ML15223A890

From kanterella
Jump to navigation Jump to search
Safety Evaluation Re Standby Shutdown Facility.Design Acceptable Except on Availability of Source Range Flux Monitor & Steam Generator Pressure Indication
ML15223A890
Person / Time
Site: Oconee  Duke Energy icon.png
Issue date: 04/28/1983
From:
Office of Nuclear Reactor Regulation
To:
Shared Package
ML15223A889 List:
References
NUDOCS 8305200106
Download: ML15223A890 (17)
v  d  e


Text

UNITED STATES NUCLEAR REGULATORY COMMISSION WASHINGTON, D. C. 20555 SAFETY EVALUATION BY THE OFFICE OF NUCLEAR REACTOR REGULATION OCO1EE NUCLEAR STATION STANDBY SHUTDOWN FACILITY DUKE PO4ER COMPANY DOCKETS NOS. 50-269, 50-270 AND 50-287 1.0 Introduction By letter dated February 1, 1978, Duke Power Company (DPC or the licensee) proposed a standby shutdown system for the Oconee Nuclear Station (ONS), Units Nos.

1, 2 and 3. Such a system would augment existing plant capabilities relative to mitigating postulated occurrences such as fires, turbine building flodding and security incidents. Additional information describing the conceptual design of the standby shutdown system was received by letter dated June 19, 1978; subsequent staff approval of the conceptual desian was transmitted to the licensee on December 29, 1978..

In accordance with the conceptual design evaluation, the licensee pro vided a final design peoposal for the system, the standby shutdown facility (SSF), in a March 28, 1930 submittal.

Our review of the March 28, 1980 submittal identified areas where additional information cohcerning the *conformance with the NRC Standard Review Plans (NUREG-75/087) Sections 3.7.3, 3.9.2, 3.9.3 and 3.9.6 was requested by letter dated October 27, 1980. In response to our letter, the licensee submitted its response in letters dated February 16 and March 31, 1981, April 13, September 20 and December 23, 1982.

At the time of the March 28, 1980 submittd, Appendix R was not effective.

On February 19, 1981, the fire protection rule for nuclear power plants, Appendix R to 10 CFR 50 became effective. This rule required all licensees of plants licensed prior to January 1, 1979, to submit by March 19, 1981:

(1) plans and schedules for meeting the applicable requirements of Appendix R, (2) a design description of any modifications proposed to provide alternative safe shutdown capability pursuant to Paragraph III.G.3 of Appendix R, and (3) exemption requests for which the tolling provisions of Section 50.48(c)(6) was to be invoked.

Section III.G of Appendix R is a retrofit item to all pre-1979 plants regardless of previous SER positions and resolutions. Subsequently, DPC provided submittals regarding the use of the SSF to meet 830520106i83042 PDR ADOCK 05000269 P

PDR

DPC

-2 Appendix R requirements for the ONS.

The licensee addressed the ONS's post-fire shutdown capability in six letters dated January 25, February 1 and June 19, 1978, March 28, 1980, and March 18 and April 30, 1981.

Additional information was provided in the letters dated January 25, September 20 and December 23, 1982. These submittals discuss the various means used to achieve and maintain safe shutdown conditions, determine whether safe shutdown could be achieved without equipment or cabling in any one fire area, and identify any modifications required due to unacceptable interactions caused by a fire.

2.0

System Description

The SSF is a "bunkered" facility which houses the systems and components necessary to provide an alternate and independent means to achieve and maintain a hot shutdown condition for one. or more of the three Oconee units.

The SSF was designed to resolve the safe shutdown requirement for fire protection, turbine building flooding and physical security.

The SSF is to have the capability of maintaining hot shutdown conditions in all three units for approximately three days following a loss of normal AC power. The subsystems that make up the SSF are described below.

2.1 Reactor Coolant (RC) Makeup Subsystem The SSF RC makeup subsystem is designed to supply makeup to the reactor coolant system (RCS) in the event that normal makeup systems are un available. The capacity of this subsystem is sized to account for normal RCS leakage and shrinkage which results from going from a hot power operating condition to hot shutdown.

The primary component of each SSF RC makeup subsystem is the 26 gpm high head makeup pumps. One pump is provided for each of the three units; each pump will be located in its respective reactor building..The design capacity is sufficient to maintain RCS inventory during the transition from power operations to hot shutdown.

The makeup source is either Unit 1 and 2's or Unit 3's spent fuel pool, thus ensuring a large supply of borated water. Letdown, when required, is returned to the spent fuel pool.

The letdown valve is powered from the SSF power system and is controlled from the SSF control roqm. Capability to operate one bank of pressurizer heaters per unit allow pressure control of the RCS by the pressurizer.. Overpressuriza tion protection is provided by the existing relief valves. This subsystem is designed to seismic Category I and Quality Group B requirements.

Failure of the SSF RC makeup subsystem components will not affect the operation of the normal "in plant" components. The SSF RC makeup subsystem is operated and/or tested only from the SSF control room.

2.2 Auxiliary Service Water Subsystem The SSF auxiliary service water subsystem (SSFASW) is a high head, high volume system designed to provide sufficient steam generator inventory for adequate decay heat removal for all three units during a loss of normal AC power in.

conjunction with the loss of the normal and emergency feedwater systems.

DPC

-3 The SSFASW pump is the major.component of the system, and is housed in the SSF building. The single motor driven pump, powered from the SSF power supply, has a design output of 2250 gpm. A non-isolated 500 gpm recirculation line is provided to protect the pump. This leaves 580 gpm at full system pressure to each of the three units for approximately three days. This is above the calculated 500 gpm required to remove decay heat from a shutdown unit.

The water contained in the buried condenser circulating water (CCW) piping for Unit No. 2 serves as the water supply. The buried portion of the CCW piping is designed to withstand the effects of a seismic event. The SSFASW is designed to seismic Category I and Quality Group B and C requirements.

Failure of the SSFASW components will not affect the operation of the normal "in-plant" components. The SSFASW is operated and/or tested only from the SSF control room.

2.3 Electrical Power Supply The SSF power supply is designed to provide normal and independent emergency sources of AC and DC electrical power, their associated electrical distribution systems and various support systems.

The SSF diesdl generator would be operated only in the event installed normal power systems are'inoperable. Manual operator action is required to actuate this system.

The SSF power supply includes onsite 4160VAC, 600VAC, 208VAC, 120VAC and.

125VDC power. This system supplies power necessary for the hot shutdown of the reactor in the event of loss of power from all other power systems. It consists of switch-gear, a load center, ten motor control centers, panelboards, remote starters, batteries, battery. chargers, two in"erters, a diesel powered electrical generator unit, relays, control devices, and interconnecting cable supplying the appropriate loads.

The inverter supplied 120VAC power system supplying the security system circuits in conjunction with the 120VDC instrumentation and control power system supplies continuous control power to all loads that are required for a hot shutdown of the reactor.

2.3.1 Normal AC Power Supply The 4160 volt SSF power system is provided for normal and backup service and is normally energized from plant switchgear B2T with all breakers r

the bus in the closed position Upon loss of the normal power supply, the 4160 VAC SSF power syster will :rovide power to the necessary loads to safely shutdown the unit by an onsite iesel-electric generator (see Section 2.3.2 for further discussion) which is independent of the normal power distribution system. All of the loads required for hot shutdown of the reactor are supplied power during loss of the normal distribution system from the 4160 VAC SSF power system, either directly (for the high head auxiliary service water pump) or through transformer(s) if at a lower voltage.

-4 DPC The 600VAC SSF load center is normally energized from the 4160 buses.

Power to three of the 600VAC motor control centers is supplied from a double-ended bus normally supplied from unit load centers of the 600VAC normal auxiliary power system and alternately fed from the SSF power system. The motor control center supply bys cannot be connected to either source unless the other source breaker is open. Upon loss of power to the normal source breaker, transfer to the SSF source will be initiated manually. The remaining 600VAC loads, which require power for hot shutdown of the reactor, are connected to the motor control centers.

Normal power to the pressurizer heaters and necessary primary system.

isolation valves is supplied from their.respective unit normal auxiliary power system. When their normal sources are lost, one bank for each unit is transferred to the 600VAC SSF power supply.

Three 208VAC unit-related motor control centers are provided to supply the SSF loads uniquely associated with their respective Oconee unit. These centers are normally energized from their respective unit's normal distribution system.

Upon loss of the normal power, these 208VAC centers will be manually transferred to the 600VAC SSF load centers where they can be powered from the SSF diesel generator.

The 120VAC power supply cons sts of a static inverter, a panelboard, a manual transfer switch ana interconnecting cables. The system is designed such that normal power is provided from the battery-backed 125VDC distribution center to the static inverter, through the manual transfer switch and to the panelboard which, in turn, supplies power to the shutdown system circuits. Upon loss of the static inverter.

or the DC power system, the SSF 120VAC power system panelboard is manually transferred to its alternate source, the 600VAC SSF power system.

2.3.2 Standby Power Supply The SSF standby power supply consists of an independent diesel-electric generating unit, which'is rated at 3500 kW, 0.8PF, 4160 volts.

The auxiliaries required to assure proper operation of the diesel-generator unit are supplied with power from the appropriate buses (600VAC,

208VAC, 120VAC or 125VDC) of the SSF power system. The diesel-electric generating unit is rated for continuous operation at 3500 KW. The design load level for the system does not exceed the 3500 KW continuous rating of the diesel electric generating unit. The unit has an independent air starting system with storage to provide at least ten successive emergency starts from both storage tanks.

An independent fuel system, complete with a separate underground storage tank and a one hour day.tank, is supplied for the diesel-electric generating unit. The underground storage tank is sized to operate the required SSF power system for a period of seven days.

The day tank is sized based upon the fuel oil storage required to successfully start the unit and to allow for orderly shutdown of the diesel unit upon loss offiuel oil from the main storage tank.

Following lcss of normal power, the diesel-electric generating unit is manually started and connected to the 4160 VAC SSF power system bus.

By manually closing the 4160VAC generator breaker, the high head auxiliary service water pump motor breaker, and the 4160/600VAC and the 600/208VAC transformer breakers, the entire SSF power system is provided with its backup source of power.

DPC

-5 2.3.3 DC Power Supply The 125VDC SSF Power System consists of two 125VDC batteries and associated chargers, two DC distribution centers, and a DC power panelboard. This system is designed to provide an interruptable source of power for the SSF equipment controls and instrumentation.

Normally, one 125VDC battery and its associated charger are connected to the 125VDC distribution center to supply the 125VDC loads. In this alignment, the battery is floated on the distribution center and is available to assume load without interruption upon loss of its associated battery charger or AC power source. The other 125VDC battery and its associated charger are in a standby mode and are not normally connected to the 125VDC distribution center.

However, they are available via manual connection to the 125VDC distribution center to supply SSF loads, if required.

Backup lighting is provided from the 120VAC security power system. The DC power system is designed to operate ungrounded and is provided with a ground detection system set to indicate the first ground.

Both battery chargers are identical and are fed from the shared 600VAC motor control center. Normally, one of the chargers is connected to float charge the battery while carrying the continuous load, with the other charger available to float on the other battery disconnected from the DC distribution center. The standby charger and battery would also be available as a backup for the normal charger and battery. Each charger is designed to prevent the battery from discharging back into any internal charger circuits in the event of an AC power supply failure or a charger malfunction.

The DC distribution center receives power from a battery charger or battery depending on AC power system status, and in turn feeds power to a DC power panelboard and two static inverters. The 125VDC distribution centers are metalclad free-standing steel structures of NEMA Type 1A construction with gasketed doors, cover plates, and contain molded circuit breakers and voltage monitoring devices. The battery bus voltage is monitored by voltmeters located on the 125VDC distribution center.

2.4 Support Subsystems The SSF support subsystems are designed to provide lighting, fire protection, fir.e detection, service water, heating/ventilation/air conditioning, sump drainage and potable water. The main subsystems are described below.

.2.4.1 Service Water Subsystems The SSF service water subsystem is comprised of the HVAC service water system and the diesel engine service water system. The HVAC service water system, which operates continuously, contains two 100% capacity

DPC 6

pump and

ppl Ie cooing water to the HVAC conde e n

pump operates at a given time; the other pump serves a a backup via manual operal'o".

The diesel engine service water system, which operates only when the diesel is operating, contains one pump and provides service water to the diesel engine jacket water heat exchangers.

All three pumps take their suction from the buried CCUI piping and return the flow to the CCW piping after passing through their respective system. The piping and.components of the SSF service water subsystems are designed to withstand the effects of a seismic event. All pumps are powered from the SSF power supply.

2.4.2 SSF HVAC System The SSF HVAC subsystem is to provide filtered and conditioned ventilation for the SSF structure, and to maintain the environmental conditions within the limits set for personnel occupancy and equipment operability.

The combustion air and diesel engine exhaust systems are independent of the ventilation systems.

The HVAC system consists of six ventilation fans, (-three supply and three exhaust), and one air conditioning refrigeration unit. All components and ductwork which service areas which contain equipment needed for safe shutdown are designed to withstand the effects of a seismic event.

All components can be powered from the SSF power supply.

2.4.3 Building Sump.Subsystem The SSF sump subsystem is to provide a means of collecting and discharging drainaqe from equipment and floor drains. Two sump pumps, both of which can.be powered from the SSF power system, discharge the effluent to the yard drainage system.

The discharge line will be designed to prevent back flow into the sump from outside sources.

Level switches located in the sump are used to automatically start and stop the pumps.

The sump system is a nonseismic system as its failure will not adversely affect equipment needed for safe shutdown.

2.4.4 Potable Water Subsystem The SSF potable water subsystem provides potable water for sanitation and potable services. Water is provided from a 200 gallon storage tank located in the SSF building. The tank is fed from the plant potable water system and is isolable from the plant. When isolated, the tank is ve-ted and then serves as the sole potable water supply. for the SSF In areas where this system may adversely affect equipmiint acUQco tu

Cii; shutdown, it is seismically supported.. Otherwise, this system is desiined to nohseismic requirements since its failure will not adversely affect equipment needed for safe shutdown.

2.5 Instrumentation and Controls The SSF control panel is to provide instrumentation and controls needed to assure safe plant operations and shutdown conditions for the three units. Monitoring capability is provided for plant parameters such as primary coolant temperature and pressure, pressurizer pressure and level,

DPC

-7 incore thermocouple, and steam generator level, and diagnostic capabilities for mechanical and electrical component performance. All electrical equipment necessary for hot shutdown is designed to withstand the effects of a seismic event. Electrical power is provided by the SSF power supply.

3.0 Review Bases The design of the SSF was reviewed to the requirements of Appendix R to 10 CFR 50, Sections III.G.3 and III.L, and those requirements applicable for flooding and seismic events.

The licensee has stated that the SSF, the associated mechanical and electrical systems and power supplies meet or exceed the applicable criteria contained in the Oconee FSAR. Additionally, ASME and IEEE codes are utilized as appropriate, in the design of various subsystems and components.

The SSF and systems/components needed for safe shutdown are designed to withstand the Safe Shutdown Earthquake (SSE).

The SSF systems required for safe shutdown are designed with adequate capacity to ensure safe hot shutdown conditions of all three Oconee units.

The SSF power system is designed with adequate capacity and capability to supply the necessary loads, and is physically and electrically independent from the main shutdown system power supply (station power).

Additionally, the AC and DC power systems and equipment required for the SSF essential functions have-been designed and installed consistent with the Oconee QA program of Class 1E equipment.

The systems are not designed to meet the single failure criterion, but are designed such that failures in the systems do not cause failures or inadvertent operations in existing plant systems.

The systems in the SSF are manually initiated, that is, multiple actions must be performed to provide flow to existing safety systems.

4.0 Discussion and Evaluation The SSF, which is categorized as a Seismic Category I structure, is designed to mitigate the consequences of postulated fire, flooding or sabotage.

It is designed to provide an alternate and independent means to achieve hot shutdown conditions.

The SSF is approximately 160 ft. long, 40 ft. wide and equivalent of two stories high. It is a reinforced concrete structure con sisting of a diesel generator room, electrical equipment room, mechanical pump room, control room, central alarm station, security computer room, and ventilation equipment room.

It is Duke Power Company's intentions to make the final tie-ins to the existing systems during the next scheduled refueling outages for each unit.

These refueling outages are currently scheduled for July and October 1983 and May 1984 for Oconee, Units Nos. 1, 2 and 3, respectively.

We find this schedule acceptable.

DPC

-8 4.1 Structure Design The SSF has a seismic classification of Category I.- The loads considered were dead loads, equipment and live loads, normal wind and tornado wind loads generated from tornado and high pressure pipe break.

The design wind specified has a velocity of 95 mph with a recurrence interval of 100 years. The SSF is designed to resist the effects of tornado generated missiles in combination with other loadings listed above.

All the postulated missiles are in accordance with NRC SRP 3.5.1.4 Rev. 1 and Regulatory Guide 1.76. Penetration depths are calculated in accordance with the modified NDRC formula (Amerikam, A., "Design of Protective Structures" Bureau of Yards and Docks, Department of the Navy, NAVDOCKS, P. 51. 1950) and the modified Petry Formula (Stevenson, J. D., "Structural Analysis and Design of Nuclear Plant Facilities" Committee on Nuclear Structures and Materials of the Structural Division of the American Society of Civil Engineers, 1976).

For reinforced concrete, ACI 318-71 is used while reinforcing steels are in conformance with ASTM A615-72.

For structural steel, ASTM-A-36 and AISC 7th edition are used.

The design response spectra are developed in accordance with the procedure in Regulatory Guide 1.60. It corresponds to the expected maximum bedrock acceleration of 10%g. The dynamic analysis is based on the STRUDL-DYNAL computer program. With the geometry and properties of the model defined, the model's influence coefficients (the flexibility matrix) are determined. The contributions of flexure as well as shearing deformations are considered. The resulting matrix is inverted to obtain the stiffness matrix, which is used together with the mass matrix to obtain the eigen values.and associated eigen vectors by solving the resultant characteristic equations.

Having obtained the frequencies and mode shapes and employing the appropriate damping factors, the spectral acceleration for each mode can be obtained from design ground motion response spectra curves.,

Shear and moments of each mode are obtained from inertial forces. The structural response is obtained by combining the modal contributions of all the modes considered.

The combined effect is represented by the square root of the sum.of the squares.

The structural aspects of the SSF have been evaluated. The design is in accordance with NRC Standard Review Plan and applicable industry codes and standards. Based on our review of the design, the staff concludes that the structure will withstand the specified design condi tions without'impairment of structural integrity or safety function.

4.2 Seismic Subsystem Analysis The scope of review of the seismic subsystem analysis included the seismic analysis method of all Category I systems, components equipment and their supports. It included review of procedures for modeling, inclusion of torsional effects, seismic analysis of Category I piping systems, seismic analysis of multiply-supported equipment and components

DPC

-9 with distinct inputs, justification for the use of constant vertical static factors and determination of composite damping. The review has included design criteria and procedures fqr evaluation of the -inter action of non-Category I piping with Category I piping.

The seismic analysis of Category I pipe is performed using dynamic modal analysis techniques.

No static seismic analysis is used for SSF ASME Code piping. Modal response spectrum methods are used and the governing response parameters are combined by the square-root-of-the sum-of-the-square rule. An adequate number of masses or degrees of freedom are included in the model to determine the response of signifi cant modes.

Closely spaced modes are combined by absolute sum. The response due to each of three components of earthquake motion is combined by the square-root-of-the-sum-of-the-square rule as described in Regulatory Guide 1.92. Pipe supported from multiple levels or structure is designed for an envelop of the response spectra for all supporting structures. Constant vertical static factors are not used.

Vertical response is obtained from a dynamic modal analysis. Modal damping ratios are consistent with Regulatory Guide 1.61.

We find the licensee's analysis methods to be acceptable.

The location of the SSF non-Category I piping has been reviewed to determine those areas of proximity to Category I piping or safety related equipment. Where Category I piping or safety related equipment is in the proximity area, the non-Category I piping has been seismically qualified and supported or rerouted out of the problem area. We find the licensee's approach to be acceptable.

The SSF auxiliary service water buried piping is seismically designed for stresses resulting from SSE and OBE events. The design and analysis are based on the current state-of-the-art as given in References* 8 and 9.

These papers reference the recommended procedures noted in SRP Section 3.7.3 for initial effects and the effects of static resistance of the surrounding soil.

We find the licensee's procedures to be acceptable.

4.3 Dynamic Testing and Analysis of Mechanical Components The review performed under SRP Section 3.9.2 included the licensee's criteria and testing procedures used for monitorinq the thermal motion and vibration of the piping systems in the SSF.

Procedures are being established for the.startup testing of the Class B and C piping in the SSF to verify the following information under different operating modes:

Physical Compliance with Piping Design: An "as built" verification procedure is utilized to verify that piping, components and support/

restraints have been erected with design tolerance.

DPC

-10

  • Thermal Motion Monitoring to Verify Adequate Clearance and Restrictions to Movements:

The purpose of this monitoring program is to confirm that no unacceptable restraint of normal thermal motion occurs within the ability to test under non-accident conditions.

Vibration Monitoring for Equipment:

The purpose of this monitoring program is to verify that vibration levels for system components are within acceptance criteria. Pump vibration is monitored during initial testing in accordance with IWP-3210 to verify vibrations are less than or equal to the maximum allowable per the specific vendor's requirements.

We find the licensee's approach to be acceptable.

4.4 ASME Code Class 1, 2 and 3 Components, Component Supports and Core Support Structures The scope of review of SRP Section 3.9.3 included the load combinations methodology and allowable stress limits, design and installation of pressure relief devices and component supports.

Piping systems for the SSF are designed in accordance with the appropriate ASME Code based on the Quality Group classifications outlined in Regulatory Guide 1.26. The SSF RC Makeup System is under Quality Group B and is designed in accordance with ASME Code Section III Class 2.

The SSFASW system has a portion (crossover between emergency feedwater lines) in each reactor building that is under Quality Group B and is designed to ASME Code Section III Class 2. The remainder of the SSFASW system is under Quality Group C and is designed in accordance with ASME Code Section III Class 3 or ANSI B31.7, 1969.

The 1974 Edition of the ASME Boiler and Pressure Vessel Code with addenda though the Summer of 1975 addenda is used. In Reference 4, the licensee stated that the load combinations and stress limits contained in the requirements of SRP 3.9.3.11 and referenced in Regulatory Guide 1.48 are met, except Code Case 1606 is used for the faulted load combination. We find the licensee's approach.to be acceptable.

Another area of our review is the design and installation of pressure relief devices. The loads from pressure relief valves with an open discharge are evaluated in accordance with Code Case 1569, "Design of Piping for Pressure Relief Valve Station", assuming multiple valves on the same pipe open in the.most conservative, sequence. A dynamic load factor of two is used to determine the transient loads unless a lower value is justified by analysis.

DPC Relief valves discharging into a closed system or a system with long discharge piping are reviewed to identify any significant transient loadings. -Any significant loading is analyzed using dynamic analyses to include the effects of changes in momentum due to fluid flow changes of direction and any potential water slugs.

The piping will be adequately supported such that piping stresses associated with any transient loads satisfy applicable Code requirements.

Based upon our review of information submitted, we conclude that the licensee has met SRP requirements for design and installation of overpressure relief devices.

We have also reviewed the information pertaining to the criteria used by the licensee in the design of ASME Class 2 and 3 component supports and find them to be acceptable. The loading combinations and stress limits contained in the requirements of SRP 3.9.3.11.4 and referenced in Regulatory Guide 1.48 are met. However, ASME Code Section III Subsection NF did not provide.faulted condition allowable stress limits for.Class 2 and 3 component supports until the 1977 edition.

The licensee utilizes the allowables for Class 1 components in the 1974 edition of Subsection NF and subsequent applicable addenda for its Class 2 and 3 component supports faulted stress allowables.

4.5 Inservice Testing of Pumps and Valves All inservice testing of pumps and valves will be done in accordance with the provision of ASME Section XI,. Subsections IWP and IWV. Based on the information provided, we find the licensee's approach to be acceptable.

4.6 Seismic and Dynamic Qualification of Category I Electrical Equipment The adequacy of the program for qualification of safety-related electrical equipment for seismic and dynamic loads is evaluated by:

(1) determining the acceptability of the procedures used, standards followed, and the completeness of the program in general, and (2) an on-site audit of selected equipment items to develop the basis for the judgment on the completeness and adequacy of the implementation of the entire seismic and dynamic qualification program. The evaluation is to determine the extent to which the qualification of equipment as installed in the SSF meets the current licensing criteria as described in IEEE 344-1975, Regulatory Guides 1.61, 1.89, 1.92, 1.100 and 1.148 and the SRP Section 3.10 (NUREG-0800). Conformance with these criteria is required to satisfy the applicable portions of the General Design Criteria in 1, 2, 4, and 30 of Appendix A to 10 CFR Part 50 and paragraphs XI of Appendix B to 10 CFR 50 and VI(a) (1) and (2) of Appendix A to 10 CFR 100 as they relate to equipment qualification.

The staff has reviewed the submittals from Duke Power Company for the SSF.

In addition, Sections 3.9.2.2 and 3.10 of the Oconee FSAR were re-examined.

DPC

-12 Based on the above review, the staff concludes that Duke Power Company has given a description of the applicable procedures, methodologies, and industrial standards, and the staff finds the program (Itemi1 above) acceptable.

However, the detailed in-depth review which would determine the completeness and adequacy of the implementation of the program and whether it adheres to the current criteria (Item 2 above) will be performed during the implementation phase of USI A-46, "Seismic Qualification of Equipment in Operating Plants". 'This issue is being resolved on a generic basis for all operating power reactors.

4.7 Fire Protection To preclude a single fire from affecting redundant trains of a system, each safety train mjust, meet minimum separation/protection requirements.

In the licensee's "Fire Hazards and Response to BTP 9.5-1".dated December 31, 1976, and in subsequent responses to requests for addi tional information, the licensee identified various areas of the plant which did not meet the required separation/protection requirements.

To eliminate the deficiencies, a dedicated safe shutdown system (named the SSF) independent of the existing plant systems which would be used to achieve safe shutdown was proposed.

The use of the SSF as a means of achieving compliance to Sections III.G.3 and III.L of Appendix R to 10 CFR 50 is premised upon the acceptability of the SSF design as a whole. Whenever possible, the existing plant systems will be used to achieve hot shutdown. The SSF will be used when the existing plant systems or facilities of one of the three units are unavailable due to a fire. The SSF is not designed to bring the reactor from hot shutdown to cold shutdown. Cold shut down will be achieved and maintained through the use of existing plant systems and equipment as discussed below.

No repairs or modifications are required to effect hot shutdown utilizing the dedicated shutdown method. Repairs for cold shutdown may be required depending upon the fire area.

4.7.1 Safe Shutdown Systems Safe shutdown of the reactor is initially performed by the insertion of control rods from the control room.

Insertion can also be accomplished by removing power to the control rod drive mechanisms. When normal and emergency systems are not available, reactor coolant inventory and reactor shutdown margin are maintained by the SSF makeup pump taking suction from the spent fuel pool.

Primary system pressure can be maintained by the pressurizer heaters and pressurizer spray or by use of charging combined with letdown. Should the pressurizer heaters be unavailable (caused by fire inside containment), progression towards cold shutdown will be initiated as soon as hot shutdown is achieved. Decay heat removal can be accomplished by releasing steam from the steam generators via the atmospheric main steam code relief valves.

Makeup to the steam generators can be provided by the SSFASW

DPC

-13 system which takes suction from the buried CCW system piping.

Depressurization to cold shutdown can be achieved by bypassing steam to the turbine (since CCW is not lost in the event of a loss of offsite power), use of pressurizer spray, or use of auxiliary pressurizer spray via the high pressure injection (HPI) pump. The low pressure injection (LPI) pumps will be used to remove decay heat. As a backup to the LPI pumps, the HPI pump can be used to maintain flow for decay heat removal.

Any damage to either the HPI or LPI power cabling or pump motors can be repaired or replaced with 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />.

Also required for cold shutdown are the low pressure service water (LPSW) pumps. Only the pump per unit is required for normal and emergency plant operations. Five LPSW pumps of equal capacity are provided - three for Units 1 and 2, and two for Unit 3. These pumps are separated such that a single fire cannot affect all pumps. The piping are.separated such that a single fire cannot affect all pumps.

The piping for these pumps are interconnected so that they may feed any of the three units. Any damage to the pump motors or associated power cabling can be repaired, or if necessary, replaced within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />.

4.7.2 Areas Where Dedicated Shutdown is Required DPC has provided dedicated shutdown capability independent of the cabling and equipment in the control room, cable spreading.room, and those areas identified in the staff's August 22, 1978 SER on fire protection. The dedicated shutdown method will be accomplished by the use of the SSF, and actions performed locally at the equipment. Electrical isolation will be provided such that a fire at the SSF will not. prevent safe shutdown of the plant from the.control. room, and vice versa.

4.7.3 Remaining Plant Areas The staff's August 22, 1978 SER identified many areas of the ONS that did not meet various fire protection safe shutdown requirements.

Rather than correcting the individual deficiencies by modifications to the already installed components, a dedicated shutdown system (the SSF) was proposed. The intent of the use of the SSF along with the undamaged systems in the fire affected unit is to meet the require ments of Sections III.G.3 and III.L of Appendix R.

4.7.4 Performance Goals The performance goals for post fire safe shutdown can be met using the systems and equipment listed above with the exception of meeting the capability of achieving cold shutdown within '72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> when the LPI, HPI and LPSW pumps and/or cabling are affected by fire. The control of these functions can be accomplished using the SSF or the control room in conjunction with the undamaged systems, in the fire affected unit, depending on the location of the fire. The transfer of control capability

DPC

-14 between the control room and the SSF will be accomplished via a keyed interlock. Annunciation will occur in the SSF control room upon transfer of control.

The process monitoring instruments to be used for a post fire shutdown include reactor hot leg and cold leg temperatures, reactor coolant pressure and pressurizer level, steam generator level, SSF makeup pump flow and SSFASW system pump suction and discharge pressure, However, an electrically independent source range flux monitor and steam generator pressure indicator have not been provided. Our basis for requiring these monitoring channels at the Oconee units is as follows.

4.7.4.1 Source Range Flux Monitoring of core flux provides the only direct indication of the reactor shut down condition.

The monitoring of any other process variable would provide an inferred answer only.

With regard to the fission process, changes in neutron flux provide the quickest and only direct means of assessing reactor -eriticality conditions.

Dilution events caused by the postulated spurious operation of valves could result in.power excursion which would not be readily detected by inter preting the changes in other process variables (such as reactor coolant tempera ture or pressure).

Periodic sampling of the reactor coolant for boron concentra tion is considered inadequate for determining "real-time" boron requirements.

Additionally, should the operators fail to detect a loss of negative reactivity in a timely manner, the capability to prevent a criticality is indeterminate since components needed for such actions may.be unavailable due to fire.

Thus, provi sions for post fire source range flux monitoring are necessary to meet Section III.L.2 of Appendix R.

4.7.4.2 Steam Generator Pressure During non-power modes of operation, "control" is effected principally by adjusting secondary system parameters (the parameter usually specified by procedures is pres sure) to compensate for variances in primary system performance. Maintenance of level in the steam generators may not be sufficient in itself to control the heat removal rate and thereby maintain a "hot standby" or "hot shutdown" mode, or translate from a "hot shutdown" mode to a "cold shutdown" mode. Improper pressure control may cause an imbalance in heat removal-which could result inI excessive depressurization, the result of which could,be generation of an undesired bubble in the primary system (e.g., upper head for all PWRs or candy cane for B&W designs) or rapid cooldown and potential for violation of vessel pressure/temperature limits.

For complete monitoring of secondary system heat removal, three secondary system parameters should be known: level (inventory), pressure, and temperature. Thus, provisions for post fire steam generator pressure monitoring are necessary for meeting Section III.L.2 of Appendix R.

DPC

-15 4.7.4.3 Instrumentation GuidelinesSection III.L.6.requires that, "Shutdown systems installed to ensure post-fire shutdown capability need not be designed to meet seismic Category I criteria, single failure criteria, or other design basis accident criteria, except where required for other reasons, e.g.,

because of interface with or impact on existing safety systems, or because of adverse valve actions due to fire damage."

Since the monitors for the above listed parameters will not interface with or impact.on existing safety systems, the monitors need not be "safety grade".

Section III.G.3 requires that, "Alternate or dedicated shutdown capability and its associated circuits, independent of cables, systems or components in the area, room or zone under consideration, shall be provided."

For a postulated fire, an electrically independent monitoring capability for.the above listed parameters should be provided outside the control room.

4.7.5 Repairs/72 Hour Peguirement The license states that use of the dedicated shutdown method for he shutdown permits the capability of achieving all necessary repairs to proceed to cold shutdown within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> after a fire event.

Repairs, including replacement of power cabling or pump motors associated with LPI, HPI or LPSW. may be required for cold shutdown.

They have stored onsite all components necessary to achieve.all repairs to proceed to cold shutdown within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> of the fire.

Procedures are available to implement the required repairs/replacements.

Our interpretation of Appendix R is that.all necessary repairs can be made and cold shutdown.achieved in a 72 hour8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> period. Since 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> are normally required for cooldown.and depressurization, DPC's proposal can be stated as repairing necessary equipment and achieving cold shutdown in 96 hours0.00111 days <br />0.0267 hours <br />1.587302e-4 weeks <br />3.6528e-5 months <br />. It must be remembered that the licensee s commitments were documented before Appendix R was published. In recent conversations with.the DPC staff, they have agreed to review their commitment on the 72-hour requirement of Appendix R,Section III.L.5 and modify their positions or request an exemption from this specific regulation.

4.7.6 Associated Circuits and Isolation All circuitry, indicators, instruments and power. supplies associated with the SSF are independent from those identified fire zones for which alternative shutdown capability is required. DPC has stated that nonsafety related circuits do not run from one redundant train to another and thus negates the possibility of propagating a fire between redundant circuits. The licensee's methods of protecting the safe shutdown capability are consistent with the guidelines provided by the staff.

-16 The SSF instrumentation has a dedicat a power source and its. cabling is separated from those associated w;tn the normal shutdown instru mentation. All of the normal power and control circuits are provided isolation via electrically coordinated circuit breakers or fuses.

The power sources needed for the SSF equipment and instrumentation, and switchgear and motor control centers for required components are not located in the postulated fire.zones needing alternate shutdown capabilities. Nonsafety related circuits do not run from one redundant train to another. Further, all cables of concern are protected by circuit breakers or fuses.

The devices whose inadvertent opera :ion by spurious signals could adversely affect safe shutdown have beer identified.

The cabling required for hot shutdown via the SSF as well as one redundant train of the normal shutdown system are routed to contain ment through the west penetration rooms for each unit.

Cabling for the.other independent normal shutdown system is ro.uted to containment through the east penetration rooms.

The penetration rooms are separated at each unit by a three hour fire barrier.

The licensee has stated that the cabling routed through the west penetration rooms is separated to the extent practical from existing safety system cabling, and that suitable isolation is provided between the SSF and existing safety system cabling. Since one independent shutdown train will be available regardless of a fire in either penetration room, the cable routing design satisfies the requirements of III.G and is therefore acceptable.

DPC has shown-that the cable routing of each division (including the SSF cabling) is such that degradation of the redundant shutdown division will not occur, nor will spurious valve actuation occur which might cause an inadvertent depressurization of the primary system in the event of associated circuit interactions. The cabling for the RHR isolation. valves is routed such that the reactor coolant pressure boundary integrity will be maintained.

4.7.7 Safe Shutdown Procedures and.Manpower The licensee. has committed to develop. and implement detailed written procedures for obtaining a safe shutdown condition given.a fire event..

These procedures will.be in place prior to the SSF'becoming operational.

The manpower necessary for accomplishing the operations. required for the alternate shutdown will be available at the plant at all times.

The manpower to operate the SSF will be exclusive of minimum operating shift requirements for the control -room and the minimum manpower require ments fo: the fire brigade.

-17 4.7.8 Conclusion Based on our review, we concluded that the ONS design will provide one train of systems necessary to achieve and maintain safe.shutdown conditions by utilizing either the control room or the SSF in con junction with undamaged systems in the fire affected unit, and thus will meet the requirements of Appendix R to 10 CFR 50, Sections III.G.3 and III.L with respect to safe shutdown in the event of a fire, with the exceptions of the availability of a source range flux monitor and steam generator pressure indication at.the SSF.

4.8 Flooding Review DPC has concluded that the most likely reason for flooding of the turbine building would be from a condenser circulating water pipe break resulting from a seismic event. The licensee thprefore decided that the SSF would be a seismic Category I structure (which implies it is designed to withstand the effects of tornadoes).

The missile spectrum upon which their analysis is based, is in conformance with the quidelines of the SRP Section 3.5.1.4, Revision 1, for a tornado Zone 1 site. The grade level entrance elevation of the SSF is 797.0 feet above mean sea level (msl). This elevation is below Keowee full pond elevation of 800 ft. as well'as the maximum lake elevation of 808 ft. However, in the event of flooding due to a break in the non-seismic condenser circulating water (CCW) system piping located in the turbine building, the maximum expected water level within the site boundary is 796.5 ft. Since the maximum expected water level is below the elevation of the-grade level entrance to the SSF, the structure will not be flooded by such an incident. In addition, the structure will be water proofed to prevent infiltration of normal ground water. Thus, the structure meets the requirements of GDC 2, and the guidelines of Regulatory Guide 1.102 with respect to pro tection against flooding.

4.9 Security Review The licensee submitted physical security, contingency planning, and guard training and qualification plans in accordance with the requirements of 10 CFR Part 73, Section 73.55 and Appendices B and C. We have deter mined that these plans satisfy regulatory requirements and accordingly have been approved. The acceptability of the licensee's identification of vital areas required to be protected by 10 CFR 73.55(c).is contingent upon a confirmatory analysis to be performed by the NRC staff at a future date.

The SSF, with its capability to'independently bring the reactor to safe shutdown, increases significantly the defense-in-depth characteristics of the.facility and provides incremental protection against both internal and external sabotage.

Dated: April 28, 1933 The following NRC personnel have contributed to this SE:

T. Chan, C. Gaskin, S. Kim, Y. Li, R. Wright, E. Conner.

Retrieved from "https://kanterella.com/w/index.php?title=ML15223A890&oldid=5186309"