ML083110485

Draft Rg 1.189 Chapter 5 and Glossary

Site: Nuclear Energy Institute
Issue date: 10/16/2008
From: Brian Metzger, NRC/NRR/DRA/AFPB
To: Klein A, NRC/NRR/DRA/AFPB
Shared Package: ML083110683
References: RG-1.189

5. Safe-Shutdown Capability

When considering the consequences of a fire in a given fire area during the evaluation of safe-shutdown capabilities of the plant, it should be demonstrated that one success path of SSCs that can be used to bring the reactor to hot shutdown/standby conditions remains free of fire damage. It should also be demonstrated that fire damage to one success path of SSCs needed for achieving cold shutdown will be limited so that a success path will be returned to an operating condition within 72 hours, or for areas requiring alternative or dedicated shutdown, the licensee should demonstrate that cold shutdown capability can be restored and cold shutdown achieved within 72 hours. For reactor designs that cannot safely remain in hot standby/shutdown for 72 hours, it should be demonstrated that a cold shutdown condition can be achieved and maintained within the required period of time.

For existing reactor plants, the success path should be capable of meeting Regulatory Positions 5.1 or 5.2 of this guide and performing the necessary shutdown functions. The capability of the required shutdown functions should be based on a previous analysis, if possible (e.g., those analyses in the FSAR). The equipment required for alternative or dedicated shutdown should have the same or equivalent capability as that relied on in the above-referenced analyses.

The FPP should include an analysis to demonstrate that the SSCs important to safety can accomplish their respective post-fire safe-shutdown functions. The safe-shutdown analysis should demonstrate that redundant safe-shutdown systems and components, including electrical circuits for which fire-induced failure could prevent safe shutdown, remain free of fire damage in the event of postulated fires.

This protection should be provided by fire barriers, physical separation with no intervening combustibles, and/or automatic detection and suppression, as required by applicable regulations.

Where one redundant success path cannot be adequately protected, an alternative or dedicated shutdown success path should be identified and protected to the extent necessary to ensure post-fire safe-shutdown.

The safe-shutdown analysis for new reactor designs must demonstrate that safe shutdown can be achieved, assuming that all equipment in any one fire area (except for the control room and containment) will be rendered inoperable by fire and that reentry into the fire area for repairs and operator actions is not possible. (See Regulatory Position 8.2 of this guide.) Consequently, new reactors should not credit physical separation or local fire barriers (e.g., electrical raceway fire barrier systems) within these fire areas as providing adequate protection. The control room is excluded from this approach, provided that the design includes an independent alternative shutdown capability that is physically and electrically independent of the control room. New reactors must provide fire protection for redundant shutdown systems in the reactor containment building that will ensure, to the extent practicable, that at least one post-fire shutdown success path will be free of fire damage.

The safe-shutdown analysis should evaluate a fire in each fire area containing SSCs important to safety and identify a post-fire safe-shutdown success path. The analysis also identifies all fire-induced circuit failures that could directly or indirectly (e.g., by causing a spurious actuation) prevent safe shutdown.

October 16, 2008 DRAFT FOR INFORMATION 1

5.1 Post-Fire Safe-Shutdown Performance Goals

Licensees should ensure that fire protection features are provided for SSCs important to safe shutdown that are capable of limiting fire damage so that one success path necessary to achieve and maintain hot shutdown conditions from either the control room or emergency control station(s) is free of fire damage.

The post-fire safe-shutdown performance goal is that the plant achieve and maintain hot shutdown or hot standby as defined by the technical specifications. Section III.L of Appendix R provides the following specific performance goals to achieve the post-fire safe-shutdown goals for alternative/dedicated shutdown capability in accordance with Section III.G.3 of Appendix R:

a. The reactivity control function should be capable of achieving and maintaining cold shutdown reactivity conditions.
b. The reactor coolant makeup function should be capable of maintaining the reactor coolant level above the top of the core for boiling-water reactors (BWRs) and within the level indication of the pressurizer for pressurized-water reactors (PWRs).
c. The reactor heat removal function should be capable of achieving and maintaining decay heat removal.
d. The process monitoring function should be capable of providing direct readings of the process variables necessary to perform and control the above functions.
e. The supporting functions should be capable of providing the process cooling, lubrication, and other activities necessary to permit the operation of the equipment used for safe-shutdown functions.

GL 81-12 (Ref. 13) describes the systems and instrumentation that are generally necessary for achieving post-fire safe-shutdown for existing PWRs and BWRs. The systems and instrumentation required for specific plants are included in the plant licensing basis, and the operating parameters that determine post-fire safe-shutdown are included in the plant Technical Specifications.

5.2 Fire Protection of Safe-Shutdown Capability

The post-fire safe-shutdown analysis must ensure that one success path of shutdown SSCs remains free of fire damage for a single fire in any single plant fire area. The NRC acknowledges Chapter 3 of the industry guidance document NEI 00-01 when applied in conjunction with the information below. All circuits for which fire-induced failure could prevent safe shutdown by affecting components important to safe shutdown must be addressed in the analysis, and appropriate protection must be provided.

5.2.1 Identification and Evaluation of Post-Fire Safe-Shutdown Circuits

There are two classifications of equipment important to safe shutdown in the plant during and following a fire. The first is described below in section 5.2.1.1 as the success path of systems necessary to achieve and maintain hot shutdown conditions. This equipment is a subset of the second and more general set of structures, systems and components important to safe shutdown described in section 5.2.1.2. This does not include circumstances in which alternative or dedicated shutdown systems are required. Alternative or dedicated shutdown is discussed in Section 5.3 below.

The post-fire safe-shutdown circuit analysis must address all possible fire-induced failures that could affect the safe shutdown success path, including multiple spurious actuations.

Although some licensees have based this analysis on the assumption that multiple spurious actuations will not occur simultaneously or in rapid succession, cable fire testing performed by the industry has demonstrated that multiple spurious actuations occurring in rapid succession (without sufficient time to mitigate the consequences) may have a relatively high probability of occurring, based on multiple factors including cable insulation/jacketing materials and cable configurations. The success path SSCs and the components important to safe shutdown must be protected from fire damage so that the capability to safely shut down the plant is ensured.

5.2.1.1 Protection for Safe Shutdown Success Path

For the success path of systems necessary to achieve and maintain hot shutdown conditions, fire barriers or automatic suppression, or both, should be installed as necessary to protect redundant systems or components necessary for safe shutdown. Except in those circumstances in which alternative or dedicated shutdown systems are required, or where equipment or cables (including electrical circuits that could prevent operation or cause maloperation due to hot shorts, open circuits, or shorts to ground) of redundant success paths necessary to achieve and maintain hot shutdown conditions are located within the same fire area outside of primary containment, the licensee should provide for currently operating reactor plants one of the following means of ensuring that one of the success paths (of SSCs for hot shutdown) is free of fire damage (Regulatory Position 8.2 of this guide provides the protection requirements for redundant post-fire safe-shutdown success paths in new reactor plants):

a. Separation of redundant post-fire safe-shutdown success paths by a fire barrier having a 3-hour rating should be achieved. Structural steel forming part of or supporting the fire barrier should be protected to provide fire resistance equivalent to that of the barrier.
b. Separation of redundant post-fire safe-shutdown success paths by a horizontal distance of more than 6.1 m (20 ft) with no intervening combustible or fire hazards should be achieved. In addition, fire detectors and an automatic fire suppression system should be installed in the fire area.

Insulation of electrical cables, including those with fire-resistive coatings, should be considered as intervening combustibles in other than negligible quantities (i.e., isolated cable runs) as determined by engineering and fire hazards analysis. Cables in conduit are not considered intervening combustibles.

c. Enclosure of one redundant post-fire safe-shutdown success path in a fire barrier having a 1-hour rating should be achieved. In addition, fire detectors and an automatic fire suppression system should be installed in the area where the fire is postulated.

In meeting the provisions of items b and c above, the installation of fire suppression and detection in a fire area should be sufficient to protect against the hazards of the area. In this regard, detection and suppression providing less than full area coverage may be evaluated as adequate to comply with the regulation. (See Regulatory Position 1.8.3.)


Inside non-inerted containments, the licensee should provide fire protection that is in accordance with the criteria above or as specified in Regulatory Position 6.1.1 of this guide.

For this classification of equipment, there is no allowance for manual actions, or methods other than combinations of options above. See section 5.2.1.3 for a discussion of examples of types of equipment that are included in this classification.

For plants licensed before January 1979, the methods described below under section 5.2.1.2 are not available for the protection of the safe shutdown success path without the approval of an exemption under 10 CFR 50.12. For pre-1979 licensees, a staff decision in an SER that approves the use of operator manual actions, in lieu of one of the means specified in Section III.G.2 of Appendix R, does not eliminate the need for an exemption. Pre-1979 licensees that have SERs, but not a corresponding exemption that approves operator manual actions, must request an exemption under 10 CFR 50.12, citing the special circumstances of 10 CFR 50.12(a)(2)(ii); citing the SER as the safety basis; and confirming that the safety basis established in the SER remains valid.

If permitted by the plant license, plants that were licensed after January 1979 may credit protection other than a., b., and c. above if it can be shown that the use of the protection does not adversely affect safe shutdown. Additional ways of demonstrating protection are provided in section 5.2.1.2 below. Note that the omission or elimination of these capabilities in an area containing SSCs (including circuits) important to safety may be considered an adverse effect on safe shutdown since it would reduce, at a minimum, fire protection defense-in-depth.

Where an adverse effect on safe shutdown would occur due to a reduction in the protection discussed above, a license amendment should be submitted to the NRC for review and approval.

5.2.1.2 Protection for Components Important to Safe Shutdown

The same prescriptive requirements as listed in Section 5.2.1.1 do not apply to the broader category of structures, systems and components, including circuits, important to safe shutdown.

The protection options available as part of 5.2.1.1 are also available but not required for the protection of the components important to safe shutdown. For example, manual actions and fire modeling analysis may be used to demonstrate safe shutdown capability for the components important to safe shutdown that are not part of the safe shutdown success path.

5.2.1.2.1 Operator Manual Actions

When one of the safe shutdown success paths in a fire area is maintained free of fire damage by one of the specified means in section 5.2.1.1, then the use of operator manual actions, or other means necessary, to mitigate fire-induced operation or maloperation of the second success path may be considered in accordance with the licensee's FPP and license condition, because the safe shutdown success path is protected. Operator manual actions may also be credited when alternative or dedicated shutdown capability is provided as described in section 5.3 below.


All post-fire operator manual actions should be feasible and reliable. NUREG-1852 (Ref. 48) provides technical bases in the form of criteria and technical guidance that should be used for justifying that operator manual actions are feasible and can reliably be performed under a wide range of plant conditions that an operator might encounter during a fire. The use of feasible and reliable manual actions alone may not be sufficient to address all levels of defense-in-depth. Therefore, fire prevention, detection, and suppression should be considered in addition to operator manual action feasibility and reliability.

Because the fire protection requirements, including the protection of safe-shutdown capability and the prevention of radiological release, can be integrated in the planning and design phase, a new reactor plant should have minimal reliance on operator manual actions and alternative/dedicated shutdown systems (protection for fires in the main control room will require alternative shutdown capability).

5.2.1.2.2 Fire Modeling

Section 1.8.7 of this Regulatory Guide provides information regarding fire modeling.

When fire modeling is used to demonstrate that components important to safe shutdown are protected from fire damage, the analysis should consider in situ and transient fire sources in the area and all targets that involve components important to safe shutdown. The fire models should be used within the bounds of their capability. The fire modeling analysis should show that the components important to safe shutdown will not be affected by the largest expected fire, considering expected room configurations (doors open, closed, etc.). In addition, the analysis should include safety margin in the form of effective automatic suppression in the fire area, significant margin between the expected fire and the damage threshold of the target, or other appropriate margin.


5.2.1.3 Examples of Safe Shutdown Success Path Components and Components Important to Safe Shutdown

The following table provides general examples of which components should be considered part of the safe shutdown success path, and which are components important to safe shutdown.

Safe Shutdown Success Path Components:
- The reactivity control function shall be capable of achieving and maintaining cold shutdown reactivity conditions. (10 CFR 50, Appendix R, III.L)
- The reactor coolant makeup function shall be capable of maintaining the reactor coolant level above the top of the core for BWRs and be within the level indication in the pressurizer for PWRs. (III.L)
- The reactor heat removal function shall be capable of achieving and maintaining decay heat removal. (III.L)
- The process monitoring function shall be capable of providing direct readings of the process variables necessary to perform and control the above functions. (III.L)
- The supporting functions shall be capable of providing the process cooling, lubrication, etc., necessary to permit the operation of the equipment used for safe shutdown functions. (III.L)
- Significant diversion paths from the flow path (full flow, bypass)
- A common power source with the alternative shutdown equipment, where the power source is not electrically protected from the post-fire shutdown circuit of concern by coordinated circuit breakers, fuses, or similar devices (Generic Letter 81-12)
- A common enclosure (e.g., raceway, panel, junction box) with alternative shutdown cables that is not electrically protected from the post-fire shutdown circuits of concern by circuit breakers, fuses, or similar devices (Generic Letter 81-12)
- Power supplies

Components Important to Safe Shutdown:
- Supply tank spurious drain or bypass
- RHR-type valves, when not part of the safe shutdown success path
- HVAC systems
- PORVs and SRVs, when not part of the safe shutdown success path
- Spurious start of equipment not relied upon for the safe shutdown success path, which could cause overfill conditions
- Small diversion paths from the flow path (sample lines, instrument taps, drain valves) that could not affect the safe shutdown success path
- A connection to circuits of equipment whose spurious operation will adversely affect the shutdown capability, e.g., RHR/RCS isolation valves (Generic Letter 81-12)

5.2.2 High/Low-Pressure Interface

The licensee should evaluate the circuits associated with high/low-pressure interfaces for the potential to adversely affect safe shutdown. For example, the residual heat removal (RHR) system is generally a low-pressure system that interfaces with the high-pressure primary coolant system. Thus, the interface most likely consists of two redundant and independent motor-operated valves. Both of these two motor-operated valves and their power and control cables may be subject to damage from a single fire. This single fire could cause the two valves to spuriously open, resulting in an interfacing system loss-of-coolant accident (LOCA) through the subject high/low-pressure system interface. To ensure that this interface and other high/low-pressure interfaces are adequately protected from the effects of a single fire, the licensee should perform an evaluation, as follows:

a. Identify each high/low-pressure interface that uses redundant electrically controlled devices (such as two series motor-operated valves) to isolate or preclude rupture of any primary coolant boundary.
b. For each set of redundant valves identified, verify that the redundant cabling (power and control) has adequate physical separation as stated by Regulatory Position 5.3 or 6.1.1.1 of this guide, as applicable.
c. Where adequate separation is not provided, demonstrate that fire-induced failures (multiple hot shorts, open circuits, and shorts to ground) of the cables will not cause maloperation and result in an interfacing systems LOCA.

5.3 Alternative and Dedicated Shutdown Capability

5.3.1 General Guidelines

Appendix R to 10 CFR Part 50 (Ref. 1) defines alternative shutdown capability as being provided by rerouting, relocating, or modifying existing systems, whereas dedicated shutdown is defined as being provided by installing new structures and systems for the function of post-fire shutdown. Since post-fire repairs cannot be credited for achieving and maintaining hot shutdown, the licensee should implement the required rerouting, relocating, or modifying of the existing system for alternative shutdown capability in existing plants when the need for additional alternative shutdown capability is identified.

Where alternative or dedicated shutdown capability is required, the licensee should provide fixed fire suppression and detection for the fire area/zone containing the redundant success paths (detection and suppression are not necessarily required for the area/zone containing the alternative/dedicated shutdown system except where required by the fire hazards analysis).

The safe-shutdown analysis must demonstrate that alternative or dedicated shutdown systems, components, including electrical circuits, necessary to achieve and maintain hot shutdown are free of fire damage and capable of performing the necessary safe-shutdown functions or prevented from causing actions that prevent safe shutdown.

The alternative/dedicated shutdown capability for specific fire areas may be unique for each such area, or it may be one unique combination of systems for all such areas. In either case, the alternative shutdown capability should be independent of the specific fire areas and should accommodate post-fire conditions when offsite power is available and when offsite power is not available for 72 hours. The licensee should provide procedures to implement the alternative/dedicated shutdown capability, as described in Regulatory Position 5.5 of this guide.

5.3.2 Associated Circuits of Concern

When alternative or dedicated shutdown systems are credited for achieving post-fire safe-shutdown, a specific category of circuits has been defined (referred to as "associated circuits of concern") and acceptable approaches to mitigating the consequences of fire-induced failure of these circuits have been identified. These circuits are nonsafety or safety circuits that could adversely affect the identified shutdown equipment by feeding back potentially disabling conditions (e.g., hot shorts or shorts to ground) to power supplies or control circuits of that equipment and should be evaluated. Such disabling conditions should be prevented to provide assurance that the identified safe-shutdown equipment will function as designed.

Associated circuits of concern are defined as those cables (safety-related, nonsafety-related Class 1E and non-Class 1E) outside containment that have a physical separation less than that specified in Regulatory Positions 5.3.a–c of this guide (or less than that specified in Regulatory Position 6.1.1.1 for cables inside a non-inerted containment), and have one of the following:

a. a common power source with the shutdown equipment (redundant or alternative) that is not electrically protected from the circuit of concern by coordinated breakers, fuses, or similar devices
b. a connection to circuits of equipment that would adversely affect the shutdown capability if spuriously operated (e.g., RHR/reactor coolant system isolation valves, automatic depressurization system valves, power-operated relief valves, steam generator atmospheric dump valves, instrumentation, steam bypass)

For consideration of spurious actuations, the licensee should evaluate all possible functional failure states, that is, the component could be energized or deenergized by one or more circuit failure modes (i.e., hot shorts, open circuits, and shorts to ground).

Therefore, valves could fail open or closed, pumps could fail running or not running, or electrical distribution breakers could fail open or closed. For three-phase ac circuits, the probability of getting a hot short on all three phases in the proper sequence to cause spurious actuation of a motor is considered sufficiently low as to not require evaluation except for any cases involving high/low-pressure interfaces. For ungrounded dc circuits, if the licensee can show that at least two hot shorts of the proper polarity without grounding are required to cause spurious actuation, no further evaluation is necessary except for any cases involving high/low-pressure interfaces.

Hot short conditions are assumed to exist until action has been taken to isolate the circuit from the fire area or other actions as appropriate have been taken to negate the effects of the spurious actuation.

c. a common enclosure (e.g., raceway, panel, junction) with the shutdown cables (redundant or alternative) that (1) is not electrically protected by circuit breakers, fuses, or similar devices, or (2) will allow propagation of the fire into the common enclosure

5.3.3 Protection of Associated Circuits of Concern

The shutdown capability may be protected from the adverse effect of damage to associated circuits of concern by the separation and protection guidelines of Regulatory Position 5.2 of this guide (or Regulatory Position 6.1.1.1 for cables inside a non-inerted containment) or, alternatively, by the following methods as applied to each type of associated circuit of concern. Which part of Section 5.2 applies depends on whether the affected equipment is part of the safe shutdown success path or is a component important to safe shutdown. Where the safe shutdown success path is affected, protection should meet section 5.2.1, and where components important to safe shutdown could be affected, protection should meet section 5.2.2.

5.3.3.1 Common Power Source

Coordination between the load fuse/breaker and the feeder fuse/breaker (i.e., the interrupting devices) may be necessary to prevent loss of the redundant or alternative shutdown power source. IEEE Standard 242, "IEEE Recommended Practices for Protection and Coordination of Industrial and Commercial Power Systems" (Ref. 123), provides detailed guidance on achieving proper coordination.

To ensure that the coordination criteria are met, the following should apply:

a. The time-overcurrent trip characteristic of the interrupting device (breaker or fuse) of the associated circuit of concern should, for all circuit faults, cause that interrupting device to interrupt the fault current before initiation of a trip of any upstream interrupting device that would cause a loss of the common power source.
b. The power source should supply the necessary fault current for sufficient time to ensure the proper coordination without loss of function of the shutdown loads.
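As an added illustration (not part of this draft guide or of IEEE 242), the following Python script applies criteria a and b above to a constructed pair of devices: it sweeps an assumed range of available fault currents, models each device's time-overcurrent characteristic with the IEC 60255 standard-inverse curve, and flags every fault current at which the load device would not clear before the feeder device begins to trip, or at which the source could not sustain the fault long enough for the load device to clear it. All pickup settings, time multipliers, clearing times, the coordination time interval (CTI) and the source withstand time are constructed assumptions; the second load device shows how a time multiplier set too slow passes at low fault current but fails at high fault current, which is why the check must cover all credible faults.

```python
"""Time-overcurrent coordination check for an associated circuit of concern.

Added example, not part of RG 1.189. Models the load interrupting device on
an associated circuit and the upstream feeder device whose trip would drop the
common shutdown power source, using the IEC 60255 standard-inverse curve.
All settings, fault currents and margins are constructed assumptions.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class InverseTimeDevice:
    """Inverse-time overcurrent device (breaker trip unit, relay or fuse)."""
    name: str
    pickup_a: float     # current above which the device starts timing
    tms: float          # time multiplier setting
    clearing_s: float   # opening + arc extinction time after trip initiation

    def trip_time(self, fault_a: float) -> float:
        """IEC 60255 standard inverse: t = TMS * 0.14 / ((I/Ip)^0.02 - 1)."""
        if fault_a <= self.pickup_a:
            return math.inf             # below pickup the device never trips
        return self.tms * 0.14 / ((fault_a / self.pickup_a) ** 0.02 - 1.0)

    def clearing_time(self, fault_a: float) -> float:
        """Time from fault inception until the fault current is interrupted."""
        return self.trip_time(fault_a) + self.clearing_s


def check_coordination(load, feeder, fault_currents_a, cti_s, source_fault_duration_s):
    """Apply criteria a and b of Regulatory Position 5.3.3.1 over a fault sweep.

    a: the load device must interrupt the fault at least cti_s before the
       feeder device *initiates* its trip (feeder trip time, not clearing time).
    b: the source must be able to deliver the fault current for at least as
       long as the load device needs to clear it.
    Returns the overall verdict, the worst coordination margin and the failures.
    """
    failures = []
    worst_margin_s = math.inf
    for i_fault in fault_currents_a:
        t_load_clear = load.clearing_time(i_fault)
        t_feeder_trip = feeder.trip_time(i_fault)
        reasons = []
        if math.isinf(t_load_clear):
            reasons.append("fault below load pickup: load device never clears it")
        else:
            margin = t_feeder_trip - t_load_clear
            worst_margin_s = min(worst_margin_s, margin)
            if margin < cti_s:
                reasons.append(f"feeder trips {margin:.2f} s after load clears (< CTI {cti_s} s)")
            if t_load_clear > source_fault_duration_s:
                reasons.append(f"load needs {t_load_clear:.2f} s to clear, "
                               f"source withstands only {source_fault_duration_s} s")
        if reasons:
            failures.append((i_fault, reasons))
    return {"coordinated": not failures, "worst_margin_s": worst_margin_s, "failures": failures}


# Constructed settings (assumptions, not taken from any plant design).
FEEDER_DEVICE = InverseTimeDevice("feeder breaker", pickup_a=400.0, tms=0.30, clearing_s=0.05)
LOAD_DEVICE = InverseTimeDevice("load breaker", pickup_a=100.0, tms=0.05, clearing_s=0.05)
# Same load breaker with its time multiplier set ten times too slow.
SLOW_LOAD_DEVICE = InverseTimeDevice("load breaker (mis-set)", pickup_a=100.0, tms=0.50, clearing_s=0.05)
FAULT_SWEEP_A = [500.0, 1000.0, 2000.0, 5000.0, 10000.0]  # assumed available fault currents
CTI_S = 0.2                    # assumed coordination time interval
SOURCE_FAULT_DURATION_S = 1.0  # assumed time the source can sustain fault current


if __name__ == "__main__":
    for load in (LOAD_DEVICE, SLOW_LOAD_DEVICE):
        result = check_coordination(load, FEEDER_DEVICE, FAULT_SWEEP_A, CTI_S, SOURCE_FAULT_DURATION_S)
        print(f"{load.name}: coordinated={result['coordinated']}, "
              f"worst margin {result['worst_margin_s']:.2f} s")
        for i_fault, reasons in result["failures"]:
            print(f"  {i_fault:>8.0f} A: " + "; ".join(reasons))
```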

The acceptability of a particular interrupting device is considered demonstrated if the following criteria are met:

a. The interrupting device design should be factory tested to verify overcurrent protection as designed in accordance with the applicable UL, ANSI, or National Electrical Manufacturers Association standards.
b. For low- and medium-voltage switchgear (480V and above), circuit breaker/protective relay periodic testing should demonstrate that the overall coordination scheme remains within the limits specified in the design criteria. This testing may be performed as a series of overlapping tests.
c. Molded case circuit breakers should periodically be manually exercised and inspected to ensure ease of operation. On a rotating refueling outage basis, a sample of these breakers should be tested to determine that breaker drift is within that allowed by the design criteria. Breakers should be tested in accordance with an accepted QC testing methodology.


d. Fuses, when used as interrupting devices, do not require periodic testing because of their stability, lack of drift, and high reliability. Administrative controls should ensure that replacement fuses with ratings other than those selected for proper coordination are not accidentally used.

5.3.3.2 Spurious Actuation Circuits

Spurious actuation is considered mitigated if one of the following criteria is met:

a. A means to isolate the equipment and components from the fire area before the fire (i.e., remove power, open circuit breakers) is provided.
b. Electrical isolation that prevents spurious actuation is provided. Potential isolation devices include breakers, fuses, amplifiers, control switches, current transformers, fiber optic couplers, relays, and transducers.
c. A means to detect spurious actuations is provided, and procedures are developed to mitigate the maloperation of equipment (e.g., closure of the block valve if a power-operated relief valve spuriously operates, opening of the breakers to remove spurious actuation of safety injection).

5.3.3.3 Common Enclosures

Appropriate measures to prevent propagation of the fire should be provided.

Electrical protection (e.g., breakers, fuses, or similar devices) should also be provided.

5.3.4 Control Room Fires

The control room fire area contains the controls and instruments for redundant shutdown systems in close proximity. (Separation is usually a few inches.) Alternative/dedicated shutdown capability for the control room and its required circuits should be independent of the cables, systems, and components in the control room fire area.

The damage to systems in the control room for a fire that causes evacuation of the control room cannot be predicted. The licensee should conduct a bounding analysis to ensure that safe conditions can be maintained from outside the control room. This analysis is dependent on the specific design. The following assumptions usually apply:

a. The reactor is tripped in the control room.
b. Offsite power is lost as well as automatic starting of the onsite ac generators and the automatic function of valves and pumps with control circuits that could be affected by a control room fire.

The analysis should demonstrate that the capability exists to manually achieve safe-shutdown conditions from outside the control room by restoring ac power to designated pumps, ensuring that valve lineups are correct, and assuming that any malfunctions of valves that permit the loss of reactor coolant can be corrected before unrestorable conditions occur.


The only operator action in the control room before evacuation for which credit is usually given is reactor trip. For any additional control room actions deemed necessary before evacuation, a licensee should be able to demonstrate the capability of performing such actions.

Additionally, the licensee should provide assurance that such actions could not be negated by subsequent spurious actuation signals resulting from the postulated fire. The design basis for the control room fire should consider one spurious actuation or signal to occur before control of the plant is achieved from the alternate or dedicated shutdown system. Following control of the plant from the alternative or dedicated shutdown system, single or multiple spurious actuations that could occur in the fire-affected area must be considered in accordance with the plant's approved fire protection program.[1] Post-fire return to the control room should be governed by those procedures and conditions described in Regulatory Position 5.5.2.

After returning to the control room, the operators can take any actions compatible with the condition of the control room. Controls in the area (cabinet) where the fire occurred may not be available. Smoke and fire suppressant damage in other areas (cabinets) should also be assessed and corrective action taken before controls in such cabinets are deemed functional.

Controls in undamaged areas (cabinets) may be operated as required. Repairs inside the control room may be performed to reach cold shutdown.

5.4 Post-Fire Safe-Shutdown Procedures

Procedures for effecting safe shutdown should reflect the results and conclusions of the safe-shutdown analysis. Implementation of the procedures should not further degrade plant safety functions. Time-critical operations for effecting safe shutdown identified in the safe-shutdown analysis and incorporated in post-fire procedures should be validated.

5.4.1 Safe-Shutdown Procedures

Post-fire safe-shutdown operating procedures should be developed for those areas where alternative or dedicated shutdown is required. For other areas of the plant, shutdown would normally be achieved using the normal operating procedures, plant emergency operating procedures, or other abnormal operating procedures. (See also Regulatory Position 5.3.3 for discussion on feasibility and reliability of operator manual actions.)

5.4.2 Alternative/Dedicated Shutdown Procedures

Procedures should be in effect that describe the tasks to implement alternative/dedicated shutdown capability when offsite power is available and when offsite power is not available for 72 hours. These procedures should also address necessary actions to compensate for spurious actuations and high-impedance faults if such actions are necessary to effect safe shutdown.

[1] Licensees have Safety Evaluation Reports for their alternate and dedicated shutdown strategies outlining the specific considerations needed in response to a Control Room fire scenario. These Safety Evaluation Reports are referenced in each plant's fire protection license condition.

Procedures governing return to the control room should consider the following conditions:

a. The fire has been extinguished and so verified by appropriate fire protection personnel.
b. The control room has been deemed habitable by appropriate fire protection personnel and the shift supervisor.
c. Damage has been assessed and, if necessary, corrective action has been taken to ensure that necessary safety, control, and information systems are functional (some operators may assist with these tasks), and the shift supervisor has authorized return of plant control to the control room.
d. Turnover procedures that ensure an orderly transfer of control from the alternative/dedicated shutdown panel to the control room have been completed.

5.4.3 Repair Procedures

The licensee should develop procedures for performance of repairs necessary to achieve and maintain cold shutdown conditions. For alternative shutdown, procedures should be in effect to accomplish repairs necessary to achieve and maintain cold shutdown within 72 hours.

For plants that must proceed to cold shutdown prior to 72 hours, the procedures should support the required time for initiation of cold shutdown.

The performance of repair procedures should not adversely impact operating systems needed to maintain hot shutdown.

5.5 Cold Shutdown and Allowable Repairs

For normal safe shutdown, redundant systems necessary to achieve cold shutdown may be damaged by a single fire, but damage should be limited so that at least one success path can be repaired or made operable within 72 hours using onsite capability or within the time period required to achieve a safe-shutdown condition, if less than 72 hours.

For alternative or dedicated shutdown, equipment or systems that are the means to achieve and maintain cold shutdown conditions should not be damaged by fire, or the fire damage to such equipment and systems should be limited so that the systems can be made operable and cold shutdown achieved within 72 hours (or less, if required) using only onsite power. Systems and components used for safe shutdown after 72 hours (or less, if required) may be powered from offsite power only.

Cold shutdown capability repairs (e.g., the replacement of fuses and the replacement of cabling) are permitted. Selected equipment replacement is also allowed if practical. Procedures should be prepared for repairing damaged equipment (see Regulatory Position 5.5.3 of this guide), and dedicated replacement equipment should be stored on site and controlled. Repairs should be of sufficient quality to ensure safe operation until the normal equipment is restored to an operating condition. Repairs not permitted include the use of clip leads in control panels (i.e., hard-wired terminal lugs should be used) and the use of jumper cables other than those fastened with terminal lugs.

When repairs are necessary in the fire area, the licensee should demonstrate that sufficient time is available to allow the area to be reentered, that expected fire and fire suppressant damage will not prevent the repairs from taking place, and that the repair procedures will not adversely impact operating systems.

5.6 Shutdown/Low-Power Operations

Safe-shutdown requirements and objectives are focused on achieving shutdown conditions for fires occurring during normal at-power operations. During shutdown operations (i.e., maintenance or refueling outages), fire risk may increase significantly as a result of work activities. In addition, redundant systems important to safety may not be available, as allowed by plant technical specifications and plant procedures. The FPP should be reviewed to verify that fire protection systems, features, and procedures will minimize the potential for fire events to impact safety functions (e.g., reactivity control, reactor decay heat removal, spent fuel pool cooling) or result in the unacceptable release of radioactive materials, under the differing conditions that may be present during shutdown operations.


GLOSSARY (Change)

Success Path

The minimum set of structures, systems (including power, instrument, and control circuits and instrument-sensing lines), and components that must remain free of fire damage in order to achieve and maintain safe shutdown in the event of a fire. Success path is synonymous with the safe-shutdown train free of fire damage and includes electrical circuits whose fire-induced failure could prevent operation or cause maloperation of redundant trains necessary to achieve and maintain hot shutdown conditions. In the context of Appendix R, Section III.G, redundant train (Section III.G.2) and alternative/dedicated system (Section III.G.3) are both success paths and this definition is applicable.
