ML18033A463

From kanterella
Jump to navigation Jump to search
Safety Evaluation Accepting Util App R Submittal as Applied to Adequacy of Minimum Safe Shutdown Sys
ML18033A463
Person / Time
Site: Browns Ferry  Tennessee Valley Authority icon.png
Issue date: 12/08/1988
From:
NRC OFFICE OF SPECIAL PROJECTS
To:
Shared Package
ML18033A462 List:
References
NUDOCS 8812140033
Download: ML18033A463 (26)
v  d  e


Text

~g,S A%Cot 0*

/~

~O

+a*+>>

t UNITED STATES NUCLEAR REGULATORY COMMISSION WASHINGTON, O. C. 20555 ENCLOSURE SAFETY EVALUATION BY THE OFFICE OF SPECIAL PROJECTS OF THE BROWNS FERRY APPENDIX R SUBMITTAL AS APPLIED TO THE ADE UACY OF THE MINIMUM SAFE SHUTDOWN SYSTEMS BROWNS FERRY NUCLEAR PLANT UNITS.1, 2, AND 3 DOCKET NOS:

50-259,

260, AND 296
1. 0 INTRODUCTION Following a major fire at the Browns Ferry Nucl"..r Plant on March 22, 1975, the NRC established a Special Review Group to evalI.

~ the need for improving the fire protection programs at all nuclear power p'nts.

The group found serious design inadequacies in fire protection at Brow.:s Ferry, and its report

("Recommendations Related to Browns Ferrv Fire;" NUREG-0050, February 1976),

contained over 50 recommendations regarding improvements in fire prevention and control in existing facilities.

The NRC developed technical guidance for I:,I; plants based upon the recommenda-tions in the Spec.ial Review Group's Repor.:,

and issued those guidelines as Branch Technical Position (BTP)

APCSB 9.~-..

Guidance to operating plants was'rovided later in Appendix A to BTP. APCSB 9.5-1, which relies on BTP APCSB 9.5-1.

,r The Commission issued for comment a proposed fire protection rule and its associated Appendix which was described as setting out minimum fire protection requirements for the unresolved issues.

The fire protection features addressed included protection of safe =shutdown capability, emergency lighting, fire

barriers, associated circuits, reactor coolant. pump lubrication system protection, and alter native shutdown systems.

On February 17, 1981, the final rule 10 CFR 50.48 and Appendix R to 10 CFR 50, became effective, replacing the proposed rule.

Three of the 15 items in Appendix R were of such safety significance that the Commission decided they should apply to all plants, including those for which alternative fire protection actions had been approved previously by the staff.

These items are protection of safe shutdown capability (including alternative shutdown systems),

emergency lighting, and protection of the reactor coolant pump lubrication system.

Accordingly, the final rule required all reactors licensed to operate before January I, 1979, to comply with these three. items, even if S812 CK p~~ppp259 140033 881208 PDR ADO PDC F

0 the NRC had previously approved alternative fire protection features in these areas.

However, the final rule is more flexible than the proposed rule because Item III.G of Appendix R provided three optional fire protection features which do not require analysis to demonstrate the protection of redundant safe shutdown equipment, and reduced the acceptable distance in the physical separation option from 50 feet to 20 feet.

In addition, the rule provided an exemption procedure which can be initiated by a licensee's assertion that any required fire protection feature will not enhance fire protection safety in the facility, or that such modifications may be detrimental to overall safety.

Following the promulgation of the final rule; licensees and applicants requested exemptions and deviations from Appendix R to 10 CFR 50 in the form of a fire hazards analysis (FHA).

The NRC staff has reviewed and evaluated these

- FHAs to ensure that each proposed alternative to meeting Appendix R provides an acceptable level of overall protection of plant safe shutdown capability.

Generic Letter 86-10 was written to provide guidance to the licensee for the interpretation of Appendix R.

The above provides background of the development of fire protection regulations which are used by the industry in developing fire protection programs for nuclear facilities and by the Commission in the evaluati'" licensee fire protection programs.

1.2 Plant-S ecific Back round On October 31, 1984, the Tennessee v~lley Authority (T'lA, the licensee) submitted a revised Appendix R evaluation to the NRC or Browns Ferry Nuclear (BFN) Units 1, 2, and 3.

.'ubsequently, the licensee has undertaken a major effort to bring the plant into compliance with all re gulatory requirements based on the guidance provided in various staff pc i 'ions and Generic Letters.

By letter dated January 31, 1986, the licensee subm'tted a new plan for compliance with Append;x R to 10 CFR 50.

This d>c<.nent, "Fire Protection and Safe Shutdown System AAalysis" was prepared by'eneral Electric and supersedes the licensee's previous submittals evaluating their compliance with Appendix R.

It contains significant changes to fire protection features and the manner in which all three reactors would be shut down in the event a fire threatened the safe operation of any unit.

In response to staff questions on the submitta.

ra'ised during NRC/TVA meetings on May 29, June 23 and June 24, 1986,'nd a formal request for additional information dated August 7, 1986, the licensee provided a submittal dated November 21, 1986.

The submittal additionally included (1) a report listing all the required local (i.e., outside the control room) manual actions for a postulated single fire in any fire location (i.e., fire area of reactor building zone) for achieving plant shutdown in a timely manner per Appendix R

requirements, (2) Fire Hazards Analysis, (3) Fire Protection Engineer's Report

for the BFN units dated July 18, 1986, (4) revised exemption requests from applicable Appendix R requirements and (5) reclassification of fire areas and zones (i.e., applicable III.G classification for the subject location).

In telephone conversations of April 2 and 7, 1987, the licensee coomitted to update the local manual action report and document its response to staff concerns raised in these telephone conference calls.

The licensee's June 22, 1987 submittal responds to this commitment.

The Safety Evaluation (SE) is based on the (1) January 31,

1986, November 21, 1986 and June 22, 1987 submittals, (2) a technical review of the licensee's fire hazards analysis submittal by the Franklin Research Center (FRC),

and (3) the licensee's submittal dated April 4, 1988.

This SE addresses the Safe Shutdown System Analysis for Browns Ferry including the required local manual actions for achieving plant shutdown in a timely manner per Appendix R requirements.

The staff's Appendix R Exemption SE dated August 4, 1988, addresses the exemptions from Appendix R that were requested by.

the licensee.

The remainder of the Appendix R evaluation will be addressed in the Browns Ferry Appendix R Inspection Report which will be on the results of the Browns Ferry Fire Protection Site Audit.

1.3 Review Criteria The criteria used in reviewing the licensee's information are based on the following documents:

1.

Fire 'Protection Program for Operating Nuclear Power Plants, 10 CFR 50.48, and Appendix R to 10 CFR 50.

2.

Standard Review Plan, NUREG-0800 Branch Technical Positie;.

(BTP),

APCSB 9.5-1, "Guidelines for Fi " Protection for Nuclear

'ro ter Plants" and Appendix A to BTP APCSB 9.5-1.

3.

Generic Letter 86-10,- "Imple..',.;tation of Fire Protection Requirements,"

dated April 24, 1986.

2.0 POST-FIRE SHUTDOWN CAPABILITY 2.1 S stems R

uired for Safe Shutdown Shutdown of any of the three reactors is intiated by automatic scram in the event of 1'oss of offsite power, or is initiated from the control room by a manual scram.

After closure of the Main Steam Isolation Valves (MSIV), Reactor Coolant System (RCS) pressure is maintained by the Main Steam Relief Valves (MSRVs).

The High Pressure Coolant Injection (HPCI) system maintains the reactor coolant inventory for the non-fire affected units.

For the fire affected units (HPCI system for the unit assumed to be lost due to the fire event),

the Residual Heat Removal (RHR) system in its Low Pressure Coolant Injection (LPCI) mode of operation is used to inject water from the suppression

pool into the vessel to maintain the reactor coolant inventory after manual depressurization of the RCS is achieved using the MSRVs.

Decay heat removal and suppression pool (SP) cooling are accomplished by the RHR system in conjunction with the MSRVs and RHR Service Water (RHRSM) system.

The diesel generators, which are to be used for achieving safe shutdown in the event of

'oss of offsite power concurrent with a fire event in the plant, and RHR pump seal coolers are to be cooled by the Emergency Equipment Cooling Mater System (EECW) System.

2.2 Areas Where Alternate Shutdown is Re uired The three BFN units are divided into a total of 25 fire areas excluding the common refueling floor for the units.

The reactor buildings for the three units excluding the shutdown boar d rooms in the buildings are designated as Fire Areas 1,

2 and 3, and are further subdivided into a number of fire zones, since the areas are large.

The licensee analyzed the need for providing alternate shutdown capability for each location (i.e., fire area or reactor building zone) due to a postulated fire in that location.

Based on the

analysis, the licensee concluded that a fire in any location will require some local (i.e., outside the control room) manual operations to operate some or all Safe Shutdown System (SSDS) equipment and components for achieving safe shutdown of the plant.

However, the licensee determined (November 21, 1986 submittal) that except for the Fire Area 16 and all the reactor building zoi.s, all other fire areas will not require an alt'ernate shutdown capability to achieve hot shutdown of the plant because, the licensee states that all the other Fire Areas (4 through 15; 17 through 25) with the exception of'ire Area 25 (turbine building, cable tunnel and intake pumping station),

do not contain equipment, components or cabling associated wit'.i the redundant shutdown path available for these areas (June 22, 1987 submittal).

Fire Area 25 which is r signated as a III.G.2 area, is discussed in Section 2.3 of this S

Therefore, the licensee has designated these areas (Fire Areas 4 thrc;g'i 15; Fire Areas 17 through 24) as solely III.G.1 areas (November 21, 1986 s<:bmittal).

The fire areas, that have been designated as solely III.G.1 areas wi~ 1 ae verified for the validity of such designc;tion, during the Appendix R Site Audit.

Regarding the common refueling floor, the licensee stated that it does not have any safe shutdown equipment or cabling and therefore, for a fire in that floor, safe shutdown will be achieved from the control room.

With regard to the Fire Area 16 and all the reactor building zones, the licensee has provided alternate shutdown capability independent of the cables, system or components in the applicable locations, per III.G.3 requirement.

2.3 Areas Where Alternate Shutdown is Re uired For some areas (Fire Areas I, 2 and 3 containing reactor building zones, Fire Area 25),

a fire may require the use of a redundant train in the same area.

Therefore, the licensee has separated the cables, equipment and associated non-safety circuits of the redundant trains and has provided fire protection features in these locations in accordance with III.G.2 requirements, or has requested exemptions from the above requirements, as applicable, based on their fire hazards analyses for the locations.

2.4 Alternate Shutdown S stem 2;4. 1 Minimum Safe Shutdown S stem The alternate shutdown capability utilizes the existing plant systems and equipment as identified in Section

2. 1 of this SE with some modifications, local manual alignments, local instrumentation and local control of shutdown and support equipment.

As part of providing alternate shutdown capability the licensee has proposed to ensure the availability of minimum SSDS for achieving safe shutdown within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> for any fire in Fire Area 16 concurrent with loss of offsite power.

For all fire areas except Fire Area 16 (control rooms 5

cable spreading rooms),

safe shutdown will be achieved by a combination of operator actions in the control rooms and local stations outside the control rooms.

Additionally, for fire in certain areas (Fire Areas I, 2 and 3),

redundant equipment in the same area may be utilized for performing a specific shutdown function.

The minimum SSDS includes the reactor protection and control rod drive (CRD) systems for performing the scram function, the MSIV and the RHR system for maintaining the reactor coolant inventory, and the MSRVs for providing pressure control.

Additionally, the minimum SSDS for alternative shutdown capability will contain at least the following primary system equipment or components and associated cabling and circuitry as appropriate for each BFN unit.

r 1.

Main Steam S stem - Three MSRVs and associated control and power cables or per ormsng manual depressurization of the RCS, either from the control room or from backup control panel (25-32), is to be available for achieving hot shutdown.

One MSRV for discharge of sub-coole.i water into the suppr.ssion pool during the plant cooldown phase is to be available for achi ving cold shutdown.

2.

~IIHRS

-0 RHRp pf i

h

()LPCI d

f p

i f

ma~ntasn>ng the reactor coolant inventory following manual depressurizaiton of the RCS by injecting water from the suppression pool into the reactor vessel and (b) alternate shutdown cooling mode when sub-cooled water from the reactor vessel is discharged through an MSRV to the suppression pool for decay heat removal during the cooldown phase for achieving cold shutdown.

There are two shared pumps in each'f two independent LPCI loops for each unit.

In addition, the pool suction

valve, two LPCI injection valves, power cables to the RHR pump and RHR inboard injection valve will be available for manual injection by the RHR pump.

3.

RHRSW S stem - One RHRSN pump is to be used for decay heat removal during t e coo own phase when suppression pool water is cooled by the RHRSW system in the RHR heat exchanger.

There are four pairs of RHRSW pumps shared by all the units with each pair feeding one independent RHR header which, in turn, feeds one RHR heat exchangei in each unit.

Additionally, the RHRSW inlet and outlet valves for the RHR heat exchanger and power cable for the RHRSW pump will be available for manual start of the RHRSW pump and decay heat removal.

Additionally, for each unit, the minimum SSDS includes the KPCI system for normal shutdown capability to maintain the reactor coolant inventorv (Section

2. 1) during hot shutdown, if the unit is non-fire affected.

The minimum SSDS includes only that segment of the HPCI system which is located inside the reactor and control buildings, the HPCI pump connection to the condensate storage tank and the HPCI steam line drain wi 11 not be used.

2.4.2 Auxiliar S stems for Minimum SSDS The auxiliary or supporting systems for the minimum SSDS include the (I) Auxiliary Power System (APS), (2) 250V DC Power System, (3)

EECW System, (4) Diesel Auxiliary System, '(5)

RHR Auxiliary System, (6)

MSRV Control Air

System, and (7) Instrumentation (see Section 2.4.9).

These systems include eight (three are required) diesel generators (DG), 4kV and 480V shutdown boards (SDBDs);

4kV bus tie board; 480V reactor motor-operated valve (RMOV) boards (i.e.,

MCCs);

250V DC-unit battery charger, battery board and three RMOV boards (one set for each unit and one spare charger);

250V DC-battery, charger and distribution board (one set for each of five select 4kV SDBDs and one spare charger);

two EECW pumps feeding each of two independent EECW headers (one header required);

DG support systems (i.e., diesel auxiliary board, 125V DC-batteries, chargers and distribution boards, air starting subsystems and DG room exhaust fans);

RHR pump seal coolers; Drywell Control Air (DCA) systems, accumulators for the ADS valves and Containment Atmosphere Dilution (CAD) systems; The power systems are signed to permit (1) various combination of OG and power boards, and (2) supply of normal or alternate power to each 250V OC RMOV board from the applicable battery board.

Switching power supplies will generally involve a manual operation.

The systems provide th. following support functions:

1.

supply onsite AC power when needed to RHR, RHRSW and EECW pumps, RHR injection valves, 250V OC chargers and 480V diesel auxiliary boards (Auxiliary Power System);

2.

supply DC power to MSRV solenoid valves, monitoring instrumentation and HPCI valves.

Also supply control power to the 4kV and select 480V SDBOs to ensure that the associated electrically operated breakers that do not have mechanical interrupt devices can be tripped to avoid their spurious operations (250V OC Power System);

3.

supply cooling water to DGs, Unit 3 environmental coolers and RHR pump seal coolers (EECW System);

4.

ensure long term operation of the OGs (Diesel Auxiliary and EECW Systems);

5.

ensure long term RHR pump operation (RHR Auxiliary and EECW Systems)';

and

I.t 6.

Ensure long term control air supply for the MSRVs (MSRV Control Air Supply System).

The staff concludes that the above systems are adequate.

By submittal dated November 21, 1986, the licensee provided staff the requested clarification on how the 250V DC power requirements for all the three units will be met in the event of a fire in any unit battery board room (Fire Areas 17, 18, or 19).

The staff finds the clarification acceptable.

2.4.3 Manual 0 erations for a fire in any location except Fire Area 16, the licensee will have to perform a number of manual operations both inside the control rooms and outside at a number of local shutdown stations.

For Fire Area 16, except manual scram and reactor isolation, all other manual actions will be performed outside the control room.

The local stations include the 4kV bus tie board, 4kV and 480V

SDBDs, 480V and DG auxiliary boards, 250V OC battery, distribution and RMOV
boards, DG 125V DC distribution boards, backup control panels 25-32, Unit.3 DG building panels (25-270 A&B), yard panels (25-246 AEB) and intake pumping station (Fire Area 25).

The design includes provisions for manual controls for MSIVs and MSRVs, and instrumentation for process variables (i.e., re'actor pressure and water level) at the 25-32 panels; manual controls for RHR,

RHRSM, EECM and HPCI pumps and valves as.appl'icable, and breaker and valve position indications at the various shutdown boards.

Further, the design incorporates a

number of local switches at the various boards or panels to facilitate local manual operations.

The manual actions have been prioritized in terms of time such as being required in 10, 20, 30, 60,

120, 180 and 480 minutes.

The major manual actions, their obiectives, and time frames for their completion are:

1.

Initiate manual scram and r actor isolation in the control room

( Immedi ately).

2.

Transfer to local control (if needed) and ensure MSIVs closure (10 minutes).

3.

4.

5.

Close the HPCI steam supply shutoff valve (in the fire affected unit) to prevent water intrusion into the main steam lines (10 minutes).

Trip 250V OC control power to 4kV and 480V SOBDs that supply power to safe shutdown components (fire affected unit) after tripping associated non-safe shutdown load breakers and closing safe shutdown load breakers to prevent spurious operation of the breakers, in order to facilitate manual operation of the breakers, and to facilitate manual operation of other safe shutdown components (20 minutes).

Initiate manual depressurization (fire affected unit) by opening three MSRVs.

This may also involve either transfer (1) to backup control panels, or (2) from normal to the alternate power supply feeder for the 250V RMOV boards that supply power to the MSRVs (20 minutes).

6.

7.

8.

9.

10.

13.

14.

15.

16.

17.

Initiate LPCI for reactor coolant inventory control (fire affected unit) after manual depressurization, by aligning AC power to one RHR pump and inboard injection valve, starting the pump and opening the valve.

For a fire in Fire Area 16, open the outboard isolation valves also (20 minutes).

Align AC power to an EECW pump (for the unaffected unit) and start it manually (if needed)

(30 minutes).

Initiate diesel auxiliary systems to support long-term DG operation by aligning power to diesel auxiliary board(s).

Also, connect 125V DC distribution boards if needed (30 minutes).

Trip nonessential loads from OGs (30 minutes).

Connect the CAO system to OCA system for long term MSRV air supply (120 minutes).

Initiate manual depressurization and RHR injection for the non-fire affected units (120 minutes).

Start one or more DGs to support operation of RHR pump(s) for fire affected unit(s)

(20 minutes), diesel auxiliary board (30 minutes),

RHR inboard injection valve for non-fire affected unit (120 minutes),

and 250V OC battery charger (180 minutes).

Initiate RHRSW system operation to remove decay heat by aligning AC power to one RHRSW pump, tripping power to RHR heat exchanger outlet valves, closing all but one outlet va ve, and starting one pump for each unit (120 minutes).

Trip power to RHRSW valve(s) to EECW header(s) and close the valves to prevent RHRSW flow into EECW header(s)

( 120 minutes).

Start 250V DC battery chargers for long term DC power supply (180 minutes).

Close applicable steam line drain and RWCU branch connections to maintain condenser and radwaste system high/low pressure interface valves to mitigate their potential spurious operations (480 minutes).

Close a valve to prevent CST water overfilling the torus (fire affected unit) (480 minutes).

The specific manual actions inside and outside the control room for achieving safe shutdown of. all the units will depend upon the fire location.

A fire in the Fire Area 16 will require the largest number of local manual actions since it may render all the control rooms unavailable and affect all the units.

Based on the above, review of the licensee's local manual operations assessment and the licensee's submittal dated June 22, 1987, the staff finds that no manual actions need to be performed within the fire locations themselves for achieving 'hot shutdown.

However, cold shutdown can involve applicable fire

1'

locations themselves, in approximately two hours after manual scram (e.g.,

aligning the CAD system in certain Reactor Building (RB) zones.

In this context, the staff notes that.the licensee has determined (June 22, 1987 submittal) that their originally proposed (November 21, 1986 submittal) manual actions in 5 minutes (aligning AC power and starting two EECW pumps feeding the same header for preventing the spurious operation of an EECW valve) for a fire in certain areas to ensure timely supply of required cooling water to the DGs will not be needed.

The licensee stated that for a single fire in any location except in the RB Zones 1-3 and 2-3, and Fire Area 25, at least two EECW pumps from the same header will autostart upon a start signal from their associated DGs.

With regard to Fire Area 25, the licensee stated that the 5-minute manual operations described above wi 11 not be needed for a fire in that area, since the HPCI system wi 11 be utilized to achieve hot shutdown of the plant, and the OGs that have started automatically can be tripped manually from the control

room, upon receiving the high temperature alarm for the OGs, until the EECW pumps are made available.

With regard to RB Zone 1-3, the licensee stated that at least one EECW pump will autostart and that it wi 11 be sufficient to provide cooling water to all the Unit 3 DGs, which will be used only for the plant shutdown for a fire in that zone.

With regard to the RB zone 2-3, the licensee stated that at least one EECW pump will autostart and that it wi 11 be sufficient to supply the coolinq water to the Unit 3 OGs, which will be used for shutdown of both the fire

..'ected Unit 2 and the non-fire affected Unit 3.

Unit 3, however, wi 11 uti ize HPCI for hot shutdown and consequently no DG for Unit 3 is required in the short term.

The licensee stated that the unaffected Unit 1 will not need any OG cooling water From the EECW system for at least 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br />, which gives sufficient time to the operator to take appropriate manual actions to ensure the timely supply of cooling water to the DG used for Unit I shutdown.

B-sed on the above, the st

< 'oncludes that the licensee's proposed manual operations are adequate sub ect to verification during the Appendix R Site Audit that the short term manual actions (particularly, Action Items 2 and 3 given above) are capable of be'ng performed.

2.4.4 Modifications The licensee proposes to complete modifications on circuits, cables, associated

circuits, and miscellaneous items to ensure that each BFN unit has adequate safe shutdown capability.

The circuit modifications will enhance the operation of.

minimum SSDS by preventing spurious operations.

They include modification for each of the two redundant RHR inboard injection valves which involves adding a

local EMER/OPEN switch to the control circuit of the valve at its Motor Control Center (MCC) to ensure its local operability.

For a fire in any reactor building zone or certain SDBD rooms, the above switch may have to be closed to open the valve.'he MCCs for the redundant valves are in different fire zones.

The circuit modification for each of the two redundant outboard RHR injection valves involves adding a break-before-make hand switch to the control circuit of the valve.

This modification provides a shunt bypass around the closing coi 1 and, thus, prevents its spurious closure by locking it in its normal open position.

Of the two valves, only one has backup control.

For a fire in the control building (Fire Area 16), the valve with the backup control modification 2.4.6 Reactor Coolant Inventor For a fire affected unit (i.e.,

HPCI is unavailable for the unit),

RHR in the LPCI mode of operation is to be used to maintain the Reactor Coolant (RC) inventory after achieving manual depressurization.of the Reactor Coolant System (RCS) utilizing the MSRVs.

The above method has the potential for uncovering the upper portion of the core for a short time during the depressurization

and, thus, does not meet the provisions of 10 CFR 50, Appendix R, Section III.L.

These provisions require that the alternate shutdown capability be able to maintain

('1) the RC level above the top of the core for BWRs via its RC makeup function

( III.L.2.b), and (2) the RCS process variables within.those predicted for a loss of normal alternate shutdown method.

These provisions also conclude that it is acceptable to uncover the core provided the uncovering time is short enough to preclude a threat to the fuel cladding integrity, thus, meeting the intent and purpose of Section III.L provisions mentioned above.

The licensee has, therefore, requested exemptions from the above requirements and provided justification for their analysis.

The licensee's analysis assumed manual depressurization with three MSRVs at 30 minutes after manual

scram, "HR/LPCI injection with one pump at about the same
time, RHRSW lineup at three

~mrs after scram, cooling water temperature for RHRSW at 95'F, and initial '.uppression

'pool temperature at 95'F (maximum allowed by plant TS).

Based on the above, the licensee calculated (1) approximately 330 seconds of core uncovery time, (2) a peak cladding temperature of 1342'F (less than 1500'F, the temperature at which the clad would be expected to begin undergoing structural change),

and (3) a peak pool temperature of 211'F at approximately 10 hours1.157407e-4 days <br />0.00278 hours <br />1.653439e-5 weeks <br />3.805e-6 months <br /> after scram.

The licensee further stated that

+h ir calculation showed that adequate net positive suction head (NPSH) will be a'a lable to ensure continuous operation of the RH'ump.

In the November 21, 1936 submittal, the licensee calculated a peak local suppression pool '".:;:mph rature of approximately 195'F during steam discharge into the pool via the thre'SRVs, assuming manual depressurization and RHR LPCI injection at 20 minutes after manual scram per Appendix R shutdown procedures.

The licensee, therefore, concluded that their Appendix R safe shutdown procedures comply with the NUREG-0783 (Suppression Pool Temperature Limits for BWR Containments, September 30, 1981) local temperature limit for the pool (200'F),

and thus assure that the steam condensation in the pool during steam discharge via.th~

MSRVs will occur under stable conditions.

The staff finds the licensee's commitment to comply with NUREG-0783 in this regard acceptable.

The licensee has also reviewed the use of drywell coolers during an Appendix R

event (Dune 22, 1987 submittal).

The licensee determined that these are not required for an Appendix R shutdown event and that they will be stripped of their power supply from a common power source to prevent any spurious operation associated with their power supply causing a high impedance fault condition compromising the supply of power to require safe shutdown loads.

The licensee,

however, added that only entry into Appendix R shutdown procedures (See Section 2.4. 15 of this SE) will warrant the above action.

The staff finds 'the above position for drywell coolers acceptable.

The licensee reevaluated NPSH for the RHR pump (November 21, 1986 submittal) using the above assumptions for manual. depressurization and RHR/LPCI injection described above will be used.

Circuit modification for the normally open RHR suppress'ion pool suction valves consists of disabling the open and close controls for the valves by adding local switches in their control circuits, and placing them in the isolated positions during normal power operation, thus, locking the valves in their normal open positions.

During surveillance or shutdown cooling, the valve control will be returned to the control room by placing the switches in the applicable positions.

The licensee proposes to reroute the cables for three of the 13 MSRVs, providing adequate separation for them from the other 10 MSRVs, to ensure that they will always be available for performing manual depressurization from the control room.

Currently, all the valves can be manually operated from the control room.

Additionally, at the backup control panels, there is manual control (open and close) capability for the six Automatic Depressurization System (ADS) valves and manual trip capability for two ADS valves for Units I and 2, and one ADS valve for Unit 3.

Also, there is remote manual trip capability for the three valves for each unit at the applicable 250V RMOV board.

The above modification adequately addresses the potential problem (i.e., loss of all MRSVs or unavailability of three MSRVs) that can arise due to a fire in certain locations (e.g., certain reactor building zones or Fire Areas 5,

9 or 13 where the backup control panels are located).

Further, it does not compromise the manual control capability for the needed MSRVs =+ the backup panels.

The licensee has c iso proposed other cable modifications which involve rerouting the cables associated with some safe shutdown components out of specific fire locations, and/or one-hour fire wraps in the applicable areas in order to provid>> the Appendix R required separation for the needed components.

These include modifications for RHR Pump 3C power cable, power cables for applicable RHR injection valves, power feeder cable to 250V RMOV BD 2B, control cables for tl: LPCI motor generator sets for all the units, f'der cables for instrumenta"'.i,n at the backup panels, other cables required ar applicable APS alignment, ard the conduit containing the power feeder cable from 250 V RMOV BD 3C to Division I instrumentation.

The miscel 1 neous modifications include modifications to the DCA system to provide a manual connection to the CAD system for ensuring long term MSRV control air supply.

This modification includes an isolation capability in the form of redundant manual isolation valves, with hand switches for the valves and check valves, to prevent the degradation of the CAD system.

The licensee has performed safety evaluations for all the above modifications and concluded that they do not introduce any unreviewed safety issue.

Additionally, by submittal dated June 22, 1987, the licensee stated that the backup control panels were initially tested and that the plant operating procedures require post-modification testing whenever modifications are completed to assure that the affected equipment operates as designed.

The

'licensee further stated that the BFN Technical'pecifications require the testing of remote shutdown panel and the electrical distribution system each operating cycle, and that this testing includes checks to verify remote operation capability and circuit isolation from the control building.

Based on the above, the staff concludes that the proposed modifications are acceptable.

2.4.5 Reactivit Control Reactivity control wi 11 be accomplished from an automatic Reactor Protection System (RPS) trip, or by manual scram from the control room.

and assuming RHRSW line up in two hours after manual scram.

The staff concluded that with initiation of the RHRSW within two hours of the sc'ram the NPSH for the RHR pump is adequate.

Based on the above, the staff finds the licensee's proposed method to maintain coolant inventory and request for exemptions from applicable Appendix R,Section III.L provisions acceptable.

Regarding loss of coolant inventory via the main steam lines, the licensee states that this will be prevented immediately by reactor isolation (i.e.,

closing the MSIVs) from the control room and further verified within 10 minutes following the manual scram either at the control room or at the backup control panels.

The staff finds this acceptable.

2.4.7 Reactor Coolant Pressure Control Reactor coolant pressure control is provided by the MSRYs.

Overpressurization protection prior to depressurization is provided by the self-actuating pressure mode of the MSRVs.

The staff finds this acceptable.

2.4.8 Deca Heat Removal During hot shutdown, decay heat is to be removed by the self-actuating mode of MSRV operation.

During cold shutdown, it is achieved by utilizing the "alternate shutdown cooling mode" (i.e.,

RHR system used in conjunction with MSRVs and RHR Service Water System).

In this mode, the vessel is flooded with suppression pool water up tothe s.'earn line, with the hot water overflowing into the suppres;ion pool via an open MSRV.

The method provides for a continuous flow oP suppression

ool water through the core, through an MSRV to

- the pool, and back again to th~

essel after cooling via the RHR heat exchanger.

The RHRSW system >rcvides cooling water to the RHR heat exchanger to remove the reactor decay heat s:ored in the pool.

Thus, this mode cools the reactor and the suppressior

~oc 1 The staff finds the proposed decay heat r movdl method acceptable.

2.4.9 Process Monitorin Resides control room instrumentation, local instrumentation is also provided at the 25-32 backup control panels for direct indications of process variables (i.e., reactor vessel pressure and water level).

Also, breaker and valve position indications are provided. at the various SDBDs.

By November 21, 1986 submittal, the licensee listed the local instrumentation available for diagnostic purposes.

These include the instrumentation for applicable a'uxiliary systems for the minimum SSDS and,the

RHR, RHRSW and EECW pumps'ischarge pressures and flow rates.

Also, the licensee stated (above submittal and the June 22, 1987 submittal) that instrumentation is currently available at the control room and at the backup control panels for all the units for direct indications of suppression pool level and temperature.

The licensee stated that at least one train will be available for a fire in any location except in RB Zones 1-3, 2-3 or 3-3, where the associated cables for the two trains run close to each other.

The licensee, stated that in the event a fire in any exception zone renders both the trains unavailable, portable instrumentation readily available on site will be used to measure the pool level and temperature.

The licensee also provided additional justifications to support the adequacy of the existing provisions for direct 'indications of pool temperature and level.

Based on the above, the staff finds the available instrumentation for reactor pressure and water level and diagnostic monitoring acceptable.

The staff also finds the existing instrumentation and proposed portable instrumentation for suppression pool level and temperature acceptable as an interim measure, provided the proposed portable instrumentation is verified for its reliability and dependability at the time of the Appendix R site audit.

However, towards long term resolution of the problem (loss of direct indication capability for fire in certain RB zones),

the licensee should commit to perform appropriate modifications to ensure that at lease one train of instrumentation is free of any fire damage due to a fire in RB zone 1-3, 2-3, or 3-3.

2.4.10 Su ort Functions The auxiliary systems described in Sections 2.4.2 and 2.4.9 of this SE provide the necessary support functions to the alternate shutdown system.

The staff finds them acceptable subject to resolution of the concern relating to instrumentation identified 'in Section 2.4.9.

2.4. 11 72-Hour Shutdown Re uirement The licensee has indicated and the staff concurs, that the BFN units will have the capability to achieve cold shutdown wit." In 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> after a fire event in any plant area with a los= of offsite power.

2.4.12

~Re airs The licensee states that their proposed modifications will rule out the need for any repa rs to achieve cold shutdown w"'.thin 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />.

The staff agrees with the abvve assessment, based on 'i:he clarifications provided in the June 22, 1987 submittal.

2.4. 13 Technical S ecification The licensee states that some of their proposed modifications will require changes in the existing plant Techne al Specifications (TS).

The licensee has submitted requests for such TS changes to the NRC.

The staff is currently reviewing these TS changes.

2.4. 14 Associated Circuits and Isolation The licensee has examined associated circuits concerns, such as common power source including high impedance faults, common enclosure,

'fire-induced spurious operations including high/low pressure interfaces, and electrical isolation deficiencies.

The licensee has discussed all of these concerns in their submittals as summarized below.

2.4. 14. 1 Common Power Source The licensee states that with few exceptions, all safety related and non-safety related power circuits and instrumentation and control power circuits that share a

common power source with some required safe shutdown equipment are protected with coordinated fault protection devices (such as coordinated

breakers, fuses or isolation devices) to ensure proper coordination of the load and feeder breakers (i.e., breaker/fuse coordination).

These provisions ensure a power supply from the common power source to the safe shutdown equipment during a fire event.

For the exceptions, proper breaker/fuse coordinations will be ensured by circuit modifications.

The licensee has identified these exceptions and the corresponding modifications.

The licensee has also performed safety evaluations for the proposed modifications and concluded that they wi 11 not result in any unreviewed safety concerns.

Regarding fire-induced high impedance faults (i.e., faults in circuits supplying power from a common power source to non-safe shutdown loads) which can compromise the power supply to safe shutdown loads from the same power

source, the licensee proposed to strip all non-safe shutdown loads from the common bus in a timely manner as part of post-shutdown procedures.

This will prevent the interruption of the main feed breaker to the common bus during shutdown.

The staff finds the licensee's approach for handling common power source concerns acceptable.

2.4. 14.2 Common Enclosures Based on their examination of all switchgears, dis'..ibution panels and cabinets (for both auxiliary power and instrumentation and c control power systems) that provide a

common enclosure for non-safe and safe st'utdown cables, the licensee found them to be generally adequately protected fram -damage to safe shutdown cables by circuit bre':kers, fuses or isolation de ices.

The licensee,

however, found a few exceptioIs" to the above (e.g.,'inadequate protective devices for the 250V DC control circuits for the 4kV and 480V SDBDs; too much potential fault current in power circuit cables for some 480V RMOVs and diesel auxiliary boards; and inadequately sized cable protective devices for some power circuits at the 250V RMOV boards).

For all the exceptions, the licensee has proposed corrective modifications to provide the needed protection to safe shutdown cables shared by the affected common enclosu s.

These modifications include replacing large fuses by small fuses, providing additional trip circuit fuses in series with existing fuses, replacing existing breakers with new breakers, or installing proper fuses.

The licensee has also performed safety evaluations for all the modifications and concluded that they do not result in any unreviewed safety concerns.

Based on the above, the staff finds the licensee's approach for handling common enclosure concerns acceptable.

2.4. 14.3 Associated Circuits Concerns for 250V DC Control Circuits The licensee has assessed the special case of associated circuits concerns which involve 250V DC control circuits.

Specifically, the potential exists for the 250V DC control power cables to 4kV and 480V electrically operated breakers (that do not have mechanical interrupt devices),

and the 4kV and 480V power cables, to have associated circuits concerns because they may share either a

common power source or a common enclosure in the same fire area.

If faults occur as a result of fire, then such arrangements can compromise the availability of 250V DC control power which is needed to operate the breakers (i.e., interrupt them when fault conditions occur during a fire event) required for safe shutdown.

Therefore, the licensee has proposed corrective modifications such as a

one-hour fire wrap of the applicable cables in the applicable areas or rerouting the cables.

The licensee has performed safety reviews of all the modifications mentioned above and concluded that they do not introduce any unreviewed safety concern.

Based on the staff's review of the above, the staff finds the proposed corrective modifications acceptable.

2.4. 14.4 Electrical Isolation Deficienc Regarding electrical isolation deficiency (i.e.,

a fault on a remote circuit blowing a fuse needed for local control prior to isolation, and consequently impairing the capability for local control of the needed safe shutdown equipment),

the licensee states that transfer switches have been provided for all equipment that needs backup controls, and that redundant fuses have been provided for the backup control circuitries which will consequen

, ensure power supply for local control of the 'needed equipment.

The staff concludes that the above provisions comply with the guidelines of I&E Information Notice 85-09, "Isolation Transfer Switches and Post-Fire Shutdown Capability" (January 31, 1985) and are, therefore, acceptable.

2.4. 14.5 S urious 0 erations Fire in some areas can impair safe shutdown due to fire-ini.'used spurious operation of safe shutdown equipment or components.

Therefore, Appendix R Item III.G.2 separation requirements have been provided between r edundant safe shutdown equipment, components end associated cabling as f~ r as practicable (e.g.,

not provided in the control building) to ensure the 'availability of minimum SSDS.

When this is not possible, -spurious operations are to be mitigated in a timely manner by corrective manual operations at local stations.

This is made possible by isolating the minimum SSOS needed from the fire affected area and providing manual control capability at the local stations.

The licensee has identified all potential spurious operations, their effects, and mitigation procedures if needed.

These spur ious ~<erations involve the RHR suppression pool suction valves, RHR outboard injection valves, RHR heat discharge portion of the lines, and single normally closed valves on the branch connections to the main condenser and the radwaste system downstream of the common valve.

The licensee proposes to mitigate the spurious operation of the downstream valves by removing motive power from exchanger outlet valves, EECW discharge

valves, RHR, RHRSW and EECW pumps,
DGs, OG auxiliary systems and 250V OC battery chargers.

The licensee has also provided analyses to demonstrate that

( I) spurious operation of one MSRV wi 11 not compromise the safe shutdown and (2) spurious operation of'igh pressure make-up systems (such as the control rod drive (CRD), feedwater and reactor core isolation cooling (RCIC) systems) are bounded by the spurious operation of the HPCI system.

The licensee states. that the spurious operation of the HPCI system, if it occurs, will be manually corrected in a timely manner by closing the HPCI steam supply shutoff valve within 10 minutes after manual scram.

One special category of spurious operations involves high/low pressure interfaces.

The licensee has listed all such interfaces.

These valves are associated with the

RHR, RWCU, HPCI, RCIC, CRD, feedwater, recirculation
sampling, core spray and main steam systems.

The spurious operations of most of these valves do not require any corrective action, since they satisfy-one of the following considerations:

1.

mechanical check valve or manual valve (i.e.,

use of a hand wheel to operate the valve) in series with the applicable valve is available to prevent RC inventory loss via the applicable valve (e.g.,

RHR inboard injection valves);

2.

RC inventory loss via the valve is limited by its associated line size (less than 1 inch) and minimum SSDS has the capability to mitigate the consequences (e.g.,

steam condensate drain line valves for HPCI);

3.

valve fails closed on loss of air after scram (e.g.,

CRD vent and drain line valves);

and adequate separation is provided between the system high and low pressure portions valves (i.e.,

between the RWCU outboard isolation valve and the local control panel containing the controls for th'MCU filter/demineralizer valves).

There are, however, four sets of high/low pressure interface valves not covered by any consideration given above.

These are (1) three normally closeh main steam line drain valves in series, (2) two valves in series on the RWCU discharge line to the main condenser, (3) two valves in series on the RWCU discharge line to the radwaste

system, and (4) two normally closed valves in series on the suction line of RHR in the shutdown cooling (SDC) mode.

The spurious operations of the steam line drain valves are bounded by the spurious operation of one NSRY which the licensee has demonstrated to be acceptable.

Furthermore, the spurious operations will be corrected by manual",y closing one of the three valves at the applicable local station at eight hours after manual scram.

The RMCU discharge lines share a normally open valve on the common discharge portion of the lines, and single normally closed valves on the branch connections to the main condenser and radwaste system downstream of the common valve.

The licensee proposes to mitigate the spurious operation of downstream valves by removing motive power from a normally closed upstream valves during normal plant operation thus, locking it in its normally closed position.

Additionally, at eight hours after the manual

scram, the two downstream valves (i.e.,

downstream of the common valve) will be manually closed at the applicable local stations.

Based on their safety evaluation of the above approach for the RWCU discharge line valves, the licensee has concluded that it does not result in any unreviewed safety concern.

The staff finds the above approach acceptable.

Regarding the two valves on the suction line of RHR in the SOC mode (submittal dated June 22, 1987), the licensee committed to remove the motive power to one of the valves by opening the breaker disconnect switch and placing a valve hold order tag on the breaker and control room switch.

The above procedure maintains the valve in its normally closed position.

The licensee further committed to, verify the tag-out condition by a semiannual audit which includes the verification of the position of the tagged equipment.

The staff finds the above approach acceptable.

Based'on the above, the staff finds the licensee's proposed handling of spurious operation concerns including those for high/low pressure interfaces acceptable.

2.4. 15 Safe Shutdown Procedures And Man ower The licensee has provided typical shutdown procedures for three fire locations.

The exact procedures for all the fire locations are currently being developed.

Also, the licensee has provided a submittal on detailed local manual actions for all fire locations (November 21, 1986).

Available onsite manpower consists of 13 operational personnel, which includes four fire brigade

members, none of whom will be utilized for achieving hot shutdown.

A fire in Fire Area 16 will involve up to nine operation personnel, all outside the control rooms at the various local stations to achieve safe shutdown of all the units.

A fire elsewhere will involve three in the control rooms and six outside at local stations to achieve safe shutdown of all the units.

Two operators are dedicated to the two unaffected units and up to six operators are dedicated to the safe shutdown of the affected unit.

In their submittal dated November 21, 1987, the licensee identified three entry conditions for Appendix R shutdown procedures a'

stated that all of them must be satisf',ed.

These are (1) occurrence

( a fire at any plant location of such severity that it cannot be extinguished immediately, (2) loss of high pressure makeup capability either du to a fire or an intentional trip to prevent unreliable equipment operation, ano (3) unreliable power source (i.e., the ability to provide normal or emergency power to vital plant equipment is in serious doubt).

In the above submittal, the licensee also stated that the post-fire safe shutdown procedures will be evaluated by plant operators in cooperation with the BFN Training Branch to determine the type and extent of the needed formal training and retraining to ensure that the procedures can be effectively followed.

The licensee further stated that the formal training will be provided to the necessary plant personnel prior to startup and that it will be followed by additonal tra.':.,ng as required to comply. with Appendix R.

Based on the above, the staff finds the available

manpower, the 'licensee's commitment to complete the Appendix R shutdown procedures in a timely manner, the scheme for formal training and retraining to the necessary plant personnel, and the entry conditions for implementing Appendix R shutdown procedures are acceptable subject to the following clarification:

1.

Licensee should clarify whether they will enter into Appendix R

shutdown procedures in the event of a fire in any one of the following Fire Areas:

4, 6, 7, 8, 12, 14, 15, 20 through 25.

This question arises since the HPCI system has been identified as available for achieving hot shutdown of all the three u'nits for a fire in any one of the above areas.

Since utilization of alternate shutdown capability may require a

number of manual actions, the staff will verify during the Appendix R site audit that the necessary manual actions can be completed within their specified time frames for assuring safe shutdown with confidence.

3.0 CONCLUSION

Safe shutdown

systems, components and procedures are expected to be avail-able during a severe fire event when other means of safe shutdown identified in plant procedures are determined to be unavailable.

The staff has reviewed all the licensee's submittals to date.

The staff has also toured the plant during their site visit on June 23 and 24, 1986.

Based on the above, the 'staff concludes that except as identified below, the safe shutdown capability (existing and proposed modifications) at the BFN units satisfies the requirements of Sections III.G.2, III.G.3 and III.L of Appendix R contingent upon the exemptions requested from specific provisions of III.G.2, III.G.3 being issued.

These exemptions are addressed in the Appendix R Exemption SE.

AREAS OF CONCERN Protection of one trair of instrumentation for suppression pool level and temperature for the lc ig term is an area of concern.

The proposed portable instrumentat'ion is only acceptable as an interim measure, provided the reliability and dependability of the instrumentation is verified at the time of Appendix R Site Audit (See SE Section 2.4.9).

The staff additionally requires the licensee's clarification on the entry conditions for the Appendix R shutdown procedures (See SE Section 2.4. 15).

Also, at the time of Appendix R Site Audit, the staff will verify the 1) acceptability of the design basis requirements,

2) adequacy of some fire protection systems,
3) adequacy of the procedures for the testing of fire detection and suppression
systems,
4) validity of licensee's designation of some fire locations as solely III.G.1 areas per Appendix R criterion, and 5) feasibility of performing within a very short time (e.g.,

10 minutes after manual scram) few local manual actions (see SER Section 2.4.3'),

and 6) review of the licensee's clarification of entry conditions for shutdown procedures (Section 2.4. 15).

Principal Contributors:

J.

Watt and P.

Hearn Dated:

December 8,

1988

e

Mr. Oliver J. Kingsley, Jr.

Item 7 above requires a formal response from TVA.

We request that you provide this response within 30 days of the Appendix R Audit currently scheduled for March 6, 1989.

Prior to the Appendix R audit, the staff has indicated previously that additional documentation and analyses wi 11 be required to assure BFN conformance and readiness relative to Appendix R for the plant configuration resulting from the single unit operation of Unit 2.

The licensee has responded to this request by providing specific information pertaining to single-unit operation of Unit 2 by letter dated August 12, 1988.

This submittal is currently under staff review.

As previously noted, the staff intends to address the overall adequacy of fire protection in the Browns Ferry Appendix R

inspection report.

If you have any questions, please contact the Browns Ferry Project Manager, Gerald E.

Gears at 301-492-0767.

The reporting and/or recordkeeping requirements contained in this letter affect fewer than ten respondents; therefore, OMB clearance is not required.

Sincer ely,

Enclosure:

Safety Evaluation cc w/enclosure:

See next page Suzanne C. Black, Assistant Director for Projects TVA Projects Division Office of Special Projects Distribution NRC PDR Local PDR Projects Reading OSP Reading JPartlow

. SRichardson SB1 ack BDLiaw WSLittle GGears DMoran JRutberg DCrutchfield BGrimes EJordan ACRS(10)

GPA/PA GPA/CA BFN Rdg. File FMcCoy MSimms OFC

OSP:TVA/LA
OSP:TVA/PM
T NAME :MSimms
GGear
BDLa DATE

/

/88 8

/4/88 OFFICIAL RECORD COPY

TVA:AD/P
SBlack

/

/88

I "I

'f I"

Retrieved from "https://kanterella.com/w/index.php?title=ML18033A463&oldid=5032747"