ML19338E992
| ML19338E992 | |
| Person / Time | |
|---|---|
| Site: | Summer  |
| Issue date: | 09/29/1980 |
| From: | SOUTH CAROLINA ELECTRIC & GAS CO. |
| To: | |
| Shared Package | |
| ML19338E991 | List: |
| References | |
| NUDOCS 8010070260 | |
| Download: ML19338E992 (35) | |
Text
.
1~'"-.
(
)
s_-
SOUTH CAROLINA ELECTRIC & GAS CO.
V. C. SUMMER NUCLEAR STATION - LWIT 1 SAFE SHUTDOW ANALYSIS for FIRES IN CONTROL ROOM, RELAY ROOM or CABLE SPFEADING ROOMS Rev. 0 5/16/80 Rev. 1 9/29/80 8010070 2Co
SAFE SHUTDOWN ANALYSIS FOR FIRES IN CONTROL ROOM, RELAY ROOM OR CABLE SPREADING ROOMS I.
PURPOSE To supplement the existing Fire Protection Evaluation, in response to Question No.1, by providing an indepth review of the ability to achieve safe shutdown with the assumptions implied by Question No. 1.
This analysis does not consider the number of plant personnel required to achieve safe shutdown, nor does it discuss the required procedures.
II. ASSUMPTIONS The following assumptions have been used in this re-evaluation of the control room, relay room, and spreading rooms:
1)
A fire anywhere in the control building, including inside the main control board is to be postulated. The initial fire is limited to 2 gallons of liquid or 2 bags of trash and produces flames 3 to 4 feet in diameter and.8 feet high. Fire causes shorts in unprotected cables in 4 to 6 minutes and burns for 5 to 10 minutes.
2)
Loss o
.e power c concurrent with, or subsequent to the fire.
3)
Failure of fire suppression systems is to be assumed.
4)
Unrelated failures of safe shutdown equipment need not be postulated.
5)
The use of non-safety class equipment to achieve safe shutdown is permitted.
6)
Minimum time for operator action, including installation of jumpers in control wiring, 30 minutes.
7)
An accident is not considered coincident with a fire.
The reactor is tripped (either manually or by the reactor protection system) before the plant parameters deviate from the normal operating values. Once the reactor is tripped, only the instrumentation identified on Table 1 of CAI's response to the NRC's post-site review question #1 is required to bring the plant to a cold shutdown condition.
It should be recognized that these assumptions differ from those used in the i
original Fire Protection Evaluation.
In the original analysis, credit was taken for the operation of the fire detection and suppression systems. As a result, fires in the control room, relay room, and spreading rooms were determined to be limited to very small areas such that, with separation in accordance with R.G. 1.75, only one channel of the control circuitry could be damaged by a given postulated fire.
Rev. 9/29/80
III. SHUTDOWN SEQUENCE For fires in the control room, relay room, or spreading rooms the normal safe shutdown sequence is not applicable since normal controls, including many automatic functions, may be disabled. Therefore, each basic shutdown function was analyzed to establish the minimum functions required and the maximum possible delay before actuation.
Reactor Shutdown (3 cram) must be immediate. However, this is a fail safe system where the scram breakers trip on loss of the 48. volt signal.
Therefore, this function will not be adversely affected by a fire.
Decay Heat Removal must be initiated immediately. The turbine driven emergency feedwater pump will operate on loss of control voltage to either of the steam valve solenoids and the pump necds no electrical power to operate. Steam will be dumped through the code safety valves until the steam dump valves are opened manually.
Reactor Coolant Make-Up is not required immediately. Assuming the design leakage rate and the pressurizer at the low level alarm point, approximately 30 minutes is available before the pressurizer is empty.
(SCE&G Co. has determined that seal injection flow is not required for safe shutdown with the reactor coolant pumps de-energized.)
Boron Addition is required for reactor coolant make-up about 30 minutes after the incident. Borated water can be obtained directly from the refueling water storage tanks by the charging pumps or by using the boric acid transfer pumps to supply borated water from the boric acid starage tanks to the charging pump suction.
Reactor Coolant Letdown is not required immediately.
Letdown is not essential to safe shutdown, but the availability of letdown would greatly simplify reactor coolant pressure control and boration.
Diesel Generators are not required to produce power until required by some other function, such as reactor coolant make-up after 30 minutes. However, the diesel generators will start automatically (and cannot be stopped with normal controls) on a loss-of-offsite power.
(The engines must be provided with water and air cooling to prevent damage to the diesel generator and its controls.)
Residual Heat Removal (RHR) is not needed until the reactor coolant system has been partially cooled by dumping steam and has been depressurized. A
)
delay of up to 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> is permitted before starving this cooldown.
.. xs Component Cooling Water is not needed unless letdown is initiated or until the RHR system is to be placed in operation for final cooldown.
Rev. 9/29/80
m
. Chilled Water is needed to support the operation of the charging pumps, the component cooling water pumps, the RifR pumps and other local equipment ccolers. Since the charging pumps for make-up are needed first, chilled
~
water is not needed until just prior to the operation of the charging pumps, or about 30 minutes after the incident.
Reactor Building Cooling is needed to limit the temperature within the building. The temperature rise, with the reactor coolant pumps de-energized, is estimated to be 4.2 F per minute. Assuming an initial temperature of 120*F, then approximately 40 minutes is available before the building temperature reaches the safety related equipment temperature qualification limit of 285 F.
Service Water is needed for the diesel generator, water chillers, Reactor Building cooling, and component cooling water. The water chillers are not needed for approximately 30 minutes, Reactor Building cooling is not needed for approximately 40 minutes, and component cooling is not needed for 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> (unless letdown is initiated). Diesel generator cooling is needed immediately but the fire service system can be substituted as a cooling water source for the diesel generators.
Local Ventilation and Cooling for pump rooms and switchgear rooms is required shortly (1 to 5 minutes) after the equipment is re-energized. The most critical units are the local coolers for each charging pump.
DC Power is required for operation of controls and instruments mounted on the Control Room Evacuation Panel and for operation of the diesel generators. DC power is required continuously.
Communication is needed between the control room evacuation panels and the various switchgear rooms and local control locations in order to coordinate the shutdown seque.nce.
(Portable radios are being provided by SCE&G Co. to provide the necessary cocmunication capability.)
METHOD OF ANALYSIS The analysis was developed from the shutdown requirements described above and from the list of equipment required for safe shutdown as documented in the answer to Question No. 1.
Two cases were developed for each plant system.
In the first case, a fire is postulated in either the relay room or the cable spreading room at El. 425'-0".
In the second case, a fire is postulated in the control room or the cable spreading room at E1. 448'-0".
This combination of the control room and relay room with their associated spreading rooms was done to simplify the analysi_. The consequences of a fire in one of the spreading rooms are essentially identical to a fire in the relay room or control room above the given spreading room.
~_ _. _ _.
i For each of the two cases, each plant system was reviewed in detail, including the elementary designs and circuit routing, to determine the following:
f 1)
The consequences of the postulated fires on the existing systems.
]
2)
Any changes required to ensure that the system will function as l
required when immediate action is necessary, such as the addition of
~
automatic controls to cool the diesel generators with the fire service system.
3)
Any changes required to ensure continuity of operation, such as the alteration of wiring so that the isolation switches on the CREP are cffective against all postulated fires.
)
4)
The extent of manual operation required to achieve safe shutdown.
In developing the consequences of postulated fires, the possibility of short l
circuits causing spurious operations was not reviewed on a system by system i
basis in Appendix A.
In lieu of this, a separate analysis addressing the j
possible consequences of shorts in general and spurious actuation of systems is summarized below and is described in detail in Appendix B.
1 1
With the fire in the relay room, or its associated spreading room, the j
controls were reviewed to ensure that functions required immediately after the loss-of-offsite power will occur, assuming both engineered safety features loading sequencers and the other equipment in the relay room are
}
completely disabled. Where the function can be delayed by at least 30 minutes, the use of controls at the CREP and at switchgear and the use of 3
jumpers in MCC's were all considered acceptable.
j l
With the fire in the centrol room, or its associated spreading room, the controls were reviewed to ensure that functions required immediately after j
the loss of offsite power can be achieved by the remaining automatic j
controls. Where the function can be delayed by at least 30 minutes, the use of controls at the CREP and at switchgear and the use of jumpers in MCC's were all considered acceptable, i,
The results of this review are documented in Appendix A of this analysis.
i V.
SPURIOUS OPERATION I
Since the postulated fires can cause short circuits in unprotected cables, the possibility exists for these short circuits to cause spurious operation which could be detrimental to the process of safe shutdown. Plant systems were reviewed to determine what sort of operations could be detrimental.
With the assumption of an immediate reactor trip, loss of reactor coolant was found to be the most significant problem.
j Reactor coolant could be lost through the spurious operation of the normal letdown valves, the power operated relief valves (PORV), the sample lines, the RHR isolation valves, or the newly added reactor vessel head vent
- valves, i
i 1
4 e
e g
M.e+
m-m
-m.
m m w
. m.
m y
J t
- -r-3
- y
,--p r
+71,--
m-,
m, s
,_ _ -w,
,a_,
.y
-9
.,.y e,y-y,--.
9y a v-. ----
8 t
i Normal 19tdown includes several fail closed valves in series and the sample lines include two solenoid valves in series plus manual valves a,t the sample j
room. The RHR isolation valves and reactor vessel head vent valves are motor operated. Because of the complex nature of the control circuits for 2
(
motor operated valves, spurious operation is highly unlikely. However, the PORV's are solenoid operated. As a result, a simple short, or multiple short circuit, in the cabling to the control switch may cause the vilve to open.
j Therefore, a review of the control circuits was made to determine if any single postulated fire could cause spurious operation of the PORV's and simultaneously disable the charging pumps and other required safety systems including the diesel generators (which could provide the necessary make-up to mitigate the consequence of such spurious operation). This review is documented in Attachment B.
VI.
CONCLUSIONS Within the limits and assumptions of this analysis, and with the proposed modifications to existing systems, the plant can be safely shutdown with a postulated fire in any location within the control room, relay room, or either of.the two spreading rooms.
Except for reactor trip and decay heat removal, the operation of plant systems may be interrupted for approximately 30 minutes without jeopardizing the ability to achieve safe shutdown.
In general, manual isolation of control circuits and local manual operation of circuit breakers and motor control centers will be required to achieve safe shutdown. Because of this reliance on manual local control of i
equipment, suitable procedures, including a diesel generator loading 1
sequence, must be developed. Unlike the automatic loading sequence, the time required for manual loading necessitates that the service water system, and subsequently the chilled water system, be placed into operation before starting a charging / safety injection pump for reactor make-up.
For a fire in the spreading room at elevation 425'-0", channel "B" equipment should be used to achieve safe shutdown, since a variety of channel "A" circuits which could be used for a safe shutdown from outside the control building are routed through this spreading room.
Spurious operation will not generally be detrimental to safe shutdown. Loss of reactor coolant due to spurious valve operation is possible, but no credible single incident could also disable the operation of charging pumps which can mitigate the consequences of this loss of reactor coolant.
I.
4 4
f e
p-3 y
-eg
,7 1m-y q
r w
-v-yy y-v-r--
APPENDIX A SYSTEM CASE STUDIES for SAFE SHUTDOWN ANALYSIS for FIRES IN CONTROL ROOM, RELAY ROOM or CABLE SPREADING ROOMS a
5 L
l f
=
m en
1 i
APPENDIX A j
SYSTEM CASE STUDIES 1
INTRODUCTION To determine the system design changes necessary to ensure safe shutdown with i
postulated fires in the control room, relay room, or cable spreading rooms case studies have been prepared.
i The study was performed on a system basis to facilitate the analysis. For each 1
system two cases were studied:
CASE 1 - ^ fire in the control Luilding spreading room Elevation 425'-0",
or relay room Elevation 436'-0", and a concurrent loss of offsite 2
power.
CASE 2 - A fire in the control building spreading room Elevation 448'-0",
or control room, Elevation 463'-0", and a concurrent loss of offsite power.
The case studies describe the consequences of the postulated fires with respect 1
to system specific equipment.
In addition to the specific problems identified in each case study the following general consequences were considered:
CASE 1 - The engineered safety features loading sequencers will be disabled and manual action will be required to clear the Class 1E buses, close the diesel generator breakers, and sequence required loads.
4 In addition, the auxiliary relay panel XPN5303 will be disabled, along with a variety of other equipment.
CASE 2 - The main control board and HVAC control board are both assumed to be disabled alone with circuits terminating in the termination cabinets in the spreading room.
l 1
i r
l Rev.-9/29/80
-. =.
~
l EMERGENCY FEEDWATER SYSTEM - CASE 1 Consequences 4
Emergency Feedwater Motor Driven Pump A & B (XPP21A-EF, XPP21B-EF):
In the event of a fire the loading sequencers may be destroyed. This meer the operator may have to manually accomplish the functions of the loading 1
sequencers by manually closing the pump breakers in sequence to prevent overloading the diesel.
1 Emergency Feedwater Turbine Driven Pump (XPP8-EF):
The turbine driven pump (TDP) is designed to operate without air or i
electrical power. The TDP is operated by valve IFV2030-MS. This valve is normally closed but in the event of loss of power the valve will open. To close valve IFV2030-MS, it is necessary to operate two (2) solenoids. A fire would not immediately affect the operation of these solenoids because j
they can be opened from the MCB or CREP.
i Emergency Feedwater Flow Control Valves from FDP and Emergency Feedwater Flow Control Valves from TDP (IFV3536-EF, IFV3546-EF, IFV3556-EF):
t These valves fail open.
In the event of a fire the valves are controllable i
from the MCB or CREP, if there is instrument air supplied to them.
If air is not available they can be manually throttled.
Backup Supply and Isolation Valves from Service Water System (XVG1001A-EF, XVG1001B-EF, XVG1008-EF, XVG1002-EF, XVG1037A-EF, XVG1037B-EF):
In case of a fire these valves can be operated from the MCB. There are handwheels on these valves.
(These valves are reouired when condencate storage tank is empty.)
Analysis Since the Emergency Feedwater Turbine Driven Pump will operate automatically and without electric power, and since the flow control valves fail open, the system is adequate as designed and no changes are required.
Manual action will be required at some time after the incident to locally operate the flow control valves. The emergency feedwater motor driven pumps are not required.
i Rev. 9/29/80
CHARGING SYSTEM - CASE 2 Consequences Charging Pumps (XPP43A, XPP43B & XPP43C):
The pump that was operating prior to the loss of offsite power will resume automatically once the diesel breaker is closed but it can only be controlled manually at switchgear.
Charging Flow Control Valve Positioner (FCV122):
- Valve will remain operable with control at CREP.
Open/Close Boric Acid Tank to Charging Pump Suction Valve (XVT8104):
j Valve, normally closed, will be operable from CREP.
Open/Close Refueling Water Storage Tank Line Stop Valves (LCV115B & LCV115D):
Valves, normally closed, can be controlled only at MCC using jumpers.
l Boric Acid Transfer Pumps (XPP13A & XPP13B):
"A" pump will be operable from MCC only using jumpers.
"B" pump will be operable from CREP.
Open/Close Letdown Line Valves to Volume Control Tank - LCV459*, LCV460*,
PVT 8149B* & XVT8152* - normally open:
PVT 8149A* & PVT 8149C* - normally closed:
The loss of offsite power will ie-energize normally'open valves and they will close. All valves except XVT8152 can be controlled from CREP. The only control for XVT8152 was located on the MCB therefore, valve cannot be opened. For normal letdown all above valves are required.
Analysis Based on the shutdown sequence one charging pump is required after approximately 30 minutes, but letdown is not essential.
Boric acid transfer pump "B" can be controlled from the CREP and valve XVT8104 can be operated from the CREP. This will meet the need for a borated water supply to the charging pumps. Valves LCVil5B and LCV115D are therefore not required.
(With the planned revisions to the Boric Acid Pump B controls these controls can be fully isolated from the control buildings).
With the planned revisions to the letdown valve controls, these valves can be isolated from the control building and operated from the CREP.
- These valves must also have an air supply to operate. If air supply is not available to FCV122, Boration can be accomplished by cycling of the charging pumps.
'Rev, 9/29/80
RESIDUAL IfEAT REMOVAL SYSTEM - CASE 1 Cons,quences Residual Heat Removal Pumps (XPP31A & XPP31B):
The autcmatic starting of both pumps through the loading sequencer is postulated to be lost.
Open/Close R.l!.R. Suction Valves from Reactor Coolant System (XVG8701A & B; XVG8702A & B):
Valves, normally closed, are postulated to be inoperable (cannot be opened) from the main control board because control wiring is routed through the auxiliary safeguards cabinets located in the relay room. Valves can be opened at their respective motor control centers using jumpers.
Analysis Since 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> are available before proceeding to cooldown, manual local operation of a breaker for one pump and the use of jumpers in the motor control centers in the intermediate and auxiliary buildings is acceptable.
t 6
)
6
~
RESIDUAL HEAT REMOVAL SYSTEM - CASE 2 Consequences Residual ifcat Removal Pumps (XPP31A & XPP31B):
The automatic starting of both pumps through the loading sequencer may be lost since control wiring is routed through the termination panels.
Pumps may have to be manually loaded onto the diesel and controlled from the switchgear.
Open/Close RHR Suction Valves from Reactor Coolant System (XVG8701A & B; XVG8702A & B):
Valves, normally closed, are postulated to be inoperable from control building and can only be opened at their respectise motor control centers l
- t. sing jumpers.
l Analysis Same as CASE 1 Y
=
COMPONENT COOLING SYSTEM - CASE 1 Consequences Component Cooling Pumps:
The automatic tripping and then closing of the pump breakers by the loading seq. is postulated to be lost. This requires the operator to trip the breaker and then load the pump on the diesel manually.
Analysis Since Component Cooling is required if letdown is initiated or for the RHR heat exchangers and since 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> is available before proceeding to cold shutdown, manual operation of the pump breakers locally from the switchgear in the intermediate building is acceptable.
~
f
- 9 e e,e
- ae em me a we we e
4 w e
e-
- -***WDwa h*-
W*
O
~
COMPONENT COOLING SYSTEM - CASE 2 Consequences
~
~
Component Cooling Pumps:
~
The pump breakers are postulated to be inoperable from the MCB and the automatic control of the breakers through the loading seq. will be lost because the cables are routed through the termination panels. The only control remaining will be manually at the 7.2kV switchgear because there are no control switches on the evac, panel.
Analysis Same as CASE 1 e
l I
i m
e b e
e O
O
+
y
,-3
~ _ - - -
-e-.. -,
w
-q---
CHILLED WATER SYSTEM - CASE 1 Consequences-1E Aux. Relay Panel.(XPN5303):
The relays necessary to open and close the 480V switchgear breakers and i
operate the "A" and "B" chillers from the MCB are mounted in this panel.
If this panel is destroyed by the fire, the switchgear will have to be operated locally and the chillers will have to be operated at the local chiller i
control panels on each chiller by inserting jumpers.
HVAC Mech. Vater Chillers "A" and "B":
The relays necessary to trip and close the 480V switchgear and control the chillers are mounted in the IE aux. relay panel.
If the 1E aux.
relay panel is destroyed, the 480V switchgear will have to be operated locally and the chillers will have.to be operated at the local control panel on each t
chiller after jumpers have been added to block out the MCB controls.
The postulated destruction of the loading seq. will also render the starting i
controls for the 480V switchgear breakers and the chillers inoperable.
1 i
I i
HVAC Mech. Water Chiller "C" (XHX1C)-
i The control circuits for the chiller will remain ope :able but the closing circuit of the 480V switchgear breaker may be blocked by the loss of the loading seg. The switchgear breaker may have to be operated locally.
j HVAC Chilled Water Pumps (XPP48A, B & C):
The automatic tripping and closing of the 480V switchgear through the.
loading seq. may be lost but the manual controls on the MCB may remain operable.
Analysis Based on the shutdown sequence one chiller and its associated water pump are
, required after approximately 30 minutes. Therefore manual local operation of the breakers and the use of jumpers in the control panels is acceptable.
Based on CASE 1 for the diesel generator system, the train B chiller ar.d pump or l
the train B supplies for the "C" chiller and pump are preferred.
i I.
i f
i
{
7 m.
r
.m-
,-2,a-
-.,a
-w-4.
a u
CHILLED WATER SYSTEM - CASE 2 Consequences I!VAC Mech. Water Chillers A" and "B":
The control switches necessary to start and stop these chillers are located on the MCB.
If these switches are destroyed, jumpers will have to be inserted in the local control panels so the MCB controls are blocked out.
l The 480V switchgear breaker will also have to be operated manually.
HVAC Mech. Water Chiller "C" (XID(IC):
The relays necessary to trip and close the 480V switchgear breaker and control the chiller are mounted in relay panels in the spreading room, El.
448'-0".
If these relay panels are destroyed, the 480V switchgear breaker will have to be operated locally and the chiller will have to be operated at the local control panel mounted on it after jumpers have been added to block l
out the MCB centrol.
i l
HVAC Chilled Water Pumps (XPP48A, B & C):
l The control switch on the MCB is postulated to be destroyed and the pumps may have to be operated locally from the 480V switchgear breakers.
Analysis Based on the shutdown sequence one chiller and its associated water pump are required after approximately 30 minutes. Therefore manual local operation of the i
breakers and the use of jumpers in the control panels is acceptable.
i a
J
=
6 l
l I
l
,wn
,w-.
,,n
,-g
,--n-
~, - -, -
7,,
SERVICE WATER SYSTEM - CASE I Consequences Service Water Pump "A" (XPP39A):
i The control wiring from the pump switchgear to the evac. panel and the MCB is routed through the cable trays in the spreading room. Therefore, the
. ability to trip or close the pump bhr. from the main plant may be lost.
The control wiring from the speed switch to the MCB is routed through the cable trays in the spreading room.
Therefore, the ability to change the speed of the pump from the main plant may be lost.
If this pump was running when the incident occured, someone would have to go to the service water pump house and manually pull the switchgear breaker before the bus could be energized through the diesel.
s l
Service Water Pump "B" (XPP39B):
The control wiring from the pump switchgear to the evac. panel and the MCB is not routed through the spreading room. Therefore, the ability to trip or j
close the pump breaker will not be lost. The only problem with starting this pump will be because of the loss of the loading seq. The pump may have to be loaded on the bus manually.
The control wiring from the speed switch to the control switch on the MCB for high speed of the pump will remain operable.
The operator will have to manually switch the pump to high speed assuming that the loading seq. is destroyed.
Service Water Pump "C" (XPP39C) - Channel "A":
The control wiring from the pump switchgear to the evac panel and the MCB is routed through the cable trays in the spreading room. Therefore, the ability to trip or close the pump breaker from the main plant may be lost.
4 The control wiring from the speed switch to the MCB is routed through the cable trays !n the spreading room. Also, the relaying to change speeds for I
the pump is in the IE aux. relay panel in the relay room.
If the fire l,
destroys the wiring and relays, the ability to change the speed of the pump
~
from the main plant will be lost.
Service Water Pump "C" (XPP39C) - Channel "B":
The control wiring from the pump switchgear to the evac. panel and the MCB
-is not routed through the spreading room. Therefore, the ability to trip or close the pump breaker will not be lost.
If the loading sequencer is destroyed, the pump will have to be loaded on the bus manually.
The control relaying to change speeds for this pump is in the 1E aux.
relay panel in the relay room. This panel is postulated to be destroyed by the fire and, therefore, the af ility to change the speed of the pump from the main plant will be lost.
h.-
e sp
=g e,
ee..e m
M6 w"-
+e r.*
_e
~+.%
w
.. +....,.,....
~-,
CASE 1 (Cont'd)
Service Water Discharge Valves:
The control circuits for the "A'" valve are postulated to be lost and the valve will remain as is until jumpers are added in the MCC at the pump house.
The "B" and "C" valves will remain operable automatically and from the MCB.
Service Water Booster Pumps:
The automatic starting of both pumps through'the loading seq. may be lost but the manual controls will remain operable.
Bldg. Service Isolation Valves (Water from Ind. Cooler to R.B. Cooling Units):
XVB3110A & B; XVB3111A & B; XVB3112A & B The automatic closing of these valves through the loading seq. may be lost but the control switches on the MCB will be operable.
Reactor Bldg. Isolation Valves (Water from Booster Pumps to the R.B. Cooling Units and Back to the Service Water Pond): XVB3106A & B; XVG3107A & B The automatic closing of these valves through the loading seq. may be lost but the control switches on the MCB will be operable.
Service Water Pump House Cooling Units (XFNSOA & XFN80B):
l The "A" fan will stop and may be inoperable from the MCB. Jumpers may have l
to be added at the MCC in the service water building to get it running again.
I The automatic starting of the "B" fan through the loading seq. may be lost but the control switch on the HVAC control board will be operable.
Service Water Pump House Dampers:
The "A" dampers are postulated to be inoperable but they will fail in a manner that will allow the pump bouse to be cooled when the "A" fan is put back into service.
The "B" dampers will not have automatic control assuming a loss of the solid state protection cabinet, but the control switch on the MCB will remain operable.
Analysis Operation of service water pump B, or C (Channel B controls) from the MCB is preferred since diesel generator "A" may also be disabled due to a fire in the spreading room at El. 425'-0" as described in CASE 1 for the diesel generator system. However, operation from the CREP and local operation of the speed switches using jumper is acceptable since the shutdown sequence indicates that service water is required approximately 30 minutes after the incident (except for the diesel generators which are discussed in the analysis of Case 2).
A review of the service water pump discharge valves indicates that the controls should be modified to drive the valve open, and override any previous close signal, any time a pump is started.
i l
9
.,.6 w.
,n r.
,w--,
e v
.r
.w---~m-v
CASE 1 (Cont'd)
Manual operation of the service water booster pumps and the various valves f rom the switchgear and MCC's in the intbrmediate and auxiliary buildings is acceptable since the shutdown sequence indicates that reactor building cooling must be restored approximately 40 minutes after the incident.
Operation of service water pump house cooling fan B is adequate to cool one or two service water pumps and the associated switchgear.
If the fan is temporarily lost manual restoration of service is acceptable since approximately 25 minutes are available with two pumps in high speed before the motor winding design temperature is exceeded (room air temperature of 240* F).
4 o
f 4
'I
- e e
en=
= w 4
SERVICE WATER SYSTEM - CASE 2 Consequences Service Water Pumps (XPP39A, B & C):
~
The service water pump breakers can be controlled from the evac. panel if the MCB is lost. The problem will be with the ability to control the speed switches.
i The control wiring for all three speed switches is routed to the MCB termination panels, then to the control switches on the MCB and the loading seq.
Therefore, if the 448'-0" elev. and the 463'-0" elev. is destroyed, I
the ability to change the speed of ptmps from the main plant will be lost.
The inability of the operator to change the speed of the service water pumps may cause a problem because one pump is required to be run at high speed after the loss of offsite power.
Service Water Pump Discharge Valves:
The control switches for these valves are on the MCB only and if these switches are lost all control of these valves from the main plant will be lost. Jumpers will have to be added in the MCC's to operate these valves.
Normal operation of the plant requipes one service water pump to be running at low speed with its associated valve open. The other two pumps are off with their associated valves closed.
To put any pump in high speed the 7.2kV breaker must be operated, the speed switch must be reset, and the valve opened. The 7.2kV breaker can be controlled from the evac. panel but the valve and speed switch must be contrilled at the service water pumphouse using jumpers.
Service Water Booster P. umps:
The control switches on the MCB and the automatic start through the loading seq. are postulated to be lost. The pumps will have to be started locally at the 480V switchgear in the auxiliary and intermediate b1dgs.
Pnilding Service Isolation Valves (Water from the Ind. Cooler to the R.B. Cooling Units):
XVB3110A & B; XVB3111A & B; XVB3112A & B The control switches on the MCB and the automatic closing through the loading seq. are postulated to be lost and the valves will remain open. The i
valves will have to be controlled at the MCC's or by use of the handwheels.
These valves block the flow of water frcm and to the ind. cooler which will be lost due to the loss of offsite power.
Reactor Building Isolation Valves (Water from Booster Pumps to the R.B. Cooling
-Units and back to the Service Water Pond): XVB3106A & B; XVG3107A & B The control switches on the MCB and the automatic opening through the loading seq. are postulated to be lost and the valves will remain closed.
The valves will have to be controlled at the MCC's or by use of the handwheels. These valves are required to open when the ind. coolers shut down so service water can be pumped into the reactor building cooling units and back to the service water pond.
4
-we V
e wn
,,n
1 CASE 2 (Cont'd)
Service Water Pump House Cooling Units (XFN80A & XFN80B):
i Both fans "A" and "B" may stop because their control switches are on the liVAC control board. Jumpers may have to be added at the MCC's in the service water pump house to get them running again.
Service Water Pump House Dampers:
i All damper controls are postulated to be lost but they will fail in a manner that will allow the pump house to be cooled, when the fans are in service, without power to the damper actuators.
i Ana?vsis i'
Operation of the pump breakers from the CREP with local operation of the speed i
switches using jumpers is acceptable since the shutdown sequence indicates that j
service water is required approximately 30 minutes after the incident (except as j
noted below for the diesel generators) (Therefore the planned modifications of j
the speed switch control circuits does not appear warranted).
Operation of the service water pump discharge valves using jumpers at the MCC's is also acceptable for the same reason as given above.
(Therefore the planned relocation of the valve control switch from the MCB to locally at the MCC does not appear warranted).
Manual operation of the service water booster pump and the various valves from the switchgear and MCC's in the intermediate and auxiliaiy buildings is acceptable since the shutdown sequence indicates that reactor building cooling must be restored approximately 40 minutes after the incident.
J Operation of a service water pump house cooling fan using jumpers at the MCC is i
acceptable since approximately 25 minutes are available as described in " Service Water System - Case 1".
Since the diesel generators require water cooling immediately (within 5 minutes) after a loss of offsite power, the fire service connections to the diesel generators (valves XVG3105A-SW and XVG3105B-SW) need to be modified to automatically open on high lube oil o'r high jacket water temperature.
i 1
5 d
)
i e
1 l
t i
e.
L
~
REACTOR COOLANT SYSTEM - CASE 1 Consequences Pressurizer Power Operated Relief Valves (PCV444B & PCV445A):
These valves are normally closed, and use a nitrogen supply for opening.
i Normal control at MCB would remain operable.
Accumulator Isolation Valves (XVG8808A, B & C):
Valves, normally open, are postulated not to be inoperable from MCB since their control wiring is routed through the solid state protection cabinets at El. 436'-0".
Valves will have to be closed at their respective motor control centers using jumpers.
Analysis With the planned changes in control circuits the power operated relief valves will be operable from the CREP when compressed air is available.
The use of jumpers to close the accumulator isolation valves is acceptable since 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> is available before proceeding to cool down (and depressurize).
(Note that the starters for these valves are normally pad-locked open.)
8 e
e e
awW b
~ ~
~-^
M --
m--,
-%,4
%Msyy, m*p.,
1
REACTOR COOLANT SYSTEM - CASE 2 Consequences Pressurizer Power Operated Relief Valves (PCV444B & PCV445A):
- Valves, normally closed, would fail in a closed position and may be completely inoperable. Also a nitrogen supply is used to open these valves.
Accumulator Isolation Valves (XVG8808A, B & C):
Valves, normally open, may have to be closed at their respective motor control centers using jumpers.
Analysis Same as CASE 1 4
4 l
=
4 HVAC SYSTEMS - CASE 1 Conseguences 4
Reactor Building Cooling Units (XAA1A & 2A-AH and XAA1B & 2B-AH):
The autcmatic starting of all units through the loading sequencer (ESFLS) is j
postulated to be lost. Additionally, the manual loading onto the diesel and the control of the high speed fan motors from the MCB may not be operable since they are wired in series with the loading sequencer panels.
To achieve safe shutdown a minimum of one cooling unit operating at low speed will be employed. Units may have to be manually loaded onto the diesel and controlled from their respective switchgear.
i Also dampers XDP110A & B* and XDP111A & B*, which are normally open to by pass the HEPA filters, will automatically close upon loss of power.
Dampers may now be inoperable since their control wiring is routed through the solid state protection cabinets located at El. 436'-0".
With dampers 1
closed, return air to the cooling units must pass through the HEPA filters.
Battery Room Cooling Units (XAH24A & B-AH):
- The automatic starting through the ESFLS is postulated to be lost. The
- units, consisting of a supply fan (XFN38A & B) and a face and bypass damper (XDP233A & B)* operate in conjunction with an inlet supply damper (XDP89A &
B)*, an exhaust discharge damper (XDP88A & B)* and an exhaust fan (XFN39A &
J B), can all be manually loaded onto the diesel and controlled from the HVAC control board.
2 Service Water Pump House Cooling Units (XFN-80A & B-AH):
See service water system.
Control Room Cooline Units (XAH-12A & B-AH):
The automatic starting through the ESFLS is postulated to be lost. The normal supply fans (XFN32A & B) can be manually loaded onto the diesel and controlled from the HVAC control board.
Relay Room Cooling Units (XAH-13A & B-AH):
This area is postulated to be destroyed by fire.
Charging /SI Pump Roem Cooling Units (XAH-1A & B-VL and XAH-2-VL):
The Channel A & B cooling unit fans (XFN46A & B) will start automatically uben the associated charging pump is running if their selector switch is set in the automatic position. Manual control at the HVAC control board will also remain operable.
Channel C fan (XFN47-VL) may be operated manually frcm the HVAC control board.
]
Residual Heat Removal Pump Room Cooling Units (XAH-4A & B-VL):
The cooling unit fans (XFN49A & B) will start automatically when the associated RHR or spray pump is running if their selector switch is set in the automatic position. Manual control from the HVAC control board will i
also remain operable.
1
?
m
-i. -
.-m
-y y
9
--y
,w, e
--e-7--
l CASE I (Cont'd)
Auxiliary Building MCC & Switchgear. Cooling Units (XAH-32-VL & XAH-33-VL):
The automatic. starting through the ESFLS is postulated to be lost along with the high temperature relay contacts.
Cooling unit fans (XFN132 & XFN133) can be manually loaded onto the diesel and controlled from the HVAC control
- board, i
ESF Switchgear Room Cooling Units (XAH-6-VL & XAH-8-VL):
The automatic starting through the ESFLS is postulated to be lost along with the high temperature relay contacts.
Cooling unit fans (XFN50 & XFN76) can j
be manually loaded onto the diesel and controlled from the HVAC control i
board.
i I
)
Speed Switch Room Cooling Units (XAH-19A & B-VL):
j The. automatic starting through the ESFLS is postulated to be lost along with the high temperature relay contacts.
Cooling unit fans (XFN106A & B-VL) can be manually loaded onto the diesel and controlled from the HVAC control board.
Emergency Feedwater Pump Cooling Units (XAH-11A & 11B-VL):
r The cooling unit fans (XPN83A & B) will start automatically when the associated motor driven emergency feedwater pump is running if their
]
selector switch is set in the automatic position. Manual control at the j
HVAC control board will also remain operable.
Diesel Generator Room Supply Fans (XFN45A & 45B-AH and XFN75A & 75B-AH) and associated dampers:
- The dampers fail open and will open automatically when the diesel generators start. The fans will start automatically once ac power is available.
Analysis Manual local operation of the breakers for the reactor building cooling unit fans I
is acceptable since the shutdown sequence indicates that approximately 40 minutes are available before reactor building cooling must be restored.
1 The diesel generators start immediately on loss of offsite power, but are not necessarily connected to the buses because of failure of the loading sequencers.
However, the dampers open on diesel starting and large ventilating air paths exist. As a result natural convection cooling will limit the room temperature to 1
approximately 160 F (with the engine operating at no load). Therefore operation of the room supply fans can F' delayed until the diesel is manually connected to l
the class 1E buses.
Since other areas of the plant will have negligible heat input without ac power, the operation of these fans can be manually restored, where necesrary, after the diesel generators are manually connected to the buses.
In most cases a
. considerable delay in restarting the ventilation, after the equipment is re-energized is acceptable. However, the cooling fans for pump rooms, particularly those for the charging pumps, should be started before, or immediately af ter, the pumo motor is energized.
- These dampers are controlled by a solenoid and require an air supply to operate.
h' 4
m... _, - _ _ _ _.
HVAC SYSTEMS - CASE 2 Consequences Reactor Building Cooling Units (XAA-1A & 2A-AH and XAA-1B & 2B-SH):
Cooling Unit fans may have to be manually loaded onto the diesel and controlled from their respective switchgear as the only other control was on the MCB.
Also, dampers, XDP110A & B and XDP111A & B*, which are normally open will automatically close upon loss of power. Dampers may now be completely inoperabic as their only control was on the MCB. With dampe rs closed, return air to the cooling unit must pass through the HEPA filters.
Battery Room Caoling Units (XAH-24A & B-AH):
The automatic starting through the ESFLS is postulated to be lost along with all control from the Control Building. The units and their associated equipment can be manually loaded onto the diesel and controlled from their respective MCC using jumpers. One channel of the following equipment is required; supply fan and unit face and bypass damper *, supply inlet damper *,
exhaust discharge damper
- and exhaust fan.
Service Water Pump House Cooling Units (XFN80A & B-AH):
See Service Water System i
Control Room Cooling Unit; (KAH-12A & B-AH):
This area is postulated to be destroyed by fire.
Relay Room Cooling Units (XAH-13A & B-AH):
The automatic starting through the ESFLS is postulated to be lost along with all control from the Control Building. The unit fans (XFN36A & B) can be m'anually loaded onto the diesel and controlled from their respective MCC using jumpers.
Charging /SI Pump Room Cooling Units (XAH-1A & B-VL and XAH-2-VL):
The channel A & B cooling unit fans (XFN46A & B) are wired to run automatically when their associated charging pump is running, but losing the selector switch on the HVAC control board will prevent this. These fans may only be operable from their respective MCC using jumpers.
Channel C fan (XFN-47) may be operated manually using jumpers at charging pump accessories equipment cabinet (XPN40) located in the Auxiliary Bldg.
El. 388'-0".
- These dampers are controlled by a solenoid and raquire an air supply to operate.
e e
-w.
sur m.
,.. e e,
,.e w
=
CASE 2 - Cont'd Residual Heat Removal Pump Rocm Cooling Units (XAH-4A & B-VL):
\\
The cooling unit fans (XFN49A & B) are wired to run automatically when their associated RHR or spray pump is running, but losing the selector switch on the HVAC control board will prevent this. These fans may only be operable from their respective MCC using jumpers.
Auxiliary Building MCC and Switchgear Cooling Units (XAH-32-VL & XAH-33-VL):
A postulated loss of the control switch on the HVAC control board will prevent both the automatic starting through the ESFLS panels and starting upon closure of the high temperature relay contacts. The cooling unit fans (XFN132 & 133) can be manually loaded onto the diesel and controlled only at their respective MCC using jumpers.
ESF Switchgear Room Cooling Units (XAH-6-VL & XAH-8-VL):
The automatic starting through the ESFLS may be lost along with starting through the high temperature relay contact. The cooling unit fans (XFN50 &
- 76) can be controlled and manually loaded onto the diesel only at their respective MCC using jumpers.
Speed Switch Room Cooling Units (XAH-19A & B-VL):
A postulated loss of the control switch on the HVAC control board will prevent any automatic starting through the ESFLS panels or through the high temperature relay contact. The cooling unit fans (XFN106A & D) can be manually loaded onto the diesel and controlled only at their respective MCC using jumpers.
Emergency Feedwater Pump Cooling Units (XAH-113. & B-VL):
The cooling unit fans (XFN83A & B) are wired to run automatically when their associated motor driven emergency feedwater pump is running but if the selector switch on,the HVAC control board is lost, this is prevented. These fans will only be operable from their respective MCC using jumpers.
Diesel Generator Room Supply Fans (XFN45A & 45B-AH and XFN75A & 75B-AH) and Associated Dampers:
The dampers fail open and will open automatically when the diesel generators start.
But if there is a loss of the control switch on the HVAC control board the fans can only be operated from the respective MCC using jumpers.
Analysis Manual local operation of the breakers for the reactor building cooling unit fans is acceptable since the shutdown sequence indicates that approximately 40 minutes is available before reactor building cooling must be restored.
The diesel generators start immediately on loss of offsite power, but are not necessarily connected to the buses because of failure of the loading sequences.
However, the dampers open on diesel starting and large ventilating air paths exists. As a result natural convection cooling will limit the room temperature i
to approximately 160 F (with the engine operating at no load). Therefore operation of the room. supply fans can be delayed until the diesel is manually connected to the class 1E buses and jumpers added to the MCC's.
we w
=
we w
DC P0kf.R SYSTEM - CASE 1 Consequences 125 V DC Dist. Panel IHA2 (DPNIHA2):
Distruction of this panel by a fire would disable the diesel generator "A" field flashing circuit.
l 125 V DC Dist. Panel 1HB2 (DPNIHB2):
Distruction of this panel by a fire would disable the diesel generator "B" l
field flashing circuit.
Analysis Since field flashing is needed for reliabic starting of the diesel generators the circuits for field flashing power need to be moved to other panels.
t l
I l
l e
l l
c l
l 1
DC PO'JR SYSTE!! __ CASE 2 Consequences None, for a fire in the control room or the spreading room at El. 448'-0".
Analysis None.
t I
l 1
COMMUNICATION SYSTEM - CASE 1 Consequences Mair, Page/ Party Line Communication System:
Power for this system is provided from Panel APN5906, which is connected to plant inverter (!6. Therefore, the syst.em may become inoperable.
Redundant Communication System:
The redundant communications system receives its power frca panel APN1FB.
Therefore, the system may become inoperable.
Maintenance Communication System:
This system receives its power from panel APNIFXI. Therefore, the system may become inoperable.
Analysis SCE&G Co. (Operations) has determined that portable radios and repeaters, to be installed by SCE&G Co., will be used for communications in the event of a fire in the control building.
1 l
l l
4
COMMUNICATIONS SYSTEM - CASE 2 Consequences Main Page/ Party Line Communication System:
Although there is no major equipment located in the control room, or spreading room El. 448'-0", a fire in these areas could cause shorts in the communications cables and thereby disable the system.
Redundant Ccamunitcation System:
Although there is n'o major couipment located in the control room, or spreading room El. 448'-0", a fire in these areas could cause shorts in the communications cables and thereby disable the system.
Maintenance Communication System:
Although there is no major equipment located in the control room, or spreading room El. 448'-0",.a fire in these areas could cause shorts in the communications cables and thereby disable the system.
Analysis Same as CASE 1 s
CASE 2 - Cont'd Since other areas of the plant will.have negligibic heat input without a-c power, the operation of these fans can be manually restored, where necessary,
-fter the diesel generators are manually connected to the buses.
In most cases a c'onsiderabic delay in restarting the ventilation, af ter the equipment is re-energized is acceptable. However, the cooling fans for pwnp rooms, particularly those for the charging pumps, should be started before or, immediately after, the pump motor is energized.
l 1
l l
l l
l l
?
I e=4 m en w = =
e-e
O APPENDIX B ANALYSIS OF SPURIOUS OPERATION for SAFE SHUTDOWN ANALYSIS for FIRES IN CONTROL ROOM, RELAY ROOM or CABLE SPREADING ROOMS 4
an
~
j INTRODUCTION i
i To assess the significance of'possible spurious operations, it is necessary to first determine what systems would be adversely affected by spurious operations.
A. review of the critical plant systems, in the operating modes applicable to achieving safe shutdown, reveals.that loss of reactor coolant from the reactor coolant ' system is the most significant action that would adversely affect safe shutdown.
t l
ANALYSIS l
l A detailed review of the reactor, coolant system indicates five possible paths for loss of coolant:
l l
1.
The normal letdown path.
2.
The RHR suction and return lines.
l 3.
The reactor vessel head vent path.
4.
The sample lines.
l 5.
The power operated relief valves (PORV).
l The normal letdown path has a variety of fail closed valves in series; and the simultaneous spurious operation of these valves is very unlikely. Therefore, this path does not warrant further review.
The RHR suction line has two normally closed motor operated valves in series; and the return line includes a check valve. The spurious operation of motor operated valves is unlikely because of the complexity of the control circuits; and the spurious operation of two motor operated valves, of different channels is considered very unlikely. Therefore, this path does not warrant further review.
The reactor vessel head vent path consists of-two parallel lines with two motor operated valves in series on each line. One valve on each line will be normally l
open. Although spurious operations of motor operated valves is unlikely, no j
special provisions exist.to prevent spurious operation for this path.
i The sample lines include two solenoid valves in series plus manual valves at the sample room.
Since the manual valves are normally closed, this path does not warrant further review.
The power operated relief valves consist of three solenoid operated valves on l
individual lines. Spurious operation of these valves is possible since shorts, one or multiple, in the MCB control switch and associated cabling may cause the valve to open; even multiple ground faults may not blow the control power fuses i
since valve controls are on~the positive side of the de supply. Therefore, the l
plant design has been reviewed to determine if a single fire can cause spurious operation of one of these valves and also disable both channels of charging pumps, and associated safety systems including the diesel generators.
9 O
O 9 4 W"
P O
.M-J-h" e @b p _- -
^
, S%g4 49.-
M M 9 PEW' M
2
~,- -
e The control switches for the PORV's are located in section XCP6109 of the MCB; j
the charging pump control switches are located in section XCP6108. The centerline distance of the closest PORV control switch to the closest charging pump control switch is approximately 48 inches. Control switches for other safety systems are located farther away from the PORV switches. The wiring for the two channels of switches for the charging pumps are in different fully metal enclosed wireways within the MCB. With these totally enclosed wireways and the flame retardant cable used for the control board, a postulated secondary fire l
will not propagate in the wire insulation. Therefore, with the postulated fire that burns for five to ten minutes and has a flame diameter of three to four feet, it is very unlikely that one fire can affect a PORV circuit and both channels of charging pump controls, and associated safety systems.
The cables for the PORV control switches terminate in panels XPN7112 and XPN7122 in the spreading room. The cables for the charging pump control switches terminate in panels XPN7111 and XPN7123.
Panels for the redundant channels for j
the charging pump controls are separated by a 3'-6" aisle. The cables above those termination panels are in totally cnclosed wireways. With the postulated fire on the platform between the termination panels, it is unlikely that it can affect any circuits and it is very unlikely that it will disable the redundant channels of charging pump controls and associated safety systems, and cause short l
circuits in the PORV controls.
The field cables into the termination cabinets enter from trays below the l
cabinets. The trays for redundant channels of controls are separated by 9'-5" with trays stacked four high. Between these trays for class IE cables is a stack of four' trays for non-Class IE cables. The trays run parallel in a North-South direction. A postulated fire in this area could propagate into one or two stacks of trays and disable cables in these trays. However, with the spacing and limited height of the stacks of trays, it appears unlikely that the postulated fire could disable both channels of controls for the charging pumps (although the trays are within 20 feet and the fire loading is 240,000 Btu per square foot).
CONCLUSION Based on the analysis presented above, it is concluded that spurious operation could occur. However, the spurious operation with the most significant consequence is operation of a PORV which would release reactor coolant. A review of che plant design concludes that it is very unlikely that any single postulated L
fire can cause spurious operation of a PORV and disable both redundant chat uls of charging pump controls and associated safety systems. Therefore, the plant design is acceptable without modification.
l 4
- 1 e am W6 m
--m ww g m..
,b
..w-e P
y-
-,,my w
~~ -