ML17258A890
| ML17258A890 | |
| Person / Time | |
|---|---|
| Site: | Ginna  |
| Issue date: | 03/31/1981 |
| From: | ROCHESTER GAS & ELECTRIC CORP. |
| To: | |
| Shared Package | |
| ML17258A889 | List: |
| References | |
| NUDOCS 8103200598 | |
| Download: ML17258A890 (122) | |
Text
U.S. NUCLEAR REGULATORY COMMISSION QQCKET NQ. 50-244 LICENSE NQ. QPR-18 SAFE - SHUTDOWN CAPABII ITY ASSESSMENT AND PROPOSED MODIFICATIONS 1 0 CFR BO, APPENDIX R A. E. SINNA UNIT NO. 1 RQCHESTER GAS AND ELECTRIC CQ RPQ ROTI QN RQCHESTER, NEW YORK MARCH 1 981 K[lilNlIINIIlli'i(PI:II.( IIFF.
Decket~i'o- 2 "+
gPIItII) g 8/d Sadb 5$ '7 Oste~<<- af DccumNtt:
RKSQTORY DOtIKET Hl.E sxossoo 50$
lC ~
f
~
p$
I) 'I i'
TABLE OF CONTENTS Pacae
- l. 0 Introduction 2.0 Fire Areas 2-1 3.0 Method of Analysis 3-1 4.0 General Shutdown Methods H
4.1 Normal Shutdown and Cooldown Offsite Power Available 4.2 Normal Shutdown and Cooldown Offsite Power Not Available 4-2 4.3 Shutdown and Cooldown - No Steam Dump, Offsite Power Available 4-3 4.4 Shutdown and Cooldown No Steam Dump, Offsite Power Not Available 4-3 4.5 Shutdown and Cooldown No Instrument Air, Offsite Power Available 4-3 4.6 Shutdown and Cooldown No Instrument Air, Offsite Power Not Available 4.7 Shutdown and Cooldown No Instrument Air to Containment, Offsite Power Available 4-4 4.8 Shutdown and Cooldown No Instrument Air to Containment, Offsite Power Not Available
~
5
~
~
~
~
~
~
fI
~
~
l
TABLE OF CONTENTS Continued)
Pacae 4.9 Shutdown and Cooldown Solid Steam Generators, No RHR, Offsite Power Available 4.10 Shutdown and Cooldown Solid Steam Generators, No RHR, Offsite Power Not Available 4-6 4.11 Shutdown and Cooldown - Inoperable RHR Valves, Offsite Power Available 4-6 4.12 Shutdown and Cooldown Inoperable RHR Valves, Offsite Power Not Available 4-7 4.13 Shutdown and Cooldown No Charging Pumps, Offsite Power Available 4-7 4.14 Shutdown and Cooldown - No Charging Pumps, Offsite Power Not Available 4-8 5.0 Systems and Components Required for Safe Shutdown 5-1 5.1 Reactor Coolant System 5-6 5.2 Reactivity Monitoring 5-9 5.3 Main and Reheat Steam System 5-10 5.4 Safety Injection System 5-13 5.5 Chemical and Volume Control System 5-17 5.6 Service Water System 5-21
~
~
I L
t l
~
I 0'
I
($
~
TABLE OF CONTENTS Continued Pacae 5.7 Instrument Air System 5-24 5.8 Heating, Ventilation and Air Conditioning System 5-26 5.9 Condensate System 5-27 5.10 Normal/Emergency Power Distribution System 5-28 5.11 Residual Heat Removal System 5-30
- 5. 12 Main Auxiliary Feedwater System 5-33 5.13 Standby Auxiliary Feedwater System 5-35 5.14 Component Cooling Loop 5-37 5.15 Remote Shutdown Control System 5-40 I
6.0 Summary of Modifications Required to Ensure Safe Shutdown and Cooldown Capability 6-1 7.0 References 7-1
~
~
~
t l
N
~
~
I
~
~
~
~
~
~
I
~
~
LIST OF TABLES Pa<ac Functional and Hardware Requirements for Achieving and Maintaining Cold Shutdown Conditions 5-2 Modifications to Enhance Safe Shutdown and Cooldown Capability 6-3
1.0 INTRODUCTION
This report has been prepared in response to the requirements for fire protection of Ginna Stat ion as expressed in 10 CFR Part 50.48 and Appendix R to 10 CFR Part 50. Consistent with the regulations, the current .analysis does not take credit for fire detection or suppression systems currently installed nor for trained fire bri-gades in preventing damage to redundant shutdown equipment located in a single fire area.
This study is based upon an earlier fire protection safe shutdown report which was submitted to the NRC by letter from RGGE dated December 28, 1979. The study evaluates cable and equipment loca-tions for equipment which could be used for plant shutdown. Both failure of the equipment to function when called upon and inadvert-ent operation have been postulated in order to address all possible scenarios. The pressure boundary integrity of valves, pumps, pump casings, pipes and tanks are assumed to be unaff'ected by postu-lated fires.
The report identifies the installation of a number of plant modi-fications including a remote shutdown control system to provide additional assurance of ability to bring the Ginna Station to a
.cold shutdown following an unmitigated fire within any fire area.
Abbreviations AVT All Volatile Treatment CC Component Cooling CVCS Chemical and Volume Control System HVAC Heating Ventilation and Air Conditioning HX Heat Exchanger MAFIA Main Auxiliary Feedwater MDP Motor Driven Pump MSIV Main Steam Isolation Valve MS Main and Reheat Steam
if i
PORV Power Operated Relief Valve RC System Reactor Coolant System RHR System- Residual Heat Removal System RHR Pump RMW Reactor Makeup Water RWST Refueling Water Storage Tank RS Remote Shutdown RSCS Remote Shutdown Control System SBAFW Standby Auxiliary Feedwater SG Steam Generator SX Safety Xnjection SISP SZ System Pump SW Service Water TAFWP Turbine Driven Auxiliary Feedwater Pump 1-2
2.0 FIRE AREAS In the submittal of December 28, 1979, the entire plant was divided into fire areas. Each building was assumed to be a separate fire area because they are separated by fire barriers or distance. Each floor within a building was examined indi-vidually and in many cases divided into smaller fire areas within the floor zone. In general, these areas were delineated by walls or column lines and were primarily designed to ease the gathering of data as to the contents of a given area. The fire areas are illustrated in the drawings which were previ-ously submitted on December 28, 1979.
This study has employed the earlier fire zones in defining re-quirements for plant modifications including the addition of rated fire barriers to provide more formal separation between fire areas.
2-1
3.0 METHOD OF ANALYSIS The information from all applicable plant circuit schedules was placed in a computer file. This information initially included the connected equipment, cable tray and conduit, but not physical location. The file was then supplemented with the physical lo-cation of the cable trays and conduit and was coded to indicate the associated fire zones. At this point it was possible for the computer to identify all systems and equipment which would potentially be affected by a fire in any particular fire zone.
The computer also provided a cross-indexing by circuit schedule number of all fire zones that contained the circuit.
A systems analysis was then performed to determine the comple-ment of equipment normally available to bring the plant to a safe (cold) shutdown condition. The equipment complement was then compared with 'tTie list of equipment which could potentially be affected by a fire in each zone. The equipment that could potentially be lost was then reviewed with respect to the con-sequences of actual fire effects. Conservative assumptions were made for fire induced effects on the circuits. Effects due to shorts, opens, and impressed voltages equal to the high-est voltage carried in the tray system were evaluated and the "worst case" was used for the analysis.
The system level consequences of these circuit effects were then evaluated on a "worst case" basis. It was assumed that all active components (MOVs, solenoid-operated valves, circuit breakers, etc.) could fail in any position (state), or spuri-ously change state due to the fire. No credit was taken for physical separation within the fire zone although in many cases the physical separation exceeds the requirements of IEEE-384.
Shutdown methods for each fire zone were then developed based on this analysis and recommendations for system functional modi-fications made.
3-1
I g
A specific set of equipment hardware modifications is proposed to implement the recommended functional modifications. In cases where the design approach for a proposed modification has not been finalized, alternative approaches presently being evaluated are identified.
3-2
l 1
- 4. 0 GENERAL SHUTDOWN METHODS The following, is a series of shutdown and cooldown methods that can be used at the Ginna Station to achieve cold shutdown. Both normal and abnormal general shutdown methods are presented. The abnormal methods reflect the unavailability of offsite power and/or major system elements (e.g., steam dump valves or the in-strument air syst'm) . Section 4.0 does not address any restric-tions on plant operation or access due to the effects of a fire; however, it establishes the baseline from which the fire-initiated shutdown scenarios were generated.
4.1 NORMAL SHUTDOWN AND COOLDOWN OFFSITE POWER AVAILABLE Turbine load and reactor power are reduced automatically at a pre-scribed rate dependent upon the rate selected on the E-H governor control. Normal boron addition may take place before and during load reduction. At 50 MW of generator load, the main feedwater valves are closed, one feedwater pump is removed from service, and the feedwater valve bypass valves are used for feedwater control.
As generator load is removed, steam dump to the condenser is ini-tiated and the "hot standby" condition is achieved.
If a faster power decrease is desired the reactor may be manually tripped. If the steam dump controller is set on auto, automatic steam dump will occur. If the steam dump controller is set on manual, steam pressure will be regulated. At this time all con-trol rods are fully inserted, the turbine governor and throttle valves are closed, and the main feedwater valves are open. Soon (5 minutes) after reactor trip, hot shutdown conditions are achieved.
At this point, normal boration and makeup can be performed depend-ing upon the final RC system condition to be achieved.
4-1
gi
~
~
To initiate cooldown, the amount of steam dump to the condenser is increased. Steam dump to the condenser is maintained until the air ejector can no longer maintain condenser vacuum (approximately 350 F) and then atmospheric steam dump is initiated. As the volume
.of reactor coolant shrinks due to temperature decrease, automatic
. makeup to the system is provided by the pressurizer level control of the charging and makeup system.
The RHR system is aligned and started to recirculate through the RWST. Upon verification that the boron concentration of the RHR system is compatible with the RC system the RHR system is stopped.
When the RC system reaches 360 psi and 350oF, the RHR system is pressurized to the pressure of the RC system through HCV-133 at a slow rate. The RHR system is then aligned for normal cooldown of the RC system, and the RHR pumps started while the RC system pressure is maintained by sprays and heaters.. As the cooldown continues, the pressurizer is slowly filled to the solid condition at which time pressure control is assumed by PCV-135 and the RC pumps may be taken out of service. Charging pump flow is slowly reduced as cooldown continues to insure pressure of the RCS is maintained at 360 psi by PCV-135. Just prior to achieving 150 F the reactor coolant pumps are taken out. of service. Auxiliary feedwater pumps are used to maintain steam generator level. The remainder of the cooldown is performed and maintained with the RHR system. Any time after the RC pumps are taken out, the charg-ing pumps can be taken out and RC system pressure reduced to atmospheric.
4.2 Normal Shutdown and Cooldown Offsite Power Not Available Loss of offsite power is assumed to occur simultaneous with plant trip: the emergency diesels and turbine-driven auxiliary feedwater pump will start automatically. The diesels automatically tie to the 480-V Class lE buses, energizing the component cooling water, service water, and motor-driven auxiliary feedwater pumps.
4-2
I I
l
Bus 13 is manually tied to Bus 14 and Bus 15 is manually tied to Bus 16 to provide power for the air compressors. Other loads such as the charging pumps and containment fan coolers are man-ually energized if necessary. Heat removal will be accomplished by the secondary system utilizing the atmospheric power operated relief valves (PORVs). Steam generator level is maintained by the auxiliary feedwater pumps or standby auxiliary pumps. As de-cay heat decreases, all auxiliary feedwater pumps are not needed and are removed from service at operator discretion. Primary sys-tem volume is maintained by the charging flow and letdown rate.
Pressure control of the primary system is provided by auxiliary spray and pressurizer heaters. Cooldown is initiated by manipu-lation of the steam relief rate. The primary system is cooled to 360 psi and 350 P at which time the RHR system is put into opera-tion as described above. The RHR system is utilized to achieve and maintain the cold shutdown condition.
4.3 Shutdown and Cooldown No Steam Dum Offsite Power Available This method is identical to the normal method offsite power available (Subsection 4.1), except that heat removal will be accomplished by the secondary system utilizing the main steam PORVs.
4.4 Shutdown and Cooldown No Steam Dum Offsite Power Not Available This method is identical to the normal method offsite power not available (Subsection 4.2).
4.5 Shutdown and Cooldown No Instrument Air Offsite Power Available The plant is tripped and the secondary system safety valves will stabilize the RC system near hot shutdown conditions. The 4-3
turbine-driven, motor-driven or standby auxiliary feedwater pumps can be used to supply auxiliary feedwater. Charging will be ac-complished through the RC pump seals and valves 392A and B acting as. relief valves. Charging water will come from the emergency boration path or from the RWST by opening manual valve 358. Let-down is isolated by the loss of instrument air. If primary system relief is required, the pressurizer.PORVs can be operated manually.
The component cooling water system and the RHR system are not affected by the loss of instrument air.
4.6 Shutdown and Cooldown No Instrument Air Offsite Power Not Available This method is identical to the above method with offsite power available, except that all AC power is supplied from the diesel generators and the RC pumps are off.
4.7 Shutdown and Cooldown No Instrument Air to Containment Offsite Power Available The plant is tripped and the main steam PORVs can be used to stabilize the RC system at hot shutdown conditions. The turbine driven, motor-driven or standby auxiliary feedwater pumps can be used to supply auxiliary feedwater. Charging will be accomplished through the RC pump seals and valves 392A and B acting as relief valves. Charging water will come from the normal boration paths or the emergency boration path. Letdown is isolated by the loss of instrument air. If primaiy system relief is required, the pres-surizer PORVs can be operated manually. The component cooling water system and the RHR system are not affected by the loss of instrument air.
4-4
4.8 Shutdown and Cooldown No Instrument Air to Containment Offsite Power Not Available This method is identical to the above method with offsite power (Subsection 4.7), except that all AC power is supplied from the diesel generators. Therefore, the RC pumps are off and Buses 13 and 15 must be supplied from Buses 14 and 16.
4.9 Shutdown and Cooldown Solid Steam Generators No RHR Offsite Power Available The plant is brought to the point where RHR cooling is normally initiated by the methods described in Normal Shutdown and Cool-down with offsite power. Since the RHR is unavailable, the reactor coolant system is cooled below the 350 F point by the secondary system. After a time, the secondary system will ap-proach 225 F and decay heat in the primary system has become small enough to not significantly increase temperature and pres-sure of thh primary system, with heat removal accomplished by using the steam generators as water-to-water heat exchangers.
The main steam line supports can be pinned (as is done during system hydrotest) in order to prevent possible damage to the pip-ing caused by the water load. To continue the cooldown after 225oF is achieved in the secondary system, the main steam isola-tion valves are closed, the steam generator blowdown lines are aligned to the blowdown flash tank for discharge to the circulat-ing water canal, the turbine-driven auxiliary feedpump is secured with all drains open, the main steam line drains and bypass valves are opened, and the water level is brought up in the steam gen-erators until the steam piping is filled to the main steam iso-lation valves. Heat removal is now accomplished through the drains and steam generator blowdown lines. As the steam piping is filled, the hot water can be drained through the main steam line drains and turbine driven auxiliary feedwater pump drains. The steam generator blowdown system drains hot water directly from the steam generators to the circulating water discharge canal. The rate 4-5
l of cooldown, which in this mode of operation is slow, is regulated by the amount of demineralized water available. Secondary system cooldown of the primary system can be augmented by "feed and bleed" of the primary system utilizing the safety injection or charging pumps with refueling water and the pressurizer relief valves.
Before exhaustion of the demineralized water supply, efforts are made to transfer water from the hot well or AVT condensate storage tanks before resorting to service water as supply for the auxiliary feedwater pumps. It should be noted that since the RHR heat ex-changers are not in use, it is not imperative that the component cooling water system be in operation. This method of cooling is used until the primary system has been cooled to the cold shut-down condition. This shutdown method has previously been described to the NRC in a letter dated July 27, 1978 and was accepted by the NRC in the Systematic Evaluation Program Safe Shutdown Systems Topic Review transmitted by Letter dated November 14, 1980 from Mr. Dennis M. Crutchfield.
4.10 Shutdown and Cooldown Solid Steam Generators No RHR Offsite Power Not Available This method is identical to the above method with offsite power (Subsection 4.9), except that all AC power is supplied from the emergency diesel generators.
4.11 Shutdown and Cooldown Ino erable RHR Valves Offsite Power Available This method is used in the event that one of the RHR suction valves (V-700, V-701) or RHR return valves (V-720, V-721) are stuck closed. The reactor coolant system has been brought to the 350 P point using normal methods. If one of the suction valves is stuck closed, the other letdown valve is closed and the two return valves are opened. In this mode of operation, the return line will provide suction for the RHR pumps through the three-inch recirculation line of the RHR pumps. The return 4-6
I I
route to the reactor coolant system is established by closing RHR heat exchanger outlet valves HCV-624 and HCV-625, and RHR heat exchanger bypass valve V-626, and their respective guard valves V-717, V-715, and V-712B and opening valves V-857 A, B, and C to the suction of the safety injection pumps. To assure circulation through the core, valves V-878 B and D are closed and valves V-878 A and C are opened. When this path of flow has been established, the RHR system pressure is equalized to the reactor coolant system pressure by using HCV-133. The RHR pumps and safety injection pumps are started. Cooldown is continued to cold shutdown with rate of cooldown controlled by the number of safety injection pumps running. If one of the return valves is stuck closed, the other return valve is closed, both suction valves are opened, and the remainder of system alignment and operation remains the same, except that the recirculation line will not be necessary.
4.12 Shutdown and Cooldown Ino erable RHR Valves Offsite Power Not Available 11 This method is identical to the above method with offsite power (Subsection 4.11), except that all AC power is supplied from the emergency diesel generators.
4.13 Shutdown and Cooldown No Char in Pum s Offsite Power Available This method of cooldown is used when the charging pumps are not available for maintaining the RC system inventory. The hot shut-down condition is achieved using normal methods. Cooldown is initiated using the turbine-driven auxiliary feedwater pump (the motor driven auxiliary feedwater pumps are used when required) with steam dump to atmosphere. The safety injection pumps are aligned to take suction from the RWST providing the necessary boration and makeup. Reactor coolant system pressure is reduced by opening the main steam PORVs. If additional depressurization is required, the pressurizer PORVs could be opened to a point NUS CQRPQRATIQN
I I
5
where the discharge pressure of the safety injection pumps is higher than the RC system pressure. A safety injection pump is then started. RC system pressure is controlled with pressurizer heaters, the pressurizer relief valves, and letdown. When the RC system reaches 360 psi and 350 F, the safety injection pumps are stopped. The RHR system is aligned for normal letdown and cooling of the RC system and the RHR pumps are started. The safety injection pumps still have suctions aligned to, the RWST and are started as required to makeup to the RC system.
4.14 Shutdown and Cooldown No Char in Pum s Offsite Power Not Available This method is identical to the above method with offsite power available (Subsection 4.13), except all AC power is supplied by the emergency diesel generators.
5.0 SYSTEMS AND COMPONENTS REQUIRED FOR SAFE SHUTDOWN The R. E. Ginna Station was assessed in order to define the systems or system elements that must be operable in order to meet the func-tional requirements for achieving and maintaining cold shutdown conditions. Table 5-1 presents an overview of the assessment.
To achieve and maintain cold shutdown conditions, the following functions are required:
o Monitor and control primary system inventory and pressure.
o Remove decay heat.
o Borate the reactor coolant.
o Monitor RCS boron concentration to ensure that subcritical-ity is maintained.
The .following subsections of Section 5.0 identify, on a system-by-system basis, the components required for safe shutdown and cool-down operations. Manually-operated valves are not identified in Section 5.0. The system-by-system evaluation assessed redundancy within the system, alternative backup systems to perform a required function, system vulnerability to fire in a selected plant area, loss of offsite power coincident with a fire, modification require-ments to eliminate or to minimize system vulnerability to a fire event, and post-fire system control requirements.
The evaluation identified the need for a new system, the remote shutdown control system RSCS, for use in shutdown operations during and after a fire in the plant. The remote shutdown control system is used when the control room is disabled by a fire in the control 5-1
TABLE 5-1 FUNCTIONAL AND HARDWARE REQUIREMENTS FOR ACHIEVING AND MAINTAINING COLD SHUTDOWN CONDITIONS Plant Equipment Minimum Functional Functional Equipment Re uirements Monitor and control Re Monitor uirements RCS inven- One I
wide-range pres-primary system tory surizer level indica-inventory and pres- tor sure Provide borated One charging pump and makeup water injection path or one SI pump and injection path Borated makeup RWST water source Monitor RCS One wide-range pres-pressure sure indicator Pressure control- 'ne charging pump and increase injection path or one SI pump and injection path Pressure control- One pressurizer PORV decrease or one main steam PORV 5-2
s TABLE 5-1 (continued)
FUNCTIONAL AND HARDWARE REQUIREMENTS FOR ACHIEVING AND MAINTAINING COLD SHUTDOWN CONDITIONS Plant Equipment Minimum Functional Functional Equipment Re uirements Re uirements Re uirements Reracve decay heat by:
a) Feedwater addi- Provide feedwater One pump and associ-tion to the ated valves from the steam genera- MAFW system or the tors with steam SBAFW system venting to atmos-pher'e Monitor steam One wide-range level generator level indicator per loop Vent main steam One main steam PORV to atmosphere and positioner Monitor RCS One temperature sen-temperature sor and associated instrumentation b) Decay heat Remove residual One RHR pump, heat ex removal to cold heat changer and associated shutdown valve train. If RHR is unavailable, utilize secondary coolant loop in solid steam genera tor operation (refer to Section 5.0) .
5-3
Table 5-1 (continued)
FUNCTIONAL AND HARDWARE REQUIREMENTS FOR ACHIEVING AND MAINTAINING COLD SHUTDOWN CONDITIONS Plant Equipment Minimum Functional Functional Equipment Re uirements Re uirements Re uirements Verify reactor is Monitor RCS boron One sample cooler HX subcritical concentration to and valve train ensure that sub-criticality is maintained Auxiliary services Component cooling One pump HX and asso-required by the ciated valve train components that directly perform Service water One pump and associ-the above functions ated valve train 480-Vac power One 480-V bus either distribution Train A or Train B 120-Vac power As required to ener-distribution gize instrumentation 125-Vdc power DC system A or B distribution 5-4 .
Table 5-1 (continued)
FUNCTIONAL AND HARDWARE REQUIREMENTS FOR ACHIEVING AND MAINTAINING COLD SHUTDOWN CONDITIONS Plant Equipment Minimum Functional Functional Equipment Re uirements Re uirements Emergency power One diesel genera-source tor and support systems Pump cooling: RHR, One cooler per charging, and SI system Auxiliary services Instrument air One compressor, con-provided for tainment isolation operator convenience valves
room or when a fire in another plant area disables important con-trol or instrumentation circuits that interface with the control room. The remote shutdown control system is discussed in Subsec-tion 5.15.
5.1 REACTOR COOLANT SYSTEM 5.1.1 FUNCTIONS REQUIRED The following parameters associated with the reactor coolant system (RCS) are essential to safe shutdown:
o Pressurizer level to verify primary system inventory.
o Reactor coolant system pressure.
o Reactor coolant system temperature for control of cooldown.
rate.
5.1. 2 MINIMUM EQUIPMENT REQUIREMENTS The reactor coolant system has been assessed to determine the com-ponents that, as a minimum, must remain functional in a post-fire condition to ensure safe shutdown and cooldown. The following list represents those components of the reactor coolant system that will be designated for, post-fire shutdown operation. Electrically-actuated equipment will generally be aligned with emergency AC and DC power train A.
o Pressurizer level - provide indication from one train of wide-range (0-100%) pressurizer level instrumentation.
o Reactor coolant system pressure provide indication from one train of wide-range RCS pressure instrumentation.
5-6
o Reactor coolant syst: em temperature provide representative temperature indication.
o Reactor coolant system inventory provide for the isola-tion of both pressurizer relief lines, with remote status indication to verify that both paths are isolated.
5.1.3 ALTERNATIVE COMPONENTS CAPABLE OF PROVIDING REQUIRED FUNCTIONS Reactor coolant system pressure will be maintained by control of the primary system cooldown rate in conjunction with operation of the charging or safety injection pumps (to increase pressure) and the pressurizer or steam line PORVs (to decrease pressure) . The control or backup group of pressurizer heaters may be available for use in RCS pressure control, depending upon'he location of the postulated fire. Either group has sufficient capacity to perform this function.
- 5. 1. 4 EXISTING FIRE-HAZARD-RELATED PROBLEM AREAS 5.1.4.1 Instrumentation The existing reactor coolant system instrumentation (pressurizer level and pressure, RCS temperature) is presently subject to loss of function in the event of a fire in either the cable tunnel, relay room, air handling room, or control room. Instrumentation components subject to loss of function may include signal wiring, AC power source or wiring, or instrument loop power supply/signal converter.
5.1.4.2 Pressurizer Relief Lines The pressurizer PORVs are susceptible to spurious actuation in the event of specific postulated fires. The postulated failure of a "hot short" to PORV control wiring may cause the PORVs to open.
5-7
Consequently, relief line isolation capability is required to pre-vent an uncontrolled loss of coolant.
5.1.4.3 RCS Pressure Control RCS pressure will be maintained by control of the primary system cooldown rate with the charging or safety injection pumps provid-ing for pressure increase and the steam line or pressurizer PORVs providing for pressure decrease. The charging and safety injec-tion pumps are discussed in Subsections 5.5.4.1 and 5.4.4.1, re-spectively. The steam line and pressurizer PORVs are presented in Subsections 5.3.4.2 and 5.1.5.2, respectively.
5.1.5 MODIFICATIONS PLANNED TO ENSURE AVAILABILITYOF SAFE-SHUTDOWN FUNCTIONS 5.1.5.1 Dedicated Instrumentation Dedicated instrument loops will be installed to provide monitoring of RCS pressure and pressurizer level. The transmitters will uti-lize existing process taps, but the loop power supplies, wiring, and power source will be independent of those fire zones occupied by the existing instrumentation. The existing RCS temperature indication will be upgraded or new instrumentation will be instal-led to provide an appropriate RCS temperature monitoring capability.
The indicators associated with these instrument channels will be provided by the remote shutdown control system.
5.1.5.2 Pressurizer Relief Control Alternative controls will be provided to isolate both pressurizer relief flow paths; these controls will be provided by the RSCS, along with status indication to allow verification that both valves are closed. The remote shutdown controls will be activated through a remote manual transfer switch. Placing of this switch 5-8
I in the "local" position (i.e., RS panel controls activated) will be annunciated in the control room.
All control and indication wiring from the control room to the RSCS control circuits will be provided with suitable isolation devices, so that a fault occurring between these points cannot disable both the normal and the RSCS controls. In addition, the control transfer switch will provide for isolation of the- existing Class-lE,control circuits from the non-Class-lE RSCS circuits.
A remote manual transfer/alternative control scheme will be imple-mented for the pressurizer relief valve trains to ensure that both
.relief paths can be secured in the event of a fire in any fire zone.
5.1.5.3 RCS Pressure Control The modifications planned for charging and. safety injection pump trains; steam line and pressurizer PORVs are presented in Subsec-tions 5.5.5, 5.4.5, 5.3.5, and 5.1.5.2, respectively.
- 5. 2 REACTIVITY MONITORING SYSTEM
- 5. 2. 1 FUNCTIONS REQUIRED Sampling of the reactor coolant for boron concentration is required for shutdown and cooldown operations in order to verify that sub-criticality is maintained.
5.2.2 MINIMUM EQUIPMENT REQUIREMENTS The RCS sample valves and the sample heat exchanger are required in order to draw a reactor coolant sample. Component cooling water is required for cooling of the sample heat exchangers.
5-9
I 5.2.3 ALTERNATIVE COMPONENTS CAPABLE OF PROVIDING REQUIRED FUNCTIONS The source-range nuclear instrumentation available in the control room can be utilized to verify that the reactor is subcritical.
The sampling room, the sample heat exchangers, the laboratory facility, and the component cooling loop equipment required to support the sample heat exchangers are not in fire zones common to elements that would cause the loss of the source-range nuclear instrumentation. Control circuits for the component cooling loop equipment are located in fire zones that are common to the source-range nuclear instrumentation circuits. The RSCS modification for the component cooling loop will enable operation of the component cooling loop following a fire in zones that contain the source-range nuclear instrumentation circuits.
5.2.4 EXISTING FIRE-HAZARD-RELATED PROBLEM AREAS Refer to Subsection 5.2.3.
5.2.5 MODIFICATIONS PLANNED TO ENSURE AVAILABILITYOF SAFE-SHUTDOWN FUNCTIONS Modifications to ensure the availability of component cooling water are discussed in Subsection 5.14.5. No additional modifi-cations are required.
5.3 MAIN AND REHEAT STEAM SYSTEM 5.3 ' FUNCTIONS REQUIRED The main and reheat steam (MS) system is required to provide the following functions for shutdown and cooldown operation:
o Supply steam to turbine-driven auxiliary feedwater pump.
5-10
o Provide decay heat removal by atmospheric venting of steam through main steam PORVs.
o Provide decay heat removal by dumping steam to the main condenser (only with offsite power available).
o Provide remote indication of main steam line pressure.
- 5. 3. 2 MINIMUM EQUIPMENT REQUIREMENTS In order to ensure the availability of the decay heat removal func-tion, the following equipment must be operable:
o Turbine-driven auxiliary feedwater pump steam supply valve and remote position indication.
o Main steam PORV remote position indication. Actuation of the PORVs, as required, will be through local manual/
pneumatic (not electrically assisted) control.
o One channel of steam line pressure indication per steam line.
5.3.3 ALTERNATIVE COMPONENTS CAPABLE OF'ROVIDING REQUIRED FUNCTIONS The motor-driven auxiliary feedwater pumps and/or the standby auxiliary feedwater pumps provide alternative sources of feedwater in the event that the turbine-driven pump is not available (i.e.,
interruption of steam flow to turbine) . Although steam dumping to the main condenser is the primary means of decay heat removal through the secondary system, it is anticipated that atmospheric steam venting through the PORVs will generally be used for post-fire cooldown operation.
5-11
I l
5~3 4 EXISTING FIRE-HAZARD-RELATED PROBLEM AREAS 5.3.4.1 Turbine-Driven Auxiliar Feedwater Pum Steam Su 1 Valves The control circuits for the TAFWP steam supply valves are both pres-ently vulnerable to fires occurring in the air handling room, bat-tery room lA or 1B, the cable tunnel, and the intermediate building basement. The anticipated worst-case failure is the spurious clo-sure of these valves (as a result of "hot shorts" to control cir-cuits), terminating the steam supply to the TAFWP.
5.3.4.2 Main Steam PORVs A fire occurring in the vicinity of the air compressors may cause a loss of air supply to the main steam PORVs, requiring the use of an alternative scheme (e.g., connection of nitrogen cylinder) to permit the use of these valves for controlled steam venting.
The control circuits for these valves are also vulnerable to fires in the air handling room, cable tunnel, relay room, and control room.
5.3.4.3 Steam Line Pressure Indication These indication circuits are presently susceptible to damage'and loss of function) in the event of a fire occurring in several fire zones, including the cable tunnel, relay room, and control room.
The postulated failure will result from damage to the cables, instrumentation, or the power source.
5.3.5 MODIFICATIONS PLANNED TO ENSURE AVAILABILITYOF SAFE-SHUTDOWN FUNCTIONS 5.3.5.1 Turbine-Driven Auxiliar Feedwater Pum Steam Su 1 A TAFWP steam supply valve will be provided with auxiliary con-trols and position indication from the RSCS. These controls will 5-12
be activated through a remote manual transfer switch; actuation of this switch will be annunciated in the control room. All exist-ing control and indication circuits will be provided with suitable isolation at all interfaces with the RS control circuits. Control and power circuits for the loop A and loop B valves will be rerouted, as required, to avoid routing these circuits through common high-hazard fire zones.
5.3.5.2 Main Steam PORVs Position indication for both PORVs will be provided by the RS control system. These circuits will be isolated from the existing PORV status circuits, and will be routed so as to avoid high-hazard fire zones occupied by the existing position indication circuits.
5.3.5.3 Steam Line Pressure Indication One channel of dedicated pressure instrumentation will be provided (by the RSCS) for each steam line. The cable routing, loop power supplies, and AC power source will be 'independent of high-hazard fire zones occupied by-existing pressure instrumentation circuits such as the relay room, cable tunnel, and control room.
- 5. 4 SAFETY INJECTION SYSTEM 5.4.1 FUNCTIONS REQUIRED Although not directly required for. safe-shutdown operation, the safety injection (SI) system provides alternative functional capabilities in the event that specific shutdown-related systems are unavailable; these functions are listed below:
o Provides an al'ternative primary system makeup capability in the event of loss of all charging pumps.
5-13
I 1
I
,I
o Provides alternative suction/injection paths in the event of isolation of the RHR system.
5.4.2 MINIMUM EQUIPMENT REQUIREMENTS The components that are required, as a minimum, to provide the SI safe-shutdown functions are listed below. It should be noted that the SI accumulator discharge valves must be secured or the accumu-lator nitrogen overpressure must be vented, regardless of the SI shutdown operating mode, to ensure that depressurization can pro-ceed below 700 psig.
o One safety injection pump (pump A).
o One safety injection pump cooling unit.
o Two (series) refueling water storage tank (RWST) discharge valves. The RWST is utilized in this mode as the primary makeup/boration source in lieu of the boric acid and the reactor makeup water systems. Using water borated to refueling concentration, under worst-case conditions of alternative injection and pumping paths, adequate shutdown margin is readily maintained.
o One RÃST to safety injection pump suction valve (train A or B) .
o One safety injection discharge valve (train A or B).
o One channel of SI discharge line flow.
5-14
I l
5.4.3 AITERNATIVE COMPONENTS CAPABLE OF PROVIDING REQUIRED FUNCTIONS As described in Subsection 5.4.1, the SI system provides alterna-tive functional capabilities for charging (chemical and volume control system) and RHR (auxiliary coolant system).
5.4.4 EXISTING FIRE-HAZARD-RELATED PROBLEM AREAS 5.4.4.1 Safet In 'ection Pum s The safety injection system provides an alternative means of reac-tor water makeup in the event of loss of all charging pumps. The SI pumps, their associated cooling .units, and the charging room cooling units are all vulnerable to loss of function in the event of a severe fire in the auxiliary building basement, as the result of damage to cables, power sources, or the pump motors. As pres-ently configured, the SI and charging pumps are therefore subject to loss of normal and alternative reactor water makeup function.
5.4.4.2 SI Dischar e Line Flow Instrumentation The existing SI discharge line flow instrumentation is subject to failure in the event of a fire occurring in selected plant areas, including the cable tunnel,- relay room, and control room. The postulated failure may result from fire-induced damage to cables, the instrument power source, or instrumentation components.
5.4.5 MODIFICATIONS PLANNED TO ENSURE AVAILABILITYOF SAFE-SHUTDOWN FUNCTION 5.4.5.1 Safet In 'ection Pum Safety injection pump 1A is presently aligned with 480-Vac power train A. Alternative controls for this pump will be provided by the RSCS. These controls will be activated through a remote 5-15
I manual transfer switch; actuation of the transfer switch will be annunciated in the control room. All existing control and indi-cation circuits will be provided with suitable isolation at all interfaces with the RS control circuits.
5.4.5.2 Safet In'ection Pum Coolin Unit Alternative controls for one safety injection pump cooling unit will be provided by the RSCS. These controls will be activated through a remote manual transfer switch; actuation of this switch will be annunciated in the control room. All existing control and indication circuits will be provided with suitable isolation at all interfaces with the RS control circuits.
5.4.5.3 RWST Dischar e Valves SI Dischar e Valves The RWST discharge valves (V-896A, V-896B) are normally main-tained in the position required for injection/shutdown operation, with DC power removed. Consequently, fire-induced, inadvertent closure of these valves is not probable.
Remote flow indication will be provided for both SI cold leg injection lines. The circuits will be routed and powered so as to avoid high-hazard 'fire zones occupied by existing flow indication circuits.
5.4.5.4 RWST to SI Pum Suction Valve Two parallel valves are provided for SI pump suction; they are supplied from redundant emergency power sources. Alternative controls will be provided for one valve by the RSCS. This con-trol will be activated through a remote manual transfer switch; actuation of this switch will be annunciated in the control room. All existing control and indication circuits will be provided with suitable isolation at all interfaces with the RS control circuits.
5-16
5.4.5.5 SI Accumulator Dischar e Valves Prior to depressurizing the primary system below 700 psig, it is necessary to secure the SI accumulator by closing the discharge valves or removing the nitrogen overpressure. This action will be accomplished by direct manual operation.
5.5 CHEMICAL AND VOLUME CONTROL SYSTEM 5.5.1 FUNCTIONS REQUIRED The chemical and volume control system (CVCS) provides the essen-tial shutdown functions of primary system makeup, letdown (see Sub-section 5.5.3.3), and boration.
5.5.2 MINIMUM EQUIPMENT REQUIREMENTS I
One charging pump One charging pump cooling unit One charging/makeup path valve train One letdown path (closure only)
RWST to charging pumps isolation valve 5.5.3 ALTERNATIVE COMPONENTS CAPABLE OF PROVIDING REQUIRED FUNCTIONS 5.5.3.1 Makeu Function As discussed in Subsection 3.2.3, the safety injection system pro-vides an alternative makeup function in the event of loss of all charging pumps.
The CVCS is provided with normal and alternative charging paths.
In the alternative charging mode, powered control of the injection 5-17
isolation valves is not required; they are essentially operated as relief valves.
5.5.3.3 Letdown Function In order to maintain hot shutdown or to reach cold shutdown, bor-ated water must be added to the reactor coolant system to ensure subcriticality. During a normal shutdown, this is provided by simultaneous charging and letdown. Letdown would be provided through the letdown isolation valve, the letdown orifice valves, and the associated heat exchangers. However, analyses have shown that coolant shrinkage within the reactor coolant system is suf-ficient such that only addition of borated water to the reactor coolant system is required to ensure subcriticality. This approach has been accepted in the NRC's Systematic .Evaluation Program Safe Shutdown System Topic Review, transmitted by letter dated November 14, 1980 from Mr. Denni.s M. Crutchfield. Only isolation of the letdown function is required following a fire to maintain RCS inventory. Isolation of the letdown can be accomplished by clos-ing either the letdown isolation valve or the orifice isolation valve.
5.5.4 EXISTING FIRE-HAZARD-RELATED PROBLEM AREAS 5.5.4.1 Char in Pum s The charging pumps are presently susceptible to loss of function in the event of a fire in the charging pump room or in the safety injection pump area (which contains the charging room coolers) .
The postulated failures are addressed in Subsection 5.4.4.1.
5.5.4.2 Letdown Paths Although the letdown function is not specifically required for safe shutdown, the letdown isolation and/or orifice valves may be subject to spurious actuation in the event of fires occurring 5-18
in selected plant areas, including the cable tunnel, relay room, air handling room, and control room. The spurious actuations (inadvertent opening of valves) would result from fire-induced "hot shorts" to control circuits.
5.5.5 MODIFICATIONS PLANNED TO ENSURE AVAILABILITYOF SAFE-SHUTDOWN FUNCTIONS 5.5.5.1 Char in Pum Room The charging pump room will be enclosed with an appropriately rated fire barrier to provide protection from the auxiliary building basement-safety injection pump area. This modifica-tion will include the following:
o Two rated fire doors.
o Sealing of all electrical and mechanical penetrations and blockouts.
5.5.5.2 Char in Pum s Alternative controls will be installed for the train A charging pump; these controls will be part of the remote shutdown control system, and will be activated by a remot'e manual transfer switch.
The transfer switch will be provided with annunciation in the con-trol room, which will alarm when the RSCS controls have been activated.
Control and/or power cables for the train A pump will be rerouted as required to ensure that the following conditions are met:
o Train A cables are not routed through high-hazard fire zones occupied by train B or train C cables.
5-19
o Train A cables are not routed through the auxiliary build-ing basement-safety injection pump area, the cable tunnel, control room, relay room, or air handling room.
5.5.5.3 Char in Pum Room Coolin Units The existing charging pump room cooling units are subject to loss of function as a result of a fire in the auxiliary building base-ment-safety injection pump area.
Although subject to further study, it is anticipated that the reso-lution of this situation will involve one of the following options:
o Relocate (or protect with an adequate barrier) the existing cooling units, control and power cables, and realign to train A power source, as required. If relocated, the units would be placed outside the safety injection pump area, and in all cases, cable routing would avoid the cable tunnel, con-
.trol room,- relay room, and air handling room. The existing local/automatic control function would be retained.
o Install a new, dedicated cooling unit, independent of the existing coolers. This unit, which would be configured only for post-fire dedicated shutdown use, would be aligned with power train A and provided with remote manual controls. All control and power cables would be routed so as to avoid fire zones occupied by cables servicing the existing coolers.
5.5.5.4 Char in Makeu Pi in Path Alternative charging paths are available, using CVCS injection valves that will function as relief valves, thereby opening to allow injection flow without the use of control power. However, flow indication information will be provided. The flow indication circuits will be energized from the alternative (RS) power source, 5-20
and will be part of the remote shutdown control system. Cables associated with the RS flow indication channel will be routed so as to avoid high-hazard fire zones occupied by existing flow indication circuits, to the extent practicable.
5.5.5.5 Letd wn Isolation and Orifice Valves Remote status indication will be provided to indicate that the letdown path has been isolated. The status indication circuitry will be consistent with that described in Subsection 5.5.5.4.
Cable routing to the RS control system will avoid the cable tunnel, control room, and air handling room, and will avoid, to the extent practicable, high-hazard fire zones occupied by the pressurizer PORV control cables.
5.6 SERVICE WATER SYSTEM 5.6.1 FUNCTIONS REQUIRED The service water (SW) system provides the following safe-shutdown-related functions:
Cooling water for safe-shutdown equipment.
o Alternative water source for auxiliary feedwater system.
o Primary water source for standby auxiliary feedwater system.
5-21
I 5.6.2 MINIMUM EQUIPMENT REQUIREMENT For post-fire shutdown and cooldown operations, the following components must be operable:
o One service water pump.
o Two service water auxiliary building isolation valves.
5.6.3 ALTERNATIVE COMPONENTS CAPABLE OF PROVIDING REQUIRED FUNCTIONS Piping provisions will be made to permit emergency connection of, selected loads to the yard hydrant system or portable pumps so that they may continue to function in the event of loss of all service water, These loads include the diesel generator jacket cooling systems and the water supply to the turbine-driven auxiliary feedwater pump.
5.6.4 EXISTING FIRE-HAZARD-RELATED PROBLEM AREAS
- 5. 6. 4.1 Service Water Pum s All four service water pumps are susceptible to simultaneous loss of function in the event of a severe fire occurring in any of the following areas: air handling room, cable tunnel, diesel generator "B" cable vault, relay room, control room, intermediate building basement, screen house operating floor, or screen house basement.
The postulated failures may result from fire-induced damage to any of the following:
o Service water pump motors.
o Electrical distribution panels 480-Vac train A and B switchgear and 125-Vdc train A and B distribution panels.
o Control and power cables.
5-22
5.6.4.2 Service Water Isolation Valves The auxiliary building service water isolation valves are subject to spurious actuation (inadvertent closure, as the worst case) in the event of fires occurring in areas including the cable tunnel, air handling room, relay room, or control room. The spurious actuations would result from fire-induced "hot shorts" to control circuits.
Closure of the auxiliary building SW isolation valves would result in termination of service water flow to most safe-shutdown-related components.
5.6.5 MODIFICATIONS PLANNED TO ENSURE AVAILABILITYOF SAFE-SHUTDOWN FUNCTION 5.6.5.1 Service Water Pum s To ensure the availability of at least one pump, an appropriately rated fire barrier will be installed in the screen house, so that one pump is completely independent of fire hazards affecting the remaining three pumps. Alternative AC power and DC control power will be routed to the screen house for operation of this pump.
In addition, alternative controls for the protected pump will be available as part of the RSCS. Consequently, this pump will not be affected by any fire-induced failures which are common to the other pumps.
5.6.5.2 Auxiliar Buildin Isolation Valves Alternative controls and status indication will be provided for one train of the auxiliary building isolation valves. Because these valves control cooling water to hot-shutdown-related loads, alternative remote controls will be provided for rapid valve re-positioning, if required. These controls will be activated by 5-23
a remote manual transfer switch; actuation of this switch will be annunciated in the control room.
The cables associated with the remote shutdown controls will be routed so as to avoid the cable tunnel, relay room, control room, and diesel generator cable vaults.
5.7 INSTRUMENT AIR SYSTEM
- 5. 7. l FUNCTIONS REQUIRED The instrument air system provides compressed air for valve actu-ation. Instrument air is not required for shutdown and cooldown.
Subsection 5.7 describes equipment which is desirable for plant operation, although not specifically required, following a fire.
- 5. 7. 2 MINIMUM EQUIPMENT REQUIREMENTS o One instrument or service air compressor.
o Instrument air containment isolation valves.
5.7.3 ALTERNATIVE COMPONENTS CAPABLE OF PROVIDING REQUIRED FUNCTIONS In the event of complete loss of instrument air supply, all air-actuated components (valves) that interface with safety-related plant systems are designed to fail in the "safe" or preferred posi-tion, predominantly to avoid compromising primary system integrity.
Although the fail-safe mode does protect primary system integrity, it 'lso causes the isolation of several flow paths that may be desirable for shutdown or cooldown operations. For those selected components that require a pneumatic pressure source for operation (e.g., primary and secondary PORVs), alternative sources such as nitrogen cylinders are available for temporary connection to power the valve actuators.
5-24
I 5.7.4 EXISTING FIRE-HAZARD-RELATED PROBLEM AREAS The instrument air system is susceptible to loss of function in the event of fires occurring in plant areas, including the air com-pressor area, the relay room, and the control room. The failures may result from fire-induced damage to compressor motors, power sources, and control and power cables. For instrument air loads in containment, the loss of function may result from spurious ac-tuation (closure) of the containment isolation valves.
5 ~ 7.5 MODIFICATIONS PLANNED TO ENSURE AVAILABILITYOF SAFE-SHUTDOWN FUNCTIONS The following modifications are presently under consideration for enhancement of the availability of control air for the pressurizer PORVs and the RWST supply valve to charging pump suction.
o Provide an additional or existing spare breaker in 480-V power train A switchgear, which would function as the new supply for one instrument air compressor. This circuit breaker would be provided with appropriate trip functions (e.g., undervoltage) to ensure that this non-safety-related load cannot compromise the ESF functions of the bus.
The existing control scheme would be retained, but would include an alternative control capability with all wiring independent of the control room, relay room, cable tunnel, and air handling room. The isolation and control transfer concepts applied would be identical to those described herein for other shutdown-related modifications.
o Provide alternative controls, remote status indication, and DC power for the instrument air containment isolation 5-25
valves. The circuit isolation and control transfer con-cepts applied to these alternative controls would be iden-tical to those described herein for other shutdown-related modifications.
5~8 HEATING VENTILATION AND AIR CONDITIONING SYSTEM
- 5. 8. 1 FUNCTIONS REQUI RED The HVAC systems required to function for continued operation of safety-related equipment are delineated in the R. E. Ginna Environ-mental Qualification of Electrical Equipment Report submitted to the NRC on October 31, 1980. The required systems are the residual heat removal, safety injection, containment spray, charging and standby auxiliary feedwater pump coolers, and the battery room ventilation systems. All other equipment, including that in the ccaftrol room, will function properly in the ambient environment and require no cooling or ventilation.
5 8~2 MINIMUM EQUIPMENT REQUIREMENTS o RHR room cooler o SI and CS pump cooler o Charging room cooler o SBAFW room cooler Ventilation for the present battery rooms is not required because of the alternative DC power source to be provided for operation of the remote shutdown control system.
- 5. 8.3 ALTERNATIVE COMPONENTS CAPABLE OF PROVIDING REQUIRED FUNCTIONS The safety injection pumps are not separated from the rest of the auxiliary building environment by room walls. Since the auxiliary building is a very large-volume building, it is not expected that 5-26
I l
there would be an increase in the ambient temperature due to SI pump operation, even if the main building ventilation system is inoperable. Thus, it may be possible to cool the SI pumps using portable fans.
The SBAFW system is housed in a separate building with no other heat sources. The building can be opened to the outside and thus these pumps may be cooled using portable fans exhausting out of the building.
5.8.4 EXISTING FIRE-HAZARD-RELATED PROBLEM AREAS Hazards affecting each of the pump coolers are delineated in the sections of this report which discuss the associated pumps.
5.8.5 MODIFICATIONS PLANNED TO ENSURE AVAILABILITYOF SAFE-SHUTDONN FUNCTION Modifications planned for each of the required cooling units are discussed in the sections of this report which address the asso-ciated pumps.
5.9 CONDENSATE SYSTEM 5.9.1 FUNCTIONS REQUIRED The condensate system is the primary water source for the auxil-
'ary feedwater system.
5.9.2 MINIMUM EQUIPMENT REQUIREMENTS o Condensate storage tank.
o Condensate storage tank level indication.
5-27
5.9.3 ALTERNATIVE COMPONENTS CAPABLE OF PROVIDING REQUIRED FUNCTIONS The service water system is the alternative source of water for the auxiliary feedwater system.
- 5. 9. 4 EXISTING FIRE-HAZARD-RELATED PROBLEM AREAS The existing condensate tank level instrumentation is subject to loss of function in the event of a fire occurring in selected plant areas, including the cable tunnel, relay room, and control room.
5.9.5 MODIFICATIONS PLANNED TO ENSURE AVAILABILITYOF SAFE-SHUTDOWN FUNCTION A new, dedicated channel of condensate storage tank level instru-
'mentation will be installed; indication will be provided as part of the remote shutdown control system. Cable routing, instrumen-tation, and the power source will be independent of that utilized by the existing level instrumentation channel.
5.10 NORMAL EMERGENCY POWER DISTRIBUTION SYSTEM 5 10.1 FUNCTIONS REQUIRED The power distribution system provides AC and DC power to safe-shutdown-related (and other) plant loads under all postulated conditions of offsite/onsite power availability.
- 5. 10. 2 MINIMUM EQUIPMENT REQUIREMENTS o One 480-Vac ESF power train.
o One emergency diesel generator and auxiliaries (aligned with above bus) .
5-28
o One 480-Vac ESF motor control center (aligned with above
.bus) .
o One 125-Vdc battery and distribution panel.
o One 120-Vac instrument bus (inverter powered from above battery) .
5.10.3 ALTERNATIVE COMPONENTS CAPABLE OF PROVIDING REQUIRED FUNCTIONS With incorporation of the features described in Subsection 5.10.5, either of the two power trains, in an onsite or offsite supply mode, is capable of accommodating all safe-shutdown-related loads.
5.10.4 EXISTING FIRE-HAZARD-RELATED PROBLEM AREAS
'nadequate separation (with respect to fire zones) of power trains A and B at several locations throughout the plant make both trains of AC and DC power susceptible to simultaneous loss of function as the result of a single postulated fire.
5.10.5 MODIFICATIONS PLANNED TO ENSURE AVAILABILITYOF SAFE-SHUTDOWN FUNCTIONS o The train A 480-Vac switchgear bus will be provided with a new feeder from its associated emergency diesel generator.
The cable routing will be completely independent of all zones occupied by train B.
o Selected train A and/or train B cable rerouting will be accomplished such that safe-shutdown-related circuits from redundant trains will generally not occupy common fire zones.
5-29
)
o An alternative source of 125-Vdc control power and 120-Vac instrument power, independent of the existing plant AC and DC systems, will be provided. This power source will be capable of supplying.all necessary control power (and AC instrument power) for dedicated shutdown operation. A re-mote manual transfer switch scheme will enable the operator to align the train A switchgear and actuated devices with either the existing plant battery system or the alternative, dedicated shutdown DC source. Suitable isolation/interlocks will be provided to preclude the possibility of degrading the safety-related DC system by inadvertent cross-connec-tion with the dedicated shutdown source.
5.11 RESIDUAL HEAT REMOVAL SYSTEM 5.11.1 FUNCTIONS REQUIRED The residual heat removal (RHR) system provides cooling of the primary system to ach'ieve cold shutdown. Either the RHR or the secondary system in the solid steam generator mode can be utilized to remove the decay heat and achieve cold shutdown.
5.11. 2 MINIMUM EQUIPMENT REQUIREMENTS The RHR system has been assessed to determine the components that,,
as a minimum, must remain functional in a post-fire condition to ensure safe shutdown and cooldown. The RHR has two 1008-redundant trains (i.e., trains lA and 1B) . Either train is capable of providing the required cooling. The following list represents those components of the RHR system that will be- aligned with the remote shutdown control system (RSCS) for. post-fire shutdown operation.
o RHR train components Heat exchanger (HX)
Component cooling isolation valve to HX 5-30
I l
~
i l
'1
~
I
RHR pump RHR pump suction valve HX discharge control valve.
o RHR room cooler.
o Flow control valve.
o Suction valves from loop A.
o Discharge valves to loop B.
o Containment sump B isolation valves.
5.11.3 ALTERNATIVE COMPONENTS CAPABLE OF PROVIDING REQUIRED FUNCTIONS The RHR can be totally disabled and the reactor can still be brought to safe shutdown by utilizing a less efficient cooling
~ approach. At the point in the cooldown cycle where the RHR cool-ing is normally initiated, the secondary system will continue to cool the reactor coolant system, as described in- Subsection 4.9.
The RHR system, in combination with selected elements of the SI system, can provide alternative flow paths to provide cooling if either the RHR suction valves from loop A or the RHR discharge valves to loop B block normal RHR flow. Subsection 4.11 describes the alternative RHR/SI system flow paths.
RHR train 1A is 100% redundant to train 1B. Either RHR train is capable of providing the required cooling.
5.11.4 EXISTING PIRE-HAZARD-RELATED PROBLEM AREAS Both trains of the RHR are located in the auxiliary building basement and are vulnerable to a fire in that area. In addition, a fire occurring in the auxiliary building mezzanine, cable tun-nel, control room, or the air handling room could cause the loss of control circuits, power feeds, or the power source itself for redundant RHR components.
5-31
~
rg
~
5.11. 5 MODIFICATXONS PLANNED TO ENSURE AVAILABILITYOF SAFE-SHUTDOWN FUNCTION The RHR power feeds and control circuits will be rerouted to
~provide separation of active safe shutdown circuits aligned with
,each power division, diesel generator lA/battery lA and diesel generator 1B/battery lB. Xn the auxiliary building basement, both power divisions are present to support redundant RHR com-ponents. The applicable circuits will be rerouted to minimize the common fire hazard exposure of redundant power division cables and conduits.
The RHR is not required to achieve hot shutdown, therefore, there is no requirement, based on time response restrictions, to control the RHR'rom the RSCS. The RHR may be aligned using manual opera-tion of valves which are normally operated using electric power or pneumatic assist. The .RSCS will incorporate the following RHR features:
o Train lA valves:
Shed load from the present MCC or DC supply Provide valve status information independent of the control room.
o Transfer control of RHR pump lA to RS panel.
o Transfer control of RHR room cooler to RS panel.
o Provide flow indication for RHR.
o Component cooling isolation valve to HX shed load.
o Flow control valve shed load.
5-32
~
~
~
~
~
l
~
~
o Align SIS interface with the RSCS. (SI/RSCS interfaces are presented in Subsection 5.4.5.)
In addition, the spurious opening of sump B valves V-850A or V-850B will disable the RHR and also cause the RWST to drain into the sump.
Modifications to the valve under administrative control (e.g., disable normal DC control power or open the breaker at the MCC) and plumbing modifications that would inhibit backflow into the sump are under evaluation.
5.12 MAIN AUXILIARY FEEDWATER SYSTEM 5.12.1 FUNCTIONS REQUIRED The main auxiliary feedwater (MAFW) system provides feedwater to steam generators following a safety injection signal or loss of offsite power.
- 5. 12. 2 MINIMUM EQUIPMENT REQUIREMENTS The MAPW system has been assessed to determine the components that, as a minimum, must remain functional in a post-fire condition to ensure safe shutdown and cooldown. The MAPW has three trains (i.e., two trains have a motor-driven pump, the third train has a turbine-driven, pump) . Any one of the three trains can supply the required feedwater to both steam generators (only a single steam generator is required) .
The standby auxiliary feedwater (SBAFW) system provides a backup to the MAFW system. The SBAFW system consists of two motor-driven pump (MDP) trains, either of which can supply the required feed-water to the steam generators (SGs). When both the MAPW system and SBAFW systems were assessed for post-fire operation, it was determined that the RSCS will interface with the TAPWP train and an MDP train from the SBAFW system.
5-33
l I
'I
The following list represents those components of the MAFW system that will be designated to interface with the RSCS for post-Cire operation.
o Turbine-driven pump train Turbine-driven pump Discharge valve SW isolation valve Steam generator (SG) control valves Lubricating oil supply tank and pumps Steam supply valve (Part of the MS system. Refer to Subsection 5.3) .
In addition to the MAFW system equipment, SG level instrumentation is required to monitor operation of the MAFW.
5.12.3 ALTERNATIVE COMPONENTS CAPABLE OF PROVIDING REQUIRED FUNCTIONS The SBAFW system provides a backup to the MAFW system. The SBAFW system consists of two MDP trains.
Either SBAFW train can supply the required feedwater to both steam generators. The SBAFW system is discussed in Subsection 5.13.
- 5. 12. 4 EXISTING FIRE-HAZARD-RELATED PROBLEM AREAS All three trains of the MAFW are located in the intermediate build-ing on the intermediate floor and are vulnerable to a fire in that area. In addition, a fire occurring in the auxiliary building mezzanine, cable tunnel, battery rooms, or the intermediate build-ing basement could cause the loss of control circuits, power feeds, or the power source itself for redundant AFW components.
5-34
5.12.5 MODIFICATIONS PLANNED TO ENSURE AVAILABILITYOF SAFE-SHUTDOWN FUNCTION The TAFWP train power feeds and control circuits will be rerouted to provide separation of active safe shutdown circuits aligned with each power division. The TAFWP train circuits will be re-routed so that they are not in a common fire zone with the SBAFW power feeds and control circuits.
Auxiliary feedwater is not required during the first 30 minutes following the start of the fire because the SG will not boil dry during that time. Within that period of time, the operator must initiate operation of either the MAFW or the SBAFW. The RSCS will incorporate the following features to enable manual operation of the TAFWP train.
o Isolate the control circuits of the TAFWP DC auxiliary oil pump and provide for local control of the pump.
o Enable local manual control of the following valves (no power or air assist)
TAFWP discharge valve SG FW control valves.
5.13 STANDBY AUXILIARY FEEDWATER SYSTEM 5.13.1 FUNCTIONS REQUIRED If the MAFW system is unavailable, the SBAFW system provides feedwater to the steam generators following a safety injection signal or loss of offsite power.
5-35
5.13.2 MINIMUM EQUIPMENT REQUIREMENTS The SBAFW system has been assessed to determine the components that, as a minimum, must remain functional in a post-fire condi-tion to ensure safe shutdown and cooldown. The SBAFW system has two 100%-redundant MDP trains. Either of the trains can supply the required feedwater to both steam generators (only a single steam generator is required) .
The SBAFH system provides backup to the MAFW system. When both the MAFW system and the SBAFW system were assessed for post-fire operation, it was determined that the RSCS will interface with the TAFWP train and an MDP train from the SBAFW system.
The following list represents those components of the SBAFW system that will be designated to interface with the RSCS and for post-fire operation if the MAFW system is unavailable.
o MDP train Motor starter Suction valve Discharge valve SG isolation valve.
o SW isolation valve (part of SW system) .
o SG .level instrumentation (part of SG instrumentation required to monitor the operation of the SBAFW).
5.13.3 ALTERNATIVE COMPONENTS CAPABLE OF PROVIDING REQUIRED FUNCTIONS The SBAFW system provides a backup to the MAFW system.
5-36
The MAFW system consists of two MDP trains and one TAFWP train.
Any of the three MAFW trains can supply the required feedwater to both steam generators. The MAFW system is discussed in Sub-section 5.12.
5 ~ 13 ~ 4 EXISTING FIRE-HAZARD-RELATED PROBLEM AREAS Both trains of the SBAFW are located in the standby auxiliary feed-water pump building and are vulnerable to fire in that area. In addition, a fire occurring in the auxiliary building basement or mezzanine, cable tunnel, air handling room and the control room could cause the loss of control circuits or power feeds for the redundant pump trains.
5.13.5 MODIFICATIONS PLANNED TO ENSURE AVAILABILITYOF SAFE-SHUTDOWN FUNCTION The SBAFW train power feeds and remote shutdown control circuits will be rerouted so that they are not in a common fire zone with the TAFWP train power feeds and normal control circuits.
The RSCS will provide the operator the ability to align and operate a single train of the SBAFW system from a remote panel, independent of any control room interfaces.
5.14 COMPONENT COOLING LOOP 5.14.1 FUNCTIONS REQUIRED The component cooling (CC) loop removes heat from the following heat sources during normal plant operation:
o RHR HXs o Reactor coolant pumps o Nonregenerative HX o Excess letdown HX 5-37
o Seal water HX o Boric acid recycle evaporator o Sample HXs o Waste gas compressor o Waste gas condenser o Reactor support cooling pads o RHR pumps o SI pumps o Containment spray pumps.
- 5. 14. 2 MINIMUM EQUIPMENT REQUIREMENTS The CC has been assessed to determine the components that, as a minimum, must remain functional in a post-fire condition to ensure safe shutdown and cooldown. The CC loop has two 100%-redundant trains of HXs and circulating pumps. Only one CC HX and one CC pump is required to meet the shutdown and cooldown requirements for the R. E. Ginna Station. The CC loop distribution to redundant equipment (e.g., both RHR HXs) is a single train. The following list represents those components of the CC loop that will be designated for post-fire shutdown operation.
o CC HX o CC pump o Surge tank 5.14.3 ALTERNATIVE COMPONENTS CAPABLE OF PROVIDING REQUIRED FUNCTIONS No functional backup exists for the loss of the CC loop. However, alternative shutdown and cooldown methods are available when the 5-38
following shutdown-and-cooldown-related components are disabled by the lack of CC.
o SI pumps o RHR HXs o RHR pumps l
The SI system is not a principal shutdown-related system. It provides alternative functional capabilities in the event that specific shutdown-related systems are unavailable. The SI system provides an alternative primary system makeup capability in the event of loss of all charging pumps and it also provides alterna-tive suction/injection paths in the event of isolation of the RHR system.
The RHR can be totally disabled and the reactor can still be brought to safe shutdown by utilizing a less efficient cooling approach. At the point in the cooldown cycle where the RHR cool-ing is normally initiated, the secondary system will continue to cool the reactor coolant system, as described in Subsection 4.9.
5.14.4 EXISTING FIRE-HAZARD-RELATED PROBLEM AREAS Both CC pumps are located in the auxiliary building operating floor and are vulnerable to a fire in that area. In addition, a fire occurring in the auxiliary building mezzanine, cable tunnel, control room, or the air handling room could cause the loss of control circuits, power feeds, or the power source itself to the CC pumps.
5.14.5 MODIFICATIONS PLANNED TO ENSURE AVAILABILITYOF SAFE-SHUTDOWN FUNCTION The CC loop power feeds and control circuits will be rerouted to provide separation of active safe shutdown circuits aligned with 5-39
each power division, diesel generator lA/battery lA and diesel generator 1B/battery 1B.
On the auxiliary building operating floor, both power divisions are present to support the redundant CC pumps. The applicable circuits will be rerouted to minimize the hazards betwe'en redun-dant power division cables and conduits.
The RSCS will incorporate a transfer of control of CC pump lA to the RSCS.
- 5. 15 REMOTE SHUTDOWN CONTROL SYSTEM
- 5. 15. 1 FUNCTIONS REQUIRED The RSCS provides an alternative means of bringing the plant to a cold shutdown state when the control room is disabled by a fire in the control room or by a fire in another 'plant area which disables important control circuits that interface with the control room.
The RSCS incorporates a remote shutdown (RS) panel concept for the transfer of control of selected components from the control room and to provide a single channel of all instrumentation required to achieve and maintain cold shutdown. The location or locations of the new RS panel(s) is under evaluation. The RS panel concept has not been finalized; the design will incorporate, either a sin-gle new remote control panel, or a system of distributed panels located in selected plant areas. The RS panel will have the following functions available for operator use.
o Instrumentation continuously available SG level, wide range (1 channel per SG)
RCS pressure, wide range Pressurizer level, wide range RCS temperature 5-40
Steam line pressure, wide range (1 channel per steam line)
Condensate tank level, wide range SI system cold leg in jection line flow (1 channel)
RHR system flow Charging pump flow.
o Transfer control to DS panel and provide status Pressurizer PORVs (2, status only)
Pressurizer PORV relief line isolation (2)
SX train (1)
SX pump cooling unit (1)
Charging pump train (1)
Charging pump room cooling unit Charging pump/RWST suction valve (1)
SW pump train (1)
Auxiliary building SW isolation valves (2)
RHR pump (1)
SBAFW train {1)
TAFWP steam supply valve {1)
Letdown line isolation RHR room cooler (1).
o Provide control room alarm when control is transferred.
o Shed specific non-RS loads from AC and DC load groups aligned with RS panel.
o Override normal control circuit inputs to enable non-power or non-pneumatically assisted local control.
Provide status information.
RWST discharge valves (2)
RHR valves (1 train)
RHR suction valves from loop A
RHR discharge valves to loop B Component cooling isolation valve to RHR HX (2).
o Override normal control circuit inputs to enable non-or non-pneumatic assisted local control.
TAFWP train valves All control and indication wiring from the control room to the RSCS control circuits will be provided with suitable isolation devices so that a fault occurring between these points cannot-disable both the normal and the RSCS control. In addition, the control transfer switch will provide for isolation of the exist-ing Class-lE control circuits from the non-Class-lE RSCS circuits.
5.15.2 MINIMUM EQUIPMENT REQUIREMENTS The RSCS is a single-train system. The minimum equipment/functions are defined in the previous subsection, 5.15.1.
5 '5.3 AITERNATIVE COMPONENTS CAPABLE OF PROVIDING REQUIRED FUNCTIONS The RSCS is not the primary means of control. It provides an alternative to the normal control function performed from the con-trol room. See Subsection 5.15.1 for details.
- 5. l5. 4 EXISTING FIRE-HAZARD-RELATED PROBLEM AREAS The RSCS is a new system. There are no existing fire-hazard-related problem areas. However, the RSCS design will include consideration of the impact of high-hazard fire zones, partic-ularly when routing cables and locating the RSCS control panel(s) .
5-42
5.15.5 MODIFICATIONS PLANNED TO ENSURE AVAILABILITYOF SAFE-SHUTDOWN FUNCTION The RSCS is a new system. The system will be designed so that no single postulated fire will be capable of disabling both the normal control/power train and the RSCS.
5-43
6.0
SUMMARY
OF MODIFICATIONS REQUIRED TO ENSURE SAFE SHUTDOWN AND COOLDOWN CAPABILITY r
The safe shutdown analyses have identified a number of plant modi-fications in order to provide additional assurance of the ability to reach a safe shutdown following a maj'or fire within any single fire area. These modifications and the bases for their recommen-dation are discussed in Section 5.0 of this document, with specific references made to the components or areas that must be upgraded. Q In each case, the conceptual approach and options under consider-ation for accomplishing these modifications have been identified.
At least one hardware train, subsystem, or component will be made available for performance of each of the required safe shutdown functions in the event of a severe fire in ~an one of the desig-nated plant fire zones.
The required modifications, although affecting many plant compo-nents, may be classified into several generic types, as follows:
o Establishment of alternative control and monitoring sta-tion(s), incorporating alternative primary and secondary system instrumentation to provide continuous displays of critical safe-shutdown-related parameters. The station is identified as the remote shutdown (RS) control panel.
A control transfer scheme is provided to activate the alternative controls and status indication for critical safe-shutdown-related actuated devices.
o Provide for disconnection/override of normal electrical or pneumatic supply to safe-shutdown-related actuated device to permit local manual control. Device status indication is provided on the RS control panel when required.
6-1
o Provide for deenergizing of AC or DC power to the actu-ated device during normal plant operation, to preclude the possibility of fire-induced spurious actuations.
o Reroute control and/or power cables to avoid specific high-hazard fire zones generally occupied by redundant cables or components.
o Protect critical shutdown-related cables in selected areas with an appropriately rated fire barrier.
o Protect equipment by constructing new fire areas (i.e.,
enclosing areas within existing zones with appropriately rated barrier).
The generic types of required modifications and the affected sys-tems or components are summarized on Table 6-1.
6-2
Table 6-1. Modifications to Enhance Safe Shutdown and Cooldown Capability Number of Channels T e of Modification S stems or Com onents Affected or Trains Affected Install remote shutdown (RS) control New system One remote shutdown panel(s) equipment train; number of panels not yet defined Provide alternative remote indication Steam generator level, wide range 2 DS panel Pressurizer level, wide range 1 RCS pressure, wide range 1 RCS temperature Note 1 Steam line pressure, wide range 2 Condensate storage tank level, wide range SI system cold leg in)ection line flow RHR system flow Charging pump flow Provide alternative controls, consisting Pressurizer. relief isolation valves 2 of remote manual transfer of control SI injection train 1 with status indication and annunciation SI pump cooling unLt 1 of control transfer in control room CC pump 1 Charging pump in)ection train 1 Charging pump room cooling unit 1 Letdown path isolation Note 1 Pressurizer PORV relief path isolation 2 RWST to charging suction valve Service water pump train SW auxiliary building isolation valves
Table 6-1. Hodifications to Enhance Safe Shutdown and Cooldown Capability (Continued)
Number of Channels T e of Hodification S stems or Com onents Affected or Trains Affected (cont 'd. from sheet 1) RHR pump train Standby auxiliary feedwater pump train Instrument air compressor Pressurize PORVs (status indica-tion only)
Provide for remote manual shedding 480-Vac distribution train A of non-shutdown-related loads from DS-aligned switchgear Provide for remote manual transfer of 125-Vdc distribution train A DC power source from ESF (normal) DC supply to DS alternative DC supply Provide for disconnection of normal Hain steam PORVs electrical or pneumatic supply to actu- RNR valves ated device to permit manual controls Turbine-driven auxiliary feed pump provide remote status indication valve train (status indication not required)
RWST discharge valves Reroute or protect power and/or control AC and DC electrical distribution cables to avoid exposing train A or components to common fire redundant'rains Turbine-driven auxiliary feed pump hazards Plant physical (structural) modifica- Charging pump room tions install rated fire barriers, Screen house operating floor which may include fire doors, walls, service water pump area and penetration seals Notes l. analyses.
To be defined based on subsequent
I
- 7. 0 REFERENCES
- 1. RGGE NRC letter dated July 27, 1978; SEP Safe Shutdown Review
- 2. RG&E NRC letter dated December 28, 1979; Fire Protection Shutdown Analysis
- 3. NRC SEP Safe-Shutdown Review dated November 14, 1980.
- 4. RGGE - NRC letter dated October 31, 1980; Environmental Qualification of Electrical Equipment 7-1