ML19298B464

Amendment 28 to Updated Final Safety Analysis Report, Appendix F, Unit Sharing and Interactions
Site: Browns Ferry
Issue date: 10/04/2019
From: Tennessee Valley Authority
To: Office of Nuclear Reactor Regulation
Shared Package: ML19298B540

BFN-27

APPENDIX F

UNIT SHARING AND INTERACTIONS

TABLE OF CONTENTS

F.1 Introduction
F.2 Scope
F.3 References
F.4 Criteria
F.5 List of Shared Features
F.6 Description of Shared Conventional Systems
  F.6.1 Normal Auxiliary Power System (Includes Offsite and Station Sources)
  F.6.2 Environmental Radiological Monitoring Program
  F.6.3 Control and Service Air Systems
  F.6.4 Condenser Circulating Water System
  F.6.5 Raw Cooling Water System
  F.6.6 Raw Service Water System
  F.6.7 Radioactive Waste Control Systems
  F.6.8 Drywell Equipment and Floor Drain Systems
  F.6.9 Fire Protection Systems
  F.6.10 Condensate Storage and Transfer Systems
  F.6.11 Potable Water and Sanitary Systems
  F.6.12 Auxiliary Boiler System
  F.6.13 Plant Communications Systems
  F.6.14 Turbine Building and Radwaste Building
  F.6.15 Lighting System
  F.6.16 Plant Preferred and Nonpreferred AC System
  F.6.17 Auxiliary DC Power Supply and Distribution
  F.6.18 Demineralized Water System
  F.6.19 Reactor Building Closed Cooling Water System
  F.6.20 Reactor Building Equipment and Floor Drain Systems
F.7 Description of Shared Class I Seismic Features, Structures, Safeguards Systems and Supporting Auxiliary Systems
  F.7.1 Reactor Building (Secondary Containment System)
  F.7.2 Control Bay
  F.7.3 Spent Fuel Storage Facilities
  F.7.4 Reactor Building Crane
  F.7.5 Process Radiation Monitoring System
  F.7.6 Diesel Generator Buildings
  F.7.7 Pumping Station (Intake Building)
  F.7.8 Standby Gas Treatment Building
  F.7.9 Standby AC Power Supply and Distribution
  F.7.10 250-V DC Power Supply and Distribution
  F.7.11 Subsections of the Heating and Ventilating Systems
  F.7.12 Control Rod Drive Hydraulic System
  F.7.13 Deleted
  F.7.14 Gaseous Radwaste System (Stack)
  F.7.15 Standby Coolant Supply System
  F.7.16 RHR Service Water System
  F.7.17 Emergency Equipment Cooling Water System
  F.7.18 Standby Gas Treatment System

F.1 INTRODUCTION

The Browns Ferry Nuclear Plant is a three-unit plant. As in the case of any multi-unit plant in which the units are contiguous or even in the same general vicinity, the design must be evaluated in respect to possible influence of one unit on the others through the various coupling mediums which exist in the design. An obvious coupling medium is simply the atmosphere, in the sense that a radioactive release from one unit could require emergency action to protect operators at a contiguous or nearby unit. Another coupling is the interconnected electrical grid. In this case, a hypothetical accident on one unit must be considered as having the potential, however small, of causing a general electrical system loss of offsite power, and thus inducing trips and shutdowns of all reactors which are connected to that system. A less obvious coupling may be a conventional service system, such as compressed air or any of several conventional service water systems, failure of which might cause the unit(s) to shut down either directly or indirectly. Couplings from intense natural events such as tornadoes, earthquakes, and floods are considered in these designs, as well as intense unnatural events such as fire, steaming, flooding, and collision or impact from mechanical failures.

Such couplings are evaluated under the following categories of events.

1. Normal Events: These are events that occur regularly and frequently under normal operating conditions. For a three-unit plant, any or all of the units may be operating at any power level or may be shut down. However, it is unlikely that all units will be shut down at the same time.
2. Expected Events: These events are expected to occur infrequently during the life of the plant. They may be due to such causes as operator error, failure in a unit or plant system, normal weather extremes, and transmission line faults.
3. Postulated Events: These events are postulated to occur during the life of one of several plants from such causes as severe floods, minor Operational Basis Earthquakes, or tornadoes; or severe unnatural events such as fire, mechanical failure of small equipment or failure in equipment and components in the conventional nonredundant systems of this plant.
4. Limiting Postulated Events: Certain limiting events are postulated in order to establish the limiting design conditions for the Protection and Engineered Safeguards Systems. They have potential for serious public damage and plant damage extending to the complete functional loss of a unit or the plant. These events are not expected to occur during life of the plant. They include such events as recirculation line failure, design basis earthquake associated with recirculation line failure, sustained loss of offsite power, or curtailed flow of water due to earthquake damage combined with loss of downstream dams.

The demands on the unitized and the shared systems under these categories of events vary according to the state of the individual units. These states are represented by Matrix 1 in Appendix G.

Appendix G, in general, refers to the operational status of a single unit. The design of shared features of the plant is based on all combinations of states possible with three units, except that in the case of accidents, accidents are limited to only one of three reactors.

Certain shared plant systems, such as electric power and ventilation systems, have a significant importance in that they must be in essentially continuous operation under all of the event categories and plant states listed above. The design includes features which recognize the importance of continuity of these services with due regard for allowable outage or repair times.

F.2 SCOPE

The scope of this appendix includes all plant features in which unit sharing and interaction are a significant consideration, except that it does not include those aspects of design and operation associated with refueling operations.

"Unit sharing" implies a coupling of some kind between two or three operating reactors. Where appropriate, this appendix also briefly discusses shared system interactions with each other.

One of the objectives of this appendix is to provide additional information to support the technical specifications and the associated operating and emergency procedures in respect to shared systems. It will be noted that the degree of disablement of plant systems, equipment and components, both in a unit and a plant or intersystem sense, cannot always be defined simply within individual groups or sets of equipment without consideration of the condition of other sets of equipment. For example, certain pumps cannot be deliberately disabled for maintenance if certain diesel generators are concurrently disabled. The reasons for this are explained in the following sections.

F.3 REFERENCES

Interaction between units is briefly discussed in the Browns Ferry Units 1 and 2 Design and Analysis Report (DAR), Chapter 1-9.0, and Amendment 6, Question C-10 (sharing of control rod drive hydraulic pumps).

The Browns Ferry Unit 3 Design and Analysis Report (DAR) is referenced to this subject in the following chapters and amendments:

1. Browns Ferry Design and Analysis Report, Chapter XV (Unit Sharing and Interactions),
2. Amendment 2, Question 3.9 (Listing of components, systems, and structures designed to Class I criteria),
3. Amendment 2, Question 4.2 (Onsite electric system),
4. Amendment 2, Question 4.6 (DC system),
5. Amendment 2, Question 5.4 (Failure of control and service air system),
6. Amendment 2, Question 6.6 (Loss of offsite power operation with and without main condensers),
7. Amendment 2, Question 6.4 (EECW, RHRSW, & RBCCW systems),
8. Amendment 2, Question 7.2 (Sharing of controls, instrumentation and alarms between control rooms),
9. Amendment 4, Question 3 (Watertight sealing of the corner rooms of the torus area),
10. Amendment 4, Question 4 (Additional information on diesel-generator system), and
11. Amendment 5, Question 3 (Additional information with respect to parallel operation of diesel generators).

The balance of Appendix F provides additional information on the subjects related to shared systems in the above amendments.

F.4 CRITERIA

The criteria for the design of shared systems are as follows:

a. Only one of the three units shall be assumed to be in a loss-of-coolant accident or postaccident recovery mode at any point in time; however, the system shall be adequate to address accident signals, spurious and real, in all three units in any order (real followed by spurious or spurious followed by real).
b. The most severe combinations of thermal, hydraulic and electrical loads associated with the various combinations of plant states shall be assumed to establish the design basis for capacity of the shared systems, consistent with the assumption in (a) above.
c. Shared engineered safeguards and supporting service systems shall provide reliable and redundant services to the units and to the plant in all combinations of modes of operation of the units.
d. Systems which are potentially contaminable by accident consequences such as RHR shall not be shared except in the extremely degraded postaccident cases described in (e) and (f) below.
e. It shall be assumed that gross flooding of the basement (El. 519.0) areas could occur as a consequence of torus or torus header piping failure below the water line in the torus in the long term following a loss-of-coolant accident. Additional core damage shall be prevented under these circumstances. The effect of gaseous releases shall not be accommodated in this design; the sole intent shall be to provide continuous core cooling to preclude further core damage.
f. Postaccident core cooling shall be provided in the long term after all of the accident unit Core Standby Cooling Systems have failed because of flooding or other cause. For this case, long-term post accident cooling is defined to begin no sooner than 10 minutes after the accident.
g. Incidents or accidents in one unit shall not directly influence the operation of the other units; they may indirectly cause or require shutdown of the other units.

Examples of such incidents are loss of offsite power and compressed air.

h. Control rooms and other common rooms requiring temporary occupancy in order to operate or shut down the plant shall be protected by appropriate shielding and atmospheric filter systems, so that the most severe radiation release event from one unit shall not cause excessive dose levels in these rooms.


i. Common plant features shall be designed to resist the most severe postulated natural phenomena, such as tornado, flood, and earthquake, without causing fuel damage, except that fuel damage is permissible in the event of a maximum postulated earthquake coincident with recirculation line failure on one unit. The combination of concurrent earthquake and recirculation line failure would be a beyond design basis event. The design shall allow for a random single failure in addition to those which might occur as the result of these conditions, such as pump losses from possible missile impact or water header failures which could cause both partial loss of cooling water and flooding of critical features.
j. Redundant shared systems shall be appropriately isolated and/or separated to avoid loss of essential services from single intense events, including failure of such systems.
k. Shared systems which are in the category of engineered safeguards or their auxiliary supporting systems shall be protected from failure of lower class systems or structures.

F.5 LIST OF SHARED FEATURES

The following lists include two categories of shared systems. The first list includes several shared systems which are not in the category of Class I seismically designed Engineered Safeguards Systems. The second list itemizes the safeguards systems and their supporting auxiliary systems. On some of the systems, only a portion of the system serves a safeguard or supporting function. All of the portions that serve safeguard or supporting functions are designed to seismic specifications in redundant configurations, and are otherwise qualified as elements of the overall protection and actuator systems in the plant. The parenthetical numbers refer to sections, subsections, or paragraphs of the FSAR.

Shared Conventional Features (Not Engineered Safeguards)

1. Normal Auxiliary Power System (Includes Offsite and Station Sources) (8.4)
2. Environmental Radiological Monitoring Program (2.6)
3. Control and Service Air Systems (10.14)
4. Condenser Circulating Water System (11.6)
5. Raw Cooling Water System (10.7)
6. Raw Service Water System (10.8)
7. Radioactive Waste Control Systems (9.0)
8. Drywell Equipment and Floor Drain Systems (10.16)
9. Fire Protection Systems (10.11)
10. Condensate Storage and Transfer Systems (11.9)
11. Potable Water and Sanitary Systems (10.15)
12. Auxiliary Boiler System (10.20)
13. Plant Communications Systems (10.18)
14. Turbine Building and Radwaste Building (12.2.3 and 12.2.5)
15. Lighting System (10.19)
16. Plant Preferred and Nonpreferred AC System (8.7.3.2)
17. Auxiliary DC Power Supply and Distribution (8.8)
18. Demineralized Water System (10.13)
19. Reactor Building Closed Cooling Water System (10.6)
20. Reactor Building Equipment and Floor Drain Systems (10.16)

The shared features listed above are those that are significant to unit and plant operation, and to this extent have an interface relationship with the Engineered Safeguards Systems. Maloperation of some of these systems may challenge the protection and safeguards systems of the units or plant by requiring unit trips and shutdown cooling; however, none of these systems is required to safely shut down the plant. While some of these systems are used during normal shutdown, loss of these systems will not preclude going to cold shutdown.

Common plant features that have little, if any, connection with reactor operation and safety considerations are not included in this list. Examples would be the Service and Office Buildings, Supplemental Diesel Generator system, and Gatehouse.

Shared Class I Seismic Features, Structures, Safeguards Systems and Their Auxiliary Support Systems

1. Reactor Building (Secondary Containment System) (5.3 and 12.2.2)
2. Control Bay (12.2.2)
3. Spent Fuel Storage Facilities (10.3)
4. Reactor Building Crane (12.2.2.5)
5. Process Radiation Monitoring System (7.12)
6. Diesel Generator Buildings (12.2.8 and 12.2.13)
7. Pumping Station (Intake Building) (12.2.7 and 12.2.7.2)
8. Standby Gas Treatment Building (12.2.10)
9. Standby AC Power Supply and Distribution (8.5)
10. 250-V DC Power Supply and Distribution (8.6)
11. Subsections of the Heating and Ventilating Systems and Heating, Ventilating, and Air-Conditioning Systems (5.3.3.6 and 10.12)
12. Control Rod Drive Hydraulic System (3.4.5.3) (Note: The shared portion of this system is not Class I seismic.)
13. Deleted
14. Gaseous Radwaste System (Stack) (9.5 and 12.2.4)
15. Standby Coolant Supply System (4.8.6.4)
16. RHR Service Water System (10.9)
17. Emergency Equipment Cooling Water System (10.10)
18. Standby Gas Treatment System (5.3.3.7)

F.6 DESCRIPTION OF SHARED CONVENTIONAL SYSTEMS

F.6.1 Normal Auxiliary Power System (Includes Offsite and Station Sources)

This system basically consists of seven 500-kV lines which transmit power from the station into the interconnected grid, two 161-kV lines which furnish incoming power to the plant, and the three turbine-generator units.

The shutdown auxiliary power requirements can be met by any of five normal power sources as follows:

a. The two 161-kV lines connected to the two common station service transformers are capable of providing shutdown auxiliary power to any two units.
b. Either of the 500-kV sources for Units 1 or 2 can provide shutdown power to either Unit 1 or Unit 2.
c. The 500-kV source for Unit 3 can provide shutdown power for Unit 3.

The capacity and mode of operation of the offsite power systems ensure that there is a very low probability of system upset if the largest generating unit on the grid is tripped. In the case of earthquake, possible loss of the offsite power system is recognized; the onsite standby diesel generators are designed for this occurrence.

In the event that all three of the Browns Ferry units were tripped within a short interval, the possibility of offsite power loss would be increased considerably. However, the probability of a three-unit trip is very low.

The offsite power system is subject to perturbations from many sources besides those due to events at the Browns Ferry Nuclear Plant itself. However, the reliability of the offsite system is considered to be compatible with the reliability of the onsite system with respect to providing an adequate power supply to the plant under any emergency situation.

F.6.2 Environmental Radiological Monitoring Program

The Environmental Radiological Monitoring Program includes periodic sampling of vegetation, crops, milk, soil, and various water sources in the environs for determination of radioactivity level of various kinds.

F.6.3 Control and Service Air Systems

Each unit has its own drywell control air system for supplying air-operated devices inside its drywell. For Units 1, 2, and 3, the drywell control air system is supplied with nitrogen from the shared Containment Inerting System. The remainder of the control air system and the service air system are shared in the plant. Control air is not required for proper functioning of the engineered safeguards and their supporting auxiliary systems. All necessary air-operated devices, such as main steam isolation and relief valves, which are part of the safeguards complex, are equipped with Class I accumulators which provide a sufficient quantity of stored air for a sufficient number of cycles. This shared system does not influence the nuclear safety of the plant, except the portions which penetrate primary and secondary containment. These portions prevent seismically induced failure from causing a breach of secondary containment and maintain primary containment integrity by providing primary containment isolation and through a seismic design.

F.6.4 Condenser Circulating Water System

In the normal mode of operation, this system is unitized. The three condenser circulating water pumps per unit are powered from the unit 4160-V boards. The pumps are 2250-hp each. Power is normally supplied either from offsite sources or from station sources (unit turbo-generators).

In the shutdown mode (MODE 3), with all the units down and with the reactors steaming to the condensers via the turbine bypass system, only a small amount of condensing water is required to hold normal condenser vacuum which is essential to continuing operation of both the bypass system and the turbine-driven feedwater pumps. One of the nine condenser circulating water pumps has sufficient capacity to furnish a surplus of cooling water for all three units in this condition.

The design provides circulating water tunnel inter-ties so that any one circulating pump can provide condensing water to all units under shutdown conditions. This mode of operation may also be used during outage of the normal onsite sources and loss of offsite power, in preference to discharging steam to the torus or resorting to shutdown cooling operation of the RHR system.

Under such conditions, two of the eight diesel generators would be placed in parallel unit operation and connected to the appropriate unit 4160-V switchboard. The two generators would be used to carry the circulating water pump. The other diesel generators would be used for other shutdown loads.

This mode of operation will not be used with an accident unit. It will be used for nonaccident units in the unlikely case of sustained loss of offsite power coupled with loss of normal onsite generation. This mode minimizes the onsite power requirement for shutdown heat removal.

F.6.5 Raw Cooling Water System

This system supplies water to all units and common equipment. It is designed to maintain adequate cooling flow to various loads which are nonessential to safe shutdown, and it provides the preferred source of cooling water for certain shutdown functions such as RBCCW heat exchanger cooling and the control and service air compressors. The Raw Cooling Water System also serves as a secondary source of cooling water to some components which are normally supplied by the Emergency Equipment Cooling Water System in Unit 2 only.

The Raw Cooling Water System is normally operated in conjunction with the condenser circulating water pumps. Under loss of normal auxiliary power conditions, when the circulating pumps are inoperative, the raw cooling water consumption must be conserved. Raw Cooling Water flow is limited to one pump per unit to prevent cavitation damage from lack of suction pressure.

This shared system does not influence the nuclear safety of the plant, except the portion which penetrates secondary containment. This portion is designed to prevent seismically induced failure from causing a breach of secondary containment.

F.6.6 Raw Service Water System

This system provides miscellaneous shared noncritical services with raw water. It maintains pressure on the fire mains. It is not a critical system.

This shared system does not influence the nuclear safety of the plant, except the portion which penetrates secondary containment. This portion is designed to prevent seismically induced failure from causing a breach of secondary containment.

F.6.7 Radioactive Waste Control Systems

The Shared Liquid and Solid Radwaste Systems are essential to normal operation of any or all plant units, but are not essential for shutdown. Emergency power and Class I seismic design are not required for this system.

This shared system does not influence the nuclear safety of the plant, except the portion which penetrates secondary containment. This portion is designed to prevent seismically induced failure from causing a breach of secondary containment.

The Gaseous Radwaste System discharges a mixture of gases from various plant sources through subsystems which process the gases to the shared stack. Some subsystems (e.g. charcoal adsorbers) in one unit may be operated in parallel with another unit's subsystems. Other equipment (e.g. chillers for the dehumidification and recombiner room cooling coils) may be cross tied between units. Unitized air dilution fans in the base of the stack dilute the explosive mixture of hydrogen, oxygen, and air at the point where these gases are discharged from the explosion-resistant piping system. Two fans are provided per unit. These fans are not required in either the accident or loss of offsite power cases. The ducting within the stack and the stack itself are designed to Class I seismic requirements (see paragraph F.7.14).

F.6.8 Drywell Equipment and Floor Drain Systems

This system is shared to the extent that the drains discharge into common receivers through piping systems which are common for all units. The receivers are higher than the sump; thus, natural drainage will not occur.

This shared system does not influence the nuclear safety of the plant, except the portion which penetrates secondary containment. This portion is designed to prevent seismically induced failure from causing a breach of secondary containment.

F.6.9 Fire Protection Systems

The common parts of this system are the high-pressure water based suppression systems (i.e., water spray deluge and preaction systems, hose stations, hydrants, etc.), the low-pressure CO2 systems, and the fire detection, annunciation, and initiation systems. Fire Protection is described further in FSAR Section 10.11.

The Fire Protection System piping is seismically supported to ensure that it will not fall on ESS equipment during a seismic event. The system itself is not designed to seismic requirements. However, portions of the CO2 subsystems within the Diesel Generator Buildings and the Control Building, designed to Class I seismic criteria and part of the detection circuitry, which closes the Diesel Generator Rooms for CO2 flooding, have been designed to prevent spurious closing of these rooms under earthquake shock conditions.

This shared system does not influence the nuclear safety of the plant, except the portion which penetrates secondary containment. This portion is designed to prevent seismically induced failure from causing a breach of secondary containment.

F.6.10 Condensate Storage and Transfer Systems

This shared system, which is operated in the unitized mode, provides a common source of preferred water supply to the RCIC and HPCI systems of all units. The system may also furnish water for non-safety related purposes to all the control rod drive hydraulic, Residual Heat Removal, and Core Spray pumps. The common portion of the piping, tanks, and valves outside of the reactor building are not required for safe shutdown and do not have any seismic requirements. The HPCI system for each unit is provided with an automatic suction transfer to the torus of that unit. The associated level switches for this transfer are mounted on the Condensate Storage and Supply System piping.

This system penetrates secondary containment and is designed to prevent seismically induced failure from causing a breach of secondary containment. The unitized portions of this system do provide a safety function in support of the HPCI System.

F.6.11 Potable Water and Sanitary Systems

These shared systems do not influence the operational safety of the plant, except in the sense that those portions of the systems which penetrate secondary containment are designed to prevent seismically induced failure from causing a breach of containment. The lines are provided with valves to ensure the containment integrity if the piping systems are damaged by seismically induced loads.

F.6.12 Auxiliary Boiler System

This system provides a common means to test the HPCI and RCIC steam turbines at low pressure and place the steam jet air ejectors in service. The outage of this system does not influence the capability of the plant to shut down in any mode.

The boilers are relatively low-pressure (250 psig). They are located in the Turbine Building. The Turbine Building is separated from the control bay by a two-foot-thick concrete wall. This protection, plus backup protection in the event control room equipment becomes inaccessible or inoperative, effectively prevents a boiler accident from interfering with the safe shutdown of the plant.

This shared system does not influence the nuclear safety of the plant, except the portions which penetrate secondary containment. These portions are designed to prevent seismically induced failure from causing a breach of secondary containment.

F.6.13 Plant Communications Systems

This common system provides routine communication needs and, in addition, provides emergency communication by independent sound-powered systems. Six separate, sound-powered systems are provided between the control room and various areas in the plant. A seventh, redundant and independent sound-powered system interlinks the Diesel Generator Rooms with the backup control center and the 4-kV shutdown boards.

F.6.14 Turbine Building and Radwaste Building

These buildings house common services to all three units. The Turbine Building is physically divided into unit areas wherein shielding from on-line N-16 radiation is the main consideration for the wall designs. Neither of these buildings is required for safe shutdown. Damage by tornado, earthquake, turbine failure, or other cause is considered to be credible and allowable.

The interfaces between these buildings and their internal structures, and the Class I control bay and Diesel Generator Building, have been examined for possible influence of failure of the lower-class system. Portions of the Radwaste Building structure have been assigned to Class I seismic criteria because of their influence on the Diesel Generator Building. Similarly, the interface wall between the control bay and the Turbine Building has been designed to withstand impact from failure of the lower-class Turbine Building.

F.6.15 Lighting System

This common system is ordinarily powered from the Normal Auxiliary Power System.

There are two backup subsystems, each of which has multiple circuits. One backup subsystem uses the 250-V DC system as a Class IE source of power. The other backup system, which also has a Class I power source, uses the standby diesel generators to furnish lighting in critical areas. Battery packs are used to supplement the above systems. A portion of the individual battery pack lights are required to meet fire protection requirements.

F.6.16 Plant Preferred and Nonpreferred AC System

This system provides the plant with a transient-free, constant-frequency system for such items as clocks and chart drives. While it is a highly reliable system, its failure does not represent a nuclear safety problem.

F.6.17 Auxiliary DC Power Supply and Distribution

The 48-V DC system provides power to the general plant communication and annunciator systems. Although the system is highly reliable, with three batteries and four chargers, it is not a Class I seismic design. Failure of the system would cause loss of the annunciator complex, but this would not directly influence continued operation nor prevent a safe shutdown of the plant.

F.6.18 Demineralized Water System

This shared system provides high purity water to all three units and to the common plant facilities such as the radio-chemical laboratory. It serves no essential shutdown function.

This shared system does not influence the nuclear safety of the plant, except the portions which penetrate primary and secondary containment. These portions prevent seismically induced failure from causing a breach of secondary containment and maintain primary containment integrity by providing primary containment isolation and through a seismic design.

F.6.19 Reactor Building Closed Cooling Water System

This system is normally unitized but a common spare pump and heat exchanger are used for all three units. The system differs from the design described in Section 6.4.3 of Amendment 2 of the Unit 3 DAR, wherein the common pump was shared only by Units 1 and 2. Otherwise, in respect to utilization of the spare pump, the design is unchanged. Each reactor normally operates with two pumps and two exchangers; however, one is sufficient in an emergency.

The multi-unit plant requires consideration of maintaining RBCCW operation for nonaccident units under combined accident and loss of offsite power conditions. It is necessary to avoid high drywell temperature and seal damage in the nonaccident units to avoid the creation of secondary emergencies in addition to the primary emergency which requires concentration of pumping and electrical power. Appropriate parts of the RBCCW systems are programmed to automatically start on diesel power. They, thus, protect the recirculation pump seals and through operation of the multiple blowers, maintain satisfactory drywell temperature in the nonaccident units.

Also, spent fuel pool cooling can be restored to maintain pool temperatures within acceptable limits. The RBCCW systems provide cooling for the spent pool heat exchangers. This cooling function must be reestablished in the long term following an accident to prevent discharge of excessive water vapor into the secondary containment, where vapor could enter the SGTS and damage the filters.

The systems are nonredundant in respect to the piping system. If a system should fail for this or any other reason, drywell temperature would be maintained by operation of the RHR drywell spray system and/or programmed blowdown of the unit to reduce primary coolant temperature. Heatup of the drywell is slow enough to permit manual operation of the drywell spray system. Alternate means of cooling the spent fuel pools are provided by an inter-tie with the RHR systems. The pool water can be circulated through the RHR system, where it is cooled before it is returned to the pool.

F.6.20 Reactor Building Equipment and Floor Drain Systems

This system is shared in respect to the common drain header into which the unitized Reactor Building floor drainage pumps discharge. Two pumps are provided for each unit, each of which is powered from diesel-backed sources. They are designed to accommodate several times the maximum expected drainage flow. Each pump has a capacity of 160 gpm at 90 ft of head, and both pumps may operate concurrently.

In the event that system failures lead to flooding of the Reactor Building floor at elevation 519.0, only one zone would be affected. Doors between the zones are designed as bulkheads and are administratively maintained closed.

Essential raw water headers (EECW system) are sectionalized to provide isolation of possible leak sources into the zone while maintaining sufficient flow for essential safeguards equipment.

In the event of gross failure of the torus or torus header piping under postaccident conditions, the unit drainage system would be greatly exceeded and the drainage flow would stop because of pump failure. The system cannot naturally drain into the receiver tanks. The Standby Coolant Supply System (see paragraph F.7.15) would be used to cool the reactor.

F.7 DESCRIPTION OF SHARED CLASS I SEISMIC FEATURES, STRUCTURES, SAFEGUARDS SYSTEMS AND SUPPORTING AUXILIARY SYSTEMS

F.7.1 Reactor Building (Secondary Containment System)

The Reactor Building is shared by all three units. It serves as the secondary containment envelope for any radiation release from the primary containments and as the primary envelope for any release from sources inside the building but exterior to the drywell or torus piping of any unit.

The design basis of the Secondary Containment System and the Standby Gas Treatment System is to maintain a negative pressure inside secondary containment.

The Reactor Building is designed as a Class I structure in order to maintain its integrity and, hence, pressure boundary following a Design Basis Earthquake. The penetrations through the secondary containment membrane in conjunction with the Standby Gas Treatment System are designed to maintain a negative pressure inside the secondary containment boundary following a Design Basis Earthquake, thus limiting the release of radioactive material directly to the environment.

The building is divided into three reactor zones and one common refueling zone. Upon receiving an initiation signal, the SGTS provides for reduction of pressure in the reactor zone to be isolated and in the shared common refueling zone.

Isolation results in all normal ventilation ceasing in the isolated zone(s). Subsection 5.3.3.2 describes the sequence and logic for isolation of the secondary containment system. Normal plant operation requires the ventilation in order to maintain equipment operability and to prevent trips based on high ambient temperatures. Recent operating history has demonstrated that the loss of ventilation to the main steam and feedwater valve vaults for an operating unit can quickly (approximately 10 to 30 minutes) result in a main steam system isolation (and hence reactor trip) based on high area temperatures.

The unit zones provide a means to support postaccident cooling of a unit in the postulated case of subsequent loss-of-torus water which would cause zone flooding.

This is discussed in paragraph F.7.15.

F.7.2 Control Bay

The control bay houses facilities for all three units. In respect to direct shielding from accident-created sources and to atmospheric control, the control bay includes the separate rooms in the Reactor Building which contain the 4160-V and 480-V shutdown switchboards. These rooms are therefore accessible for direct switching operations during any postulated event except, of course, for some unnatural occurrence in one such room. The board rooms are shielded from accident-created sources to enable temporary occupancy, whereas the control bay proper is shielded for long-term occupancy.

The control bay is approximately 400 feet long and vertically is separated into three floors at elevations 617, 606, and 593 feet. The upper floor contains the normal control room complex for all three units, the middle floor contains cable spreading rooms and rooms for mechanical HVAC equipment, and the bottom floor contains rooms for electrical and instrumentation equipment. Room separation on all three floors is accomplished by masonry walls and metal doors.

The control bay has been designed to provide an environment protected from tornado missiles and differential pressures. With respect to incidents arising from causes within the control bay which might necessitate evacuation by operators, facilities have been provided in the Reactor Building to enable operators to safely shut down all units to either the hot (MODE 3) or cold (MODE 4) shutdown condition.

F.7.3 Spent Fuel Storage Facilities

The spent fuel storage facilities are shared only for Units 1 and 2, and the sharing feature is only a transfer canal which connects the two storage pools. Watertight gates are provided at each end of the transfer canal.

An incident arising from a fuel handling accident from an open reactor or from the storage pools influences the entire three-unit refueling floor. This zone of the secondary containment would be isolated and placed on the Standby Gas Treatment System. Units which might be in operation would not be directly affected by such an incident and would not necessarily have to shut down.

F.7.4 Reactor Building Crane

The crane is shared by all three units. However, from an operational viewpoint, it influences only one unit at a time.

F.7.5 Process Radiation Monitoring System

The four subsystems that are shared are the Main Stack Radiation Monitoring System, the Reactor Building Ventilation Radiation Monitoring System, the Plant Ventilation Exhaust Radiation Monitoring System, and the Liquid Radwaste Effluent Monitor. The main stack system monitors the diluted gaseous release from all three units. It may therefore become the first source of information which would require power reduction or shutdown of any or all units.

The Main Stack Radiation Monitoring System does not initiate any control action, since it cannot distinguish which unit may be the source of high radiation. Additional unitized process radiation systems, including those in each off-gas holdup pipe, provide source recognition so that the offending unit may be identified. The unitized systems provide control action which would result in a unit trip if no corrective action is taken to reduce activity release.

The Reactor Building Ventilation Radiation Monitoring System is shared in the sense that radiation monitors in the common refueling zone act in conjunction with unitized zone monitors to cause alarms, isolation of the affected zone plus refueling floor, and closure of unit primary containment purge and exhaust paths. The latter paths are normally closed when the units are in operation. If radiation from an accident unit is detected in a non-accident operating unit, the principal effect would be isolation of the non-accident unit's reactor zone of secondary containment and loss of normal ventilation. The effect of isolating the secondary containment and the associated loss of ventilation for an operating unit is discussed in Section F.7.1.

The Plant Ventilation Exhaust Radiation Monitoring System records the activity released by way of the ventilation exhaust and alarms when the activity released reaches a preset value. The system is unitized and is shared only in the sense that the unitized detectors monitor samples from the common Turbine Building, Radwaste Building and refueling zone.

The Liquid Radwaste Effluent Monitor records the activity released by way of the Liquid Radwaste System and alarms when the activity released reaches a preset value.

F.7.6 Diesel Generator Buildings

These buildings provide a protected environment for the standby diesel generators which are essential to safe shutdown in the event of a sustained offsite power loss and complete loss of station sources.

The buildings are independent structures. Internally, each is divided into four reinforced concrete bays, or stalls, that contain the engine generators and their respective auxiliaries. Each stall is separately ventilated to cool the engine exterior and generator. The engine jacket water is separately cooled by the Emergency Equipment Cooling Water System. Combustion air and exhaust are independent of the ventilation system, but the generators are dependent on room ventilation.

A gallery at the rear of the generator stalls houses two auxiliary boards which provide dual auxiliary supply power to all four of the diesel generators. These auxiliaries include two 100-percent-capacity ventilation fans per generator. The boards are in separate rooms; however, the gallery below the boards extends across the full length of the building.

A fifth room, or stall, in the Diesel Generator Building contains the CO2 storage system and a central information panel for diesel operation. This panel is a passive backup information center for use under abnormal conditions which might require operator evacuation of the Main Control Rooms.

The buildings are designed to Class I seismic requirements. They have also been designed for tornado missile impact and for the differential pressures arising from a tornado. See Section 12.2.8 for greater detail of design wind and tornado loadings.

Access to the buildings is provided from outside by doors at the end of each stall. In addition, shielded accesses are provided via doors and stairways from the Control Building. Operators may thus enter the Diesel Generator Buildings from the control bay.

F.7.7 Pumping Station (Intake Building)

This building houses equipment which provides all cooling water to the plant. Integrity of this building is essential to plant safety in any mode of operation, since continuity of operation of at least part of the pumps therein is required. Similarly, the intake channel must always supply at least enough water to effect shutdown heat removal and auxiliary equipment cooling.

For this reason, these structures have been designed to resist tornados, floods and earthquakes, and to provide physical separation of essential pumps so that any violent event of natural or unnatural origin will not damage enough pumps to prevent safe shutdown cooling. The essential pumps are not dependent on the general building circuitry; instead, they are powered by separate feeders entering the building from physically separated routes.

The RHR service water pumps assigned to the RHRSW System, which provide shutdown cooling water, are mounted outdoors in pairs on the deck within compartments in addition to one RHRSW pump per compartment assigned to the EECW System, to minimize the possibility of missile damage.

The intake channel has been designed to assure continuity of water flow into the plant under postulated Design Basis Earthquake conditions, which are further hypothesized to cause loss of the downstream dam. The channel is cut sufficiently deep to insure continued flow from the main river channel assuming failure of the dam. The channel walls are sloped and otherwise designed to preclude channel blockage under any postulated conditions.

Normally, a large amount of cooling water enters the plant via the intake structure.

Under shutdown conditions, intake flow is reduced to a few percent of normal, thus not requiring continued use of the traveling feature of the screens used under normal operating conditions. Water flow rate is reduced to near zero in the channel and within the building under emergency conditions.

F.7.8 Standby Gas Treatment Building

This shared building is essentially a four-compartment, concrete box buried in the berm in the southwest end of the Reactor Building (see Section 12.2.10.1 for a description of the structure). It contains the blowers, filters and other auxiliaries of the Standby Gas Treatment System. The building is Class I seismic. Internal shadow-shielding is provided between the three subsystems. The building is drained by four sump pumps, located in two sumps. The pumps are powered by emergency power.

F.7.9 Standby AC Power Supply and Distribution

This paragraph is intended to supplement the information contained in Subsection 8.5 with regard to the common or shared character of the system. The system is composed of four independent, diesel generator units coupled as an alternate source of power to four independent, 4160-V boards for Units 1 and 2. There are four additional diesel generator units coupled as an alternate source of power to the four Unit 3 4160-V boards. Each board furnishes essentially identical services. Any given Unit 1 and Unit 2 4160-V board has, as a possible load, two RHR pumps, each assigned to a different unit. Thus, the four shutdown boards supply four RHR pumps on each unit. Any given Unit 3 4160-V board has, as a possible load, one RHR pump; thus, the four Unit 3 boards also supply four RHR pumps. Similarly, the four Unit 1 and Unit 2 shutdown boards power eight core spray pumps, and the Unit 3 shutdown boards power four core spray pumps. Two such pumps operating in parallel on the same core spray loop are required for core spray on a particular unit.

No single 4160-V shutdown board will have more than the following loads:

1 RHR pump, 1 Core Spray pump, 2 RHRSW pumps, and associated 480-V loads.

For Units 1 and 2 only, to prevent overloading the shared Unit 1/2 4KV shutdown boards during combinations of real and spurious accident signals, the RHR (LPCI) and Core Spray systems will initiate the ECCS preferred pump logic to dedicate the Division I 4KV shutdown boards and their associated pumps to Unit 1. The Division II shutdown boards and their associated pumps are dedicated to Unit 2. For additional discussion of the ECCS preferred pump logic, see Section 7.4. Additional discussion of the 4160-V shutdown board loading is given in Section 8.5.

Below the 4160-V level, the system is basically unitized, having two 480-V shutdown and two diesel auxiliary boards. The two 480-V shutdown boards, one physically isolated from the other, have independent supplies from different 4160-V boards; and, in addition, each has a backup supply from a third 4160-V board. The four 480-V diesel-auxiliary boards which provide common services to the diesel generators are similar to the unit 480-V shutdown boards in respect to physical and electrical separation and supply.

As mentioned previously in this appendix, this system must meet the maximum power requirement, assuming prolonged loss of offsite power and station sources and the worst possible combination of unit operating modes. This is determined to be the design basis earthquake plus design basis loss-of-coolant accident in one unit, with the other units being tripped, for any reason, or already shut down and operating on their respective shutdown pumps.

The system is required to cope with this mode for a period of at least 10 minutes without assistance from the operators. In this mode, the 4160-V boards will disconnect from the normal supply and will shed their normal loads, including any pumps which may already be in operation, and will then be automatically connected to their respective diesel generator as soon as voltage and frequency are obtained after the automatic start.

The accident-initiate signals from the reactor system in the accident mode perform two essential functions: (1) they align the core cooling function to the accident unit and process any accident-initiate signals which may subsequently arise, and (2) they initiate the timed loading of the 4160-V shutdown boards. Timing is required to enable the diesel generators to successfully start the comparatively heavy pump loads.

Timers are independent; the failure of any timer may prevent successful operation of only one 4160-V board and generator combination.

In the event that normal auxiliary power is not lost under the single- or multi-unit trip cases, a different timing system is used to avoid the simultaneous starting of all accident-unit pumps on the common Normal Auxiliary Power System. Timers are again independent; the loss of one such timer may cause the loss of the pumps assigned to one board if it fails to operate.

In the event of an accident and the failure of one diesel generator, the Standby AC Power Supply System would retain in operation three of four RHR pumps on LPCI and two parallel core spray pumps (one loop) for ten minutes. Nonaccident units would be on RCIC-HPCI operation, if they had tripped from normal operation, and would be discharging heat to their respective pressure suppression chambers.

Following the initiation of an accident and loss of normal auxiliary power, the Standby AC Power Supply System will automatically restore selected loads in the non-accident units (such as drywell blowers) that are needed to support the non-accident units in a safe shutdown condition during the initial ten minutes following an accident.


BFN-28 At ten minutes, the operators are assumed to begin to manually operate the system.

Basically, their task is to verify that the accident unit is under control with core spray and RHR pumps, after which they will withdraw one or two of the three or four RHR pumps which are serving the accident unit in LPCI mode. The reactor operators will manually begin the operations necessary to successfully remove heat from the pressure suppression chambers of all three units. For Units 1 and 2, the non-accident unit operators will have to coordinate with the accident unit operators to reduce loads on the shared Unit 1/2 4KV shutdown boards prior to restoring any large loads, such as RHR pumps for shutdown cooling in the non-accident unit. Further discussion of non-accident unit shutdown is contained in FSAR Section 14.12.4.4. The standby AC power system has the flexibility to permit the Unit 3 diesel generators to power de-energized Unit 1 or Unit 2 4kV shutdown boards or to allow paralleling the Units 1 and 2 diesel generators with the Unit 3 diesel generators, if desired for flexibility or Defense-in-Depth.

In the postaccident recovery mode, the Standby AC Power Supply System is realigned and supervised by the operators to reflect its long-term function as a shared system.

Six out of eight of the diesel generators can provide sufficient power, with a fair margin based on their rated capacity. However, the diesel generators, switchboards, headers and valving, and pumps and heat exchangers are arranged in certain sets which must be considered as integrated subsystems in developing detailed emergency loading and operating procedures. Core spray on the accident unit is provided from two of the three boards available and other shared services are appropriately divided between the three boards.

As noted above, both the automatic and manual modes of operation of the Standby Diesel Generator System utilize eight independent electrical sources.

If failure of the Normal Auxiliary Power System should be the only occurrence, the preferred method of removing afterheat is through the main condensers, because this is simpler and requires less electrical power. However, one of the nine 2250-hp condenser circulating water pumps must be started and operated. This would require the paralleling of two diesel generators. The design provides for this mode of operation.

F.7.10 250-V DC Power Supply and Distribution

The 250-V Unit DC System has three batteries, one located in each unit. The unit batteries are connected and sized so that any two can carry the maximum expected design basis accident load for 30 minutes without recharging.

The fourth, fifth, and sixth batteries located in the Turbine Buildings are provided as non-class 1E sources for unit specific non-class 1E loads and common station services.

The battery chargers are also unitized in normal operation; however, a spare charger can be manually switched to any of the unit or station batteries.

A possible shared influence is related to circuit faults. Circuits that are assigned to a given separations division are not permitted to be routed with circuits assigned to the other separations division. Hence, a faulted circuit could influence only one separations division. Non-divisional circuits routed with both divisions have two isolation devices. Additionally, selective coordination is provided such that the device nearest the fault isolates the faulted circuit. For ungrounded DC control circuits, fuses are provided in both the positive and negative circuit to provide backup protection should one of the fuses fail to open the faulted conductors.

The 250-V DC Control Power Supply System consists of five batteries and chargers (one set assigned for each of the Unit 1 and Unit 2 shutdown boards and shutdown board 3EB). Thus, the sharing is limited to one of the four shutdown boards that supplies the Standby AC Power Supply System for Units 1 and 2.

F.7.11 Subsections of the Heating and Ventilating Systems

These shared systems are described in paragraph 5.3.3.6 and Subsection 10.12 of the FSAR. The effect of loss of normal ventilation in the Reactor Building is discussed briefly in paragraph F.7.1.

The Turbine Building heating and ventilating system is shared in the sense that the turbines are in a common ventilation zone. Each unit has its own complement of intake and exhaust fans, and the normal air flow patterns should not cause any significant cross flow in the common turbine room.

For the purpose of this description, the control bay includes the shutdown board rooms which are actually within the Reactor Building, but outside the perimeter of secondary containment.

The Unit 1 and Unit 2 rooms contain both the 4-kV and 480-V shutdown boards whereas the Unit 3 rooms contain only the 480-V shutdown boards. (The Unit 3 4-kV shutdown boards are housed in the Unit 3 Diesel Generator Building.)

The Unit 1, 2, and 3 control bay cooling system consists of two independent central chilled water systems serving two independent area chilled water air handling systems.

The Unit 1 and 2 chilled water system consists of two 100% capacity air cooled, water chilling units and nine area chilled water air handling units: four 100% capacity units serving the Unit 1 and 2 Electric Board Rooms located in the Reactor Building, two 100% capacity units serving the Unit 1 and 2 safety related equipment rooms located on the 593 elevation of the Control Building, two 100% capacity units serving the Unit 1 and 2 Control Building, and one 100% capacity unit serving the common Switchyard Relay Room also located on the 617 elevation. The Unit 3 chilled water system consists of two 100% capacity chillers and five area chilled water air handling units: two 100% capacity units serving the Unit 3 safety related equipment rooms located on the 593 elevation of the control building, two 100% capacity units serving the Unit 3 control room and office spaces located on the 617 elevation of the control building, and one 100% capacity unit serving the common switchyard relay room located on elevation 617 of the control building.

Separate ventilation systems supply outside air to the Control Building. The outside air serves as makeup air for the air-conditioned areas and for ventilation of the spreading rooms, and the Units 1 and 2 Elevation 606 Mechanical Equipment Room. Two of the outside air systems are shared. The first serves the Unit 1 and Unit 2 Main Control Room, the Switchyard Relay Room, Units 1 and 2 Elevation 606 Mechanical Equipment Room, and the Unit 1 and Unit 2 Auxiliary Instrument Rooms; and the second serves the Units 1 and 2 spreading room. The third and fourth are not shared, as the third serves the Unit 3 Main Control Room and Auxiliary Instrument Rooms, and the fourth serves the Unit 3 spreading room.

The air-conditioning for the Unit 3 4-kV electric board rooms is provided by the Unit 3 Diesel Generator Building systems, as discussed in FSAR paragraph 10.12.5.3.

There are two separate systems serving two different areas in the building. Two of the four boards are in one area and two boards are located in the other area.

Maloperation of the air-conditioning or ventilation air systems could adversely affect the operation of any or all generating units in any mode. These systems are therefore designed as redundant sets serving corresponding rooms or groups of rooms. Each redundant set has two 100-percent-capacity air-handling (recirculation) systems and are designed as engineered safeguards support systems. Although the temperature rise in most of the rooms served by the air-conditioning and ventilation air systems would be fairly slow after system failure, calculations show that the ultimate temperatures would be too high to predict reliable operation of the equipment therein.

A typical example would be a room containing a 250-V battery charger wherein the continued set operation is contingent on maintaining room ventilation. Therefore, the systems are designed in redundant configurations, have access to normal and emergency power, and, where appropriate, are designed to Class I seismic requirements.

The rooms containing the Unit 1 electric boards and Unit 2 electric boards are cooled by two 100 percent capacity air handling units. The Unit 3 480-V electric boards are cooled by two 100 percent capacity air conditioning units. These units are water cooled and reject the internal room heat load to the EECW system. The conditioned air operates as a closed loop within the corresponding board rooms located in each of the Reactor Buildings.

F.7.12 Control Rod Drive Hydraulic System

A Control Rod Drive Hydraulic System water pump is shared between Units 1 and 2.

There is no direct safety-related function required of this or the other pumps, since control rod scram is accomplished by accumulators on each rod backed up at high reactor pressure by the reactor primary coolant system.

The use of the shared pump is fully discussed in Amendment 6 of the Browns Ferry Units 1 and 2 DAR, with the conclusion that no adverse interaction would result between Units 1 and 2. It should be noted that an additional feature of the CRD system is to provide purge water for the recirculation pump seals. A pump shaft seal water line is cross tied between all five control rod drive pumps. A shutoff valve allows each pump or unit to be isolated.

F.7.13 Deleted

F.7.14 Gaseous Radwaste System (Stack)

These systems are unitized except for the common discharge plenum, ducting, and the stack itself. The unitized systems have dual air-dilution fans; during normal operation, the common portions of the system see diluted gaseous radwaste.

In the postaccident mode, the stack and internal ducting are used to obtain elevated discharge from the Standby Gas Treatment System and the Unit 3 HWWV. For this and other reasons, the stack and the internal ducting which perform this function are designed to Class I seismic requirements.

The 600-foot stack is also designed for controlled failure if it should be damaged by a violent tornado. The upper portion is designed to fail first and thereby to limit the reach of the stack if it should be blown down. It would therefore not strike the Diesel Generator or Reactor Building.

F.7.15 Standby Coolant Supply System

This shared system is designed to provide continuing core cooling in the most degraded state of the unit RHR and Core Spray Systems, namely, that of complete failure due to inundation from torus, torus header piping failure, or other cause. The system provides for an open-cycle mode of core cooling with discharged water from the primary system leak passing into the basement area. For this mode, the only pump required for the accident unit would be one of the two RHRSW pumps connected to the RHR service water header supplying the standby coolant system. This mode of operation would be used only until a sufficient hydrostatic head of water is built up in the basement to supply adequate NPSH to RHR pumps on the unit cross-connection.

The building walls, bulkhead doors, and penetrations are designed for a hydrostatic head considerably greater than that necessary to achieve adequate NPSH on the cross-connected RHR pumps at the specified flow rate for this mode. Subsequent cooling would be a closed-cycle mode using one of the two available RHR heat exchangers on the adjacent unit.

This shared system is normally valved off. Valves are located high enough to insure adequate time for lineup before they become inundated. The zones are provided with instrumentation which annunciates when the floor is flooded at the 519.0 elevation.

The Standby Coolant Supply System provides means for core cooling for any postulated failure of the RHR cooling complex, provided the reactor has been tripped for several minutes and sufficient time is available for system alignment. Additional features of the system are discussed in paragraph 4.8.6.4.

F.7.16 RHR Service Water System

This shared system consists of four pairs of RHR service water pumps assigned to the RHR systems and four additional pumps assigned to the EECW system. Each of the pairs feeds one independent RHR service water header which, in turn, feeds one RHR heat exchanger in each unit. Two of the individual pumps feed one emergency equipment cooling water header. The two remaining pumps feed the alternate header.

The entire system is Class I seismic. On a per unit and plant basis, the system provides several ways to furnish raw cooling water to essential shutdown equipment.

Each RHR service water and EECW header is physically, mechanically, and electrically independent of the alternate headers performing the same function.

The main function of the RHR Service Water System is to provide an assured heat sink for long-term dissipation of afterheat to Wheeler Reservoir, when the normal means of heat rejection through the condensers is not available for any reason or cannot be used because the reactors are depressurized or isolated from the condensers. The reactor cooling systems have sufficient heat storage capacity so that under emergency conditions temperature changes are slow enough to permit manual operation of the RHR Service Water System. Therefore, all system operations are manually controlled both in the normal and postaccident modes.

A second function of the RHR Service Water System is to provide an assured supply of water for the Emergency Equipment Cooling Water System, which supplies cooling water for the various auxiliary systems and items of equipment which support the shutdown operations. These may be unit or plant functions. Examples are RHR seal coolers, RHR and core spray room coolers, the Control Building emergency cooling unit, and the diesel-engine coolers. In these cases, a dependable and promptly-available raw cooling water flow is required, thus necessitating a fully automated source (see paragraph F.7.17).

Two RHRSW pumps and two RHR heat exchangers (and associated RHR pumps) are required per unit to effectively remove afterheat under emergency conditions. Each unit has four such RHR pump/heat-exchanger combinations.

The RHR service water headers feed the RHR heat exchangers individually. The service water discharge from each heat exchanger is provided with a combined throttling and stop valve. The discharge from this valve is combined with the discharge from a second RHR heat exchanger valve so that each unit has two independent drain systems, one from each pair of heat exchangers. Heat exchanger flow is controlled as desired by the throttling valves, so that service water is available to any of the three heat exchangers on a given RHR service water header, although no more than two heat exchangers may be operated at any one time due to pump capacity limitations.

The discharge from each pair of heat exchangers is provided with a radiation detector.

Because of pump alignment, no one train's heat exchanger set can be operable for all three units at any given time. Only two of any train's heat exchangers A, B, C, or D can operate simultaneously for the three-unit plant. One header per train has three supply connections, e.g., 1A, 2A, and 3A heat exchangers. There are only two pumps serving the "A," as well as the remaining, trains; and it takes one pump to supply enough coolant to serve each heat exchanger.

Since the RHR primary pumps are rated at 2000-hp, and the companion RHRSW pumps have a rating of 400-hp, the major part of a single diesel generator capacity is required for operation of one such set of pumps. For the three-unit plant, six sets are required; thus, six out of the eight diesel generators are required if normal auxiliary power is not available. On a unit basis, two-out-of-four RHR pump/service water pump sets are required.

Selection of a given unit set of such equipment for afterheat removal implies that all or a sufficient fraction of that set is operational for that purpose. The respective RHRSW header for each such set has sufficient flow capacity to serve the RHR heat exchangers of two units at full capacity by running two RHRSW pumps on that header--even three heat exchangers could be accommodated at reduced capacity.

However, such an operation, while possible, is not contemplated.

The RHR Service Water System is designed to provide adequate cooling even when degraded by selected multiple failures, but it is limited to certain allowable loading combinations of diesel generators, electrical boards, and pumps. Therefore, certain sets of multiple failures are not allowable. A sufficient number and kinds of failures could be postulated to disable the system; however, the probability of these sets of failures in independent systems is too low to be of concern.

The technical specifications permit temporary disabling of elements of this system for the purpose of maintenance. Detailed procedures consider elements of the separate sets or subsystems in the RHR-RHRSW and standby power systems to insure that an adequate number of fully-operable subsystems is provided during the maintenance interval.

F.7.17 Emergency Equipment Cooling Water System

As discussed above, this shared system distributes cooling water to equipment and auxiliary systems which are required for shutdown of all three units. Since some equipment cannot tolerate loss of water flow for more than a few minutes, the RHRSW pumps start automatically to supply water to this system.

The piping system is designed as two independent, closed-ended loops with an independent RHRSW pump feeding the closed ends of each loop. A system of check valves on each critical load ensures that such loads will be served from either of the two loops. Only mechanical check valves are used; consequently, when the header(s) are pressurized, all of the loads in the three-unit plant are served simultaneously, whether such loads are in actual operation or not. The plant is thus treated essentially as a single unit in respect to use of this system.

To accommodate the possibility of header piping or tap failure, the headers are sectionalized and the taps are either restricted in size or orificed to limit flow to individual loads. Doubled check valves insure against a header or tap failure draining water from the alternate header.

Sectionalizing valves and the headers are so located that, if a header failure should occur in a unit zone, one core spray system and two of the four RHR pumps and their respective room coolers would still be served in the affected unit and one of its adjacent units. Flow from the fault would be stopped to avoid flooding the zone.

The operational philosophy is to require the availability of two fully-pressurized headers and eight diesel generators for the case of loss of normal power. A pressure failure in one header would be annunciated and manually restored.

This system has been designed with the intent of achieving very high reliability in view of its root function during loss-of-power and other emergency situations. It has been checked against postulated natural and unnatural events which might affect it, and against the field of failures which might occur in the system itself. The system is fully adequate for its purpose.

F.7.18 Standby Gas Treatment System

This shared system operates to filter and exhaust the air from a unit zone plus the refueling zone, the refueling zone only, or the entire secondary containment of four zones (see also paragraph F.7.1). The system is used only when an abnormal activity release occurs. It will tend to localize the influence of activity release and minimize the possibility of having to shut down and decontaminate all unit areas.
