ML14100A289
| ML14100A289 | |
| Person / Time | |
|---|---|
| Site: | Palisades  |
| Issue date: | 09/14/1979 |
| From: | Office of Nuclear Reactor Regulation |
| To: | |
| Shared Package | |
| ML14100A290 | List: |
| References | |
| TASK-07-03, TASK-7-3, TASK-RR TAC-48143, NUDOCS 7910170580 | |
| Download: ML14100A289 (7) | |
Text
AFF POSITION SAFEHUTDOWN CAPABILITY Staff Concern During the staff's evaluation of fire protection programs at operating plants, one or more specific plant areas may be identified in which the staff does not have adequate assurance that a postulated fire will not damage both redundant divisions of shutdown systems.
This lack of assurance in safe shutdown capability has resulted from one or both of the following situations:
Case A:
The licensee has not adequately identified the systems and components required for safe shutdown and their location in specific fire areas.
Case B:
The licensee has not demonstrated that the fire protection for specific plant areas will -prevent damage to both redundant divisions of safe shutdown components identified in these areas.
For Case A, the staff has required that an adequate safe shutdown analysis be performed.
This evaluation includes the identification of the systems required for safe shutdown and the location of the system components in the plant.
Where it is determined by this evaluation that safe shutdown components of both redundant divisions are located in the same fire area, the licensee is required to demonstrate that a postulated fire will not damage both divisions or provide alternate shutdown capability as in Case B.
For Case 8, the staff may have required that an alternate shutdown capability be provided with is independent of the area of concern or the licensee may have proposed such a capability in lieu of certain additional fire protection modifications in the area.
The specific modifications associated with the area of concern along with other systems apd equipment already independent of the area form the alternate shutdown capability. For each plant, the modifications needed and the combinations of systems which provide the shutdown functions may be unique for each critical area; however, the shutdown functions provided should maintain plant parameters within the bounds of the limiting safety consequences deemed acceptable for the design basis event.
Staff Position Safe shutdown capability should be demonstrated (Case A) or alternate shutdown capability provided (Case B) in accordance with the guidelines provided below:
- 1. Design Basis Event The design basis event for considering the need for alternate shutdown is a postulated fire in a specific fire area containing redundant safe shutdown cables/equipment in close proximity where it has been determined that fire protection means cannot assure that safe shutdown capability will be preserved. Two cases should be considered:
(1) offsite power is available; and (2) offsite power is not available.
- 2. Limiting -Safety Consequences and Required Shutdown Functions 2.1 No fission product boundary integrity shall be affected:
- a. No fuel clad damage;
- b. No rupture of any primary coolant boundary;
- c.
No rupture of the containment boundary.
2.2 The reactor coolant system process variables shall be within those predicted for a loss of normal ac power.
2.3 The alternate shutdown capability shall be able to achieve and maintain subcritical conditions in the reactor, maintain reactor coolant inventory, achieve and maintain hot standby* conditions (hot shutdown* for a BWR) for an extended period of time, achieve cold shutdown* conditions within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> and maintain cold shutdown conditions thereafter.
As defined in the Standard Technical.Specifications.
- 3. Performance Goals 3.1 The reactivity control function shall be capable of achieving and maintaining cold shutdown reactivity conditions.
3.2 The reactor coolant makeup function shall be capable of maintaining the reactor coplant level above the top of the core for BWR's and in the pressurizer for PWR's.
3.3 The reactor heat removal function shall be capable of achieving and maintaining decay heat removal.
3.4 The process monitoring function shall be capable of providing direct readings of the process variables necestary to perform and control the above functions.
3.5 The supporting function shall be capable of providing the process cooling, lubrication, etc. necessary to permit the operation of the equipment used for safe shutdown by the systems identified in 3.1 -
3.4.
3.6 The equipment and systems used to achieve and maintain hot standby conditions (hot shutdown for a BWR) should be (1) free of fire damage; (2) capable of maintaining such conditions for an extended time period longer than 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> if the equipment required to achieve and maintain cold shutdown is not available due to fire damage; and (3) capable of being powered by an onsite emergency power system.
3.7 The equipment and systems used to achieve and maintain cold shutdown conditions should be either free of fire damage or the fire damage to such systems should be limited such that repairs can be'made and cold shutdown conditions achieved within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />.
Equipment and systems used prior to 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> after the fire should be capable of being powered by an onsite emergency power system; those used after 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> may be powered by
-3 offsite power.
3..8 These systems need not be designed to (1) seismic category I criteria; (2) single failure criteria; or (3) cope with other plant accidents such as pipe breaks or stuck valves
'Appendix A BTP 9.5-1), except those portions of these systems which interface with or impact existing safety systems.
- 4. PWR Equipment Generally Necessary For Hot Standby (1) Reactivity Control Reactor trip capability (scram).
Boration capability e.g.,
charging pump, makeup pump or high pressure injection pump taking suction from concentrated borated water supplies, and letdown system if required.
(2) Reactor Coolant Makeup Reactor coolant makeup capability, e.g., charging pumps or the high pressure injection pumps.
Power operated relief valves may be required to reduce pressure to allow use of the high pressure injection pumps.
(3) Reactor Coolant System Pressure Control Reactor pressure control capability, e.g., charging pumps or pressurizer heaters an8 use of the letdown systems if required.
(4) Decay Heat Removal Decay heat removal capability, e.g., power operated relief valves,(steam generator) or safety relief valves for heat removal with a water supply and emergency or auxiliary feedwater pumps for makeup to the steam generator.
Service water or other pumps may be required to provide water for auxiliary feed pump suction if the condensate storage tank capacity is not adequate for 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />.
(5) Process Monitoring Instrumentation Process monitoring capability e.g., pressurizer pressure and level, steam generator level.
(6) Suoport.
The equipment required to support operation of the above described shutdown equipment e.g., component cooling water service water, etc. and onsite power sources (AC, DC) with their associated electrical distribution system.
- 5. PWR Equipment Generally Necessary For Cold Shutdown*
(1) Reactor Coolant System Pressure Reduction to Residual Heat R emoval System (RHR)
Capabilit Reactor coolant system pressure reduction by cooldown using steam generator power operated relief valves or atmospheric dump valves.
(2) Decay Heat Removal Decay heat removal capability e.g., residual heat removal system, component cooling water system and service water system to removal heat and maintain cold shutdown.
(3) Support Support capability e.g., onsite power sources (AC & DC) or offsite after 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> and the associated electrical distribution system to supply the above equipment.
Equipment necessary in addition to that already provided to maintain hot standby.
- 6. BWR Equipment Generally Necessary For Hot Shutdown (1) Reactivity Control Reactor trip capability (scram).
(2) Reactor Coolant Makeup Reactor coolant inventory makeup capability e.g., reactor core isolation cooling system (RCIC) or the high pressure coolant injection system (HPCI).
(3) Reactor Pressure Control and Decay Heat Removal Depressurization system valves or safety relief valves for dump to the suppression pool.
The residual heat removal system in steam condensing mode, and service water system may also be used for heat removal to the ultimate heat sink.
(4) Suppression Pool Cooling Residual heat removal system (in suppression pool cooling mode) service water system to maintain hot shutdown.
(5) Process Monitoring Process monitoring capability e.g., reactor vessel level and pressure and suppression pool temperature.
(6) Support Support capability e.g., onsite power source (AC & DC) and their associated distribution systems to provide for the shutdown equipment.
- 7. BWR Equipment Generally Necessary For Cold Shutdown*
At this point the equipment necessary for hot shutdown has reduced the primary system pressure and temperature to where the RHR system may be placed in service in RHR cooling mode.
(1) Decay Heat Removal Residual heat removal system in the RHR cooling mode, service water system.
(2) Support Onsite sources (AC & DC) or offtite after 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> and their associated distribution systems to provide for shutdown equipment.
Equipment provided in addition to that for achieving hot shutdown.
- 8. Information Required For Staff Review (a) Description of the systems or portions thereof used to provide the shutdown capability and modifications required to achieve the alternate shutdown capability if required.
(b) System design by drawings which show normal and alternate shutdown control and power circuits, location of components, and that wiring which is in the area and the wiring which is out of the area that required the alternate system.
(c) Demonstrate that changes to safety systems will not degrade safety systems.
(e.g., new isolation switches and control switches should meet design criteria and standards in FSAR for electrical equipment in the system that the switch is to be installed; cabinets that the switches are to be mounted in should also meet the same criteria (FSAR) as other safety related cabinets and panels; to avoid inadvertent isolation from the control room, the isolation switches should be keylocked, or alarmed in the control room if in the "local" or "isolated" position; periodic checks should be made to verify switch is in the proper position for normal operation; and a single transfer switch or other new device should not be a source for a single failure to cause loss of redundant safety systems).
(d) Demonstrate that wiring, including power sources for the control circuit and equipment operation for the alternate shutdown method, is independent of equipment wiring in the area to be avoided.
o6 (e) Demonstrate that alternate shutdown power sources, including all breakers, have isolation devices on control circuits that are routed through the area to be avoided, even if the breaker is to be operated manually.
(f) Demonstrate that licensee procedure(s) have been developed which describe the tasks to be performed to.effect the shutdown method. A summary of these procedures should be reviewed by the staff.
(g) Demonstrate that spare fuses are available for control circuits where these fuses.may be required in supplying power to control circuits used for the shutdown method and may be blown by the effects of a cable spreading room fire. The spare fuses should be located convenient to the existing fuses.
The shutdown procedure should inform the operator to check these fuses.
(h)
Demonstrate that the manpower required to perform the shutdown functions using the procedures of (f) as well as to provide fire brigade members to fight the fire is available as required by the fire brigade technical specifications.
(i) Demonstrate that adequate acceptance tests are performed.
These should verify that: equipment operates from the local control station when the transfer or isolation switch is placed in the "local" position and that the equipment cannot be operated from the control room; and that equip ment operates from the control room but cannot be operated at the local control station when the transfer or isolation switch is in the "remote" position.
Technical Specifications of the surveillance requirements and limiting conditions for operation for that equipment not already covered by existing Tech. Specs. For example, if new isolation and control switches are added to a service water system, the existing Tech. Spec. surveillance require ments on the service water system should add a statement similar to the following:
"Every third pump test should also verify that the pump starts from the alternate shutdown station after moving all service water system isolation switches to the local control position."
(k) Demonstrate that the systems available are adequate to perform the necessary shutdown functions. The functions required should be based on previous analyses, if possible (e.g.,
in the FSAR), such as a loss of normal a.c. power or shutdown on a Group I isolation (BWR)-
The equipment required for the alternate capability should be the same or equivalent to that relied on in the above analysis.
(1)
Demonstrate that repair procedures for cold shutdown systems are developed and material for repairs is maintained on site.