Summary of 990818-19 Meeting with BWR Owners Group in Rockville,Md to Discuss post-fire Safe Shutdown Circuit Analysis Issues.List of Attendees & Matl Used in Presentation Enclosed

ML20212B762
Person / Time
Issue date:	09/03/1999
From:	Stephen Dembek NRC (Affiliation Not Assigned)
To:	Richards S NRC (Affiliation Not Assigned)
References
PROJECT-691 NUDOCS 9909200234
Download: ML20212B762 (98)
v • d • e

Text

=

s.,

p* ** coqk p"

UNITED STATES j

,j NUCLEAR REGULATORY COMMISSION

't WASHINGTON, D.C. 20665-4001

\\ *****/

September 3, 1999 5

MEMORANDUM TO: Stuart A. Richards, Director Project Directorate IV & Decommissioning Division of Licensing Project Management Office of Nuclear Reactor Regulation

=

FROM:

Stephen Dembek, Chief, Section 2 h[

Project Directorate IV & Decommis'sioning Division of Licensing Project Management Office of Nuclear Reactor Regulation

SUBJECT:

SUMMARY

OF MEETING WITH THE BOILING WATER REACTORS OWNERS GROUP (BWROG) APPENDIX R COMMITTEE ON POST-J FIRE SAFE SHUTDOWN CIRCUlT ANALYSIS ISSUES (FIRE-INDUCED CIRCUlT FAILURES)

The Nuclear Regulatory Commission (NRC) 5 eld a working level meeting with the BWROG Appendix R Committee in Rockvnle, Maryland on August 18 and 19,1999, to discuss post-fire

[

safe shutdown circuit analysis issues (fire-induced circuit failures). A list of attendees is attached (Attachment 1). An initial draft of the BWROG circuit analysis methodology was discussed at the meeting (Attachment 2). The BWROG Appendix R Committee representatives gave a slide presentation on the draft methodology (Attachment 3).

The staff provided technical and editorial comments on the BWROG circuit analysis methodology document. As a result of extensive discussions, a number of agreements were reached regarding near-term enhancements to the BWROG document. At the end of the meeting it was agreed that the interactions b3 tween the BWROG Appendix R Committee and the staff had centered on three main issues:

e Deterministic evaluation of the effects of fire-induced electrical faults (hot shorts, shorts to ground, and open circuits) on power, control, control logic, and instrumer,.ation circuits, and assessment and c,avention of resultant combinations of multiple spurious signals and/or spurious actuav>ns which may interfere with or prevent the achievement and maintenance of post-fire tafe shutdown.

Development of a generic evaluation methodology which addresses the potential for e

indirect fire-induced physical damage of equipment to interfere with or prevent the achievement and maintenance of post-fire safe shutdown. For example, " mechanistic" failures of motor operated valves (MOVs) (as discussed in Information Notice 92-18,

" Potential for Loss of Remote Shutdown Capability During a Control Room Fire"), or mechanical pump damage from a fire-induced spurious pump start with both the pump discharge and minimum flow valves closed.

r 1

G' Q a

,2 d' o -

,,o,aooa24,,o,o2 PDR TOPRP E7tV9ENE 1

C PDR

l

September 3, 1999

~

Appendix R, Section Ill.G.2. specifies that hgih cables and equipment (including e

associated non-safety circuits) of redundant trains shall be free of fire damage (i.e., able to perform their intended functions). What is the acceptable limit or extent of fire-induced damage to redundant train power, indication and control circuits? Associated with this issue is identification of manual action considerations to be addressed to ensure comprehensive and effective analysis of both redundant train and alternative / dedicated post-fire safe shutdown capabilities.

A detailed summary of the agreements reached during the 1% days of meetings is included as.

In July 1999, the BWROG Appendix R Committee had agreed to submit their final circuit analysis methodology guidance document to the staff by September 30,1999, (as well as submit their safety relief valve / low pressure system (SRV/LPS) utilization position paper and referenced shutdown paths report by August 30,1999)._ Upon consideration of the agreements reached during the committee's August 18 and 19,1999, interactions with the staff, the BWROG revised its planned methodology document submittal date to October 29,1999. There j

was no change to the planned SRV/LPS position paper submittal date.

l Project No. 691 Attachments: 1. List of Attendees j

2. Draft Methodology l

3. Slide Presentation

4. Summary of Agreements j

cc w/att 1: See next page l

l Q$IBIBUTION:

Hard Copy EMail Docket File JDonohew JZwolinski/SBlack JHannon LWhitney RJenkins PUBLIC OGC SDembek PMadden SWong GTracy PDIV-2 Reading ACRS EPeyton PQualls SWest To recews a copy or tnis accument, inalcate v in tne cox OFFICE PDIV-2/PM PDIV-2/LA PDIV-2/SC

,f NAME JDonohewMfEPk SDembed DATE 7 / 3 /99 A 9 / 3 /90 9 / 3 /99 DOCUMENT NAME: G:\\PDIV-2\\BWRog\\msum0818&19.wpd OFFICIAL RECORD COPY l

Project No. 691 Boiling Water Reactor Owners' Group cc w/att 1:

W. Glenn Warren James M. Kenny BWR Owners' Group Chairman BWR Owners' Group Vice Chairman Southern Nuclear Company PP&L, Inc.

42 Inverness Parkway Two North Ninth Street PO Box 1295 Mail Code GENA 6-1 Birmingham, AL 35201 Allentown, PA 18101-1179 Thomas J. Rausch Drew B. Fetters RRG Chairman PECO Energy Commonwealth Edison Company Nuclear Group Headquarters Nuclear Fuel Services MC 61 A-3 1400 Opus Place,4* Floor 965 Chesterbrook Blvd.

Downers Grove, IL 60515-5701 Wayne, PA 19087-5691 H. Lewis Sumner Carl D. Terry Southern Nuclear Company Niagara Mohawk Power Corporation 40 inverness Parkway Nine Mile Point Station PO Box 1295 OPS Bldg /2"8 Floor Birmingham, AL 35201 PO Box 63 Lycoming, NY 13093 George T. Jones John Kelly PP&L, Inc.

New York Power Authority MC GENA 6-1 14* Floor Mail Stop 14K Two North Ninth Street Centroplex Building Allentown, PA 18101 123 Main Street White Plains, NY 10601 Thomas G. Hurst Thomas A. Green GE Nuclear Energy GE Nuclear Energy M/C 182 M/C 182 175 Cudner Avenue 175 Cudner Avenue San Jose, CA 95125 San Jose, CA 95125

r l

LIST OF ATTENDEES i

NRC/BWR OWNERS GROUP MEETING ON APPENDIX R ISSUES I

NAME ORGANIZATION 4

J.Hannon Office of Nuclear Reactor Regulation (NRR)/ Division of Systems Safety and Analysis (DSSA)/ Plant Systems Branch (SPLB)

S. Dembek NRR/ Division of Licensing Project Management P. Madden NRR/DSSA/SPLB P. Qualls NRR/DSSA/SPLB L. Whitney NRR/DSSA/SPLB S. West NRR/DSSA/SPLB i

S. Wong NRR/DSSA/Probabilistic Safety Assessment Branch R. Jenkins NRR/ Division of Engineering / Electrical and Instrumentation Controls Branch R.Hanson Boiling Water Reactors Owners Group (BWROG)

S. Hardy BWROG

~G. Warren BWROG A. Ettlinger BWROG G. Brastad BWROG i

D. Parker BWROG T. Gorman BWROG J. Ribeiro BWROG G. Stramback GE/BWROG T. Hurst GE/BWROG J. Kenny PP&UBWROG F. Emerson Nuclear Energy institute i

l ATTACHMENT 1

i O

GE Nuclear Energy i

175 Curtner Ave., San Jose. CA 95125 NEDC-XXXXXP Draft Revision C DRF#

\\

Class 111 Generic Guidance For BWR Post Fire Safe Shutdown Analysis j

Prepared by GE Nuclear Energy with BWR Owners' Group Appendix R Committee Revision C-Draft l

Issuedfor Comment l

l Prepared by:

J. L. Ribeiro Date: 08/16/99 Verified by:

B. P. Grim Date:

Approved by:

Date:

G. B. Stramback RegulatoryServices

/

ATTACHMENT 2

+

GENucle.ar Energy Draft Revision C Generic Guidancefor BWR Post Fire Safe Shutdown Analysis

..==

Table of Contents EXECUTIVE

SUMMARY

......-...........I

1.0 INTRODUCTION

...........2

1.1 BACKGROUND

.2 1.2 PURPOSE OFDOCUAfENT..

.3 i

1.3 SAFE SHUTDOWN ANAL YSIS AS A PART OF AN OVERALL FIRE PROTECTION PROGRA Af..

.4 1.3.1 Brown 's Ferry Fire: Regulatory History..

.3 1.3.2 Fire Damage Overview Discussion..

.6 j

1.3.3 Causes of the Browns Ferry Fire, its Severity and Consequences...

.7 1.3.4 Fire Protection Program Improvements since Browns Ferry..

.8 2.0 APPENDIX R REQUIREMENTS AND CONSIDERATIONS 1I 1

2.1.1 Regulatory Requirements..

. 11 2.1.1.1 Requirementsfor RedundantSqfe Shutdown..

. 22 2.1.1.2 Requirementsfor Alternative /DedicatedSafeShutdown.

. I4 2.1.2 Regulatory Guidance on Associated Circuits..

. 13 2.1.3 Regulatory Interpretation on Loss ofOfsite Power

.I7 3.0 M ETI 10 DO LOG Y.....

.._...~.. -~..-.... --. ~~~~~.-.

I8

~~---

3.1 SAFE SHUTDOWN MET 110DS AND SYSTEMS

~

.-~~.-...-.~.-.19

.19 3.1.1 Criteria / Assumptions..

3.1.2 Shutdown Functions.

.21 3.L2.1 Reactivity Control..

. 21 3.1.2.2 Pressure ControlSystems..

.21 3.1.2.3 Inventory Afake.Up..

.21 3.1.2.4 Decay Heat Removal...

.22 3.1.2.3 Process Afonitoring..

.23 3.1.2.6 ElectricalSystems..

23 24 3.1.2.7 Cooling Systems..

. 23 3.1.2.8 Communication System..

.23 3.1.2.9 Emergency Lighting...

3.1.3 Methodologyfor Shutdown System Selection.

.23 3.2 SAFE SHUTDOWN EQUIPMENT SELECTION 2 6

.. 26 3.2.1 Criteria / Assumptions.

.28 3.2.2 Methodologyfor Equipment Selection..

3.3 SAFE SHUTDOWN CABLE SELECTION

~ _

~ 29 I

29 3.3.1 CriteridAssumptions.

3.3.2 Associated Circuits Cables..

,31

,32

.(..

3.3.3 Cable Routing andLocation.

33 3.3.4 Methodologyfor Cable Selection..

Pagei L

1 GENuclear Energy Draft Revision C Generic Guidancefor B WR Post Fire Safe Shutdown Analysis 3.4 ClRCUIT ANALYSIS AND EVALUATION..

. 34

3. 4.1 CriteriafAssumptions..

.35

}

3.4.2 Types ofCircuit Failure Concerns..

.37 i

3.4.2.1 Circuit Failures Due to Open Circuits.-

.38

]

3.4.2.2 Circuit Failures Due to Shorts.to-Ground...

...39 3.4.2.3 Circuit Failuras Due to Hot Shorts.

. 41 3.4.2.4 Circuit Failures Due to inadequate Circuit Coordmation..

. 42 3.4.2.3 Circuit Failures Due to Common Enclosure Concerns.

. 45 3.5 FIRE AREA ASSESS' MENT AND COMPLIANCE STRATEGIES.

46 3.3.1 Criteria? Assumptions..

. 46 3.3.2 Compliance Strategy Guidelines.

.47 FIGURES i

Figure 3-1 Safe Shutdown Method & System Selection Process 49 Figure 3-2 Safe Shutdown Component Selection Process 50 Figure 3-3 Safe Shutdown Cable Selection Process 51 Figure 3-4 Safe Shutdown Analysis Flowchart 52 l

l i

l l

l l

l i

l l

\\

Page11 I

6 j

GENuclear Energy Draft Revision C j

Generic Guidancefor BN'R Fost Fire Safe Shutdown Analysis EXECUTIVE

SUMMARY

The intent of this document is to provide a design criteriafor BWR's to perform post fire safe

\\

shutdown circuit analysis. The criteria provided in this document is intended to provide an acceptable means ofsatisfying the Fire Safe Shutdown requirements of10CFR50.48 and the regulatory guidance issued pursuant to this regulation related to Post Fire Safe Shutdown Analysis, includingfire induced circuitfailures and the assessment ofsubsequent impacts on safe shutdown systems and equipment. Performing an Appendix R Safe Shutdown Analysis in c;mrdance with this design criteria will satisfy the Fire Safe Shutdown requirements of 10CFR50.48 and10 CFR 50 Appendix R.

i 1

1

\\

l 1

j l

t u

1 I

l i

Page 1 of52 '

l I

E GENuclear Energy Draft Revision C Generic Guidancefor BWR Post Fire Safe Shutdown Analysis j

L

1.0 INTRODUCTION

i 1.1 -

BACKGROUND On March 22,1975, the Brown's Ferry Nuclear Power Plant had the worst fire ever to occur in a commercial nuclear power plant operating in the United States. (Reference U.S. Nuclear Regulatory Commission (NRC) Inspection and Enforcement (IE) Bulletin Nos. 50-259/75 and 50-260n5-1, dated 2/25/75.) The Special Review Group that investigated the Brown's Ferry fire made two recommendations pertaining to assuring that the effectiveness of the fire protection programs at operating nuclear power plants conform to General Design Criterion (GDC) 3.

A.

The NRC should develop specific guidance for implementing GDC 3.

B.

The NRC should review the fire protection program at each operating plant, comparing the program to the specific guidance developed for implementing GDC3.

In response to the first recommendation, the NRC staff developed Branch Technical Position (BTP) Auxiliary Power Conversion Systems Branch (APCSB) 9.5-1," Guidance for Fire Protection for Nuclear Power Plants," May 1,1976; and Appendix A to BTP APCSB 9.5-1, " Guidelines for Fire Protection for Nuclear Power Plants Docketed Prior to July 1,1976," February 24,1977. In response to the second recommendation, each operating plant compared its fire protection program with the guidelines of either BTP APCSB 9.5-1 or Appendix A to BTP APCSB 9.5-1.

The staff. reviewed the fire protection programs for compliance with the guidance. In most cases, licensees complied with the majority of the implementing guidance. However, the Staff and some licensees disagreed on 17 issues. To resolve the contested issues, on May 29,1980, the NRC proposed 10 CFR 50.48, " Fire protection," and Appendix R, " Fire Protection Program for Nuclear Power Facilities Operating Prior to January 1,1979," to 10 CFR Part 50 (45 FR 36982). 'Ihe NRC published in the Federal' Register (45 FR 76602) the final fire protection rule (10 CFR 50.48 ) and Appendix R to 10 CFR Part 50 on November 19, 1980.

l The staff did not backfit Appendix R to plants licensed to operate after January 1,1979.

For some plants, the staff required compliance with Appendix A to BTP APCSB 9.5-1 and Sections III.G, J & O of Appendix R. In these cases, the sections of Appendix R that the licensee committed to meet apply to the plant as licensing commitments, rather than as a legal requirement imposed by the code of federal regulations. Some other licensees committed to meet the guidelines of Section 9.5-1, " Fire Protection Program," of Page 2 of52 l

l l

f GENuclear Energy Draft Revision C Generic Guidancefor BWR Post Fire Safe Shutdown Analysis NUREG-0800. " Standard Review Plan" (SRP), which incorporated the guidance of Appendix A to BTP APCSB 9.5-1 and the criteria of Appendix R. Plants licensed to operate after January 1,1979, can implement the guidance contained in SRP Section 9.5.1 to establish a fire protection program that complies with 10 CFR 50.48 and GDC 3.

Therefore, even though fire protection programs can be essentially equivalent from plant to plant, the licensing basis upon which these programs are founded can be very different.

To clarify the intent and to provide acceptable means for compliance with the Fire Protection Regulations, the Nuclear Regulatory Commission has issued numerous guidance documents, Generic Letters and Information Notices.

Although these documents do not carry the same weight as the NRC regulations or the code of federal regulations, they do provide insights as to the NRC staff's interpretation of the regulations and their views on acceptable methods for complying with the regulations.

One intent of these documents is to establish a uniformity of approach throughout the industry. Guidance documents present' solutions and approaches that are acceptable to the staff, but they do not represent the only possible approaches. Licensees can use approaches that differ from those specified in the guidance document. In these cases, the staff performs more detailed reviews to ensure that the alternative approaches are equivalent to the guidance.

1.2 PURPOSE OF DOCUMENT Nuclear Regulatory Commission requirements and guidance for fire protection are contained in a number of documents. The purpose of this document is as follows:

Establish a generic methodology and design criteria for performing post fire safe shutdown analysis, including safe shutdown circuit analysis.

Provide Boiling Water Reactor Owners' Group (BWROG) positions relative to requirements, clarifications of guidance, and the necessary criteria for determining generic compliance.

The extent to which the requirements and guidance are applicable to a specific plant depende upon the age of the plant and the commitments established by the licensee in develo}.ng its fire protection plan. 'Iherefore, each plant is responsible for comparing the BWROG generic guidance with plant-specific commitments in determining compliance.

Verbatim wording that is extracted from the regulatory documents is shown as italicized in this document.

{

(

Page 3 of52 l

l L

s i

GENuclear Energy Draft Revision C Generic Guidancefor B WR Post Fire Safe Shutdown Analysis The methodology and positions contained herein serve to document additional clarifications on the methods and assumptions considered so that the post fire shutdown analysis is adequately performed for BWR plants.

This document provides a comprehensive review of the criteria and considerations for completing an Appendix R safe shutdown analysis for BWR's. It establishes references to NRC regulations, generic letters, information notices, and industry documents in support of the methodology defined for safe shutdown analysis.

1.3 SAFE SHUTDOWN ANALYSIS AS A PART OF AN OVERALL FIRE PROTECTION PROGRAM Each licensee's Fire Protection Program is based on the concept of defense-in-depth. The echelons of defense-in-depth built into each licensee's program are: (1) measures to prevent fires from starting; (2) measures to detect a fire upon initiation; (3) measures to mitigate the effects of fire;(4) demonstration of the ability to achieve and maintain safe shutdown in the event of a single fire in any plant fire area. This latter component is the domain of the Appendix R Safe Shutdown Analysis. The Appendix R Safe Shutdown Analysis does not exist in isolation of the other components of the defense-in-depth Fire Protection Program, but it is performed using an assumption that many of these other components have suffered significantly to the point of being grossly ineffective.

The Appendix R Safe Shutdown assumption: represent a conservative design basis in that they postulate conditions significantly beyond those that are ever expected to occur based on the existing tefense-in-depth plant features. Fire damage end equipment failures to the extent postulated in an Appendix R Safe Shutdown Analysis has never been experienced in an operating U. S. Nuclear Power Plant. The worst case fire ever experienced in a U. S. Nuclear Power Plant was in 1975 at the Brown's Ferry Nuclear Power Plant Unit 1. Changes made in the design of all four echelons of defense-in-depth at U. S. Nuclear Power Plants since this fire have significantly improved the fire safety of these units such that a repetition of the sequence of event that occurred at Brown's Ferry is not expected to re-occur.

The sections that follow provide a discussian af the Brown's Ferry fire, the investigation of that fire, the recommendations made to prevent recurrence of such a fire and the improvement made by the U.S. Nuclear Power Industry relative to these recommendations.

f(

Page 4 of52

I 4

8 GE Nuclear Energy Draft Revision C p

Generic Guidancefor BWR Post Fire Safe Shutdown Analysis L

1.3.1 Brown's Ferry Fire: Regulatory Ifistory In March of 1975, a fire occurred at the Browns Ferry Nuclear Plant Unit 1. Due to unusual circumstances, the fire was especially severe in its outcome and resulted in considerable loss of systems and equipment with temporary unavailability of systems which would nonnally be utilized to safely shutdown the plant for such events.

The severity of the fire caused the NRC to establish a review group which evaluated the need for improving the fire protection programs at all nuclear plants. The group found serious design inadequacies regarding general fire protection at Browns Ferry, and provided recommended improvements in its repon, NUREG-0050, " Recommendations Related to Browns Ferry Fire" issued in Feb.1976. This report also recommended development of specific guidance for implementation of fire protection regulation, and i

for a comparison of that guidance with the fire protection programs at each nuclear facility.

The NRC developed technical guidance from the recommendations set forth in the NUREG and issued those guidelines as Branch Technical Position BTP APCSB 9.5-1, Guidelines for Fire Protection for Nuclear Power Plants", May 1976. The NRC asked each licensee to compare their operating reactors or those under construction with BTP APCSB 9.5-1 requirements, and, in September 1976, the licensees were informed that the guidelines in Appendix A of the BTP would be used to analyze the consequences of a fire in each plant area.

In September 1976, the NRC requested that licensees provide a fire hazards analysis that divided the plant into distinct fire areas and show that systems required to achieve and maintain cold shutdown are adequately protected against damage by a fire. Early in 1977 l

each licensee responded with a Fire Protection Program Evaluation which included a Fire Hazards Analysis. These evaluations and analyses identified aspects of licensees' Fire Protection Programs that did not conform to the NRC guidelines. Thereafter, the staff initiated discussions with all licensees aimed at achieving implementation of fire protection guidelines by October 1980. The NRC staff has held many meetings with licensees, has had extensive correspondence with them, and has visited every operating reactor. As a result, many fire protection open items were resolved, and agreements were included in Fire Protection Safety Evaluation Reports issued by the NRC.

By early 1980, most operating nuclear plants had implemented most of the basic guidelines in Appendix A of the BTP. However, as the Commission noted in its Order of Page 5 of52 I

i

GENuclear Energy Draft Revision C Generic Guidancefor BWR Post Fire Safe Shutdown Analysis May 23,1980, the fire protection programs had some significant problems with implementation. Several licensees had expressed continuing disagreement with the recommendations relating to several generic issues, including the requirements for fire brigade size and training, water supplies for fire suppression systems, alternate and dedicated shutdown capability, emergency lighting, qualifications of seals used to enclose places where cables penetrated fire barriers,.and the prevention of reactor coolant pump lubrication system fires. To establish a definitive resolution of these contested subjects in a manner consist'ent with the general guidelines in Appendix A to the BTP, and to assure timely compliance by licensees, the NRC, in May of 1980, issued a fire protection rule, 10CFR50, Appendix R. This new rule was described as setting forth minimum fire protection requirements for the unresolved issues. The fire protection features addressed in the new rule included protection of safe shutdown capability, emergency lighting, fire barriers, associated circuits, reactor coolant pump lube-oil collection systems, and alter-nate shutdown systems.

Following the issuance of Appendix R, the NRC provided guidance on the implementation of fire protection requirements and Appendix R interpretations at nuclear plants through Generic Letters, Information Notices, Regional workshops, question and answer correspondence and plant specific interface. This guidance provided generic, as well as specific, analysis criteria and methodology to be used in the evaluation of individual plant post fire safe shutdown capability.

Plants have received closure with respect to 10 CFR 50, Appendix R via SERs and Regional Inspections over a period of several years. NRC guidance has also evolved during this time, due in part to lessons learned from these interactions and inspections. In some cases, this has led to variations in analysis scope or technical approach from plant to plant. However, as this report shows, the fundamental aspects of the Safe Shutdown Analysis are similar across the entire BWR fleet.

1.3.2 Fire Damage Overview Discussion The Browns Ferry fire was an extremely severe fire. Considerable damage was done to plant cabling and associated equipment affecting vital plant shutdown functions. The fire burned, uncontrolled, while fire fighting efforts, using CO2 and dry chemical extinguishers, continued for approximately 7 hours8.101852e-5 days <br />0.00194 hours <br />1.157407e-5 weeks <br />2.6635e-6 months <br /> with little success until water was used to complete the final extinguishing process.

During the 7 hour8.101852e-5 days <br />0.00194 hours <br />1.157407e-5 weeks <br />2.6635e-6 months <br /> fire event period, the plant (Unit 1) experienced the loss of various plant components and systems. He loss of certain vital systems and equipment hampered the Operators' ability to control the plant using preferred shutdown systems.

f

\\

Page 6 of52

GENucle rEnergy Draft Revision C

\\

Generic Guidancefor BWR Post Fire Safe Shutdown Analysis

.7 The Operators were cuccessful in bringing into operation alternate means to cool the reactor. Since both Units 1 and 2 depended upon shared power supplies.. the Unit 2 Operators began to lose control of vital equipment also and were forced to shutdown.

Since only a small amount of equipment was lost in Unit 2, the shutdown wai orderly and without incident.

The results of the Browns Ferry fire event yielded important information concerning the effects of a significant fire on the ability of the plant to safely shutdown. Although the Browns Ferry fire event was severe and the duration of the fire and the loss of equipment was considerable, the radiological impact to the public, plant personnel and the environment was no more significant than from a routine reactor shutdown. At both Unit I and Unit 2, the reactor cores remained adequately cooled at all times during the event.

Due to numerous design and plant operational changes implemented since 1975, nuclear power plants in operation today are significantly less vulnerable to the effects of a fire event such as that experienced at Browns Ferry. Since 1975, a wide range of fire protection features, along with regulatory and industry guided design and procedural modifications and enhancements, have been implemented. These plant fire protection upgrades have resulted in a significant increase in plant safety and reliability, and, along with preventative measures, they ensure that events similar in magnitude to the Browns Ferry fire will not occur again. The improvements in plant design and procedural operations incorporated since the Browns Ferry fire are described below. The designs and operating procedures that existed at Browns Ferry at the time of the fire are also detailed.

1.3.3 Causes of the Browns Ferry Fire,its Severity and Consequences The following factors contributed directly to the severity and consequences of the Browns Ferry fire.

1. Failure to evaluate the hazards involved in the penetration sealing operation and to prepare and implement controlling procedures.

2.

Failure of workers to report numerous small fires experienced previously during penetration sealing operations, and failure of supervisory personnel to recognize the significance of those fires which were reported and to take appropriate corrective actions.

l l

3. Use of an open flame near uncured polyurethane foam without fire precautions specific to this activity.

.(

Page 7of52 l

w

E

]

l l

GENucle:r Energy Draft Revision C l

Generic Guidancefor BWR Post Fire Safe Shutdown Analysis i

4. Inadequate training of plant personnel in fire fighting techniques and the use of fire fighting equipment, e.g., breathing apparatus, extinguishers and extinguishing nozzles.

5. Significant delay in the application of water in fighting the fire.

6. Failure to pro' erly apply electrical separation criteria designed to prevent the failure of p

more than one division of equipment from cable tray fires. Examples are:

Safety related redundant divisional raceways were surrounded by non safety related raceways which became combustible paths routed between divisions, i.e.,

even though separation between redundant division cable trays was consistent with the specified horizontal and vertical required distances, the intervening space j

was not free of combustibles as required by the existing electrical separation criteria.

Contrary to electrical separation criteria, one division of safety related cabling was not physically separated from the redundant division due to cabling of one division routed in conduit within the " zone of influence" of the open redundant division cable tray. Proper application of electrical separation criteria requires that a tray cover or other barrier be installed on the top and/or bottom of the open redundant raceway or between redundant raceways to contain the fire within the open tray and not affect redundant division conduits.

Failure to properly separate redundant equipment indicating light circuits, leading to the loss of redundant equipment necessary for safe plant shutdown.

7. Cabling utilized within the Browns Ferry raceway system included cable jacket and insulation materials that were less resistant to fire propagation, e.g., PVC, nylon, polyvinyl, nylon-backed rubber tape, and neoprene.

8. Failure to provide automatic fire suppression, e.g., sprinklers, in an area highly congested with cabling and other combustibles, containing redundant divisional open tray raceway systems carrying circuits necessary for safe shutdown.

l 1.3.4 Fire Protection Program Improvements since Browns Ferry Page 8 ofD l

t

[,

-~-

8 O

i GENuclear Energy Draft Revision C Generic Guidancefor B WR Post Fire Safe Shutdown Analysis l

The Browns Ferry nuclear facility, generally conformed to the applicable fire protection and electrical separation criteria and guidelines that existed when it was licensed to operate by the NRC in 1968. However, the 1975 fire identified a number of areas concerning fire protection design, plant operating criteria, electrical separation and defense-in-depth considerations that required improvement. As described above, the NRC provided the industry with guidance for improvement of fire protection programs through BTP APCSB 9.5-1, Appendix A,10CFR50 Appendix R and other related regulatory corres'pondence. These improvements are as follows:

1. Fire Prevention Features:

Fire hazards, both in-situ and transient, are identified, eliminated where possible, and/or protection is provided.

Sufficient detection systems, portable extinguishers, and standpipe and hose stations have been provided. These systems are designed, installed, maintained, and tested by qualified fire protection personnel.

2. Fire Protection Features:

Fire barriers and/or automatic suppression systems have been installed to protect the function of redundant systems or components necessary for safe shutdown.

Surveillarce procedures have been established to ensure that fire barriers are in place and that fire suppression systems and components are operable.

Water supplies for fire protection features have been added, both for automatic and manual fire fighting capability.

Automatic fire detection systems have been installed with the capability of operating with or without offsite power availability.

Emergency lighting units with at least 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> battery capacity were provided in those areas where safe shutdown system control was necessary as well as in access and egress areas thereto.

Fire barrier qualification programs have been established to qualify and test prospective barrier materials and configurations to ensure that their fire endurance and resistivity is acceptable.

3. Fire Hazards Control:

Administrative controls have been established to ensure that fire hazards are r-inimized.

.he storage of combustibles in safe shutdown areas has been prohibited or e

j l

minimized. Designated storage areas for combustibles have been established.

Transient fire loads such as flammable liquids, wood and plastic have been l

limited.

The use ofignition sources are controlled through procedures and pennits.

6A Page 9 of52 i

e

n GENuclear Energy Draft Revision C Generic Guidancefor BWR Post Fire Safe Shutdown Analysis

\\

Controls for the removal of combustibles from work areas, following completion e

of work activities, have been established.

Proposed work activities are reviewed by in-plant fire protection staff for impacts on fire protection.

Non-combustible or less fiammable materials including penetration seals, cable jackets, wood products, etc., are being.used.

Self-closing fire doors have been installed.

Oil collection systems have been installed for reactor coolant pumps for containments that are not inerted.

4. Fire Brigade / Training Site fire brigades have been established to ensure adequate manual fire fighting capability is available.

A fire brigade training program has been established to ensure that the capability to fight potential fires is maintained. Both classroom instruction, fire fighting practice and fire drills are performed at regular intervals.

Fire Brigade Training includes:

=

Assignment ofindividual brigade member responsibilities

=

The toxic and corrosive characteristics of expected products of combustion.

=

Identification and location of fire fighting equipment.

=

Identification of access and egress routes.

=

Proper use of fire fighting equipment to be for electrical equipment fires, fires

=

in cable trays and ' enclosures, hydrogen fires, flammable liquids fires, hazardous chemical fires, etc.

Proper us of communication, emergency lighting, ventilation and breathing

=

D equipment.

Review of detailed fire fighting strategies and procedures.

=

Live fire exercises.

=

5. Post Fire Safe Shutdown Capability

. A comprehensive post-fire safe shutdown analysis program using the methodology and criteria described in this report has been established to ensure that post-fire safe shutdown capability is provided.

Fire damage is limited so that one train of safe shutdown equipment necessary to maintain hot and/or cold shutdown is protected and free from fire damage.

Cabling for redundant trains of safe shutdown equipment is separated by 1 or 3 hour3.472222e-5 days <br />8.333333e-4 hours <br />4.960317e-6 weeks <br />1.1415e-6 months <br /> fire rated barriers. In areas where 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> rated barriers are used, additional l

protection is provided by fire detection and an automatic suppression system.

)

i

.y k

Page10 ofS2

)

a GENucle:rE ergy Draft Revision C Generic Guidancefor BWR Post Fire Safe Shutdown Analysis Twenty feet of space, containing no intervening combustibles, is provided in lieu of barriers, where applicable.

Where redundant trains of equipment, necessary for post fire safe shutdown, are e

located in the same fire area and adequate protection for one train cannot be main'tained, an alternate or dedicated fire safe shutdown system has been established as follows:

Alternate or dedicated fire safe shutdown systems are capable of achievirig

=

and 16aintaining subcritical reactivity conditions in the reactor, maintaining j

reactor coolant inventory and achieving and maintaining hot or cold shutdown conditions within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />.

Process monitoring instrumentation is provided with the capability of direct.y f

=

monitoring those process varia' ales necessary to perform and control post-fire safe shutdown functions.

Supporting functions (cooling, lubrication, HVAC, etc.) necessary to ensure

=

continued operation of post-fire safe shutdown systems / equipment is I

provided.

2.0 APPENDIX R REQUIREMENTS AND CONSIDERATIONS This section provides a general overview of the Appendix R regulation requirements including the criteria for classifying the various shutdown methods. It describes the j

distinctions between redundant and attemative and dedicated shutdown methods and provides guidance and the methodology for implementing these shutdown methods for BWR's. In addition, the considerations dealing with a loss of offsite power and associated circuits concerns are also discussed.

2.1.1 Regulatory Requirements 10CFR50 Appendix R Section III.G, establishes the regulatory requirements for protecting structures, systems, components, cables and associated circuits required for achieving Appendix R Safe Shutdown.

Sections III.G.1 and III.G.2 discuss the requirements for " Redundant" safe shutdown and Section III.G.3 discusses the requirements for " Alternative or Dedicated" shutdown. The requirements for each of these shutdown classifications will be considered separately.

The following sections discuss the regulations and distinctions regarding " redundant" and a

" alternative / dedicated" shutdown methods:

(

Page 11 of52 I

s s

GENuclear Energy Draft Revision C Generic Guidancefor BWR Post Fire Safe Shutdown Anal sis f

2.1.1.1 Requirementsfor Redundant Safe Shutdown Section Ill.G.1 provides the requirements for structures, systems and components and states the following:

111. G. Fireprotection ofsafe shutdown capability.

1.

Fire protectionfeatures shall be providedfor structures, systems, and components important to safe shutdown. These features shall be capable of limiting fire damage so that:

One train ofsystems necessary to achieve and maintain hot shutdown condinons a.

from either the control room or emergency control station (s) is free offire damage; and b.

Systems necessary to achieve and maintain cold shutdownfrom ei:her the control room or emergency control station (s) can be repaired within 72 hou, s.

l There are no functional requirements specifically itemized for the structures, systems or components. The only performance goal identified is the requirement to initially achieve and maintain hot shutdown and to subsequently achieve cold shutdown once any required repairs have been completed.

Section III.G.1 establishes the requirement to ensure that adequate fire protection features exist to assure that one train of systems necessary to achieve and maintain hot shutdown is not impacted by the fire. Section Ill.G.2 specifies in detail those fire protection features that are adequate to ensure the protection of the hot shutdown train, including associated circuits.

Ill.G.2 Except as provided for in paragraph G.3 of this section, where cables or equipment, including associated non-safety circuits that couldprevent operation or cause maloperation due to hot shorts, open circuits, or shorts to ground, of redundant trains of systems necessary to achieve and maintain hot shutdown conditions are located within the samefire area outside ofprimary containment, one ofthefollowing means ofensuring that one of the redundant trains isfree of fire damage shallbeprovided:

Separation of cables and equipment and associated non-safety circuits of a.

redundant trains by a fire barrier having a 3-hour rating. Structural steel l

forming a part of or supporting such fire barriers shall be protected to provide

\\

fire resistance equivalent to that required ofthe barrier; b.

Separation of cables and equipment and associated non-safety circuits of redundant trains by a horizontal distance ofmore than 20 feet with no intervening I

Page12 of52

GENuclear Energy Draft Revision C Generic Guidancefor BWR Post Fire Safe Shutdown Analysis combustible or fire hazards.

In addition, fire detectors and automatic fire suppression system shall be installed in thefire area; or c.

Enclosure of cable and equipment and associated non-safety circuits of one redundant train in a fire barrier having a 1-hour rating. In addition, fire detectors and an automaticfire suppression system shall be installed in thefire area; Inside non-inerted containments one of thefire protection means specified above or one ofthefollowingfire protection means shall be provided:

I d

Separation of cables and equipment and associated non-safety circuits of redundant trains by a horizontal distance ofmore than 20 feet with no intervening combustibles orfire hazards; e.

Installation offire detectors and an automaticfire suppression system in thefire area; or f

Separation of cables and equipment and associated non-safety circuits of redundant trains by a noncombustible radiant energy shield.

Therefore, in order to comply with the regulatory requirements in Section III.G.1 and 2, it is necessary to: (1) provide fire protection features consistent with the requirements of Section III.G.2.a, b, or c (for areas outside of primary containment) to protect structures, systems, components, cables and associated circuits for one train capable of achieving and maintaining hot shutdown conditions; (2) assure that any repairs required to equipment necessary to achieve and maintain cold shutdown can be made within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />.

Redundant shutdown involves any combination of equipment and systems with 'he i

capability to perform the shutdown functions of reactivity control, inventory control, decay heat removal, process monitoring and associated support functions when used within the capabilities ofits design.

Appendix R,Section III.G.2.a, b and c d: scribe the options available within the regulations for assuring one redundant train is free of fire damage. These options i

l essentially provide for the use of either fire-rated construction or physical separation as a means for ensuring protection for a redundant train. Demonstrating the ability to achieve and maintain cold shutdown following a fire by providing fire protection features l

consistent with those described in Section III.G.2.a, b or c is the ultimate goal of Appendix R. In addition, compliance can be supplemented with an exemption request, a documented deviation and/or an GL 86-10 evaluation.

However,Section III.G.2 also makes provisions for the actions requimd in the event that the fire protection features described in Section III.G.2.a, b or c cannot be met. In these Page 13 of52

GENuclear Energy Draft Revision C Generic Guidancefor BWR Post Fire Safe Shutdown Analysis cases,Section III.G.2 invokes the requirements of Section Ill.G.3. Section Ill.G.3 q

introduces the terms " Alternative" and " Dedicated" shutdown capability.

2.1.1.2 Requirementsfor Alternative / Dedicated Safe Shutdown i

Section III.G.3 also provides additional fire protection features that apply to those situations where alternative or dedicated shutdown capability is used to provide safe shutdown. Sectibn Ill.G.3 reads as follows:

3.

Alternative or dedicated shutdown capability and its associated circuits

• independent ofcables, systems or components in the areas, room or zone under consideration, shallbeprovided:

Where the protection of sys.tems whose function is required for hot a.

shutdown does not satisfy the requirement of paragraph G.2 of this section; or j

b.

Where redundant trains ofsystems requiredfor hot shutdown located in the same fire area may be subject to damage from fire suppression activities orfrom the rupture or inadvertent operation offire suppression systems.

In addition, fire detection and afixedfire suppression system shall be installed in the area, room, or zone under consideration.

HI,G.3 Footnote 2 - Alternative shutdown capability is provided by rerouting, relocating or modification of existing systems; dedicated shutdown capability is provided by installing new structures and systems for thefunction ofpost-fire shutdown.

To satisfy the requirements of Section III.G.3 and use " Alternative" or " Dedicated" shutdown capability, the cables, systems or components comprising the "Alternativ:" or "Dedicsted" shutdown capability must be indeoendent of the area under consideration.

" Alternative" shutdown capability meeting the requirements of Section III.G.3 must satisfy the requirements of Section III.L.Section III.L.I provides requirements on the shutdown functions required for the systems selected for alternative shutdown. It alsa provides the acceptance criterion for the systems performing these functions.

L Alternative anddedicatedshutdown capability.

1.

Alternative or dedicated shutdown capability providedfor a specificfire area shall be able to (a) achieve and maintain subcritical reactivity conditions in the reactor; (b) maintain reactor coolant inventory; (c) achieve and maintain hot standby conditions for a PWR (hot shutdown 3 or a BWR), (d) achieve cold l

f shutdown conditions within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />; and (c) maintain cold shutdown conditions

.f Page14 of52

p GENuclear Energy Draft Revision C Generic Guidancefor B WR Post Fire Safe Shutdown Analysis thereafter. During the postfire shutdown, the reactor coolant system process variables shall be maintained within those predictedfor a loss of normal a.c.

power, and thefission product boundary integrity shall not be afected; i.e., there shall be no fuel clad damage, rupture of any primary coolant boundary, or rupture ofthe containment boundary.

Alternative shutdown capability is provided by rerouting, relocating or modification of existing systems,' dedicated shutdown capability is provided by installing new structures and systemsfor thefunction ofpost-fire shutdown.

Section Ill.L.2 identifies the performance goals for the shutdown functions of alternative shutdown systems as follows:

2.

The performance goalsfor the shutdownfunctions shall be:

The reactivity controlfunction shall be capable ofachieving and maintaining cold a.

shutdown reactivity conditions.

b.

The reactor coolant makeupfunction shall be capable ofmaintaining the reactor coolant level above the top ofthe corefor BWRs and be within the level indication in thepressurizerfor PWRs.

The reactor heat removalfunction shall be capable ofachieving and maintaining c.

decay heat removal.

d.

The process monitoringfunction shall be capable ofproviding direct readings of the process variables necessary to perform and control the abovefunctions.

The supporting functions shall be capable of providing the process cooling, e.

lubrication, etc., necessary to permit the operation ofthe equipment usedfor safe shutdownfunctions.

2.1.2 Regulatory Guidance on Associated Circuits

. 2.1.2.1 In addition to ensuring that safe shutdown systems remain available to perform their intended functions, the Appendix R analysis also requires that other failures be evaluated to insure that the safe shutdown system functions are not defeated.

2.1.2.2 The analysis requires that consideration be given to cable failures which may c use unwanted spurious actuations resulting in direct or indirect smwanted unditions such as flow diversion or flow blockage. Also, circuit failures resulting in the loss of support systems such as the electrical power supply from improperly coordinated circuits must be considered. These types of circuits are referred to as j

Associated Circuits ofconcern.

I l (

Page15 of52

1 I

GENuclear Energy Draft Revision C Generic Guidancefor BWR Post Fire Safe Shutdown Analysis 2.1.2.3 Appendix R, Section Ill.G.2, states the following related to evaluating associated non-safety circuits when evaluating redundant shutdown capability Appendix R Section III.G.2:

6 "Where cables or equipment, including associated non-safety circuits that can prevent operation or cause maloperation due to hot shorts, open circuits or shorts to ground, ofredundant trains ofsystems necessary to achieve and maintain hot shutdowri conditions are located within the same fire area outside ofprimary containment, one of thefollowing means of assuring that one of the redundant trains isfree offire damage shall be provided.. "

Associated circuits need to be evaluated to determine if cable faults can prevent the operation or cause the maloperation of redundant systems used to achieve and maintain hot shutdown.

2.1.2.4 Appendix R, Section Ill.L provides the requirements for altemative and dedicated shutdown capability. Section Ill.L.7 also highlights the importance of considering associated non-safety circuits for attemative shutdown capability by stating the following:

"The safe shutdown equipment and systemsfor eachfire area shall be known to

\\

be isolatedfrom associated non-safety circuits in thefire area so that hot shorts, open circuits, or shorts to ground in the associated circuits will not prevent operation ofthe safe shutdown equipment. "

l l

2.1.2.5 NRC GL 81-12, Fire Protection Rule (45 FR 76602, November 19,1980), dated on February 20, 1981, provides additional clarification related to associated j

nonsafety circuits that can either prevent operation or cause maloperation of redundant safe shutdown trains. With respect to these associated circuits, GL 81-12 describes three types of associated circuits. Generic Letter 81-12 defines associated circuits of concem as those cables and components that:

I

a. Have a physical separation less than that required by Section 111.G.2 of j

Appendix R, and:

l

b. Have one ofthefollowing:

A common power source with the shutdown equipment (redundant or alternative) and the power source is not electricallyprotectedfrom the circuit

{

ofconcern by coordinated breakers, fuses, or similar devices, or f

Page16 of52 l

i 2

i_

r i

j i

GENuclear Energy Dr:ft Revision C Generic Guidancefor BWR Post Fire Safe Shutdown Analysis s

A connection to circuits of equipment whose spurious operation would e

adversely affect the shutdown capability (i.e., RHR/RCS isolation valves, ADS valves, instrumentation, steam bypass, hillowpressure interfaces, etc.), or A common enclosure (i.e., raceway, panel, junction box) with the shutdown e

cables (redundant and alternative) and, i

1) are not electricallyprotected by circuit breakers, fuses or similar devices, or -

2) willallowpropagation ofthefire into the common enclosure.

l 2.1.3 Regulatory Interpretation on Loss of Offsite Power 2.1.3.1 The loss of offsite power has the potential to affect safe shutdown capability. In addition, the requirements for offsite power differ between the redundant and attemative/ dedicated shutdown capability.

Therefore, consideration must be given for the loss of offsite power when evaluating its effect on safe shutdown.

The Appendix R requirement to consider a loss of offsite power is mentioned in Section Ill.L.3 as follows:

i 3.

The shutdown capabilityfor specific fire areas may be unique for each such area, or it may be one unique combination ofsystemsfor all such areas. In i

either case, the alternative shutdown capability shall be independent of the i

specific fire area (s) and shall accommodate postfire conditions where ofsite power is available and where ofsite power is not available for 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />.

Procedures shall be in efect to implement this capability.

2.1.3.2 Alternative / Dedicated systems must demonstrate shutdown capability where offsite power is available and where offsite power is not available for 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />. If such equipment and systems used prior to 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> after the fire will not be capable of being powered by both onsite and offsite electric power systems because of fire damage, an independent onsite power system shall be provided.

Equipment and systems used after 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> may be powered by offsite power only. Actions necessary to restore offsite power systems are considered to be performed under the puwiew of the emergency response organization.

2.1.3.3 For Redundant Shutdown, offsite power may be credited if demonstrated to be free of fire damage.

Page17of52

GENuclear Energy Draft Revision C Generic Guidancefor BWR Post Fire Safe Shutdown Analysis 3.0 METHODOLOGY This section discusses a generic methodology and criteria which may be used by the BWR licensee's to perform a safe shutdown analysis in accordance with Appendix R requirements. The criteria provided in this document ensures the ability to achieve and maintain safe shutdown through the selection of a safe shutdown method for each fire area which satisfies all of the required safe shutdown functions of Appendix R and which cannot be adversely affected by spurious operations as described in this document. The following aspects will be discussed within this section:

Safe shutdown methods and systems The section on safe shutdown methods will discuss the process of establishing safe shutdown paths and systems. It also describes various shutdown methods developed within the industry for BWR plants and provides assumptions and methods considered in defining valid safe shutdown systems.

Safe shutdown rauipment selection The section on equipment selection discusses the assumptions and process considered in defining valid safe shutdown equipment. Criteria is established for determining the types of components to be considered for the safe shutdown analysis and generic guidelines are provided for selecting typical equipment for each safe shutdown system.

Safe shutdown cable selection The section on cable selection discusses the assumptions and process considered in identifying Appendix R cables (safe shutdown and associated circuits of concem) and establishing their relationship to the affected safe shutdown equipment.

Circuit analysis criteria The section on circuit analysis criteria discusses the various circuit failure concems to be considered when postulating fire-induced cable failures. Examples are provided for selected circuit failures.

Fire area assessment and comollance strateeles This section discusses the process of determining and resolving Appendix R concems by fire area. It establishes the criteria and assumptions for developing compliance strategies for the cases where circuits of redundant systems are located in the same fire area.

f Page18 of52 I

i t~

GENuclearEnergy Draft Revision C Generic Guidancefor BWR Post Fire Safe Shutdown Analysis 3.1 SAFE SHUTDOWN METHODS AND SYSTEMS

]

This section discusses the method and criteria for selecting the safe shutdown paths and the required system features. Safe shutdown need not be limited to a single method but may be accomplished by different combinations of systems. The safe shutdown analysis regams that a set of systems be selected.to achieve and maintain safe shutdown condions in accordance with 10CFR50 Appendix R. The safe shutdown systems are those systems that must be assured to remain functional for the post-fire shutdown scenario.

The selected safe shutdown systems form the basis for the selection of the individual components and cables necessary to assure that each system function can be met. The following criteria and assumptions are applicable to the selection of safe shutdown methods and systems:

3.1.1 Criteria / Assumptions 3.1.1.1 GE Report GE-NE-T43-00002-01 entitled " Original Safe Shutdown Paths For The BWR" addresses the systems and equipment originally designed into the GE Boiling Water Reactors (BWRs) in the 1960's and 1970's, that can be used to achieve and maintain safe shutdown per Section Ill.G.1 of 10CFR 50, App. R. Any of the shutdown paths (methods) described in this report are considered to be acceptable methods for redundant safe shutdown.

3.1.1.2 GE Report GE-NE-T43-00002-00-03 provides a discussion on the BWR Owners' Group (BWROG) position regarding the use of Safety Relief Valves (SRVs) and low pressure systems (LPCI/CS) for safe shutdown. The BWROG position is that the use of SRVs and Low Pressure Systems is an acceptable methodology for achieving redundant safe shutdown in accordance with the requirements of 10CFR50 Appendix R Sections III.G. I and 2.

3.1.1.3 The classification of shutdown capability as Alternative Shutdown is made independent of the selection of systems used for shutdown. Alternative shutdown capability is determined based on an inability to meet the separation requirements of section III.G.2. Altemative shutdown capability may include the operation of existing redundant systems from different locations outside of the main control room such as a remote shutdown panel. For example, the operation of RCIC at the remote shutdown panel (in some cases) may be considered as an Alternative shutdown method for evaluating the effects of a main control room fire.

Page19 of52

GENuclear Energy Draft Revision C t

Generic Guidancefor BWR Post Fire Safe Shutdown Analysis -

_-----r---

.,..e -

.~

\\

3.1.1.4 Prior to the onset of the postulated fire, all safe shutdown systems (including applicable redundant divisions) are assumed operable and available for post-fire safe shutdown.

Systems are assumed to be operational with no repairs, maintenance, testing, etc in progress. The unit (s) are assumed to be operating at full power under normal conditions and normal lineups.

3.1.1.5 No FSAR accidents, single failures or non-fire induced transients need be considered in conjunction with the Appendix R fire.

3.1.1.6 For the case of redundant shutdown, offsite power is assumed available unless the fire-induced failures result in a loss of offsite power. However, for areas which rely on alternative or dedicated shutdown a loss of offsite power is assumed at the onset of the fire. For plants that have not reviewed the availability of Offsite Power post-fire, it may conservatively be assumed lost.

3.1.1.7 Safe shutdown systems can be either safety-related or non safety-related.

3.1.1.8 The starting point of all fire-induced damage is assumed to be coincident with a reactor scram. Successful scram (i.e. all rods full-in) fulfills the reactivity control function.

3.1.1.9 The Appendix R analysis assumes a 72 hr coping period starting with a reactor scram. The automatic initiation of systems selected for safe shutdown is not required. Manual initiation of systems required te achieve and maintain safe shutdown is acceptable.

3.1.1.10 Where a single fire can impact multiple units of a multi-unit plant, the ability to achieve and maintain safe shutdown for all units must be demonstrated.

3.1.1.11 The selection of safe shutdown systems is based on the following required safe shutdown functions:

Reactivity Control Pressure Control Systems e

Inventory Make-Up Decay Heat Removal Process Monitoring l

Support Systems Electrical Systems s

Page 20 of52

GENucle:r Energy Draft Revision C Generic Guidancefor B WR Post Fire Safe Shutdown Analysis Cooling Systems Communication System Emergency Lighting in addition to these functions is the requirement to prevent spurious operntions that could result in either a loss of reactor pressure vessel inventory, an inadvertent overfilling of the reactor pressure vessel or a flow loss or blockage in the inventory make-up or decay heat removal systems being used for safe shutdown.

3.1.2 Shutdown Functions The fe!hwing discussion on each of these shutdown functions provides guidelines for selecting the systems and equipment required,for safe shutdown.

For additional l

information refer to GE Repcrt GE-NE-T43-00002-01 entitled "Origint.1 Safe Shutdown Paths For The BWR".

3.1.2.1 Reactivity Control Control Rod Drive (CRD) System The safe shutdown performance and design requirements for the reactivity control fenction can be met without automatic scram capability. Manual scram may be credited.

The Appendix R safe shutdown analysis must only provide the capability to manually scram the reactor.

3.1.2.2 Pressure ControlSystems Saferv Relief Valves (SRVs)

The SRVs are opened to maintain hot shutdown conditions or to depressurize the vessel to allow injection using low pressure systems.

Main Steam isolation Valves (MSIVs)

If Reactor Vessel Isolation is required for the shutdown, one MSIV per steam line is required to be closed to provide the isolation.

3.1.2.3 a sventory Make-Up Either high pressure injection (e.g. HPCI or RCIC) or Safety Relief Valves with low pressure injection (LPCI/CS) can be used to maintain reactor coolant makeup depending on the fire damage.

..(

Page 21 of52

Dr-ft Revision C GENucle:r Energy o

Generic Guidancefor BWR Post Fire Safe Shutdown Analysis

.-,.s..

RHR/LPCIor Core ScravSystem Automatic initiation of the RHR/LPCI or Core Spray system is not necessary to meet the Appendix R requirements. The Core Spray System performs two functions in support of safe shutdown. The primary function is reactor vessel inventory make-up. Core Spray can, also function along with the ADS /SRV valves, in the alternate shutdown cooling mode to perform the decay heat removal function.'.

RCICMPCISystems Automatic initiation of the HPCI or RCIC system is not necessary to meet the Appendix R requirements. The prima 1y function of the HPCI or RCIC system is to provide reactor vessel inventory makeup. HPCI and RCIC can take suction from either the Condensate Storage Tank (CST) or suppression pool and discharge to the vessel via the feedwater sparger. The CST is the preferred water source since it is reactor grade water and the suppression pool is not.

3.1.2.4 Decay Heat Removal The Appendix R scenario may result in a loss of normal heat sink to the condenser. When this occurs, the main steam SRVs are used to transfer decay heat to the suppression pool.

ResidualHeat Removal (RHR) System The RHR System is required by for long term decay heat removal.

Supriression Pool Cooline (SPC) Mode Decay heat is transferred from the vessel to the suppression pool via open SRV(s) or ADS valves and/or HPCI and RCIC turbine exhaust. SPC takes suction from the suppression pool and retums it to the suppression pool via the RHR heat exchanger and full flow test line.

Shutdown Cooline (SDC) Mode

' SDC femoves decay heat by drawing water from the reactor vessel and returning it to the vessel via the RHR heat exchanger and LPCI injection line or the shutdown cooling injection line.

Low Pressure Coolant Infection (LPCD Mode (Alternate Shutdown Coolinal LPCI Alternate Shutdown Cooling takes suction from the suppression pool and injects water inte the vessel via the RHR heat exchanger and SDC/LPCI retum

\\

Page 22 of52 i

~

]

=

1 GENucle:rEnergy Draft Revision C Generic Guidancefor BWR Post Fire Safe Shutdown Analysis line. Decay heat removal is provided by the RHR heat exchanger using RHR Service Water to transfer heat to the Ultimate Heat Sink. Core Spray can also function along with the ADS /SRV valves, in the altemate shutdown cooling mode to perform the decay heat removal function.

RHR Service Water Systw.n The RHR Seivice Water System removes decay heat from the RHR system using the RHR heat exchangers.

3.2.2.5 Process Monitoring The process monitoring function is provided for all safe shutdown paths. IN 84-09, Attachment 1,Section IX " Lessons Learned from NRC Inspections of Fire Protection Safe Shutdown Systems (10CFR50 Appendix R)" provides guidance on the instrumentation acceptable to and preferred by the NRC for meeting the process monitoring function.

Instmmentation is selected based on the instrumentation necessary to support the Operating, Off-Normal and Emergency Operating Procedures necessary to achieve safe shutdown.

Nuclear BoilerInstrumentation Reactor water level and pressure indication are provided in the Control Room or at the RSP to alert the Operator to manually scram the reactor and/or actuate safe shutdown systems.

Succression PoolMonitorine Suppression pool temperature and level indication are provided in the Control Room or at the RSP, since the suppression pool provides a heat sink for decay heat removal and makeup water source. Operators may require information regarding suppression pool temperature and level to observe NPSH Iimits for pumps taking suction from the suppression pool.

Safe Shutdown System Monitorine Instrumentation Flow rate indication for makeup systems (RCIC, HPCI, CS and RHR LPCI) are provided in the Control Room or at the RSP. In addition, flow and (sometimes) temperature indication for heat transfer systems (RHR Service Water, RHR SPC, RHR SDC) are provided.

3.1.2.6 ElectricalSystems ACDistribution System

((

'\\

Page 23 of52

i 1

GE Nucle:r Energy Draft Revision C Generic Guidancefor BWR Post Fire Safe Shutdown Analysis

\\

Power for the Appendix R safe shutdown components is typically derived from the 4.16 KV Class IE Buses either directly from the buses or through step down transformers / load centers / distribution panels for 600,480 or 120 VAC loads.

DC Distribution System Typically, the 125VDC distribution system supplies DC control power to various 125VDC control panels including 4.16KV breaker controls. The 125VDC distribution panels may also supply power to the 120VAC distribution panels via static inverters.

These distribution panels typically supply power for instrumentation necessary to complete the process monitoring functions.

For Appendix R events that result in a loss of offsite power, the batteries are necessary to supply control power during the interim time period required for the diesel generators to become operational. Once the diesels are operational, the 125 VDC distribution system can be powered from the diesels through the battery chargers.

Certain plants are also designed with a 250VDC Distribution System which j

supplies power to the RCIC Control and HPCI Control. The 250VDC Control Centers may also supply power to various small horsepower Appendix R safe shutdown system valves and pumps.

3.1.2.7 Cooling Systems EmereencyService WaterSystem The Emergency Service Water (ESW) System provides process cooling in support of safe shutdown components. When the diesel generators are being used for safe shutdown, the applicable division of ESW is required to provide cooling water to the various heat exchangers associated with the running diesel generator. The ESW System is a support system in the Appendix R shutdown scenario. In most BWR plants, it provides cooling to the Emergency Diesel Generators, the RHR pumps and Room Coolers and HPC1/RCIC Room Coolers HVACSystems Typical HVAC systems (e.g. RHR Pump Room Unit Coolers for the RHR Pumps, RCIC and HPCI Pump Room Unit Coolers, Diesel Gec, t t Building HVAC System, ESSW Pumphouse HVAC System) provide coolin; a components which achieve and maintain safe shutdown.

I m

Pcge 24 ofS2

GENuclear Energy Draft Revision C Generic Guidancefor BWR Post Fire Safe Shutdown Analysis

.7 a

3.1.2.8 Communication System Manual actions may require Communication System for proper coordination with Control Room activities.

3.1.2.9 Emergency Lighting Adequate emergency lighting is required to perform manual actions specified for compliance to Appendix R related activities.

3.1.3 Methodology for Shutdown System Selection The following methodology may be used to define the safe shutdown systems and methods or paths for an Appendix R analysis:

3.1.3.1 Review available documentation to obtain an understanding of the available plant systems and their functions. Documents such as the following may be reviewed:

Operating Procedures (Normal, Emergency, Abnormal)

Similar UFSAR Accidents and Transients (Loss of Feedwater, MSIV Closure, Station Blackout)

System Descriptions Fire Hazard Analysis Single-Line Electrical Diagrams Piping and Instrumentation Diagrams (P&ID's)

GE Paper on Original Shutdown Systems 3.1.3.2 Given the criteria / assumptions defined in sections 3.1.1 and 3.1.2, identify the available systems required to achieve the safe shutdown functions of Reactivity Control, Pressure Control Systems, Inventory Make-Up, Decay Heat Removal, Process Monitoring and Support Systems such as Electrical Systems, Cooling Systems, Communication System and Emergency Lighting.

3.1.3.3 In addition to achieving the safe shutdown functions, consideration must also be given to any spurious operations which may adversely affect the ability to achieve safe shutdown by resulting in either a loss of reactor pressure vessel inventory, an inadvertent overfilling of the reactor pressure vessel or a flow loss or blockage in the inventory make-up or decay heat removal systems being used for safe shutdown.

(

Page 25 of52

GENuclear Energy Draft Revision C Generic Guidancefor BWR Post Fire Safe Shutdown Analysis

=

-x 4

Refer to Figure 3-1 for a flowchart illustrating the various steps involved in selecting safe shutdown systems and establishing shutdown methods.

3.2 SAFE SHUTDOWN EQUIPMENT SELECTION The previous settion described the methodology for selecting the systems necessary to achieve and maintain safe shutdown for an Appendix R event. This section describes the criteria / assumptions and selection methodology for identifying the specific safe shutdown l

components necessary for the systems to perform their Appendix R function. The selected components should be related back to the safe shutdown systems which they support. The safe shutdown components will then form the basis for identifying the cables necessary for the operation or that can cause the maloperation of the components.

If components are not selected to support the required safe shutdown functions or spurious actuation concerns, then they cannot adversely affect the ability to achieve and maintain safe shutdown.

i d

I 3.2.1 Criteria / Assumptions 3.2.1.1 Safe shutdown components may be classified differently depending on the component function. Components that perform a function that directly affects the operability of the safe shutdown system may include the following types:

pumps, motor operated valves, solenoid valves, fans, ga: bottles, dampers, e

unit coolers, etc.

all necessary process indicators and recorders (i.e., flow indicator, temperature e

indicator, turbine speed indicator, pressure indicator, level recorder) power supplies or other electrical components that support operation of e

primary components (i.e., diesel generators, switchgear, motor control centers, load centers, power supplies, distribution panels, etc.)

Communication System Jack Plates e

i 3.2.1.2 Components that provide a support function to another primary component via i

either an interlock or input signal processor need not be identified as individual safe shutdown components provided that the cables connecting these devices to i

a primary component's control circuit are related to the primary component.

Examples of these supporting components may include flow switches, pressure switches, temperature switches, level switches, temperature elements, speed i

elements, transmitters, converters, controllers, transducers, signal conditioners,

(

Page 26 of52

GENuclear Energy Draft Revision C Generic Guidancefor B WR Post Fire Safe Shutdown Analysis hand switches, relays, fuses and ve9>, instrumentation devices. The impact due to the failure of these supporting sub-components is typically realized along with the failure of the cables affiliated with the primary equipment they support.

3.2.1.3 Typically, only components that require electrical cables to function are classified as safe shutdown components. Components such as hand valves, mechanical relief valves, etc. are not usually not listed as safe shutdown components. Examples of valves included and analyzed are motor operated valves (MOV), solenoid operated valves (SOV), and air operated valves (AOV).

Examples of pumps include all electrically operated pumps and electrically j

started pumps driven by some other mechanical means (i.e. turbine driven RCIC pump).

3.2.1.4 Fire damage to valves and piping is not assumed to adversely impact their ability to function as either pressure boundaries or safe shutdovm components.

3.2.1.5 Manual operated valves are assumed to be in their normal position. Manual valves can be credited for preventing flow diversion if the valve is normally closed as shown on the P&lD or plant operating procedures.

3.2.1.6 A check valve that closes in the direction of potential flow diversion is assumed to seat properly with sufficiently leak tightness to prevent flow diversion sufficient to prevent the SSD function.

3.2.1.7 Instruments (e.g., resistance *emperature detectors, thermocouples, pressure transmitters, and flow transmitters) are assumed to suffer damage in a manner similar to electrical cables. If these devices are exposed to a fire, only associated cables are assumed to be damaged. The instrument fluid boundary remains undamaged. Sight-glasses and mechanically linked tank-level indicators are assumed to be unaffected by fire. The effects of the fire on instrument tubing should also be considered.

3.2.1.8 Safe shutdown components are selected based on their irepact to the required safe shutdown functions or due to spurious actuation conarns. The following definition is used to identify the spurious actuation components: The set of components whose spurious operation could result in either a loss of reactor pressure vessel inventory, an inadvertent overfilling of the reactor pressure vessel or a flow loss or blockage in the inventory make-np or decay heat removalsystems being usedfor safe shutdown.

Page 27ofD

GENucle:r Energy Draft Revision C Generic Guidancefor BWR Post Fire Safe Shutdown Analysis t

3.2.1.9 All components subject to spurious actuation which can directly impact safe shutdown should be identified during the component selection phase.

3.2.2 Methodology for Equipment Selection The following methodology may be used to define the safe shutdown equipment for an Appendix R analysis:

3.2.3.1 Review available A umentation to identify the equipment required for each safe shutdown system and method defined in the previous section. Documents such as the following may be reviewed:

Operating Procedures (Normal, Emergency, Abnormal)

System Descriptions Fire Hazard Analysis Single-Line Electrical Diagram:

Piping and Instrumentation Diagrams (P&ID's) 3.2.3.2 Given the criteria / assumptions defined in section 3.2.1, identify the components required to achieve the safe shutdown functions of Reactivity Control, Pressure Control Systems, Inventory Make-Up, Decay Heat Removal, Process Monitoring and Support Systems such as Electrical Systems, Cooling Systems, Communication System and Emergency Lighting.

3.2.3.3 In addition to the achieving the safe shutdown functiens, the selection of equipment must also consider components which may spuriously actuate and adversely affect the ability to achieve safe shutdown by resulting in either a loss of reactor pressure vessel inventory, an inadvertent overfilling of the reactor pressure vessel or a flow loss or blockage in the inventory make-up or decay heat removal systems.

3.2.3.4 Review the applicable documentation (e.g. PI&D's, electrical drawings, instrument loop diagrams, shutdown logic diagrams) to insure that the failure of l

every component defined within each system flow path has been considered j

either for operability or for impact to safe shutdown due to spurious actuation.

l 3.2.3.5 Adentify the system (s) and method (s) which rely on the operability of the l

equipment or which may be adversely impacted from the failure or maloperation of the equipment. System acronyms and path designation (s) may be assigned to l

l each component to indicate this relationship.

]

s Page 28 of52 l

l L

i

I i

)

GENuclesr Energy Draft Revision C Generic Guidancefor BWR Post Fire Safe Shutdown Analysis 3.2.3.6 Additional componeni related information should be collected to indicate the required role for each component with respect to each system and shutdcwm method or path. In order to facilitate the analysis, it is recommended that related data be tabulated for each component ID.

Examples of related component data would include the equipment type, description, system, path, unit, FA/FZ location of equipment, normal position, shutdown position, Hi/Lo Interface Flag, failed air position, failed electrical position.

i Refer to Figure 3-2 for a flowchart illustrating the various steps involved in selecting safe j

shutdown equipment.

3.3 SAFE SHUTDOWN CABLE SELECTION This section provides industry guidance on the recommended methodology and criteria for selecting safe shutdown cables and determining their potential impact to equipment required for achieving and maintaining safe shutdown of an operating nuclear power plant for the condition of an Appendix R fire. The Appendix R safe shutdown cable selection criteria is developed to ensure that all cables that could affect the proper operation or that could cause the maloperation of safe shutdown components are identified and that these cables are properly related to the safe shutdown component (s) whose functionality they could impact. Through this cable to component relationship, cables become associated with the safe shutdown path assigned to any of the components affected by the cable. If cables are net selected to support a safe shutdown component or spurious actuation concems, then they cannot adversely affect the ability to achieve and maintain safe shutdowm.

3.3.1 Criteria / Assumptions The following criteria may be considered when selecting cables which impact safe shutdown equipment:

3.3.1.1 The list of cables whose failure impacts the operation of a component includes more than simply those cables connected to the equipment. The relationship between cable and affected component is based on a review of the electrical or elementary wiring diagrams. To assure that all cables that could affect the operation of the safe shutdown component are identified, the power, control, instrumentation, interlock, and component status indication cables related to the component need to be investigated. A review of additional schematic diagrams

.(

Page 29 of52

GENuclear EnerD' Draft Revision C Generic Guidancefor BWR Post Fire Safe Shutdown Analysis may be required to identify additional cables for interlocked circuits which also need to be considered for their impact to the component operability.

3.3.1.2 In cases where the failure of a single cable could impact more than one safe shutdown component, the cable should be associated with each one of the safe shutdown components.

3.3.1.3 For sub-components, such as flow switches and pressure switches, the cables that are directly connected to these device are typically assigned to the primary component which they actuate. Therefore, it would not be necessary to assign the cables again to the sub-component as long as they are affiliated with the main component supported by the sub-component.

3.3.1.4 Cables for circuits which do not impact the safe shutdown function of a component such as annunciator circuits, space heater circuits and computer input circuits may be screened out provided they are isolated from the component's control scheme in such a way that a cable fault would not impact the performance of the circuit or unless there is reliance on the annunciator feature for the fire event.

3.3.1.5 In the case of instrument loops, typically all cables in a safe shutdown instrument loop are considered for safe shutdown in order to ensure that the circuit is not disabled from some extraneous cable which may not be isolated in the event of a fire damage.

3.3.1.6 For each affected circuit scheme, the cable supplying power to each safe shutdown and/or required interlock component should be identified. Initially, only the power cables from the immediate upstream power source are identified for these interlocked circuits and components (i.e. the closest power supply, load center or motor control center).

A further review of the electrical distribution system is needed to capture the remaming components from the electrical power distribution system necessary to support safe shutdown. These components may need to be added to the safe shutdown equipment list. The power cables for these additional power supplies will need to be evaluated for associated circuits concerns.

3.3.1.7 Typically, many of the primary safe shutdown components on the ADS, Core Spray, HPCI, RCIC and RHR systems consist of automatic initiation logics.

The automatic initiation logic for the ECCS and RCIC systems should be reviewed for effects of spurious actuations of these systems.

Page 30 of52

I, GENucle:r Energy Draft Revision C Generic Guidancefor BWR Post Fire Safe Shutdown Analysis l

3.3.1.8 With respect to electrical distribution cabling, two types of cable associations exist. For safe shutdown considerations, the direct power feed to a primary safe shutdown component is associated with the primary component. For example, the power feed to a pump is associated with the pump. Similarly, the power feed from the 4.16 KV switchgear to an MCC is associated with the MCC.

However, for the associated circuit issues of common power source, the same cables discussed above would be associated with the power supply. For example, the power feed to the pump discussed above would be associated with the bus from which it is fed because for the case of a common power source analysis the concern is the loss of the upstream power source and not the connected load. Similarly, the cable feeding the MCC from the 4.16 KV switchgear would likewise be associated with the 4.16 KV switchgear since in this case the concern would be on disabling the upstream power source due to inadequate coordination.

3.3.2 Associated Circuits Cables The selection of cables must consider the potential effects from the failure of cables not typically considered to be required for safe shutdown. 10CFR50, Appendix R, Sections III.G.2 and III.L.7 require that associated circuits be analyzed for all of types of cable faults to ensure that the required safe shutdown system is available to achieve and maintain safe shutdown. Basically, the three types of associated circuits concerns are identified as follows:

Spurious Actuations Common Power Source j

e Common Enclosure Cables Whose Failure May Cause Sourious Actuations Spurious actuation concerns can result from fire damage to a cable whose failure could cause the spurious operation of equipment which could adversely affect safe shutdown capability. These cables are identified together with the remaining safe shutdown cables required to support control and operability of the equipment.

Common Power Source Cables The concern with common power source cases of associated circuits actually involves the loss of a safe shutdown power source due to inadequate breaker / fuse coordination. In the Page 31 of52

E 4

GENucle:r Energy Draft Revision C Generic Guidancefor BWR Post Fire Safe Shutdown Analysis case of a fire-induced cable failure on a load circuit supplied from the safe shutdown power source, the lack of coordination between the upstream supply breaker / fuse feeding the safe shutdown power source and the load breaker / fuse supplying the faulted circuit can result in loss of the safe shutdown power source. Consequently, this would result in the loss of the safe shutdown equipment supplied from the power source. Cables of this type which are not properly coordinated must also be addressed as part of the Appendix R analysis.

Common Enclosure Cables The concern with common enclosure cases of associated circuits is fire damage to a cable whose failure could propagate to other safe shutdown cables in the same enclosure either because the circuit is not properly protected by an isolation device (breaker / fuse) or the fire could somehow propagate along the cable and impact safe shutdown equipment.

Cables of this type without adequate circuit protection must also be addressed as part of the Appendix R analysis.

j l

3.3.3 Cable Routing and Location The routis g and location of the Appendix R cables needs to be determined by fire area in order to pc-fonn the Appendix R analysis. The safe shutdown systems are defined for each shutdown method or path and the equipment required to be operable or which may maloperate is related to each system. The cables required to support the operability or which may cause the maloperation of a component are then related to each component.

Both the routing of the cables and the location of the raceway (e.g. ceble trays, conduits, wireways, junction boxes) by fire area must also be identified in order to determine which cables and equipment may be affected as a result of a fire in a given fire area. This also includes locating the endpoints for each cable since the cable endpoint may be located in a separate fire area from the remaining cable raceway.

i Typically, the location of cables by 5a area may be derived by joining the list of Appendix R cables with the cable-raceway and raceway-fire area data tables from an existing cable and raceway system. However, in many cases the raceway location by fire arer, is not defined in existing cable raceway data and the location of each raceway must be determined and populated manually as Appendix R cables are defined. This becomes an iterative process until the list of cables is finalized and all the raceway and endpoints enclosing each cable are located by fire area.

Once the raceway and endpoints are located by fire area, this ' formation may be merged m

with the cable raceway data and endpohn configuration data. To determine the list of Page 32 of52 le

-n.-n.

_.w

.~

w

,., +. -

r GENuclear Energy Draft Revision C

\\

Generic Guidancefor BWR Post Fire Safe Shutdown Analysis l

components potentially affected by a fire in each fire area, this data may be merged with the cable to affected component relationships. To determine the list of systems and shutdown methods or paths potentially affected by a fire in each fire area, this data may be' merged with the component data defining the system and shutdown method or path for each component. Ultimately, the shutdown method or path relied upon for safe shutdown should be defined for each fire area. This information may then be used to filter out only those cables which pose a concem to equipment and systems required for the shutdown path least affect 6d by the fire in a fire area. This will focus the evaluation on the effects of a fire on only those cables which may impact the relied upon shutdown method in each fire area.

3.3.4 Methodology for Cable Selection The following methodology may be used to define the cables ' required for safe shutdown including cables which may cause associated circuits concerns for an Appendix R analysis:

3.3.4.1 For each safe shutdown component defined, review the appropriate electrical diagrams including the following documentation to identify the cables whose failure may impact the operability of each component:

Single-Line Electrical Diagrams

=

Elementary Wiring Diagrams

=

Electrical Connection Diagrams

=

Instmment Loop Diagrams

=

3.3.4.2 Given the criteria / assumptions defined in sections 3.3.1 and 3.3.2, identify the cables required to operate or which may result in maloperation of each component. Typically,'all cables associated with a component scheme or which can trip the control circuit isolation device (i.e. blow fuse, trip breaker) are selected with the exception of space heater circuits and annunciator or computer inputs.

3.3.4.3 The list of cables potentially affecting each component should be tabulated including the respective drawing numbers, their revision and any interlocks which are investigated to determine their impact en the operability of the component. This includes any cable whose failure may result in spurious acttution of the component during any of the required component positions or modes of operation.

lf\\

l Page 33 of 52 t -

GENuclear Energy Draft Revision C Generic Guidancefor BWR Post Fire Safe Shutdown Analysis

\\

3.3.4.4 In some cases the same cable will be associated with multiple components, however the cables only need to be affiliated with a main component and not necessarily each supporting sub-component.

3.3.4.5 Identify the cables. supplying power to each safe shutdown and/or required interlock or sub-component. If additional power supplies are discovered to be necessdry for the operability of a component, then these should be added to the safe shutdown equipment list and the power cables which supply these power sources must also be identified and related to the respective power source.

3.3.4.6 Determine if each power cable (safe shutdown or not) is fed from a common power source is connected to a properly coordinated breaker. If adequate coordination does not exist, then the power cable should be related to the power source since fire damage to the cable may result in tripping the upstream breaker supplying the bus and ultimately result in a loss of power to the bus and any required safe shutdown loads.

3.3.4.7 Identify the route for each cable identified including all raceway and cable endpoints.

3.3.4.8 Identify the fire area location of each raceway and endpoint for the cables selected.

3.3.4.9 Determine the location of each cable by fire area including the list of affected components for each. cable and the shutdown paths and system for each component.

Refer to Figure 3-3 for a flowchart illustrating the various steps involved in selecting Appendix R cables.

3.4 CIRCUIT ANALYSIS AND EVALUATION By this phase of the analysis the supporting data should have been compiled and sorted by fire area. Information should be available to identify what cables need to be analyzed from a circuit analysis standpoint. The raceway and endpoints located in each fire area define which cables may potentially be affected due to a fire in the fire area. The components affected by each cable including their respective systems and shutdown paths provide the necessary information to identify the shutdown method or path relied upon

..(

s Page 34 ofS2

q n-GENuclear EnerD' Drcft Revision C Generic Guidancefor BWR Post Fire Safe Shutdown Analysis......

i for safe shutdown for each fire area. The circuit analysis will focus on the cables whose failure poses a concern to the operability of equipment and systems required for the shutdown path relied upon in a fire area.

Appendix R Section III.G.2 and III.L.7 identify those fire-induced cable failure mechanisms that need to be evaluated for. impact from Appendix R fires on safe shutdown. These sections of Appendix R require that hot shorts, open circuits and shorts to ground be considered.

3.4.1 Criteria / Assumptions The following criteria / assumptions apply in performing cable fault evaluations for the case of a postulated fire condition.

3.4.1.1 Evaluate each conductor in each cable that has the potential to affect safe shutdown for the effects of a hot short, short-to-ground and open circuit. This population of cables is determined using the merging process described above.

The fire is considered to be all consuming wherein all unprotected cables within a fire area may be affected as a result of the fire. The following circuit failure modes are postulated on each conductor of each unprotected cable in order to determine the potential impact of a fire on a safe shutdown circuit, and, ultimately, on a safe shutdown component and path.

A hot short may results from a fire induced insulation breakdown between conductors of the same cable, a different cable or from some other extemal source resulting in a compatible but undesired impressed voltage on a specific conductor. A hot short could cause a spurious operation of a safe shutdown component.

An open circuit may result from a fire induced break in a conductor resulting in the loss of circuit continuity. An open circuit will prevent the ability to control or power the affected component. An open circuit could also result in a change of state for a normally energized component. (e.g. Loss of power to the MSIV solenoid valves due to an open circuit will result in the closure of the MSIV's)

A short to ground may result from a fire induced breakdown of a cable insulation system resulting in the potential on the conductor being applied to ground potential. A short to ground can have all of the same effects as an

.(

Page 35 of52

GENucle:rEnergy Draft Revision C Generic Guidancefor BWR Post Fire Safe Shutdown Analysis.

open circuit and, in addition, a short to ground can also cause an impact to the control circuit or power train of which it is a part.

The effects of postulating any of the three types of circuit failure modes identified above on each conductor of each cable must be determined and evaluated.

3.4.1.2 Circuit contacts are assumed to be initially positioned (i.e., open or closed) consistent with the normal mode of the safe shutdown component as shown on the schematic drawings. The position of the safe shutdown equipment must be considered for each specific shutdown scenario when determining the impact that fire damage to a particular circuit may have on the operability of the safe J

shutdown component. It is possible for a component to be in two different states depending on the shutdown scenario or the stage of shutdown within a particular shutdown scenario.

3.4.1.3 For equipment required operable for safe shutdown at the remote shutdown panel (RSP), a review must be performed that demonstrates the existence of proper isolation of all circuits required for the operation of the equipment from the main control room (MCR). This review must include a determination that separate redundant control power fusing is available which cannot be impacted by a fire in the main control room.

3.4.1.4 The analysis of fire-induced circuit faults to the following types of cables for equipment such as pumps, valves, fans and dampers can be detennined as not impacting safe shutdown:

Cables providing only indir stion and which are isolated from the primary control circuit.

1 Cables with conductors which are part of an isolated auxiliary circuit that is I

e interlocked with the safe shutdown circuit (auto signal, permissive), but whose signal cannot result in a spurious maloperation or prevent operation of the component.

Cables whose conductors cannot cause spurious actuation of a safe j

shutdown component which is not required to be operated or repositioned.

I

.if

)

Page 36 of52 1

I GEN:cle:r Energy Dr.-ft Revision C Generic Guidancefor BWR Post Fire Safe Shutdown Analysis 3.4.1.5 A hot short does not need to be postulated to occur on a safe shutdown control cable that runs in a dedicated raceway without other energized conductors or cables. For this case, a hot short does not need to be postulated because there is no potential within the subject raceway to cause the hot short and it must be demonstrated that for an open raceway a raceway system failure resulting from the fire does not cause energized circuits from other raceway to enter the subject raceway. If this justification is used, provisions must be made to ensure that future circuit changes or cable routings do not alter this condition.

3.4.1.6 Circuit failure modes are postulated to exist until action has been taken to isolate the given circuit from the fire area, or other actions as appropriate have been taken to negate the effects of a spurious actuation, it is not postulated that the fire would eventually clear the circuit failure mode.

3.4.2 Types of Circuit Failure Concerns 10CFR50, Appendix R requires that Nuclear power plants be designed to prevent fires from defeating the ability to achieve and maintain safe shutdown. Fire damage to circuits that control and power equipment required to support safe shutdown of the unit must be evaluated for fires in all plant locations, with only one fire at a time being assumed to occur and with the extent of fire damage being limited by the boundaries of the fire area.

Given this set of conditions, it must be assured one redundant train of equipment capable of supporting safe shutdown is free of fire damage for fires in every plant location. To provide this assurance, Appendix R requires that safe shutdown and associated circuits be free of fire damage and that these circuits be designed for the postulated effects of hot shorts, shorts-to-ground, and open circuits to determine the potential impact of a fire on a safe shutdown circuit, and ultimately, on a safe shutdown component and path.

The circuitry for each component required to support safe shutdown in a fire area must be evaluated for each of these types of circuit failures. Each of these circuit failures can have a different impact on equipment performance. In addition, depending upon the type of circuit (e.g., grounded versus ungrounded), the performance of the component under these fault conditions can be different. With respect to the electrical distribution system, the issue of breaker coordination is also discussed.

This section will discuss specific examples for each of the following types of circuit failures:

Open Circuits 3

i1 Page37ofS2

GENucle:r Energy Dr:ft Revision C Generic Guidancefor BWR Post Fire Safe Shutdown Analysis r

• Shorts to Ground Hot shorts The following resulting generic failures are possible from postulating these various types of circuit faults:

Loss of power or control (typically from an open circuit or short to ground)

Spurious actcation (typically from a hot short or in some cases a short to ground)

Loss of a common power source (typically from improper circuit coordination)

Common enclosure concerns (typically from improper cable sizing, breaker / fuse sizing, electrical separation, or inadequate fire propagation measures)

Many of these circuit failures are actually as a result of fire damage to cables not typically considered as required for safe shutdown but rather, these circuits are associated with safe shutdown equipment.

3.4.2.1 Circuit Failures Due to Open Circuits This section provides guidance for addressing the effccts of an open circuit for a safe shutdown component. An open circuit is a fire-induced break in a conductor resulting in the loss of circuit continuity. An open circuit will typically prevent the ability to control or power the affected component. An open circuit can also result in a change of state for j

a normally energized component. For example, a loss of power to the main steam isolation valve (MSlV) solenoid valves due to an open circuit will result in the closure of the MSIV. Also, a loss of control power to a relay interlocked chh several components may result in one or more spurious actuations.

The following consequences should be considered in the safe shutdown circuit analysis when postulating the effects of circuit failures related to open circuits:

Loss of electrical continuity may occur within a conductor resulting either in de-

+

energizing the circuit and thereby causing loss of power or control capability

+ In selected cases, a loss of electrical continuity may result in loss of power to an interlocked relay or other device which may spuriously actuate another component, or prevent its desired operation (ex., injection permissive for LPCI and Core Spray)

Open circuit on a high voltage (e.g. 4.16KV) ammeter current transformer (CT)

+

circuit may result in secondary damage l

Figure 3.4.2-1 below depicts the condition of an open circuit on a grounded control f

circuit.

>g 46 Page 38 of52

f 1

1 l

GENucle:r Energy Dr:ft Revision C Generic Guidancefor BWR Post Fire Safe Shutdown Analysis ruse (Typ )

"b X

Pen Circuit (Typ.)

No.1 Cable FaultW No. 2 Open Circuit h MontrolSwitch 1

T 1

Open Contact (Typ )

[

Energize to Close/Stop Energire to Open/ Start 3,

crouno for Cneun Flaure 3.4.2-1 Open Circuit (Grounded Control Circult)

Onen circuit No.1: -

An open circuit at location No. I will prevent operation of the subject component.

Open circuit No. 2:

An open circuit at location No. 2 will prevent opening / starting of the subject component, J

but will not impact the ability to close/stop the component.

3.4.2.2 Circuit Failures Due to Shorts-to-Ground l

This section provides guidance for addressing the effects of shorts-to-ground on circuits for safe shutdown components. A short-to-ground is a fire-induced breakdown of a cable insulation system resulting in the potential on the conductor being applied to ground potential. A short-to-ground can have all of the same effects as an open circuit, and in addition, a short-to-ground can also cause an impact to the control circuit or power train i

of which it is a part.

The following consequences should be considered in the safe shutdown circuit analysis when postulating the effects of circuit failures related to shorts to ground:

J l

l Page39 of52

l GENmclesr Energy Draft Revision C Generic Guidancefor B WR Post Fire Safe Situtdown Analysis

+ A short to ground of power or control circuits may result in tripping one er more isolation devices (i.e. breaker / fuse) and causing a loss of power or control capability.

+ In selected cases, a loss of control power may result in loss of power to an interlocked j

relay or other device which may cause one or more spurious actuations.

Figure 3.4.2-2 illustrates how a short to ground fault may impact a circuit.

]

Fuse Gyp )

Cable Fault (Typ )

d

)(

l snort 4 4round l-.-- contras switen H

short round1x Open contact

((

Energue to Close/Stop Energge to Open/Stari orouno por cercun Flaure 3.4.2 2 Short-to-Ground (Grounded Control Circuit)

Short-to-cround No.1:

A short-to-ground at location No. I will result in the control power fuse blowing and a loss of power to the control circuit. This will result an inability to operate the component j

using the control switch. Depending on the coordination characteristics between the i

protective device on this circuit and upstream circuits, the power supply to other circuits could be alTected.

Short-to-cround No. 2:

A short-to-ground at location No. 2 will have no affect on the circuit until the close/stop control switch is closed. Should this occur, the effect will be identical to that for the short-to-ground at location No. I described above. Should the open/ start control switch be closed prior to closing the close/stop control switch, the component will still be able to be opened / started.

l

.fs Page # ofS2 l

l lw

GENuclear Energy Draft Revision C

\\

Generic Guidancefor B WR Post Fire Safe Shutdown Analysis 3.4.2.3 Circuit Failures Due to Hot Shorts l

This section provides guidance ihr analyzing the effects of hot shorts on circuits for safe shutdown components. A hot short is defined as a fire-induced insulation breakdown between conductors of the same cable, a different cable or some other external source resulting in an undesired impressed voltage op a specific conductor. The potential effect of the undesired impressed voltage would be to cause a component that is not desired to change state to operate and change state or to prevent a component which is desired to change state to fail to change position.

The following specific circuit failures related to hot shorts should be considered as part of the post safe shutdown circuit analysis:

A hot short between an energized conductor and a deenergized conductor within the

+

same cable may cause a spurious actuation of a component. The spuriously actuated device (e.g. relay) may be interlocked with another circuit which causes the spunous actuation of another component.

A hot short between an energized conductor and a deenergized conductor between i

+

two different cables may also cause a spurious actuation of a component.

A hot short between any extemal energized source and a deenergized conductor cable

+

may also cause a spurious actuation of a component.

Figure 3.4.2-3 depicted below shows a typical grounded control circuit that might be used for a motor operated valve. He protective devices and position indication lights that would normally be included in the control circuit for a motor operated valve, however, have been omitted since these devices are not required to understand the concepts being explained in this section. Three individual hot short locations are included in this figure.

In the discussion provided below, it is assumed that a single fire in a given fire area could cause any one of the hot shorts depicted. The discussion provided below describes how these three individual hot short concems are to be addressed in terms of their impact on the operation of the component controlled by this circuit.

.Is Page 41 of52

GENuclear Energy Draft Revision C i

Generic Guidancefor BWR Post Fire Safe Shutdown Analysis r=e gyp t O

H +- convoi swim

-H l

wo. a

)

g(No.1 8

f 1

- Hotshort op nc m from a Reisy 0'

..n sie ry aroun

--p_.. _.. c..._

e e saa pruma l

}, =

= },

Ground for Cercuei Floure 3.4.2-3 Hot Short (Grounded Control Circult)

Hot short No.1:

A hot short at this location would energize the close relay and result in the undesired closure of a motor operated valve or, if this control circuit were for a pump, the undesired stopping of the pump.

Hot short No. 2:

A hot short at this location would energize the open relay and result in the undesired opening of a motor operated valve or, if this control circuit were for a pump, the undesired starting of the pump.

Hot short No.3:

A hot short at this location would not cause a spurious operation of the component, because the open contact below the location of hot short No. 3 would prevent energization of the open/ start relay. However, the relay contacts must be reviewed to determine if they would be expected to change state as part of the overall shutdown transien' allowing the fault to propagate through.

3.4.2.4 Circuit Failures Due to Inadeqs. ate Circuit Coordination The evaluation of associated circuits of a common power source consists of verifying proper coordination between the supply breaker / fuse and the load breakers / fuses for

(T Page 42 ofS2

-~

GENucle:r Energy Draft Revision C Generic Guidancefor BWR Post Fire Safe Shutdown Analysis power sources that are required for safe shutdown. The concern is that, for fire damage to a single power cable lack of coordination between the supply breaker / fuse and the load breakers / fuses can result in the loss of power to a safe shutdown power source that is required to provide power to safe shutdown components.

For the example shown in Figure 3.4.2-5 below, the circuit powered from load breaker 4 supplies power to a non-safe shutdown pump. This circuit is damaged by fire in the same 4

fire area as the Train B Pump which is redundant to the Train A Pump powered from the f

Train A Bus. To assure safe shutdown for a fire in this fire area, the damage to the non-safe shutdown pump powered from load breaker 4 off of the Train A Bus cannot impact the availability of the Train A Pump which is redundant to the Train B Pump. To assure that there is no impact to this Train A Pump due to the associated circuits common power j

source breaker coordination issue, load breaker 4 must be coordinated with the feeder breaker to the Train A Bus.

Tran A gm Tram B Bus WT-p 5,) l}

')

l>- %',;r"

')

')

')

1 2

3 4

6 4

sSYu*mp x

" " ~ -

• • T B m.,

~ ' " ~ '

e 2*e-m Fw Area sourwary Frp )

Ejaure 3.4.2 Common Power Source (Breaker Coordination)

A coordination study should demonstrate the coordination status for each required common power source. For coordination to exist, the time-current curves for the breakers and/or protective relaying must demonstrate that a fault on the load circuits is isolated before tripping the upstream breaker which supplies the bus. Furthermore, the available short circuit current on the load circuit must be considered to ensure that coordination is demonstrated at the maximum fault-level.

/

4 Page 43 of52

r GENuclesr Energy Draft Revision C Generic Guidancefor BWR Post Fire Safe Shutdown Analysis e

The methodology for identifying potential associated circuits of a common power source and evaluating circuit coordination cases of associated circuits on a single circuit fault basis is as follows:

1.

The power sources required to supply power to safe shutdown equipment should be identified.

2.

For each power source, breaker / fuse ratings, types, and coordination characteristics may be identified kr the incoming source breaker supplying the bus breaker / fuse and the breakers / fuses feeding the loads supplied by the bus.

3.

For each power source, proper circuit coordination may be demonstrated by comparing the TCC curve for the largest size load breaker to the TCC curve for the incoming source breaker supplying the bus. For cases in which the supply circuit TCC curve fully envelopes each load circuit TCC cmve and the supply breaker is assured to trip prior to the load breaker for instantaneous available short circuits currents, proper coordination exists. No common power source associated circuits can disable power to the bus. The coordination plot that demonstrates that adequate coordination exists is referenced to each power cable being evaluated.

4.

For cases in which the TCC curves for the supply circuit and a load circuit intersect, proper coordination may not exist. Thus, further analysis is required.

5.

In certain cases, coordination relative to the available short circuit current is dependent upon the distance of the fault from the bus. The inclusion of the cable impedance from the bus to the fire area being evaluated may reduce the fault currents to levels that coordinate.

The required cable length to provide coordination for the different size cables for available short circuit currents could l

be determined. The required cable length is considered in each fire area in which the cable is routed. Coordination exists if the cable distance from the bus to the j

fire area of concern is greater than the length of cable required to ensure j

coordination.

6.

For power sources not properly coordinated, the routing of cables whose breaker / fuse is not properly coordinated with the supply breaker / fuse is tabulated by fire area. The potential for disabling power to the bus is evaluated in each of l

the fire areas in which the associated circuit cables of concem are routed and the power source is required for safe shutdown. A list of the following information is prepared for each fire area:

d i

s Page 44 of52 i

l Draft Revision C GENuclear Energy Generic Guidancefor BWR Post Fire Safe Shutdown Analysis Cables of concem.

Affected common power source and its path.

Raceway in which the cable is enclosed.

Sequence of the raceway in the cable route.

Fire zone / area in which the raceway,is located.

For fire zones / areas in which the power source is disabled, the effects are either mitigated by appropriate methods, or the power source is not credited by the shutdown strategy for that fire area,

Analyzed safe shutdown circuit dispositions are developed for the associated 7.

circuit of concem cables routed in an area of the same path as required by the power source. Adequate separation is evaluated based upon the criteria in Section III.G.2 of Appendix R.

3.4.2.5 Circuit Failures Due to Common Enclosure Concerns The common enclosure Associated circuit concern deals with the possibility of causing secondary failures due to fire damage to a circuit either whose isolation device fails to isolate, causing heating and/or ignition along the route of the faulted cable, leading to a secondary fire in another fire area.

The electrical circuit design for most plants provides proper circuit protection in the form of circuit breakers, fuses and other devices which are designed to isolate cable faults.

Due to the large quantity of nonessential circuits routed with safe shutdown circuits, it may not be practical to evaluate every circuit routed in a common enclosure. However, electrical circuit protection should have been included as part of the original plant design Furthermore, a sample of circuits may be selected to investigate the adequacy of circu protection and cable sizing. For each circuit selected, the protective device trip may be compared with the allowable current carrying capacity of the cable as dej the cable size and type. The fire rated barrier and penetration designs which preclude th propagation of fire from one fire area to the next may also be reviewed.

l I

1 i

t

(

4 l

Page 45 of52

\\

I l

F 1

l GENuclear Energy Draft Revision C Generic Guidancefor BWR Post Fire Safe Shutdown Analysis l

3.5 FIRE AREA ASSESSMENT AND COMPLIANCE STRATEGIES l

This section documents the criteria and method for demonstrating compliance with the requirements of 10CFR50 Appendix R Sections III.G.1 and 2 or III.G.3 for each fire area.

Based on the circuit analysis described in the previous section, the population of potential impacts to safe shutdown have been identified including spurious actuation concerns.

i This section will focus on mitigating the effects of each of the potential impacts to safe shutdown including spurious actuations.

3.5.1 Criteria / Assumptions The following are some of the key criteria and assumptions in performing fire area compliance assessment to mitigate the consequences of the circuit failures identified in the previous sections for the shutdown method relied upon in each fire area.

3.5.1.1 All equipment impacts that are possible in the fire area should be addressed.

Each potential impact must be mitigated.

1 3.5.1.2 When relying on procedural actions, it should be verified that adequate time is available to perform the procedural action before an unrecoverable plant condition exists. To establish response times, all component impacts are assumed to occur at time zero. Consideration must also be given to additional requirements such as emergency lighting and communications. In addition, repair actions must also consider any requirements for dedicated repair equipment.

3.5.1.3 Appendix R compliance requires that one train of systems necessary to achieve and maintain hot shutdown conditions from either the control room or emergency control station (s) is free of fire damage (III.G.I.a). One of the following means of ensuring that one of the redundant trains is free of fire damage shall be provided:

Separation of cables and equipment and associated non-safe shutdown

+

circuits of redundant trains within the same fire area by a fire barrier having a 3-hour rating.

Separation of cables and equipment and associated non-safe shutdown l

+

l circuits of redundant trains within the same fire area by a horizontal distance of more than 20 feet with no intervening combustibles or fire

{

Page 46 of52 L.

p GENuclear Energy Draft Revision C Generic Guidancefor BWR Post Fire Safe Shutdown Analysis l

l hazards. In addition, fire detectors and an automatic fire suppression l

system shall be installed in the area (III.G.2.b).

+ Enclosure of cable and equipment and associated non-safe shutdown circuits of one redundent train within a fire area in a fire barrier having a one-hour rating (wrap must be. barrier to barrier in the fire area). In addition, fire detectors and an automatic fire suppression system shall be installed in the fire area (Ill.G.2.c).

+ Altemative or dedicated shutdown capability and its associated circuits, independent of cables, systems or components in the area, room, or zone j

under consideration shall be provided. In addition, fire detection and a fixed fire suppression system shall be installed in the area, room, or zone underconsideration. (III.G.3) 1 Systems necessary to achieve and maintain cold shutdown (but not

+

required for hot shutdown) from either the control room or emergency control station (s) can be repaired within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> (repair procedures and i

materials must be maintained onsite, systems necessary to maintain hot shutdown must be available to achieve and maintain hot shutdown until repairs are complete and cold shutdown can be initiated). (III.G.I.b) l 1

1 3.5.2 Compliance Strategy Guidelines The fire area assessment process may be accomplished by identifying each potential Appendix R non-compliance (i.e. component or cable) in each fire area and then reviewing available compliance strategies for each. The available methods for mitigating the effects of circuit failures are summarized as follows.

Provide a qualified fire barrier.

j Reroute or relocate the circuit / component.

Modify the circuit / component (ex., add isolation features)

Provide a procedural action j

Perform a repair Identify other equipment capable of performing the same shutdown function.

Develop an exemption, deviation or 86-10 justification Compliance strategy statements or codes may be assigned to equipment or cables to provide the mitigating actions for equipment operation or the justification of equipment f

A Page 47of52

l GENuclear Energy Draft Revision C Generic Guidancefor BWR Post Fire Safe Shutdown Analysis l

failure for a fire in the fire zone (s)/ area. Each safe shutdown component for the shutdown path relied upon in the fire area should be provided with a specific comp ~liance strategy.

l i

Spatial Separation (20 feet) without intervening combustibles which is relied upon may be assessed to ensure that adequate separation exists, as defined in Generic Letter 86-10, and to ensure the lack ofintervening combustibles. This review should be performed by review of design' drawings and by plant walkdowns, if possible.

i The manual operator actions required to achieve and maintain safe shutdown conditions are identified and used to prepare post-fire shutdown procedures and perform the emergency lighting review to satisfy the requirements of 10 CFR 50.48 and Appendix R,Section III.J. Examples of manual actions are operating transfer switches, operating valves after racking out their power breaker, sliding links, and pulling fuses..

Cold shutdown repairs which are relied upon, will be assessed to ensure that procedures are in place to implement the repair, dedicated materials are available on-site, and that adequate time and manpower are available to implement the repair. Cold shutdown equipment is defined as equipment required to make the transition from Hot Standby to Cold Shutdown but not required to maintain the plant in a stable hot shutdown condition.

Requirements for area wide suppression and detection should be reviewed and documented for each applicable Fire Area when compliance strategies that require suppression and detection are relied upon for a Fire Area. Documents such as the Fire Hazards Analysis should be reviewed to determine the extent and systems available for suppression and detection. In many cases the presence or absence of suppression and/or detection is documented in licensing documentation (i.e., exemptions, SERs). These i

documents will be reviewed to assess the extent to which the current configuration complies with the previously analyzed / approved configuration.

1

{

Page 48 of52 l

L

e l

DraftRevision C GENuclearEnergy

~

Generic Guidancefor BWR Post Fire Safe Shutdown Analysis Figure 3-1 Shutdown Method & System Selection Process Identify available plant identify the systems required to system functions from a achieve safe shutdown functions review of avaialble including Reactivity Control, documentation such as Pressure Control, inventory systern design descriptions I

Makeup, Decay Heat Removal, and plant operating i

Process Monitoring, Electrical procedures l

Power, and Equipment Coolmg u,,,..,,,,,, __._.-_-o 1V Consider spurious operations resulting in either a loss of RPV inventory RPV overfill or a flow diversion or blockage in inventory make-up or decay heat removal M

,r Assign Path designations or system function codes to identify redundant methods distinguish the different trains and systems comprising of systems and support each shutdown method systems for each shutdown including support systems method.

i

)

k.

Page 49 of52

GENuclear Energy Draft Revision C Generic Guidancefor BWR Post Fire Safe Shutdown Analysis Figure 3 2 Equipment Selection Process

'O n

identify the equipment N

Identify equipment whose Identify availab!; plant Ft required to achieve safe spurious operation can equipment from a r? view of $

shutdown functions including h result in either a loss of avaialble documentation li Reactivity Control, Pressure W m

RPV inventory, RPV m

such as P&lD's, operating 1 Control, inventory Makeup, i overfill or a flow diversion procedures and system i

Decay Heat Removal, Process @

or blockage in inventory design descriptions.

i Monitoring, Electrical Power, @

make-up or decay heat and Equipment Cooling g

removal

?

M m

it, identify the system (s) and P

method (s) which rely on the k

Tabulate component related operability of the equipment

(

information to indicate the or which may be adversely I

Insure that all components required role for each impacted from the failure or i

for each system flow path component with respect to maloperation of the l

have been identified and each system and shutdown equipment. Synem acronyms addressed method or path.

and path designation (s) may j

be assigned to each i

component to indicate this I

relationship g

61 d

Page 50 of52

GENuclear Energy Draft Revision C Generic Guidancefoi BWR Post Fire Safe Sisutdown Analysis Figure 3-3 Cable Selection Process Scicci cach safe shutdown component labulate the hst of cables For each safe shutdovm potentially affecting each Identify the cables required to $

' *E

"*"I "#'" "E ""I component defined, review [

mterl eks whose failure

,j the appropriate electrical y

e w did g M

"####'"l'* 'E""

m diagrams to identify the in maloperation of each te l

M* -

cables whose failure may

.c actuadon oMe component t

,g,p,,,,,

impact the operability of

{

during any of the required

-,, 3 component positions or r.

each component

%wg. 3 6

modes of operation.

j gescr. m anams-g Y

s 1r 4

1. " # * ** ** "EE'I "I re additional power supplic Power to each safe shutdos:. g Associate the cables to each or equipment discovered during an r reqWred intedock or aEccted component.

fp S

the cable selection proc #ess'

~

N v

sub. component.

O g

a gv' M1

-a p'

W 6o 1r Determine if each power cable is fed from a common s the breaker / fuse feeding the List the power cable as power source is connected pour cable properly

- ?

potentially affecting the to a property coordinated coordinated?

power source.

breaker M

M

=

0 1r Determine the location of

• • **

• I Identify the route for each Identify the fire area E

I I

cable identified including location of each raceway 7

7

, 77 g

all raceway and cable and endpoint for the cables each cable and the endpoints.

selected, shutdown paths and rystem for each component.

(

\\

Page 51 of52 l

i

GENucle:r Energy Draft Revision C Generic Guidancefor BWR Post Fire Safe Shutdown Analysis Figure 3-4

(

Safe Shutdown Analysis Flowchart 1

Establish App.R

' Circuit Analysis by Fire Area

("

Requirements Evaluate effects of a hot short, open d

circuit, & short to giound on each a,s'

-caw.

h creductor for each cable one at a time h

mi 5

Determine impad to equipment required for SSD functions Deterrnine RequirN SSO functrons &

N i

Paths 5

M

[

4.* arc w a%c.ew est j

s p,

include those that can defeat $50 h

",$ h" t

b7,.,*,$5,5klo'.*?l*

O ummmmmmmmmmmmmmmmes.:

I The remaining things cannot adversely affect the ability to scheve &

maintain safe shutdown u

Select Shutdown Components.

h Fire Area ssessment cornponents marpertum or nur amat tsD kmceons Methods for Mitiastion M

1. Reroute Cable of Concem

2. Protect Cable of Concem 3.Perfonn Manual Action

4. Perform Repair Select Shutdow.a Cables

5. Develop Exemphon, DeviaGon,86-10 JustHication

6. Identify other equipment capable of performing same funchon monary caws evenrea av epermean or met con cause mamsome$n or esed comarens

7. Plant unique justifcation including use of NEl CF (TF products Mc*menp ersveport conenessa pomercname.

6. Modify Circult/ Component u.co. c.ms m e.,anen.

~'

noms 3 & 4 Muo%s addresshg requkements 06r hmmg. emergency nemag.onenpo r.

=...:s,.anooeseaureewequonent w.oe Da s mener c.ms or res ne.

'l Page 52 of52

=

a O

E

~

G e

5 E

-E

~E E E

o e

a m

G E

g w

5 e er E

E w

3mW g

3 e.a W

'M p

g E

E g

'N G

f4 m

M E

q e

M E

EE e

u as S

g E

O 3

=

m

=

4 ATTACHMENT 3

2 k

k k

c c

c a

a b

b n

a b

a m

m m

m a

l a

a r

a mS r

r r

t t

e t

S G

S eg tn A

em s

u u

c t

o

=

=

=

=

=

a Dn tS e o y

i r

e c s a

t s

n ns o

e au m

p r

dc m

r r

is u

u ui u

==

=

P C

GD S

=

=

e e

e s

i!

.I

0 O

~

m3 s

e e

g E.

o S

SE

=

a

• e a

e o

E e

Ea o

e f/3 m-=

Eo g

mag o m

=

ea

.E=

B

~

==

Ef=

= s,j M

g$

Ihm

=g

=

m a

au EEE

.E =E a'

ga=

g ni a om

-ae E.!!!

ee e

a W

h M

EE

's lii 3

's e oem

-a a

mM O uiE i: ::-

i:f::-

J 4'

=%

-e

iiia 3

E S

sa o

e M

=

Eaa 2.

E e

Gra

=

em 3

mm o

W a

m a

a e a

M e

aa e

gg3 E

o as E

=

a i

a u

.o e u

8"8 e

"e o

E a

'3 m a

G E

2S Em h

I EE IE Emm u

e w

o a

e as E

a 25 m a en E=

'E a sa 5

g3 m

me Em B ".

E *E

.= E Ea ee E

a s.

'E C a

e as

,E =

me ae m a.

ra ra

h ew W

n

>h 5 f/)

menu Om E#

E m

e M

E" E,g

=s O

=a O

m w=

W w

ea w

Ee

=

C#9 E=

E G.==

,o emas a o

'un g 3 EE.E E

eE e

= =o

.O g

E E

I=:

a s-b W

e

.ns b

MM

'O

,$ 'e U

e i==

'3 as

,:lll M

Sas E g

m to E

83= EE O

eme

,!f.8,' a e e

==d E ua

.+.

==

es as S ud M

Ma 4: m e

O 8

.2 to em

=

3 E

E 5

=

e R

/3 t

D E

a Q

mE ess e

"o M

sE

.E e a e

Il=

6 f4

=e E

Q e

E un a

.o e

a =.,,

e m=mu a

• S.E.

E E

g 3

o E 'n E

,8

.E ' =3 =e t o o

D-

sa 3 e g

.E

_=

3 mE E

E i:t::-

i:t::-

4:t::-

(

7 t

yg n

o n

i y

l e

o g

d o

e d

l s

mh o o

s d

u t

oh c

u et h

c s

i f

t a

i Y

aeo D

c I

r r

H p

s s

nB I

p e

e o

wd eA u

r oe n

s s

u i

s t

i i

d mleyf a

sI t

r sl o

e ue F

a a

y e

h vB nt l

S n

Ai a

r c

U d

eoi e

r vl c

f naia e

n aa wnI p

sH S

s r

esSs a

e a

oh she R

F e

t c

d xeh p

e wd d

r si t

i r

i i

gmd s n i

d lpi od e

u np aC A

mp e

ut ep r

G pS S

t A

I p

A e

l I

i]

]

y y

w r

yt go; Vlo t

8 inn PF ivei g

r tvo Rl l

)

cni t

i ain s :s rfnR o

eH es;onn i e

v oo sD RoMi Oe; i r r

tt

t c a vU sns nos nrVi/

oC cF puePDM e

R/

iceotO ey t

e r rr ;gr n Poss ao u

u s;puskn t

F s R p o o. o r

c t

e e

e utrLl v n

n DrM l

l o SP S u yB n a

S s;D pr I

P i

i

)o. So

(

t r

c t

rU )n es n

e

.o 1t/

2e wn u (nM (n N

v F

o oo Pt C

i I

m c

h rn e u eF o

t c

u

.c t

I r

N o

s t

e IA

.F c

a t

p n

m e

s I

e m

ts t

M e

s ip t

n t

a u

e q

C m

E p

/

.e q

iu e

/

E y

e a

s w

h e

s e

c h

n

/

c at c a

o sta D

R pn uer r eso

/

pi poiqup r

s aa Ateqp

{rq e

a u We euReA rp t

ul RF n

.R tnq an y

e i.eivonT i

e n

t m

nEtoI i

h.

u r m U piF s

S ip co t

P o

rip 0mleC C

e u

it t1 E

r.

T C ciuneI v

q s

I o

u a Aqa0s eE t

n e l EP EDN l8 t

S C

r r t

o u D

t a

rn ee c

n ertnhh E

o aec t

RMOO s

S s

t A

M B

6 r

ll l

1 o

y e

9 b

t g

.t dn o

eaa l

nl coy l

l or l l o

aeca l

huym l

sf ri yoar e

rnmp laa eie h

od bptrh t

G n

l e

n ul yf

~

oan o

wbhae M

ot sf r

d ce ou t

t u

urep e

der h

u ohur n

S rt

e. p r t

t ep

. u o n i

f e

ni l

a o

r y, m e

S i d e,a n r

s G

s O

stegdi i

c a a

nt a

R f emun Wef aoo B

B Tadbc hf e

iI ll i

it

1 9

=

J m

g g

'E

=.W w

o 5 5 E

=

'III EE E E

e

=gae

=

m ill - a m

=

E 6 E.E

-EE

• w

= =

e m 1:

e

an m

E

.O

-e g

3 W a

su g

39m#

e ig m e

ig:

ca e

Eo n,,

G

.ena o

e as E E EG*

E e

E m en a3 o

8"EG:EIEe=en M E 'g gg-.

. ]elgggg gg m

g W fa -

JB AI:

Eb..e m m.

M Eif3E s.

g El ea E it

~

O Es aE

.a g

a E.. E

'E g aa 13

.s = 5 s Ea m.m.!

8E ti E s O

E.

.=

f#3 m 3m.

3 O

I' an e E

emes as EE 5

EI E

. :: 2.E=

" 's.

O

,E $ a g e.

=S E =8E E

m3=

=. en =E n = a=z O

'E,lli s =e silli " a ee f/3

= s m. a. s.

a

.5>.M&M M =

man QD ao s.

(

0 4

I N

un

_s e

=g

= tr o

a e

R-aa E

1llz u.=

=-

=

eo a

ma N

WE E E E

'o"w

'e

'eaa E

.B =

5 o.a.e e=s

=

e

'E e

35

= s =8s E

88 a

=m

. =e e= m u

=

e aa e

OE 3

OE c5"ea E

SE g o g E.E eo Eu*oE.3og G

m

===me*E

= g.= g=a= 3..

'g u f/3 Esa s

m g,

S O

-=

M SOM ud G

==

(

5 8

9 m

ha m

E

" '8 es

! m E a

a"sm E E

a. s..it E 5 M

=-

a==.

g u

?.e E E.

~=

=

=

E ".

u i!

u E

gE as n-

.=2 mees.

O u S 5 e as aE a

-mn

.a EE=

5 B ;

'm a g m'=EE "

3 g Em i

s en g g f/J E

GENE

= NEB a

as 2 5== m il e a E.

O m.m E

~=E

, gaga C,',)

se G

G om M

g w# EE 8

W h

M N

gh eO M U E E

a s E.

"n a "., S E.

E.

e e

(

6

+

a-.

8 2

O G

N e

e m =e=

m.

O E

eae=

uma eg.

M i Bi&

um a

=e en 6 g

E

'm smums E

oe G

5.= E E Ihm

,g 3 e B susum e

e O

eEE=

ma eR f#3 'E E e O

EI' R.

1 h=

=

ud E

g

a 8

m E

S a

E

'M e

G g

"O O

N 3e e

am en E a E

EE$

3Ee

=

E.E.=a

-=

g W2 Isse ra

"~

~

.2 o, E E

W gg e i===

E W

4 ii'il G

BEs Emms EE g a e 83 e

.E j smuus O

'm E E co d

an, e

.2 3 'E a h

gi i

E nad b

E g

(

s 6

k 1

n l c a o o

ul it nr a

e t

at s

n Mn e

I e

m deem u

r r

o r

i t

us s

u q;

u es l

rn l

d st o e

oi i

s r mnc t

a n

u a

en i

o q

r r u F

i e

g af t

r asd c

y i

ne t

n t

f D

oi r i

nt i

u ciud e

n t

F ei cqe u

md g

ner ne uiouriu c

v l

Ff wird oq n

y c

r oatsa r

t r

i n e d

V nt aa ieo i

t r

i c

t mt b C

uogte n

a oI y h

p oo et t

uia mAInm r

S mlaP e

eun l

f P

A E

a S

e

C w

j' O

T g

/

M E

z 1

WMeE a

n W

X m

O V

s e-m

.L VW-4,

,g O

i i!

ha 1

.i1 v

n-l t

e v

n a

=

l e

E i

l ll l

U j l

n c I

E o L ---- q------

.I l

S c I

Q 3 i

> 0 l

F En i

e O

5 i

j 1

f l

Jomod lo4uoo popunoJ6un I

_~

9

_L

+

e a,

e e

f I

as g

o O

'5 s

e g

t, t,

s,r

=

i 1 O

8 l' l

- v E

t______,_______;

3 7 l

3 i 5$

l E

i O

l c

i h

I s

JSNCd 104U00 popunOJ0un A

1

'o O

N w

o b

f4 i t E

8w 2 E

E~

!?

e ll E

x G

1j b

n i !

a s

E l

h$

ens x ;

O l

c 3

li

~

s G

n d

'G Nd lo4uoo popunoJoun

l a

1 2

u nam s

g n

i e

t n

e r

ve u

rp l

kc i

o a

lre F

n t

s I

t n

t n

l i

o ua i

ch t

r t

u a

l i

C mV w r

c e

eO t

iu r

p cmc n O

nl ro i

oaCt i i s

C c

a C

u epOl Vl i

l o

vTyMI n

i l

r a

u V

p S

e

e (3

E E

n e

a

=

=

E e

sem-

=m E.

o eM.

M S "e g

~

Gumf

=E

=

Me S =a m

o e

E ea m

Ba em M

=m am-as g e

lg E

E O

E a

gE o

SE

1. 5 e

g f#B E mE M

w o

Mo e o oo eW 3m aaa ee

'a g tumus E

og g E 'E o 'E C5 m as to as e

e

l a

E e

Ihm Ejll E

E 4

e" E

8 m

e a

adh.

=

m umums a

Ed.m e

e o

inns 8

o 8

=li

~

m a

E E

E

'M o

e o

E E

E 3

E e

-o m

emuf m2

,g 3

um 3

g 3

m

=

O M

O

.I M

m-m o

E e

'N

=d 3

ch.

esas umumm E

E M

i:f::-

4:f::-

4:f::-

(

e 4

s 2

m e

u w s o s Lmp c

P a

_N f

r e

m e

\\

rav t

n e

e n

c n L i

a w

n e

f o o e

re d

i t

t t

u c r

n h

u S S I

e u

r e e R a hu i

ig n

r t

H l

H u p n

s l

s o

Ro P

s m C

o C

s e a yr r x a

e P E m

i r

w P

r o

P L

/ha l

o c

i l

H l

l V

P i

R H

l

~

.i

e 3

j W

N E

C

~

b

.3

-e E

_^

je i

w

^_

b a

e-e 8

a a

o e.e a

a e<

-g a

e E

E 5I

_A o

ye Neb me -m n

4 D

}E m

s" e

i.

.e

-^

n m

ei

~

a*

?

_m 5a E

a e e

e eE 3$ ga e

a 8 5

E.

(

W E

- m

.E a

M m

e e

au

.a OE E

O E =g

=.3

=m

=

Ihm M

hm 3o ea E

.ab EE

=

E E.S E.E

==

E m=.

E eo 13 EE EEE cp3 ogE

a o

m e

.= = m n,w a

.E-ge o

.mmo a G "a (3

.a =E -

EN#3 3

W WSS

$,5$

.E a a m-u e co es m a i:t::-

4:t::-

pMusism u iu i i B

n 5

.m m

3 E.a.E ES E 's gesa S =E m3., t.::g

=. =. m m4 W

'g 3 5 a.E E E

.s= n.n. $ m.Eii

~

a E

m $ W=

W

>"'m-E n g. E. E i li i s f/3 o BE EME

=.E

.E E

==a

.g 3 E,u m E,u

. u 3

'.::li ns m

m. 8 E

g.E WM.

g3 BDa w

a ME li m B MM4ME4

(

I s

i NRC Staff and BWROG Annendix R Commi% Meetina on Circuit Analysis Summary of Tonics Covered and Asi::.T.e.G Reached The final BWROG circuit analysis methodology document:

Will address deterministic evaluation of the effects of fire-induced electrical faults (hot shorts, shorts to ground, and open circuits) on power, control, control logic, and i

instrumentation circuits, and assessment and prevention of resultant combinations of multiple spurious signals and/or spurious actuations which may interfere with or prevent the achievement and maintenance of post-fire safe shutdown. [lt is possible that the extent of this approach may be limited based on the complementary risk-informed, performance-based circuit analysis methodology development effort currently being undertaken by the Nuclear Energy Institute (NEI).]

e Will have a definitions section.

Will draw clear distinctions between guidance meant to apply to redundant train e

separation analysis, and other guidance meant to be considered in the analysis of attemative/ dedicated safe shutdown capability.

Will include a definition of the term " free of fire damage" (which may or may not be identical to the NRC definition provided in Generic Letter 86-10).

Will specify and define one or more safe shutdown analysis " time zero" points (e.g., fire e

inception, fire discovery, major fire confirmation, reactor scram, control room evacuation), and will discuss their appropriate applications in activities such as redundant train and attemative/ dedicated safe shutdown capability engineering design and procedure development.

Will provide justification as to why multiple high impedance fault (MHIF) analysis and three phase hot shorts analysis do not need to be conducted by reactor licensees.

Will consider whether the fire-induced circuit failures analysis used to establish Susquehanna Steam Electric Station post-fire safe shutdown capability constitutes an effective generic circuit analysis process.

Will include, or will explain why it does not include, a generic evaluation methodology of e

the potential for indirect fire-induced physical damege of equiprnent to interfere with or prevent the achievement and maintenance of post-fire safe shutdown [e.g.,

i

" mechanistic" failures of motor operated valves (MOVs) (as chscussed in Information Notice 92-18, " Potential for Loss of Remote Shutdown Capability During a Control Room Fire"), or mechanical pump damage from a fire-induced spurious pump start with both j

the pump discharge and minimum flow valves closed.)

Considering that Appendix R, Section Ill.G.2. specifies that hgth cables and equipment e

(including associated non-safety circuits) of redundant trains shall be free of fire damage 1

(i.e., able to perform their intended functions), the methodology document will address the acceptable limit or extent of fire-induced damage to redundant train power, indication and control circuits.

ATTACHMENT 4

f 4

, Willidentify manual action considerations to be addressed to ensure comprehensive e

and effective analysis of both redundant train and attemative/ dedicated post-fire safe shutdown capabilities, such as:

Operator actions to address reactor transients from the panels in the control e

room (before the control room evacuation decision is made) and from the remote /altemative/ dedicated shutdown stations in the plant.

Personnel hazards (radiation, steam, heat, smoke, fire, heights, etc.)

The limits on shutdown procedure complexity when the following human factors e

issues are considered: training, walkdown, and simulation frequency and depth (relative to operator familiarity with the manual actions and the locations at which they are conducted); communications equipment and their limitations and adequacy; on shift staffing requirements; numbers of independent operators; procedural action timing requirements; and plant conditions (lighting, temperature, noise, etc.); procedure feasibility, and the availability and practicality of the application of operator aids.

The availability of materials for, and practicality of procedures for cold shutdown repairs. This discussion willinclude a definition of the term " cold shutdown repair" as distinct from the definition of the term " manual action."

Discussions / definitions of terms such as " remote control," " local control," " manual control," " remote shutdown panel," and " remote shutdown location," and any limitations on remote or local actions basti on the type of shutdown being conducted (redundant train /altemative/deorcated).

I u