWPrDBICo77 CS-IA To provide cooling lo required sate shutdown loads. Normal Service Water remains available from the Control Room. See Area Summary.

ISWPRBlCO02 ISWPRIIKOOI ISWPrFNIS STANDBY COOLING TOWER FAN P1-5/r-I I SWPARC077 CS-IA To provide cooling to required safe shutdown loads, Normal Service Water remains available from the Control Room. See Area Summary.

ISWPF1lNIT STANDBY COOLING TOWER FAN PI1417.-1 ISWPrlICo77 CS-IA To provide cooling to required sate shutdown loads. Normal Service Water remains available from the Control Room. See Area Summary.

IswrPlIIC0o2 iswPTIKooI ISWP*FNIU STANDBY COOLING TOWER IAN PI1-517-1 I SWPARC077 CS-IA To provide cooling to required safc shutdown toads, Normal Service Water remains available from the Control Room. See Area Suniunay.

1SWP*FNIV STANl)llY COOLING TOWER FAN PII447-I ISWPr13HC077 CS-IA To provide cooling to required safe shutdown loads, Normal Service Water remains available rrom the Control Room. See Area Summary.

ISWPVIICn0w2 ISWI'VMIK001

I Compliance Assessment Table Fire Area: PT-I Logic Diagram RBS-SSD-LOG-202 I 12-Afar-0lO I'age 7 of 12 Equipment ID): Equipment

Description:

Fire Zone: Cable Number: ('omponcnt/PS/ CS Code Compliance Strategy Inst. Tubing ISWI`*MOV40BI STANDBY Sl'RVICI' WATrIR PUMP 211 '111-2/7-1 I SWI'IIIIC02 1 CS-IA To providc cooling to required sate shutdown loads. Normal Servicc I)ISCI IARGE Water remains available from the Control Room. Sec Arca Summary.

ISWPIrnCo22 ISWPIrIiCos6 ISWPBBKOI9 ISWP'MOV40D STANDBY SERVICE WATER PUMP 2D Pi1-2/Z-1 ISWPIr)COOI CS-IA To provide cooling to required sate shutdown loads. Normal Service DISCI IARGE Water remains available trom the Control Room. Sec Area Summary.

ISWPDrCoo2 ISWPr)nCoo3 I SWPDBKO04 ISWP'MOV505A DIVISION /I)IDVISION I1CROSSOVER Pll-l/Z-l ISWPARC034 CS-IA To provide cooling to required sate shutdown loads, Normal Service Water remains available trom the Control Room. See Area Summary.

ISWP'MOVS05B DIVISION I/DIVISION I1CROSSOVER PT-l/Z-l Component CS-IA To provide cooling to required sare shutdown loads. Normal Service Water remains available trom the Control Room. See Area Summary.

ISWPrIICo34 ISWP*MOVssB STANDBY SERVICE WATER RETURN PT-l/Z-I Component CS-IA To provide cooling to required sate shutdown loads, Normal Service VALVE Water remains available from the Control Room. NMR 96-0024 precludes spurious opening orthe valve. See Area Summary.

ISWPBlIC002 ISWPBBCoo3 ISWPIIIICoo5 ISWPrBKo20 ISWP'P2B STANDBY SERVICE WATER PUMP PI1-2/Z-1 ISWPDBlC302 CS-IA To provide cooling to required sare shutdown loads, Normal Service Water remains available from the Control Room. See Area Summary.

ISWPIIIII1300 ISWPr2D STANDBY SERVICE WATER PUMP Pi 1-2/Z-1 ISWPDIIC301 CS-IA To providc cooling to required safe shutdown loads, Normal Service Water remains availahle from ihe Control Room. See Area Summary.

ISWPDIII1300

I Compliance Assessment Tab le Fire Area: PT-I Logic DiagramI RBS-SSD-LOG-203 12-A Iar.OO Page 8 of /2 Equipment ID: Equipment

Description:

Fire Zone: Cable Number: Component/PS/ I('S Code Compliance Strategy Inst. Tubing ISWP'P3A CONTROL IIlJLDING Clilt.l.ER C.13W/7-1 ISWPNRCS02 CS-IA To provide cooling to required sare shutdown loads, Normal Service RlECIRC PUMP P3A Water remains available from the Control Room. See Area Summary.

ISWP'P3C CONTROL. BUIl.DING CIIILLER C.13W/%-1 ISWPNRCS02 CS-IA To provide cooling to required safe shutdown loads. Normal Service RECIRC PUMP P3C Water remains available rrom the Control Room. See Area Summary.

I Compliance Assessment Table Fire Area: PT-1 Logic Diagram RBS-SSD-LOG-210 /12-at ar-111 Page 9 of 12 Equipment ID: Equipment

Description:

Fire Zone: Cable Number: ComponentlPS/ CS Code Compliance Strategy Inst. Tubing IIIVY'FE21A IIIVYFrN2A SUCTION FLOW P1-t/7-2 II IVYARC508 NA-I This cable Is not routed through this lire area. It appears due to data ELEMENT (SWITCII) field links within PDMS.

IIIVY'FNIA STANDBY SERVICE WATER PUMP Pl11n-1 11IVYARC00 I CS-IA To provide cooling to required sare shutdown loads, Normal Service I IOUSE PUMP ROOM -A' Water remains available from the Control Room. See Area Summary.

VENTILATION F IIIVYARC515 I IIVY'FN2A SSW PUMP!lOUSE STANDBY P t-I/Zn2 II IVYARC003 CS-IA To provide cooling to required safe shutdown loads, Normal Service COOLING TOWER SWITCIIGEAR Water remains available from the Control Room. See Area Summary.

ROOM A VENT II IVYARC004 NA-I This cable is not routed through this fire area. It appears due to data field links within PDMS.

11IVYARC515 CS-I A To provide cooling to required sare shutdown loads, Normal Service Water remains available from the Control Room. See Area Summary.

II IVYARK002 IIIVY*FS21A I IIVY*FN2A SUCTION FLOW P11-1/7-2 II IVYARC004 NA-I These cables are not routed through this fire area. It appears due to ELEMENT (SWITChI) data field links within PDMS.

II IVYARC508 NA-I These cables are not routed through this fire area. It appears due to data field links within PI)MS.

I Compliance Assessment Table Fire Area: PT-I Logic Diagram RBS-SSD-LOG-21 1 12-Afar-0(1 Page 10 of 12 Equipment ID: Equipment l)esription: Fire Zone: Cable Number: Component/Ps/ CS Code Compliance Strategy Inst. Tubing IIIVY'FI 1711 II IVY'FN I1 DISClIARGI. I'lOW P11.2r1l- II IVYBI)1C507 CS-IA To provide cooling to required safe shutdown loads, Normal Service

  • l.lEMENT Waler remains available from the Control Room. See Area Summary.

IiiVY'FE2i B IIIVYFrN2B DISCIIARGE FLOW P1-2rl-2 II IVYIBBIC50O CS-IA To provide cooling to required sarc shutdown loads, Normal Service ELEMENT Water remains available from the Control Room. See Area Summary.

II IVYiIIlX407 lIlVY'FNlB STANDBY SWITCII PUMP IIOUSE P I-21Z-1 IiIVYIjIBCOOI CS-IA To provide cooling to required sare shutdown loads, Normal Service VENTILATION FAN Water remains available rrom the Control Room. See Area Summary.

IIVYI3BC002 IIIVY13K002 IIIVY'FN2i3 STANDBY SERVICE WATER PUMP PII-2/Z-2 IIwIVYDBCOo3 CS-IA To provide cooling to required sare shutdown loads. Normal Service IIOUSE SWITCIIGE.AR ROOM SUPPLY Water remains available rrom the Control Room. See Area Summary.

FAN IIIVYiBiC004 lIIVYBBCo0 I II IVYBBKO03 IIIVYrFSl7B IIIVYFNili3 DISCIIARGE FLOW PI1-2/Z-I IIIVYBBCoo2 CS-IA To provide cooling to required sare shutdown loads, Normal Service SWITCI I Water remains available from the Control Room. See Area Summary.

IIIVYB3tCS07 IIIVY'FS21D IIIVY*FN2B DISCIIARGE FLOW P1i-2/7.-2 IIIVYunBCoo4 CS-IA To provide cooling to required sare shutdown loads. Nonnal Service SWITCI I Water remains available rrom the Control Room. See Area Summary.

IIIVYIIBCSo0 IIVYBIIX407

I Compliance Assessment Table Fire Area: PT-I Logic Diagram RBS-SSD-LOG-215 12-A tar-OO Page 11 of 12 Equipment ID: Equipment

Description:

Fire Zone: ('able Number: Component/PS/ (S Code Compliance Strategy Inst. Tubing I EJSOX3A STANDBY 480 VAC TRANSFORMER 1`I.I Z-2 I E.NSARI 1308 CS-IA The Division I Electrical Distribution System and OlT-Site Pocr remain available rrom the Control Room.

I Compliance Assessment Tab le Fire Area: PT-I Logic Diagrat I RBS-SSD-LOG-216 12-Afar-00 Page 12 of 12 Equipment ID: Equipment l)escription Fire Zone: Cable Number: C(omponent/PS/ ICS Code Compliance Strategy Inst. Tubing IEJS'X3B STANDBY 480 VAC TRANSFORMN1ER P1 1-2/Z-2 I ENSIlII 1308 CS-IA The l)ivision I Electrical I)isribution Systcm and OWi-Sitc Powecr remain available from the Control Room.

ISCV*XI)16111 STANDBY 120 VAC POWIER PI1 -2/7-2 I SCVNIiKO06 CS-IA The Division I Electrical Distribution System and OfT-Silc Powcr TRANSrORMrER remain available from the Control Room.

TABLE OF CONTENTS VOLUME 1: SEPARATION ANALYSIS Pane

1.0 INTRODUCTION

5 1.1 Purpose 5 1.2 Report Organization 5

2.0 REFERENCES

7 3.0 DEFINITIONS 10 4.0 SHUTDOWN ASSUMPTIONS AND POSITIONS 16 4.1 Fire Damage to Plant Equipment 17 4.1.1 Electfical Cable Fire Damage 17 4.1.2 Mechanical Component Damage 17 4.1.3 Instrument Damage 18 4.2 Smoke and Toxic Gases 18 4.3 Manpower Availability and Manual Operation 18 4.4 Repairs 19 4.5 Fire Duration and Brigade Activity 19 240.201 A Rev. 2 Page I of 65

TABLE OF CONTENTS (Continued) 5.0 SAFE SHUTDOWN ANALYSIS BASIS 21 5.1 Safe Shutdown Performance Goals 21 5.2 Safe Shutdown Functions 21 5.3 Shutdown Methodology 26 5.4 Description of Safe Shutdown System 27 5.5 Associated Circuits of Concern 43 5.5.1 Circuits Associated by Common Power Supply 44 5.5.2 Circuits Associated by Spurious Operation Potential 46 5.5.3 Circuits Associated by Common Enclosure 47 5.6 Postulated Multiple High-Imipedance Faults 48 5.7 Effects of Inadvertent Fire Suppression System Actuation 50 5.8 Communications 57 6.0 SHUTDOWN ANALYSIS METHODOLOGY 58 6.1 Overview 58 6.2 Phase 1: Component Selection and Flow Path Identification Criteria 58 6.3 Phase 2: Electrical Cable Identification, Fire Area/Zone Location 60 of Components, Raceways, and Cables 6.4 Phase 3: Analysis of Cable-Component Fire Area/Zone Tabulations 61 240.201 A Rev. 2 Page 2 of 65

TABLE OF CONTENTS (Continued)

APPENDICES Appendix Volume Description A 1 Spurious Actuation Analysis B 1,2,3 Safe Shutdown Separation Analysis by Fire Area (Fire Area Compliance Assessment)

C 4 10CFR50 Appendix R Safe Shutdown Equipment List and Logic Diagrams D 4 Safe Shutdown Flow Diagrams E 4,5 Circuit Analysis for RBS IOCFR50 Appendix R SSEL Components F 5 Fire Area/Zone Maps G 5 Process Instrument Tubing Analysis H 5 Emergency Lighting Note:

The information which previously existed, as documented in Revision 1 of this document, in Volume 3, Safe Shutdown Component Index, Volume 4, Safe Shutdown Cables by Component, Volume 5, Safe Shutdown Cable Schedules with Fire Areas, and Volume 6, List of Safe Shutdown Cables, Raceways, and Components now resides in the Plant Data Management System.

240.201A Rev. 2 Page 3 of 65

Summary of Revisions Revision Description 0 1. Initial Issue 1 1. Enhance the level of detail of the methodology and basis in Rev. 0 of this analysis for ease of document maintenance and the implementation of its results.

2 1. Incorporate results of the Thermo-Lag Fire Barrier Resolution Project. (EW00007253 FERC 529, MIL 94/012)

2. Incorporate MR-93-0124.

240.201A Rev. 2 Page 4 of 65

1.0 INTRODUCTION

1.1 PURPOSE The purpose of this study was to perform and document a revalidation of the River Bend Station (RBS) separation between redundant safe shutdown components and cables in the context of post-fire safe shutdown system separation requirements defined by BTP SRP 9.5.1 and 10CFR50, Appendix R. This analysis supersedes Revision 1 of the existing Safe Shutdown Analysis Criterion 240.201A in its entirety. This analysis will continue to be updated to reflect the change in plant configuration as it relates to compliance with 10CFR50, Appendix R. The methodologies applied in resolving the issues of associated circuits of concern and spurious actuation are also presented in Section 5.0 and Appendix A respectively. The analysis methodology is described in Section 6.0, followed by the process used to define essential shutdown components and to perform an Appendix R separation analysis. The results of the separation analysis for each fire area are presented in Appendix B, "Safe Shutdown Fire Area Compliance Assessment".

1.2 REPORT ORGANIZATION This report is organized into five volumes as follows:

Volume 1: Separation Analysis Text. Spurious Actuation Analysis, and Safe Shutdown Fire Area Compliance Assessment This volume contains the safe shutdown analysis basis, methodology, shutdown function definitions, safe shutdown systems description, associated circuits of concern, spurious actuation analysis, and safe shutdown compliance assessment by fire area.

Volume 2. 3: Safe Shutdown Fire Area Compliance Assessment Thes volumes contain the safe shutdown compliance assessment by fire area.

Volume 4: Safe Shutdown Equipment List (SSEL) and Logic Diagrams. Safe Shutdown Flow Diagrams. Circuit Analysis for RBS I OCFR50 Appendix R SSEL Component The Safe Shutdown Equipment List contains the Appendix R safe shutdown components sorted by equipment identification tag number. The applicable Safe Shutdown Logic Diagram for each component listed is identified. Components which were not depicted on a Logic Diagram were provided with a reason code which identifies the basis for exclusion from the Logic Diagrams. This list includes all components previously identified as safe shutdown for Revision 1 of this document.

240.201A Rev. 2 Page 5 of 65 -

The Safe Shutdown Logic Diagrams depict the system and component relationships necessary to achieve the Appendix R performance goals identified in Section 5.1 of this document. These Diagrams also depict instniment interlocks with safe shutdown components in addition to the instrument combinations required to achieve automatic initiation or isolation of safe shutdown RPV injection systems. Althoug(h not credited for post-fire safe shutdown, fire induced spurious instrument signals may inadvertently generate an automatic system initiation or isolation signal.

The safe shutdown flow diagrams are shown for systems credited for post-fire safe shutdown. These flow diagrams will depict only the credited flowpaths and boundaries as well as the instruments which provide an interlock function or safe shutdown system automatic initiation or isolation signal. In addition, these flow diagrams also contain one line electrical diagrams for credited power source The circuit analysis effort established the Appendix R cables for the safe shutdown components listed in the SSEL and evaluated in Appendix B.

Volume 5: Circuit Analysis for RBS IOCFR50 Appendix R SSEL Component. Fire Area/Zone Maps. Process Instrument Tubing Analysis, and Emergency Lighting Analysis The circuit analysis effort established the Appendix R cables for the safe shutdown components listed in the SSEL and evaluated in Appendix B.

The Process Instrument Tubing Analysis includes a list of safe shutdown instruments, their panels, instrument tube line and pipe numbers, shield and drywell penetrations, azimuth and elevation of tubing, and fire areas for each item, as appropriate.

The Emergency Lighting Anaalysis includes a list of the emergency lighting units used for post fire safe shutdown. The list provides the location, purpose, component or access/egress path illuminated, and the fire area which requires the light to support post fire safe shutdown.

The information which previously, as documented in Revision 1 of this document, existed in Volume 3, Safe Shutdown Component Index, Volume 4, Safe Shutdown Cables by Component, Volume 5, Safe Shutdown Cable Schedules with Fire Areas, and Volume 6, List of Safe Shutdown Cables, Raceways, and Components now resides in the Plant Data Management System.

240.201 A Rev. 2 Page 6 of 65

2.0 REFERENCES

2.1 Code of Federal Regulations, Title 10, Part 50, Appendix R. "Fire Protection Program for Nuclear Power Facilities Operating Prior to January 1, 1979".

2.2 Memorandum to All Power Licensees with Plants Licensed Prior to January 1, 1979 from Darrell G. Eisenhut,

SUBJECT:

"Fire Protection Rule (45 FR 76602, November 19, 1980) - Generic Letter 81-12," February 20, 1981.

2.3 Memorandum to Darrell G. Eisenhut,

SUBJECT:

"Fire Protection Rule (45 FR 76602, November 19, 1980) - Clarification of Generic Letter 81-12," March 22, 1982.

2.4 Generic Letter 86-10,

SUBJECT:

Implementation of Firc Protection Rcqu'ircnicnts, 4/24/S6 2.5 RBS Technical Specifications RBS Docket No. 50-458, Appendix A to License No. NPF-47 with revisions of effective pages through 3/25193.

2.6 RBS Updated Safety Analysis Report, Revision No. 7, January 1995.

2.7 EOI Calculation G13.18.14.0*29, Rev. No. 0, Reactor level response to a fire in the Control room.

2.8 EOI Calculation G13.18.14.0* 16, Rev. No. 0, Number of SRV's cycles expected for isolation event.

2.9 EOI Calculation G13.18.12.2*1 1, Rev. No. 0, Evaluation of safe shutdown related systems for "Water Solid" Conditions Resulting from Spurious Operations (Main Steam Lines &

MSIVs).

2.10 EOI Calculation G13.18.2.8*6, Rev. No. 0, Containment storage pool temp. increases on loss of fuel pool cooling with 200 bundles.

2.11 EOI Calculation E-180 dated 1/25/85, Fire hazards analysis-electrical.

2.12 EOI Calculation G13.18.3.6*5, Rev. No. 1, Coordination study of Appendix R and Class IE low voltage protective devices.

2.13 EOI Calculation G13.18.3.6*07, Rev. No. 1, Appendix R Common Enclosure Analysis.

2.14 EOI Calculation PM-239 dated 9/18/85, Drywell and Containment unit cooler combined flows following LOOP.

2.15 GE Design Document 22A7193, Rev. No. 0, Mechanical equipment separation for engineered safety feature 240.201A Rev. 2 Page 7 of 65

2.16 GE Design Document 22A3743, Rev. No. 2, Emergency Core Cooling System Network 2.17 Abnormal Operating Procedure AOP-0031, Rev. No. 10, Shutdown From Outside Main Control Room 2.18 EDP-AA-7S, Rev. No. 0, Long Tenn Compliance for Appcnidix R 2.19 OSP-0019, Rev. No. 4, Electrical Bus Outages; Enclosure 316.

2.20 RBS Calculation G.13.18.2.6*34, Rev. No. 0, No. of SRV Actuations from LSV Air Receiver Tank ILSV*TK6A, *TK6B.

2.21 RBS Calculation G.13.IS.10.2*44, Rev. No. 0, Evaluation of Mlain Stcam Loop A,B,C, &

D Piping for Alternate Shutdown Cooling.

2.22 GE Design Document 22A4622AT, Rev. No. 12, Nuclear Boiler System.

2.23 CR 95-0569, Corrective Action Item 2.

2.24 NRC Information Notice 83-14, "Actuation of Fire Suppression System Causing Inoperability of Safety-Related Equipment" (June 22, 1983).

2.25 Memorandum NE-PM-93-0637; April 29, 1993: Condensate storage tank in RCIC and HPCS operation.

2.26 NRC Information Notice 92-18, "Potential for Loss of Remote shutdown Capability During a Control Room Fire" (February 28, 1992).

2.27 EOI Calculation G.13.18.3.6* 12, "1 OCFR50 Appendix R Analysis of Fire Area PT-1",

Revision 0.

2.28 NRC letter from David Wigginton to John McGaha, "Deviation From Technical Requirements for Fire Protection, Fire Area C-1 7", dated 10/4/95, RBC-46297, G 9.5, ICL-95-176.

2.29 VECTRA Report No. 0103-00203-R-01, "Thermo-Lag Reduction", Revision 0.

2.30 RBS Letter No. ED-95-0535 dated January 16, (SIC) 1995 from M.A. Stein to Paul Sicard regarding SE&A Fire PRA Insights.

2.31 NUREG-0050, Recommendations Related to Browns Ferry Fire, 2/76.

2.32 Branch Technical Position CMEB 9.5-1, Guidelines for Fire Protection For Nuclear Power Plants, Revision 2.

240.201A Rev. 2 Page 8 of 65

2.33 RBS calculation 12210-PB-3 15 Rev. 2, Air accumnuilator tanks sizing for Category I: Air Operated Dampers.

2.34 Enginccring Request (ER) 96-0672 "Spurious High RPV Pressure Signal Indication on SRV'S."

2.35 RBS calculation G13.18.14.0*171 Rev 1, Determine if Post-fire Safe Shutdown SSW loads can be satisfied with one SSW pump.

2.36 RBS calculation G13.18.14.1*07 Rev 3, Containment Temperature Following Shutdown Without Unit Cooler Operation.

2.37 Eng-incering Evaluation And Assistance Rcquest (EEAR) 93-E-0059, Coniunuication For Fire Protection 2.38 National Fire Protection Association(NFPA), Fire Protection Handbook, 16th Edition.

2.39 IE Information Notice 83-41, Actuation of Fire Suppression System Causing Inoperability of Safety Related Equipment, dated 6/22/83 2.40 IE Information Notice 87-50, Potential LOCA at HI- and LO- Pressure Interface From Fire Damage, dated 10/9/87 2.41 IE Information Notice 90-69, Adequacy of Emergency and Essential Lighting, dated 10/31/90 2.42 EOI Calculation G13.18.12.2-22, Rev. No. 2, Combustible Loading 2.43 Not Used 2.44 Adnormal Operating Procedure-0052, Fire Outside the Main Control Room (In areas Containing Safety Realted Equipment) 2.45 Specification 247.000, Specification for Installation of Instrument and Instrument Lines, Rev. No. 9 2.46 Perry's Chemical Engineering Handbook, 6th Edition 2.47 Stone and Webster Calculations filed under 7214.400-273 Series (Flood levels due to inadvertant suppression system actuation) 2.48 NRC Information Notice 94-12, "Insights Gained From Resolving Generic Issues 57:

Effects of Fire Protection System Actuation On Safety-Related Equipment" (February 9, 1994).

240.201A Rev. 2 Page 9 of 65

3.0 DEFINITIONS This section establishes the definition of terms used in the safe shutdown analysis of Rivcr Bend Station. These terns arc based on industry standards and/or regulatory criteria.

3.1 ASSOCIATED CIRCUITS OF CONCERN Safety-related and non-safety-related cables that have a separation from the fire area less than that required by 10CFR50, Appendix R. Section Ill.G.2 and:

(1) Share a common power source wvith the shutdowvn equipmlient, and the power source is not electrically protected from the post-firc shultdown circuits of concern by coordinatdc circuit breakers, fuses, or similar d1viccs.

(2) Share a common enclosure with the shutdown cables, such as a raceway, panel, or junction box, where the circuits are either not electrically protected from the post-fire shutdown circuits of concern by circuit breakers, fuses, or similar devices, or will allow propagation of fire into the common enclosure.

(3) Are circuits that, due to the effects of a fire, can cause the spurious operation of a safe shutdown component or the spurious operation of a component not required for safe shutdown but could disrupt safe shutdown and are not provided with isolation and/or a transfer device.

The principal basis for this definition is a letter from Mr. D.G. Eisenhut (NRRIDL) to all nuclear power licensees with plants licensed prior to January 1, 1979, titled "Fire Protection Rule (45 FR 76602, November 19, 1980); Generic Letter 81-12 ", dated February 20, 1981; and Clarification of Generic Letter 81-12 dated March 22, 1982.

3.2 ACTIVE SAFE SHUTDOWN COMPONENTS These components are defined as being required to achieve safe shutdown, and their operating state or position must change from their normal position or operating state.

3.3 ALTERNATIVE SHUTDOWN Alternative shutdown is defined in this report as a post-fire shutdown approach requiring utilization of nonstandard operational practices or plant system or component modifications as discussed below.

(1) Operations:

a. Other than normal safe shutdown activities from the Main Control Room (MCR);
b. Operations from designated alternative control systems or from outside the MCR.

240.201A Rev. 2 Page 10 of 65

Similarly, it may be necessary to operate different combinations of equipment to achieve safe shutdown.

c. Manual operation at equipment location.

(2) Modifications:

Rerouting, relocation, or alteration of existing safc shutdown systems outside of a spccific fire area to ensure the capability of achieving and maintaining safe shutdown conditions.

This definition recognizes that alternative shUtdowni may require deviation from normal operational practices and shutdown equipment. Ill this context, procedURal guidelinies for post-firC shullLtd1ow\-n must address operation Of shUtdown1 CqUiplMnLt ill aln LUnLusLIUl llailllCr or from outside the MCR. Similarly, it may be necessary to operate different combinations of equipment to achieve safe shutdown.

The NRC's definition for alternative shutdown is provided in I OCFR50 Appendix R.

Section llI.L focuses on plant modifications. This analysis encompasses the Commission's definition and extends it to include the associated procedural aspects of post-fire shutdown in an environment where plant equipment may be damaged.

3.4 BOUNDARY PATHS Boundary paths are those paths contiguous to primary flow paths, which must be isolated to prevent system flow diversion or inventory loss. Boundary paths include those portions of the system which constitute part of the system pressure boundary but are not required safe shutdown flow paths.

Boundary paths do not include:

  • Instrument taps/lines
  • System vent and drain paths isolated by manual valves
  • Portions of closed loop cooling water systems that are not required for safe shutdown, provided that the flow diversion does not degrade system operation.

3.5 ISOLATION DEVICE An isolation device is a device in a circuit which prevents malfunctions in one section of an electrical circuit from causing unacceptable effects in other sections of the circuit or other circuits. Acceptable isolation devices for power circuits are single isolation devices actuated by fault currents (breakers and fuses). For low energy control and instrumentation circuits, acceptable isolation devices are those actuated by fault currents (e.g., fuses or 240.201A Rev. 2 Page I11 of 65

circuit breakers), relays, control switches, transducers, isolation amplifiers, current transformers, diodes, and fiber couplers.

3.6 PASSIVE SAFE SHUTDOWN COMPIIONNENTS These components arc defined by their normal operating position being identical to their required safe shutdown position (or status), but where a change of position (or status) is detrimental to safe shutdown. Passive components may be affccted by firc-induced failures in their power or control circuits which could lead to the passive component adopting an undesired position (or status) due to spurious operation.

3.7 PRIMNARY PATHS Primary paths are system flow paths required to perform safe shutdown functions. In addition to main flow loops, these include internal recirculation, minimum flow, and process cooling flow paths.

3.8 POST-FIRE This period is defined as the time period following the identification of a fire. This term is generally used in reference to the shutdown activities following a postulated fire.

3.9 PRE-FIRE This period is defined as the time period preceding the identification of a fire (e.g., normal operation). This is generally used in the context of actions implemented during normal plant operation to provide protection against potential spurious actuations (that may lead to unacceptable plant conditions) in the event of fire-induced damage to electrical cables.

Typical examples include pre-fire rackout of certain circuit breakers, pre-fire tripping and tagging out of certain MCC starter circuit breakers, and pre-fire positioning of designated valves in locked closed status.

3.10 RACEWAY A raceway is defined as any channel that is designed and used expressly for supporting or enclosing wires, cable, or bus bars. Raceways consist primarily of, but are not restricted to, cable trays and conduit.

240.201A Rev. 2 Page 12 of 65

3.11 SAFE SHUTDOWN Safe shutdowvn is a condition which exists when the plant is being maintained in a hot shutdown, transition to cold shutdown, or cold shutdown mode. Thlc defillition for safe shutdown used in this analysis assumes the plant to be in one of three states at any moment: two stable conditions (hlot and cold shutdown) and a transient condition whclnc the unit is undergoing a change of mode from hot to cold shutdown. Hot and cold shutdow'n conditions arc defined primarily by Section fLI.L to Appendix R and the RBS Technical Specifications. Transition to cold shutdown includes the combination of systems necessary to maintain hot shutdown while achieving cold shutdown.

Htio slulld(ow\n exists \\VllCn tile plant Meets thC folloi\\nigl critcria:

(1) The reactor is subcritical with an effective multiplication factor (Keff) of less than or equal to 0.99; (2) The reactor coolant makeup function is capable of maintaining the reactor coolant level above the top of the active fuel; (3) Reactor decay heat is being removed at a rate approximately equal to its generation rate; (4) The primary system temperature is greater than 200 0F; and (5) The reactor mode switch is in the shutdown position.

Hot shutdown equipment is defined as that equipment necessary to maintain the plant in a stable condition of hot shutdown as defined above. Hot shutdown equipment must be capable of operating until the systems needed to achieve and maintain cold shutdown are available (Reference GL 86-10 Enclosure 2, Section 5.3.3 Hot Shutdown Equipment).

Equipment which is required to make the transition from Hot Shutdown to Cold Shutdown, but is not required to maintain the plant in a stable hot shutdown condition, is defined as Cold Shutdown Equipment. Conservatively, most of this equipment is still labeled as Hot Shutdown Equipment in this analysis.

The difference between hot shutdown and transition to cold shutdown is in the relative matching of decay heat generation and removal rates. In the transition state, heat removal exceeds heat generation thus allowing for a cooldown of the plant. Cold shutdown differs from transition in that the reactor coolant system temperature is reduced below 200TF.

240.201A Rev. 2 Page 13 of 65

3.12 SAFE SHUTDOWN EQUIPMENT Equipment (i.e., systems, components, cables, piping, valves) wvhich may be used for achieving and maintainiing safe shutdown in tile cvnt of a fire in a plant arCa is defined as safe shutdown equipment. There are several bases for this definition. Redundant methods of achieving safe shutdown are available to the operator in the cvcnt of a fire. Appendix R,Section III.G, recognizes this inherent redulldancy and requires that at least One such method be sufficiently protected to remain free of damage (this is applicable to hot shutdownn, transition to cold shutdown, and cold shutdown) or be repairable to allow for timely achievement of cold shutdown in the event of a fire. Verification that at least one path of safe shutdown systems is free of fire damage for each fire area demonstrates compliance with the rule. Wherc a safe slultdownl path canilot b)C showni to ilmeCt tile requirements of Appendix R, Section l1I.G, With thle existilln plnllt con11figUration aiid where the technical basis to support an exemption request cannot be demonstrated, fire protection and/or safe shutdown system modifications are implemented to ensure availability of a safe shutdown success path.

3.13 SAFE SHUTDOWN FUNCTIONS The distinction between safe shutdown functions and systems should be recognized. Safe shutdown functions are hardware/operational capabilities organized into those logical groups required to accomplish corresponding Appendix R shutdown performance goals.

Safe shutdown functions include features from one or more plant systems, as described in Section 5.0.

3.14 SPURIOUS OPERATION Spurious operation consists of the maloperation of electrical or electromechanical components caused by circuits energized or de-energized as a result of fire damage.

This definition recognizes that electrical cables may be damaged by a fire. This cable damage may prevent operation of safe shutdown components or may result in maloperation of non-safe shutdown equipment which may preclude attaining safe shutdown. The effects of spurious operation have been analyzed as follows:

(1) Maloperation of safe shutdown equipment due to control circuit interlocks between safe shutdown circuits and other circuits; and (2) Maloperation of equipment which is not defined as active or passive safe shutdown, but which could prevent the achievement of a safe shutdown function and thus has been included as required for safe shutdown.

(3) Maloperation of high-low pressure interface valves due to damage to control circuits or hot shorts to AC or DC power cables.

240.201A Rev. 2 Page 14 of 65

3.15 HIGH-LOW PRESSURE INTERFACE A High Pressure/Low Pressure Interface (high-low pressure interface) exists when a low pressure system interfaces with a high pressure primary coolant system. Per GL 81-1, "Fire Protection Rule," and its clarification letter dated March 22, 1982, a high-low pressure interface must be evaluated if it consists of two redundant and independent motor operated valves, and the motor operated valves or their associated cables may be subject to a single fire hazard. The concern is that a single fire could cause the two valves to open resulting in a fire-initiated Loss of Coolant Accident (LOCA) through the subject high-low pressure system interface.

As used in this context, and per 10CFR50.46 and IOCFR50 Appendix A Definitions, Loss-of-Coolant Accidents (LOCAs) are the hypothetical accidents that would result from the loss of reactor coolant, at a rate in excess of the capability of the reactor coolant makeup system, from breaks in pipes in the reactor coolant pressure boundary up to and including a break equivalent in size to the largest pipe in the reactor coolant system. Although fires are not postulated to cause a pipe rupture (Section 4.1.2), fire induced cable damage may cause spurious operation of components relied upon to maintain the integrity of the reactor coolant pressure boundary (RCPB). The loss of this RCPB integrity due to fire induced spurious operation of one or more components shall not result in a loss of reactor coolant at a rate in excess of the capability of the reactor coolant makeup system. All such interfaces have been evaluated in Reference 5.7.14 to Appendix C. As a result of this evaluation, two components have been identified as high-low pressure interface components, lE12*MOVF008 (Shutdown Cooling Outboard Isolation valve) and lE12*MOVF009 (Shutdown Cooling Inboard Isolation valve). These two motor operated valves are not subject to a single exposure fire such that fire induced failures will cause both of them to open. The fire area separation analysis (Appendix B) results indicate that the only fire area in which cables for both of these valves are routed through is the Control Room. However, lE12*MOVFO09 is maintained closed with its power supply breaker locked open. Thus, spurious operation of this valve due to fire induced cable damage during a Control Room fire is not possible and the integrity of the high-low pressure interface boundary is maintained for an exposure fire in any single fire area.

It should be noted that several other valves function as high-low pressure interface components; however, these valves are check valves and are identified in Appendix A, Table A-1. As such, these check valves are not subject to fire damage per Section 4.1.2.

240.201A Rev. 2 Page 15 of 65

4.0 SHUTDOWN ASSUMPTIONS AND POSITIONS This analysis considers the effects of fire on plant equipment and identifies the systems and components available for achieving safe shutdown. The fundamental assumptions made in this analysis are identified below:

4.0.1 Equipment required for safe shutdown is available.

Basis: Any maintenance, surveillance, or testing activities are governed by technical specifications and/or Technical Requirements Manual.

4.0.2 Off-site power may or may not be available at the time of the postulated fire.

Basis: 10CFR50 Appendix R, Section Ill.L.

4.0.3 An exposure fire involving either transient or in situ combustibles is assumed to occur in only one plant fire area at a time.

Basis: 10CFR5O Appendix R, Introduction and Scope.

4.0.4 Design basis fires are not assumed to occur concurrently with non-fire related failures in safety systems, plant accidents or the most severe natural phenomena.

Basis: Branch Technical Position CMEB 9.5-1, Section C.l.b.

Other positions were taken in the course of this analysis to ensure that the study closely reflects the impact of a fire. These positions pertain to the following major categories:

(1) Fire damage to plant equipment (2) Fire duration and brigade activity (3) Manpower availability and manual operations (4) Repairs Each category is discussed in the subsections that follow.

240.201A Rev. 2 Page 16 of 65

4.1 FIRE DAMAGE TO PLANT EQUIPMENT This subsection describes the basic assumptions made with regard to fire damage.

4.1.1 Electrical Cable Fire Damage The integrity of insulation and external jacket material for electrical cables is susceptible to fire damage. Damage may assume several forms including deformation, loss of structure, cracking, and ignition. The relationship between exposure of electrical cable insulation to fire conditions, the failure mode, and time before failure may vary with the configuration and cable type. To accommodate these uncertainties in a consistent and conservative manner, this analysis, except where fire protection features exist, assumed that the fire induced damage to all cables in the fire area would render the affected components inoperable or cause spurious operation. Electrical cable failures are limited by the following considerations:

(1) The fire damage occurs throughout the area under consideration.

(2) The fire damage results in an unreliable cable with regard to proper safe shutdown function.

(3) The fire-damaged cable conductors will either short to other conductors in the same cable or an adjacent cable, or short to ground through the enclosure (raceway, panel etc.), or separate, thus causing an open circuit.

This analysis reflects the NRC position concerning hot shorts as expressed by the staff in Enclosure 2 to Generic Letter 86-10 (Reference 2.4). This position excludes the following combinations of cable-to-cable hot shorts based on the low probability of occurrence except for any cases involving High-Low pressure interfaces as defined in section 3.15 of this document:

(1) 3-phase AC power circuits (4.16 kV and 480V voltage levels);

(2) 2-wire DC power circuits (125V voltage level);

(3) 2-wire DC ungrounded power circuits (125V voltage level) 4.1.2 Mechanical Component Damage Fire damage to valves, piping, and noncombustible tubing is not assumed to adversely impact their ability to function as pressure boundaries or as safe shutdown components.

Materials of construction for plant systems is primarily carbon steel or stainless steel, which have melting points of approximately 2500'F or higher, which exceeds the maximum temperature of the worst case ASTM E-1 19 test fire. Due to the defense-in-depth inherent in nuclear plant design, a fire approaching the magnitude of the E-l 19 test 240.201A Rev. 2 Page 17 of 65

fire is not expected to occur. Therefore, a fire is not assumed to cause a valve or other mechanical component to change position unless the fire also affects the electrical equipment or circuit associated with the component. Tn addition, it was assumed that exposure to a fire will not prevent the manual stroking of the valve following fire extinguishment. All motor operated valves have been evaluated with respect to NRC IE notice 92-18 and found to be acceptable. (reference 2.26)

This assumption reflects the fact that nuclear power plant fires are sufficiently limited in magnitude and duration to preclude the potential of significant damage to mechanical equipment. Damage which is assumed to occur as a result of a fire would involve discoloration and other such superficial manifestations of exposure to a high temperature oxi]diz iig environment.

Since these effects would be localized and of short duration, mechanical and overall structural integrity is considered not impaired.

4.1.3 Instrument Damage Instruments (e.g., resistance temperature detectors, thermocouples, pressure transmitters, and flow transmitters) are assumed to suffer damage in a manner similar to electrical cables. If these devices are exposed to a fire, only associated cables are damaged. The instrument fluid boundary remains undamaged. Per Specification 247.000, instrument lines are constructed of Type 316 stainless steel, which has a melting point in excess of 2500'F, exceeding the maximum temperature reached by an ASTM E-1 19 test fire. Due to the fire protection defense-in-depth capabilities inherent in nuclear power plant design, a fire of this magnitude is not expected to occur, so it is reasonable to conclude that the instrument tubing will remain intact. Similarly, sight-glasses and mechanically linked tank-level indicators are assumed to be unaffected by fire. However, the density changes of fluid contained in instrument tubing caused by a fire may cause erroneous indication and control signals. Therefore, the effect of this fire induced phenomenon was considered in this analysis. The component impact as a result of fire damage to instrument tubing was dispositioned in a similar manner as for electrical cable.

4.2 SMOKE AND TOXIC GASES The relatively short burn duration of the postulated fire is assumed to preclude the buildup of sufficient concentrations of such gases to cause failure of electrical and mechanical components. Consequently, concentrations of such gases within fire areas and deposition of chlorides on plant components are not considered in this analysis.

The postulated corrosive gas buildup from a fire in a small area and chloride deposition within a general plant area would not be sufficient to adversely affect plant equipment while safe shutdown is achieved and maintained. This conclusion is further supported by the NRC in its analysis of the Browns Ferry fire as documented by NUREG-0050.

240.201A Rev. 2 Page 18 of 65

4.3 MANPOWER AVAILABILITY AND MANUAL OPERATION This analysis recognizes the manual operation of some safe shutdown equipment as a part of the shutdown process for specific fire areas. Operators and fire brigade members are drawn from on-site personnel based on the minimum staffing level specified by technical specifications and current operating practices. Although additional manpower can be activated at the shift supervisor's discretion to perform manual operations after a fire, this analysis does not take credit for additional staffing.

The activities requiring Operations personnel intervention in the event of a fire include fire fighting and plant operation. To plan the allocation of personnel, the basic fire scenario is combined with the shutdowvn scenario to ensure the proper coordination of activities. A timeline/manpower concept is utilized in this analysis to establish that sufficient time is available for achievement of the safe shutdown system function.

Appendix H of this criterion document addresses manual actions required following fires.

This appendix addresses the feasibility of operator actions looking at the following five items for each action:

1. Component opeation can be perfomred
2. Adequate time is available to perform the action
3. Communications are available for those components which require them.
4. Emergency lighting is available
5. Actions requireing entry into an fire area are evaluated based on combustible loading, location of combustibles, availablity of detection and suppression and physical properties of the components AOP-0052 and AOP-0031, references 2.44 and 2.17, address maual actions required following fires in the plant and in the control room, respectively.

4.4 REPAIRS This analysis further assumes that off-site power would be restored 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> following fire initiation. The repair of cables or controls for cold shutdown related equipment which may be affected by a fire could be accomplished during this extended time period using established plant procedures.

4.5 FIRE DURATION AND BRIGADE ACTIVITY Fire duration / combustible loading has been calculated for each fire area and is documented in calculation G13.18.12.2-22, "Combustible Loading Calculation". The fire severity is determined through a review of the combustible loading. The fire severity is a time duration for a fire in a specific fire area to burn. The fire severity is calculated by dividing the combustible loading by the room floor area to determine the area loading.

Then the area loading is divided by a factor of 80,000 BTU / sq ft to arrive at the fire severity. The 80,000 BTU / sq ft / hour is a standard exposure fire ratio relating 240.201A Rev. 2 Page 19 of 65

combustible loading to a fire corresponding to the standard time-temperature curve (ref.

2.38).

The River Bend Station fire brigade is trained and equipped to ensure an adequate manual fire fighting capability for protection of structures, systems and components important to safety. The fire brigade is composed of at least five menmbers on each shift. The fire brigade leader understands the effects of fire and fire suppressants on safe shutdown components. Fire areas generally contain only one division of electrical equipment which might be involved in a fire or be inadvertently sprayed by the fire brigade. Fire brigade usage of suppression fog nozzles has been evaluated. The safe shutdown analysis shows that there is at least one other set of systems, equipment, and cables located outside the fire area of fire damage or protected by an approved Method or described in fire brigade procedures to ensure safe shutdown.

240.201A Rev. 2 Page 20 of 65

5.0 SAFE SHUTDOWN ANALYSIS BASIS 5.1 SAFE SHUTDOWN PERFORMANCE GOALS The safe shutdown performance goals of Appendix R. Section 1l.L establish the criteria for defining systems and components requiring protection. These goals are:

(1) Reactivity Control - Insert sufficient negative reactivity to achieve and maintain cold shutdown conditions.

(2) Reactor Coolant Makeup - Maintain the reactor inventory and control reactor coolant system pressure.

(3) Decay Heat Removal - Remove decay heat through cold shutdown conditions.

(4) Process Monitoring - Provide direct reading of safe shutdown process variables.

(5) Support Functions - Provide electrical power, cooling water, chilled water, and HVAC, etc., as required to achieve all of the above performance goals.

These five goals are accomplished in this analysis through the successful performance of the following safe shutdown functions:

(1) Reactivity Control (2) Reactor Pressure and Level Control (3) Reactor Overpressure Protection (4) Suppression Pool Cooling (5) Shutdown Cooling (6) Plant Monitoring Instrumentation (7) Safe Shutdown Support The following sections identify each function and its relationship to the safe shutdown performance goals.

240.201A Rev. 2 Page 21 of 65

5.2 SAFE SHUTDOWN FUNCTIONS

1. Reactivity Control Function: Provide sufficient negative reactivity to achieve and maintain cold shutdown reactivity conditions.

Appendix R Performiance Goal: Reactivity Control Safe Shutdown Mode: Hot, transition to cold, and cold Safe Shutdown Systemis: None This function is accomplished by the hydraulic insertion of control rods as a result of the de-energization of the SCRAM solenoid valves. Once inserted, control rods are latched in the inserted position. Fire does not affect the ability to scram.

2. Reactor Pressure and Level Control Function: Provide the capability to restore and maintain reactor vessel level and control pressure.

Appendix R Performance Goal: Reactor Coolant Makeup Safe Shutdown Mode: Hot, transition to cold, and cold Safe Shutdown Systems: 1. Reactor Core Isolation Cooling System (RCIC)

2. High Pressure Core Spray System (HPCS)
3. Low Pressure Core Spray System (LPCS)
4. Residual Heat Removal System (RHR A,B, and C) in the Low Pressure Coolant Injection (LPCI) mode
5. Safety Relief Valves (SRV) including the Automatic Depressurization System (ADS)
6. Penetration Valve Leakage Control System HPCS and RCIC systems normally take suction from the condensate storage tank; once the tank inventory is expended, the suction is realigned to the suppression pool. The Residual Heat Removal (RHR) System (RHR A, B, and C) in LPCI mode and LPCS System draw water from the suppression pool. These systems are capable of maintaining the reactor vessel water inventory in the event of the reactor vessel isolation.

A minimum of one SRV is required to reduce reactor pressure during cooldown using HPCS or RCIC. The ADS reduces the reactor pressure by activating seven safety relief valves (SRVs) to rapidly reduce pressure to support LPCS or LPCI operation. Air to operate an SRV is stored in its respective air accumulator and Penetration Valve Leakage 240.201A Rev. 2 Page 22 of 65

Control System air receiver tank (lLSV*TK6A or *TK6B). This stored air capacity is sufficient to operate the SRVs to support cooldown. Backup air is supplied by the Penetration Valve Leakage Control System Compressors to support maintaining the appropriate number of SRVs open for the Alternate Shutdown Cooling mode of RHR.

3. Reactor Oveipressure Protection Function: Provide a means to prevent reactor vessel ovelpressurization.

Appendix R Performance Goal: Reactor Coolant Makeup Safe Shutdown Mode: Hot, transition to cold Safe Shutdown Systems: Main Steam Safety/Relief Valve System The safety/relief valves are located on the main steam lines upstream of the inboard Main Steam Isolation Valves and are required to open to vent steam to the suppression pool and reduce reactor pressure. The Main Steam Safety Relief System consists of 16 SRVs, and all 16 SRVs are available to perform the safety function.

4. Suppression Pool Cooling Function: Remove decay heat from the suppression pool.

Appendix R Performance Goal: Decay Heat Removal Safe Shutdown Mode: Hot, transition to cold Safe Shutdown Systems: 1. Division I Residual Heat Removal System

2. Division II Residual Heat Removal System Placing the RHR system in the suppression pool cooling mode provides the means to transfer decay heat from the suppression pool to the ultimate heat sink.

For the safe shutdown analysis, it is necessary to have one operating RHR pump and heat exchanger loop in the Suppression Pool Cooling mode. The Standby Service Water System provides the cooling water for the RHR heat exchanger.

5. Shutdown Cooling Function: Provide a means for removing decay heat, maintain reactor coolant temperature below 200 TF, and provide reactor coolant makeup water.

Appendix R Performance Goal: Reactor Coolant Makeup, Decay Heat Removal 240.201A Rev. 2 Page 23 of 65

Safe Shutdown Mode: Cold Normal Shutdown Cooling Safe Shutdown Systems: 1. Suction from Reactor Vessel

2. Cooling using Train A or B RHR
3. Injection into RPV thru IE12*MOVF053A or lE12*MOVF053B for RHR A or B respectively.
4. Exit RPV thlru open RHR Shutdown Cooling Isolation Valves IE12*MOVFOO8 and IE 12-'MOVF009.

The cold shutdown decay heat removal performance goal is fulfilled by manually initiated Normal Shutdown Cooling mode. This mode is exclusively used for safe shutdown following Control Room Evacuation. It is necessary to have one operating RHR pump and heat exchanger loop in the normal shutdown cooling mode. The Standby Service Water System provides the cooling water for the RHR heat exchanger.

Alternate Shutdown Cooling Using SRV's Safe Shutdown Systems: 1. Suction from Suppression Pool

2. Cooling using Train A or B RHR
3. Injection into RPV thru 1E12*MOVF042A or MOVF042B for RHR A or B respectively
4. Exit RPV thru open SRVs into Suppression Pool.

The cold shutdown decay heat removal performance goal is fulfilled by the Alternate Shutdown Cooling using flow through the SRVs. This function is initiated after the reactor pressure is reduced to 110 PSIG or below. Makeup water is provided by the RHR system in the LPCI mode as required.

For this safe shutdown analysis, it is necessary to have one operating RHR pump and heat exchanger loop in the alternate shutdown cooling mode and its associated standby service water loop to ensure stable cold shutdown conditions.

Additionally, one Penetration Valve Leakage Control System (LSV) air compressor must be available to support maintaining the appropriate number of SRVs open.

240.201A Rev. 2 Page 24 of 65

6. Plant Monitoring Instrumentation Function: Provide a means for monitoring process variables.

Appendix R Perfonnance Goal: Process Monitoring Safe Shutdown Mode: Hot, transition to cold, and cold.

Safe Shutdown Systems: Division I or II Instruments for reactor pressure, reactor level, suppression pool level, and suppression pool temperature.

In order to achieve and maintain safe shutdown conditions, the operator must be able to monitor various plant parameters. These parameters provide the information required by the operator in order to perform required system transitions and essential operator actions. This function ensures that the instrumentation required to monitor reactor vessel level, reactor vessel pressure, suppression pool level, and suppression pool temperature is available following any fire.

7. Safe Shutdown Support Function:
1. Provide AC and DC power to switchgear, load centers, and motor control centers supplying power to safe shutdown components.
2. Provide cooling water to the emergency diesel generators, RHR heat exchangers, RHR pumps, LSV air compressors, auxiliary building unit coolers, and control building chillers.
3. Provide Heating Ventilation and Air Conditioning to the Control Building, Auxiliary Building, Standby Cooling Tower, and Diesel Generator Building.

Appendix R Performance Goal: Support Functions Safe Shutdown Mode: Hot, transition to cold, and cold Safe Shutdown Systems: 1. Standby AC and DC power distribution

2. Standby Service Water
3. Control Building Chilled Water 240.201A Rev. 2 Page 25 of 65
4. Heating Ventilation and Air Conditioning (HVAC) for Control Building, Auxiliary Building, Standby Cooling Tower, and Diesel Generator Building.

For a postulated fire involving a loss of off-site power, the Standby AC Power Supply and Distribution System is the ultimate source of AC electrical power for the safe shutdown systems. Essential components of this system include the diesel generators and supporting equipment (control power, air start system, diesel fuel supply, etc.), the 4.16kV emergency switchgear, 480V emergency switchgear, and motor control centers supplied by the emergency switchgear.

Safe shutdown also requires the availability of the 125V DC power supplies and distribution system for 125V DC power. Stored battery energy supplying 125V DC power is sufficient to support the needs of safe shutdown equipment until AC on-site power and battery charging capabilities are restored.

The Standby Service Water Subsystem removes heat from the various components credited for post-fire safe shutdown and delivers it to the ultimate heat sink.

The Normal Service Water Subsystem which is credited for Fire Area PT-I removes heat from the various components credited for post-fire safe shutdown and delivers it to plate heat exhangers.

The Control Building chilled water system supplies chilled water to the Control Building air conditioning system and transfers all system heat loads to the Service Water System.

The HVAC Systems serving the Control Building, Auxiliary Building, Standby Cooling Tower, and Diesel Generator Building provide cooling for the areas containing components credited for post-fire safe shutdown so that they can function without failure in the event of a fire.

5.3 SHUTDOWN METHODOLOGY In accordance with the provisions of 10CFR50, Appendix R, Section TII.G, at least one success path to achieve and maintain safe shutdown conditions must remain available in the event of a fire in any fire area. The key factor in achieving this provision is the availability of electrical power from the onsite Electrical Distribution System for at least one safe shutdown success path. There exists three divisions of electrical power at RBS.

However, the Division mII Electrical Distribution System only supplies power to HPCS System components and one Standby Service Water pump (1SWP*P2C) and associated discharge valve (ISWP*MOV40C). Thus, this Electrical Distribution System alone cannot support safe shutdown. Therefore, the shutdown methods are categorized according to the available Division I or II Electrical Distribution System. A Division I or II shutdown area utilizes systems and components which receive power from the Division I or II Electrical Distribution System. A Division I shutdown area includes the Division III Electrical 240.201A Rev. 2 Page 26 of 65

Distribution System to support both Standby Service Water pumps unless otherwise noted.

More than one RPV level control system (HPCS, RCIC, LPCS, LPCI) may be available for either method of safe shutdown. In Appendix B of this analysis, the Summary Table at the beginning of each fire area compliance assessment identifies the available divisions or systems as well as the required manual actions to achieve and maintain safe shutdown conditions.

In the event of evacuation of the Control Room due to a fire, alternate shutdown capability is provided which meets the criteria of Appendix R Sections E[I.G.3 and L.

Instrumentation and Controls are provided at the Division I Remote Shutdown Panel for systems and equipment that require continuous control and monitoring during shutdown outside the Control Room.

5.4 DESCRIPTION

OF SAFE SHUTDOWN SYSTEMS The following describes the systems and components required to attain safe shutdown in case of a fire.

Reactor Core Isolation Cooling System

(

Reference:

Shutdown Flow Diagram RBS-SSD-FD-102; Safe Shutdown Logic Diagram RBS-SSD-LOG-102.)

The Reactor Core Isolation Cooling (RCIC) System provides post-fire core cooling by maintaining sufficient reactor water inventory in the reactor vessel when the vessel is isolated from its primary heat sink and the main condenser and maintained in the hot standby condition. The principal components of the RCIC system consist of a steam driven turbine-pump unit, associated valves, and piping which deliver high pressure make up water to the reactor vessel from the suppression pool. The RCIC pump suction is normally aligned to the condensate storage tank; once the tank inventory is expended, the suction is re-aligned to the suppression pool. Although RCIC is initiated automatically by a reactor vessel low-water-level (Level 2, -43" RPV water level) signal, only manual initiation is credited for safe shutdown. The appropriate combination of RPV level instruments required to automatically initiate the RCIC System is shown on Safe Shutdown Logic Diagram RBS-SSD-LOG-303.

The RCIC turbine receives reactor steam from the "A" main steam line upstream from the inboard main steam isolation valve (MSIV). The steam from the RCIC turbine exhausts to the suppression pool. The exhaust line is equipped with vacuum breakers to prevent suppression pool water from being drawn into the exhaust line when the steam condenses following turbine operation. However, this function is not required for safe shutdown.

Because the turbine exhaust is not airtight (leakage to atmosphere through turbine glands),

any water drawn into the exhaust line following turbine operation will not remain indefinitely. Additionally, the admission of exhaust steam following turbine restart will break the remaining vacuum and eliminate the water column in the exhaust line.

240.201A Rev. 2 Page 27 of 65

The RCIC system is equipped with a discharge line fill pump that operates to maintain the pump discharge line in a filled condition when the system is in the standby mode.

Maintaining the discharge line filled reduces the lag time between pump startup and attainment of full flow to RPV and also prevents water hammer in the system. However, this function is not required for safe shutdown since post-fire operation of the RCIC System will maintain the discharge line full. A minimum flow recirculation line directs flow from the pump discharge piping to the suppression pool in order to prevent pump overheating. This valve is required to open automatically during initial RCIC System startup and automatically re-close after pump flow is above the minimum setpoint. The ability of the RCIC System to adequately maintain RPV level with the minimum flow valve open has not been analyzed and therefore this valve is included as a safe shutdown component. Cooling water to the turbine lube oil cooler is supplied from the RCIC pump discharge.

RCIC pump discharge flow can be monitored at the trip unit in the Control Room for 1E5 1*FTNO03. However, RPV level indication provides the credited Appendix R indication for RCIC flow. The turbine speed control system positions the steam inlet valve to control the RCIC pump discharge flow. The turbine control logic provides automatic shutdown of the RCIC turbine upon receipt of turbine overspeed, turbine high exhaust pressure, pump low suction pressure, reactor vessel high water level, or auto isolation signals(Shutdown Logic Diagram RBS-SSD-LOG-304).

High Pressure Core Spray System

(

Reference:

Shutdown Flow Diagram RBS-SSD-FD-101; Safe Shutdown Logic Diagram RBS-SSD-LOG-101.)

The High Pressure Core Spray (HPCS) system is capable of maintaining the reactor vessel water inventory in the event of reactor vessel isolation and concurrent fire induced failure of the RCIC system. The principal components of the HPCS system consist of a high pressure core spray pump, associated valves, piping, and instrumentation which deliver spray water to the reactor core. The HPCS pump suction is normally aligned to the condensate storage tank; once the tank inventory is expended, the suction is realigned to the suppression pool.

Although the HPCS system is automatically initiated by either RPV low water level (Level 2, -43" RPV water level) or high drywell/containment differential pressure (1.68 PSID),

only manual initiation is credited for safe shutdown. The appropriate combination of RPV level or drywell pressure instruments required to automatically initiate the HPCS System is shown on Safe Shutdown Logic Diagram RBS-SSD-LOG-302. The HPCS pump motor and injection valve are provided with manual override controls. These controls permit the operator to control the system manually following automatic initiation.

A discharge line fill pump is provided to maintain the pump discharge line in a filled condition. Keeping the discharge line filled reduces the lag time between pump startup and attainment of full flow to the RPV and also prevents water hammer in the system.

240.201A Rev. 2 Page 28 of 65

However, this fmnction is not required for safe shutdown since post-fire operation of the HPCS System will maintain the discharge line full. A minimum flow recirculation line directs flow from the pump discharge piping to the suppression pool in order to prevent pump overheating. This valve is required to open automatically during initial HPCS System startup and automatically close after pump flov is above the minimum setpoint.

The ability of the HPCS System to adequately maintain RPV level with the minimum flow valve open has not been analyzed and therefore this valve is included as a safe shutdown component.

HPCS pump discharge flow and pressure may be obtained at the Control Room trip units for IE22*FTNO56 and lE22*PTNO51; however, these instruments are credited for proper autoimatiC operation of the HPCS minimum flowSl\ valve. RPV level and pressure are the Appendix R credited indications of proper HPCS System operation.

Low Pressure Core Spray System

(

Reference:

Shutdown Flow Diagram RBS-SSD-FD- 103, Safe Shutdown Logic Diagram RBS-SSD-LOG-103.)

The Low Pressure Core Spray (LPCS) System is capable of maintaining the reactor vessel water inventory following RPV depressurization in the event of reactor vessel isolation and concurrent fire induced failure of the HPCS and RCIC system. The principal components of the LPCS system consist of a low pressure core spray pump, associated valves, piping, and instrumentation which deliver spray water to the reactor core. The LPCS pump draws suction from the suppression pool. Although the LPCS system is automatically actuated upon detection of either a low RPV level (Level 1, -143 "RPV water level) or high drywell pressure (1.68 PSID), only manual initiation is credited for safe shutdown. The appropriate combination of RPV level or drywell pressure instruments required to automatically initiate the LPCS System is shown on Safe Shutdown Logic Diagram RBS-SSD-LOG-303. The LPCS pump and injection valve are provided with manual override controls. These controls permit the operator to manually control the system subsequent to automatic initiation.

The discharge line fill pump is provided to maintain the pump discharge line in a filled condition. Keeping the discharge line filled reduces the lag time between pump startup and attainment of full flow to the RPV and also prevents water hammer in the system.

However, this function is not required for safe shutdown since post-fire operation of the LPCS System will maintain the discharge line full. A minimum flow bypass line is provided to protect the LPCS pump from overheating. This valve is required to open automatically during initial LPCS System initiation and automatically close after pump flow is above the minimum setpoint. The ability of the LPCS System to adequately maintain RPV level with the minimum flow valve open has not been analyzed and therefore this valve is included as a safe shutdown component.

LPCS pump discharge flow and pressure may be obtained at the Control Room trip units for 1E21 *FTNO51 and IE21 *PTNO50; however, these instruments are credited for proper 240.201A Rev. 2 Page 29 of 65

automatic operation of the LPCS minimum flow valve and manual handswitch operation of the LPCS injection valve respectively. RPV level and pressure are the Appendix R credited indications of proper LPCS System operation.

The LPCS System is required for RPV level control during the transition period from hot shutdown to cold shutdown plant conditions and during cold shutdown until RHR shutdown cooling is established.

Residual Heat Removal System

(

Reference:

Shutdown Flow Diagrams RBS-SSD-FD-104, -105, -106, Safe Shutdown Logic Diagrams RBS-SSD-LOG-104, -105, -105A, -106.)

The objective of the Residual Heat Removal (RHR) System is to remove decay heat from the reactor at a greater rate than it is produced, to supply low pressure coolant makeup to the reactor vessel and remove heat from the suppression pool. The following three modes of RHR operation are credited for safe shutdown:

1. Low Pressure Coolant Injection (LPCI)
2. Suppression Pool Cooling
3. Shutdown Cooling- i.) Normal Shutdown Cooling, ii.) Alternate Shutdown Cooling The RHR system contains three independent loops, A, B, and C. Each loop contains its own motor-driven pump (1E12*PCO02A, B, and C), piping, valves, instrumentation, and controls. Loops A and B also contain two heat exchangers (1E12*EBOOLA and C for Loop A and IE12* EBOOlB and D for loop B), which are cooled by standby service water. All three loops have a suction source from the Suppression Pool and are capable of injecting water into the reactor vessel by means of a separate nozzle. In addition, loops A and B have a suction source from the RPV and are capable of injecting back to the suppression pool by means of a full-flow test return line. Each RHR loop has a discharge line fill pump which maintains the pump discharge line in a filled condition. Keeping the discharge line filled reduces the lag time between pump startup and attainment of full flow to the RPV and also prevents water hammer in the system. However, this function is not required for safe shutdown since post-fire operation of the RHR System will maintain the discharge line full. Up to 5800 gpm of cooling water to each pair of the RHR heat exchangers can be provided by the Standby Service Water System for all modes of operation requiring use of the heat exchangers. Capability is provided for remote manual start and stop of the RHR pumps from the Main Control Room (MCR).

Low Pressure CoolantInjection (LPCI)

The LPCI mode is required for RPV level control following RPV depressurization until RHR Shutdown Cooling is established.

The LPCI subsystem is automatically activated by Emergency Core Cooling System initiation signals when either the drywell pressure equals or exceeds 1.68 PSID or the RPV 240.201A Rev. 2 Page 30 of 65

water level is 1 foot or less above the top of active fiuel. However, only manual initiation is credited for safe shutdown. The LPCI mode of RHR can be manually initiated by a single initiation switch from the Control Room. The appropriate combination of RPV level or drywell pressure instruments required to automatically initiate the LPCI mode of RHR is shown on Safe Shutdown Logic Diagram RBS-SSD-LOG-3 03. During this mode, water is drawn from the suppression pool at a rate of 5050 GPM per loop using the RHR pump.

Discharge from the RHR pump is routed around the heat exchangers (train A and B) into the core region of the reactor vessel through separate lines, LPCI injection valves lE12*MOVF042A/B/C and injection nozzles.

Suppressionl Pool Coolinig The Suppression Pool Cooling mnode is required for reactor decay heat removal dluring hot shutdown and transition to cold shutdown until RHR Shutdown Cooling is established.

During the Suppression Pool Cooling mode of RHR operation, water is drawn from the Suppression Pool and pumped by the RHR pump through the RHR heat exchangers (loops A and B only) and then back to the suppression pool through the system loop test line.

This operating mode transfers the reactor decay heat deposited into the Suppression Pool via the Main Steam Safety Relief Valves (SRVs) to the ultimate heat sink or plate heaters using the Standby Service Water Subsystem or the Normal Service Water Subsystem for fire area PT-1, respectively. The Suppression Pool Cooling subsystem is designed:

1. To ensure that the temperature in the suppression pool prior to an RPV blow- down is sufficiently low so that immediately after a blowdown the pool temperature is not greater than 170 0F when the reactor pressure is above 135 psig.
2. To ensure that the temperature in the suppression pool prior to a blowdown is sufficiently low so that any time after a blowdown the suppression pool temperature does not exceed 185 OF.

Shutdown Cooling RHR shutdown cooling is required to maintain RPV level and remove reactor decay heat during cold shutdown conditions. There are two modes credited for post fire safe shutdown: i.) Normal Shutdown Cooling and ii.) Alternate Shutdown Cooling.

During the Normal Shutdown Cooling mode of RHR operation, water is drawn from the RPV and pumped by the RHR pump through the RHR heat exchangers (loops A and B only) and then returned to the RPV through the loop injection line and the feedwater mixing tee and feedwater injection line.

The Alternate Shutdown Cooling mode is not a separate mode of the RHR system; rather it is an extension of the LPCI mode, wherein the Suppression Pool water is returned to the RPV through the LPCI injection valve after first passing through the loop heat exchangers (loops A and B only), where it is cooled by transferring heat to standby service water. A 240.201A Rev. 2 Page 31 of 65

minimum of four Main Steam Line SRVs are maintained open. The RPV is flooded and reactor decay heat transferred to the Suppression Pool via the flooded SRV discharge lines to complete the loop.

Thus the reactor decay heat is transferred to the Suppression Pool where it is removed from the reactor water by means of the RHR heat exchangers and standby service water system.

Actuation of this subsystem is manual and shall be at an RPV pressure less than or equal to 1 0 psig. The subsystem removes enough residual heat from the reactor vessel to cool it from 344 'F to 125 'F within 20 hours2.314815e-4 days <br />0.00556 hours <br />3.306878e-5 weeks <br />7.61e-6 months <br /> after the control rods are inserted.

Main Steam Safety/Relief Valve System (RfeferenIce; Shutdown Flow Diagrams RBS-SSD-FD-107,-109, Safe SIuLtLdow n Logic Diagrams RBS-SSD-LOG-107,-109)

The purpose of the Main Steam Safety/Relief Valve (SRV) system is to prevent overpressurization of the nuclear system and to provide automatic depressurization of the reactor vessel.

Four main steam lines originate at the RPV and are routed through the containment, drywell, and to the turbine building. Each steam line consists of one inboard and one outboard isolation valve (lB21*F022A through D and 1B21*F028A through D respectively).

The Main Steam Safety/Relief System consists of 16 SRVs which are mounted on the four main steam lines in the drywell as follows:

Line A -2 Safety/Relief Valves Line B-5 Safety/Relief Valves Line C-6 Safety/Relief Valves Line D-3 Safety/Relief Valves The safety/relief valves support post-fire safe shutdown in either of the three modes of operation: 1.) automatically, using a pneumatic power activator (pressure relief mode), 2.)

manually using the pneumatic power activator, and 3.) self-activation in the spring lift mode (safety mode).

The relief function of the SRV system is to relieve high pressure conditions in the nuclear system that could lead to the failure of the reactor coolant pressure boundary. The system activates the SRVs to vent steam to the suppression pool and reduce reactor pressure. The appropriate combination of RPV pressure instruments required to automatically initiate the SRVs for overpressure protection is shown on Safe Shutdown Logic Diagram RBS-SSD-LOG-302. However, only the self-activated spring lift mode is credited for overpressure protection during post-fire safe shutdown. A minimum of one SRV is required to control plant pressure during cooldown when either the HPCS or RCIC System is used for RPV level control. A minimum of four SRVs are required for both plant depressurization to 240.201A Rev. 2 Page 32 of 65

support RHR-LPCI or LPCS System operation, and for Alternate Shutdown Cooling mode of RHR.

The Automatic Depressurization System (ADS) is designed to provide automatic depressurization of the reactor vessel by activating seven of the sixteen SRVs. This rapid depressurization is required wvhen only the low pressure RPV level control systems are available (RHR-LPCI, LPCS). Although the ADS system is automatically activated by Emergency Core Cooling System initiation signals, only manual initiation is credited for safe shutdown. Remote switches for manual operation of the ADS are installed in the main control room. The ADS reduces reactor pressure to a level such that the RBR-LPCI and LPCS systems can operate and inject water into the RPV. The appropriate combination of i Istruments required to autoILmatically inlitiate the ADS system is sho.n on Safe Shutdown Logic Diagram RES-SSD-LOG-3 03.

Each SRV is provided with a dedicated pneumatic accumulator. Air to operate the SRVs is normally supplied by the SVV system. However, when required, backup supply from the Penetration Valve Leakage Control System (PVLCS) compressors is credited for safe shutdown. The accumulator capacity is sufficient to provide at least one valve actuation; subsequent actuation for an overpressure protection event can be spring actuated (safety mode) to limit reactor pressures to acceptable levels. In addition to the air stored in each dedicated pneumatic accumulator, stored air is available from the Penetration Valve Leakage Control System Accumulator Tanks, ILSV*TK6A and *TK6B. The quantity of stored air in these tanks is sufficient to provide for approximately 83 SRV actuations (TK6A) and 28 SRV actuations (TK6B) (Ref. 2.20). The anticipated number of post-fire SRV actuations is approximately 15 (Ref. 2.8). Thus, the quantity of stored air is adequate to support post-fire safe shutdown without the need for backup air from the PVLCS air compressors. However, the air compressors will be required to maintain adequate air pressure (because of air system pressure loss due to leakage) to maintain the SRVs open to support sustained operation of the RHR System in the Alternate Shutdown Cooling mode.

Each SRV is provided with two independently powered solenoid air valves. Actuation (energization) of either solenoid causes the SRV to open. Therefore, loss of either Electrical Distribution System division will not prevent SRV operation.

Reactor Pressure Vessel Vent Path

(

Reference:

Shutdown Flow Diagram RBS-SSD-FD-109, Safe Shutdown Logic Diagram RBS-SSD-LOG-1 09)

The RPV contains two normally closed reactor head vent valves in series lB21*MOVFOO1, MOVF002. This vent path is not credited to achieve post fire safe shutdown. As noted in Section 3.15, this vent path is not considered a High/Low pressure interface and therefore these two valves are not subject to the special spurious operation and cable failure considerations associated with High/Low pressure interface components (see Section 4.1.1 and Section 3.1 .a in Appendix A). However, control cables for both of these valves are routed through several fire areas. This condition requires consideration of 240.201A Rev. 2 Page 33 of 65

one-at-a-time spurious operation (opening) and would require a compensatory manual action to de-power these valves at their respective MCCs (INHS-MCC2A and MCC2B respectively). The two MCCs are located in the same room which, given a fire in the room, would preclude entry into the room to take the manual action for approximately I hour. Additionally, Appendix R emergenicy lights are not provided to support this manual action given a fire in any plant fire area which affects both valves. Therefore, to disposition the effects of fire induced cable damage to the control cables for these two valves, at least one must be administratively maintained closed with its breaker open.

Penetration Valve Leakage Control System

(

Reference:

Shutdown Flow Diagrams RBS-SSD-FD-108A, 108B;, Shutdown Logic Dia-raijg R'LS-SSD-LOG-l OS)

The Penetration Valve Leakage Control System (LSV) is a piping system for air pressurization to prevent the release of fission products through closed main steam isolation valves and drain lines following design basis accidents. The LSV system provides piping, valves, tanks, and compressors supplying clean air to the MSIV and drain network, preventing the release of fission products through lines penetrating the containment. Two independent systems, one for the inboard MSIVs and one for the outboard MSIVs, maintain clean air at 50 psig, thus ensuring that contaminants will not be transmitted beyond the containment following an accident. This system is manually initiated post-accident and this function is not credited for post-fire safe shutdown.

To support post-fire safe shutdown, the LSV System provides for stored air to support operation of the SRVs and backup air supply to maintain the SRVs open to support sustained RHR System operation in the Alternate Shutdown Cooling mode.

Plant Monitoring Instrumentation Plant monitoring instrumentation, in the context of post-fire safe shutdown operation, consists of those instruments or local gauges/indicators which are necessary to monitor the operation of primary safe shutdown system parameters and the operation of those systems or components that provide required support functions.

Containment Atmosphere Monitoring and Nuclear Boiler Instrumentation Systems are credited for monitoring primary system parameters. These primary system parameters are reactor vessel level, reactor vessel pressure, suppression pool level, and suppression pool temperature. Plant monitoring instrumentation for the systems or components that provide support functions are described in each safe shutdown system description.

240.201A Rev. 2 Page 34 of 65

Nuclear Boiler Instrumentation System

(

Reference:

Shutdown Flow Diagrams RBS-SSD-FD-3 02A-C, Shutdown Logic Diagram RBS-SSD-LOG-301A)

Nuclear Boiler Instrumentation System provides instrumentation for monitoring primary system reactor vessel level and reactor vessel pressure.

The system provides readings for the following:

  • Reactor Vessel Pressure
  • Reactor Vessel Range Inidicatioll
  • Reactor Vessel Pressure/Level Recording The system consists of instrumentation tubing, valves, pressure reducers, transmitters, condensing chambers and various other support equipment.

The system operates continuously with full redundancy, and these parameters are recorded in the control room or at the remote shutdown panel depending upon the location of the fire.

Containment Atmosphere Monitoring System

(

Reference:

Shutdown Flow Diagrams RBS-SSD-FD-301A-C, Safe Shutdown Logic Diagram RBS-SSD-LOG-301)

To support post-fire safe shutdown, the Containment Atmosphere Monitoring System (CMS) provides measurement, indication, and recording, of Suppression Pool level and temperature.

The monitoring instrumentation credited for post-fire safe shutdown is as follows:

The Suppression Pool level: lCMS*LT23A, B and lE51*LTNO36A, E The Suppression Pool temperature: 1CMS*RTD24A through K and ICMS*RTD40A through D The system operates continuously with full redundancy, and these parameters are indicated in the MCR or at the Remote Shutdown Panel.

Service Water System

(

Reference:

Shutdown Flow Diagrams RBS-SSD-FD-201A-C, -202A-C, -203A, -203B, Shutdown Logic Diagrams RBS-SSD-LOG-201, -202, -203)

The Service Water (SWP) System is a cooling water system consisting of a closed loop Normal Service Water (NSW) Subsystem and an open loop Standby Service Water (SSW)

Subsystem. The SSW subsystem is credited for post-fire safe shutdown for all fire areas 240.201A Rev. 2 Page 35 of 65

except Fire Area PT-1 in which the NSW subsystem is credited (Ref.2.27). Cooling is provided to the following credited post-fire safe shutdown components:

  • RHR Heat Exchangers 1E12*EBOOlA through D
  • Auxiliary building unit coolers IHVR*UC4, *UC5, *UC6, *UC7, *UC9,*UC 10,

'UCI A, *UCll B.

  • Control building chillers IHVK*CHLIA through D
  • Standby Diesel Jacket Coolers lEGT*ElA and B
  • HPCS Diesel Jacket Cooler lE22*ESOOl
  • RHR pump A and B Bearing Coolers.

The credited components of the Standby Service Water subsystem are as follows:

  • Four control building chiller recirculation pumps, lSWP*P3A, B, C, and D
  • Associated piping, valves, and instrumentation Four 50 percent SSW pumps, 1 SWP*P2A, B, C, and D, two for each redundant SSW division, take suction from the water storage basin sump area and discharge into two 30-inch headers which run through the piping tunnels west of the fuel and auxiliary buildings.

Individual sets of redundant lines branch off the main headers to provide cooling water to the above mentioned components. Returning SSW is collected in two redundant 30-inch return headers which run back through the same pipe tunnels to the standby cooling towers, where it is sprayed over the tower and cooled. Cold water cascading down through the fill is collected in the basin located beneath the tower structure.

A Division I SSW subsystem configuration is available to support single SSW pump operation to eliminate the need for raceway thermal barrier protection to support two SSW pump operation. For single SSW pump cooldown, additional flowpaths must be isolated/restricted to ensure adequate flow to components critical for safe shutdown. The following actions must be taken to support single SSW pump cooldown:

i. Isolate flow to RPCCW heat exchangers- This flow is not required since SSW flow directly to the critical load (RHR Pump A bearing cooler) is relied upon.

ii. Isolate flow to Spent Fuel Pool Cooling Heat Exchanger- This function is not required to achieve and maintain cold shutdown conditions for an Appendix R fire.

iii. Isolate flow to Drywell Unit Coolers- Flow to the Drywell Unit Coolers is automatically isolated upon a LOCA signal. The temperature transient in containment is more severe for this accident than for a normal shutdown following a fire. Therefore, flow to these coolers is not required since the isolation of these coolers during a LOCA condition bounds the Appendix R fire scenario.

240.201A Rev. 2 Page 36 of 65

Additionally, the results of calculation ES-1 86, Rev I (File No. G13.2.7), indicate Drywell cooling is not required to achieve safe shutdown following an Appendix R fire.

iv. Isolate flow to Containment Unit Coolers- Flow to these coolers is not required to support postfire safe shutdown. Refer to Appendix C for more infornmation.

v. Throttle SSW flow to the Train A RHR Heat Exchanger using the SSW outlet valve lE12*MOVF068A.

Of concern regarding single SSW pump operation is the worst case scenario for transition froimi normal lplailt operation w'ilit Normal Servicc WXater (NSW) on line to single SSW' P UMP operation. If Division I single SSW pULimp operation were to be established withOut Division I SSW flow to the RPCCW heat exchangers isolated, pump runout would occur.

The SSW flow to the RPCCW heat exchangers is isolated by any one of three actions:

1. Manual initiation of the Division I SSW subsystem
2. Low RPCCW pressure signal from ICCP-PTIA, PT1C, PT1E, PT1G (one out of two taken twice) 3 Handswitch operation from the Control Room of the appropriate isolation valves Manual initiation of the SSW subsystem is currently credited for Appendix R. However, automatic initiation of SSW may still occur from either a low NSW or RPCCW system pressure signal.

Division I SSW is automatically initiated by low NSW pressure signal from 1SWP-PT21A, 21E, 21C, and 21G (one out of two taken twice). However, this signal does not isolate the SSW flow to RPCCW exchangers. Therefore, single SSW pump operation will not be credited for areas in which a fire induced spurious signal from these pressure transmitters could occur.

Additionally, situations which could cause low RPCCW header pressure (LOOP, cable damage to the RPCCW system components) need to be detected to ensure SSW flow to the RPCCW heat exchangers will be isolated when SSW is automatically initiated. Therefore, the RPCCW low pressure transmitters must be available in areas which credit single SSW pump operation.

240.201A Rev. 2 Page 37 of 65

The standby cooling tower, SWP*TWRl, is a safety-related tower designed to cool 16,500 gpm of standby service water from 116 OF to 93 0F with an 81 0F designed ambient wet bulb temperature.

Standby Diesel Jacket Cooler IEGT*EIA and B Two jacket coolers, one on each standby diesel skid, are provided a nominal 700 gpm each at all times to ensure that cooling water is available immediately on diesel emergency start.

HPCS Diesel Jacket Cooler 1E22*S001 One jackct cooler requires a nominal 800 gpmll dUrillg diesel operation. Water is provided from both redundant SSW trains to ensure availability.

RHR Heat Exchangers 1E12*EB0OlA through D Two parallel trains each consisting of two heat exchangers in series are provided a nominal 5,800 gpm each.

Control Building Chillers lHVK*CHLI A through D Each chiller recirculation pump (i.e., lSWP*P3A, B, C, and D) is designed to circulate 530 gpm around the recirculation loop for the control building chillers IHVK*CHL1A through D. The recirculation control valves lSWP* PVY32 A through D are gagged fully open in response to Condition Report 95-0280.

Spent Fuel Pool Cooling System This function was identified during the original Appendix R analysis as required for post-fire safe shutdown. Subsequent re-analysis and evaluation has determined this function is not required for post-fire safe shutdown. This position is documented in Reference 5.7.16 to Appendix C. However, this system may be used during modes 4 and 5, when both RHR trains A and B are out of commission, to remove reactor decay heat.

Reactor Plant Component Cooling Water System

(

Reference:

Shutdown Flow Diagrams RBS-SSD-201D, -202D, Shutdown Logic Diagrams RBS-SSD-LOG-201, -202)

The Reactor Plant Component Cooling Water System (RPCCW) is a closed loop cooling system. A portion of the system is isolated during post-fire safe shutdown such that the SSW subsystem can provide cooling water to the RHR pump 1E12*PCO02A or lE12*PC002B bearing cooler. Manual initiation of SSW or a RPCCW low header pressure signal from 1CCP*PT1A through 1H, will initiate isolation of non-essential portions of the RPCCW and NSW subsystems from the SSW subsystem. However, initiation of SSW subsystem from the RPCCW low header pressure transmitters is not credited for post fire safe shutdown.

240.201A Rev. 2 Page 38 of 65

During post-fire shutdown operation, the SSW subsystem is aligned to directly cool RHR pump bearing coolers 1E12*PCO02A and 2B by opening valves lSWP*MOV504A/B and lSWP*MOV510A/190/510 B. The RI-IR pulp bearing coolers require cooling whenever the pump suction exceeds 212 OF. Therefore, cooling is not required for the LPCI or Alternate Shutdown Cooling Modes of RHR.

Diesel Generator Building Ventilation Systemn

(

Reference:

Shutdown Flow Diagrams RBS-SSD-FD-209A, -209B, Shutdown Logic Diagram RBS-SSD-LOG-209)

The Diesel Genrcrator Building HVAC Systemi (HTV7P) provides vrentilation for each of the three diesel ernerator rooms and also routes the combustion and exhaust air to and front the emergency diesels.

The HVP system consists of the following principal components:

  • Diesel generator IA, B, and C control room supply fans IHVP*FN6A, B, and C.
  • Diesel generator control room inlet air filters IHVP*FLT2A, B, and C.
  • Associated dampers, instrumentation, and controls The HVP system maintains air temperature below 104 0F in the control room area.

Outside air is pulled into each of the three diesel generator control room supply fans after passing through louvers and filters. The air is distributed to each diesel generator control room and excitation cabinets. The exhaust air from each room flows into the respective diesel generator room.

When the diesels are operating or when the room temperatures are greater than or equal to 100 'F, the diesel rooms are ventilated at much higher flow rates because of the increased heat loads. The diesel generator rooms exhaust fans will exhaust air from the respective diesel generator rooms.

The standby ventilation system for each diesel generator room is redundant.

Control Building Chilled Water System

(

Reference:

Shutdown Flow Diagrams RBS-SSD-FD-204, -205, Shutdown Logic Diagrams RBS-SSD-LOG-204, -205) 240.201A Rev. 2 Page 39 of 65

The objective of the Control Building Chilled Water System (HVK) is to remove heat generated within the Control Building to maintain the required environmental conditions.

This is a closed loop cooling water system consisting of chillers, piping, and circulating pumps that supply chilled water to the Control Building Air Conditioning System and transfer all system heat loads to the service wvater system.

The HVK system is redundant and each division consists of twvo 100 percent capacity water chillers, two 100 percent capacity service \vater system condenser cooling water pumps, two 100 percent capacity chilled water pumps, and a chilled water compression tank.

Cooling water is supplied to/from the chiller condensers by service water during post-fire shutdown. The makeup water is provided to each chilled water system loop by the service xater dur-inig a postulated fir-e scenario.

During post-fire operation, a chilled water system loop is started manually fi-om the main control room and operates continuously. Control switches are provided in the main control room for manual operation of chilled water pumps and chiller condenser cooling pumps.

A heat load analysis has been performed for the control building, and it showed that one chiller could handle the total control building heat load during post-fire safe shutdown.

Control Building Air Conditioning System

(

Reference:

Shutdown Flow Diagrams RBS-SSD-FD-206, -207A, -207B, Shutdown Logic Diagrams RBS-SSD-LOG-206, -207)

The Control Building Ventilation and Air Conditioning System (HVAC) provides cooling and ventilation for the main control room, standby switchgear rooms, HVAC equipment rooms, cable vault, and general areas within the control building.

The HVC system consists of the following subsystems credited for post-fire safe shutdown:

  • Main Control Room Air Conditioning
  • Standby Switchgear Rooms Air Conditioning
  • Chiller Equipment Room Air Conditioning The principal components of the HVC system are as follows:
  • Control Room Air Conditioning Units IHVC*ACUIA and ACUlB
  • Standby Switchgear Rooms Air Conditioning Units lHVC*ACU2A and 2B
  • Chiller Equipment Room Air Conditioning Units lHVC*ACU3A and 3B
  • Standby Switchgear Return Air Fans IHVC*FN2A and B 240.201A Rev. 2 Page 40 of 65

The local outside air intake is used to supply outside fresh air to the control room areas.

Each control room air handling unit consists of a filter, chilled water cooling coils, a fan, and electric heating coils. The cooling coils are supplied with chilled water by the control building chilled water system. After being processed in the air-handling unit, the air is distributed throughout the control room area by numerous ducts and manual dampers. The main control room air conditioning subsystem functions to maintain Control Room habitability during post-fire safe shutdown.

Similarly, the standby switchgear room air conditioning subsystem maintains air temperature between 40 'F and 104 TF for the switchgear rooms and cable vault, and between 40 'F and 90 'F for the general areas. The chiller equipment room air conditioning subsystem maintains air temperature between 60 "E and 90 'F.

The Battery Room Exhaust Fans are not required to support safe shutdown. Refer to Table C- I of Appendix C of this document.

Instrument Air System All components which require instrument air fail to their required safe shutdown position with the exception of Control Room and Standby Switchgear HVAC dampers 1HVC*AOD5A,5B, 6A,6B, 7A,7B, 12A,12B, 38A, and 38B. These dampers are required to remain open to provide Control Room and Standby Switchgear room cooling but fail closed on loss of instrument air. Backup air tanks lIAS*TK 5A,5B, associated air bottles 1IAS*Bank 5A1,5A2 and *Bank 5B1,5B2 and air supply root valves are provided to maintain air supply to these dampers should the Instrument Air System become unavailable. Each divisional air bank and tank combination will provide a minimum of 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> of air, ( Reference 2.34 ). This time duration is sufficient to take manual action as necessary to maintain these dampers open to support safe shutdown.

Yard Structure Ventilation System

(

Reference:

Shutdown Flow Diagrams RBS-SSD-FD-210, -211, Shutdown Logic Diagrams RBS-SSD-LOG-210, -211)

The Yard Structure Ventilation System (HVY) provides ventilation for Standby Service Water Pump House Cooling Tower No. 1 pump rooms and switchgear rooms.

The principal components credited for post-fire safe shutdown are as follows:

  • Standby Service Water Pump House Cooling Tower No. 1 Switchgear Rooms Ventilation Supply Fans lHVY*FN2A and 2B 240.201A Rev. 2 Page 41 of 65

For either level of the Cooling Tower structure supply, air is supplied through an intake plenum feeding the Division I or II fans. The air is exhausted through exhaust plenums of the SSW switchgear rooms A or B via floor dampers.

Reactor Plant Ventilationi System

(

Reference:

Shutdown Flow Diagrams RBS-SSD-FD-212A, -212B, Shutdown Logic Diagram RBS-SSD-LOG-212)

The objective of the Reactor Plant Ventilation System (HVR) is to control building air temperature, humidity, and movement of potential airborne radioactivity and to maintain a negative pressure in the annulus and the auxiliary building. The system provides an environment \Vhich ensures the operability during the post-fire safc slhtitowvi.

The principal components of the HVR system are as follows:

  • Auxiliary Building Unit Coolers IHVR*UC4, 5, 6, 7, 9, 10, 1A, and lIB Unit Coolers are provided for removal of heat dissipated from equipment for the following:
  • RHR Pump Room and Heat Exchanger Cubicles
  • East and West General Areas
  • RPCCW Area
  • RCIC Pumps and Turbine Cubicle
  • General Areas Standby AC and DC Power Distribution System

(

Reference:

Single Line Electrical Diagrams RBS-SSD-FD-213,-214, 215,-216, -217A, -

217B, Shutdown Logic Diagrams RBS-SSD-LOG-213, -214, -215, -216, -217)

This system provides the support to ensure that the electrical components identified in the other systems will be operating as required to achieve safe plant shutdown. The safe shutdown electrical distribution system has been configured per simplified one line electrical diagrams RBS-SSD-FD-215,-216, and -217B to provide the necessary power in the event of loss of off-site power.

The Standby AC Power Distribution System consists of three 4.16kV AC buses, four 480V AC load centers, miscellaneous 480V motor control centers, and three diesel generators.

The diesel generators can supply the necessary power requirements should a total loss of off-site power occur. Each diesel-driven generator unit is equipped with its own auxiliary components. These include a self-contained, individual starting air system, fuel oil, lube oil, cooling water, voltage regulator, and controls. Cooling water is provided by the diesel generator cooling water function of the standby service water system.

240.201A Rev. 2 Page 42 of 65

Power is distributed within the plant at 4.16kV and supplied to major loads at that voltage.

The electrical output from the diesel generators is supplied at 4.16kV to three class IE buses which supply the loads required for safe shutdown. Unit substations, consisting of transforners and switchgear, are provided within the plant to step the voltage down to 4SOV and supply loads at that voltage. 120V AC electrical power is supplicd for instruments, controls, and lighting. The diesel gencerators and standby AC buses can be operated either from the control room or locally.

The 125V DC Standby Power Distribution System supplies power for operation of HPCS, LPCS, RCIC, ADS, RHR, 4.16kV standby switchgear, diesel generator logic and control circuits, and essential instrumentation. The 125V DC Standby Power Distribution System consists of batteries, battery chargers, 1\V DC sacitchgears, and DC distrib utionl pal1els.

There are three class IE batteries, consisting of Division I and II and the Division III (HPCS battery) rated at 125VDC. There are three standby battery chargers.

The 125V DC system provides power for 120 VAC uninterruptible power supplies.

5.5 ASSOCIATED CIRCUITS OF CONCERN The separation and protection requirements of 10CFR50, Appendix R apply not only to safe shutdown circuits but also to "associated" circuits, i.e., those circuits which could prevent operation or cause maloperation of safe shutdown components. The identification of these associated circuits of concern was performed for RBS in accordance with NRC Generic Letter 81-12 and the subsequent clarification to the Generic Letter. The latter document refined the definition of these associated circuits of concern to those circuits which have a physical separation less than that required by Section ll.G.2 of Appendix R and have one of the following:

a. A common power source with the shutdown equipment and whose power source is not electrically protected from the circuit of concern by coordinated breakers, fuses, or similar devices.
b. A connection to circuits of equipment whose spurious operation would adversely affect the shutdown capability.
c. A common enclosure with the shutdown cables, and
  • is not electrically protected by circuit breakers, fuses, or similar devices, or
  • will allow propagation of the fire into the common enclosure.

240.201A Rev. 2 Page 43 of 65

_ F

These criteria were applied to the network of safe shutdown circuits identified from review of the elementary diagrams to deternmine those additional circuits requiring analysis. The analysis of such circuits is described in the following subsections.

5.5.1 Circuits Associated by Common Pow r Supvld 5.5.1.1 Generic Concern: Protective Device Coordination Typically, electrical circuits fault protection is designed to provide protection for plant electric circuits through the use of protective relaying, circuit breakers, and fuses. This protective cquipm1enCt is designed and applied to ensuLre adequate protection of all electrical distribution eqtipmiient from electric faults aind overload conditions in the circuits. Whlen power cables are affected by fire-induced failures, the operation of these protective devices will result in isolation of the affected electrical circuits and, thus, will prevent the propagation of the fault to other portions of the electrical system.

An integral part of electrical system protection is the proper coordination of all these devices. Such coordination ensures that the protective device nearest to the fault will operate prior to the operation of any "upstream" devices and limits interruption of electrical service to a minimal number of loads. These design practices provide reasonable assurance that circuits having common power supplies with safe shutdown circuits will be sufficiently protected to ensure that fire damage does not result in a loss of safe shutdown power source.

If a safe shutdown power supply does not demonstrate proper coordination, the four most plausible methods of obtaining compliance are as follows:

a. Provide protective device coordination between the associated circuit load protective device and the common power supply incoming line protective device.
b. Relocate the nonconforming non safe shutdown associated circuit(s) to a nonsafe shutdown power supply or isolate the associated circuit of concern from the safe shutdown bus via post-fire procedural steps.
c. Relocate the safe shutdown circuit(s) to another safe shutdown power supply (same train).
d. Provide protection between the associated circuit(s) and the safe shutdown circuit(s) from the common power supply per 10CFR50, Appendix R, Section HI.G.2.

240.201A Rev. 2 Page 44 of 65

5.5.1.2 Common Power Supply Coordination Calculations E-200, "Overcuirent Devices Setpoints" and E-201, "Protective Relaying Setpoints" establish and document electrical protective device coordination for 480V load centers,'MCC's and above. To establish ti at the Electrical Distribution System11 coenplies with Section 5.5.1.1 for equipment below 480V, a coordination study (reference 2.12) was conducted to evaluate the existing electrical circuit protection and coordination for 12OVac and 125Vdc safe shutdown power supplies. Four assumptions were employed in this review:

a. No single failure criterion is applied to electrical protection devices.

Electrical protection devices are assumed to operate properly in accordance with their corresponding time-culrrent characteristics, unless their failure is directly attributable to a fire (See Section 4.0.4).

b. Only one fire-induced electrical fault at any given time is assumed to affect a common power supply feeder branch. The largest load side feeder circuit breaker or fuse is used for that purpose and coordination verified against the line side protection. Electrical faults may be considered bolted, phase-to-phase, or phase-to-ground.
c. Loss of electrical power (either motive or control) to passive safe shutdown devices is not considered detrimental to safe shutdown devices since these devices are assumed to be in their normal position or status pre-fire and thus are assumed to fail "as-is" on loss of power. Loss of electrical power (either motive or control power) to passive safe shutdown devices, by definition, would not have an impact on safe shutdown capability by spurious operations unless that condition had been clearly identified in the Safe Shutdown Analysis. Likewise, the Analysis establishes that loss of electrical power to circuits associated with high-low pressure boundary components would not result in spurious operations affecting those devices.
d. Those circuits which normally supply power for operation of a safe shutdown component which has been determined to be manually operable or may be repaired via a post-fire repair procedure are not considered safe shutdown circuits, since loss of power is not determined to be a limiting factor of the component's operation.

Calculation G13.18.3.6*5 (reference 2.12) was developed in support of the resolution of the "Common Power Supply" associated circuit issue for 12OVac and 125Vdc circuits.

The objective of this study was to establish the adequacy of protective device coordination for safe shutdown-related power sources to ensure the continued availability of adequate electrical power distribution in the event of faults on branch or feeder circuits caused by a fire in any single fire area.

240.201A Rev. 2 Page 45 of 65

In compiling the data necessary to perform this study, it was deemed appropriate to verify that design infonnation describing the protective devices, ratings, and settings was valid and current. Consequently, an effort was undertaken to document the protective devices installed on 12OVac and 125Vdc safe slhutdown-related power sources.

Based on the analysis in calculations E-200, E-201 and G13.18.3.6*05, the following conclusion was drawn:

  • The existing level of overcurrent protective device coordination for circuits fed from safe shUtdown-rclated buses, distribution panels, control panels, and MCCs is adequalte.

5.5.2 Circuits Associated by Spurious Operation Potenitial 5.5.2.1 Overview This analysis, performed in conjunction with the Safe Shutdown Analysis, identified the circuits which present potential spurious operation concerns and placed them into one of the following two categories:

a. Circuits capable of causing spurious operations which could adversely affect proper safe shutdown operation; and
b. Circuits capable of causing spurious operations which could cause an uncontrolled loss of primary coolant (high-low pressure interfaces).

Circuits in the first category are addressed by including the connected devices on the safe shutdown equipment list for the affected safe shutdown system and analyzing them as safe shutdown components.

Circuits in the second category have been analyzed on a case-by-case basis. Refer to Section 3.15 for a discussion regarding high-low pressure interface.

5.5.2.2 Analysis Description and Results Appendix A of this document describes the methodology utilized to identify the spurious actuation concerns, and the results of the analysis.

240.201A Rev. 2 Page 46 of 65

5.5.3 Circuits Associated by Common Enclosure 5.5.3.1 Definitions 5.5.3.1.1 Common Enclosure - Associated Circuits Circuits associated by common enclosure arc those circuits that have an enclosure (C.g.,

raceways, panels, or junction boxes) in common with safe shutdown cables. This poses the potential for fire damage to safe shutdown cables due to overheating of the associated circuit cables under fault conditions.

5.5.3.1.2 Enclosure Within the context of this evaluation, an enclosure has been defined as any raceway, panel, junction/pull box, or other structure that is used to contain electrical cables.

5.5.3.2 Basis for Evaluation 5.5.3.2.1 Propagation of Cable Fires Cable fires initiated in one fire area will not propagate to an adjacent fire area, by virtue of three-hour-rated fire barriers and penetration seals or equivalent at fire area boundaries.

Consequently, it is not essential to credit any retardation of fire propagation within an area.

However, the propagation of fire within a fire area will be limited based on the use of flame retardant (IEEE 383) cable.

Any raceway originating from a wrapped enclosure is wrapped 18" beyond the enclosure and therefore, the fire originating in the area containing the wrapped enclosure will not propagate into the enclosure.

5.5.3.2.2 Cable Protection Resolution of the common enclosure associated circuit concern requires the demonstration that the plant electrical system design will preclude damage to safe shutdown cables from non safe shutdown cables by the self-heating and subsequent self-ignition of cables resulting from short circuit or overload currents. It must, therefore, be demonstrated that:

a. Circuits are provided with short circuit and overload current interrupting devices.
b. Cable sizing/selection criteria provide for sufficient margin to accommodate short circuit and overload currents for a sufficient length of time until the protective device (fuse, breaker) actuates to de-energize the circuit before the conductor is heated to the point where it damages the cable insulation (and potentially generates a secondary fire).

240.201A Rev. 2 Page 47 of 65 1-_-- -____-__'_ ------

5.5.3.3 Common Enclosure Analysis Calculation G.13.18.3.6*07 (reference 2.13) was developed in support of the "Common Enclosure" associated circuit issue. Based on the assessment of protective device/cable data collected, the following conclusions wvere drawn:

  • Fire initiated within a given fire arca will not propagate to another fire area as a result of fault-current-induced cable heating leading to ignition of cable insulation or adjacent combustibles.

v Enclosures containing safe shutdown cables may also contain cables originating from non-safe shutdown power sources. This calculation provides assurance that the design criteria applied in configuring the nion safe shutdown-related power sources have provided for adequate overcurrent protection for circuits originating from those sources.

  • The protective device selection criteria applied are adequate to preclude cable insulation self-ignition as a result of short-circuit or overload fault currents.

5.6 POSTULATED MULTIPLE HIGH-IMPEDANCE FAULTS 5.6.1 Basis As established by NRC Generic Letter 86-10, consideration shall be given to the potential occurrence of multiple, fire-induced, high-impedance faults on safe shutdown power sources. The concern is that a single fire may cause faults on multiple circuits connected to the same safe shutdown power source; each of these faults would (potentially) result in a fault current just below the value required to trip the branch circuit protective device.

Consequently, the total fault current resulting from the multiple uncleared faults would (potentially) exceed the trip setting of the protective device serving as the source/feeder to the panellbus/MCC in question, tripping the source offline and de-energizing safe shutdown components.

5.6.2 Mitigating Actions or Features Recovery from the postulated condition requires one of the following:

a. Demonstration that the loss of the safe shutdown power source (as the result of high-impedance faults) will not disable the safe shutdown capability, to the extent that a redundant source remains available.

240.201A Rev. 2 Page 48 of 65

b. Demonstration that a post-fire operating procedure is in place, providing for a methodical, sequential process of load shedding for safe shutdown power sources, to allow the clearing of postulated multiple faults, and resetting of source breakers, to reestablish power supplies to safe shutdown equipment.

5.6.3 Applicability/Effects on RBS Safe Shutdown Equipenent Operability The power sources credited for post-fire shutdowvni operation are summarized in Appendix C (RBS-SSD-LOG-218) of this criterion document. Although the occurrence of multiple hiigh-impedance faults is not considered credible (as described hereinl), the actions to be taken for recovery of safe shutdown lowver sources in the event of this fire-inLduced condition are definied as an integral prt of thos-fire Stdown shul-U prceCdurel-.

Active safe shutdown components designated for post-fire operation are selected in accordance with the Safe Shutdown Analysis, and the operation of these components is supported by AOP-0031 and AOP-0052. Accordingly, the availability of power sources supplying these components (where required) has been verified by analysis prior to crediting the operability of the safe shutdown components. In addition, through Calculations E-200, E-201 and G13.18.3.6*5, it has been demonstrated that branch circuits from each of the required sources are in fact coordinated with the main feeder breaker/fuse supplying the respective bus, MCC, or panel. Consequently, low-impedance faults on non-safe shutdown branch circuits will be cleared without affecting power source operability.

The potential for high-impedance arcing-type faults is acknowledged, with emphasis on 480V circuits, which are particularly susceptible to arcing-type faults. However, it is not clear that a technical basis exists for postulating the occurrence of faults of this type at the 120V AC/125V DC levels. Accordingly, the position is taken that:

1. 480V AC safe shutdown power sources are not subject to exposure to multiple high-impedance faults (by virtue of cable routing).
2. High-impedance faults are not credible at the 120V AC/125V DC voltage levels; although the postulated fault(s) may exhibit arcing-type effects momentarily, they will develop rapidly into low-impedance faults, generating sufficient current to ensure that the respective branch protective device is tripped.

However, as an additional measure of conservatism, the clearing of such faults on associated circuits which may affect safe shutdown will be accomplished by manual breaker trips in accordance with written procedures, where appropriate. Depending upon the severity and extent of the fire, some safe shutdown power sources listed in Appendix C (RBS-SSD-LOG-218) of this criterion document may be stripped of non-safe shutdown loads by tripping breakers feeding these loads, in accordance with Operations Section Procedure (OSP) 0019, "Electrical Bus Outages", Enclosure 316 (reference 2.19). In the event the safe shutdown power source has been tripped off line (feeder breaker has been 240.201A Rev. 2 Page 49 of 65

tripped) as the result of multiple high-impedance faults, all branch breakers on the affected source will be tripped, the feeder breaker will be reset, and the safe shutdowns loads will be sequentially re-energized by reclosing the appropriate breakers. By stripping non-safe shutdown loads in a systematic, comprehensive manner, assurance is provided that all potential high-impedance faults will be cleared, elinimnating the need for extensive troubleshooting during post-fire shutdown operation.

5.7 EFFECTS OF INADVERTENT FIRE SUPPRESSION SYSTEM ACTUATION Where it is determined that a single inadvertent sprinkler or water spray system actuation could affect redundant safe shutdown electrical equipment, an analysis is performncd to establish that safe shutdown could be achieved. The resultiang flood levels are verified to be loss tlhiai tLhC rCeqUircd Cquipncnt i ctoi olevCitiolls, nd drInp sliieldls trie ifu lilsodlid .\rc required to ensure continued operation of the equipment of at least one safety-related division. Table 5.7-1 lists assumptions, system number, equipment or area affected, floor area, fire water flow rate, and resulting water levels.

Based on the Table 5.7-1 data, the greatest conservatively calculated water depth in a Seismic Category I area is 9.5 in. Electrical cables are qualified including a water immersion test. Motor operated valves and instrumentation are located typically 4.5 ft.

above floors. Continuously operating motors for fans and pumps are located above the flood levels. Motors are totally enclosed and dripproof. For the above reasons inadvertent suppression system actuation does not prevent safe shutdown.

Inadvertent spray by the fire brigade was evaluated. The safe shutdown analysis shows that there is at least one method of safe shutdown located outside the fire area free of fire damage, or protected from fire and spray by an approved method.

The methodology used to determine the flooding level is as follows:

1. Determine flowrate from the sprinkler systems. This value can be obtained from the Stone and Webster Calculations filed under 7214.400-273 Series.
2. Mutiply the flow rate by a time factor of 10 minutes to obtain the total gallon flow into the areas. It is assumed the inadvertant actuation can be secured within this time frame.
3. Convert the flow amount to a cubic foot measurement utilizing a conversion faction of .1337 ft3 /gal.
4. Divide the flow amount (volume) by the room area. This will yield the water height.
5. Convert the final height to inches by mutiplying by 12in/Ilft.

240.201A Rev. 2 Page 50 of 65

TABLE 5.7-1 HEIGHT OF WATER IN THE EVENT OF ACTUATION OF THE FIRE SUPPRESSANT SYSTEM Assumptions

1. No credit is taken for floor drain systems.
2. No credit is taken for water spread through doors and openings.

Mannnl

3. hose system \w'ater flowsis not consider-ed.
4. Pads for equipment, sumps, and pits are not considered.
5. Water flow for filter protection is not considered.
6. For automatic sprinkler (AS) systems, except in turbine building, it is assumed that all sprinkler heads are open; in the turbine building, the maximum flow is based on 10,000-sq ft. area.
7. For pre-action automatic sprinkler (PS) systems, it is assumed that all sprinkler heads are open.
8. No credit is taken for spread of fire water from one sprinkler/spray system to another system.
9. Spray systems WS-3A through 3D for turbine building protection flow is less than 220 gpm and will spread over the entire building floor. Flooding is insignificant.
10. For nonhydraulically designed systems AS-4 and AS-5 in the radwaste and fuel buildings, respectively, it is assumed that 10 sprinkler heads will open (industrial experience), with an approximate flow of 330 gpm. Since systems AS-4 and AS-5 cover multiple floors in their respective buildings, 330 gpm is assumed for each floor.
11. Fire flow is assumed for 10 min.
12. System No. WS-20 is the water curtain on el 141'-0" of the auxiliary building. Height of water shown for actuation of this system is conservatively assumed to collect on auxiliary building el 70'-0".

240.201A Rev. 2 Page 51 of 65

Height of Water Due Fire-water to Fire-Floor Area Flow in water Flowv I tern System in ft. 2 gpm in Inches It0o. No. Equipment or Area (A)

. . (F)

. . (H)

I AS-1A Turbine building- Mezzanine north 18,760 1,309 1.1 fl el 95'-O" AS-lB Turbine building- Mezzanine south 18,264 2,945 2.6 fl cl 95'-O" 3 AS-2A Turbine building- Basement north 19,640 2,S66 2.3 el fl 67'-6" 4 AS-21B TUrbine building- Bascmect soutLl 20,70S 2,587 2.0 fl el 67'-6" 5 AS-3 Turbine building- Condensate pit 10,496 1,585 2.42 fl el 67'-6" 5 AS-4 Turbine building-baling area, laundry area, truck pit, and drum storage area fl el 106'-0" 1,534 336 3.5 fl el 136'-O" 1,000 336 5.4 I7 AS-5 Fuel building - new fuel receiving area fl el 70'-0" 2,664 336 2.0 fl el 95'-0" 1,508 336 3.6 fl el 113'-O" 2,880 336 1.9 8 AS-6A Control building- cable chases 1,710 414 3.9 fl el 116'-0" I9 AS-6B Control building- cable chases 1,710 296 2.8 fi el 98'-0" 10 AS-6C Control building- cable chases 2,421 525 3.5 fl el 70'-0" 11 WS-17 Turbine building- hydrogen seal oil 180 114 10.2 unit fl el 67'-6" 12 WS-I Turbine building- turbine oil storage 1,056 360 5.5 room fl el 67'-6" 13 WS-2 Turbine building- lube oil system 952 351 5.9 room fl el 95'-0" 14 WS-3A Turbine building- Turbine generator (See 220 Insignifi-240.201A Rev. 2 Page 52 of 65

Height of Water Due Fire-water to Fire-Floor Area Flowv in water Flowv Item System in fl.2 gpm ill Inches No. No. Equipment or Area (A) (F) (H) bearing Nos. I and 2 and oil piping Assump 9) cant (see fl cl 123'-6" Assumption 9) 15 WS-3B Turbine building- Turbine generator (See 143 Insignifi-bearing Nos. 3 and 4 and oil piping Assump 9) cant (see fi el 123'-6" Assumption 9) 16 WS-3C Turbine building- Turbine generator (See 143 Insignifi-bearing Nos. 5 and 6 and oil piping Assump 9) cant (see fl el 123'-6" Assumption 9) 17 WS-3D Turbine building- Turbine generator (See 72 Insignifi-bearing Nos. 7 and 8 and oil piping Assump 9) cant (see fl el 123'-6" Assumption 9) 18 WS-6A Control building-cable vault 720 244 5.4 flel70'-0" 19 WS-6B Control building- cable vault 1,280 210 2.6 fl el 70'-O" 20 WS-6C Control building- cable vault 2,950 1,103 6.0 fl el 70'-0" 21 WS-8A Cable tunnel 2,240 1,065 7.6 fl el 67'-6" 22 WS-8B Cable tunnel 2,000 1,264 10.1 fl el 67'-6" 23 WS-8C Cable tunnel 1,152 728 10.1 fl el 67'-6" 24 WS-8D Cable tunnel 2,728 1,430 8.4 fl el 67'-6" 25 WS-8E Cable tunnel 1,876 814 7.0 fl el 67'-6" 240.201A Rev. 2 Page 53 of 65

Height of Water Due Fire-vater to Fire-Floor Area Flowv in water Flowv Item System ill ft. 2 ,pm ill Inches No. No. Equipment or Area (A) (F) (H) 26 WS-SF Cable tunnel 1,792 869 7.S fl el 67'-6" 27 WS-SG Cable tunnel 1,408 606 6.9 n el 67'-6" 28 WS-8H Cable tunnel 4,800 1,393 4.7 fl el 70'-0" 29 WS-8I Cable tunnel 2,700 809 4.8 fl el 67'-6" 30 WS-8J Corr. tunnel 1,504 358 3.8 fl el 95'-0" 31 WS-8K Pipe tunnel 3,928 392 1.6 fl el 70'-O" 32 WS-8L Pipe tunnel 1,960 86 0.7 fl el 67'-6" 33 WS-8M Pipe tunnel 1,920 411 3.4 fl el 67'-0" 34 WS-8N Pipe tunnel 5,232 1269 3.9 fl el 67'-6" 35 WS-9A Main transf lMTX-XMI 2,204 867 6.3 36 WS-9B Main transf 1MTX-XM2 4,060 955 3.8 37 WS-1OA Preferred station service transformer 1,156 460 6.4 1RTX-XSRlA 38 WS-10C Preferred station service transformer 1,344 296 3.5 IRTX-XSRIC 39 WS-1 IA Normal station service transformer 748 268 5.7 ISTX-XNS1A 240.201A Rev. 2 Page 54 of 65

Height of Water Due Fire-water to Fire-Floor2 Area Flow in water Flow Item System. illnft. . gpi in Inches No. No. Equipment or Area (A) (F) (T-I) 40 WS-I lB Normal station service transformcr 1,156 299 4.2 I STX-XNS lB 41 WVS-1 C Normal station service transforner 1,156 222 3. 1 ISTX-XNS I C 42 WS-14A Normal switchgear building cable 2,520 2,316 14.7 vault fi el 67'-6" 43 WS-14B Normal switchgear building cable 2,772 2,316 13.4 vault fl el 67'-6" 44 WS-18A Transformer lRCS-XlA 288 134 7.5 45 WS-18B Transformer lRCS-XlB 364 134 5.9 46 WS-8AA Cable tunnel fl el 67'-6" 1,312 939 11.5 47 WS-8BB Cable tunnel fl el 67'-6" 3,000 1,014 5.4 48 PS-1 Auxiliary building RCIC pump 578 302 8.4 room fl el 70'-0" 49 PS-2A Diesel generator building 1,620 659 6.5 fl el 98'-0" 50 PS-2B Diesel generator building 1,459 631 6.9 fl el 98'-0" 51 PS-2C Diesel generator building 1,620 646 6.4 fl el 98'-0" 52 WS-19 Auxiliarybuilding 3,305 243 1.2 el 70'-0" 240.201A Rev. 2 Page 55 of 65

Height of Water Due Fire-water to Fire-Floor Area Flow in water Flow Item System in fl.2 gpllm ill Inches No. No. Equipment or Area (A) (F) (H) 53 WS-20 Auxiliary building 3,305 691 3.4 el 141'-O" (See Note 12)

REFERENCE

1. iMarked-llu) Drawing Nos. EB-3B, 3C, 3D, and 3E (located in S%\WEC lob File No. 214.10()
2. LEGEND WS - Water Supply AS - Automatic wet pipe sprinkler PS *- Preaction dry pipe system 240.201A Rev. 2 Page 56 of 65

5.8 COMMUNICATIONS There are several permanent communications systems installed throughout the plant:

1. COP Plant Paging and Public Address System (Gaitronics).
2. COS The Portable Intercom Jack System (intcrcom).
3. COT Standard Telephone.
4. The Distributed Antenna System (radio).

During a Main Control Room fire, the Gaitronics system is assumed to be lost because it is powered from IVBN-PNLOIBI which is located in the Main Control Room In this event, communication between the DIV I Remote Shutdown Room and the 141 East crescent area may be established using telephone ICOT-T232 located near the Aux building elevator and telephone ICOT-T30 in the shutdown room. Alternately, intercom jack ICOS-JK56 located in the shutdown room may be connected to any number ofjacks located in the Aux Building 141 East area including ICOS-JK244, JK281, JK243, and JK247. Such a connection can be niade using the switching equipment located in the Aux Control Room.

The Distributed Antenna System is not routed to the Main Control Room and is unaffected by a Main Control Room fire. Portable radios could still be used for communication between the Remote Shutdown Room anjd any plant location (except the Main Control Room or inside the Containment Building) in this event.

240.201A Rev. 2 Page 57 of 65

6.0 SHUTDOWN ANALYSIS METHODOLOGY 6.1 OVERVIEW This analysis was conducted in three phases. In the first phase, the functional capabilities of the plant systems were compared to the shutdown function requiremcnts, and a minimum set of components for which protection must be provided was definled. As part of this effort, the safe shutdown flow diagrams, logics and equipment list were developed.

In the second phase of the analysis, elementary diagrams for all required electrically operated components were analyzed to identify those cables critical to the operation of the component and/or capable of introducing a spurious actuation concern as the result of Fire-illIduCCed cable dainagc. 'Fic second phase is dtCa1iled In Appicidix E.

The third phase 3 of the analysis consisted of the generation of cable/component summary tables (Appendix B) by fire area and zone, using the information developed during Phases I and 2. For each area/zone the information was then analyzed to determine whether separation discrepancies existed, and a resolution was developed to disposition each discrepancy identified. The third phase is detailed in Appendix B.

6.2 PHASE 1: Component Selection and Flowpath Identification Criteria In this phase, the functional capability of the plant systems as described by their respective flow diagrams and system descriptions was compared to the functional requirements for safe shutdown discussed in Section 5.0 and a list was developed to identify the systems and equipment that must be protected in order to ensure safe shutdown. Components in the flow paths that require operation/repositioning to allow the system to function, and components which could spuriously operate and impair safe shutdown were identified.

Although the shutdown functional requirements served as the primary basis for the selection of shutdown components, other factors were also considered. These factors served as both supplemental selection criteria and as guidance in the development of recommended modifications. The considered factors follow.

  • Power Source As a result of the assumed plant condition of a sustained loss of off-site power, it was necessary to select components that could be powvered by on-site power sources. Fire Area PT-I is an exception to this criteria. The use of off-site power arid the Normal Service Water subsystem is credited in this area only.

240.201A Rev. 2 Page 58 of 65

. Redundancy Redundant Shutdown methods using different combinations of on-site power sources wvere developed and credited on an area by area basis depending upon the fire damage which could occur in the area.

As the flow paths for each shutdown function were finalized, a second analysis was conducted to identify any components, inClUdilng those not direCtly ill thie flOw paIth, whose spurious operation could disnipt the shutdown function. The concern was that spurious operation could result in one or more of the following:

  • A diversion of flow.

A blockage of low.

  • An uncontrolled cooldown.
  • An uncontrolled loss of reactor coolant/depressurization.
  • A release of radioactive liquid or gas in excess of I OCFRO00 limits.
  • An uncontrolled increase in the reactor water level A third level of analysis was then conducted to define the need for support services among the components selected and to identify the components required to provide these services.

The services considered were cooling water, HVAC, electrical power, and fuel oil.

Components identified as required to support post-fire safe shutdown are considered in the Safe Shutdown Equipment List (SSEL) contained in Appendix C and identified in the Plant Data Management System (PDMS) to aid in the tracking and sorting of data related to the selected shutdown components. PDMS consolidates in a single document information about the component that is normally found scattered among a variety of plant design documents.

For each component the following fields exist in PDMS:

  • Component number.
  • Component name/description.

Whether component is required for hot shutdown and/or cold shutdown operation.

Normal power source, whether electrical motive power is supplied or device is air operated.

  • Alternate power source.
  • Control power source.
  • Alternate control power source.
  • Fire area in which the component is located.
  • Pre-fire normal operating position or status of the component.
  • Post-fire required operating position or status of the component.

240.201A Rev. 2 Page 59 of 65

  • Whether the component is considered to be active or passive.
  • Whether the component is subject to potential spurious actuation effects that could adversely affect shutdown operations.
  • Wlhetlher the component (v alvec) is nornially locked in the rcquLirCd position.
  • Whether the component requires direct 1an11uill Oj)cratiOll (c.,., motor operalcd valve handwheel operation) followving a postulatcd fire.
  • Applicable reference docutmrents.

6.2.1 Safe Shutdown Equipment List Criteria The criteria utilized to select components %withina selected safe shutdown systemil, identified ill SectionI 5.4, whVich irillict tlimC abil ity of thle system [V accoIlliplisln its sa li shutdLloNvnI fuLnction is described in Appendix C.

6.2.2 10CFR50 Appendix R Safe Shutdown Logic Diagrams The IOCFR50 Appendix R Safe Shutdown Logic Diagrams for the required systems were developed. This series of Logic Diagrams includes System and Component Level Logic Diagrams. The System Logic depicts the plant system relationships necessary to achieve post-fire safe shutdown. Each identified system is modeled on Component Logic Diagrams. The methodology used to develop these logic diagrams is contained in Appendix C.

6.3 PHASE 2: Electrical Cable Identification, Location of Components and Routing of Cables 6.3.1 Component and Elementary Diagram Selection On completion of Phase 1, the SSEL was reviewed to identify all safe shutdown components provided with any electrically operated functions. Components identified by this review included:

  • Pumps

. Fans

  • Motor-operated valves
  • Pilot solenoid-operated, air-operated valves
  • Instrument loops and cabinets
  • Electrical buses, motor control centers, and distribution panels For each component identified as electrically operated or having an electrical interface, the applicable RBS drawings and documents were obtained for further analysis.

240.201 A Rev. 2 Page 60 of 65

6 3.2 Cable Selection Criteria and Failure Modes Considered 6.3.2.1 Initial Cable Screening and Identification Initial cable screcning criteria and identification of safc shultdown cables is 1-c^sentdcd in Appendix E. Associated circuits of the "common power source" and "common enclosure" categories arc fully addressed in Calculations G13.lS.3.6*5 and GI3.1S.3.6*07 respcctively.

6.3.2.2 Raceway and Fire Area/Zonc Routin-For each electrical circuit, a11l circuit cables rCquired ror the coniponent to pCrforni :is required were identificd as being lAppendix R (sale slutdown) aind identifled ill the Plant Data Base Management System (PDMS). PDMS was utilized to identify physical routing of individual cables. The fire area/zone for safe shutdown raceways and components were identified by utilizing the RBS electrical raceway drawings along with Fire Area/Zone maps. This information was compiled to produce the Appendix R Fire Area Compliance Assessments (Appendix B).

Plant walkdowns were performed as needed to verify the location of the safe shutdown components and raceways as stated in PDMS.

6.4 PHASE 3: Analysis of Cable-Component Fire Area/Zone Tabulations 6.4. 1 Overview The cable and component data compiled in Phases 1 and 2 of this analysis were integrated to produce the cable-component fire area/zone summary tables (Appendix B), which provided the basis for the separation analysis. The objective of the analysis is to establish the adequacy of safe shutdown equipment protection by installed passive and active fire protection features. This analysis attempted to the extent possible to minimize reliance on installed thermal fire barrier enclosures. Several changes were made to the previous RBS Appendix R compliance strategy as documented in Revision 1 to this document to enhance the analysis and reduce the reliance on Thermo-Lag fire barrier raceway enclosures. Refer to Reference 2.29 for identification of previously identified Appendix R raceways and cables credited as protected by a Thermo-Lag fire barrier enclosure and the proposed options to eliminate the need for' such protection. The changes are discussed in the following paragraphs.

240.201 A Rev. 2 Page 61 of 65

6.4.1.1 Fire Area Consolidation Numerous fire areas adjacent to each other employed the iden tical safe shlltdown methodology. Accordingly, these areas were consolidated into a sillelc arca.

Fire Areas Consolidated Fire Area C-IS, C-26 C-l S C-19, C-23 C-19 C-20, C-21 C-21 C-IA, C-IB, C-IC C-I C-2A, C-2B, C-2C C-2 FD- I ,FP3-4 F71B-lI Fire Area C-13 employed redundant trains of safe shutdown systems on opposite sides of the area. Therefore, this area was divided into two fire zones, C-13E and C-13W.

6.4.1.2 Standby Service Water (SSW) Subsystem Configuration Substantial Thermo-Lag fire barrier raceway protection had been provided in Fire Areas C-2, C-6 and C-14 to ensure the availability of the Division III electrical distribution system for the sole purpose to supply power to one of the two Division I SSV pumps (1SWP*P2C). Therefore, a Division I SSW subsystem configuration was identified to support safe shutdown with only one SSW pump thereby eliminating the need for the Division m electrical distribution system. This configuration was also used in Fire Areas C-1, C-5 and C-21 to eliminate the manual action for these areas to supply SSW cooling for the Division III Diesel Generator Heat Exchanger, IE22*SOO1.

6.4.1.3 Fire Area C-17 Compliance Strategy It was determined that for a fire in this fire area, Control Room HVAC would be lost.

Therefore, the safe shutdown compliance methodology was changed to incorporate the need to evacuate the Control Room after a given time period and continue shutdown from areas outside the Control Room. Thus, this area became subject to the separation criteria of Appendix R Section Ill.G.3 and III.G.L.

6.4.1.4 Safe Shutdown Functions Drywell Temperature Monitoring and Spent Fuel Pool Cooling, Drywell Cooling were determined not to be required for safe shutdown. Refer to Appendix C.

6.4.1.5 Fire Area PT-I The Normal Service Water (NSW) subsystem and Off-site Power were credited to achieve post-fire safe shutdown in this area. Reference 2.27 documents the results of an "exclusionary" analysis which demonstrated the viability of utilizing these systems. This 240.201A Rev. 2 Page 62 of 65

option was pursued because in the previous Appendix R compliance strategy, as documented by Rev. I to this document, a significant quantity of Thermo-Lag fire barrier raceway protection had been afforded in this fire area to cnsure that the SS\' subsystcem was available. It should be noted that due to the methodology) cmilployed by Rcferciicc 9.27, the results arc applicable to safe shutdowv n followving, a Fire inl FirC area PT- I onily.

6.4.2 Safe Shutdown Equipment Protection The criteria used for evaluation of shutdowvn equipment separation/protcction arc those set forth in 10CFR50, Appendix R.Section III.G, which arc reproduced here for reference.

6.4.2.1 Equiplmenit Outside Contai11nmenCt For fire areas outside of primary containment, one of the following means of Censuring that no more than one of the redundant trains is damaged by a single fire shall be provided:

1. Separation by cables and equipment and associated non-safety circuits of redundant trains of a fire barrier having a three-hour rating. Structural steel forming a part of or supporting such fire barriers shall be provided with fire resistance equivalent to that required of the barrier; or
2. Separation of cables and equipment and associated non-safety circuits of redundant trains by a horizontal distance of more than 20 feet with no intervening combustibles or fire hazards. In addition, fire detectors and an automatic fire suppression system shall be installed in the fire area; or
3. Enclosure of cable and equipment and associated non-safety circuits of one redundant train in a fire barrier having a one-hour rating. In addition, fire detectors and an automatic fire suppression system shall be installed in the fire area.

6.4.2.2 Equipment Inside Containment Inside the containment, one of the fire protection means specified above or one of the following fire protection means shall be provided:

1. Separation of cables and equipment and associated non-safety circuits of redundant trains by a horizontal distance of more than 20 feet with no intervening combustibles or fire hazards; or
2. Installation of fire detectors and an automatic fire suppression system in the fire area; or
3. Separation of cables and equipment and associated non-safety circuits or redundant trains by a noncombustible radiant energy shield.

240.201A Rev. 2 Page 63 of 65

6.4.3 Analvtical Procedure Following comipletion of the safc shutdowvn circuit analyses and comnpilation of data, the information was integrated to form the Fire Area *Compliatncc Assessment tables

(;Appcnldix B). The infornmationi was u1patcd to inlcluCdC insllltrLUment tubinll. Atc  !; G was used to identify the instrument tubing fire area routing. Instruments affected by their tubing were identified in the "Componenlt/PS/Inst. Tubing" columni by the word "Tubing".

The density changes of the fluid contained in the tubing caused by a fire may cause erroneous indication and control signals. Therefore, the impact of this fire induced phicnoiCenon was also considered in the compliance assessment.

The tables wecrc also updated to rCaLily idles i f th9osC compon1)0olzntls which nrd physicall.

located in a fire area. The word "Componient" was listed in the "Comiponient/TS/Inst.

Tubing" column when the component was physically located in the fire area.

6.4.3.1 Compliance Assessment Process An analysis package was prepared for each fire area reviewed. Each package consisted of the compiled Appendix R information (Compliance Assessment Tables in Appendix B) sorted by Logic Diagram and a complete set of the Safe Shutdown Logic Diagrams in Appendix C. The following information is presented on the Complialncc Assessment Tables for each affected component in a given fire area:

  • Equipment ID- Equipment associated with cables located in the fire area
  • Equipment Description- PDMS description of Equipment ID
  • Fire Zone- Physical location of Equipment ID
  • Cable Number- Identification of safe shutdown cables located in the fire area
  • Component/PS/Inst. Tubing- Identification of equipment, equipment power supply (PS) or instrument tubing affected in fire area

. CS Code- Compliance Strategy identification code regarding similiar compliance strategies

  • Compliance Strategy- Disposition of affected component/system regarding compliance with Appendix R safe shutdown separation criteria (redundant available, manual action, separation etc.)

The Logic Diagrams were used in conjunction with the Appendix R component and cable information to identify the available (unaffected) safe shutdown system or Division success paths which could be relied upon to accomplish post-fire safe shutdown, in the fire area.

The desired electrical distribution Division(s) (Divisions I and m or II) was (were) identified as the least affected Division(s), consistent with the available Divisions for other safe shutdown systems. Electrical Distribution Division m cannot by itself support post-fire safe shutdown. The Compliance Assessment Table was updated to identify components which were affected by fire induced damage to their respective power supply, but only for components within the available or credited safe shutdown systems or Divisions. The affected power supply was listed in the "Component/PS/Inst. Tubing" 240.201 A Rev. 2 Page 64 of 65

column. Thus, the impact of power supply failure on the available safe shutdown systems or Divisions was assessed. Passive and fail safe components wvele not considered to be adveresly affected by power supply losses.

The compliance assessement initially assumned fire indutced damage to all cables in tlie Fire area which would either render the affected components inoperable or cause spurious operation as bounded by Appendix A. Accordingly, a compliance strategy was entered into the appropriate column to disposition the component and/or system losses. It should be noted that more than one compliance strategy may be applicable to a given component or system. To maintain consistency regarding comipliancc stratcgy application, compliance strategy (CS) codes were developed. The various CS codes are summarized below. It shlould bI noted thlart not afll oftlhz f;loiag *.odolc:c Ils-cd.

CS Code ApLplicabilit\

CS-lA Redundant success path/component available for a single performance goal CS-lB Power supplies within the credited Electrical Distribution System CS-IC Components used to satisfy multiple performance goals CS-2A Component available following operation of the Remote Transfer Switch CS-2B Component which provides an automatic control function which is bypassed following operation of the Remote Transfer Switch CS-3 Outside containment 20 foot separation CS-4 Cold shutdown repairs CS-5 Components excluded from fire damage through a deviation CS-6 Intra-area thermal fire barrier enclosure CS-7 Intra-area thermal fire barrier enclosure for which a plant modification has been identified which will alleviate the need for the enclosure CS-8 Inside containment 20 foot separation CS-9 Inside containment non-combustible radiant energy shield CS-lo Manual valves and passive valves (no cables in area)

CS-i1 Valves administratively maintained in required position (locked open/closed, breaker racked out, etc.)

CS-12 Circuit analysis reveals cable damage will not affect safe shutdown CS-13 Safe shutdown Auto-initiation signal CS-14 Loss of component within credited system M-1 Manual action of motor operated valve M-2 Manual action of AOVs, dampers, solenoid valves M-3 Local operation of a pump NA-i PDMS data field links erroneously identify cable routed in the Fire Area.

The available components and systems to achieve safe shutdown and required manual actions were then listed in the summary table for each fire area analyzed in Appendix B.

240.201A Rev. 2 Page 65 of 65

Retrieved from "https://kanterella.com/w/index.php?title=ML041170375&oldid=2683948"