Text

Alternate Shutdown Sys for Monticello Nuclear Generating Plant,Northern States Power Co
	ML20083D870
Person / Time
Site:	Monticello
Issue date:	12/31/1983
From:	Brandon R, Gridley R; GENERAL ELECTRIC CO.
To:	;
Shared Package
ML112991206	List: ML20083D870;
References
	NEDC-30291, NUDOCS 8312280325
	Download: ML20083D870 (100)
	v • d • e

- - - - - - - - - - - - - - -

"'" :a; DECEMBER 1983 ALTERNATE SHUTDOWN SYSTEM FOR MONTICELLO NUCLEAR GENERATING PLANT NORTHERN STATES POWER COMPANY pgA2e88Pasass23 GENER AL $ ELECTRIC 1

NEDC .iO291 Class I December 1983 ALTERNATE SHUrDOWN SYSTEM FOR MONTICELLO NUCLEAR GENERATING PIANT NORTHERN STATES POWER COMPANY Approved: &Mm- Approved: /> b Iz//z[f f R.J[/frandon, Manager R.'/.'Gr'idleypManager' ~

Application Engineering Fuel Services Licensing NUCLEAR POWER SYSTEMS DIVISION

GENERAL ELECTRIC COMPANY SAN JOSE, CALIFORNIA 95125 GENERAL $ ELECTRIC L

NEDC-30291 IMPORTANT,NOIICE REGARDING CONTENTS OF THIS REPORT Please Read Carefully The only undertakings of General Electric Company respecting information in this document are contained in the contract between Northern States Power Company and General Electric Company, Purchase Order No. D0703BMQ and nothing contained in this doedment shall be construed as changing the contract. The use of this information by anyone other than Northern States Power Company, or for any purpose other than that for which it is intended, is not authorized; and with respect to any unauthorized use, General Electric Company makes no representation or warranty, and assumes no liability as to the completeness, accuracy, or usefulness of the information contained in this document.

I 11

NEDC-30291 CONTENTS

_P. age ABSTRACT ix

1.0 INTRODUCTION

1-1 1.1 Background 1-1 1.2 Report Content and Objectives 1-2 2.0

SUMMARY

2-1 3.0 SAFE SHUTDOWN SYSTEM REQUIREMENTS 3-1 3.1 Limiting Safety Consequences 3-1 3.2 Bases for Limiting Safety Consequences 3-1 3.3 Performance Goals 3-2 3.4 SSDS Design Requirements 3-3 4.0 ALTERNATE SHUTDOWN SYSTEM DESIGN 4-1 4.1 ASDS Selection 4-1 4.1.1 Reactor Shutdown 4-2 4.1.2 Overpressure Protection 4-3 4.1.3 Maintenance of Coolant Inventory 4-3 4.1.4 Decay Heat Removal 4-3 4.1.5 ASDS Summary 4-4 4.2 ASDS Design Requirements 4-4 4.3 ASDS Description 4-6 4.3.1 Primary Systems for ASDS 4-6 4.3.2 Auxilf ary Systems for ASDS 4-8 4.3.3 Instrumentation for ASDS 4-11 5.0 ELECTRICAL DESIGN FOR ASDS 5-1 5.1 Introduction 5-1 5.2 Electrical Circuit Design 5-2 5.2.1 Typical Circuit Design for ASDS Operation 5-2 5.2.2 Typical Circuit Design for ASDS Indication 5-3 5.2.3 Alternate Power Source 5-4 5.3 ASDS Cable Routing 5-5 5.3.1 Introduction 5-5 5.3.2 Existing Cable Routing 5-5 5.3.3 Cable Routing for ASDS 5-7 5.4 Hardware Design 5-8 5.4.1 ASDS Control Panel 5-8 5.4.2 ASDS Relay Panels 5-9 6.0 ASSOCIATED CIRCUITS 6-1 6.1 Common Power Source 6-1 6.2 Spurious Operation 6-1 6.2.1 ASDS Equipment 6-3 6.2.2 Safety / Relief Valves 6-3 6.2.3 Other Non-ASDS Components 6-3 6.2.4 High-Low Pressure Interface 6-4 6.3 Common Enclosure 6-6 111 j

NEDC-30291 CONTENTS (Continued)

.Page, 7.0 ASDS PERFORMANCE EVALUATION 7-1 7.1 Thermal-Hydraulic Analysis 7-1 7.1.1 Analysis Methods 7-2 7.1.2 Event Description and Analysis Assumptions 7-3 7.1.3 Results for the Evaluation Fire Event 7-5 7.1.4 Analyses for Spurious Operation of Safety / Relief

. Valve 7-6 7.1.5 Conclusions 7-8 7.2 Auxiliary Systems Performance Evaluation 7-8 7.3 Evaluation of the ASDS Instrumentation 7-8 7.3.1 Process Instruments 7-8 7.3.2 Diagnostic Instruments 7-8 7.4 ASDS Impact on Plant Safety 7-9 7.4.1 ASDS Fire Area Evaluation 7-9 7.4.2 ASDS Impact on Other Fire Areas 7-10 7.4.3 Design Basis Accident Evaluation 7-10 8.0 ASDS OPERATION AND TESTING 8.1 Operating Procedures 8-1 8.2 Testing Methods S-3 8.3 Operational Restrictions 8-4

9.0 CONCLUSION

S 9-1

10.0 REFERENCES

10-1 APPENDICES A. RESPONSE TO NRC REQUEST FOR ADDITIONAL II.' FORMATION CONCERNING DESIGN MODIFICATION A-1 B. AVAITABILITY OF SCRAM AND ISOLATION B-1 C. LISTING OF ASDS DRAWINGS C-1 iv

NEUC-30291 TABLES Table Title Pag 4-1 Primary Systeme for ASDS 4-13 4-2 Auxiliary Systems for ASDS 4-14 4-3 Instrumentation for ASDS 4-15 5-1 Equipment List for ASDS 5-10 6-1 High-Iow Pressure Interface Components 6-7 O

v/vi

NEDC-30291 ILLUSTRATIONS

- Figure Title Page 4-1 Principal Safe Shutdown Systems 4-16 4-2 ASDS Primary Systems for a Fire Event in the Control Room or Cable Spreading Room 4-17 4-3 ASDS Primary and Auxiliary Systems Interaction 4-18 5-1 Transfer of Control to ASDS 5-15 5-2 Operation of Equipment from ASDS 5-16 5-3 Status Indication of Equipment at ASDS 5-17 5-4 Alternate Power Source for ASDS 5-18 5-5 Cable Routing Arrangement 5-19 5-6 Plant Layout for Division II Route 5-20 5-7 ASDS Control Panel 5-21 7-1 Reactor Pressure Response for Shutdown with ASDS 7-12 7-2 Reactor Water Level Response for Shutdown with ASD$ 7-13 7-3 Suppression Pool Temperature Response for Shutdown with ASDS 7-14 7-4 Reactor Pressure Response for Shutdown from ASDS without Assuming Initial Isolation 7-15 7-5 Reactor Water Level Response for Shutdown from ASDS without Assuming Initial Isolation 7-16 7-6 Reactor Pressure Response for Spurious Operation of One S/RV 7-17 7-7 Reactor Water Level Response for Spurious Operation of 7-18 One S/RV 7-8 Reactor Water Level Response for Spurious Operation of One S/RV without Assuming Initial Isolation 7-19 vii/viii

NEDC-30291 ABSTRACT An alternate shutdown system (ASDS) will be installed in the Monticello Nuclear Generating Plant (MNGP) to provide alternative shutdown capalility as required by 10CFR50.48 and 10CFR50 Appendix R. This system assures safe shut-i down in the event of a fire in either the control room or the cable spreading room.

This report provides the information required by the Nuclear Regulatory Commission (NRC) related to alternative shutdown capabilities. The information includes a description of the ASDS, its circuitry, cable routing, hardware, and a summary of the operating and testing procedures. This report also presents evaluations of the effects of associated circuits and high-low pressure inter-faces on the ASDS, of the ASDS shutdown capability, and of the ASDS impact on plant safety. The evaluations conclude that implementation of the ASDS will bring the control room and cable spreading room of MNGP into compliance with 10CFR50.48 and 10CFR50 Appendix R.

r ixlx p i

l NEDC-30291

1.0 INTRODUCTION

1.1 BACKGROUND

In accordance with 10CFR50.48 and 10CFR50 Appendix R, adequate protection is required to safely shut down a nuclear plant in the unlikely event of a fire in any location of the plant. A plant-specific evaluation was performed for the Monticello Nuclear Generating Plant OC4GP) to determine its fire protection and safe shutdown capability in compliance with Section III.G.2 of 10CFR50 Appendix R. The evaluation is documented in a licensing report NEDO-22087 (Reference 1), which was submitted to the Nuclear Regulatory Commission (NRC) by Northern States Power (NSP) Company as part of their overall 10CFR50 Appendix R submittal. The report documents the limiting safety consequences and safe shutdown system performance goals for Appendix R purposes. Based on these performance goals, the minimum safe shutdown systems, including their required auxiliary support systems, were identified and analyses were performed to justify the choice of the safe shutdown systems. The report further pre-sented a fire area evaluation which determined the potential fire effects on plant shutdown capacity for each fire area. The fire area evaluation included the effects of associated circuits. The report further identified those areas which are not in compliance with 10CFR50 Appendix R. III.G.2, and described the recommended modifications or exemptions required to bring those areas into compliance.

The recommendations from this previous study were: .

(1) Upgrade the fire barriers to three-hour equivalent for various areas in the plant.

(2) Reroute cables in certain fire areas to provide separation for the redundant trains of the safe shutdown systems.

(3) Apply for an exemption for the control room.

1-1

^

NEDC-30291 Through subsequent NRC (Reference 2) and NSP evaluations, NSP decided to provide alternate shutdown capabilities for a fire in the centrol room or cable spreading room. Thus, the control room exemption is modified to only require exemption from automatic fixed fire suppression.

1.2 REPORT CONTENT AND OBJECTIVES This report describes the alternate shutdown system (ASDS) designed to bring the control room and cable spreading room into compliance with 10CFR50.48 and 10CFR50 Appendix R. The system was jointly developed by NSP and General Electric (CE). The ASDS is defined as those systems and components which require modification to achieve safe shutdown capability for the control room and cable spreading room.

This report presents a detailed description of the system design and the electrical design for the ASDS. The system design includes the system selec-tion and the design requirements. The electrical design includes the electrical circuitry, the cable routing, the control panel, hardware description, and equipment list. The report also presents the evaluations which demonstrate the design conformance to the requirements (i.e. , the plant can achieve safe shut-down through manual operation at the ASDS in the event of a fire in the control room or cable spreading room). A brief discussion of the operational procedure and testing for the ASDS is also included in the report.

This report also provides the technical information requested by the NRC in their Generic Letter 81-12 (Reference 3) and a subsequent clarification letter (Reference 4). To facilitate NRC review, this report includes a listing of the required information and a cross reference to the material contained herein (see Appendix A) .

1-2 l

NEDC-30291 2.0 S UMMARY The alternate shutdown system (ASDS) is designed for the Northern States Power Company's (NSP) Monticello Nuclear Generating Plant (MNGP) to provide the alternative shutdown capability raquired by 10CFR50 Appendix R. This system provides alternative shutdown capability in the event of a fire in either the control room or cable spreading room.

The ASDS consists of a control panel, necessary circuitry and cabling modifications to provide for manual control of selected Division II equipment.

The ASDS control panel is located on the third floor of the emergency filtra-tion train (EFI) building, which is a new Class I building adjacent to the turbine building. Manual control is obtained by transferring control from the l control room to the ASDS control panel through transfer switches and relays.

The relays are contained in relay panels installed outside of the control room and cable spreading room. The systems for the ASDS include safety / relief valves, core spray, residual heat removal (RHR), and their auxiliary systems, and instrumentation. The ASDS allows the operator to safely shut down the plant at a centralized location for a fire in the control room or cable spreading room.

In the ASDS design process, a set of limiting safety consequences were derived from the Nuclear Regulatory Commission (NRC) regulatory requirements and the guidelines provided by the NRC staff. The limiting safety consequences were then translated into a set of performance goals to protect fission product boundaries.

The ASDS was derived from the safe shutdown systems identified from a previous study to satisfy the performance goals. These systems were further evaluated to determine the modifications required to provide alternate shutdown capability for a fire in the control room or cable spreading room.

The identified systems and their required modifications for the ASDS are described in this report. The design requirements are established to assure the operability of the ASDS. These design requirements include require-ments for auxiliary systems, monitoring instruments, interfaces with existing 2-1 i

NEDC-30291 safety . systems, associated circuits including high-low pressure interfaces, operation, testing, and other NSP requirements.

Evaluations are presented to demonstrate that the ASDS satisfies all design requirements without automatic initiation of any emergency core cooling systems. In some cases, the ASDS design exceeds the NRC guidelines. The eval-untion further demonstrates that implementation of the ASDS will not degrade present plant safety. Installation of the ASDS will bring the control room and cable spreading room of MNGP into compliance with 10CFR50.48 and 10CFR50 Appendix R.

This report contains the necessary information requested by the NRC staff in their Generic Letter 81-12 and their clarification letter (References 3 and 4). To facilitate NRC review Appendix A of this report provides a listing of the required information and a cross reference to the materials contained herein.

2-2

_ _m-___m_._m_m..___: . . . _. -

NEDC-30291 l

3.0 SAFE SHUTDOk'N SYSTEM REQUIREMENTS This section describes the system level design requirements established for the safe shutdown system (SSDS) for the Monticello Nuclear Generating Plant (MNCP). The SSDS design requirements are based on the Nuclear Regulatory Commission (NRC) requirements in 10CFR50.48 and 10CFR50, Appendix R. subsequent NRC staf f positions, and guidelines considering the current MNGP design and systems performance capability.

The alternate shutdown system (ASDS) contains those systems requiring modification to achieve alternative shutdown capability. Thus, the SSDS for the fire areas required to satisfy the SSDS design requirements must be esta-blished first, and the SSDS is then evaluated to establish which systems require modification.

The SSDS design requirements for MNGP consist of a set of limiting safety consequences and functional performance goals which were first identified in NED3-22087 (Reference 1). The limiting safety consequences are used in the evaluation of the SSDS in any fire area in the plant, including the control room and cable spreading room. The performance goals are used as the system require-ments for safe shutdown. These design requirements and their bases are described below.

3.1 LIMITING SAFETY CONSEQUENCES The Ibniting safety consequences used in the evaluation of the SSDS are:

(1) No calculated fuel failure due to cladding temperature increases.

(2) No primary system pressure in excess of the Technical Specifications safety limit (Reference 5).

(3) No primary containment pressure or suppression pool temperature in excess of allowable values.

3-1

NEDC-3d291 3.2 BASES FOR LIMITING SAFETY CONSEQUE5CES The limiting safety consequences for the MNGP are based on the required shutdown functions and guidance in Generic,Lecter 81-12 (Reference 3), and, in particular, those related to the fission product boundary integrity.

r The limiting safety consequences associated with cladding temperature increases and primary system pressure increases inherently place constraints on the primary system parameters sufficient to assure adequate protection during a fire. The guidance given in Generic Letter 81-12 is that the process variables will be limited by those predicted for a loss of offsite power event.

However, the design basis event defined in Generic Letter 81-12 is more severe than the loss of offsite power event. Therefore, the process variables may momentarily exceed those associated with the loss of offsite power event.

The MNGP limiting safety consequence placed on suppression pool tempera-ture inherently places a constraint on the time allowed in hot shutdown. To preclude'the suppression pool temperature from exceeding limits when the off-site power is not available, the primary system is required to be depressurized and cold shutdown attained in less than 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months as identified in Generic Letter 81-12. (

q i 3.3 PERFORMANCE GOALS 4

To satisfy the requirements of th$ limiting. safety consequences, unique performance goals are identified in E4EDO-22087 tel estatitsh the SSDS require-s ments with or without off site power available.

These p\.erformance goals are:

a (1) Reactor shutdown - insert sdfficient negative reactivity to main- l tain the reactor in a suberitical condition.

' (2) Maintain coolant inventory - restore and maintain the reactor a vessel water at an acceptable level sufficient to preclude j calculated fuel failure due to cladding heatup.

4 ,

j

s. l w , ,

g 'x.

( '

'3_2 [ w 1

3 . ,

, 's 4 .

+

4

,\ 1 h .

NEDC-30291 (3) Overpressure protection - prevent overpressurization of the reactor vessel in excess of the safety LLaits.

(4) Decay heat removal - remove sufficient decay heat to achieve and maintain cold shutdown conditions to limit containment pressure and suppression pool temperature increases.

3.4 SSDS DESIGN REQUIREMENTS Based on the performance goals, the following SSDS requirements are derived:

(1) Cladding Heatup - Cladding temperature must be limited to less than 1500*F (Reference 6). The use of a peak cladding temperature as a design requirement rather than no core uncovery is consistent with NRC guidance (Reference 7) which establishes that short-term uncovery of the upper portion of the core during depressurization prior to reflooding is acceptable for a BWR.

(2) Primary System Pressure - The peak steam dome pressure shall not exceed 1335 psig. The requirement that the primary system not exceed the Technical Specifications safety limit (Reference 5) minimizes the potential for failure of the primary system pressure boundary.

(3) Primary Containment Pressure and Temperature - The design require-ments for the integrity of the primary containment boundary are:

(a) The primary containment pressure shall be maintained below the ASME code allowable pressure of 62 psig to prevent over-pressure of the primary containment boundary (Reference 8).

3-3

NEDC-30291 (b) The local suppression pool temperature in the vicinity of the T-Type quenchers used in the S/RV discharge lines must be within the limits established in NUREG-0783 (Reference 9) when S/RVs are discharging steam to the suppression pool. The local suppression pool temperature limits for MNGP are approximately 200*F for a reactor pressure below 200 psia. The maximum dif-ference between the local and bulk pool temperatures is 43*F as stated in NUREG-0783.

(c) The bulk pool temperature must be low enough to assure adequate net positive suction head (NPSH) for the system using the sup-pression pool as a water source (Reference 8).

By requiring that pressure and temperature not exceed the allowable values, the potential for primary containment failure is minimized.

/

3-4 l

NEDC-30291 4.0 ALTERNATE SHUTDOWN SYSTEM DESIGN This section describes the system level design of the alternative shutdown system (ASDS) for the Monticello Nuclear Generating Plant (MNGP).

The ASDS is designed to provide alternative shutdown capability for the control room and cable spreading room. In accordance with the definition given in Generic Letter 81-12 and the clarification letter (References 3, 4), the ASDS is defined as those systems which require modifications to provide alternative shutdown capability for a fire area. Thus, the ASDS is a subset of the safe shutdown system (SSDS) designed to satisfy the requirements provided in Section 3.0 in the event of fire in the control room or cable spreading room.

4.1 ASDS SELECTION Based on the performance goals, the SSDS were identified in NEDO-22087 (Reference 1) by a systematic analysis of the systems required to bring the plant to a safe shutdown condition. The SSDS were identified by tracing through, in sequence, the logic paths needed to fulfill the performance goals for each event tree. By using this analysis methodology, it was possible to explicitly identify all SSDS and the required actions (automatic and manual) necessary to satisfy each of the four performance goals. In addition, all required initiating and monitoring instrumentation was identified.

To simplify the SSDS selecticn process, two groups of systems which generally conform to the two Divisions of safety systems were selected based on the original plant design philosophy. These were designated as the princi-pal SSDS and are shown in Figure 4-1. Due to systems design considerations, some systers are shared between Divisions.

Evaluation of the various possible combinations of systems was performed to determine the minimum systems within each Division required to satisfy the four performance goals. These minimum systems are used to provide the safe shutdown capability with a loss of offsite power and are evaluated to 4-1

NEDC-30291 -

determine if alternative shutdown capability must be provided to satisfy the performance goals and meet the design requiraments. The results of this pro-cess are shown La Figure 4-2. The systens required to satisfy each of the per-formance goals are described further below.

4.1.1 Reactor Shutdown To accomplish the reactor shutdown function, either automatic scram or manual reactor shutdown is required. If automatic scram is required, the reactor protection system (RPS) must be capable of initiating reactor scram through actuation of the control rod drive system (CRD) scram function. If manual control rod insertion is required, a manual reactor shutdown can be initiated.

The RPS will initiato an automatic scram if required. The same initiat-ing parameters identified in NEDO-22087 for the safe shutdown systems must be available for the ASDS. As described in Appendix B and NEDO-22087, the RPS is a fail-safe design and thus requires no design charges. Therefore, the RPS is not considered part of the ASDS.

If automatic scram is not required during a fire event in the control room or cable spreading room, the operator can perform the manual control rod insertion before leaving the control room. The manual control rod insertion via a scram is fail-safe.

Further, as an extra measure NSP elected to incorporate a new system (equivalent to a backup scram valve). The new shutdown system is not required to satisfy the performance goal; therefore, this system is not considered part of the ASDS.

4-2

NEDC-30291 The CRD will insert the control rods if initiated by either the RPS or reactor manual shutdown system. As described in NEDO-22087, the CRD is a fail-safe design and thus requires no modification. Therefore. the CRD is not considered part of the ASDS.

4.1.2 Overpressure Protection Overpressure protection prior to depressurization is provided by the safety / relief valves (S/RVs). This function is provided by the self-actuation (pilot) mode of the S/RVs which does not require modifications to aatisfy the ASDS design requirements. Therefore, this mode is not considered part of the l

ASDS.

4.1.3 Maintenance of Coolant Inventory Restoration and maintenance of reactor coolant inventory is accomplished through the automatic actuation of the main steamline isolation system when required and the manual operation of the S/RVs to depressurize the reactor vessel followed by the manual operation of the Division II core spray system.

The main steamline isolation system consists of the main steam isolation valves (MSIVs), turbine control valves, and associated instrumentation. As described in Appendix B, the main steamline isolation system is a fail-safe design and thus requires no modifications. The manual operation mode of the S/RV and core spray systems require modifications and are considered part of the ASDS.

4.1.4 Decay Heat Removal Decay heat removal is provided by manual operation of the Division II RHR system in the suppression pool cooling (SPC) mode. The S/RVs are manually operated to provide a path for transfer of decay heat from the reactor vessel to the suppression pool. These systems require modifications and are con-sidered part of the ASDS.

4-3

NEDC-30291 4.1.5 ASDS Summary The above system selection process for the ASDS thus identified all the primary systems which require design modifications to satisfy the ASDS design requirements. These systems and their respective performance goals are shown in Table 4-1. The auxiliary systems required to support the identified primary systems are identified through the interaction diagram shown in Figure 4-3.

The identified auxiliary systems are listed in Table 4-2. The required moni-toring instruments for the ASDS are shown in Table 4-3.

4.2 ASDS DESIGN REQUIREMENTS The system selection process discussed above identified those systems which require design modifications to provide alternative shutdown capability for the control room and cable spreading room. The design modifications are governed by a set of design requirements derived from the performance goals, the guidelines specified by the staff of NRC (References 3, 4,10 and 11), and the requirements established by Northern States Power Company (NSP). These design requirements are:

(1) Independent of Affected Fire Areas - All ASDS systems and components shall be operable so that cold shutdown can be acnieved independent of fire damage in the control room or cable spreading room.

I (2) Associated Circuits - Associated circuits located in the control room or cable spreading room shall not defeat the ASDS shutdown capability as limited by the following assumptions on fire-induced faults:

(a) all associated circuits may experience open circuits or shorts to ground; and (b) one hot short resulting in a spurious operation of a non-high low pressure interface valve or component; or 4-4

NEDC-30291 (c) two or more hot shorts resulting in spurious operations of two or more' valves in series in a high-low pressure interface.

(3) Application of Safety Criteria - The ASDS is exempted from the following safety criteria or standards, except those portions of the ASDS which interface with or impact existing safety systems:

(a) Seismic Category I (b) Institute of Electrical and Electronics Engineers (IEEE)

Class IE requirements (c) Single-failure criteria (4) Event Assumptions - Except for the assumption of loss of offsite power, the fire is not assumed to occur simultaneously or coincident with the recovery from any abnormal condition and all systems and components not affected by the fire are assumed to be available and to function as designed.

(5) Independent of Offsite Power - The ASDS shall be capable of opera-tion with either offsite power available or unavailable for up to 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months .

(6) Process Monitoring - Process signals shall be provided to determine proper functioning of the ASDS.

(7) Auxiliary Systems - Supporting functions capable of providing process cooling, lubrication, etc., necessary for operation shall be included in the ASDS.

(8) Testable - The ASDS shall be testable during reactor shutdown.

4-5

EEDC-30291 (9) NSP Requirements - The following design requirements were established by NSP for the ASDS:

(a) Cable Routing - The ASDS shall use the new Division II cable route previously. installed.

(b) ASDS Operation - The ASDS shall be capable of achieving cold shutdown from a centralized location with minimum local oper-ations in remote plant areas. This exceeds the requirements of 10CFR50 Appendix R.

(c) Equipment Repair - The ASDS shall be capable of achieving cold shutdown without the need for equipment repair. This exceeds the requirements of 10CFR50 Appendix R.

(d) Operator Action Time - For evaluation purposes, transfer of control to the ASDS control panel and manual operation of the ASDS shall be assumed to occur 10 minutes af ter the initiating event.

4.3 ASDS DESCRIPTION This section describes the ASDS which can be separated into three system categories: primary systems, auxiliary systems, and instrumentation. The primary systems in the ASDS are those systems which directly satisfy the per-formance goals. The auxiliary systems are those systems necessary to enable operation of the ASDS primary systems or other ASDS auxiliary systems. The instrumentation includes process and diagnostic instruments. The system modifications are described in Section 5.

4.3.1 Primary Systems for ASDS This section describes the primary systems for ASDS. The primary systems are those which require design modifications to provide the alternative shutdown capability to fulfill the established performance goals. The primary systems 4-6

NEDC-30291 are: (1) S/RV system; (2) core spray system; and (3) RHR system in the SPC mode. All selected systems have manual capability and are derived from Division II. The ASDS primary systems are shown in Table 4-1.

Safety / Relief Valve (S/RV) System - The S/RV system for the ASDS is required for two shutdown functions. The ASDS must have the capability to manually actuate three S/RVs to depressurize the reactor vessel to enable the core spray system to perform its inventory makeup function. The ASDS must also provide at least one S/RV to transfer decay heat from the reactor vessel to the sup-pression pool during the decay heat removal process.

The S/RV system for the ASDS design includes four S/RVs capable of manual operation from the ASDS control panel. The fourth valve is not required for meeting the design requirements of the ASDS. Each S/RV system includes the S/RV itself, an air accumulator, the Division II solenoid valve controlling the air supply, and tha circuitry for manual operation. The S/RVs require de power from the Division II de power system for operation.

Core Spray - The ASDS uses Division II of the core spray system to maintain reactor inventory. The MNGP core spray system is designed to provide a high capacity low pressure source of spray water to the reactor vessel to assure adequate core cooling for a spectrum of conditions which can depressurize the

' reactor vessel. Following reactor depressurization, the core spray system will be manually operated from the ASDS control panel to inject the flow from the suppression pool to the reactor vessel through the spray sparger over the core.

The ASDS controls the following components of the core spray system: a motor-driven pump, motor-operated valves, and required circuitry. For opera-tion, the core spray system requires ac power from offsite sources or the Division II on-site ac power system for pump and valve operation, and de power from the Division II de power system for pump control. It also requires make-up water from the suppression pool, cooling water from the Division II emerF" -/

service water system, and space cooling from the Division II emergency core cooling system (ECCS) room cooler.

4-7

NEDC-30291 Residual Heat Removal (RHR) - To limit suppression pool temperature and con-tainment pressure, the ASDS uses the Division II RHR system in the SPC mode to remove reactor decay heat from the suppression pool. In the SPC mode, suc-tion is taken from the suppression pool and an RHR pump circulates flow through the RHR heat exchanger and back to the suppression pool. The RHR service water system is used to remove the decay heat through the RHR heat exchanger.

The ASDS controls the following components of the SPC system: one motor-driven RHR pump, motor-operated valves, and required circuitry. The SPC opera-tion requires:

(1) AC power from offsite sources or Division II on-site ac power system.

(2) DC power from Division 11 de power system.

(3) Water from the suppression pool.

(4) Cooling water from Division II of the emergency service water system.

(5) Space cooling from the Division II ECCS room cooler.

(6) Cooling water to the RHR heat exchanger from the Division II RHR >

service water system.

4.3.2 Auxiliary Systems for ASDS The auxiliary systems are systems which support the functioning of the primary systems. These systems are shown in Table 4-2 and the interaction between the auxiliary systems and the primary system is shown in Figure 4-3.

The function of the individual auxiliary system in relationship to the primary systems used for ASDS is described below. The auxiliary systems are a subset of the required auxiliary support systems identified in NEDO-22087.

4-8

NEDC-30291 On-Site AC Power System - The required ac power supply for the ASDS can be supplied from either offsite or on-site sources. Because of the requirement to consider the loss of offsite power concurrent with a fire, the on-site ac power system is selected for the auxiliary systems. The on-site ac power system consists of the standby diesel generator and associated components of the ac power distribution system.

To satisfy the design requirements for the ASDS, the Division II on-site ac power system can be operated from the ASDS control panel to supply the necessary ac power to the core spray system, RHR/SPC, emergency service water system, ECCS room cooler, RHR service water system RHR auxiliary air system, and the ASDS control and relay panel support sy stems . To assure that the diesel generator will not be overloaded during ASDS operation, load shedding capability is provided at the ASDS control panel for isolating unnecessary loads.

DC Power System - To support the ASDS operation Division II of the 125 Vdc power system is required. The de power system provides the required control power to the core spray and RER pumps, and on-site ac power systems. The de power systems also provides power to the solenoid valves which allow actua-tion of the S/RVs.

To satisfy the ASDS design requirements, the Division II of 125V de power system is provided for the ASDS operation. Being a passive system, operation of the de power system at the ASDS control panel is not required.

E,CCS Room Cooler - To satisfy the ASDS design requirements, the Division II ECCS room cooler is manually operated at the ASDS control panel. The ECCS room cooler provides the necessary cooling to the core spray and RHR compartment to maintain the air temperature within the system design limits for long-term ASDS operation. The ECCS room cooler requires ac power and emergency service water to support its operation.

i Emergency Service Water System - To satisfy the ASDS design requirements, Division II of the emergency service water (ESW) system can be manually operated at the ASDS control panel. The system consists of an ac motor-driven pump 4-9

NEDC-30291 which provides cooling water for the diesel generator, ECCS room cooler, and coolers for the RHR and core spray pump motors. The automatic function of the ESW will be protected to assure that the required cooling water is provided during the fire event.

RHR Service Water System - To satisfy the ASDS design requircments, the ASDS uses the Division II RHR service water system, which consists of one ac motor-driven pump and instrumentation, to transfer the decay heat from the RHR system to the ultimate heat sink. The RHR service water is discharged through a differential pressure control valve which maintains the service water dis-charge pressure from the heat exchanger approximately 20 psi above the shell side. For ASDS operation, the differential pressure control valve may be con-trolled by a controller at the ASDS control panel.

RHR Auxiliary Air System - To satisfy the ASDS design requirement, the Divi-sion II RHR auxiliary air system will be provided for the ASDS operation. The Division II RHR auxiliary air system provides air to the control valve which maintains the dif ferential pressure between the RHR and RHR service water systems in the SPC mode of operation.

Diesel Oil System - To satisfy the ASDS design requirements, the ASDS uses the Division II diesel oil system to provide fuel for the diesel generators in the on-site ac power system. The ASDS has manual control of the diesel oil transfer pump. The diesel oil transfer pump is supplied with power from the on site ac power supply.

Communication, Lighting, and HVAC - Suf ficient commur.ication, lighting and HVAC will be provided for the ASDS room. Power will be provided for these systems by the on-site ac power system. Emergency lighting will meet the requirements of 10CFR50 Appendix R. Section J.

4-10

NEDC-30291 4.3.3 Instrumentation for ASDS 1

I

! Both process and diagnostic instrumentation are required for ASDS opera- ,

tion. The process instruments are those required for monitoring and shutdown l

operation. . These include reactor pressure, reactor water level, suppression

' pool temperature and suppression pool level. The diagnostic instruments are those required to determine if the ASDS equipment are operative. These include power supply availability, pump breaker position, valve position, flow indica-tion, and diesel oil tank level (Table 4-3) . The adequacy c' these instruments to provide the necessary information for ASDS operation is demonstrated by the analysis in the following sections.

The process instrumentation are:

Reactor Vessel Pressure - The measurement of reactor vessel pressure is used i to determine when the core spray can function. Reactor vessel pressure is indicated on the ASDS control panel by using a Division II pressure transmitter.

The pressure transmitter has a range of 0 to 1200 psig.

Reactor Water Level - Reactor water level is measured to determine the need for additional coolant inventory. Two reactor water level instruments are pro-vided for ASDS operation. One of the reactor water level instruments measures the fuel zone range, which is from -350 inches to +50 inches. The other reactor water level instrument measures the shutdown range, which is from -50 inches to +350 inches. Instrument zero is at 477.5 inches above vessel zero (126 inches above top of active fuel).

l Suppression Pool Temperature - The temperature of the suppression pool provides an indication of the capability of the pool to accept additional energy. Based on this information, the need to depressurize the reactor for core spray opera-tion and to initiate RHR for decay heat removal can be determined. For ASDS i operation, the temperature of the suppression pool is indicated and recorded by a separate monitoring system located adjacent to the ASDS control panel.

4-11 i

i y . ,, -,y, p -. ...-4. , , . _ , , _ - . . . . . , - , , - , _ . ~ , _ , - , , - -

l NEDC-30291 Suppression Pool Level - The measurement of water level in the suppression pool determines the availability of water from this source for the ASDS operation.

Suppression pool water level at the ASDS control panel is similar to that in the control room.

The diagnostic instrumentation are:

Power Supply - Availability of both ac and de power supplies for ASDS operations is indicated at the ASDS control panel. If a necessary power supply is not available during ASDS operation, this information allows corrective actions to provide the necessary power supply.

Pump Breaker Position - A positive "on-off" type indication of the pump breaker position for each water pump is provided in the ASDS control panel.

Valve Position "On-of f" lights which indicate the position of each ASDS valve are provided at the ASDS control panel to assist in alignment of the valves for the ASDS operation. The S/RVs have indirect indication provided by the tailpipe pressure devices.

Flow Indication - Flow transmitters are used to provide direct flow indication for core spray, RHR, and RHR service water at the ASDS control panel. Flow for the emergency service water system at the ASDS control panel is inferred from a pressure switch.

Diesel Oil Tank Level - An alarm for the level of the diesel oil day tank, which supplies fuel to the standby diesel generator, is provided at the ASDS control panel. This provides a warning of possible fuel shortage at the day tank. Based on this information, the operator can replenish the day tank by starting the diesel fuel transfer pump at the ASDS control panel.

4-12

NEDC-30291 Table 4-1 PRIMARY SYSTEMS FOR ASDS Performance Goals Primary Systems Reactor Shutdown None Required Overpressure Protection None Required Maintain Coolant Inventory Division II S/RVs Division II Core Spray Decay Heat Removal Division II S/RVs Division II RHR in SPC Mode 4-13

NEDC-30291 Table 4-2 AUXILIARY SYSTEMS FOR ASDS e On-site AC Power System o DC Power System o ECCS Room Cooler e Emergency Service Water System o RHR Service Water System ,,

e RHR Auxiliary Air Supply e Diesel Oil System o Communication, Lighting, and HVAC 4-14

NEDC-30291 Table 4-3 INSTRUMENTATION FOR ASDS e Process Instrumentation

- Reactor Pressure

- Reactor Water Level

- Suppression Pool Temperature

- Suppression Pool Level e Diagnostic Instrumentation s

- Power Supply Availabilities

- Pump Breaker Positions

- Valve Positions

- Flow Indications

- Diesel Oil Day Tank Level 4-15 l

NEDC-30291 OlVISION I OlVISION 11 1

F - - - - - - - - - - - 7 g REACTOR PROTECTION SYSTEM ]

CRO ISCR AM) l

[

SYSTEM INIT! ATION SIGNAUS

]AFETY RELIEF VALVES

~~~~l CORE SPR AY-A CORE SPRAY 8 l l l SUPPRESSION POOL COOLING-A MONITORING INSTRUMENTS A l SUPPRESSION POOL MONITORING INSTRUMENTS-8 COOLING-8 l l REQUIRED AUXILIARY l REQUIRED AUXILIARY l SUPPORT SYSTEMS-A l l

, L _ SUPPORT SYSTEMS-8___z___

l l L. __________ _______ _ _ _ _J RCIC HPCI ALTERNATE LPCI SHUTDOWN MINIMUM REQUIRED SYSTEMS Figure 4-1. Principal Safe Shutdown Systems 4-16

NEDC-30291 FIRE IN CONTR ROOM OR CABLE SPREADING R NO AUTO SCRAM

?

YES F- M^ UAk--l F --- 7 l--- 7 l---- '

l EACTOR REAC OR l l SAFETY /RELlEF l l STEAMLINE SHUTDOWN g VALVE SYSTEM i LA N l SYST gg {

1 r

- ""_ J L _ _ _1 L _ _ _ _J L _ _ J l

r- CONTROL

-7 l DIVISION il I O0 VE i OVERPRESSURE SAFETY / RELIEF y PROTECTION VALVE SYSTEM l l L_ _J REACTOR OlVISION 11 SHUTDOWN CORE SPRAY SYSTEM P

OlVISION 11 MAINTAIN SAFETY / RELIEF COOLANT SYSTEM INVENTORY P

OlVISION li l

p INDICATES SYSTEMS REQUIRED TO

] SATISFY THE PERFORMANCE GOAL RHR SYSTEM /

SUPPRESSION BUT NOT A PART OF THE ALTERNATE POOL COOLING L - ] SHUTOOWN SYSTEM P MODE

- - INDICATES REACTOR DEPRESSURIZATION TO ATTAIN A STABLE COLD SHUTDOWN OE Y CONDITION g REMOVAL P -PERSONNEL ACTION Figure 4-2. ASDS Primary Systems for a Fire Event in the Control Room or Cable Spreading Room I

i 4-17 i

NEDC-30291 SAFETY / CORE RHR RELIEF VALVE SPRAY SYSTEM SYSTEM SYSTEM SPC MODF II il il ik il il ik h il ik If EMERGENCY RHR SE RVICE ON41M 04 POWER ECCS ROOM # R SE RVICE e

SYSTEM COOLER WATE R 3y , WATE R SYSTEM SYSTEM il iL < b il i l &

4 1 OIESEL RHR OIL AUXILLARY SYSTEM AIR SYSTEM ALLSYSTEMS ARE DIVISION 11 Figure 4-3. ASDS Primary and Auxiliary Systems Interaction 4-18 l

NEDC-30291 5.0 ELECTRICAL DESIGN FOR ASDS

5.1 INTRODUCTION

This section describes the electrical design modifications for the alternate shutdown system (ASDS). The design modifications itaclude electrical

~

circuitry changes to provide manual operation of various equipment at the ASDS control panel, cable routing to assure equipment operability, and new equipment or hardware to implement the modifiestions. These three electrical design modifications are interrelated in that they supplement each other to satisfy the design requirements specified in Section 4.3.

The ASDS design concept consists of circuitry changes to transfer control of equipment from the control room and cable spreading room to the ASDS control panel located in the emergency filtration train (EFT) building. This concept is illustrated in Figure 5-1, which shows that the pump and motor-operated valves of the Division II core spray system can be controlled at the control roos .r the ASDS control panel, depending on the position of the transfer switch (Asis). To implement the transfer circuitry, cable routing is important because it can impact the complexity of the transfer circuit design. The hard-ware used in the transfer circuitry is important because it must satisfy the ASDS design requirements. Thus, to meet the ASDS design requirements, the electrical design for the ASDS provides the following:

(1) Manual transfer capability (2) Manual operation capability (3) Equipment protection (4) Isolation frca safety systems The first three items above are to assure that the ASDS operation is independent of any potential fire damage in the control room or cable spread-ing room. This is accomplished by using transfer switches, transfer relays and fuses in the circuit design. Equipment protection includes effects of 5-1

NEDC-30291 associated circuits which are discussed in Section 6. The fourth item above is to ensure that the ASDS implementation will not degrade existing safety systems.

This is accomplished by providing an electrical design which is compatible with the existing safety system requirements.

Implementation of these four electrical design requirements is described below, including changes in circuit design, cable routing, and hardware.

Because of the multitude of the equipment involved and the uniformity of the actual detail design, the description of the ASDS electrical design is pre-sented at a conceptual level. Details of the electrical design as applied to each ASDS component can be obtained from Table 5-1 and the applicable figures identified.

5.2 ELECTRICAL CIRCUIT DESIGN Three simplified sample circuit designs are selected to describe the concept of the ASDS transfer mechanism and circuit design. These three cir-cuit designs are for:

(1) Operation of equipment from the ASDS control panel (Figure 5-2) .

(2) Status indication from the ASDS control panel (Figure 5-3).

(3) Alternate power supply for ASDS operation (Figure 5-4).

These three circuit designs are typical for the ASDS circuitry. Each of the circuit designs is explained in the following sections.

5.2.1 Typical Circuit Design for ASDS Operation Figure 5-2 shows a simplified conceptual design for the electrical cir-cuitry for equipment operation from the ASDS control panel. The example shown here uses a motor start relay (RI) in a motor control center (MCC) to represent the equipment. The normal manual operation of the equipment is accomplished by closing the start switch (SWl) in u..e control room, which 5-2

NELC-30291 energizes relay Rl. The normal connection between the MCC . d the control panel in the control room passes through the ASDS relay panel. This normal connection is maintained by a pair of normally closed contacts (Cl and C2) in the ASDS relay panel. The transfer switch (TSW) and the transfer relay (R2) control this pair of contacts and another pair of normally open contacts (C3 and C4) in the ASDS circuitry. Closing the transfer switch (TSW) will energize relay R2, which will open contacts C1 and C2 and close contacts C3 and C4. This transfer will effectively isolate the MCC from the control room so that direct manual operation is available at the ASDS control panel (SW2) and the start relay in the ASDS relay panel (R3) will control relay R1 in the MCC. Closing SW2 will energize R2, which will close contact C5 to com-plete the MCC circuitry to energize relay Rl.

In addition to demonstrating the transfer method Figure 5-2 also shows three significant design features of the ASDS:

(1) Equipment Protection - F1 represents a fuse which protects the equipment from a power surge resulting from a fire in the control room or cable spreading room.

(2) Isolation - Because the ASDS interfaces with existing safety systems and their associated equipment, isolation is provided to assure that the safety systems are not degraded.

(3) ASDS Power - In this design, the power for ASDS operation is completely separated from the normal power rupply for the Division IT. safety grade equipment.

5.2.2 Typical Circuit Design for ASDS Indication Figure 5-3 shows a simplified conceptual design for the electrical cir-cuitry which indicates equipment status at the ASDS control panel. The equip-ment status is indicated by a light (L1) at the control panel in the control room. The indicating light is controlled by a contact (C6) at the equipment.

The normal connection between the equipment and the control panel in the control room passes through the ASDS relay panel. This normal connection is 5-3

NEDC-30291 maintained by a pair of normally closed contacts (C1 and C2) in the ASDS relay panel. The transfer switch (TSW) and the transfer relay (RI) control this pair of contacts and the other pair of normally open contacts (C3 and C4) in the ASDS circuitry. Closing the transfer switch (TSW) will energize relay R1, which will open contacts C1 and C2 and close contacts C3 and C4. This transfer will effectively isolate the equipment from the control room so that the fire in the control room or cable spreading room will not interfere with the indi-cation at the ASDS control panci. The indicction at the ASDS control panel is provided by a light (L2) similar to light L1. Once the transfer is accomplished, contact C6 in the equipment controls light L2 through the indication relay R2 and contact C5 (i.e., closing contact C6 will energize relay R2, which will close contact C5 to energize light L2).

5.2.3 Alternate Power Source If a fuse in tha power supply circuit for any ASDS equipment is blown during a fire event in the control room or cable spreading room, the power supply and the equipment associated with it would be disabled. Thus, a cir-cuit for alternate power source is designed to ensure that the power supply would be available for ASDS operation.

A simplified schematic of the circuit is shown in Figure 5-4. Normal power to any ASDS equipment is supplied by lead L1 and N through a normally closed contact C1 in the ASDS relay panel. Fuse F1 is in the normal protection device for the power supply. Alternate L2 for the ASDS equipment is connected to the ASDS equipment through a normally open contact C2 and fuse F2. The transfer relay R1 controls contacts C1 and C2. Closing the transfer switch (TSW) will energize relay R1, which will open contact C1 and close C2, assuring that power is available for the ASDS equipment regardless of the status of fuse F1.

5.3 ASDS CABLE ROUTING 5.3.1 Introduction Cable routing is essential to establish the required independence of the ASDS from the control room and cable spreading room. It is also needed to 5-4 1

1

NEDC-30291 ensure that the addition of the ASDS will not introduce a fire area that con-tains both redundant trains of safe shutdown systems. The ASDS cable routing is designed to meet the separation requirements for a 3-hour equivalent fire barrier as identified in NED0-22087.

This section provides a description cf the cable routing for the ASDS.

The existing cable routing will be discussed first. This includes a descrip-tion of the cable routing inside the reactor building, the turbine building, and the control building, which houses the control room and the cable spreading room. The description of the new cable routing for ASDS will then follow.

This includes the addition of the EFT building and the Division II tunnel route.

5.3.2 Existing Cable Routing A conceptual cable routing is shown in Figure 5-5. The three buildings of interest are: reactor building, turbine building, and control building.

The cable routing in each building is discussed as follows:

Reactor Building - Divisional separation of the redundant trains of the safe shutdown systems in the reactor building is generally maintained by an east-west arrangement (i.e., Division I equipment is located on the east side and Division II is on the west side). The cable routings for the two divisions are usually separated. The adequacy of the separation in meeting Section III.G.2 of 10CFR50 Appendix R is addressed in NEDO-22087.

Turbine Building - The turbine building provides the necessary power distribu-tion for the plant, including the essential buses (4.16 kV switch-gear) and the load centers (480V) at the northwest corner, the standby diesel generators at the north side of the Division II essential bus and the MCCs at the south-east corner.

Power distribution and cable routing inside the turbine building are divisionally separated by floor levels. The Division II cables are at the upper level of the turbine building. The Division II 4.16 kV power supply cables are routed from the essential bus to the essential equipment, such as 5-5

NEDC-30291 core spray and RHR pumps in the reactor building through an underground tunnel ir. dependent of the control room and cable spreading room. The Division II 480 Vac power supply cables are routed from the load center to the MCCs along the upper level. The 480 Vac power supply cables are then routed from the MCC to the corresponding equipment in the reactor building through the cable spreading room. A stepdown transformer is available at each MCC to provide the 120 Vac control power for the equipment. The 120 Vac cables are presently routed from the MCC to the control relays in the cable spreading room and the control room. The Division I power supply cables are routed in a similar path except that the Division I equipment and cables are one level below the Division II equipment and cables. This arrangement maintains the necessary divisional separation. The adeqdicy of the separation for meeting Section III.G.2 of 10CFR50 Appendix R is addressed in Reference 1.

Control Building - The control building contains the battery room on the first level, the cable spreading room on the second level, and the control room on the third level.

The de power supply is originated from the battery room, which is directly below the cable spreading room in the control building. The de power cables are routed up to the cable spreading room and are then routed to equip-ment in either the reactor building or the turbine building.

The cable spreading room houses the control relays for the safe shutdown systems. It also provides the route between the electrical power from the turbine building and the equipment in the reactor building. The control room, located directly above the cable spreading room, has all the manual controls and indications of the safe shutdown equipment. This cable arrangement is shown conceptually in Figure 5-5.

5.3.3 Cable Routing for ASDS The ASDS provides direct manual control of selected Division II equip-ment. Thus, the control cables (120 Vac) for these equipment are intercepted at the MCCs for the manual control at the ASDS control panel in the EFT 5-6

NEDC-30291 building (Figure 5-5). The power cables (480 Vac) for the ASDS equipment are also routed independent of the cable spreading room. The new routing involves the EFT building and the Division II tunnel route.

The EFT building is a new three-level building at the east side of the turbine building and the north side of the administration building. The third floor of the EFT building is the designated area for the ASDS control panel.

The west side of the third floor area has penetrations to the turbine building at the Division II MCC Area. The east side of the third floor area has pene-trations connected to the Division II tunnel route.

The tunnel route is an underground tunnel which connects the EFT building with the west side (Division II) of the reactor building (Figure 5-6). This tunnel is the path to connect the Division II power supply to the ASDS equip-ment in the reactor building.

The ASDS cables are routed as follows. All ASDS cables which are not required in the control room or cable spreading room are routed in this tunnel to establish the necessary separation. These include all the 480 Vac power cables for ASDS equipment and all other cables for ASDS equipment. The ASDS cables which are connected to the control room or the cable spreading room are mainly the 120 Vac control cables. These cables are intercepted at the MCC to previde manual control for ASDS and are protected by the fuses and transfer switches discussed previously. ,

F The 4.16 kV cable routing is not affected because the cables are in their own underground tunnels, which are independent of the control room and cable spreading room. Further, the ASDS and its circuit protection methods will not require any reroute of the control cables which provide the automatic initia-tion (permissives) of the systems emergency core cooling (ECCS). These con-trol cables are located upstream of the MCC in the control room, cable spread-ing room, and the reactor building. Manual initiation of the ASDS is supported by the analyses performed in Section 7, which demonstrates that the ASDS can achieve safe shutdown and meet all the performance goals without the automatic initiation signals of the ECCS.

5-7

. . s l t, NEDC-30291

'4 is 5.4 HARDWARE DESIGN ,

s This section provides a description of the conceptual design of the ASDS control panel and relay panels. The description is for a conceptual level understanding of the hardware design.

5.4.1 ASDS Control Panel

h The ASDS control panel provides all the controls and instrument readouts s.

- for ASDS operation. Id is a comercial grade slope-front puel with top

's >

' access cable entry (Figure 5-7).N5*2wan factor review is used'in the panel

design to provide maximum operator familiarity. This will aid in operator l

training and.raduce potential o'ierator error. The paneJ layout s <

for the ASDS L

, control pcuel maintains the same general Jayout as the panels in cla control

~

room.. The relative positions of the 'contS 1, switches in the c1ntrol room for the S/RVs, bUt, core spray, and 'the' standby diksel generator are similar at the ASUS control panel. The control _ switches are cam actuated switches with s -

handles similar to those in ene cont'rol koom. The same " red-green" indicating lights a'dt'frovided for each switch. The instruments are also s'imil.ar to

, those in the. control room to further enhance operator familiarity. " Mimics",

or operatic [81ow paths, are also provided on the ASDS control panel to aid ASDS operation. The floY paths are arriaged in accordance to the operating procedure discussed in Section 8.

% r.. ,,

) +s

" ~~

4 To fae.111tata 'systdy operation and testing, a master transfee switch and five (5) s$*gtem reansfer switches are provided on the ASDS control panel. The master 't)ansfer switch 'is 'keylocked. Ac'cilatiotl of ths m tster. transfer switch

_ Twill, enable ASDS operdt" ton. It will also initiate an 31 arm in the control room had'anannunciaterat;theASDScontrol[ panel. The'five systen transfer switches

- . \ . , . m are'g ouped to alldrMndividual systes opdiation. '

7

., , \ .

t,,, s .

% ' Activation of these transfer switche's uill enable the manual control of the statems and equipkot at the ASDS control panel. The only exceptions are

,w , s u,

,- the load x shedding air. ctreu.it . < . .

breakers, which will actuate automatically upon manual activation of che' respective transfer switches. It should be noted s 3 s -

e..

N '45-8~ s g 4 5 g '.

i '

h. s y

NEDC-30291 that the ASDS can operate without activating the transfer switch for the standby diesel generator. This switch would be activated only if offsite power is not available, as indicated by the ac power monitor on the ASDS panel. A test circuit is provided for the ac power monitor to confirm the availability of the ac power.

5.4.2 ASDS Relay Panels Two safety-grade panels will be used to house approximately 175 safety grade relays in the ASDS circuitry. These panels are vertical panels with top access cable entry. One of these panels will contain the ac circuitry and it will be installed in the EFT building. The other relay panel will contain the de circuitry for controlling the air-circuit breakers of the essential bus and load center. The de panel is installed at a location close to the essential bus and the load center.

The relay panels are safety grade. A 6-inch separation or steel barrier is provided as minimum separation between the safety grade and commercial grade devices or viring. The ASDS relay panels are designed to the plant seismic and environmental qualifications requirements.

5-9

Table 5-1 EQUIPMENT LIST FOR ASDS Figure Equipment Identification Number Number System RV-2-71E C-2, C-22 A. Safety / Relief Valve Relief Valve (S/RV) C-2, C-22 Relief Valve RV-2-71F RV 2-71G C-2, C-22 Relief Valve RV 2-71H C-2, C-22 Relief Valve Core Spray Pump P-2088 C-1, C-16 B. Core Spray System C-1, C-17 Pool Suction Valve M01742 g 8

Injection Valve-outboard M01752 C-1. C-17 3 o

Injection Valve-Inboard M0175/, C-1, C-17 y M01750 C-1, C-17 Test Valve P2028 C-3, C-18 C. Residual Ueat RHR Pump Removal (LHR) C-3, C-15 System Pool Suction Valve M01987 M02003 C-3, C-16 Heat Exchainger By-Pass Valve M02007 C-3, C-15 SPC Valve-Outboard M02009 C-3, C-15 SPC Valve-Inboard CV1995 C-3, C-15 Minimum Flow Valve Heat Exchanger Discharge Valve CV1729 C-3, C-14

Table 5-1 (Continued)

Figure Equipment Identification Number Number System RHP. Service Water Pump P-109B C-3,C-16 D. Auxiliary Sfstems (operable from the C-6,C-7,C-21 Diesel Fuel Transfer Pump P-ll ASDS Panel)

Standby Diesel Generator DC 12 C-6 C-7,C-19 Emergency Service Water Pump P-lllB C-6,C-7,C-18 V-AC-5 C-6 C-7,C-21 ECCS Room Cooler RHR Au, iliary Air Compressor K-10B C-3 E. Auxiliary Ssytems z for ASDS Opera- C-6,C-14 tion AC Power System Bus No. 16 ts e

i DC Power System Battery No. 12 C-12 U C U

~

V-SF-9 Not Applicable DG Room Ventilation Fan Not Available Not Applicable ASDS Communication ASDS Lighting Not Available Not Applicable Not Available Not Applicable ASDS HVAC Reactor Pressure PT 40678 C-8,C-14 F. Instrumentation for Reactor and Pool C-8,C-14 Monitoring Reactor Water Level (-350", 50") Not Available Reactor Water Level (-50", +350") Not Available C-8,C-14

Table 5-1 (Continued)

Figure Equipment Identification Number Number System Pool Level LT7338B C-5,C-14 F. Instrumentation fer Reactor and Pool Not Applicable Monitoring (Continued) Pool Temperature Not Available Valve positions for all valves See A, B, C See A,B,C G. Instrumentation for Diagnostics of listed in A, B, C Primary Systems C-2,C-22 Tail-pipe pressure switches for dPT 4061B dPT 4062B C-2,C-22 each SRV listed in B C-2,C-22 dPT 4063B PS-7464 C-2,C-22 RHR Pump Breaker Position 152-604 C-3,C-6,C-'18 z CS Pump Breaker Position 152-605 C-1 C-6,C-16 i

.' o RHR System Flow - SPC Not Available C-3,C-14 e]

CS System Flow Not Available C-1.C-14 Diesel Day Tank Level LS 1529 C-6,C-7,C-21 H. Instrumentation for Diagnostic of C-3,C-14 Auxiliary Systems RHR Service Water Flow Not Available RHR Service Water Pump Breaker 152-608 C-3,C-6,C-16 Position RHR Heat Exchanger AP Not Available C-3,C-4,C-14 RHR Air Supply Control dPIC 10-130B C-3,C-14 152-602 C-6,C-7,C-19 Diesel Generator Status PS-2439 C-6,C-7,C- 19 ESW Pump Discharge Pressure

J Table 5-1 (Continued)

Figure Equipment Identification Number Number System Diesel Fuel Transfer Pump B4202 C-6,C-7,C-11 H. Instrumentation for Diagnostic of Breaker Position Auxiliary Systems ECCS Room Coeler Status V-AC-5 C-7,C-21 (Continued)

AC Power Status Bus No. 16 C-14 DC Powcr Status Battery No. 12 C-14 Diesel Generator Frequency Not Available C-6 C-7,C-19 l l

' Diesel Generator Voltage Not Available C-6,C-7,C-19 I Bus Tie to L.C. No. 104 ACB 52-401 C-6,C-7,C-19 m I. Air Circuit Breakers O 1 (ACB) for Control C-6,C-7,C-19 8

" Diesel Generator Breaker ACB 152-602 and Indication at 3 ASDS C-6,C-7,C-20 Bus Tie to 480V Step Down ACB 152-609 Transformer 1.0B 152-610 C-6 C-7,C-20 Bus Tie to No. lAR Transformer Bus Tie to Bus No. 14 ACB 152-408 C-6,C-7,C-20 Bus Tie to Bus No. 15 ACB 152-601 C-6,C-7,C-20 Bus Tie to L.C. No. 103 ACB 52-409 C-6,C-7,C-18 Bus Tie to B41 ACB 52-402 C-6,C-7,C-18 Bus Tie to B42 (Non-essential) ACB 52-4231 C-6,C-7,C-18 Bus Tie to B43(P) ACB 52-407 C-6,C-7,C-18

E?s". -

er 7 7 7 re - - -

ub C C C gm iu , , ,

FN 6 6 6 C C C r

e b

m u

N n

o i

t a

c 8 3 4 i 0 0 0 f 4 4 4 i - - -

t 2 2 2 n 5 5 5 e

d B B B JCA C A

C A

)

d e

u n

i t

n o

C

( )

l 1 a

- g i 5 n t i n e t d e l n l s b e i s a m u E

(

)

T i p B A

(

u q

T 2 3 F 4 4 E E B B o o o t t t e e e i i i T T T s s s u u u B B B n

o l i ot ra t r t op ne m

e iCO t u s

y css rrD S ieS CkA a

rer ir o ABf J

Y=

1 lllllllll

NEDC-30291 ONTROL ROOM i ;

! RMS RMS RMS MS RMS

____ _ _ _ _ ____ ____ _ _ _ _ l I P 2(25 M01754 M01752 M01742

.M01750 i

g l L __ _ _ _ _ _ _ _ _.__ _ __ _ _ _ __ _ _ _ _ _ _ _ __ _ J l 1 P-2088 M01754 AST5 M01752 ASoS M01742 M01750 I I A606 MO MO MO MO 152406 M01754 M01752 M01742 M01750

>4 4 >< >4 CORE SPH AY PUMP P 2008 NOTES:

(1) ALL EQUIPMENT ARE PLANT EXISTING EQUIPMENT EXCEPT ASOS (2) RMS = REMOTE M ANUAL SWITCH (3) MS = MANUAL SWITCH (4) ASTS = TRANSFER SWITCH Figure 5-1. Transfer of Control to ASDS 5_

bn{o$"

7illlIlI J_

-M _

- O _

-O R _

- 1 L _

O W _

- R 1IS

- T _

v

-N C

- C .

r8 le(e! it L

L

^

W L

E E

I S

ll I 4 i i 1l S

T D S

i'

g A

- t g

m F

o l

' *e- r

_ f I 2 t

$ R --

n g e Cl}"dB, l

I88l Ii4 m p

$ i T1#- u

- X E q

- - a f

Z o

- - w1s s1 i n

o h

f e- & .

i t

_ viI_

4 6 l

i 3

H L a

r p

e

- C C $ E

" h I -

N A

P L

O A

I -

l lT W

S O,

H T

N 2

5 e

O r

" Z l C S u h l D i g

l S X l A F

' l 3 ll c c L N C

A S

O S

A 51!

7lII3 is.

- H T _ )

4

-A _ C 5

- ST .

AEH _

HY _. oL a U l

-O T L A 1

_ oNVGIl

-OE H _ O (F

- MH _

r1lllg iL m1&

li(l

NEDC-30291 I l l3 3 I IE O l la ;

1 ll-l l L_ _ _ . ___ _J d

R

w Y

q . - --

m N to p <

o 4l- l

%l.1

. E v

i l 2.

I -h--- --- -

I r 4.-y-w:

l F-3 a

d. A8

. ab;-l '

i

, l.j, i i

e 1 3

I o i .Il -

' - J ,5 l s *. * .

a

l. -n

x i .e! i , g

< i -

A

. kl M Z

$ 8 .

I 8

%l-l r 8 y

'?

e . .

2 %l-l _x _

d

=

x 0 g U Z <a b

s Q r--- l 324: o I

3 23 l

5 l 3J >9 0*

I

{ l ,8 1 I8 I =

MH I 1

L______J 5-17 i

xU ywoP@- J T

N E

M P

II L UU SQ L AE A w

L E

E T

s A,

, ' s Ia g a '

~ .

_~ _- _

S

_:- D

- S A

~ -

_ r

' _ o

' - f

_ e l

a1 j - c l J, _l r

,1 u

bH o

~ ' T jii l S

1 C

jL _:

r e

w

_: o P

- l w L l

S T

E e

~ . _ N t L - A a E _

P n N L r A O e P H t i l Y l _: l T l A - N A L 2 _ - O E F _: C 4t l i

l l

S .

S D 4 D _: S -

S - A S A

s '

l- , . . i 1 e

r u

g i

F l

l 1

F l

l C C C

N A L S

D S

C e C A 2 i L L N C

A i

l V1 0

uLoo s

li .

\ .

NEDC-30291 OlVISION I OlVISION 11 4,16 k V -

4.16 k V l

~ ~ ~

ESSENTIAL ---] p---> ESSENTIAL sus (ASOS)

- , I g

sus l y I

l V y i I i gl i i

uce l1 l iASoSi l

, ,cc I

I I l l g

l TURBINE l l

8UILDING l l L.

I I I l 1 I i l

uIi o I <

CABLE l 125 VDC -* SPREADING 4 125 VOC 3 I l ROOM -ll-l- - - 1 l

I I CONTROL 0 0I O l

-- ..._ LOIN G_ u I l I I I I L_ i ----> EQUIPMENT

i i

NON ASDS _

i i -__J L___. EcuiruENT tj -g l l I I 1 "

(ASDSil

+A l ASDS _ (ASOS) l EQUIPMENT !

REACTOR SUILDING

-- __ l 400 Vac/120 Vac

- 120 Vdc

-. 4.16 kV Figure 3-5. Cable Routing Arrangement 5-19

l l

NEDC-30291 l

INTAKE DIESEL U m RE GENERATOR ROOMS I i

.~

olv 11 olv s -

SWITCH GEAR ROOM TURBINE BUILOING SOILER ROOM E

MCC EFT AREA BUILDING I

l CONTROL REACTOR ROOM /CA8LE g,c, SPREADING BUILDING ROOM l

ROOM l

< : olv II oiv i A DMINISTR ATION BUILDING I

I I i RA0 WASTE BUILDING TUNNEL ROUTE Figure 5-6. Plant Layout for Division Il Route 5-20

NEPC-30291 47IN d

30IN.

90IN.

U 64IN. L l Figure 5-7. ASDS Control Panel 5-21/5-22

NEDC-30291 6.0 ASSOCIATED CIRCUITS A requirement for the electrical design of the alternate shutdown system (ASDS) is that the system must be isolated from all associated circuits .

(including non-safety circuits) such that hot shorts, open circuits or shorts .

l to ground in the associated circuits will not prevent operation of the safe l nhutdown equipment or result in spurious operations which could adversely l

affect the shutdown capability of the ASDS. The NRC Generic Letter 81-12 ?*

(Reference 3) defines three typas of associated circuits: common power source, spurious operation, and common enclosure. The electrical design methods described previously are employed to protect the ASDS from associated circuits and their potantial effects.

An evaluation of the ASDS performance due to each type of associated circuit defined in Generic Letter 81-12 is performed. This evaluation is to demonstrate that the ASDS electrical design is acceptable. The evaluation also identifies the need to perform analyses to address the liniting event which associated circuits may cause [i.e., spuriously opening of a safety /

relief valve (S/RV)]. The evaluation process employed in Reference 1 and in this report consider a high-low pressure interface as a type of associated circuit. The results of the evaluation for high-low pressure interfaces are also presented below. ,

6.1 COMMON POWER SOURCE As a result of the fire protection analysis documented in NED0-22087 l (Reference 1), it was concluded that the Monticello Nuclear Generating Plant l

(MNGP) does not have associated circuits of the type having a common power l

source with the shutdown equipment and the power source not electrically protected from the circuit of concern by coordinated breakers, fuses, or similar devices. The ASDS circuitry was specifically designed to avoid intro-l ducing circuits of this type. Therefore, it is not necessary to perform an evaluation for this type of associated circuit.

6.2 SPURIOUS OPERATION The following sections describe the analysis performed to demonstrate that spurious operation will not prevent the ASDS f rom achieving cold shutdown 6-1

NEDC-30291 during a fire in the control room or cable spreading room. The analysis was presented for four categories of equipment located in the control room or cable spreading room:

(1) ASDS Equipment (2) S/RVs (3) Non-ASDS Equipment (4) High-Low Pressure Interface Spurious operation of equipment has the potential for defeating the safe shutdown systems or causing an unacceptable loss of reactor coolant inventory.

The process of identifying the significant spurious operation for a fire in the control room or cable spreading room was the same process described in NEDO-22087. This involved locating all high-low pressure interfaces, all potential paths for coolant inventory loss, all potential paths for flow diversion and all potential flow blockages within the nuclear steam supply system and balance-of-plant systems. Each of these potential adverse spurious operations was evaluated for its potential consequence in accordance with the assumptions described below:

(1) Spurious operation occurs stuultaneously with other fire effects.

(2) Spurious operation for any equipment in the control room or cable spreading room is considered plausible unless the equipment is protected.

(3) The number of spurious operations considered in this analysis is limited by the design requirements specified in Section 4.

(4) A motor-operated valve or any other electrical equipment that has its power supply disabled during normal operation will not spuri-ously operate.

(5) Spurious operation of the equipment in the reactor protection system (RPS) or the main steam isolation valves (MSIVs) is not considered plausible as discussed in Appendix B.

6-2

1 NEDC-30291 6.2.1 ASDS Equipment The ASDS was designed to handle spurious operations within its own equipment. Manual control of the ASDS components is available at the ASDS control panel. Therefore, it is possible to correct any undesirable spurious operations once the manual control transfer from the control room to the ASDS control panci is accomplished. For example, spurious operation of the test valve in the core spray system may divert the makeup water away from the reacter vessel. However, once the control is transferred to the ASDS, the valve can be manually closed to provide sufficient makeup flow for the reactor vessel. Following transfer of control, all ASDS equipment will be isolated from both the control room and the cable spreading room.

6.2.2 Safety / Relief Valves There is a potential for spurious S/RV operation due to a fire in the control room or cable spreading room. Spurious S/RV operation, where the valve fails open, can reduce reactor coolant inventory and increase suppression pool temperature. Under the present design requirements, the ASDS design only needs to consider the spurious operation of one S/RV. Thus, thermal-hydraulic analysis was performed and presented in Section 7 to demonstrate that spurious S/RV operation will not adversely affect the system capability of the ASDS to achieve saf e shutdown.

6.2.3 Other Non-ASDS Components Other non-ASDS components include all the equipment in the control room and cable spreading room which is not a component of the ASDS, a high-low pressure interface, or an S/RV. Examples of these components are the Division I core spray system, high pressure coolant injection (HPCI), reactor core isola-tion cooling (RCIC), Division I of the RHR and Division II of the RHR which is not in the SPC mode. These components will not prevent the ASDS from achieving cold shutdown for the following reasons:

6-3

NEDC-30291 9

(1) No credit is taken for operation of these components. Spurious stop of a component is equivalent to the loss of the component.

Spurious start of any of these components will not degrade the ASDS performance.

(2) Effects of spurious operation are bounded by other events. For example, spurious operation of the HPCI or RCIC systen could lead to inventory loss because of the steam-driven turbines. However, the amount of inventory loss due to these spurious operations is bounded by the spurious opening of a single S/RV. Therefore, consideration of spurious operation of these non-ASDS components is not required.

Any spurious operation of the non-ASDS components in the control room or cable spreading room w t act prevent the ASDS from achieving cold shutdown.

6.2.4 High-Low Pressure Interface A high-low pressure interface is a special case of spurious operation which may result in a breach of the barrier between a low pressure system and the reactor coolant pressure boundary. A list of all high-low pressure interfaces is provided in Table 6-1. These components were identified by tracing through all the paths on the nuclear boiler system which may lead to a low pressure system. The significance of the high-low pressure interface was then evaluated to identify the necessary corrective actions. The following types of high-low pressure interfaces do not require corrective action:

(1) One-inch or smaller line because the amount of inventory loss is minimal.

(2) Lines which have check valves to prevent potential inventory loss.

6-4

NEDC-30291 l

(3) Lines with fail-safe isolation valves because these valves will not spuriously operate.

(4) Lines that contain an isolation valve which has its power disabled during normal operation.

(5) Lines with S/RVs or equivalent size s because analysis demonstrated that the plant can tolerate their spurious operation.

Based on this method, the fire protection analysis concluded that only four sets of valves would require corrective actions. These valves are:

(1) M02029 .nd M02030 in the suction line of RHR in the shutdown cooling (SDC) mode.

(2) M02407 sad M02032 on the RHR line to the radwaste system.

(3) M02401, CV2403 and M02404 on the reactor wattJ cleanup (RWCU) line -

to the hot well.

(4) M02401, CV2403 and M02405 on the RWCU line to thi radwaste system.

The corrective actions for sets (1) and (2) above are to remove the power sources for one of the valves (M02029 and M02032) when the plant is at power operatice.. The power sources will return to these valves under con-trolled conditions when their services are required during plant shutdown.

For sets (3) and (4), the identified corrective action is to remove the power source for valve M02401, which is a 3-inch bypass line around a 1/4-inch restricting orifice (R02402) upstream of valve CV2402. The 1/4-inch orifice will limit the amount of potential inventory loss through the downstream high-low pressure interfaces. This corrective action allows the plant to retain the required services of the valves CV2403, M02404, and M02405 during normal plant operation without sacrificing plant protection.

Installation of the ASDS will not af fect any of these components or their corrective actions; therefore the high-low pressure interface has no impact on the ASDS.

6-5

NEDC-30291 6.3 COMMON ENCLOSURE The fire protection analysis documented in NEDO-22087 (Reference 1) con-cluded that associated circuits of the common enclosure type are found only in the cable spreading room. To ensure that this type of associated circuit will not affect the ASDS operation, it is necessary to:

(1) provide appropriate measures to prevent propagation of the fire, and (2) provide electrical protection (e.g., breakers, fuses, or similar devices).

Fire in the cable spreading room will not propagate to the ASDS area or to the MCC area (Fire Zone 19B in NEDO-22087) with which the ASDS interfaces.

This is because the cable spreading room is a three-hour fire area with an automatic fire detection and suppression system. The ASDS circuitry is also protected from any damage from the fire in the ccble spreading room by the fuses or by cable routing. Therefore, adequate protection has been provided for the ASDS and associated circuits of the common enclosure type will not affect the ASDS.

6-6

NEDC-30291 Table 6-1 HICH-LOW PRESSURE INTERFACE COMPONENTS System Equipment Corrective Actions RHR M02029, M02030 Open power breaker for M02029 during normal plant operation RHR M02407, M02032 Open power breaker for M02032 durir.g normal plant operation RWCU M0240l, CV2403, Open power breaker for M02401 during M02404, M02401, nonnal plant operation. M02401 is CV2403, M02405 a 3-inch bypass valve to the 1/4-inch restricting orifice (R02402) which is upstream of CV2403.

RHR M02014 None required. See Note 1.

RHE M02015 None required. See Note 1.

RHR M02027. M02026 None required. See Note 1.

Core Spray M01753 None required. See Note 1.

Core Spray M01754 None required. See Note 1.

HPCI M02068 None required. See Note 1.

RCIC M02017 None required. See Note 1.

HPCI CV2046A, CV2046B None required. See Note 2.

RCIC CV2062A, CV2062B Nonc required. See Note 2.

CRD CV127, CV3-32A None required. See Note 2.

CRD CV127, CV3-32B None required. See Note 2.

CRD CV127, CV3-33 None required. See Note 2.

NBS CV2790, CV2791 None required. See Note 2.

NBS CV2371, CV2372 None required. See Note 2.

NBS CV2369 CV2370 None required. See Note 2.

NBS A02-80A, A02-86A None required. See Note 3.

NBS A02-80B, A02-86B None required. See Note 3.

6-7

NEDC-30291 Table 6-1 (Continued)

System Eqaignent Corrective Actions NBS A02-80C, A02-86C None required. See Note 3.

NBS A02-80D, A02-86D None required. See Note 3.

NBS M02373, M02374 None required. See Note 4.

NBS RV2-71A through H None required. See Note 5.

NOTES TO TABLE 6-1 (1) Mechanical check valves are available to prevent reactor inventory loss through the injection valve from makeup system.

(2) Reactor inventory loss is limited by line size (less than 1-inch) and ASDS has sufficient capacity to mitigate consequences.

(3) See analyses for MSIVs in Appendix B.

(4) Effect of spurious operation is equivalent to spurious operation of 1 S/RV. See analyses for S/RVs in Subsection 7.1.4.

(5) See analyses for S/RVs in Subsection 7.1.4.

6-8

NEDC-30291 7.0 ASDS PERFORMANCE EVALUATION This section presents the results of the analyses which evaluate the safe shutdown capability of the alternate shutdown system (ASDS) for the Monticello Nuclear Generating Plant (MNGP). The ASDS capabilities were evaluated against the performance goals and design requirements stated previously. Thermal-hydraulic analyses were performed to evaluate the ASDS capability to maintain coolant inventory and containment boundary integrity. Design evaluations were performed to assess the performance of the auxiliary systems and instrumenta-tion. Finally, the impact of ASDS on plant safety is evaluated.

7.1 THERMAL-HYDRAULIC ANALYSIS Analyses were performed to demonstrate the capability of the ASDS to bring the plant to cold shutdown in the event of a fire in the control room or cable spreading room. These analyses demonstrate that the ASDS function is sufficient to achieve cold shutdown by satisfying the performance goals for fuel cladding integrity and containment integrity. These analyses also provide the bases for the ASDS operating procedures.

The thermal-hydraulic analysis presented here is the same as the safe shutdown sysr. ems analysis documented in NEDO-22087 (Reference 1) except that the ASDS evaluation is expanded to include three changes. First, since the shutdown process from the ASDS control panel depends on manual operation, a conservative 10-minute period between event initiation and manual action at the ASDS control panel is imposed. Second, the assumption of main steamline isolation at event initiation (as defined for the evaluation fire event) is evaluated to assure that the analysis performed is conservative. Third, with the current design requirements, the itmi. ting event for spurious operation is the spurious operation of one S/RV. This is s change f rom NEDO-22087, which assumes spurious operation of multiple S/RVs. It should be noted that the analysis presented here is to evaluate the long-term effects of the fire event.

Short-term transient effects on fuel integrity and peak pressure limits are covered by the safety analyses performed in Reference 8.

7-1 l

i

NEDC-30291 7.1.1 Analysis Methods The analyses performed for the reactor vessel response and suppression pool response are discussed below.

7.1.1.1 Reactor Vessel Response Current General Electric BWR evaluation mudels were used to determine the reactor and core responses to a postulated fire in the control room and cable spreading room. The reactor system (pressure and coolant inventory) response was evaluated by the SAFE code (Reference 12). The core heatup response was determined by the CHASTE code (Reference 12). Use of SAFE and CHASTE to analyze events similar to the postulated transient arising from fire in the control room or cable spreading room is discussed in the development of the Emergency Procadure Guidelines (References 13 and 14).

To obtain more realistic predictions of the plant response to the pos-tulated event, the inputs and assumptions to these models were modified.

These models and assumptions are similar to those used to develop the Emergency Procedure Guidelines and for evaluation of loss of feedwater transients and small break LOCAs (Reference 15).

7.1.1.2 Suppression Pool Response The suppression pool temperature response was determined from heat and mass balance calculations on the suppression pool. This was performed by modeling the pool as an insulated volume. The heat balance accounted for heat addition from the reactor safety / relief valves (S/RVs) and for heat removal through heat exchangers of the residual heat removal (RHR) system. Heat addi-tion from the S/RVs was obtained from the SAFE output. An ideal gas model was used for the air space and the suppression pool internal pressure was obtained by assuming thermal equilibrium between the air space and the pool water.

7-2

__m. _ _ - -

NEDC-30291 7.1.2 Event Description and Analysis Assumptions An evaluation fire event was defined in NEDO-22087 and used for the eval-uation of the ASDS performance. The fire occurs in, and is confined to, the control room or cable spreading room, while the reactor is operating at rated power and the ASDS is used to bring the plant to cold shutdown. The analysis of the ASDS is based on the following assumptions:

(1) No credit is assumed for offsite power. This assumption is simu-lated in the analysis by imposing a loss of offsite power and reactor isolation with loss of feedwater and loss of main condenser at time zero. This maximizes the primary system stored energy, resulting in higher reactor coolant inventory loss, faster reactor pressurization and faster suppression pool heatup. Even though most fires are not expected to cause loss of offsite power, this assumption is made because it results in the most severe challenge to shutdown from the ASDS.

(2) All systems and components having cables or equipment in the control room or cable spreading room are assumed lost. However, the ASDS systems and components are transferred to the ASDS panel and assumed to be operable.

(3) All systems and components not affected by the fire in the control room or cable spreading rcom are assumed to be operable.

(4) Equipment failures beyond the fire-induced failures do not occur (i.e., single-failure criterion is not applicaole).

(5) Performance parameters of all operable systems and components are consistent with the system design values.

(6) The fire event does not occur simultaneously or coincident with any other abnormal conditions except the loss of offsite power and fire-induced spurious operations or failures. No other challenges to the ASDS are considered.

7-3

NEDC-30291 (7) The initial core power is conservatively set at 102% of rated.

Initial steam flow, core flow and vessel pressure are consistent with the heat balance for 102% rated core power.

(8) Initial reactor water level is at or above the scram level. A low initial water level is used for evaluating the reactor vessel response because it presents the most severe challenge to the requirement of maintaining coolant inventory. A high initial water level is used for evaluating suppression pool response because it presents the most severe challenge to the requirement of removing decay heat.

(9) Initial suppression pool level is at the lowest level allowed by the current plant Technical Specifications (Reference 5). This presents the most severe challenge to meeting the decay heat removal requirements.

(10) Initial suppression pool temperature is the highest value allowed by the current plant Technical Specifications (90*F) for normal operation without suppression pool cooling (SPC). This presents the most severe challenge to meeting the decay heat removal requirement.

(11) Reactor scram and isolation occur upon event initiation. Additional analysis is performed for events without initial isolation on the main steam system to demonstrate that this assumption does not affect the ASDS performance.

(12) All actions taken at the ASD5 panel are consistent with the plant Technical Specifications and the Emergency Procedure Guidelines.

(13) Manual operation at the ASDS begins 10 minutes af ter event initia-tion. Because of the proximity of the ASDS control panel to the control room, the 10-minute assumption is conservative.

(14) Suppression pool cooling is not initiated until depressurization is completed.

7-4

NEDC-30291 7.1.3 Results for the Evaluation Fire Event Results of the thermal-hydraulic analysis for the evaluation fire event are shown in Figures 7-1, 7-2, and 7-3. Figure 7-1 shows that immediately after scram isolation, the reactor pressure increase is limited by the S/RVs operating in the safety mode. There is no potential for vessel overpressuri-zation, since the S/RVs are sized for the most severe isolation event. The maximum reactor pressure is approximately 1150 psig, which is weil below the T;;hnical Specification Safety limit of 1335 psig. Therefore, the performance goal of overpressure protection is satisfied.

Assuming both high pressure makeup systems lost, the reactor coolant inventory will be reduced with each S/RV actuation as shown in Figure 7-2. .

The indicated reactor water level will drop to near the top of the active fuel (TAF) in approximately 1000 seconds (Figure 7-2) . The reactor will then be depressurized by manually opening S/RVs as required at the ASDS panel. When vessel pressure drops below the core spray shutoff head, the core spray pump will begin operation and quickly reflood the core. The fuel node having the . .

highest peak clad temperature (PCT) will be uncovered for approximately 200 seconds. The calculated PCT for this node is approximately 1200*F, which is signif'cantly below the design requirement ef 1500*F.

The suppression pool temperature response is shown in Figure 7-3. The bulk pool temperature increases from its initial temperature of 90*F to approx- .

imately 121*F at which point manual depressurization is initiated as required by the Technical Specifications and Emergency Procedure Guidelines. Suppres-sion pool cooling (SPC) is initiated af ter depressurization is completed at approximately 2500 seconds. At this point, the bulk pool temperature is approximately 143*F. The maximum local pool temperature is approximately 186*F, which is below the design requirement for local pool temperature.

When the SPC is first initiated, the RHR capacity is less than the reactor decay power, and the bulk pool teeperature will increase until the decay power drops below the RHR capacity. The calculated peak bulk pool temperature is 191*F at about 16 hours1.851852e-4 days 0.00444 hours 2.645503e-5 weeks 6.088e-6 months . This temperature is low enough to l

l 7-5

NEDC-30291 assure pump operability. The maximum pressure calculated for the suppression pool is approximately 9 psig, which satisfies the design requirement.

To evaluate the effect of the assumption of reactor isolation at event initiation, the above evaluation fire event was repeated except for the assumption of isolation. For this event the main ateam line is not assumed isolated at event initiation; rather isolation is accomplished through the normal operation of the turbine control valves and the acin steam isolation valves (MSIVs). The results, shown in Figures 7-4 and 7-5, demonstrate that the system and core response will be essentially the same as the event analyzed above. The suppression pool temperature response for this analysis is bounded by the analysis which assumes initial isolation because some of the reactor inventory is released to the main condenser before any pool heatup.

Therefore, the above analyses show that the assumption of reactor isola-tion at event initiation has no significant impact en the safe shutdown performance for the ASDS.

7.1.4 Analyses for Spurious Operation of Safety / Relief Valve The effects of spuricus operation on the ASDS shutdown capability are considered below. The ASDS design requirements limit the number of spurious operations to one valve or ccmponent except for high-low pressure interface in which two or more valves in series are assumed to spuriously operate. The evaluations of associated circuits, including the evaluation of high-low pressure interfaces (Section 6), conclude that the S/RV is the limiting component whose spurious operation could adversely affect plant shatdown. The S/RV has the potential to reduce reactor inventory and increase suppression pool temperature.

Therefore, analyses were performed to demonstrate that spurious operation of one S/RV could be mitigated by operations from the ASDS control panel.

The analyses were performed with the same evaluation fire event, methods, and assumptions described previously. The effect of isolation assumption on the analysis is also evaluated.

7-6

.t

- NEDC-3029b w

The results (Figure 7-6) show that, with one S/RV spuriously stuck open, the' react 0r blows down slowly during td611rst 10% icut.ui. When the indicated water level reaches the top of the active fuel (app [otimately 460 sec), the

' reactor pressure is approximately 600 psia, which(is above the shutoff head of thg core spray peop. Operator action is requirea'to manually open S/RVs to reduce system pressure further and allow core spray injection. If one additional S/RV is opened at 10 mirntes, the top portion (15w power level) of the core j

will Ve docovered for apptcotisately 191 seccadi (Figure 7-?). The core uncovery for this event}s limited to only the upper region (lower power p

region) or the em 2 This core uncovery is less than that for the evaluation

- fire event analyzed previcusly. The resulting PCT is calculated to be approxi-

"' mately 936*F, which satisfies Ahe design requirements.

x Af ter the reactor coolant inventory is recovered at approximately 1400 sec,

,.

i. ,

gthe operator begins the deuy heat removal process with the ASDS to achieve cold shutdown. If SPC is not initiated until depressurization is completed, t

,he po61 temperature increases from an initial pool temperature of 90*F to

_ approximately 137*F at 1400 sec. The suppre'ssion pool temperature and pressure e

vill be well within the design requirements because the bulk pool temperature af ter blowdown is less than that for the evaluation fire event.

The above analysis was repeated to evaluate the assumption of reactor isolation at event initiation. If reactor isolation does not occur at time However, zero, the reactor pressure is reduced by the S/RV and the open MSIVs.

the turbine control valves will close when reactor pressure drops below approximately 950 psig. This, in effect, isolates the reactor. The resulting reactor pressure and water level responses are similar to the isolation case (Figures 7-6 and 7-7). The top portion of the core (low power level) will be Therefore, the PCT for uncovered for approximately 181 seconds (Figure 7-8).

this case will be slightly less than the 936*F for the isolation case. Since some of the reactor inventory is released to the main condenser, the final suppression pool temperature is bounded by the analysis assuming initial isolation.

7-7

NEDC-30291 7.1.5 Conslusions The results of the thermal-hydraulic analyses demonstrate that the ASDS can be used to achieve cold shutdown of the plant for a fire in the control room or cable spreading room.

7.2 AUXILIARY SYSTEMS PERFORMANCE EVALUATION Auxiliary systems were selected for the ASDS using the systems selection process described previously. The auxiliary systems identified for the ASDS are re:;uired to perform 'their designed functions. Therefore, the performance analyses for these systems as documented in the plant safety analyses (Refer-ence 8) are applicable and further evaluation is not required.

7.3 EVALUATION OF THE ASDS INSTRUMENTATION This section contains the evaluation to demonstrate that the instrumen-tation provided for the ASDS is sufficient to support the ASDS operation. The ASDS instrumentation is evaluated against the NRC guidelines given in Refer-ences 3 and 10.

7.3.1 Process Instruments The ASDS has all the required direct process instrumentation for:

(1) reactor vessel pressure (2) reactor water level (3) suppression pool temperature (4) suppression pool level 7.3.2 Diagnostic Instruments The NRC guidelir.es require diagnostic instruments such as valve positions and liquid level indication for all tanks used. The diagnostic instruments provided for the ASDS exceed the minimum requirements from the guidelines.

7-8 l

NEDC-30291 Status of ac and de, power supplies is monitored at the ASDS. An ac power test relay is also provided to assure that the ac power indication is correct. This indication gives the necessary confirmation for events where offsite power is lost and where emergency power from the standby diesel generator is required. Frequency and voltage meters and controllers are provided for the standby diesel generator. Positions of the feed breakers for the essential bus are also indicated at the ASDS panel to assure load shedding is accomplished during the ASDS operation with diesel power. System operation for core spray, RHR, and RHR service water are verified by valve position, pump breaker position, and system flow. Only two out of the above three indications are required for system verification. An automatic differential pressure controller is provided for the RHR service water flow. Valve position indications are provided for all other ASDS valves. Pusp discharge pressure is used to indicate emergency service water pump operation. Alarm is provided for the diesel fuel oil day tank. Therefore, sufficient diagnostic instruments are provided.

7.4 nSDS IMPACT ON PLANT SAFETY The ASDS is designed to provide alternative shutdown capability in the event of fire in the control room cr cable spreading room. This alternative shutdown capability is provided by adding the transfer and control circuits to selected existing Division II safety equipment and by installing new equipment for the ASDS operation. These modifications involve a significant change in the plant. Therefore, a plant safety evaluation was performed to demonstrate that the addition of the ASDS will not significantly degrade the plant safety.

The evaluation was performed for the following three events.

(1) Fire in the ASDS area.

(2) Fire in other areas with ASDS cables.

(3) Design Basis Accident (DBA) with single failure in the ASDS.

7.4.1 ASDS Fire Area Evaluation The evaluation method for the ASDS area is the same as the method used for other fire areas in the plant. This evsitation includes:

7-9 1

NEDC-30291 (1) define the fire area; (2) identify all safe shutdown equipment in the fire area; -

(3) assess safe shutdown capability if all equipment is lost; and (4) assess potential impact from associated circuits.

The ADS area (i.e., the third floor of the EFT Building) is surrounded by three-haur fire barriers. This area contains the ASDS equipment (e.g., ASDS core spray pump). Should a fire occur in this area, only the selected Division 11 equipment or new ASDS equipment would be lost. The full complement of the Division I safe shutdown equipment and those Division II equipment not involved in ASDS are available in the control room. These available systems are sufficient for the plant to achieve safe shutdown. Therefore, fire in the ASDS area will not adversely degrade the safe shutdown capability.

7.4.2 ASDS Impact on Other Fire Areas The ASDS changes the cable runs for some fire areas which were previously evaluated in NEDO-22087 (Reference 1) . The cable routing involves connecting selected Division II equipment from the Division II MCC Area to various Division II fire zones in the reactor building through the underground tunnel route. Since only Division II equipment and Division II fire areas are involved, the availability of the Division I systems for the affected fire areas will be unchanged. The fire area evaluation performed for these Divi-sion 11 fire areas is also unchanged. In conclusion, the ASDS will not change the conclusions of the fire area evaluation for other fire areas.

7.4.3 Design Basis Accident Evaluation In accordance with 10CFR50 Appendix K, single failure must be considered for the design basis accidents (DBA). The limiting single f ailure for MNGP is the low pressure coolant injection (LPCI) system injection valve failure with a 34% suction line break (Reference 8). A single failure in the ASDS system, such as inadvertent transfer of the core spray system, could potentially reduce the availability of the emergency core cooling systems (ECCS) for the DBA events. The worst-case single failure in the ASDS system is the inadvertent transfer of the standby diesel generator, which would result in loss of ac power I

7-10

I NEDC-30291 for one division of the ECC system. However, this failure is less limitng than the LPCI injection valve failure.

Failure in the ASDS system is an extremely low probability event. This is because the ASDS is a manual system in a normally de-energized state. The contacts to the normal plant systets are normally closed and the contacts to the ASDS control panel are normally open. Activation of the key-locked trans-fer switch wculd be annunciated in the control room and at the ASDS control panel. This would reduce the potential for inadvertent transfer during normal plant operation or failure to return control back to control room af ter testing. Therefore, the ASDS will not degrade the plant performance for the DBA events.

7-11

NEDC-30291 M ANUAL BLOWDCWN 800 -

3 b

E 4o0 -

SYSTEM PRESSURE O I I I O 1000 2000 3000 4000 TIME (sec)

Figure 7-1. Reactor Pressure Response for Shutdown with ASDS 7-12

NEDC-30291 6C 2 1 - LEVE L !NSIDE SHROUO 2 - LEVEL OUTSIDE SHROUD RE ACTOR LEVEL 2 AT STEAM LINE 1 1 tng i 2

bh(( TOP OF ACTIVE FUEL = 29.29 FT 5 2 7

m 20 -

BOTTOM OF ACTIVE FUEL = 17.29 FT I I 0

O 1000 2000 3000 4000 TIME issc)

Figure 7-2. Reactor Water Level Response for Shutdown with ASDS 7-13 l

NEDC-30291 tr 220 T , = 1910F 180 -

E o

[ 160 -

b 7

g i40 -

BEGIN LONG TERM DECAY HEAT REMOVAL 120 - AT 2500 SEC IOC -

80 I I I I '

O 4 8 12 16 20 TIME (hr)

Figure 7-3. Suppression Pool Temperature Response for Shutdown with ASDS 7-14

j NEDC-30291 1200

[ MANUAL BLOWDOWN ffhf$f fff l

s E

a -

0 I I !

0 900 1800 2700 3600 TIME (esc)

Figure 7-4 Reactor Pressure Response for Shutdown with ASDS without Assuming Initial Isolation 7-15 l

NEDC-30291 ao e -

0 4 3

d (L('"Lwy 6

> 6L "j TOP OF ACTIVE FUEL = 29.29 FT 5

4 E

20 -

BOTTOM OF ACTIVE FUEL = 17.29 FT l

g f I f 0 900 1800 2700 3600 TIME (soci Figure 7-5. Reactor Water Level Response for Shutdown with ASDS without Assuming Initial Isolation 7-1G

NEDC-30291 1200 MANUAL

$ B LOWOOWN 3

E a.

400 -

- PRESSURE o e t t t t t t i 1 I g ,

O E a 900 1200 TIME (sec)

Figure 7-6. Reactor Pressure Response for Spurious Operation of One S/RV 7-17

NEDC-30291 so 40 WATER LEVEL

~

t

_a TOPCF ACTIVE FUEL u , gr 4

E 20 -

_ BOTTOM OF ACTIVE FUEL Q t t t t i f f f f f f f 0 300 600 900 1200 TIME (sec)

Figure 7-7. Reactor Water Level Response for Spurious Operation of One S/RV 7-18

NEDC-30291 l

80 MANUAL 8 LOWOOWN

,_ e -

3 WATER LEVEL s

g TOP OF ACTIVE FUEL f

i V m _

BOTTOM OF ACTIVE FUEL 1 =

0 ' ' ''' ' '

O 300 600 900 1200 TIME (sec)

Figure 7-8. Reactor Water Level Response for Spurious Operation of One S/RV Without Assuming Initial Isolation j j

7-19/7-20

- - - _ _ _ _ _ _ _ _ _ _ _ _ \

NEDC-30291 8.0 ASDS OPERATION AND TESTING This section provides a summary of the operating procedures, the test procedure, and operational restrictions for the alternate shutdown system (ASDS).

Detailed procedures will be developed after the ASDS is approved and implemented.

8.1 OPERATING PROCEDURES A system level procedure for reactor shutdown from the ASDS control panel is given below. These operating procedures are consistent with the Emergency Procedure Guidelines (Reference 14).

When a fire occurs in the control room or cable spreading room, the operator will scram the reactor by the scram switch in the control room before leaving. Manual scram is necessary for shutdown if automatic scram by the reactor protections system (RPS) is not initiated.

The main turbine pressure regulator will control reactor pressure by allowing steam flow through the turbine control valves; the feedwater control system will control reactor water leiel. However, if the automatic pressure regulator is not available or if the main steam isolation valves (MSIVs) are closed, safety / relief valves (S/RVs) will open and will cycle automatically to maintain reactot pressure. The reactor water level will drop if feedwater is lost.

a Upon arriving at the ASDS panel, the operator activates the master transfer switch and other transfer switches. He will then check the status of the power supply availability. If necessary, control of the standby diesel generator may be transferred to the ASDS control panel to provide power for ASDS operation. Control transfer initiates an alarm in the c >ntrol room and an annunciator at the ASDS control panel. After transfer, the operator will check the status of the reactor pressure and water level, the suppression pool temperature, and the ASDS equipment before taking further action.

8-1

NEDC-30291 Next,.the operator will start the core spray pump and initiate manual blowdown by activating the S/RVs if one of the following conditions exists:

(1) The reactor water level drops below the top of the active fuel; (2) The reactor water level cannot be determined; or (3) The suppression pool temperature exceeds the pool heat capacity limit (e.g. , pool ' temperature above 120*F at 1020 psig reactor pressure).

When the reactor pressure drops below the shut-off head of the core spray pump (315 psig), the operator will initiute core spray to provide make-up inventory water.

If the bulk suppression pool temperature exceeds 90*F at any time af ter control is transferred to the ASDS, the operator will initiate the SPC mode of the RHR.

After manual blowdown is initiated, the operator will proceed with the cold shutdown operation which includes:

(1) keeping the S/RVs locked open; (2) maintaining reactor inventory with the core spray system; and (3) removing reactor decay heat with the RHR system operating in the SPC mode.

While attaining cold shutdown, the operator should take any necessary actions to verify plant conditions and to re-establish normal control of the plant.

'i 8-2

1 NEDC-30291 8.2 TESTING METHODS Testing requirements for the ASDS will be developed to reflect the detailed ASDS design. The ASDS can be tested during the refueling outage.

Testing methods outlined here only apply to new ASDS equipment.

Because a transfer to the ASDS bypasses automatic baitiation for some emergency core cooling systems, the ASDS is intended to be tested when the reactor is shut down. Detailed test procedures will be developed and will include the following testing.

(1) Operability of the transfer switch. This test is conducted by activating each transfer switch to check:

(a) transfer annunciation in the control room, and (b) ability to operate transferred equipment from the control room (2) Functional test of the ASDS. A functional test is defined as a verification of the equipment function, such as start-stop of a pump and open-close of a valve. Functional testing of the equip-ment is conducted by activating each control switch on the ASDS control panel to check if the corresponding relays are activated.

The following system functional tests can be performed:

(a) S/RVs (b) Core spray system. Functional test of the core spray injection valves and the suction valve can be performed with the core spray pump off.

2 (c) RHR in the SPC mode i

8-3

NEDC-30291 (d) Standby diesel generator and load she,fding (e) Instrumentation Upon completion of the functional test of the ASDS, control of the equip-ment shall be returned to the control room. In addition to checking the trans-fer annunciation and control room operation, confirmation will be made to verify that the ASDS does not have control of any equipment.

8.3 OPERATIONAL RESTRICTIONS Being an alternate control system to some essential equipment, the ASDS will not be operated unless required. Administrative controla will be applied to the access to the ASDS area and to the key of the keylocked master transfer switch.

8-4

I I

NEDC-30291

9.0 CONCLUSION

S Based on the analyses and descriptions presented in the previous sections, it can be concluded that the alternate shutdown system (ASDS) for the Monticello Nuclear Generating Plant will provide alternate shutdown capability, as defined in 10CFR50 Appendix R. in the event of fire in either the control room or cable spreading room. Specifically, the information and analyses presented herein provide the bases for the following conclusions:

(1) The systems selected for tne ASDS are adequate to fulfill the per-formance goals for a fire in the control room or cable spreading room for events with or without offsite power. Analyses are per-formed to demonstrate that these capabilities satisfy the regulatory requirements.

(2) Auxiliary systems to support the ASDS operation are adequate.

(3) The instrumentation is adequate to monitor the safe shutdown process and to confirm acceptable equipment performance.

(4) The ASDS is adequately protected from the control room and cable spreading room and fire in either room will not prevent safe shut-down considering the effect of associated circuits.

(5) The performance of the existing safety systems is not degraded.

The ASDS components interfacing with existing safety systems are designed to meet the criteria and standards for the existing safety systems. All other components are isolated from existing safety systems by transfer switches and protective devices.

(6) The procedures to be developed will enable cold shutdown conditions to be attained.

(7) The ASDS will not affect the NEDO-22087 (Reference 1) conclusions regarding high-low pressure interfaces and other fire areas.

9-1

NEDC-30291 (8) The ASDS analyses demonstrate that automatic initiation signals for any non-failsafe systems, including core spray, are not required.

(9) Implementation of the ASDS will bring the control room and cable spreading room areas into compliance with 10CFR50.48 and 10CFR50 Appendix R, Section III.G.

9-2

NEDC-30291

10.0 REFERENCES

(1) " Fire Protection and Safe Shutdown Systems Analysis Report, Monticello Nuclear Generating Plant, Northern States Power Company," General Electric, NEDO-22087, June 1982.

(2) Letter, D. G. Eisenhut (NRC) to D. M. Musolf (NSP). " Exemption Requests 10CFR50.48 Fire Protection and Appendix R to 10CFR Part 50," Docket No.

50-263, June 16, 1953.

(3) Letter, D. G. Eiser. hut (NRC) to all power reactor licensees with plants licensed prior to January 1, 1979, " Fire Protection Rule (45 FR76602, November 19, 1980), Generic Letter 81-12," February 20, 1981.

(4) Letter, D. B. Vassallo (NRC) to L. D. Mayer (NSP), " Exemption Request -

Fire Protection Rule Schedular Requirements of 10CFR50.48(c),"

Docket No. 50-263, May 4, 1982.

(5) Monticello Nuclear Generating Plant Technical Specifications, Northern States Power Company, Docket No. 50-263, License No. DPR-22, Rev. 67, April 17, 1983.

(6) R. VanHouten, " Fuel Rod Failure of a Consequence of Departure from Nucleate Boiling or Dryout," U.S. Nuclear Regulatory Commission, NUREG-0562, June 1979.

(7) Memo, L. S. Rubenstein to R. J. Mattson (NRC), "Use of Automatic Depres-surization System (ADS) and Low Pressure Coolant Injection (LPCI) to Meet Appendix R, Alternate Shutdown Goals," December 3,1982.

(8) Monticello Nuclear Generating Plant Updated Safety Analysis Report, Northern States Power Company, Docket No. 50-263, License No. DPR-22, April 1982.

10-1

NEDC-30291 (9) T. M. Su, " Suppression Pool Temperature Limits for BWR Containment -

Generic Technical Activity A-39," Office of Nuclear Reactor Regulation, U.S. Nuclear Regulatory Commission NUREG-0783, November 1981.

(10) Memo, L. S. Rubenstein to R. J. Mattson (NRC), " Statement of Staf f Posi-tion Regarding Source Range Flux, Reactor Coolant Temperature, and Steam Generator Pressure Indication to meet Appendix R. Alternate Shutdown Capability", January 7,1983.

(11) Telecon, H. Nicolaros (NRC), N. Feravonte (NRC), S. Engelke (NSP),

S. Hassner (NSP), "ASDS Design," File 82-05-COM, August 23, 1983.

(12) " General Electric Company Analytical Model for Loss-of-Coolant Analysis in Accordance with Appendix K," General Electric Company, NEDO-20566, January 1976.

(13) " Additional Information Required for NRC Staff Generic Report on Boiling Water Reactors," General Electric Company, Vol. I, NEDO-24708, August 1979, and Vol. II, NEDO-24708A, December 1980.

(14) " Emergency Procedure Guidelines, BWR 1 through 6," General Electric Company, NEDO-24934, Rev. 3, December 8, 1982.

(15) ' Generic Evaluation of Feedwater Transients and Small Break Loss-of-Coolant Accidents in GE-Designed Operating Plants and Near Term Operating License Applications," Of fice of Nuclear Reactor Regulation, Nuclear Regulatory Commission. NUREG-0626, January 1980.

10-2

NEDC-30291 APPENDIX A RESPONSE TO NRC REQUEST FOR ADDITIONAL INFORMATION CONCERNING DESIGN MODIFICATIONS NRC stated the required information for reviewing the design modifica-tions to meet the requirements of Section III.G.3 of 10CFR50 Appendix R in Enclosures 1 and 2 of the Generic Letter 81-12 (Reference A1) and in Attach-ments 1 and 2 to'the clarification letter (Reference A2). To facilitate NRC's review process, this Appendix provides a cross reference of the specific information required and the section(s) of this licensing report in which the information is provided. Since this licensing report only covers the tech-nical aspects of the ASDS design, any administrative requirements, such as connaitments to provide adequate staffing, are not provided in this report.

It should be noted that a system approach was taken in the design and evaluation of the ASDS for the Monticello Nuclear Generating Plant (MNGP).

This approach is more conservative than a component-by-component or a circuit-by-circuit approach. Since some specific information requested by NRC is tailored to the component-by-component approach, such specific information is not applicable to the Northern States Power Company's (NSP) submittal and the response of "not applicable" is identified in this Appendix.

The requirements identified in this Appendix are direct quotes from Attachments 1 and 2 to the clarification letter.

Response to NRC Requests in Attachment 1 e NRC Request:

1. '" Identify those areas of the plant that will not meet the require-ments of Section III.G.2 of Appendix R and, thus, alternative shut-down will be provided or an exemption from the requirements of Section III.G.2 of Appendix R will be provided. Additionally, provide a statement that all other areas of the plant are or will be in compliance with Section III.G.2 of Appendix R."

A-1

NEDC-30291

Response

The fire areas that require alternative shutdown are the control room and the cable spreading room (see Section 1). All other areas of the plant are or will be in compliance with Section III.G.2 of Appendix R or exemption requests approved.

e NRC Request:

la. "For each of those fire areas of the plant requiring an alternative shutdown system (s) provide a complete set of responses to the fol-loving requests for each fire area:

a. List the system (s) or portions thereof used to provide the shutdown capability with the loss of offsite power."

Response

The systems used to provide the shutdown capability with the loss of offaite power for the control room and cable spreading room are the minimum required systems identified in Section 4 and shown in Figure 4-1.

e NRC Request:

lb. "For those systems identified in "la" for which alternative or dedicated shutdown capability must be provided, list the equipment and components of the normal shutdown system in the fire area and identify the functions of the circuits of the normal shutdown sys-tem in the fire area (power to what equipment, control of what components and instrumentation). Describe the system (s) or portions thereof used to provide the alternative shutdown capability for the fire area and provide a table that lists the equipment and components of the alternative shutdown system for the fire area.

A-2

NEDC-30291 For each alternative system identify the function of the new circuits being provided. Identify the location (fire zone) of the alternative shutdown equipment and/or circuits that bypass the fire area and verify that the alternative shutdown equipment and/or circuits are separated from the fire area in accordance with Section III.G.2."

, Response:

Cabling and circuitry for all normal shutdown systems are located in the control room and cable spreading room. Because of the approach taken, development of the specific list of equipment and functions of circuits of the normal shutdown systems is noc required. The alternate shutdown system (ASDS) is described in Section 4 with the system lists given in Tables 4-1 through 4-3 and the equipment lists given in Table 5-1. The location of the ASDS is described in Section 5. The separation of the ASDS from the control room and cable spreading room is discussed in Sections 5, 6 and 7.

o NRC Request:

Ic. " Provide drawings of the alternative shutdown system (s) which highlight any connections to the normal shutdown systems (P& ids for piping and components, elementary wiring diagrams of electrical cabling). Show the electrical location of all breakers for power cables, and isolation devices for control and instrumentation cir-cuits for the alternative shutdown systems for that fire area."

Response

Drawings of the ASDS are listed in Appendix C and are provided under -

separate cover.

A-3

NEDC-30291 .

e NRC Request:

Id. " Verify that changes to safety systems will not degrade safety systems; [e.g., new isolation switches and control switches should meet design criteria and standards in the FSAR for electrical equipment in the system that the switch is to be installed; cabinets that the switches are to be mounted in should also meet the same criteria (FSAR) as other safety-related cabinets and panels; to avoid inadvertent isolation from the control room, the isolation switches should be keylocked or alarmed in the control room if in the " local" or " isolated" position; periodic checks should be made to verify that the switch is in the proper position fer normal operation; and a single transfer switch or other new device should not be a source of a failure which causes loss of redundant safety systems]."

Response

The new isolation devices were designed to meet the do. sign requirements and standards for existing electrical equipment. The electrical design is discussed in Sections 5 and the tapact of ASDS to existing safety systems is discussed in Section 7.

e NRC Request:

le. " Verify that licensee procedures have been or will be developed which describe tasks to be performed to effect the shutdown method.

Provide a summary of these procedures outlining operator actions."

Response

A summary of the operating procedure is given in Section 8.

A-4

11 0

l of @*

g% IMAGE EVALUATION *p4,

////g%j/([4epg g py s$ @.

TEST TARGET (MT-3)

Y %,'/

l.0 lf Ba Ha tf 9 Das i,i [ ELE 1.8 l.25 1.4 1.6 4 150mm >

< 6" >

L*% /S4%

'j$'f)h, 4

o

't

'4,*k+'Q s _

& (>

'O gpff s'j.h#

IMAGE EVALUATION

/ $[9 4'4, TEST TARGET (MT-3) ///[NNY <

>+f %'e4 I.0 l!En BE

" @ En I

I 1.1 [" E lJe I.25 1.4 1.6 150mm #

4 6" *

s % ++

h/ "

b

D);;lb

.@ () .

h IMAGE EVALUATION MEff

((//f g),,f %g> @/ \$h/ TEST TARGET (MT-3) ft <

%'O

$ +# *%'k$

1.0 Em E lf 9 illal

l !E RM l l.8 l_

I.25 1.4 1.6 150mm #

6" #

4

> 4 + 44

+? 6

E k,.b.[M 7>e////

i NEDC-30291 e NRC Request:

If. " Verify that the manpower required to perform the shutdown functions using the precedures of e as well as to provide fire brigade members to fight the fire is available by the fire brigade technical specifications."

Response

Staffing requirements will be provided by NSP separately.

e' NRC Request:

Ig. " Provide a commitment to perform adequate acceptance tests of the alternative shutdowr. capability. These tests should verify that:

equipment operates from the local control station when the transfer or isolation switch is placed in the " local" position and that the equipment cannot be operated from th~e control room; and that equip-ment operates from the contro). room but cannot be operated at the local control station when the transfer isolation switch is in the

" remote" position."

Response

Acceptance test is a design requirement for the ASDS (Section 4). ~A summary of the test procedures is given in Section 8.

e NRC Request:

lh. " Provide Technical Specifications of the surveillance requirements and limiting conditions for operation for that equipment not already covered by existing Technical Specifications. For example, if new isolation and control switches are added to a shutdown system, the existing Technical Specification surveillance requirements should be supplemented to verify system / equipment functions from the alternate shutdown station at testing intervals consistent with A-5 1

NEDC-30291 the guidelines of Regulatory Guide 1.22 and IEEE 338. Credit may be taken for other existing tests using group overlap test concepts."

Response

NSP will provide this information separately.

e NRC Request:

11. "For new equipment comprising the alternative shutdown capability, verify that the systems available are adequate to perform the necessary shutdown function. The functions required should be based on previous analyses, if possible (e.g., in the FSAR), such as a loss of normal ac power or shutdown on Group 1 isolation (BWR). The equipment required for the alternative capability should be the same or equivalent to that relied on in the above analysis."

Response

Performance evaluation of the ASDS is given in Sections 6 and 7.

e NRC Request:

lj . " Verify that repair procedures for cold shutdown systems are

' Provide developed and material for repairs is maintained on site.

a summary of these procedures and a list of the material needed for repairs."

Response

The ASDS is designed to achieve safe shutdown without the need for repair.

A-6

NEDC-30291 Response to NRC Requests in Attachment 2 e NRC Request:

" SYSTEMS APPROACH

1. For each area where an alternative or dedicated shutdown method, in accordance with Section III.G.3 of Appendix R, is provided, the following information is required to denor. strate that associated circuits will not prevent operation or cause maloperation of the alternative or dedicated shutdown method:

a. Describe the. methodology used to assess the potential of associated circuit adversely affecting the alternative or dedicated shutdown capability. The description of the methodology should include the methods used to identify the circuits which share a common power supply or a common enclosure with the alternative or dedicated shutdown system and the cir-cuits whose spurious operation would affect shutdewn. Addi-tionally, the description should include the methods used to identify if these circuits are associated circuits of concern due to their location in the fire area."

Response

The methodology and analysis for associated circuits are given in Section 6.

2 NRC Request:

lb. " Provide a table that lists all associated circuits of concern located in the fire area.

A-7

NEDC-30291

Response

This request is Not Applicable to the ASDS design of the MNGP. One of the assumptions used in analyzing the potential effects of associated circuits is that all equipment in the control room and cable spreading room will be considered. Because the control room and cable spreading room contain all the control cables for the ASDS and other safety equip-ment, it is not necessary to list all the associated circuits. However, the systematic approach in evaluating the associated circuits (Section 6) assures that all associated circuits are evaluated.

e NRC Request:

Ic. "Show that fire-included failures (hot shorts, open circuits or short to ground) of each of the cables listed in b. will not pre-vent operation or cause maloperation of the alternative or dedicated shutdown method."

Response

Analysis of the associated circuits is given in Section 6.

e NRC Request:

Id. "For each cable listed in b where new electrical isolation has been provided, provide detailed electrical schematic drawings that show how each cable is isolated from the fire areas."

Response

Electrical isolation methods to protect the ASDS from the control room and cable spreading room are discussed in Sections 5 and 6. Drawings of the ASDS are listed in Appendix C and are provided under separate cover.

A-8

NEDC-30291 l

e NRC Request:

1e. " Provide a location at the site or other offices where all the tables and drawings generated by this methodology approach for the associated circuits review may be audited to verify the information provided above."

l

Response

NSP will provide this information separately.

e NRC Request:

"High-Low Pressure Interface For either approach chosen the following concern dealing with high-low pressure interface should be addressed.

2. The residual heat removal system is generally a low pressure system that interfacee with the high pressure primary coolant system. To preclude a LOCA through this interface, we require compliance with the recommendations of Branch Technical Position RSB 5-1. Thus, the interface most likely consists of two redundant and independent motor operator valves. These two motor-operated valves and their associated cables may be subject to a single fire hazard. It is our concern that this single fire could cause the two valves to open resulting in a fire initiated LOCA through tha high-low pres-sure syecen interface. To assure that this interface and other high-low pressure interfaces are adequately protected from the effects of a single fire, we require the following information:

a. Identify each high-low pressure interface that uses redundant electrically controlled devices (such as two series motor l cperated valves) to isolate or preclude rupture of any primary coolant boundary."

A-9 l___ _ . . _ . . . _ . _ . .

NEDC-30291 t

Response

All high-loss pressure interfaces are identified in Section 6 and shown in Table 6-1.

e NRC Request:

2b. "For each set of redundant valves identified in a., verify the redundant cabling (power and control) have adequate physical separa-tion as required by Section III.G.2 of Appendix R."

Response

This request is Not Applicable because the control room and cable spread-ing room do not provide adequate physical separation as required by Section III.G.2 of Appendix R.

e NRC Request:

2c. "For each case where adequate separation is not provided, show that fire-induced failures (hot short, open circuits or short to ground) of the cables will not cause maloperation and result in a LOCA."

Response

The corrective actions were identified in NEDO-22087 (Reference A3) and discussed in Section 6. Analysis to support the high 'ow pressure inter-face evaluation is presented in Section 7.

A-10

l NEDC-30291 REFERENCES (Al) Letter, D. G. Eisenhut (NRC) to all power reactor licensees with plants licensed prior to January 1,1979, " Fire Protection Rule (45 FR76602, November 19, 1980), Generic Letter 81-12," February 20, 1981.

(A2) Letter, D. B. Vassallo (NRC) to L. O. Mayer (NSP), " Exemption Request -

Fire Protection Rule Schedular Requirements of 10CFR50.48(c)," Docket No. 50-263, May 4, 1982.

(A3) " Fire Protection and Safe Shutdown Systems Analysis Report, Monticello Nuclear Generating Plant, Northern States Power Company," General Electric Company, NEDO-22087, June 1982.

A-ll/A-12

NEDC-30291 APPENDIX B AVAILABILITY OF SCRAM AND ISOLATION B.1 INTRODUCTION This Appendix provides the bases for the availability of reactor scram and main steamline isolation functions in case of a fire in the control room or cable spreading room. The reactor scram is provided by the reactor pro-tection system (RPS). The main steamline isolation is provided primarily by the main steam isolation valves (MSIVs) and supplemented by the turbine con-trol valves. The RPS and the MSIVs have the unique design features of being redundant and fail-safe. Redundancy assures that the system is single-failure proof, and the fail-safe design assures that a failure will fail the system in the safe direction (i.e., system actuation) . These special features are the bases for the justification of the system function availability. A brief dis-cussion of each system is also provided below because the justif'. cation is dependent on the system design.

B.2 EVALUATION OF THE SCRAM FUNCTICN B.2.1 Reactar Protection System (RPS)

The RPS is the system and circuitry which initiates reactor scram through initiation of the control rod drive (CRD) system. The RPS includes the RPS motor-generator power supplies and associated control and indicating equipment, sensors, relays, bypass circuitry and switchea that initiate rapid insertion of control rods (scram) to shut down the reactor. There are two independent trip systems in the RPS. During operation, all sensor and trip contacts essential to safety are closed; trip channels, trip logics, and trip actuators are normally energized.

Whenever a trip chatuel sensor contact opens, its auxiliary relay de-energizes, causing contacts in the trip logic to open. The opening of contacts in the trip logic de-energizes its trip actuators. When de-energized, the trip actuators open contacts in all the trip actuator logics for that trip systen. This action results in de-energizing the scram pilot valve solenoids B-1

. . . .. . . - x NEDC-30291 associated with that trip system (one scram pilot valve solenoid for each control rod). Unless the other scram pilot valve salenoid for each rod is de-energized, the rods are not scrammed. If a trip then occurs in any of the trip logics of the other trip system, the remaining scram pilot valve solenoid for each rod is de-energized, which causes the control rod drive system to scram the control rods.

To facilitate the description of the reactor protection system, the two trip systems are called trip system A and trip system B. The automatic trip logics of trip system A are trip logics Al and A2; the manual trip logic of trip system A is trip logic A3. Similarly, the trip logics for trip system B are trip logics B1, B2, and B3. The trip actuators associated with any par-ticular trip logic are identified by the trip logic identity (such as trip .

actuators B2). The trip actuator logics associated with a trip system are identified with the trip system identity (such as trip actuator logic A).

Trip channels are identified by the name of the monitored variable and the trip logic identity, with which the channel is associated (such as reactor lower water level trip channel B1).

The scram trips for the RPS required for the safe shutdown system are described in NEDO-22087 (Reference B.1). The function for each scram trip is described in detail in the safety analysis report (Reference B.2).

B.2.2 Availability of the Scram Function Availability of the scram function from the RPS is evaluated for fire events in which offsite power is lost and in which offsite power is available.

The evaluation is performed for the automatic scram function. Manual scram is available in the control room.

Events with loss of offsite power. If offsite power is lost during a fire in the control room or cable spreading room, scram will occur automatically.

This is because power supply for the RPS is from the RPS motor-generating (MG) sets which are powered by of fsite power. Since the RPS is a "de-energize to activate" system, scram will occur if its power supply is lost.

B-2

NEDC-30291 Events with offsite power available. If offsite power is available during a fire in the control room or cable spreading room, the RPS would function unless there is damage to its circuitry. However, the RPS is a grounded ac powered system with cables run in individual conduits. The circuits are individually fused and connected to normally closed devices which initiate their protective function on the de-energization of relay coils. In order to fail the RPS function, a short between two conductors of a cable would have to occur in two separate conduits without a short to ground in either conduit; a short to ground in either conduit would result in a blown fuse and initiation of the protective function. This scenario as described below (two separate shorts with neither grounded) is not considered plausible for the purposes of this fire protection analysis:

(1) AC Short in the Reactor Protection System For each channel, the RPS cables are run in individual conduits, are individually fused and are connected to normally closed devices (when the plant is in normal operation). All the conductors in any one of these cables have no potential difference between them; but all con-ductors have 120V potential to the conduit (RPS is a grounded system).

Thus, damage to a cable will most probably cause a ground and blow the fuse. A blown fuse would result in the same condition as a trip signal from the sensor to which the cable is connected. In order for the RPS cables to fail without a trip (short and not grounded),

it would be necessary for fire to melt the inner insulation between the two (or more) conductors without melting the outer insulation enough to allow current flow to the conduit. Even if the inner insulation should melt to the point that it could burn or run out from between the two conductors (which is unlikely as the outer insulation would probably have to be damaged to a point that a ground would occur), ;here is no mechanical reason for the conductors to touch or electrically weld. Any bends, pulls, or slack in the cable would improve the chances of grounding any one of the conduc-tors. Even if this unlikely event should happen, it would be neces-sary.for the same events to occur to a second cable in the trip circuit of the redundant channel.

B-3

NEDC-30291 (2) AC Ground in the Reactor Protection System Grounding of any conductor in the RPS would cause a fuse to blow and the result would be equivalent to a scram signal in one channel of the scram circuit.

(3) AC Hot Short in the Reactor Protection System i

l The RPS cables are in individual conduits. This precludes hot short due to power from an external cable.

B.3 EVALUATION OF THE ISOLATION FUNCTION B.3.1 Main Steam Isolation valves (MSIVs)

The MSIVs are designed to provide main steam isolation to limit the potential for loss of coolant inventory. Two redundant isolation valves with independent power sources are provided in each steamline so that either can perform the isolation function.

The MSIV control system includes the power supplies, the sensors, trip channels, switches, and remotely activated valve closing mechanisms.

The power supply for the trip systems and trip logics is fed from the same two motor-generator sets that supply the RPS trip systems. Power for the operation of the two valves in each steamline is fed from different sources.

Automatic controls for the two valves are mounted in separate panels. The MSIVs use ac, de, and pneumatic pressure in the control scheme. The control arrangement for the MSIVs includes a pneumatic cylinder and an air accumulator.

Air is used to hold the valve open against a large spring. Upon receipt of an isolation signal, the air power is shif ted to aid the spring enclosing the valve. The isolation logic is arranged as a dual logic channel system, similar to that of the RPS. The overall logic of the system is basically one out-of-two-taken twice.

B-4

NEDC-30291 Power cables are run in conduits from the electrical sources to the sole-noid of each MSIV. Cables from each sensor are routed in conduits and cable trays to the control room with particular attention to routing in order to maintain independency. The sensor cables and power supply cables are touted to cabinets in the control room where the logic arrangements of the system are i formed.

- During normal operation of the isolation control system, when isolation 4 is not required, sensor and trip contacts essential to safety are closed; trip channels, trip logics, and trip actuators are normally energized. When-ever a trip dhannel sensor contact opens, its auxiliary relay is de-energized, causing contacts in the trip logic to cpen. The opening of contacts in the trip logic de-energizes its trip actuators. When de-energized, the trip actu-ators open contacts in all the trip actuator logics for that trip system. If a trip then occurs in any of the trip logics of the other trip system, the trip actuator logics for the other trip system are deenergized. With both trip systems tripped, the valve control circuitry actuates the valve closing mech-anism. Once isolation is initiated, the valve continues to close, even if the condition that caused isolation is restored to normal. The operator must manually operate switches in the main control room to reopen a valve which 4

has been automatically closed. Interlocks are provided that prevent automatic reopening of the isolation valve upon isolation logic reset.

The fail-safe trip mechanism for the MSIVs is similar to the RPS design.

In addition to trip logic, loss of pneumatic supply will initiate MSIV closure.

For the safe shutdown system function, the low level, low pressure and high flow trips can provide protection. These trips are described in detail La Reference B.2.

f

3. 3. 2 Turbine Control System I

The turbine control system is provided to operate the steam admission valves to the turbine and/or main condenser in a coordinated sequence.

This sequencing is provided to control reactor pressure and turbine load (or speed during startup) to set values in relation to reactor power output. The tur-bine control system supplements the MSIVs to provide main steam isolation by 3-3

NEDC-30291 operation of its pressure control system. The reactor pressure control is composed of two independent pressure regulators. One of the pressure regu-lators is of hydraulic-mechanical design, the other of electro-hydraulic design. Each regulator is capable of overriding the other with the regulator l

adjusted for the lowest setpoint being in actual control. In the event of '

the operating pressure regulator becoming ineffective, the second regulator l

4 automatically assumes reactor pressure control ct its own control pressure setpoint.

The hydraulic mechanical regulator is designed to control system pressure

between 150 and 1050 psig by sending a signal to open or close control valves or bypass valves as required to maintain a preset steam pressure. This mech-I anical controller is located in the turbine building near the turbine with remote control from the control room.

The electro-hydraulic design is an electrical pressure regulator designed to control system pressure between 950 and 1050 psig during normal operation.

The electrical pressure regulator is composed of three electrically connected devices: (1) a main steam pressure sensing unit, (2) electronic control unit in the cable spreading room, and (3) a hydraulic output unit in the turbine building. The electrical pressure regulator can be manually controlled at the control room and is capable of performing the same functions as the mechanical 1 pressure regulator. It should be noted that the electrical pressure regulator also has a fail-safe design (i.e. , the turbine control valves will close with a loss of control signal or power) .

B.3.3 Availability of the Isolation Function Availability of the isolation function from the MSIVs and the turbine pressure regulators is evaluated for fire events it which offsite power is not available and for fire events in which offsite power is available.

3-6

_ . _ = _ _ _ _

NEDC-30291 Events with Loss of C~lsite Power. If offaite power is lost during a fire in the control room or cable spreading room, main steam isolation will occur automatically. This is because power supply to the MSIVs trip logic is from the RPS MG set which is powered by offsite power. Because the MSIVs are a "de-energize to close" system, MSIV closure will occur if the power supply is lost.

Events with Offsite Power Available. If offsite power is available during a fire in the control room or cable spreading room, the main steam isolation would function unless there is damage to the circuitry of the MSIVs and that of the turbine pressure controllers. However, the MSIVs are similar in design to the RPS with the distinction that some of the MSIV cables are not enclosed in conduit. Cables which are enclosed in conduits are covered by the analysis for the RPS cables. Analyses for cables which are not enclosed in conduits are presented below.

(1) AC Short in the MSIV System Although some of the MSIV cables are not run in individual con-duits, the MSIV cables are still individually fused and are con-nected to normally closed devices. Cables which are not in con-duits are in cable trays or panels in the control room or cable spreading room. All the conductors in any one of these cables have no potential differences between them, but all conductors have ,

120V potential to the trays or panels because the MSIV is a grounded system. Thus, damage to a cable will most probably cause a ground and blow the fuse. A blown fuse would result in the same condition as a trip signal from the sensor to which the cable is connected.

In order for the MSIV cables to fail without a trip, an ac short must occur. The fire would have to melt the inner insulation between the two (or mora) cunduecors without melting the outer insulation enough to allow current flow to the tray or panel to cause a ground. This is unlikely because the outer insulation would probably be damaged to cause a ground. Even if the inner insulation should melt without causing a ground, there is no mech-anical reason for the conductors to touch or electrically weld.

B-7

NEDC-30291 Any bends, pulls, or slack in the cable would improve the changes of grounding any one of the conductors. Even if this unlikely l event should happen, it would be necessary for the same event to l

occur to a second cable in tne trip circuit of the redundant channel.

(2) AC Ground in the MSIV System Grounding of any conductor in the MSIV cables would blow a fuse, which would be equivalent to initiating an isolation signal in one channel of the isolation circuit.

(3) AC Hot Short in the MSIV System AC hot short in the MSIV would occur if another power cable shorted with the MSIV cables. However, this would require a damage in :e MSIV cable without causing a ground. This scenario is explained in item 1 above. A hot chort will have to also occur on the redundant channel to prevent MSIV from closing.

Finally, if the MSIVs fail to close, the reactor can still be isolated by the turbine control valves which have a fail-safe electrical pressure controller and a backup mechanical pressure controller. Failure to all these components would require three hot shorts without a short to ground or an open circuit and a failure in the mechanical pressure regulator. This scenario is not considered plausible for the purpose of this fire protection analysis.

B.4 CONCLUSIONS Based on the evaluation given in this Appendix, the scram function and the main steam isolation function are available independent of the spurious operation that may occur during a fire in the control room and cable spreading room. Both functions (i.e., scram and isolation) are assured by a combination of their fail-safe design and redundancy.

B-8

NEDC-30291 B.5 REFERENCES B.1 " Fire Protection and Safe Shutdown Systems Analysis Report, Monticello Nuclear Generating Plant, Northern States Power Company", General Electric Company, NEDO-22087, June 1982.

B.2 "Monticello Nuclear Generating Plant Updated Safety Analysis Report",

Northern States Power Company, Docket No. 50-263, April 1982.

B-9/B-10

l

[

NEDC-30291 APPENDIX C LIST OF ASDS DRAWINGS Figure C-1: P&ID/IED For Core Spray System Figure C-2: P&ID/IED For Safety / Relief Valve System Figure C-3: P&ID/IED For Residual Heat Removal System-1 Figure C-4: P&ID/IED For Residual Heat Removal System-2 Figure C-5: P&ID/IED For Rod Insertion and Suppression Pool Level a

Figure C-6: P&ID/IED For On-Site AC Power System, Diesel Oil Transfer

System, and Emergency Service Water System.

Figure C-7: IED For On-Site AC Power System Diesel Oil System, ECCS Room Cooler System, and Emergency Service Water System.

Figure C-8: P&ID/IED For Reactor Vessel Pressure and Water Level Instrumentation.

Figure C-9: Index and Notes For Elementary Diagrams j Figure C-10: Elementary Diagram (Relay Tabulation and Switch Development - 1)

Figure C-11: Elementary Diagram (Relay Tabulation and Switch Development - 2)

Figure C-12: Elementary Diagram (Power Distribution) l Figure C-13: Elementary Diagran For Transfer Switches Figure C-14: Elementary Diagram For Instrumentation Figure C-15: Elementary Diagram For M01987, M02007, CV1995 Figure C-16: Elementary Diagram For P-208B, M02003, M02009, P-109B l Figure C-17: Elementary Diagram For M01754, M01742, M01752, M01750 l Figure C-18: Elementary Diagram For F-202B, P-111B,52-409, 52-407, 52-4231,52-402 l

Figure C-19: Elementary Diagram For 152-602,52-401, Standby Diesel Generator (Start, Stop, Frequency and Voltage Control),

Fipur'e C-20: Elementary Diagram For 152-609, 152-408, 152-610, 152-601 Figure C-21: Elementary Diagram for V-AC-5, P-11 Figure C-22: Elementary Diagram For RV2-71E, F, G, H C-1/C-2 l

I

( - .

i l

GENER AL @ ELECTRIC

/

ML20083D870

Contents

Text

1.0 INTRODUCTION

SUMMARY

9.0 CONCLUSION

10.0 REFERENCES

1.0 INTRODUCTION

1.1 BACKGROUND

5.1 INTRODUCTION

i i

9.0 CONCLUSION

10.0 REFERENCES

Response

Response

Response

Response

Response

Response

Response

Response

Response

Response

Response

Response

Response

Response

Response

Response

Response

Response

Navigation menu

ML20083D870

Text

1.0 INTRODUCTION

SUMMARY

9.0 CONCLUSION

10.0 REFERENCES

1.0 INTRODUCTION

1.1 BACKGROUND

5.1 INTRODUCTION

i i

9.0 CONCLUSION

10.0 REFERENCES

Response

Response

Response

Response

Response

Response

Response

Response

Response

Response

Response

Response

Response

Response

Response

Response

Response

Response

Navigation menu

Search