ML20302A322

9 to Fire Hazards Analysis Report, Section 3, Safe Shutdown Systems, Components and Circuits
ML20302A322
Person / Time
Site: Davis Besse
Issue date: 09/25/2020
From:
Energy Harbor Nuclear Corp
To:
Office of Nuclear Reactor Regulation
Shared Package
ML20302A348 List:
References
L-20-234


Text

Davis-Besse Unit 1 Fire Hazard Analysis Report DAVIS-BESSE NUCLEAR POWER STATION UNIT NO. 1 SECTION 3.0 SAFE SHUTDOWN SYSTEMS, COMPONENTS AND CIRCUITS 3-0 FHAR Rev 26 10/2014

3.0 Safe Shutdown Systems, Components and Circuits

3.1 Introduction

Paragraph 50.48(b) of 10CFR50 became effective on February 17, 1981 and requires all nuclear plants licensed prior to January 1, 1979 to comply with the requirements of Section III.G of Appendix R to 10CFR50. Section III.G.1 requires that fire protection features be provided for those systems, structures and components important to Safe Shutdown. These features must be capable of limiting fire damage so that:

a. One train of systems necessary to achieve and maintain Hot Standby conditions from either the Control Room or Emergency Control Station(s) is free of fire damage, and
b. Systems necessary to achieve and maintain Cold Shutdown from either the Control Room or Emergency Control Station(s) can be repaired within 72 hours.

Additional guidance on the NRC Staff's requirements for Safe Shutdown capability is provided in the following:

IE Information Notice No. 84-09
Generic Letter 81-12, Enclosure 1 Staff Position
Generic Letter 83-33
Generic Letter 86-10

3.2 Performance Goals

The performance goals for the shutdown functions as specified in Appendix R are:

1. The reactivity control function shall be capable of achieving and maintaining Cold Shutdown reactivity conditions.
2. The Reactor coolant makeup function shall be capable of maintaining the Reactor coolant level within the level indication in the Pressurizer.
3. The Reactor heat removal function shall be capable of achieving and maintaining decay heat removal.
4. The process monitoring function shall be capable of providing direct readings of the process variables necessary to perform and control the above functions.
5. The supporting functions shall be capable of providing the process cooling, lubrication, etc., necessary to permit the operation of the equipment used for Safe Shutdown functions.
6. For fires in alternative fire areas, 10CFR50, Appendix R, Section III.L provides additional performance criteria including the requirement that the alternative or dedicated shutdown capability be able to achieve cold shutdown conditions within 72 hours; and maintain cold shutdown conditions thereafter.

3-1 FHAR Rev 27 10/2016

3.3 Safe Shutdown Functions

The specific safe shutdown functions necessary to satisfy the performance goals stated in Section 3.2 above are discussed below:

3.3.1 Reactor Reactivity Control

Safe Shutdown of the Reactor is performed by a manual trip from the Control Room. An automatic trip will occur in the event of Loss Of Offsite Power (LOOP). After a Reactor trip, the reactivity control function must be capable of achieving and maintaining at least a 1% Reactivity Shutdown margin (Δk/k) from zero power Hot Standby to Cold Shutdown. The function must be capable of compensating for any reactivity changes associated with xenon decay and the Reactor Coolant temperature decrease which occurs during cooldown to Cold Shutdown conditions.

The Makeup and Purification System (MUPS), High Pressure Injection System (HPIS) and Decay Heat Removal System (DHRS) provide boron injection for subsequent reactivity control during Cooldown. The Makeup Pumps take suction from the Makeup Tank or Borated Water Storage Tank (BWST). The HPIS and DHRS Systems take suction from the BWST. The BWST contains borated water at a concentration controlled by the Technical Specifications.

3.3.2 Reactor Coolant Pressure and Level Control

Reactor Coolant pressure control is required to assure that the Reactor Coolant System is operated:

a. Within the technical specifications for Reactor Coolant System pressure requirements;
b. To prevent peak Reactor Coolant System pressure from exceeding 110% of system design pressure;

The Reactor Coolant makeup control function shall be capable of assuring that sufficient Makeup inventory is provided to compensate for Reactor Coolant System (RCS) fluid losses due to identified leakage from the Reactor Coolant System water volume during cooldown from Hot Standby to Cold Shutdown conditions, and to compensate for contraction volume of the RCS such that the Reactor coolant level can be maintained within the level indication in the Pressurizer. The systems used for the Makeup function are those previously mentioned for the Reactor reactivity control function (Section 3.3.1). Letdown is not required since the inventory added through making up the contraction volume is adequate for reactivity control if letdown cannot be re-established. RCS inventory will be managed by cooling down the RCS. (Ref. 2.6.P).

During and following a postulated fire concurrent with a Loss Of Offsite Power (LOOP), the RCS will be cooled down by natural circulation. Cooldown will be controlled so as to ensure that subcooling within the RCS is maintained.

The RCS Code Safety Valves, RC13A and RC13B, prevent peak RCS pressure from exceeding 110% of system design pressure.

Note: Log No. 3480, Safety Evaluation of Fire Protection Measures at the Davis-Besse Nuclear Power Station, (Reference 2.5.K) provided additional information concerning the pressurizer level. At Davis-Besse as with other pressurized water reactors, some plant transients of short duration may cause certain reactor coolant process variables and their indications, such as pressurizer level, to exceed those predicted for a loss of offsite power.

These transients would occur for a short period and could result from a delay in reactor trip or from a delay in equipment manipulations such as the time to properly realign auxiliary feedwater valves following fire induced spurious signals. The staff has evaluated the consequences of these transients and concludes that they are not safety significant as long as no unrecoverable plant condition will occur. The NRC's SER went on to state, "The staff's conclusion is also based on the statements made by the licensee in its letter dated June 6, 1988, that the capability to return the pressurizer level to within the prescribed instrument indication range, and to restore other process variables to within the range predicted by a loss of offsite power, will be preserved. In addition, the licensee states that the core will not be uncovered and fission product boundary integrity will not be affected during the postulated transient conditions."

3.3.3 Reactor Heat Removal

The Reactor (Decay) Heat removal function shall be capable of transferring fission product decay heat from the Reactor Core at a rate such that specified acceptable fuel design limits and design conditions of the Reactor coolant pressure boundary are not exceeded. The function shall be capable of achieving Cold Shutdown.

Decay Heat removal in Hot Standby is accomplished by natural circulation through the use of the Auxiliary Feedwater Pumps supplying water to the Steam Generators from the Condensate Storage Tanks and rejecting heat from the Steam Generators to the atmosphere through the Atmospheric Vent Valves (or the Main Steam Safety Valves as a backup). In the event of a long term plant Cooldown, a backup supply of water to the Auxiliary Feedwater System is provided from the Service Water System, or by manual alignment from the Fire Water System.

The Secondary System pressure in the Steam Generators is maintained within allowable limits during cooldown by operation of the Atmospheric Vent Valves. The Steam Generator water level is maintained by the Auxiliary Feedwater System or the Motor-Driven Feedwater Pump (as an alternate). Decay Heat removal in Cold Shutdown is provided by the Decay Heat Removal System (DHRS) through the Decay Heat Coolers. The Component Cooling Water System (CCWS) provides cooling to the Decay Heat Coolers, and is in turn cooled by the Service Water System (SWS).

3.3.4 Process Monitoring

When information on process variables is required by operators to modify Safe Shutdown System alignments or to control Safe Shutdown equipment, such monitoring information must be available from the Control Room or Local Control Stations. The process monitoring function shall be capable of providing direct readings of those plant process variables necessary for plant operators to perform and/or control the identified Safe Shutdown functions. The functions monitored are source range flux, RCS temperature and pressure, Pressurizer level, and Steam Generator level and pressure.

3.3.5 Supporting Systems

The systems and equipment used to perform the previous functions require miscellaneous supporting functions. The supporting functions required are process cooling (CCWS and SWS), area cooling for certain rooms (HVAC) and Essential AC/DC power. Lubrication is covered as part of the Safe Shutdown System components. The supporting functions listed below (as discussed later in this section) shall be available and capable of providing the support necessary to assure acceptable performance of the previously identified Safe Shutdown functions:

a. Component Cooling Water System
b. Service Water System
c. Essential Power
d. HVAC
e. Containment Air Cooling System
f. Control Room Emergency Ventilation System
g. Emergency Diesel Generators

3.3.6 Cold Shutdown within 72 Hours

An evaluation was performed to assess the plant's ability to achieve cold shutdown within 72 hours for the alternative shutdown fire areas (BF, DD, FF, EE, HH, or Q). The evaluation documented that for the worst case overheating and overcooling scenarios, the plant can achieve cold shutdown in approximately 19 hours. The evaluation also demonstrated that even in the unlikely case that the main control room actions are not taken to preclude spurious operation of the PORV prior to control room evacuation, the actions taken from outside the main control room will mitigate the transient, prevent an unrecoverable plant condition, and support achievement of cold shutdown in less than 72 hours. Ref. 2.7.H.

3.3.7 High/Low Pressure Interface Valves

DH11 DHR Normal Suction Isolation Valve
DH12 DHR Normal Suction Isolation Valve

The decay heat removal (DHR) system is a low pressure system that interfaces with the reactor coolant system (RCS). The suction side of the decay heat system is isolated from the RCS by two normally closed motor operated valves (MOVs) designated DH 11 and 12. These valves are located in fire area D-4, the incore instrumentation trench area (room 220). As discussed in the Fire Hazards Analysis Report, the power cables (three-phase 480 V) for DH11 and DH12 are routed in individual dedicated conduits in Containment until the conduits reach the Penetration Boxes. The Penetration Boxes are separated by over 100 ft. Additionally, except when the valves are being opened or closed, power is removed from these valves. Therefore, a fire in this area will not cause DH 11 and 12 to open and create a LOCA.

Note: The outlet side of the decay heat system relies on two check valves in series to provide isolation from the RCS. Since these are passive valves they will not be affected by a fire.

RC2A Pilot-Operated Relief Valve (PORV)
RC11 PORV Block Valve

The pressurizer PORV (RC2A) is normally shut; the block valve (RC11) is normally open and can be shut to isolate flow through the PORV. These valves are located inside the containment.

It can be postulated that a single fire could cause the PORV to operate spuriously and disable the block valve in an open position, resulting in a fire-initiated loss of coolant.

Isolation of the pressurizer PORV flowpath can be achieved by shutting the PORV or block valve electrically, or by failing the PORV (RC2A) shut. For fires that require control room evacuation (Cable Spreading Room or Control Room fires), RC11 should be closed by means of the Control Switch HIS-RC11 (C5705) prior to evacuating the Control Room. Afterwards, the circuit can be isolated from the influence of a fire by operating a Disconnect Switch at CDE-16B, thus ensuring control and indication at MCC E16B. The PORV can also be failed shut by de-energizing RC2A.

The power and control cables for the PORV (RC2A) were routed in dedicated conduit (with no other cables) and re-powered to Train 2 (E52B/13). The power and control cables for the PORV block Valve (RC11, Train 1) were also routed in dedicated conduit which approaches the PORV and other Train 1 equipment and conduits within 20 ft. However, there is no other power source in the conduit or at the components which could credibly hot short and cause spurious operation. The Train 1 & 2 penetration boxes are widely separated by over 100 ft. and metal enclosed (E-376). There is no credible fire which could impair both boxes at the same time.

Within the penetration, the PORV power cables are exposed and in close proximity to other train 2 circuits (See E-530).

Modifications were performed to the PORV block valve (RC11) circuitry under MOD 96-0013 to ensure that the block valve would not be susceptible to valve or operator damage as a result of a spurious valve operation. Under the modification, torque and limit switch wiring was re-routed so that the control switches would not be bypassed due to a fire-induced hot short.

RC200 PZR SMPL CTMT VNT HDR VLV
RC239A PZR VAPOR SMPL VLV
RC239B PZR LIQUID SMPL VLV
RC4632 Cold Leg SG1-2 Sample Valve

In the event that valves RC200, RC239A, RC239B and RC4632 are fire affected, High/Low Pressure Interface isolation can be achieved by shutting manual Valve RC147 (located in Containment, outside the D-Ring). This manual action need not be taken for 8 hours because the Quench Tank has sufficient capacity to hold the discharge from this line for at least 8 hours.

Even if this flow path were opened, no unrecoverable condition would result because the restricting orifice is sized such that one Makeup Pump could easily handle the flow.

RC4608A RCS Loop 1 High Point Vent Valve
RC4608B RCS Loop 1 High Point Vent Valve
RC4610A RCS Loop 2 High Point Vent Valve
RC4610B RCS Loop 2 High Point Vent Valve

RCS Loop 1 and Loop 2 High Point Vent Valves (RC4608A, B and RC4610A, B respectively) are normally closed and are required to remain closed in order to prevent uncontrolled blowdown via the High Point Vents. Each pair of valves per loop are in series and both would be required to open for blowdown to the containment atmosphere to occur.

The vent valves for the Hot Leg High Point Vents are 1-inch diameter solenoids downstream of flow restricting orifices. The flow limitation of the orifice is established by calculation C-NSA-64.02.031 Pressurizer and Hot Leg High Point Vent Flow. The flow orifices of the hot leg vent paths are each designed to limit flow to less than the excess capacity of a single Makeup pump.

Fire damage to the D cable for Valves RC4608A and RC4610A cannot spuriously open the respective valve due to the open control switch in the Control Room. In order for spurious actuation of Valves RC4608A, B or RC4610A, B to occur, 2 concurrent hot shorts of the proper polarity without grounding to the C cable would be required. Since these valves are aligned in series, an inadvertent breach of a High/Low Pressure Interface could only occur in the event of 4 specific concurrent hot shorts of the proper polarity. Loss of control power to C5799 will cause loss of power to RC4608A, B which cannot cause spurious opening of the valves.

Calculation C-NSA-64.02-031 Pressurizer and Hot Leg High Point Vent Flow validates each of the restricting orifices as limited to 44 GPM which is below the 45 GPM excess capacity of the makeup system. Without letdown, makeup capacity will be well in excess of the 45 GPM leakage from the High Point Valves.

3.4 Requirements and Assumptions

For the purpose of this review and report for which Safe Shutdown capability will be demonstrated, the following requirements and assumptions must be met:

3.4.1 Requirements

1. An exposure fire involving either transient or in-situ combustibles is postulated to occur in one fire area within the plant at a time.
2. Loss of offsite AC power
a. For alternative shutdown fire areas (BF, DD, FF, EE, HH, or Q) the alternative shutdown capability shall accommodate postfire conditions where offsite power is available and where offsite power is not available for 72 hours.
b. For normal shutdown fire areas, a loss of offsite power is only required to be considered if the fire can cause the loss of offsite power.
3. The capability to achieve and maintain Hot Standby is ensured.
4. For alternative shutdown fire areas (BF, DD, FF, EE, HH, or Q), the plant will be able to achieve cold shutdown within 72 hours and will be able to maintain cold shutdown conditions thereafter.


5. Fission product boundary integrity is assured, i.e., there is no fuel clad damage, rupture of any primary coolant boundary or rupture of the Containment boundary.
6. Unless they are an integral part of, or interface with, other existing safety systems, systems installed to provide post-fire Shutdown capability are not designed to meet the Seismic Category I criteria, single failure criterion, or other design basis event criteria.
7. Those components whose spurious operation (due to the fire) would threaten Safe Shutdown System capability are identified and evaluated.
8. No concurrent or sequential design basis accidents or transients which would not occur as a direct result of these assumptions are assumed.
9. No random single failures other than those which occur as a direct result of the postulated fire are assumed.

3.4.2 Assumptions

1. At the onset of a fire, both trains of systems required operable for Safe Shutdown are functional (i.e. none of the Safe Shutdown System components, except spare or standby components, are assumed to be under maintenance or test.)
2. The plant is operating at 100% power.
3. For the purpose of developing the Safe Shutdown Components List (SSCL) it was conservatively assumed that the fire-induced failure of circuits for all Safe Shutdown components (including spurious components) causes the component to assume the most detrimental position for proper operation of the Safe Shutdown System. However, in the fire area evaluations (Section 4.6), the failure mode of Safe Shutdown components due to fire damage to its circuits was evaluated.

3.5 Safe Shutdown Systems Determination

3.5.1 Introduction

The Shutdown analysis utilized herein identifies a minimum set of plant systems (Safe Shutdown Systems) and components necessary to achieve the functional goals and assure compliance to the requirements of Appendix R. An assessment has been made to demonstrate that there is adequate protection of this minimum set of systems from the effects of postulated fires concurrent with the Loss Of Offsite Power (LOOP). This approach yields an adequate and conservative demonstration of the ability to achieve and maintain Safe Shutdown in the event of a fire.

3.5.2 Methodology

A review of plant shutdown requirements was performed to identify those systems needed to provide reactivity control, reactor coolant makeup and reactor heat removal when achieving Hot Shutdown and when subsequently achieving Cold Shutdown. Those systems needed to monitor process variables (level, flow, etc.), those systems needed to provide support functions (cooling, lubrications, etc.) and those systems which could cause automatic actuation (i.e., SFRCS, SFAS) of these systems were also identified. All such systems were included as Safe Shutdown Systems.

A review of the plant Piping and Instrument Diagrams (P&IDs) was then performed to identify the components within these systems that are required to achieve each Safe Shutdown function.

The Safe Shutdown Systems necessary to accomplish the required protective functions are delineated in Table 3-1 and are discussed below. Appendix A provides a detailed list of these Safe Shutdown components.

3.6 Safe Shutdown Systems

The following is a brief overview of the individual Safe Shutdown Systems used and the functions they provide. This overview covers the basic features of the systems as applicable to this report. For a more detailed description of the systems, their controls and modes of operation, the Updated Safety Analysis Report (USAR) and System Descriptions should be consulted.

3.6.1 Auxiliary Feedwater System (AFWS)

The purpose of the Auxiliary Feedwater System is to provide feedwater to the Steam Generators (SGs) for the removal of decay heat in the absence of main feedwater and to promote natural circulation in the Reactor Coolant System on a loss of all four Reactor Coolant Pumps.

The Auxiliary Feedwater System consists of the following components: two Steam Turbine-Driven Feedwater Pumps (AFP), two Condensate Storage Tanks (CST), suction and discharge water piping, steam piping, valves and associated instrumentation and controls.

The turbines can take steam from either the Main or Auxiliary Steam System. The Auxiliary Steam System will not be available concurrent with a Loss of Offsite Power (LOOP) and was not considered as part of this analysis. Opening of the Auxiliary Feed Pump Turbine Steam Admission Valves allows operation of the Auxiliary Feed Pump Turbines from either their respective SG or the opposite SG. The Auxiliary Feed Pumps can take suction from either the Condensate Storage Tanks, Service Water System, or by manual alignment from the Fire Water Systems. Each pump is capable of discharging the auxiliary feedwater either to its respective SG or the opposite SG through a set of isolation and crosstie valves discharging into the SGs through the Auxiliary Feedwater Header.

Reactor decay heat removal after coastdown of the Reactor Coolant Pumps is provided by the natural circulation characteristics of the Reactor Coolant System. Use of the Auxiliary Feedwater System for Cooldown can be discontinued when the Reactor Coolant System temperature decreases to a point where the Decay Heat Removal System can be placed in service; further Cooldown is accomplished by the Decay Heat Removal System.

The capacity of the Auxiliary Feedwater Pumps was determined by the decay heat removal requirements after Reactor trip at full power. One Auxiliary Feedwater Pump can provide the required Auxiliary Feedwater flow.

Both Steam-Driven Auxiliary Feedwater Pump Turbines are provided with governors used for variable pump speed control. The governors are equipped with a small DC motor which changes the speed setpoint on the turbine control valve, thereby controlling steam flow which regulates the turbine and pump speed. The Turbine is normally operated at the high speed stop and AFW flow is automatically varied to achieve the proper steam generator level by modulating the AFW flow control valve. Speed control can be used if the AFW flow control valve fails (the failure position is open).

The minimum Technical Specification usable volume of water in the Condensate Storage Tanks (CST) is 270,300 gallons. Each AFW pump takes suction from the CSTs which are normally cross-connected.

The Service Water system is available via Valves SW1382 and SW1383 in the event the Condensate Storage Tanks are depleted prior to Cooldown to the point the DHR System can be placed in service.

The Fire Water System is available as an additional backup water supply for a Control Room or Cable Spreading Room fire in the event valve SW 1382 cannot be opened due to damage resulting from electrical hot shorts.

A Motor-Driven Feedwater Pump (MDFP) provides a backup means of supplying water to the Steam Generators in the event of a total loss of all Main Feedwater and Auxiliary Feedwater capability.

Normal pump suction is from the CST. Cooling water for the MDFP Lube Oil Cooler is taken from a tap on the pump's first stage discharge. Level control for the selected Steam Generator is accomplished with a modulating control valve.

The MDFP is powered from the 4160V AC Nonessential Switchgear Bus D2. With offsite power available, this bus can be manually loaded onto either the A or B buses. Following a Loss Of Offsite Power (LOOP), the D2 bus can be manually loaded onto either Emergency Diesel Generator (EDG).

The Auxiliary Feedwater System is automatically placed in service by actuation of the Steam and Feedwater Rupture Control System (SFRCS).

3.6.1.1 Emergency Feedwater Facility (EFWF)

The EFWF is a separate concrete building located west of the Auxiliary Building. The building is equipped with a fire detection system which alarms in the Main Control Room, and a fire suppression system fed from the Site's fire protection ring header. Any fire within the building would be contained within the building.

Since the facility was installed after completion of the Appendix R analysis, no credit is taken for it in the FHAR.

3.6.2 Main Steam System (MSS)

For the post-fire scenario, maintenance of the main steam inventory and control of steam generator pressure are required for both Hot Standby and subsequent primary and secondary system cooldown to support the decay heat removal function within the applicable operational limits.

The Main Steam System (MSS) consists of two parallel flow paths, one from each Steam Generator to the Main Turbine. The MSS is also designed to deliver motive steam to the Turbine-Driven Auxiliary Feedwater Pumps (AFWPs) in the event that all main feedwater is lost.

Steam to the AFWPs is supplied by a branch connection upstream of the Main Steam Isolation Valves.

In accordance with supporting USAR analysis (Reference 2.3.D, Chapter 15), control of one Steam Generator is sufficient to provide the Reactor heat removal function during natural circulation conditions. The second (idle) steam generator is filled and level maintained to prevent tube stresses in the idle generator during cool down. In alternate shutdown fire areas, two steam generators and associated instrumentation are required to support achieving cold shutdown in 72 hours.

On each steam line, a bank of nine ASME code safety valves are installed outside Containment.

The nine safety valves on each line are installed to protect the MSS against overpressure and to provide a combined relieving capacity greater than the maximum steam flow rate.

An atmospheric vent valve is located on each Main Steam Line upstream of the Main Steam Isolation Valve (MSIV). The Atmospheric Vent Valves provide secondary pressure control by manual (hand) control from the Control Room or locally in Fire Area EE. The operation of one Atmospheric Vent Valve is required to achieve Hot Shutdown.

The MSIVs are closed as part of this analysis to ensure controlled cooldown, prevent overfilling of the S/G from the Main Feedwater Pumps by isolating steam to the pumps and maintaining the required steam inventory for the Auxiliary Feedwater Pump.

3.6.3 Reactor Coolant System (RCS)

The Reactor Coolant System (RCS) consists of two similar heat transfer loops connected in parallel to the Reactor Vessel. Each loop contains two Reactor Coolant pumps and a steam generator. In addition, the system includes a Pressurizer with associated code safety valves and a pilot-operated relief valve (PORV). Reactor Coolant System (RCS) instrumentation includes Cold and Hot Leg Temperatures (wide range), RCS Pressure (wide range) and Pressurizer water level.

The natural circulation capability of the plant provides a means of decay heat removal when the Reactor Coolant Pumps are unavailable. Natural circulation flow rates are governed by the amount of decay heat, subcooled margins and steam generator levels. The objectives during natural circulation are to maintain adequate primary to secondary heat transfer, subcooling and inventory.

Steam Generator Thermal Stresses

In the event thermal communication between an idle (dry) Steam Generator tubes and shell is lost, the potential exists for the differential thermal expansion between the tubes and shell to place unacceptable thermal stresses on the tubes. These stresses could be either compressive (shell cooling faster than tubes), or tensile (RCS cool down faster than shell).

In fire areas where an over-heating event could occur (i.e., actuations/failures leading to a loss of feedwater, loss of Makeup/HPI, and spurious opening of RCS leak paths (see Ref. 2.6.N)) the potential exists for the idle steam generator to dry out during the initial transient. Under these conditions, it is necessary to re-fill the steam generator in order to prevent excessive tube stresses. Steam Generator Level indication is necessary to support re-fill of the idle steam generator.

Normal Shutdown Fire Areas

In normal shutdown fire areas, one steam generator and the instrumentation for the applicable RCS loop is required to provide the necessary heat removal function during natural circulation conditions. The second steam generator and associated SG Level indication is provided in order to ensure that tube stresses are not exceeded in this steam generator.

Alternate Shutdown Fire Areas

In order to demonstrate that the plant can depressurize to DHR conditions and achieve cold shutdown conditions within 72 hours, it is necessary to have circulation in both RCS loops. For these (alternate shutdown) fire areas, two steam generators are required to provide the necessary heat removal function during natural circulation cool down. The second steam generator and its associated instrumentation are required in order to prevent thermal stresses on the steam generator tubes and to accomplish cool down in 72 hours. Steam Generator Pressure, Steam Generator Level, Hot Leg Temperature, and Cold Leg Temperature for both loops is available either in the Control Room or at the ASP, or locally depending upon the affected alternate shutdown fire area.

While in natural circulation, adequate heat transfer and coolant flow are dependent on adequate inventory and pressure control in both the primary and secondary systems. Reactor Coolant System inventory control is normally based on the operation of the Reactor Coolant Makeup and Purification System (MUPS). For the majority of this Appendix R evaluation, RCS inventory control is provided by MUPS. Where MUPS is not available, HPIS is provided.

High pressure seal water from the MUPS is normally injected into the RCS pump cavity to prevent leakage of high temperature Reactor Coolant along the pump shaft. The injection flow splits in the cavity with a portion flowing up through the seals and exiting the controlled bleedoff. The remaining portion flows down the shaft and into the Reactor Coolant System.

Adequate reactor coolant pump seal cooling is maintained by restoring seal cooling within approximately 70 minutes (for the limiting fire area). Although seal return flow may not be available for all fire areas, adequate seal cooling is conservatively maintained based on:

1) The seals have been demonstrated to withstand RCS temperatures for >8 hrs without seal cooling (ref: 2.3.J).
2) The N-9000 seal elastomers are made of ethylene propylene (EP), which is rated for continuous duty at approximately 350°F (ref: 2.3.J).
3) Based on simulator testing, the RCS can be cooled down to DHR entry conditions (350°F) within approximately 10 hrs.
4) Prompt restoration of seal injection effectively stops the flow of hot RCS water to the seal package.

3-11 FHAR Rev 27 10/2016

5) Each of the three individual sealing stages is designed to withstand full RCS pressure indefinitely with the RC pump idle and for a limited period of time with the pump running at a nominal 1200 RPM (ref: 2.3.J).
6) Seal cooling restoration will be performed using the guidance of the Byron Jackson technical manual (ref: 2.3.K) to minimize the potential for thermal shock to the seal package. As discussed in B&W N-9000 Seal Evaluation (ref: 2.3.L), the RCP seal materials were selected to provide increased fracture resistance, and in the unlikely event that a carbide ring were to fracture as a result of thermal shock, it is expected that the resulting leakage would be low based on data from the original Byron Jackson seals, which have operated with fractured rotating face rings.

The analysis contained in Section 4 provides guidance on which valves must be operated to provide seal injection and cooling, and procedures direct the Operators to attempt to restore reactor coolant pump seal cooling. Should these actions not be successful, safe shutdown can still be achieved.

Normally, subcooling within the RCS is maintained by controlled operation of the Pressurizer heaters and monitoring of RCS Pressure and Loop Hot Leg Temperature (Th). For this Appendix R analysis, the Essential Pressurizer Heaters do not need to be assured for maintaining Hot Standby.

Deleted.

During and following a postulated fire concurrent with a Loss Of Offsite Power (LOOP), the RCS will be cooled down by natural circulation. Cooldown will be controlled so as to ensure that subcooling within the RCS is maintained.

Overpressurization protection of the RCS is assured by two Pressurizer code safety valves.

The two Pressurizer safety valves are spring-loaded, self-actuated and have a set pressure of 2500 psig. The combined capacity of the valves is equal to or greater than the maximum pressure surge resulting from a complete loss of load without Reactor trip. The Pressurizer PORV is an electrically controlled, pilot-operated, pressure relief valve which has a setpoint of 2450 psig.

For this Appendix R analysis, the availability of the Makeup and Purification System is assured in the majority of the fire areas. In those instances where the Makeup and Purification System is not available and the PORV may be disabled, the Pressurizer Vent Header is assured for RCS depressurization to allow use of the HPI System. Hence, a means of assuring RCS inventory control for Hot Standby is maintained in all fire areas.

3.6.4 Containment Air Cooling System (CACS)

The Containment Air Cooling System consists of three air cooling units and fans. In order to achieve Cold Shutdown with the RCPs tripped, only one Containment Air Cooling (CAC) Unit is required to operate. For the Appendix R analysis, only one CAC unit is required to be assured (Reference 2.6.B). CAC #1 and CAC #2 are the accredited components for shutdown.

3.6.5 Control Room Emergency Ventilation System (CREVS)

The Control Room Emergency Ventilation System consists of two recirculation centrifugal fans (3300 cfm), two dual condenser air cooling units (water cooled and air cooled), two motor-operated fresh air intake dampers, two sets of filter banks (prefilter, high efficiency absolute filter, and charcoal absorber) and the associated dampers and ductwork.

During normal operation, the CREVS is held in standby. The system is monitored and alarmed for high radiation and equipment malfunction. In the event of a fire with a Loss Of Offsite Power (LOOP), the Control Room Normal Ventilation System is shut down automatically because it is powered solely from offsite power. The CREVS is initiated manually from the Control Room in a closed, complete recirculation mode in which outside air is not introduced, because the outside air dampers are normally closed. All Control Room Normal Ventilation System outside air dampers will automatically close to minimize the possibility of smoke inhalation by operating personnel. In the event all Control Room ventilation is lost, the operators may evacuate the Control Room and perform the necessary Shutdown actions locally and at Emergency Control Stations. Procedures are in place to provide guidelines for these actions.

3.6.6 High Pressure Injection System (HPIS)

The HPI System is designed to inject borated water into the RCS to maintain pressurizer level and reactivity control. HPI pumps will automatically start at an RCS pressure of approximately 1600 psig and can also be manually started. To protect the pumps from overheating, a minimum flowpath is provided for each HPI pump to recirculate 35 gpm through restriction orifices back to the BWST. A connection to the Decay Heat Auxiliary Spray Line is provided for Boron Precipitation Control (see Section 3.6.7).

The HPIS provides a redundant means of maintaining RCS inventory control (the Makeup and Purification System is the preferred means).

Because the Reactor Coolant System normal operating pressure exceeds the operating pressure of the HPIS, a means of lowering RCS pressure needs to be provided when utilizing the HPIS. The Power-Operated Relief Valve (PORV) is the preferred means of depressurization; however, the pressurizer vent header can be used.

3.6.7 Decay Heat Removal (DHRS)

The Decay Heat Removal System is designed to remove decay heat from the Core and reduce the temperature of the RCS during the cold shutdown phase of plant Shutdown.

The DHR System consists of two DHR Coolers, two DHR Pumps and the associated piping, valves and instrumentation necessary for operational control.

During Cold Shutdown operations, Reactor Coolant flows from the RCS to the DHR Pumps through the tube side of the DHR Coolers and back to the RCS. The heat load is transferred by the DHR Coolers to the Component Cooling Water System which circulates on the shell side of the heat exchangers. The inlet line to the DHR system is located on the Hot Leg of the Reactor Coolant System loop 2 while the return line is connected to the Reactor Vessel through the Core flooding lines.

Two Motor-Operated Valves (DH11 and DH12) in series isolate the inlet line to the Decay Heat Removal System from the RCS. The return lines are isolated by check valves in series in each line. To avoid potential RCS boundary leakage at this High/Low Pressure Interface, both motor-operated valves in the DHR suction line will be kept closed (pre-fire condition) with the corresponding motor control center breaker in the open position. These valves can be bypassed by local manual operation of Valves DH21 and DH23.

A minimum flow return line from the downstream side of each DHR cooler to the corresponding pump's suction line is provided to assure that the DHR pumps do not overheat under low flow conditions.

The DHR System can be placed in operation following RCS cooldown and depressurization on natural circulation.

The HPI and DH systems are used to provide two active means of Boron Precipitation Control (BPC) when concentration of boric acid is possible in the core. This is not needed for post-fire safe shutdown. The primary method uses the discharge of DHR/LPI Pump 1 through a line that bypasses DH-1517 and allows reverse flow through the Decay Heat Drop Line into the RCS once DH-11 and DH-12 are opened. The secondary method is through the normally open cross-connection from the High Pressure Injection Pump 2 discharge to the Auxiliary Spray Line. Manual valves (HP209, HP210, DH200 and DH201) are administratively controlled to prevent overpressurization of the decay heat/low pressure injection system. The secondary method is initiated by piggybacking HPI train 2 to LPI train 2 and opening DH-2735 and DH-2736.

Each DHR pump is sized to deliver sufficient flow through the DHR coolers to meet the plant cooldown requirements.

A seal heat exchanger for each DHR Pump is supported by operation of the Component Cooling Water System.

Makeup to maintain RCS inventory is also provided by the DHR System operating in the DHR/LPI mode for a post-fire scenario when the RCS Pressure is below 200 psig.

3.6.8 Makeup and Purification System (MUPS)

The Makeup and Purification System is normally operated during all phases of plant operation, including Startup, power operation, and Shutdown. The system is also operated during refueling by employing the purification equipment through interconnections to the Decay Heat Removal System.

The Makeup and Purification System is the preferred means of providing Makeup to the Reactor Coolant System.

During normal operation, one Makeup Pump continuously supplies water to the seals of the Reactor Coolant Pumps, and to a Makeup line which is connected to the Reactor inlet by a High Pressure Injection Line. Makeup flow to the Reactor Coolant System is normally regulated by the makeup control valve, which operates on signals from the liquid level controller of the Reactor Coolant System Pressurizer.

The Makeup Pumps are normally aligned to take suction from the Makeup Tank. The Makeup Pump suction will be transferred to the Borated Water Storage Tank (BWST) and the pump recirculation rerouted to the BWST following a fire. This is required due to the small volume of the Makeup Tank and the unavailability of Makeup Tank level indication.

One Makeup Pump is capable of supplying Reactor Coolant Pump Seal Injection and Makeup flow.

Long term use of RCP seal injection (more than contraction volume) would require a letdown of Reactor Coolant to maintain the desired coolant inventory. This letdown, should it be used, is provided via the MUPS and would be directed to the Clean Waste Receiver Tanks.

3.6.9 Component Cooling Water System (CCWS)

The Component Cooling Water System is a closed-loop supporting system to other Safe Shutdown Systems. Two redundant Trains are available, each consisting of one pump and heat exchanger and associated valves, piping and local instrumentation. The CCW System is provided with three centrifugal pumps which are normally lined up such that one is operating, one is in standby, and one is an installed spare which can be utilized in place of either of the other two CCW pumps.

The CCWS serves as an intermediate heat transfer loop between the various Safe Shutdown components and the Service Water System (ultimate heat sink).

The CCWS provides cooling for the following Safe Shutdown equipment:

1. Decay Heat Removal Coolers
2. HPI Pumps Bearing Oil Coolers
3. Decay Heat Removal Pumps Bearing Housing Coolers
4. Emergency Diesel Generator Jacket Cooling Water Heat Exchangers
5. Makeup Pump Bearing and Gear Lube Oil Coolers

One pump and one Component Cooling Water Heat Exchanger fulfill the heat removal function during normal full load operation for various components located in the Auxiliary and Containment Buildings. During plant Cooldown in the DHR mode, two pumps and two heat exchangers are normally available to remove the decay heat. If one of the loops is not operative, one DHR loop is capable of cooling down the primary system. For the purposes of this Appendix R review, only one CCW loop is required to be operable to achieve Cold Shutdown.

The two component cooling loops are interconnected downstream from the heat exchangers to service one supply header for nonessential loads. The loads considered for use on the nonessential portion of the CCWS are the Seal Return Coolers. Isolation of CCW to the Auxiliary Building Nonessential Header, by operation of Inlet Valve CC1495, must be performed whenever the DHR Cooler is in service. The DHR Cooler Outlet Isolation Valve CC1467 (Train 1), CC1469 (Train 2) must be closed whenever the DHR Cooler is not in service.

CCW to the HPI Pump Bearing Oil Coolers and the DHR Pumps Bearing Housing Coolers are normally valved open to the supply header and they discharge to the suction of the CCW pump with which they are normally associated, so that component cooling water is circulated continuously through these essential loads during normal operation.

3.6.10 Service Water System (SWS)

The Service Water System provides cooling for the following safe shutdown heat transfer equipment:

1. Component Cooling Water Heat Exchangers
2. Control Room Emergency Ventilation System (CREVS) Condenser Units
3. Containment Air Coolers

The system also provides a backup supply of water to the AFW System in the event that the Condensate Storage Tanks are depleted.

The three 600 HP Service Water Pumps are piped to 2 separate, interconnected but isolated, supply paths.

Normally two of the three Service Water Pumps and their associated automatic motor-operated strainers will be in operation. One pump will be electrically aligned to the C1 bus and the other to the D1 bus. The Service Water Pumps and strainers are located in the Intake Structure.

To achieve Cold Shutdown or to maintain Hot Standby, one Service Water Pump (primary side) provides water to one CCW Heat Exchanger and one Containment Air Cooler (CAC) (CAC #1 and CAC #2 are the accredited components for shutdown). This pump is also lined up to a CREVS Condenser Unit.

In order to assure that one Service Water Pump will provide the necessary cooling for the above-mentioned essential loads, the connection to the TPCW Heat Exchangers must be isolated. In order to avoid Service Water Pump runout, it is necessary to ensure that no more than one Containment Air Cooler is aligned to the Service Water Pump in use. The Appendix R evaluation assures the availability of one of the three Service Water Pumps (or Backup Service Water Pump) at all times. The capability of the SWS to supply Appendix R loads has been evaluated (see Ref. 2.6.Q).

An Alternate Shutdown method, in accordance with Section III.G.3 of Appendix R to 10CFR50, has been installed in a separate fire area to provide service water to the plant if a fire disables all three existing service water pumps located in the Service Water Pump Room. The details of this Backup Service Water Pump modification were submitted to the NRC on April 29, 1982 (Reference 2.5.A).

3.6.11 Heating, Ventilation and Air Conditioning (HVAC)

Essential HVAC is provided for area cooling for Safe Shutdown systems/components that generate a large heat load to assure a suitable environment for equipment and personnel. The systems are safety grade and seismic Class I (except Backup SW Pump Room).

The availability of room cooling for the following rooms is assured to support Safe Shutdown:

1. Low Voltage Switchgear Rooms
2. Battery Rooms
3. Emergency Diesel Generator Rooms
4. AFW Pump Rooms
5. SW Pump Rooms
6. Backup SW Pump Room

NOTE: CAC and CREVS Systems are discussed separately.

The following is a brief description of the Safe Shutdown Ventilation Systems:

1. Low Voltage Switchgear Rooms - The Low Voltage Switchgear Rooms have independent outside air intakes and ventilation fans to maintain a suitable environment for essential equipment during emergency conditions. The operation of the system is controlled by a temperature control system.
2. Battery Rooms - Each Battery Room is ventilated by providing an air intake and an independent exhaust fan for normal operation. The air intake fan motor for each room is supplied from an essential motor control center. The exhaust fans are not included in the Appendix R analysis as Safe Shutdown equipment.
3. Emergency Diesel Generator Rooms - The Emergency Diesel Generator Rooms are each ventilated by two half-capacity supply air fans to ensure adequate ventilation and safe operation of the diesel generators. The supply fans in the Emergency Diesel Generator Rooms are interlocked with the diesel generators so that the fans operate at any time the diesel generators are operating. The air from the Diesel Generator Rooms is discharged directly to the atmosphere through the roof.
4. AFW Pump Rooms - The ventilation system for the AFW Pump Rooms consists of one 100-percent capacity essential exhaust fan and ductwork per pump room. Each exhaust fan is automatically started by its pump room temperature switch. Manual control is also provided to allow for operation override of the room temperature switch.

5. SW Pump Room - The SW Pump Room Ventilation System consists of four essential ventilation fans and associated temperature switches.
6. Backup Service Water Pump Room - The Backup Service Water Pump Room Ventilation System consists of one fan and four dampers.

3.6.12 Emergency Diesel Generators (EDG)

The plant emergency power system includes an onsite independent, automatically or manually starting emergency power source which supplies power to Safe Shutdown equipment if the normal or offsite power sources are unavailable.

The emergency power source consists of two redundant emergency diesel generator units, one connected to the essential 4.16kV Bus C1 and the other connected to the essential 4.16kV Bus D1. The emergency diesel generators are provided as onsite standby power sources to supply their respective essential buses upon loss of the normal and the reserve power sources. Bus load shedding and isolation, bus transfer to the emergency diesel generator, and pickup of critical loads are automatic.

Each emergency diesel generator is rated at 2600 kW (continuous rating). The emergency diesel generator is capable of obtaining rated frequency and voltage approximately 10 seconds after the engine start signal is received.

Each emergency diesel engine is equipped with its own auxiliaries. These include starting air receivers, fuel oil, lube oil, cooling water, intake and exhaust system, voltage regulator and controls. Cooling Water is provided from the Component Cooling Water System, while electric power for each engine's auxiliaries is provided by its own generator and station batteries.

Cranking power for each emergency diesel is supplied from its respective high pressure starting air system. Air for starting a diesel is derived from two air receivers each containing enough high pressure compressed air to provide for five consecutive starts without recharging.

There are two fuel oil storage tanks (Week Tanks) physically separated from each other (each tank is of 40,000 gallon capacity). Each storage tank supplies fuel to one emergency diesel generator's day tank. One fuel oil transfer pump per diesel generator provides transfer capability from the storage tank to the individual diesel generator day tank. The 100,000 gallon diesel Oil Tank and Transfer Pumps provide a backup to the Week Tanks.

In addition to the two emergency diesel generators discussed above, Davis-Besse installed a third diesel generator. The third one was installed to meet the Station Blackout Rule, 10CFR50.63. This diesel generator is non-essential and is manually started and manually loaded to the D2 bus. The Station Blackout Diesel Generator (SBODG) is totally self-contained (e.g., cooling water, starting air and fuel). Since it was installed after completion of the Appendix R analysis, no credit for it is taken in the FHAR. A review of the circuits associated with the SBODG shows that the following fire areas contain circuits: FF, II, P, Q and S.

3.6.13 Essential Electrical Distribution System (ESSPWR)

The Essential Electrical Distribution System consists of Essential 4160V, 480V, 240V, and 120V AC power, as well as 125V DC power. The following is a brief description of the various power supplies:

1. 4160 Volt Auxiliary System - Power supply to the 4160 volt system is from two 12/16 MVA bus tie transformers which step down the voltage from 13800 volts to 4160 volts. Each bus tie transformer normally supplies one essential and one nonessential 4160 Volt bus and is available as a reserve source for the other two 4160V buses.

The 4160V auxiliary distribution system consists of four 4160V, 2000 amp buses. Two essential buses C1 and D1 provide power to engineered safety feature equipment for Safe Shutdown. The essential 4160V buses supply the following loads:

a. Service Water Pumps
b. High Pressure Injection Pumps
c. Decay Heat Removal Pumps
d. Component Cooling Water Pumps
e. Essential 4160V-480V Unit Substation Transformers
f. Makeup Pumps

In addition, a third Service Water Pump and a third Component Cooling Water Pump are provided. Each of these two pumps is connected to two 4.16kV Kirk key interlocked, manually controlled transfer switching breakers. The Kirk key interlock permits only one breaker to be closed at a time. Each pair of breakers is connected to a separate essential 4.16kV bus with electrical interlocks that allow one pump to be operated at a time from each bus.

The 4160 Volt Nonessential Switchgear Buses C2 and D2 supply power to the Backup Service Water Pump and Motor-Driven Feedwater Pump, respectively. Buses C2 and D2 can be manually aligned to Essential Buses C1 or D1 (backfeed).

2. 480V AC Essential Distribution System - The station essential 480V AC distribution system consists of two 1000kVA 4160-480V AC essential unit substations (E1 and F1) for the supply of power to the 480V AC Safety Loads.

Each essential 480V AC unit substation is supplied from its corresponding 4.16kV essential bus through redundant 1200 ampere circuit breakers. One feeder is connected to the primary side of each transformer. The transformer secondary side is connected to the 480V, 1600 amp bus through a 1600 amp circuit breaker. During normal operation, both of the essential unit substation transformers are energized with one transformer carrying the load and the second transformer carrying no load. Transfer from one transformer to the other is by manual control only; automatic transfer is not provided.

The essential 480V AC system contains approximately 30 motor control centers which supply essential station loads. The motor control centers are supplied from the unit substations (E1 and F1).

3. 240V & 120V AC Essential and Nonessential Distribution System - The station essential and nonessential 240V and 120V AC system necessary for Safe Shutdown consists of:
a. Four essential instrument channels, each supplied from a 125V DC/120V AC inverter.
b. Two 120V AC uninterruptible power supply distribution panels (YAU and YBU) for instrumentation, each supplied from a 250V DC/120V AC inverter.
c. Two essential 120V AC MCCs (YE1 and YF1).
d. Two essential 240V AC MCCs (YE2 and YF2).

4. 125V DC Distribution System - The station DC equipment consists of:
a. Two 250/125V DC motor control centers.
b. Four station batteries.
c. Six battery chargers.
d. Four 125V DC essential distribution panels.
e. Four 480V AC/125V DC rectifiers.
f. Four 125V nonessential distribution panels.

The system is designed to provide a continuous, reliable, and redundant 250/125V DC power source for control, instrumentation and DC loads required for normal operation and orderly shutdown and control of the station. The system is arranged to form two completely independent load groups. The DC equipment is classified as Class 1E except for nonessential distribution panels.

3.6.14 Process Monitoring

The operator requires indication of various plant parameters to perform required system transitions and essential operator actions. A discussion, by Safe Shutdown function, of the necessary instrumentation is provided below.

For the fire scenarios assumed in this analysis, inventory Makeup to the Reactor Coolant System will be from the Borated Water Storage Tank (BWST) through the High Pressure Injection (HPI) System, or the Makeup System, into the Reactor Vessel. No operator actions are expected or anticipated based on direct-reading neutron monitoring to ensure an adequate Safe Shutdown negative reactivity margin. However, Core Source Range Flux Monitors are available for Core activity monitoring in the Control Room. A nonsafety grade, nonseismic source range flux channel is also available outside of the Control Room fire area to provide this information for areas requiring Alternative Shutdown from outside the Control Room.

Various process monitoring functions are required to achieve and maintain the Reactor Coolant Makeup, Pressure Control and Decay Heat removal functions. For the assumed fire scenario, maintenance of Hot Standby requires that Pressurizer level and RCS pressure and temperature instrumentation be available. Reactor Coolant System temperature is maintained during Hot Standby by proper decay heat removal via Steam Generators and operation of the atmospheric vent valves.

Operations personnel, by monitoring RCS Pressure and Hot Leg Temperature (Th) instrumentation, will control the rate of cooldown to assure that appropriate subcooled margin is maintained. Pressurizer level is controlled by monitoring Pressurizer level instrumentation and manually controlling the HPI or Makeup System flow.

Maintenance of Hot Standby or initial Pressurizer cooldown in the absence of Pressurizer heaters requires the control of the secondary system to compensate for variations in the primary system performance. Monitoring of Steam Generator level and pressure is available to assure adequate and controlled decay heat removal. The level control is achieved by automatic (or remote manual) control of AFW System flow, based on Steam Generator level indication.

The transition from Hot Standby to Cold Shutdown will utilize the instrumentation discussed above for monitoring of natural circulation conditions, subcooling margin, heat removal and compliance with the plant's pressure/temperature limits as they pertain to the low temperature overpressure protection of the Reactor Coolant System (Cold Leg Temperature in conjunction with RCS Pressure).

IE Information Notice No. 84-09 (Reference 2.4.B) provides a list of the minimum monitoring capability the NRC staff considers necessary to achieve Safe Shutdown. For Pressurized Water Reactors, the list includes:

a. Pressurizer pressure and level
b. Reactor Coolant Hot Leg Temperature or exit core thermocouples, and Cold Leg Temperature
c. Steam Generator pressure and level (wide range)
d. Source Range Flux
e. Diagnostic instrumentation for Shutdown systems
f. Level indication for all tanks used

A review has been performed to ensure the availability of instrumentation outside of the Control Room that must be monitored based upon a postulated fire within the Control Room. RCS pressure and temperature and Pressurizer level indication exist both inside and outside the Control Room to satisfy categories (a) and (b) above.

The following instrumentation is provided to monitor the necessary variables to meet (c), (d), (e) and (f).

1. Steam Generator Pressure Monitor - Steam Generator outlet pressure indication is available at the Control Room and Auxiliary Shutdown Panels.
2. Steam Generator Level (wide range) Monitor - The startup range monitors which are provided from both the Control Room and Auxiliary Shutdown Panel are used for SSD. In the cooldown mode the AFW System will be operating such that the Steam Generator(s) level is maintained within this monitoring range.
3. Source Range Flux Monitor - Core source range flux monitors are available for Core activity monitoring in the Control Room. A nonsafety grade source range flux indicator is available outside the Control Room to provide this information when Shutdown from outside the Control Room is required.
4. Diagnostic Instrumentation for Shutdown Systems -
a. Diagnostic instrumentation for EDG 1 is available locally at the Emergency Diesel Generator 1-1 Electrical Control & Relay Panel (C3615).
b. Primary injection diagnostic monitoring (i.e., DHRS/LPIS Flow and Makeup Flow) can be performed by monitoring primary pressure, Hot Leg Temperatures and Pressurizer level from the Control Room or Auxiliary Shutdown Panel to verify adequate primary injection.
c. Additional diagnostic instrumentation for the HPI and Makeup Systems, in the form of flow indication, is available in the Control Room. A means of monitoring HPI Flow is available at the Auxiliary Shutdown Panel.
d. Direct indication of Makeup Pump runout is provided by diagnostic flow instrumentation in the Control Room and discharge pressure indication locally at the Makeup Pumps.
5. Level Indication for Tanks - Level indication, where required, for tanks is provided locally. For example, only a small portion of the 500,000-gallon BWST is needed for shutdown; therefore, level indication is not required, while the Condensate Storage Tanks and EDG Day Tanks are provided with local level gages.

3.6.15 Safety Features Actuation System (SFAS)

The Safety Features Actuation System (SFAS) initiates several accident mitigating actions based on various inputs. The SFAS input signals are as follows:

a. Reactor Coolant System Low and Low-Low Pressure
b. Containment High and High-High Pressure
c. Borated Water Storage Tank Low Level

SFAS is not required to achieve safe shutdown in the event of a fire; however, in the event of loss of power to the non-accredited train (e.g. Ch 1/3 or Ch 2/4), SFAS could cause the spurious actuation of the following systems:

Containment Spray (CS)

Decay Heat Removal/Low Pressure Injection (DHR/LPI)

High Pressure Injection (HPI)

This would result in closure of Containment Isolation Valves for the following Safe Shutdown systems:

Component Cooling Water

Makeup & Purification (Letdown)

Makeup & Purification (RCP Seal Return)

Makeup & Purification (RCP Seal Injection)

Both channels of SFAS are not assumed to actuate. This is due to the physical arrangement of the power supplies that must be affected. Operator actions (e.g. block the SFAS initiating signal, trip the pump, close a discharge valve, etc.) are taken early in the fire scenario to prevent or mitigate the spurious actuation of individual components that may actuate.

3.6.16 Steam and Feedwater Rupture Control System (SFRCS)

The Steam and Feedwater Rupture Control System (SFRCS) provides a means of initiating Auxiliary Feedwater (AFW) based on certain parameters that would indicate a rupture in the Main Steam and/or Main Feedwater System. SFRCS also has a set of manual actuation pushbuttons (located in the Control Room). The Serious Control Room Fire procedure, DB-OP-02519, has as the second immediate action to manually actuate SFRCS. This closes the AVVs and MSIVs as well as other actions.

The AFW System can be aligned such that each AFW Pump receives steam from, and provides feedwater to, its associated steam generator, or such that both AFW Pumps receive steam from one steam generator and provide feedwater to that generator ("feed only good generator"). The only signal that results in the "feed only good generator" alignment is steam generator low pressure. Steam generator low pressure overrides any other signal. All other indications (low steam generator level, reverse main feed line differential pressure, loss of all reactor coolant pumps, high steam generator level and manual actuation) result in each AFW Pump receiving steam from and providing feedwater to its associated steam generator. Loss of power to both SFRCS actuation channels results in the respective Train AFW Pump receiving steam from and providing feedwater to its associated steam generator.

For the purpose of Appendix R analyses, SFRCS is assumed to actuate due to Loss Of Offsite Power resulting in a trip of all four RCPs. For those areas containing SFRCS Circuits, an evaluation is made to determine if the "feed only good generator" alignment may result due to circuit failure.

3.6.17 Containment Spray

The Containment Spray System (CSS) is an engineered safety feature designed to remove the post-loss-of-coolant accident (LOCA) heat release to the Containment. The CSS cools and reduces the pressure in the post-LOCA atmosphere by spraying borated water into the Containment atmosphere. The system is actuated automatically by the Safety Features Actuation System (SFAS). Actuation of the CSS during normal operation could result in a negative pressure in the Containment.

This system is not required to achieve safe shutdown for fire; however, in the event of inadvertent spraying of the Containment, the potential exists for containment vessel buckling if a sufficient number of vacuum breakers are not open. This has been evaluated and documented in calculation C-NSA-061.01-007 (Ref. 2.6.M). The calculation evaluated the case of one of two Containment Spray Pumps spuriously starting and five of ten vacuum breakers spuriously closing. It was determined that this scenario would not result in sufficient negative pressure in Containment to cause containment vessel buckling. The calculation did not evaluate less credible scenarios involving multiple spurious actuations of two Containment Spray Pumps in conjunction with one or more vacuum breakers closed.

Even though the likelihood of this event is very low, operator actions are taken early in the fire scenario to isolate both containment spray pumps in order to prevent a spurious start of the pumps.

3.7 Safe Shutdown System Components

3.7.1 Introduction

Section 3.6 describes the specific systems which will be utilized to achieve Safe Shutdown.

This section discusses the method of selection of Safe Shutdown components. A Safe Shutdown Components List (SSCL) is included as Appendix A to this report.

3.7.2 Methodology

For the Safe Shutdown Systems established in Section 3.6, the following steps were utilized in developing a list of Safe Shutdown components:

1. All active and passive components that are required to function were identified from the P&IDs.
2. The normal flow paths for those systems identified as Safe Shutdown Systems were traced on the P&IDs.

(a) Minimum Complement - Those components identified on the main path such as pumps, valves, blowers, and dampers, which are required to function in order to achieve the system function.

(b) Alternate - Any piece of equipment which does not normally perform that function but can be used as a substitute for another component and still achieve the system function.

(c) Backup - Any piece of equipment whose primary purpose is to provide the same function as a necessary piece of equipment under consideration.

(d) Spurious Actuation - Any component that could spuriously actuate in a position detrimental to proper system operation (either on the main flow path or branch lines), or whose maloperation could result in a breach of the Reactor Coolant Boundary.

Branching lines coming off of the main path that could provide flow diversion were traced to identify those components providing isolation for the main path.

(e) The term High/Low Pressure Interfaces refers to those components which, as a result of a malfunction, may result in the inadvertent blowdown of RCS inventory to a low pressure region such as a low pressure pipe, tank or Containment Atmosphere. Generic Letter 81-12 and Generic Letter 86-10 provide guidance on evaluating these components. The evaluations are found in the fire area sections. These components are listed as H/L Components in Appendix A.

The following are High/Low Pressure Interface Valves:

DH11

RC2A

DH12

RC200

RC239A, B

RC4608A, B

RC4610A, B

RC11

RC4632

3. The minimum instrumentation necessary to satisfy the requirements of Appendix R was identified.
4. The minimum components required for assuring Essential Power to energize safe shutdown components in the event of a Loss Of Offsite Power (LOOP) were identified.

The activities performed in this review culminated in the Safe Shutdown Components List (SSCL). All components on the list were designated as required for Hot Standby and/or Cold Shutdown, as applicable. The Safe Shutdown Components List is included as Appendix A to this document.

3.8 Safe Shutdown System Circuits

3.8.1 Introduction

The Safe Shutdown Components List (SSCL) was the basic input for the identification of electrical circuits essential to ensure proper equipment performance. The circuits identified included those for power, control and instrumentation.

3.8.2 Methodology

The following is a discussion of the steps that were performed to identify the Safe Shutdown circuits and their routings throughout the plant:

1. For each component identified in the SSCL (Appendix A) which has an electrical interface, a review of its Elementary Wiring Diagram (EWD) (Reference 2.1.C) was performed. The block diagram for each component identifies all circuits related to that component. For each component, all circuit cables that ensure operability of the component were identified as required for Safe Shutdown.

Those circuits that are not required for Safe Shutdown include annunciator, computer, motor heater and external monitoring circuits that are electrically isolated from the electrical circuits of concern.

2. The physical cable routings for power, control and instrumentation circuits were identified by reviewing the Electrical Circuit Schedules (Reference 2.1.I) and Electrical Raceway Schedules (Reference 2.1.J). Also included in the identification process were subcomponents, such as junction boxes, terminal boxes, local control panels, relay cabinets, switches and transmitters.
3. The cable routing information identified in Step 2 was then utilized to trace these cables on the electrical raceway and grounding drawings. In this way, the fire areas that each safe shutdown circuit traverses were identified per circuit.


4. The tracing of all Safe Shutdown circuits culminated in the development of a database that identifies all raceway routings (by fire area) for all circuits associated with Safe Shutdown components.

From this database, the Circuit/Subcomponent Location Summary by System (Appendix B-1) was generated which includes the following data in a column listing:

a. System performing the Safe Shutdown function
b. Component, and circuits for the component
c. Circuit description
d. Fire areas in which the component and circuits are located
e. Raceway, conduit or cable tray identification
f. Electrical raceway and/or raceway and grounding drawing reference
5. The computer database listing of components, conduits and cable trays was then sorted to list the components and circuits within each fire area by system. This resulted in the Circuit/Subcomponent Location Summary by Fire Area (Appendix B-2).
6. An evaluation was made for each fire area to ensure that the Safe Shutdown functions can be performed for a fire in each fire area. The results of these evaluations are in Section 4.6 of this report.
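
The sort-and-evaluate flow of steps 4 through 6, as an added Python example that is not part of the FHAR. The row layout, train numbers, component, circuit, raceway and fire area identifiers are constructed, and the pass/fail rule is a simplifying assumption: any circuit routed through the burning area is treated as lost, and a system is flagged when no train remains free of damage.

```python
from collections import defaultdict

# Constructed sample rows (not plant data): one row per circuit routing,
# loosely mirroring columns a-e of the by-system summary in step 4.
# (system, train, component, circuit, fire_area, raceway)
ROUTINGS = [
    ("AFWS", 1, "PUMP-1", "PUMP-1-PWR", "FA-A", "TRAY-101"),
    ("AFWS", 1, "PUMP-1", "PUMP-1-CTL", "FA-B", "COND-201"),
    ("AFWS", 2, "PUMP-2", "PUMP-2-PWR", "FA-B", "TRAY-202"),
    ("AFWS", 2, "PUMP-2", "PUMP-2-CTL", "FA-C", "COND-301"),
    ("SWS", 1, "PUMP-3", "PUMP-3-PWR", "FA-A", "TRAY-101"),
    ("SWS", 2, "PUMP-4", "PUMP-4-PWR", "FA-C", "TRAY-302"),
]


def by_fire_area(routings):
    """Step 5: re-sort the by-system listing into fire area -> system -> rows."""
    index = defaultdict(lambda: defaultdict(list))
    for system, train, component, circuit, area, raceway in routings:
        index[area][system].append((train, component, circuit, raceway))
    return index


def trains_by_system(routings):
    """Collect every train that appears for each system anywhere in the plant."""
    trains = defaultdict(set)
    for system, train, *_ in routings:
        trains[system].add(train)
    return trains


def evaluate(routings):
    """Step 6, simplified (assumed rule): for a fire in each area, every
    circuit routed through that area is lost; list the systems for which
    all known trains are affected and so need a closer evaluation."""
    all_trains = trains_by_system(routings)
    findings = {}
    for area, systems in sorted(by_fire_area(routings).items()):
        lost = {s: {row[0] for row in rows} for s, rows in systems.items()}
        findings[area] = sorted(s for s, t in lost.items() if t == all_trains[s])
    return findings


if __name__ == "__main__":
    for area, flagged in evaluate(ROUTINGS).items():
        status = "evaluate: " + ", ".join(flagged) if flagged else "one train free"
        print(f"{area}: {status}")
```

With the constructed rows, only FA-B is flagged, because circuits for both AFWS trains pass through it.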

3.9 Plant Security

3.9.1 Introduction

The Security System has been evaluated to determine its adequacy to support Safe Shutdown.

The discussion below provides a description of this system relative to Safe Shutdown, and the basis for the conclusion of its adequacy.

3.9.2 Description

If the plant security computer were lost due to a fire, all fire doors would fail in the closed and locked position. This prevents unauthorized entry into rooms or areas of the plant which contain nuclear safety-related equipment or equipment critical to maintaining safe Reactor operation.

Operators carry master keys for all room doors in the plant, thus ensuring access to all areas of the plant where local actions are required. Control of the emergency key rings is maintained in accordance with administrative procedures.

Based on the above, during conditions when the plant security computer is inoperable, access to areas required to safely shut down the plant would be available.

Table 3-1 SAFE SHUTDOWN SYSTEMS

AFWS - Auxiliary Feedwater System
CACS - Containment Air Cooling System
CCWS - Component Cooling Water System
CFS - Core Flood System
CREVS - Control Room Emergency Ventilation System
CSS - Containment Spray System
DHRS - Decay Heat Removal
EDG - Emergency Diesel Generators
ESSPWR - Essential Electrical Distribution System
HPIS - High Pressure Injection System
HVAC - Heating, Ventilation and Air Conditioning
MSS - Main Steam System
MUPS - Makeup and Purification System
NI/NNI - Process Monitoring
RCS - Reactor Coolant System
SFAS - Safety Features Actuation System
SFRCS - Steam and Feedwater Rupture Control System
SWS - Service Water System