ML20212F192: Difference between revisions

From kanterella
Jump to navigation Jump to search
(StriderTol Bot insert)
 
(StriderTol Bot change)
 
Line 52: Line 52:
4 At the request of the NRC Office of Nuclear Reactor Regulation, the Engineering Technology Division of Brookhaven National Laboratory (BNL) performed an independent review of the post fire safe shutdown methodology and analysis of associated circuits documented in Revision 4 of the
4 At the request of the NRC Office of Nuclear Reactor Regulation, the Engineering Technology Division of Brookhaven National Laboratory (BNL) performed an independent review of the post fire safe shutdown methodology and analysis of associated circuits documented in Revision 4 of the
                       -Susquehanna Steam Electric Station Fire Protection Review Report, dated May 1993. This review concentrated on an evaluation of post fire safe shutdown capability, associated circuits, and the licensee's separation analysis methodology.
                       -Susquehanna Steam Electric Station Fire Protection Review Report, dated May 1993. This review concentrated on an evaluation of post fire safe shutdown capability, associated circuits, and the licensee's separation analysis methodology.
Based on the results of a preliminary review of Revis:on 4 of the FPRR, by letter dated February 3, 1995, BNL submitted a Request for Additional Information (RAI) to NRR. Following its review, NRR forwarded 61: equest to the licensee, and by letter dated May 22,1995, PP&L provided its
Based on the results of a preliminary review of Revis:on 4 of the FPRR, by {{letter dated|date=February 3, 1995|text=letter dated February 3, 1995}}, BNL submitted a Request for Additional Information (RAI) to NRR. Following its review, NRR forwarded 61: equest to the licensee, and by {{letter dated|date=May 22, 1995|text=letter dated May 22,1995}}, PP&L provided its
                       - reponse. T'        S.      .- - -    s  --d' May 22,1995 response identified several additional issues > ' .a wo@d squim funk chuhE                              H '"' letter dated June 28,1995, BNL submitted a seco . RM 1 EM 'd.id was the faru ar&d th.
                       - reponse. T'        S.      .- - -    s  --d' May 22,1995 response identified several additional issues > ' .a wo@d squim funk chuhE                              H '"' {{letter dated|date=June 28, 1995|text=letter dated June 28,1995}}, BNL submitted a seco . RM 1 EM 'd.id was the faru ar&d th.
                       - To obtu deu ,4 rif.totJn : &W csoesid? Mied during the review of the PP&L
                       - To obtu deu ,4 rif.totJn : &W csoesid? Mied during the review of the PP&L
                         .su' WNi, BNL ud NG ; ww nt w M i.W y trer, de on two separate occasions. These
                         .su' WNi, BNL ud NG ; ww nt w M i.W y trer, de on two separate occasions. These
                       - me up were unduct d ai hw Headgw,us in hockv;" , Maryland on August 29,1995, and at the lir, ,
                       - me up were unduct d ai hw Headgw,us in hockv;" , Maryland on August 29,1995, and at the lir, ,
* 9tmem.; immyMrh emen ori knw M,1996. Dy letter dated April 23,1996, PP&L pr.nUm .. : ; we ta * <tiwsed in th . mis, and during the January 26,1996 meetinr,.
* 9tmem.; immyMrh emen ori knw M,1996. Dy {{letter dated|date=April 23, 1996|text=letter dated April 23,1996}}, PP&L pr.nUm .. : ; we ta * <tiwsed in th . mis, and during the January 26,1996 meetinr,.
                         'The results of the our evaluation of the Cusquehanna Steam Electric Station FPRR Revision 4 and subsequent licensee submittals described above, were documented in a Draft Technical Evaluation
                         'The results of the our evaluation of the Cusquehanna Steam Electric Station FPRR Revision 4 and subsequent licensee submittals described above, were documented in a Draft Technical Evaluation
~
~
Line 71: Line 71:
NRC Information Notice 92-18) to the extent that the licensee's evaluation of this concern (Calculation EC-013-085) did not provide sufficient definitive information necessary to fully endorse its disposition of valves potentially affected by the failure mode described in NRC Information Notice (IN) 9218.
NRC Information Notice 92-18) to the extent that the licensee's evaluation of this concern (Calculation EC-013-085) did not provide sufficient definitive information necessary to fully endorse its disposition of valves potentially affected by the failure mode described in NRC Information Notice (IN) 9218.
: 2.      Evaluation of the potential for spurious opening of Suppression Pool Drain Valves HV-15766, HV 15768 and HV-15769 (Unit 1) and valves HV-25766, HV-25768 and HV-25769 (Unit 2), as a result of a control room fire. Fire-induced spurious opening of these valves could cause the Suppression Pool to drain down to Liquid Radwaste, thereby affecting the performance of Emergency Core Cooling System (ECCS) purr.ps used for post fire safe shutdown. None of the potentially affected valves are capable of being electrically isolated from the control room (e.g., by means ofisolation/ transfer switches) and at least one vaJve must remain closed to prevent flow diversion from the suppression pool.
: 2.      Evaluation of the potential for spurious opening of Suppression Pool Drain Valves HV-15766, HV 15768 and HV-15769 (Unit 1) and valves HV-25766, HV-25768 and HV-25769 (Unit 2), as a result of a control room fire. Fire-induced spurious opening of these valves could cause the Suppression Pool to drain down to Liquid Radwaste, thereby affecting the performance of Emergency Core Cooling System (ECCS) purr.ps used for post fire safe shutdown. None of the potentially affected valves are capable of being electrically isolated from the control room (e.g., by means ofisolation/ transfer switches) and at least one vaJve must remain closed to prevent flow diversion from the suppression pool.
On July 25,1996, the open issues described in the Draft BNL TER were discussed during a telephone conference held between the BNL reviewer, representatives of NRR, and the licensee, and on September 4,1996 the BNL reviewer participated in an additional telephone conference with representatives of NRR and the licensee. During this discussion, the licensee presented proposed strategies for: (a) resohing the open TER items, and; (b) resching an additional vulnerability invohing the potential for spurious operation of non-essential coolant injection systems (i.e., injection systems not credited in the safe shutdown analysis) to cause a reactor overfill condition. The licensee committed to provide a detailed description of each issue and proposed methods of resolution in a formal response to NRR The Draft TER open issues are principally the result of certain inappropriate assumptions used by the licensee during its evaluation of spurious equipment operations that may occur as a result of fire-induced " hot short" type cable faults. By letter dated December 6,1996, the licensee provided its revised criteria for fire-initiated spurious operations end described its methods for resohing the remaining open issues.
On July 25,1996, the open issues described in the Draft BNL TER were discussed during a telephone conference held between the BNL reviewer, representatives of NRR, and the licensee, and on September 4,1996 the BNL reviewer participated in an additional telephone conference with representatives of NRR and the licensee. During this discussion, the licensee presented proposed strategies for: (a) resohing the open TER items, and; (b) resching an additional vulnerability invohing the potential for spurious operation of non-essential coolant injection systems (i.e., injection systems not credited in the safe shutdown analysis) to cause a reactor overfill condition. The licensee committed to provide a detailed description of each issue and proposed methods of resolution in a formal response to NRR The Draft TER open issues are principally the result of certain inappropriate assumptions used by the licensee during its evaluation of spurious equipment operations that may occur as a result of fire-induced " hot short" type cable faults. By {{letter dated|date=December 6, 1996|text=letter dated December 6,1996}}, the licensee provided its revised criteria for fire-initiated spurious operations end described its methods for resohing the remaining open issues.
This Technical Evaluation Report (TER) documents the results of the BNL evaluation of the Susquehanna Steam Electric Station Appendix R Safe Shutdown Analysis, as documented in Revision 4 of the FPRR and the subsequent PP&L submittals described above, including Spurious Operations Criteria (PLA-4505), dated December 6,1996.
This Technical Evaluation Report (TER) documents the results of the BNL evaluation of the Susquehanna Steam Electric Station Appendix R Safe Shutdown Analysis, as documented in Revision 4 of the FPRR and the subsequent PP&L submittals described above, including Spurious Operations Criteria (PLA-4505), dated December 6,1996.
The licensee has developed three shutdown methods, designated Paths 1,2 and 3, which are capable of bringing the plant to a cold shutdown condition in the event of fire. Paths I and 3 consist of the Automatic Depressunzation System (ADS) and Core Spray System (CSS), Divisions I and II respectively. In general, Paths 1 and 3 (ADS / CSS) are used in the event of fire in areas in wh'ch habitability and control from the Control Room are assured. Since use of ADS / CSS would allow reactor coolant process variables to vary from those normally predicted for a loss of normal a.c.
The licensee has developed three shutdown methods, designated Paths 1,2 and 3, which are capable of bringing the plant to a cold shutdown condition in the event of fire. Paths I and 3 consist of the Automatic Depressunzation System (ADS) and Core Spray System (CSS), Divisions I and II respectively. In general, Paths 1 and 3 (ADS / CSS) are used in the event of fire in areas in wh'ch habitability and control from the Control Room are assured. Since use of ADS / CSS would allow reactor coolant process variables to vary from those normally predicted for a loss of normal a.c.
Line 85: Line 85:
actuations of equipment as a result of fire and potential for loss of remote shutdown capability
actuations of equipment as a result of fire and potential for loss of remote shutdown capability
           - concerns described in IN 92-18.
           - concerns described in IN 92-18.
As a result ofissues identified in the drall BNL TER and subsequent communications between the licensee and NRR, by letter dated December 6,1996 the licensee submitted revised criteria governing its evaluation of fire induced spurious operations. A review of these criteria found them to include technically sound assumptions for evaluating fire-induced spurious actuations, and implementation required the licensee to effect di.qes to both the plant design and abnormal operating procedures la order to satisfy the post ftre safe shutdown criteria of Sections III.G and III.L to Appendix R to 10 CFR 50.
As a result ofissues identified in the drall BNL TER and subsequent communications between the licensee and NRR, by {{letter dated|date=December 6, 1996|text=letter dated December 6,1996}} the licensee submitted revised criteria governing its evaluation of fire induced spurious operations. A review of these criteria found them to include technically sound assumptions for evaluating fire-induced spurious actuations, and implementation required the licensee to effect di.qes to both the plant design and abnormal operating procedures la order to satisfy the post ftre safe shutdown criteria of Sections III.G and III.L to Appendix R to 10 CFR 50.
In general, the licensee's post fire safe shutdown methodology and analysis of associated circuits, as amended to include consideration ofits revised criteria governing the evaluation of fire-induced spurious operations, was found to satisfy the requirements of Section III.G and III.L to Appendix R to 10 CFR 50 and is, therefore, acceptable except for the following:
In general, the licensee's post fire safe shutdown methodology and analysis of associated circuits, as amended to include consideration ofits revised criteria governing the evaluation of fire-induced spurious operations, was found to satisfy the requirements of Section III.G and III.L to Appendix R to 10 CFR 50 and is, therefore, acceptable except for the following:
           . 1.          During a September 4,1996 telephone conference, the licensee stated that mitigating inadvertent condensate injection is not time critical (approximately I hour would be availt.ble to take mitigating action) and would be addressed procedurally by incorporating manual operator actions into existing procedures. In its December 6,1996 st bmittal, however, the licensee states that an analysis of this concern is yet to be performed. Pending NRC review i
           . 1.          During a September 4,1996 telephone conference, the licensee stated that mitigating inadvertent condensate injection is not time critical (approximately I hour would be availt.ble to take mitigating action) and would be addressed procedurally by incorporating manual operator actions into existing procedures. In its December 6,1996 st bmittal, however, the licensee states that an analysis of this concern is yet to be performed. Pending NRC review i
Line 266: Line 266:
and RHR will be available for suppression pool cooling during hot shutdown. As RCS pressure is reduced to less than 98 psig, RHR will also be available for the shutdown cooling mode of operation.                        -
and RHR will be available for suppression pool cooling during hot shutdown. As RCS pressure is reduced to less than 98 psig, RHR will also be available for the shutdown cooling mode of operation.                        -
As decribed in NRC IN 92 18, however, there is a potential for fire induced hot shorts to occur in the control circuits of certain motor operated valves (MOVs) needed to shutdown the reactor and maintain it in a safe condition prior to their isolation at the RSP. Since the faulted miition would cause thennal overload, with limit and ten.ue switch protect.'on bypassed, spurious valve operations                        ,
As decribed in NRC IN 92 18, however, there is a potential for fire induced hot shorts to occur in the control circuits of certain motor operated valves (MOVs) needed to shutdown the reactor and maintain it in a safe condition prior to their isolation at the RSP. Since the faulted miition would cause thennal overload, with limit and ten.ue switch protect.'on bypassed, spurious valve operations                        ,
.                                could possibly result in mechanical damage to the valve. By letter dated April 23,1996, PP&L provided the results ofits evaluation of thl concern (ref: PP&L Calculation EC-013 0859, Attachment C). A detailed discussion of the licensee's approach for resolving this concem is provided in Section 3,3,3 below.-
.                                could possibly result in mechanical damage to the valve. By {{letter dated|date=April 23, 1996|text=letter dated April 23,1996}}, PP&L provided the results ofits evaluation of thl concern (ref: PP&L Calculation EC-013 0859, Attachment C). A detailed discussion of the licensee's approach for resolving this concem is provided in Section 3,3,3 below.-
All components on the RSPs are designated as Path 2 Safe Shutdown Componentif Support systems, such electrical motive or control power, for the front line systems described above may also be used                        i l                                to suppor* Safe Shutdown Paths I or 3.- Therefore, these components are designated as multi path
All components on the RSPs are designated as Path 2 Safe Shutdown Componentif Support systems, such electrical motive or control power, for the front line systems described above may also be used                        i l                                to suppor* Safe Shutdown Paths I or 3.- Therefore, these components are designated as multi path
                               - components, e.g. Path I and 2 or Path 2 and 3 The licensee states that these components have been                            :
                               - components, e.g. Path I and 2 or Path 2 and 3 The licensee states that these components have been                            :
Line 328: Line 328:
The initial review of Revision 4 to Susquehanna Steam Electnc Station (SSES) Fire Protection Review Report (FPRR), identified questions and concerns regarding certain assumptions used by the licensee in its analysis of potential fire induced ;purious operations. Spcifically, the review identified examples where redundant valves rnay be subject to spurious actuations (i.e. undesirable change of position) as a result of a single hot short on each of their respective control circuits. Although the control circuits of redundant valves may be subject to damage by the same fire, in its initial evaluation of this issue, the licensee stated: "For both valves to open simultaneously, a hot short on each valve is required. NRC Generic Letter 8610 does not require the assumption of multiple hot shorts for non-hl/lo pressure interfaces. Therefore, one of these two valves is assumed to remain closed." In                      i subsequent meetings and correspondence, the staffinformed the licensee ofits concern thet the app'ication of this assumption may result in an inability to adequately demonstrate compliance with                  .
The initial review of Revision 4 to Susquehanna Steam Electnc Station (SSES) Fire Protection Review Report (FPRR), identified questions and concerns regarding certain assumptions used by the licensee in its analysis of potential fire induced ;purious operations. Spcifically, the review identified examples where redundant valves rnay be subject to spurious actuations (i.e. undesirable change of position) as a result of a single hot short on each of their respective control circuits. Although the control circuits of redundant valves may be subject to damage by the same fire, in its initial evaluation of this issue, the licensee stated: "For both valves to open simultaneously, a hot short on each valve is required. NRC Generic Letter 8610 does not require the assumption of multiple hot shorts for non-hl/lo pressure interfaces. Therefore, one of these two valves is assumed to remain closed." In                      i subsequent meetings and correspondence, the staffinformed the licensee ofits concern thet the app'ication of this assumption may result in an inability to adequately demonstrate compliance with                  .
Sections Ill.G.2 and III.L of Appendix R to 10 CFR 50.
Sections Ill.G.2 and III.L of Appendix R to 10 CFR 50.
By letter dated December 6,1996, the licensee submitted revised criteria it had developed and
By {{letter dated|date=December 6, 1996|text=letter dated December 6,1996}}, the licensee submitted revised criteria it had developed and
-              employed for the analysis of potential spurious operations. The revised criteria specify the ability to              ;
-              employed for the analysis of potential spurious operations. The revised criteria specify the ability to              ;
mitigate, on a one at a' time basis, any and all rpurious operations having the potential to impact safe            #
mitigate, on a one at a' time basis, any and all rpurious operations having the potential to impact safe            #
Line 350: Line 350:
In the event of fire in the control room (Fire Area CS 9), there is a potential for fire initiated
In the event of fire in the control room (Fire Area CS 9), there is a potential for fire initiated
* hot shorts" to occur between control wiring and power sources for certain motor operated valves (MOVs) relied on to achieve and maintain safe shutdown conditions in the reactor. To assure that thermal overloads do not prevent the MOVs from' performing their intended safety function during an accident, SSES has bypassed the thermal overload protection for MOVs. Further, at SSES the location of the thermal overload contacts in the MOV control circuitry would be ineffective in mitigating the effects of hot shorts even if the thermal overloads were not bypassed. Similarly, the location in the MOV control circuitry oflimit and torque switch contacts renders these protective devices ineffective in mitigating the effects of fire induced hot shorts in the associated control circuits of MOVs. Although the MOVs may be capable of being electrically isolated from the fire affected area (e.g., Control Room Area CS 9), due to the absence of thermal overload protection, there is a potential for the hot shorts to cause mechanical valve damage before the deciolon to abandon the control room has been made and the operator has actuated the transfer switches and taken local control at the Remote Shutdown Panel (RSP). Additionally, in cases where manual local operation of the MOVs is relied on to mitigate potential spurious actuations resulting from a fire in areas outside the Control Room, there is a potential for fire induced hot shorts to cause valve damage and rews the MOV inoperable prior to its operation.
* hot shorts" to occur between control wiring and power sources for certain motor operated valves (MOVs) relied on to achieve and maintain safe shutdown conditions in the reactor. To assure that thermal overloads do not prevent the MOVs from' performing their intended safety function during an accident, SSES has bypassed the thermal overload protection for MOVs. Further, at SSES the location of the thermal overload contacts in the MOV control circuitry would be ineffective in mitigating the effects of hot shorts even if the thermal overloads were not bypassed. Similarly, the location in the MOV control circuitry oflimit and torque switch contacts renders these protective devices ineffective in mitigating the effects of fire induced hot shorts in the associated control circuits of MOVs. Although the MOVs may be capable of being electrically isolated from the fire affected area (e.g., Control Room Area CS 9), due to the absence of thermal overload protection, there is a potential for the hot shorts to cause mechanical valve damage before the deciolon to abandon the control room has been made and the operator has actuated the transfer switches and taken local control at the Remote Shutdown Panel (RSP). Additionally, in cases where manual local operation of the MOVs is relied on to mitigate potential spurious actuations resulting from a fire in areas outside the Control Room, there is a potential for fire induced hot shorts to cause valve damage and rews the MOV inoperable prior to its operation.
By letter dated April 23,1996, PP&L provided the results ofits evaluation of this concern (ref: PP&L Calculation EC-013 0859, Attachment C). Additionally, the licensee's revised criteria for spurious operations (
By {{letter dated|date=April 23, 1996|text=letter dated April 23,1996}}, PP&L provided the results ofits evaluation of this concern (ref: PP&L Calculation EC-013 0859, Attachment C). Additionally, the licensee's revised criteria for spurious operations (


==Reference:==
==Reference:==
Line 400: Line 400:


==Reference:==
==Reference:==
PP&L letter dated December 6,1996, Attachment A, " Associated Circuits - Spurious Operation).
PP&L {{letter dated|date=December 6, 1996|text=letter dated December 6,1996}}, Attachment A, " Associated Circuits - Spurious Operation).
The control circuits of all three valves in question are susceptible to common-cause damage due to a single fire. Therefore, there is a potential for all three valves to be susceptible to fire-induced spurious actuation (open)in the event of a control room fire. Although the spurious operation (opening) of all three valves as a result of fire damage is unlikely, to mitigate the potential for drain 23
The control circuits of all three valves in question are susceptible to common-cause damage due to a single fire. Therefore, there is a potential for all three valves to be susceptible to fire-induced spurious actuation (open)in the event of a control room fire. Although the spurious operation (opening) of all three valves as a result of fire damage is unlikely, to mitigate the potential for drain 23


Line 484: Line 484:
==Reference:==
==Reference:==
NRC Information Notice 92 18)
NRC Information Notice 92 18)
By letter dated April 23,1996 PP&L provided the results ofits evaluation of this concern (ref: PP&L Calculation EC 013 0859, Attachment C). Additionally, the licensee's revised criteria for spurious operations (
By {{letter dated|date=April 23, 1996|text=letter dated April 23,1996}} PP&L provided the results ofits evaluation of this concern (ref: PP&L Calculation EC 013 0859, Attachment C). Additionally, the licensee's revised criteria for spurious operations (


==Reference:==
==Reference:==

Latest revision as of 14:55, 5 May 2021

Rev 1 to, Review & Evaluation of PP&L Fire Protection Review Rept,Rev 4 Susquehanna Steam Electric Station Safe Shutdown Capability-10CFR50,App R, 'Post-Fire Safe Shutdown Methodology & Analysis of Associated Circuits.'
ML20212F192
Person / Time
Site: Susquehanna  Talen Energy icon.png
Issue date: 03/31/1997
From: Fresco A, Sullivan K
BROOKHAVEN NATIONAL LABORATORY
To:
NRC (Affiliation Not Assigned)
Shared Package
ML20212F151 List:
References
NUDOCS 9711040206
Download: ML20212F192 (30)


Text

, ., .

BROOKHAVEN NATIONAL LABORATORY DEPARTMENT OF ADVANCED TECHNOLOGY

-ENGINEERING TECHNOLOGY DIVISION REVIEW AND EVALUATION OF PENNSYLVANIA POWER & LIGHT COMPANY FIRE PROTECTION REVIEW REPORT, REVISION No. 4 SUSQUEHANNA STEAM ELECTRIC STATION SAFE SHUTDOWN CAPABILITY - 10CFR50 APPENDIX R Post-Fire Safe Shutdown Methodology and Analysis of Associated Circuits Revision 1 March 1997 Preparri'By: K. Sullivan A. Fresco Prepared For: U.S. Nuclear Regulatory Commission Office of Nuclear Reactor Regulation 4

9711040206 971021 PDR ADOCK 05000387 F. PDR . ENCIOSUPI

.c

?

CONTENTS Section II.Qs - Page.

-1 . Backgrou nd . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . I 1.1 Executive Su mmary . . . . . . . . . . . . . . . . . . . . . . -. . . . . . . . . . . . . . . . . . . . . . 3 l.2 Review Criteria . . ' . . . . . . . . . . . . , . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

2. Post fire safe shutdown capability , , . . . . . . . . . , . . . . . . . . . .- . . . . . . . . . . . 5

~

2.1. Separation of Safe Shutdown Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 2.2 Post Fire Safe Shutdown Methodology - Genaal Plant Areas ~. . . . . . . . . . . . . . 5

- 2.2.1 Analysis Methodology' . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 2.3 '~ Safe Shutdown Capability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 12.3.1 Evaluation of Post Fire Safe Shutdown Systems . . . . . . . . . . . . . . . . . . . . . . . _. 8 2.4 Alternate Shutdown capability . . . , . . . . . . . . . . . , . . . . . . . . . . . . . . . . . . . . 12 2.4.1 Areas Requiring Alternate Shutdown Capability . . . . . . . . . . . . . . . . . . . . . . . 14 2.4.2 Safe Shutdown Procedures and Manpower . . . . . . . . . . . . . . . . . . . ; . . . . . . . 14

2. 4.3 ' 1t e pai rs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ~ 15 3 Evaluation of associated circuits . . . . . . . . . . , . . . . . . . . . , . . . . . . . . . . . , . . 16

. 3.1 Common Power Supply Associsted Circuit Concern , . . . . . . . . . . . . . . . . . . 16 -

3.2 Coinmon Enclosure Associated Circuit Concern . . . , . . . . . . , . . . . . . . . , 16 3.3 Spurious Signal Concern . . . .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17 3.3.1 Flow Diversion Paths and High/ Low Pressure Interfaces . . . . . . . . . . . . . . . . 18 .

3.3.2 Spurious Operation of ADS Valves . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . , . 18 3.3.3 Protection from Loss of Remote Shutdown Capability , . . . . . . . . . . . . . . . . . 19 -

3.3.4 Evaluation of Suppression Pool Drain Valves . . . . . . . . . . . . . . . . . . . . . . . . 23 3.3.5 Potential for spurious operation of non-essential injection systems 24' 3.3.5.1 Inadvertent Feedwater Initiation . . . . . . . . . . . . . . , , , . . . . . . . . . . , . . . . . . , , 24 3.3.5.2 Spurious Operation of the High Pressure Coolant Injection System (HPCI) . . 25  ;

3.3.5.3 Inadvertent Condensate Injection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27 ,

3.4 Modifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27 -

- 4.- - Conclu sions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 7 4.1 Post fire Safe Shutdown Capability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27 4.1.2 Manual Ope: or Actions Prior to Control Room Evacuation . . . . , . . . . . . . . 27 4.2 Evaluation of Associated Circuits . . . . . . . . . . . . . . . . . . . . . . . , . . . . . . , . . . 28

5. Open issu es . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . , . . . . . . . . . . . . . . . . . . . 2 8 h

i

r t

I.- BACKGROUND As a result of a special NRC team inspection conducted in 1985, Unresolved item (URI 387 and '

388/85 06-01) was initiated to document the inspection team's conclusion that the Fire Hazard Analysis for the Susquehanna Steam Electric Station (SSES) Units 1 and 2, did not adequately _  ;

, demonstrate compliance with the technical requirements of 10 CFR 50 Appendix R.  ;

In response to URI 387 and 388/85-06-01, on June 30,1988, the licensee, Pennsylvania Power and  ;

t Light Company (PP&L), submitted Revision 3 of the Fire Protection of the Fire Protection Program -

Report (FPRR) to the NRC for review. On August 9,1989 the NRC Office of Nuclear Reactor -

-Regulation (NRR) issued its Safety Evaluation (SE) of Revision 3 to the FPRR.

In Inspection Report Nos. 50-387/92 23 and 50-388/92 23, an NRC Region I in'pection team noted that the licensee's post fire safe shutdown methodology had not been evaluated in the August 9,1989 SE issued by NRR, and that Revision 4 to the FPRR was under review by NRR at that time,. As a result of this finding, by memorandum dated October 14,1992, NRC Region I requested NRR to evaluate the safe shutdown methodology docun,ented in Revision 4 of the FPRR.

4 At the request of the NRC Office of Nuclear Reactor Regulation, the Engineering Technology Division of Brookhaven National Laboratory (BNL) performed an independent review of the post fire safe shutdown methodology and analysis of associated circuits documented in Revision 4 of the

-Susquehanna Steam Electric Station Fire Protection Review Report, dated May 1993. This review concentrated on an evaluation of post fire safe shutdown capability, associated circuits, and the licensee's separation analysis methodology.

Based on the results of a preliminary review of Revis:on 4 of the FPRR, by letter dated February 3, 1995, BNL submitted a Request for Additional Information (RAI) to NRR. Following its review, NRR forwarded 61: equest to the licensee, and by letter dated May 22,1995, PP&L provided its

- reponse. T' S. .- - - s --d' May 22,1995 response identified several additional issues > ' .a wo@d squim funk chuhE H '"' letter dated June 28,1995, BNL submitted a seco . RM 1 EM 'd.id was the faru ar&d th.

- To obtu deu ,4 rif.totJn : &W csoesid? Mied during the review of the PP&L

.su' WNi, BNL ud NG ; ww nt w M i.W y trer, de on two separate occasions. These

- me up were unduct d ai hw Headgw,us in hockv;" , Maryland on August 29,1995, and at the lir, ,

  • 9tmem.; immyMrh emen ori knw M,1996. Dy letter dated April 23,1996, PP&L pr.nUm .. : ; we ta * <tiwsed in th . mis, and during the January 26,1996 meetinr,.

'The results of the our evaluation of the Cusquehanna Steam Electric Station FPRR Revision 4 and subsequent licensee submittals described above, were documented in a Draft Technical Evaluation

~

Report (TER) which was subsequently forwerded to the NRC Technical Monitor on July 22,1996,

. A: documented in the Draft TER, the following issues remained open as a result of our review:

1 i .

- * ,- a-"y-,r- r'g- - + , ~

) *- - r w- g- y

1. Protection from Loss of Remote Shutdown Capability due to Fire Induced Circuit Faults -

(

Reference:

NRC Information Notice 92-18) to the extent that the licensee's evaluation of this concern (Calculation EC-013-085) did not provide sufficient definitive information necessary to fully endorse its disposition of valves potentially affected by the failure mode described in NRC Information Notice (IN) 9218.

2. Evaluation of the potential for spurious opening of Suppression Pool Drain Valves HV-15766, HV 15768 and HV-15769 (Unit 1) and valves HV-25766, HV-25768 and HV-25769 (Unit 2), as a result of a control room fire. Fire-induced spurious opening of these valves could cause the Suppression Pool to drain down to Liquid Radwaste, thereby affecting the performance of Emergency Core Cooling System (ECCS) purr.ps used for post fire safe shutdown. None of the potentially affected valves are capable of being electrically isolated from the control room (e.g., by means ofisolation/ transfer switches) and at least one vaJve must remain closed to prevent flow diversion from the suppression pool.

On July 25,1996, the open issues described in the Draft BNL TER were discussed during a telephone conference held between the BNL reviewer, representatives of NRR, and the licensee, and on September 4,1996 the BNL reviewer participated in an additional telephone conference with representatives of NRR and the licensee. During this discussion, the licensee presented proposed strategies for: (a) resohing the open TER items, and; (b) resching an additional vulnerability invohing the potential for spurious operation of non-essential coolant injection systems (i.e., injection systems not credited in the safe shutdown analysis) to cause a reactor overfill condition. The licensee committed to provide a detailed description of each issue and proposed methods of resolution in a formal response to NRR The Draft TER open issues are principally the result of certain inappropriate assumptions used by the licensee during its evaluation of spurious equipment operations that may occur as a result of fire-induced " hot short" type cable faults. By letter dated December 6,1996, the licensee provided its revised criteria for fire-initiated spurious operations end described its methods for resohing the remaining open issues.

This Technical Evaluation Report (TER) documents the results of the BNL evaluation of the Susquehanna Steam Electric Station Appendix R Safe Shutdown Analysis, as documented in Revision 4 of the FPRR and the subsequent PP&L submittals described above, including Spurious Operations Criteria (PLA-4505), dated December 6,1996.

The licensee has developed three shutdown methods, designated Paths 1,2 and 3, which are capable of bringing the plant to a cold shutdown condition in the event of fire. Paths I and 3 consist of the Automatic Depressunzation System (ADS) and Core Spray System (CSS), Divisions I and II respectively. In general, Paths 1 and 3 (ADS / CSS) are used in the event of fire in areas in wh'ch habitability and control from the Control Room are assured. Since use of ADS / CSS would allow reactor coolant process variables to vary from those normally predicted for a loss of normal a.c.

power, the licensee requested a deviation from the requirements of Sections III.G and III.L of 2

l

=

LAppendix R to 10 CFR 50 (Deviation Request No. 33). This request was approved by the staffin a

. Safety Evaluation dated August 9,1989. The basis for staff acceptance of this deviation is predicated on licensee assertions that its safe shutdown analysis had demonstrated that during implementation of this shutdown methodology (i.e., ADS / CSS) there will be no fuel clad damage, no rupture of any primary coolant' or containment boundary, and the level of coolant will always be maintained above the top of the core.

- Path 2 consists of the use of the Reactor Core Isolation Cooling (RCIC) System and the Suppression l Pool Cooling Mode of the Residual Heat Removal System (RHRS). Path 2 is used for fires in Fire Area CS 9, which is the only area for which evacuation of the Control Room and implementation of an alternative shutdown capability may be required in the event of fire. As part of this review, the .

capability of each shutdown path to meet the post fire safe shutdown performance goals of 10 CFR 50 Appendix R was evaluated.

1.1 - Executive Summary At the request of the NRC Office of Nuclear Reactor Regulation, BNL performed an independent review of the post fire safe shutdown methodology and analysis of associated circuits documented in Revision 4 of the Susquehanna Steam Electric Station Fire Protection Review Report, dated May 1993. The results of the 9NL evaluation were documented in a Draft TER which was forw2rded to the NRC Technical Momtor on July 22,1996. Salient issues identified during this review include the suitability of certain assumptions used by the licensee during its evaluation of potential spurious  :

actuations of equipment as a result of fire and potential for loss of remote shutdown capability

- concerns described in IN 92-18.

As a result ofissues identified in the drall BNL TER and subsequent communications between the licensee and NRR, by letter dated December 6,1996 the licensee submitted revised criteria governing its evaluation of fire induced spurious operations. A review of these criteria found them to include technically sound assumptions for evaluating fire-induced spurious actuations, and implementation required the licensee to effect di.qes to both the plant design and abnormal operating procedures la order to satisfy the post ftre safe shutdown criteria of Sections III.G and III.L to Appendix R to 10 CFR 50.

In general, the licensee's post fire safe shutdown methodology and analysis of associated circuits, as amended to include consideration ofits revised criteria governing the evaluation of fire-induced spurious operations, was found to satisfy the requirements of Section III.G and III.L to Appendix R to 10 CFR 50 and is, therefore, acceptable except for the following:

. 1. During a September 4,1996 telephone conference, the licensee stated that mitigating inadvertent condensate injection is not time critical (approximately I hour would be availt.ble to take mitigating action) and would be addressed procedurally by incorporating manual operator actions into existing procedures. In its December 6,1996 st bmittal, however, the licensee states that an analysis of this concern is yet to be performed. Pending NRC review i

L 3 L

I

~ *1'r

ye v,--.y p w-g-,- g y

  • 6*--W 7-+4T-U t *T' ' ' *" } $

and acceptance of the PP&L analysis of this concern, it is recommended that the potential for reactor overfill condition due inadvertent condensate injection remain Open.

1.2 Review Criteria The criteria used in reviewing the licensee's submittal are contained in the following documents: -

1. " Fire Protection Program foi 7-perating Nuclear Power Plants," 10CFR50 Appendix R, (45 FR76611, November 19,19s0, and 46 FR 44735, September 8,1981).
2. Generic Letter 81-12, dated February 20,1981.
3. NRC Memorandum To: D.G. Eisenhut From: R.J. Mattson,

SUBJECT:

" Fire Protection Rule Appendix R" dated March 22,1982 (Clarification of Generic letter 81-12),

4. NRC Memorandum TO: R.H. Vollmer, From: R.H. Mattson,

SUBJECT:

" Position Paper on Allowable Repairs for Alternative Shutdown and the Appendix R Requirements for Time Required to Achieve Cold Shutdown," dated July 21,1982.

5. Generic Letter 83 33, dated October 19,1983.
6. NRC IE Information Notice 84-09, " Lessons learned from NRC inspections of Fire Protection Safe Shutdown Systems."
7. NRC IE Information Notice 85-09, " Isolation Transfer Switches and Post-Fire Safe Shutdown Capability."
8. Generic Letter 86-10. " Implementation of Fire Protection Requirements," April 24,1986.

4

2. POST-FIRE SAFE SHUTDOWN CAPABILITY 2,1 Separation of Safe Shutdown FunctiODS I Where components of redundant trains of systems necessary to achieve and maintain hot shutdown condit'rs are located within the same fire area outside primary containment, the licensee, Pennsylvania Power and Light (PP&L) has provided one of the following means of ensuring that one train of safe shutdown equipment remains free of fire damage: (1) Separation of equipment, cabling and associated circuits of redundant safe shutdown systems by a fire barrier having a 3-hour fire rating;(2) Separation ofequipment cabling and associated circuits of redundant safe shutdown systems by a horizontal distance of more than 20 feet free ofintervening combustibles or fire hazards.

In addition, automatic fire detection and suppression systems are installed in such areas; and (3)

Separation of equipment, cabling, and associated circuits of redundant safe shutdown systems by a fire barrier having a 1-hour fire rating. In addition, automatic fire detection and suppression systems  ;

are installed in the area. i Fire Area CS 9, which is comprised of the Main Control Room and twelve (12) associated Fire Zones  ;

is the only area requiring an alternative shutdown capability. In the event a disabling fire in this area causes the Main Control Room to be evacuated, operators would manually scram both units, close the Main Steam Isolation Valves (MSIVs), and man each unit's remote shutdown panels located in l separate fire areas (Fire Zone 1-D2 in Unit I and Fire Zone 2-2A in Unit 2). Additionally, to enable ,

manual control of the Control Structure HVAC system, operators would also man the alternate control structure HVAC control panel located in Fire Zone 0-29B. The control functions and indications provided at the remote shutdown panels are capable of being electrically isolated from the main control room. Further discussion of the alternate shutdown capability is presented below in Section 2,4, " Areas Where Alternative Shutdown is Required."

The licensee's criteria for providing fire protection for safe shutdown functions satisfiesSection III.G of Appendix R, and, therefore, is acceptable.

2.2 Post-Fire Safe Shutdown Methodolouv - GeneraLPlant Areas 2.2.1 Analysis Methodology The licensee's methodology for assessing compliance with the separation / protection requirements of.

Section III.G of Appendix R consisted of:

1, Determining the functions required to achieve and maintain safe shutdown (e.g, reactivity control, reactor coolant makeup and pressure control, decay heat removal, etc.),

2. Identifying systems and components capable of performing the necessary shutdown functions, i

1 $

l l

3 1

3.  ! Grouping the selected systems into various shutdown paths, consisting of two redundant primary safe shutdown pa+hs (Paths 1 and 3) and one alternative shutdown

- path (Path 2),-

4. Identifying safe shutdown cable, raceway and electrical components,
5. Grouping specific plant locations into fire areas,

- 6.- Identifying for each fire area, one or more paths capable of satisfying each required  ;

shutdown function,  ;

7.- Evaluating potential cable and component interactions (i.e., non-compliances),

8. Relocating cabics r.nd equipment, providing fire barriers, fire detection and fire suppression systems so as to meet the separation / protection requirements of Appendix R Section III.G or poviding justification where deviations from these requirements 4 occur.

On the basis of this methodology, and subject to the previously approved deviations from the requirements of Section III.G and III.L the licensee's analysis methodology conforms to the requirements of Appendix R to 10 CFR 50 for protection of safe shutdown capability and is, therefore, acceptable.

2.3 Safe Shutdown Canability The licensce's safe shutdown analysis demonstrated that sufficient redundancy exists for systems needed for safe shutdown. - The safe shutdown analysis included components, cabling, and support equipment needed to achieve safe shutdown. Thus, in the event of a fire anywhere in the plant, at least one train of systems _would be available to achieve and maintain safe shutdown conditions. The-availability of these systems includes the components, cablin;, and support equipment necessary to achieve cold shutdown. Support equipment includes associated electrical distribution systeins, and the necessary ventilat.N systems.

The licensee has performed an electrical separation study to ensure that at least one train of the above

. equipment is available in the event of a fire in areas that might affect these components. Safe shutdown equipment and cabling were identified and traced through each fire area from the component to the power source. Associated circuits whose fire-induced .purious operation could

- affect safe shutdown were identified by a system review to determine those companents whose mal-operation could anet the safe shutdown capability.

To separate redundant divisions of'4e shutdown equipment, PP&L has selected twc primary safe

' shutdown paths < The first path is she Division I train of ADS / CSS, Alternate Shutdown Cooling and Suppression Pool Cooling and the second path is the Division 11 train of ADS / Core Spray System, Alternate Shutdown Cooling and Suppression Pool Cooling. These paths are identified as Path I and 6

j

Path 3 respectively. These shutdown paths are incorporated into symptom based emergency _

L operating procedures and off normal procedures.- ?n general, Paths l'and 3 (ADS / CSS) are used in the event of fire in areas in which habitability and control from the Control Room are assured. Since -

use of ADS / CSS would allow reactor coolant process variables to vaiy from those normally predicted for a loss of normal s c. power, the licensee requested a deviation from the requirements of Sections

- III.G and III.L of Appendix R to 10 CFR 50 (Deviation Request No. 33). This request was -

approved by the staffin a Safety Evaluation dated August 9,1989. As indicated in the staffs safety 1 evaluation, acceptance of this deviation is based, in part, on licensee statements that its safe sht.tdown analysis has demonstrated that during implementation of this m*.hodology (i.e., ADS / CSS) there will be no fuel clad damage, no rupture of any primary coolant or containment boundary, and the level of '

coolant will always be maintained above the top of the core.

- In Calculation EC-013-0979, " Safe Shutdown Paths for Fires Outside and Inside Control Room",

Rev; 0, dated 1/13/95, the licensee states that it has assumed a loss of offsite power (LOOP) to occur

concurrently with a fire in any location. Since a LOOP will result in the simultaneous SCRAM of both units, and closure of the MSlVs of both units, the assumption of a LOOP requires the post-fire safe shutdown methodology to be cap. ' le of accomolishing the simultaneous shutdown of both units, ,

regardless of fire location. Additionally, except for alternative shutdown Path 2, the licensee has provided protection on a divisional basis. Therefore, only one division of Emergency Diesel Generators (2 EDGs) can be assumed operable. With orJy two EDGs avr.ilable, there is not sufficient capacity to shutdown both units using Path I or 3 (ADS / Core Spray). For this assumed scenario, (i.e., a LOOP for any fire and only two EDGs available) PP&L has determined that the non-fire affected unit (unit affected by the LOOP only) could be brought tc .rY shutdown conditions using RCIC or HPCI, in accordance with LOOP procedures ON-104-001.nd ON-204-001. The licensee states that it has evaluated the availability of these systems in the event of fire in opposite unit fire areas. This evaluation determined The followirig:

  • RCIC will be available for shutdown of Unit 1 in the event of fire in Unit 2/ Division I fire areas a HPCI will be available for shutdown of Uniti in the event of fire in Unit 2/ Division 2

, Fire A +.ts i .

RCIC will be available for shutdown of Unit 2 in the event of fire in Unit 1/Disision I fire areas

. HPCI will be available for shutdown of Unit 2 in the event of fire in Unit 1/ Division 2 Fire Areas -

In summary, to simultaneously achieve safe shutdown of both units in the event of fire not requiring i alternative shutdown, Path 1 or Path 3 (ADS / CSS) is used for the fire affected unit, and the High i Pressure Coolant Injection (HPCI) and associated support systems or the Reactor Core Isolation Cooling (RCIC) and associated support systems together with Path 1 or Path 3 components for Alternate Shutdown Cooling and Suppression Pool Cooling for the opposite unit depending on the 7

i

~ . - - - _ . . ._. . _

fire location. In the event of fire in " common" areas (i.e., areas shared between units), the fire or non.

fire unit can not be distinguished. The licensee states that its evaluation of these areas has determined

- that fire will not impact more than HPCI or RCIC ci one unit.

Fire Area CS 9, which consists of the main Control Room and associated fire zones, is the only area outside primary containment that does not estisfy the separation requirements of Section III.G.2 of Appendix R. Further discussion of the alternate shutdown capability is presented below in Section 2.4, " Areas Where Alternative Shutdown is Required."

The major systems or components which comprise the safe shutdown capability for Units 1 and 2 include:

e' Control Rod Drive (CRD) System (SCRAM function)

  • Nuclear Boiler instrumentation (portions) -
  • Suppression Pool Monitoring Instrumentation
  • Reactor Building Heating, Ventilating, and Air Conditioning (HVAC) (portions)
  • Emergency Senice Water System (ESWS) and ESWS Pumphouse HVAC
  • Diesel Generators and Support Systems using two diesel generators per unit (all diesel generators for alternative shutdown).

.' Reactivity Control: capable os achieving and maintaining cold shutdown reactivity conditions.

8

i

  • Decay IIcat Removal: capable of removing decav heat and provide sufficient capability to allow the transition fro,i hot to cold shutdown conditions.
  • Process Monitoring: capable of providing direct readings of the process variables necessary to perform and control the above functions.
  • Support Funellons: capable of providing the process cooling, lubrication, motive power, etc., recessary to permit the operation of the equipment used for the above safe thu;down functions 2.3.1.1 Reactivity Control Function Reactivity control on all paths is performed by ponions of the Reactor Protection System, the Control Rod Drive System (SCRAhi function), and ti,e End of Cycle Recirculation Pump Trip. These systems are used to assure that the reactor will scram on high reactor vessel pressure, low reactor vessel water level (ILel 3) or manually. For :he Alternative Shutdown Path, the reactor is scrammed manual!., from the hiain Control Room.

The licensee states that alternate means for achieving reactor SCRAM and verification of control rod insertion are available outside of the Control Rvom.

2.3.1.2 Reactor Coolant Makeup and Pressure Control Function For shutdown Paths 1 and 3, reactor coolant makeup is provided by different divisions of the Core Spray System. The reactor is depressurized within ' 0 minutes following reactor scram using the Automatic Depressurization System (ADS) Safety Relief Valves (SRVs), as described in Deviation Reque< "o. 33. As per this praiously approved deviation, reactor coolant makeup is provided by differe risions of Core Spray while the reactor depressurization function is provided by the ADS valves.

For alternative shutdown Pau 2, reactor coolant makeup is provided by RCIC tr. king suction from the preferred source, the CST, and RHR injection taking suction from the suppression pool. The suction path for the RCIC pump may be transferred from the CST to the suppression poolif necessary. ,

Reactor coolant makeup for all paths is onserved by closure of the MSiVs. Thus, the shutdown paths are the same, whether or not off site power is ava!!able. The MSIVs isolate on the following signals: loss of off-site power, manual is31ation signal, and low vacuum in the main condenser.

On Path 2, reactor depressurization and pre.,sure controlis perforn'6 by operating one of three Main Steam Relief W.lves (MSRW) from the remote shutdown panels or by opera'ing one of three ADS 9

- ., - - - _ - - _- . .__.- = -_ - . - -- -

s SRVs locally from the Relay Rooms. Over pressurintion protection prior to depressurintion of the reactor pressure vesselis provided by the self actu:t'ng pressure mode of the htSRVs.

2.3.1.3 DecayIIcat Removal For alternate shutdown Path 2, reactor decay hvat is removed by the self actuating mode ofMSRV operation. Specifically, during high pressure isolation operation, decay heat is removed from the reactor through the htSRVs with the suppression pool as a heat sink using the RIIR suppression pool cooling mode (hot shutdown) and the RIIR normal shutdown cooling mode of operatiori(cold shutdown). The RCIC system is only credited for mainterance of coolant inventory. While some of the decay heat will be transferred from the vessel to the suppression pool through the RCIC pump turbine exhaust line the amount ofdecay heat removed is significantly less than the total decay heat generated in the reactor core. As a result, the remainder of the decay heat must be transferred to the suppression pool through operation of the hiSRVs and the RHR/RHRSW systems then iransfer the decay heat from the suppression pool to the ultimate heat sink. Sin,e .he RCIC system can not complete the entire function of transferring the 6ay heat load to the uldmate i, cat sink, it is not considered as a decay heat removal system. During cold sSutdown, decay heat removal is achieved by utilizing the normal shutdown cooling mode, i e., the RilR system injecting directly to and from the reactor pressure vessel together with the RIIR Service Water System to cool the RHR heat exchanger, For Paths I and 3, reactor decay hea* Is transferred to the suppression pool by depiessurizing the reactor vessel following a reactor scram using the Automatic Depressurlation System (ADS) Safety Relief Valves (SRVs). Reactor coolant makeup is provided by different divisions of Core Spray while the reactor deptessurintion function is provid.:! by the ADS valves. The suppression poolis then cooled using the suppression pool cooling mode of RHR with one loop of suppression pool cooling for each path. If cooldown of the reactor pressure vessel (RPV)is required but cannot be accomplished using normal shutdown cooling, alternate shutdown cooling is used in conjunction with the Core Spray System (CSS) and the ADS SRVs. To enter alternate shutdown cooling, the reactor head vents, the hiSIVs, the main steam line drain lines, and the Residual Heat Removal (RHR) steam condensing mode lines must .t11 be closed. The SRVs are then opened, and one core spray pump taking suction from the suppression pool slowly increases reactor water level. The suppression po 'l cooling mode of RHR is then initiated. The reactor water level is slowly raised to about 131 inches to flood the main steam lines and to establish a flow path through the open SRVs and back to the suppression pool. During cold shutdown, decay heat removal is achieved by utilizing the normal shutdown cooling mode, i.e., the RHR system injecting directly to and from the reactor pressure vessel together with the RHR Service Water System to cool the RHR heat exchanger.

In the event of a reactor trip coincident with a loss of off she power, decay heat will initially be removed by natural circulation within the reactor and mechanical operation of the hiain Steam Relief Valves (RVs). Steam discharged from the RVs is condensed in the suppression pool. Cooling cf the suppression pool will b+ accomplished by the RHR system in the suppression pool cooling mode.

The licensee states that separate analyses performed by General Electric (GE), demonstrate that one ,

10

RHR heat exchanger loop, in the suppression pool cooling mode, is sufficient to maintain suppression pool temperatures within acceptable limits. Ther,e ealyses include the case where low pressure injection systems are used to accomplish safe shutdown.

. I 2.3.1.4 Process Monitoring The process monitoring capability provided to accomplish post fire safe shutdown includes the l following instmmentction: )1

+

Reactor Pressure  ;

+

Reactor Water Level

  • Suppression Pool Temperature i

+  ; Supprusion Pool Level

- Drywell Temperature  ;

  • Drywell Pressure j J

Both suppression pool temperature and level may be monitored at the remote shutdown panel.  ;

However, in the event of a control room fire there la a potential for loss of both divisions of  :

suppression pool temperature and level indication. In the event that both divisions of suppression ,

pool temperature indication at the remote shutdown panels f41, suppression pool temperature may be Inferred from suppression chamber atmosphere temperature and atmosphere pressure indication j which are also available at the remote shutdown panel. Because the chamber remains a relatively

- constant volume, the pool heat up or cooldown rate will be related to these two parameters. This i deviation (Deviation Request No.2) was previously reviewed and approved by the staffin a separate  !

safety evaluation dated August 9,1989.

For Paths I and 3, which consist of the ADS / CSS method, the reactor is scrammed on either high I reactor pressure or low water level by the Nuclear Boiler Instmmentation. The high pressure scra,n protects the RPV on high pressure and maintains the potential suppression pool temperature within acceptable limits. The low water level scram ensures integrity of the fbel rods. In addition, for Paths  ;

i I and 3, reactor vessel makeup on low reactor water level must occur autorr.atically. Reactor water levelinstrumentation provides the ADS / CSS initiation. Pressure instrumentation is required to permit ,

core spray initiation at lower pressure, in the event of a fire in the Upper or Lower Relay Room  ;

which disables the low pressure pennissive for core spray operation, the permissive can be bypassed ,

in the Control Room.

For Alternate Shutdown Path 2, Reactor Pressure Vessel (RPV) level is monitored using the wide range level instrumentation available at the remote shutdown panel. However, due to the inherent  :

- inaccuracy of wide range leM*mmentation as pressure decreases, additional instrumentation may be necessary to support commencmg RHR Shutdown Cooiing for cold shut d own. To provide this - .

i additional capability, PP&L has included procedural guidance (

Reference:

SSES Procedures ON.100 009, Rev.3 and ON 200-009, Rev. 3) for l&C technicians to install temporary remote (reactor) level 11 4

3

,,w--ee.e -or,,r., +s -. - . - ,, ,ea eb -ar v m e.

i i

i and temperature Indication. The licensee states that the use of this temporary instrumentation is only l necessary to support the accomplishment of cold shutdown and is not required to achieve and  ;

maintain hot shutdown conditions. A detailed discussion of this approach is preseted below in i Section 2.4.3 ' Repairs".  !

1 2.3.1.5 Support Functions i Support Ametions either ra'nove heat or supply power to the process systems perfoming shutdown >

- Ametions of rw ;tivity control, reactor coolant makeup, reactor depressurization and heat removal.  ;

The RHR Servk e ' Water System (RHRSWS) removes heat from the suppression pool during the suppression pool cooling mode and removes heat directly from the reactor loop through the RHR ,

heat exchanger during the shutdown cooling mode. The Emergency Service Wster System (ESWS) l provides cooling for equipment thiough the appiopriate room coolers in the Reactor Building.- The

- Control Structure HVAC cools the Control Structure. Power is supplied by the diesel generators and ,

the batteries to the various components through the AC and DC distribution systems.

l The support Ametions for the Altemate Shutdown Path (Path 2) include the following:

l. RHR Service Water which removes heat from the suppression pool during the suppression pool cooling mode of RHR operation (hot shutdown) and directly from the reactor loop through the RHR Shutdown Heat Ex(hst ;er during the Shutdown Cooling mode of RHR operation (cold shutdown).
2. Emergency Service Water which provides cooling for equipment through the i appropriate room coolers (such as the RCIC and RHR pump rooms).
3. Control Structure HVAC which cools the Control Structure.
4. Diesel Generators and batteries which supply power to the various components  ;

through the AC and DC power distribution systems.

The licensee states that communications necessary to coordinate operator activities outside the c.ontrol room are available and emergency lighting undts having an 8-hour rating are provided to enable operators to perform required post. fire safe shutdown operatloas. With regard to communications, the licensee states that its Appendix R Voice Powwed Communication System

provides uninterruptible communication from the Control Room and Remote Shutdown Panel (RSP) to numerous locations throughout the plant where manual actions may be required in the event of

. postulated Are in various fire zones. No power is required to operate the system.

e 5

. . j 2.4 Ahernate Shutdown Capability l In the event of a fire in Fire Arn CS 9 requires evacuation of Control Room personnel, the control {

room operators would manually scram both units and operate from each unit's remote shutdown panels located in Fire Zone 1 2D (Unit 1) and Fire Zone 2 2A (Unit 2). Control room operators  ;

would also operate the alternate control structure HVAC control panel (Fire Zone 0 298) to take 7 manual control of the CSHVAC neensary to support safe shutdown. l

?

The only action normally credited prior Io control room evacuation is a manual trip of the reactor. In  !

its submittal dated December 6,19% the licensee requested credit also be given for additional _

operator actions prior to leaving the Control Room. - Specifically, the licensee requested approval to l allow SCRAM of both units; closure of the MSIVs; closure of the feedwater discharge valves; and  !

tripping of the feedwater turbine. These actions are deemed necessary to prevent a vessel overfill t condition that may be caused by fire Induced spurious operation of the feedwater flow controller  !

during fudwater system coastdown. Since all actions, including the manual scram of the ructor, can ~

be accomplished in rapid succession by a single operator at one location, this approach provides a suitable means of precluding potential spurious operations that could affect the shutdown capability,  ;

while satisfying the staffs concem for limiting the number of actions within the control room prior to l evacuation. ,

The alternate shutdown system includes isolation / transfer switches to provide electrical isolation of i safe shutdown components from the fire affected arms. PP&L states that the design of the  ;

Isolation / transfer capability complies wuh the operability requirements of alternate shutdown systems outlined in Information Notice (IN) 85 09. In addition to providing electrical isolation, the  ;

isolation / transfer capability also supplies redundant fusing for safe shutdown components, thereby, precluding the need to replace fuses following transfer. Once the isolation / transfer capability is actuated at the Remote Shutdown Panels, RCIC will be available to provide high pressue makeup  !

and RHR will be available for suppression pool cooling during hot shutdown. As RCS pressure is reduced to less than 98 psig, RHR will also be available for the shutdown cooling mode of operation. -

As decribed in NRC IN 92 18, however, there is a potential for fire induced hot shorts to occur in the control circuits of certain motor operated valves (MOVs) needed to shutdown the reactor and maintain it in a safe condition prior to their isolation at the RSP. Since the faulted miition would cause thennal overload, with limit and ten.ue switch protect.'on bypassed, spurious valve operations ,

. could possibly result in mechanical damage to the valve. By letter dated April 23,1996, PP&L provided the results ofits evaluation of thl concern (ref: PP&L Calculation EC-013 0859, Attachment C). A detailed discussion of the licensee's approach for resolving this concem is provided in Section 3,3,3 below.-

All components on the RSPs are designated as Path 2 Safe Shutdown Componentif Support systems, such electrical motive or control power, for the front line systems described above may also be used i l to suppor* Safe Shutdown Paths I or 3.- Therefore, these components are designated as multi path

- components, e.g. Path I and 2 or Path 2 and 3 The licensee states that these components have been  :

1 L - evaluated for any impacts due to a fire in Fire Area CS 9, and are assured to be available. l 13 ,

--.. . _ . _, J, . . - , ~ . .

.,#.- ..__, - - -.J.m...__._,, , - - s .-,,--,-,,A, . _ . , - . - - . .-_..x--,_-,,- -.--

I u

i i

2.4.1 Areas Requiring Alternate Shutdown Capability f

The licenses has identified portions of the Control Stmeture as not satisfying the separation i requirements of Section 111.0.2 of Appendix R. For this area (Fire Area CS 9) attemative shutdown  ;

capability has been provided to address the requirements of Socilons III.G.3 and Ill.L of Appendix R.  !

Fire Area CS-9, which is referred to as the " Control Room," c >nsists of the following fire zones:- a

- Fire Zone Description j 0-26A Storage Room-0-20E . Service Room l 026F Vestibule

' 0-26G Omce Room - f 0-26H. ControlRoom l 0 261~ Office Room- ,

0 26J Vestibule  !

026K Technical Support Center 0 26L Conference Room l 0-26M Office Room Somt 0 26N ' Control Room Unit 1 Soffit 0 26P Control Room Unit 2 Soffit 0 26R Office Room Soffit <

t 2.4.2 Safe Shutdown Procedures and Manpower To achieve post Are safe shutdown conditions from outside the main control room the licensee has developed symptom-based off normal plant operating procedures ON-100-009 and ON 200-009, <

" Control Room Evacuation," for Units I and 2 respectively. Each of the control room evacuation procedures is designed to shut down the plant from outside the control room by using the reniote shutdown panels and manual operations in the plant. Since the control room will be evacuated, each unit will be implementing its respective procedure at the same time. Transfer of control to the remote  !

shutdown panels bypasses main control room devices and transfers control of affected components - .

control power to alternate supplies. The procedures contain the steps necessary to implement the .

. attemative shutdown capability from ; emote locations outside the main control room. The licensee  !

- states that sufficient plant staff and time are available to accomplish safe shutdown.

i 14

-%%.,w% -.,-r, ,,w . , - , , , , . --

---.%.y-.-,. ,- .~,-2 --

.-r..~

I

. i Control of each unit using safe shutdown Path 2 is established at the Remote Shutdown Panels.  !

Additional manual operator actions that may be necesary to ensure shutdown system operability, j

have been identified by the licensee in its FPRR. These actions have been incorporated into its  ;

symptom based off normal operating procedures and incLde: }

i a) De-energizing the Reactor Protection System power supply to verify reactor scram and MSIV closure, b) Establishing local control of the Control Structure HVAC system.  !

c) Establishing local control of the Diesel Generators. i d) De-energizing the Reactor Recirculation Pump by tripping the pump's motor-generator power  !

feed breaker, e) Installing temporary reactor level and temperature indication, as required, to support the  :

accomplishment of cold shutdown conditions (see Section 2.4.3 below)  !

' 2.4.3 Repairs .

-i The licensee has stated, in its response /:.ted May 22.1995, to a staff RAI that no repair activities I are required to achieve either hot or cold shutdown conditions. However, as discussed in Section-2.3.1.4 above, a review of alternative shutdown procedures ON 100-009 and ON 200-009 identified steps directing the installation of temporary reactor level and temperature indication by Instrument and Control (l&C) technicians. For Alternate Shutdown Path 2, RPV level is monitored using the wide range level instrumen*ation available at the remote shutdown panel. However, wide range level instrumentation is increasingly less accurate as pressure decreases Since the operating procedures for RHR Shutdown Cooling require the operator to increase level to between 90 and 100 inches, ,

additional instrumentation may be necessary to support commencing RHR Shutdown Cooling for cold shutdown. The licensee states that the use of this temporary instrumentation is only necessary to support the accomplishment of cold shutdown and is not required to a hieve and maintain hot r shutdown conditions. Since these actions are only necessary to suppor, the accomplishment of cold shutdown and are not required to achieve and maintain hot shutdown conditions, they appear to be -

acceptable.

- Based on the results ciur review, and subject to the previously approved deviations from re ,

requirements of Section Ill.G of Appendix R to 10 CFR 50, we find the systems identified by the licensee for achieving and maintaining safe shutdown in the event of a fire acceptable. Additionally, the methodology used to ensure adequate fire prutection for these safe shutdown systems conforms ,

- to Appendix R to 10 CFR 50 and is, therefore, acceptable.

9 15 e ~ 4 -e w-, -- w ww.e *mr,-,-mm--w'.- nr ev w-- e v- - vv ww-<%. W<e--,ww--w--,,rsm-r,---rr--,- --w-+m~~..+-m--,. ., e--=,&,------ --,4---- ,-e w er -ww .

3. EVALUATION OF ASSOCIATED CIRCUITS 3.1 Common Power Supply Associated Circuit Concem The common power supply associated circuit concern arises when equipment required for safe shutdown shares a common power source (e.g., swiichgear, MCC, circuit breaker or fuse panel) wiih non safe shutdown equipment and fire induced electrical faults in the non esser.tlalloads will cause a loss of the power source due to inadequate fire protection features (i.e. protection per Section Ill.G of Appendix R) or circuit protective device coordination. Circuits associated by common power supply are those circuits not required for safe shutdown but are powered from safe shutdown buses.

Safe Shutdown buses are those buses which provide electrical power to components necessary for post fire safe shutdown. Proper coordination of electrical protection devices of safe shutdown buses provides assurance that in the event of a fire induced fault on connected cabling, the protective device located nearest the fault will operate prior to any protective device located upstream of a seguired power source.

1... licensee states that as part of the conduct ofits safe shutdown separation analysis it has identified all required electrical power sources (buses) and all circuits from those buses were analyzed for their safe :hutdown function. All circuits not required for safe shutdown were identified and whenever such non essential cables entered a fire zone where the required shutdawn path was the same as the safe shutdown path assigned to the bus, an analysis was performed to verify acceptable coordination between the load side circuit intermpting device (i.e., circuit breaker, fuse, etc.) and the main feeder breaker to the bus. Wherever acceptable coordination between these devices did not exist, the licensee states in :ts submittal dated May 22,1995, that appropriate modifications were performed to preclude any impact to safe shutdown.

In its May 22,1995 submittal, the licensee further states that it has evaluated for the effects of fire-induced multiple high impedance faults (MillF) on associated circuits of safa shutdown power supplies that were capable of sustaining damage in each fire area. For all safe shutdown buses it was determined that the total MillF current, when added to the total running current of the bus, did not exceed the long-time trip setting of the bus main breaker.

The licensee's method ofidentifying and resoNing potential common power supply associated circuit concerns conforms to the requirements of Section Ill.G and Ill.L of Appendix R to 10 CFR 50 and guidance provided by the staffin Generic Letter 81 12 for protection of safe shutdown capability and is, therefore, acceptable.

3.2 Common Enclosure Associated Circuit Concern:

The common enclosure associated circuit concern occurs when non safe shutdown circuits are routed together with cables of required equipment and they are not provided with a suitable level of electrical protection, or fire can destroy both circuits due to inadequate fire protection features.

16

4 In its submittal dated May 22,1995, the licensee states that all electrical distribution equipment and -

cabling is provided with suitably sized electrical fauh protective devices which provide the necessary degree of protection from electrical fault and overload conditions. Additionally, the licensee states  !

that all safety related or affiliated cables at SSES are qualified to IEEE Std. 383 and suitable fire protection features (e.g. fire barriers, and penetration designs) are provided to preclude fire  !

propagation between enclosures of redundant divisions.

The licensee's method of protection for the common enclosure associated circuit concern conforms to the requirements of Section 111.0 and III.L of Appendix R to 10 CFR 50 and guidance provided by the staff in Generic Letter 81 12 for protection of safe shutdown capability and is, therefore, acceptable.  ;

1,3 Spurious Signal Concern l

The initial review of Revision 4 to Susquehanna Steam Electnc Station (SSES) Fire Protection Review Report (FPRR), identified questions and concerns regarding certain assumptions used by the licensee in its analysis of potential fire induced ;purious operations. Spcifically, the review identified examples where redundant valves rnay be subject to spurious actuations (i.e. undesirable change of position) as a result of a single hot short on each of their respective control circuits. Although the control circuits of redundant valves may be subject to damage by the same fire, in its initial evaluation of this issue, the licensee stated: "For both valves to open simultaneously, a hot short on each valve is required. NRC Generic Letter 8610 does not require the assumption of multiple hot shorts for non-hl/lo pressure interfaces. Therefore, one of these two valves is assumed to remain closed." In i subsequent meetings and correspondence, the staffinformed the licensee ofits concern thet the app'ication of this assumption may result in an inability to adequately demonstrate compliance with .

Sections Ill.G.2 and III.L of Appendix R to 10 CFR 50.

By letter dated December 6,1996, the licensee submitted revised criteria it had developed and

- employed for the analysis of potential spurious operations. The revised criteria specify the ability to  ;

mitigate, on a one at a' time basis, any and all rpurious operations having the potential to impact safe #

shutdown that may be initiated by fire in any fire area.

As part ofits Appendix R safe shutdown separation analysis, the licensee states that it has analyzed safe shutdown and associated circuit cables for potential spurious signal concerns. During this evaluation all circuits which could cause undesirable spurious operations were identified and evaluated for potential fire damage. With the exception ofcomponents which comprise a higMow '

pressure interface boundary the licensee's evaluation considered any and all spurious operations that '

may occur as a result of a single fire, on a one at a time basis (i.e., non-concurrent). That is, for each fire area all potential spurious operations that may occur as a result of a postulated fire were identified, and corrective actions were implemented as needed on a one at-a time basis. The fire-initiated fault was assumed to exist until action was taken to negate the effects of spurious actuation.

The fire was not postulated to eventually clear the fault. For redundant components which form a-higMow pressure interface boundary, the evaluation considered the potential for concurrent, simultaneous, spuriou operations.

17 ,

When cables of equipment whose spurious operation could affect safe shutdown were identified, the licensee states that they were then included as requi.ed cables into the Appendix R separation analysis. Examples ofitems included in this group of components are: (1) High/ Low pressure interface components; (2) Flow diversion components that could divert flow from either the RPV or from safe shutdown systems; and (3) Spurious opening of SRV's which :ould deplete the motive steam force required to drive the high pressure make up systems or significantly reduce vessel inventory without a readily available source orlow pressure make-up. Whenever identified, such cables and equipment were then added to the safe shutdown component list and evaluated in the same manner as components required to achieve and maintain safe shutdown of the reactor in the event of fire. For all components on the safe shutdown component list, the cabling required for operation, or any cabling that could either directly or indirectly cause the maloperation of components required for post fire safe shutdown, was identified. Following their identification the licensee states that appropriate evaluatinns or modifications were performed to ensure the units can successfully achieve and maintain safe shutdown conditions.

3.3.1 Flow Diversion Paths and I!.igh/ Low Pressure Interfaces Flow diversion has the potential to prevent safe shutdown by diverting flow from a safe shutdown system or causing a loss of coolan from the RPV The licensee states that it has performed an analysis in which the RPV and all safe shutdown systems were reviewed for potential flow diversion paths. Flow diversion paths wert determined by reviewing all penetrations of the reactor pressure vessel and all safe shutdown syst:m flow paths. In determining the spurious operation potential of cables for components comprisir.g a High/ Low pressure interface, the licensee states that multiple, simultaneous, hot shorts were considered. During the evaluation, the hot short cor'dition was assumed to exist until action is taken to isolate the circuit from the fire afrected area, or other actions as appropriate, have been taken to negate the :.*ects of spurious actuation. The fire was not postulated to eventually clear the hot short. When cables of equipment whose spurious operation could affect safe shutdown were identified, they were then included as required cables into the Appendix R separation analysis. Whenever identified, such cables and equipment were then added to the safe shutdown cor ponent list and protected in tha same manner as components required to achieve and maintain safe shutdown. Where necessary, plant modifications have been implemented to pwelude the spurious operaticn (e.g., fire barrier wrap or routing the circuit of concern in a dedicated conduit that does not contain any other normally energized circuits that could cause a spurious actuation) or spurious operation of these valves will be mitigated by procedural actions such as de-energizing and isolating circuits of the affected valves and manually operating the valve locally using the hand wheel.

3.3.2 Spurious Operation of ADS Valves A Control Room fire could result in spurious actuation cf ADS valves resulting in a loss of motive steam necessary to drive RCIC. For this to occur, however, at least two (2) hot shorts of the proper polarity on the ADS actuation circuitry, in conjunction with the simultaneous spurious operaten of a Core Spray or RHR pump would be required. If this combination of circuit faults were to occur, or, if the two hot shorts were to occur at a time when the operator was initiating the PHR pump at the 18

remote shutdown station, motive steam to drive RCIC would be lost. In the unlikely event that this scenario were to occur, the licensee states that the loss of RCIC would he mitigated by use of the RHR system in the LPCI mode ftom the remote shutdown panel and, therefore, would not afect the ability to achieve and maintain safe shutdown conditions.

3.3.3 Protection from Loss of Remote Shutdown Capability due to Fire Induced Circuit Faults

(

Reference:

NRC Information Notice 92 18)

In the event of fire in the control room (Fire Area CS 9), there is a potential for fire initiated

  • hot shorts" to occur between control wiring and power sources for certain motor operated valves (MOVs) relied on to achieve and maintain safe shutdown conditions in the reactor. To assure that thermal overloads do not prevent the MOVs from' performing their intended safety function during an accident, SSES has bypassed the thermal overload protection for MOVs. Further, at SSES the location of the thermal overload contacts in the MOV control circuitry would be ineffective in mitigating the effects of hot shorts even if the thermal overloads were not bypassed. Similarly, the location in the MOV control circuitry oflimit and torque switch contacts renders these protective devices ineffective in mitigating the effects of fire induced hot shorts in the associated control circuits of MOVs. Although the MOVs may be capable of being electrically isolated from the fire affected area (e.g., Control Room Area CS 9), due to the absence of thermal overload protection, there is a potential for the hot shorts to cause mechanical valve damage before the deciolon to abandon the control room has been made and the operator has actuated the transfer switches and taken local control at the Remote Shutdown Panel (RSP). Additionally, in cases where manual local operation of the MOVs is relied on to mitigate potential spurious actuations resulting from a fire in areas outside the Control Room, there is a potential for fire induced hot shorts to cause valve damage and rews the MOV inoperable prior to its operation.

By letter dated April 23,1996, PP&L provided the results ofits evaluation of this concern (ref: PP&L Calculation EC-013 0859, Attachment C). Additionally, the licensee's revised criteria for spurious operations (

Reference:

Letter dated December 6,1996, Attachment A) requires damaging hot chorts described in NRC IN 92 18 to be addressed for: (1) Control Room circuits that are electrically isolated by actuation of a remotely actuated isolation transfer switch and (2) for MOV circuits wh the potential to be damaged by fires inside or outide the Control Room whose mitigating action involves the manual local operation of the MOV.

PP&L has performed an evaluation (Calculation EC 013 0730) to identify potential MOVs susceptible to this failure mode. This initial evaluation determined that 39 valves on Unit I and 40 valves on Unit 2 are susceptible to fire induced hot shorts having a potential to result in mechanical valve damage before the operator has actus:ed the transfer switches and taken control at the RSP.

For each of the valves requiring a mitigating action to preclude an impact on safe shutdown capability, a review of possible solution options was performed. This system review reduced the number of potential problem valves from 39 to 11 for Unit I and from 40 to 11 for Unit 2. A modification review determined that all 22 valves can be modi 6ed to mitigate the effects of MOV hot shorts by making wiring alterations without running new cables. The identified valves, their 19

t associated post fire safe shutdown system, and method of remlution are delineated in Tables 1 and 2 below. ,

The licensee states that resolution of this issue is possible at SSES due to the redundancy prosided in >

its attemative shutdown system (Shutdown Path 2) and the comprehensiveness ofisolation capability provided on the RSP. Should a hot short damage any one of the valves required for the expected r alternative shutdown lineup prior to isolation at the RSP, the following options are available to operators using equipment and symptom based procedures provided at the RSP:

(1) The licensee has identified RCIC system valves could be damaged as a result of the ,

failure mode described above. If any one of these valves is damaged as a result of an IN 92 18 fire scenario prior to isolation at the RSP, RCIC may not be available for use at the RSP, thus impacting the RPV pres 2ure control and inventory make up safe

. shutdown fbnctions. If this were to occur, however, the reactor could be depressurized using ADS valves available at the RSP, and vessel inventory makeup -

could be accomplished using RilR in the LPCI mode. By using RHR in the alternate shutdown cooling mode suppression pool cooling can be accomplished using the same flow path.

(2) If the normal RHR shutdown cooling mode is lost due to MOV failure prior to isolation, the licensee states that the Alternate Shutdown Cooling flowpath for RHR can be used. In this mode, RHR takes suction from the suppression pool and routes the flow through the RHR her, exchanger.

(3) If RHR Suppression Pool Cooling capability is lost due to MOV failure, the licensee states that the Altemate Shutdown Cooling mode of RHR can also be used.

1 l

20

i UNIT 1 VALVES REQUIRING MODIFICATION FOR IN 9218 CONCERNS Systems YaheID Function Dispoaltion Resolutloa 11 % 151  !!X Outlet Wlve Alternate Shutdown (Path 2) Relocate Torque / Limit F0038 RCIC MOVs may te damaged Switches '

as a result ofIN 9218 acenario RIIR 11W151 Pmp IB Supp Pool prior toisolation at RSP* Relocate Torque / Limit F004B Suction Valve flowever,if tius were to occur Sw tches reactor could be depressurized

. . using SRVs available on RSP, .

!!%I51 Injection inboard Rl!Rin LPCImode for RPV Rewire existmg m. terposing F015B ino. valve makeup,and suppression,nool "I'Y' cooling accomplished by 11W151 Injection outboard allemate shutdown cooling made Relocate Torque / Limit Fol7B iso. valve of RIIR. To preserve this Switches capability damage to the RIIR 11%151 IIX Inlet Valve system valves shown here must Relocate TorqudLimit F047B t* prevented. Au valves are Switches required to be available to 11%I51 ItX Dypass Wlve *P "

Relocate Torque / Limit F048B t f kat vak Switches low pressure makeup.

11 % RIIRllX IB SW Wlve must open to allow kl(RSW l1210B Inlet Wlve RIIRSW flow through RIIRIIX. Relocate Torque / Limit Damage to valve must be Switches 11 % RilRIIX 1B SW prevented.

18215B Outlet Wlve RX RECIRC 11 % l43 RX Re:irc Pmp B Wlve located inside CONTMT Relocate Torque / Limit F023B Suction Wlve and must close to prevent short Switches cycling of shutdown cooling flow. Inability to close will affect Dl!R capability of Rl(R 11 % ESW Spray Pond Nonnally open, required closed.

ESW 01222B Bypass Valve Damage to valve must be Relocate Torque / Limit prevented Switches XIV. ESW Spray Pond Normally closed. required opert 01224BI llender Wlve Damage to valve must be prevented.

Table 1: PP&L Resolution for Potentially Affected Unit 1 Valves (Ref: IN 92-18) 21

P UNIT 2 VALVES REQUIRING MODIFICATION FOR IN 9218 CONCERNS 5)steen VaheID Function Dispositica Ruolution IIV 251 F003A IIX Outlet W1ve Ahemate Shutdown (Path 2)RCIC Relocate Torgatimit Switches MOVs may be damaged as a result RIIR ofIN 92 Ig noenario prior to llV 251 T004A Pmp th Supp isolation at RSP. Ilowever,if this Relocate Torqwtimit Switches Pool Suction were to occur reactor could be Wlve depreuurized using SRVs available on RSP RIIR in LICImode for IIV 251 F01$A Injection inboard RPV maLeup,and suppreuion pool Rewire edsting interpomns iso. salve cooling accomplished by alternate rele)$

shutdown cooling mode of RitR. To ,

liv 251 IU17A trsection outboard premene this capability, damage to Relocate TorqueLimit Swikhes iso talSe RilR eystem valves shown here must be prevented. All valves are

!!V 251 T047A  !!XInlet Valse required to be available to support Re;ocate Torqwtimit Switcha operation of Ri[R eystem for decay ,

heat removal or low preuvre IIVl$1ID48A ItX Dypus Wlve makeup. Relocate Torqwtimit Switches ifV 21210A RilR !!X 2A SW Wlve must open to allow RIIRSW ,

RilRSW Inlet Wise flow through RIIR 1(X. Damage to Relocate Torgatimit Switches ilV 21215A R1IR IIX 2A SW Outlet Wlve RX REC.!RC IIV 243 T023A RX Recirc Pmp A Wlve located inside contmt. and Relocate Torquetimit Switches Suction Wlve must close to prevent short cycling of shutdown cooling flow. Inabihty to close will afTect D!lR capability of RIIR liv 01222A ESW Spray Pond Normally open; required closed. Relocate Torqatimit Switches ESW Bypass Wlve Damage to valve must be prevented.

IIV 01224AI ESW Sprey Pond Normally closed, required open. Rewire edsting interposing liender Wlve Damase to valve must be prevented, releve ,

Table 2: PP&L Resolution for Potentially Affected Unit 2 Valves (Ref: IN 9218) 22

,,,<-,r -- , - - . , - - - > - , - , - - e men---

In addition to the above listed valves, the licensee has elected to modify the circuits for the following two RIIR system valves for each unit:

Unit 1 :

RIIR valve IF006D (Pump IB Shutdown Cooling Suction Valve), and RilR valve IF0280 (Div. Il Suppression Pool Cooling Block Valve)

Unit 2:

RilR valve 2F006A (Pump 1 A Shutdown Cooling Suction Valve), and RIIR valve 2F028A (Div. I Suppression Pool Cooling Block Valve)

The licensee states that modifications to the four valves listed above (2 per unit) will enhance its shutdown capability by preserving the ability to operate one valve in each of the two potential Dow diversion paths off the main RIIR LPCI flowpath.

Based on the above, we conclude that pending installation of required modifications the PP&L disposition of valves potentially affecto.' by the failure mode described in NRC Information Notice 9218 is acceptable.

3.3.4 PP&L Evaluation of Suppression Pool Drain Valves During the initial review of PP&L Calculation EC-013 0859, (included as Appendix C " Resolution of the MOV "llot Shon" issue NRC Information Notice 9218" to the April 231996 submittal), it was noted that a control room fire could result in the inadvertent spurious opening of Suppression Pool Drain Valves IIV 15766, IIV 15768 and liv-15769 (Unit 1) and valves liv 25766,IIV 25768 and IIV 25769 (Unit 2). Although the licensee's es aluation concluded that the spurious opening of these valves could cause the suppression pool to drain down to liquid radwaste and affect the performance of ECCS pumps required for post fire safe shutdown, based on an apparent misinterpretation of the guidance contained in the staffs response to Question 5.3.10 of Generic Letter 8610, the analysis criteria in place at that time did not consider the spurious / operation of more than one valve to be a credible event.

Subsequent to its initial evaluation, the licensee has revised its criteria for evaluating potential spurious operations to require all potential spurious operations to be addressed and the effects of each mitigated on a one at-a time basis unless faults in a single cable can cause the spurious operation of multiple components, if a single cable fault can cause the spurios operation of multiple components the spurious operations must be addressed simultaneously (

Reference:

PP&L letter dated December 6,1996, Attachment A, " Associated Circuits - Spurious Operation).

The control circuits of all three valves in question are susceptible to common-cause damage due to a single fire. Therefore, there is a potential for all three valves to be susceptible to fire-induced spurious actuation (open)in the event of a control room fire. Although the spurious operation (opening) of all three valves as a result of fire damage is unlikely, to mitigate the potential for drain 23

i

. . t I

i down of the suppression pool, the licensee states that it has implemented procedural actions which  !

- require one of the valves to be ensured closed by local manual operator action. ,

i Based on the above, the licensee's method of resolving potential spurious operations that may cause j drain down of the suppression pool, conforms to Appendix R requirements for protection of safe shutdown capability and 1s, therefore, acceptable, i 3.3.5 Potential for spurious operation of non essential coolant injection systems (i.e., injection l systems not credited in the safe shutdown analysis) to cause a reactor overfill condition.

1 Section Ill.L.7 of Appendix R to 10 CFR 50 requires that safe shutdown equipment and systems for  !

each fire area be known to be isolated frem associated non safety circuits in the fire area so that hot shorts, open circuits, and shorts to ground in the associated non safety circuits will not prevent the ,

operation ofrequired safe shutdown equipment.

In the event of a Control Room fire at SSES, there is a potential for inadvertent initiation of certain rmtor coolant injection systems which, while not required to accomplish safe shutdown, could adversely affect the shutdown capability by causing a vessel overfill condition and flooding of the main steam lines with high pressure water. The licensee had not originally considered the potential for .

reactor vessel flooding due to the inadvertent initiation ornon essential injection systems.

Subsequent to its original submittal (FPRR Rev. 4) and discussions with the staff, the licensee has i revised (expanded) its definition of spurious components requiring evaluation to include components whose inadvertent operation could result in a reactor overfill condition. Specific systems of concern at  ;

SSES include: Feedwater, Condensate, and llPCI. The potential impact on safe shutdown capability and licensee proposed strategies for handling the inadvertent initiation of each of these systems were ,

discussed during a telephons conference on September 4,1996, and in its submittal dated December 6,1996, the hcensee provided a formal response to this concern. .

3.3.5.1 Inadvertent Feedwater Initiation The SSES design employs steam-driven feedwatet pumps. Since these pumps are not electrically powered they will continue tu provide flow during feedwater system coast down as long . ruTicient steam is available. The concern with this configuration is that a fire-induced spurious signal on the feedwater pump control circuit, located in the control room, could enuse a false demand for the steam-driven pumps to inject coolant at maximum capacity. If this were to occur, operators would have a very short time frame to implement mitigating actions, which include closing the Main Steam Isolation Valves (MSIVs), closing of the feedwater discharge valves, and tripping the feedwater turbine from outside the' main Control Room (per Generic Letter 86-10, tripping the reactor is the

, only operator action typically permitted to be credited prior to control room evacuation). In its  :

submittal dated December 6,1996 the licensee requested credit also be given for additional operator i actions prior to leaving the Control Room. Specifically, the licensee requested approvatt o allow

- SCRAM of both units; closure of the MSIVs; closure of the feedwater discharge valves; and tripping  !

of the feedwater turbine, 24 ,

i 1

.--,+,_n. r..~. ~~~4 4 _ i,,__~.g, #.,r ,,e_~m.,-mw-,,,m_, _.~_.,.r---y,.,,,,,.,,.c, . , , , . , , , . ~~

As described in Section 2.4, all of the mitigating actions described above, including a manual scram of the reactor, can be accomplished in rapid succession by a single operator from his/her normal position in the Control Room. Since the additional actions can be accomplished by a single operator in rapid succession, this approach provides an acceptable means of ensuring that reactor overfill due to inadvertent initiation of the feedwater system will be precluded, and is, therefore, acceptable.

3.3.5.2 Spurious Operation of the liigh Pressure Coolant injection System (IIPCI)

Inadvertent initiation of the llPCI system and concunent loss of the 54" high water trip for liPCI as a result of a Control Room fire could, in a short time period (approximately 3 minutes), cause a vessel overfill condition to tne point where IIPCI would be disabled and the main steam lines would be filled with high pressure water. In its submittal dated December 6,1996, the licensee states that its evaluation of thl concern has determined that there are three possible scenarios that could lead to inadvertent initiation of the liPCI system: (1) Multiple hot shorts and concurrent loss of the 54" IIPCI trip; (2) A single hot.short on Division 11 de control circuit for IIPCI automatic initiation logic; or (3) Sequential selected cable faults on the llPCI Division 11 de control circuitry. The licensee's assessment of each of these scenarios is evaluat:d in the following para;;raphs:

3.3.5.2.1 Inadvertent IIPCI initiation due to multiple hot shorts and concurrent loss of the 54" llPCI trip.

Under this scenario, inadvertent initiation ofilPCI would be possible if a fire were to cause individual hot shorts on the start circuitry for three components (IIPCI Aux. Pump, [which would open the IIPCI Control and Stop Valves), IIPCI Steam Admission Valve and IIPCI Pump Discharge Valve) along with a concunent loss of the 54" IIPCI trip due to fire damage.

Controls for all of the IIPCI components described above are contained in a single control cabinet (Control Room Panel I/2C601). Therefore, in order for this scenario to occur, the fire must be sufficiently limited so that only the selected portions of the circuitry are damaged without damaging circuitry that would prevent system operation, yet, at the same time, the fire must also be extensive enough to result in a condition that requires the Control Room to be evacuated.

The licensee states that the effects of this situation could be mitigated through a plant modification to provide a keylocked switch for each unit which would inhibit IIPCI operation. The switch would be located outside the control room, in the lower relay room for each unit and would be activated by an operator traversing to the remote shutdown panel following control room evacuation. liowever, failure of th's switch during normal plant operations, would also render liPCI unavailable for service should it be called upon to function during other accident conditions.

4 The licensee estimates the probability of switch failure to be 2 x 10 / quarter, Given the low probability of the postulated fire scenario (multiple hot shorts and concurrent loss of the 54" IIPCI trip, without damage to the llPCI flow contioller or any other control circuits that could prevent the system from operating) there is concern that installation of the modification could result in a situation where the probability of switch failure and subsequent loss of fiPCI during normal plant operations is 25

r i

i higher than the probability of the failure that it was designed to prevent, resulting in a condition that I is contrary to overall nuclear safety.  ;

In order for this scenario to occur, the fire must cause multiple hot shorts and a concurrent loss of the 54" HPCI trip, without damaging the HPCI flow controller or any other control circuits that could ,

prevent the system from operating. Modifications capable of mitigating this highly unlikely event  !

(installation of a keylocked switch to inhibit HPCI operation), while ponible, coald result in a i condition that is contrary to os erall nuclear safety. On this basis, we agree with the licensee's evaluation and conclude that no funher evaluation or modifications should be required to address this  !

potential Are scenario. [

. a 3.3.5.2.2 Inadvertent HPCI initiation due to a single hot shon on Division 11 de control circuit [

for the HPCI automatic initiation logic.

To prevent inadvertent HPCI injection as a result of this scenario the licensee has proposed a ,

modification which will preserve the availability of the 54" high water level trip. Specifically, the proposed modification would place one of the two relays required to be energized to initiate the 54" trip (the Division I de relay circuit) on separate fbsmg isolated from the potential for Control Room fire damage. The licensee states that this modification would allow the HPCI system to function in the automatic mode controlling level between .38" and +54" during a Control Room evacuation. The

. licensee's evaluation and approach to resolving this concern conforms to the requirements of Appendix R to 10 CFR 50, and is, therefore, acceptable.

3.3.5.2.3 Inadvertent HPCI initiation due to sequential selected cable faults.

Sequential, selected, cable faults on the HPCI Sivision 11 dc control circuitry could cause inadvertent  ;

o HPCI initiation. Specifically, selected cable faults on the Division !! de control circuitry that initiate the system for 25 to 30 seconds and then are overcome by a fault to ground which disables the 54" trip within the next 30 to 40 seconds, could cause inadvenent initiation of the HPCI system.

Controls for all of the HPCI components described above are contained in a single control cabinet (Control Room Panel 1/2C601). Therefore, in order for this scenario to occur the fire must be sufficiently limited so that only the selected portions of the circuitry are damaged without damaging circuitry that would prevent system operation, yet at the same time, the fire must also be extensive enough to result in a condition that requires the Control Room to be evacuated.

The licensee states that the effects of this situation could be mitigated through a plant modification to provide a keylocked switch for each unit which would inhibit HPCI operation. However, as i described in paragraph 3.3.5.2.1 above, installation of this modification could result in a situation ,

. where the probability of switch failure and subsequent loss of HPCI during normal plant operations is higher than the probability of the failure that it was designed to prevent, resulting in a condition that is contrary to overall nuclear safety, i

26

,__ .__,_.__-.__.___4.__., . _.__.. _ ___._._ _,_. _ _ _

1 i

. l

- On this basis, we agree with the licensee's evaluation and conclude that no further evaluation or modifications should be required to address this potential fire scenario.

3.3.5.3 Inadvertent Condensate injection At the time of the September 4,1996 telephone conference, the licensee stated that mitigating '

inadvertent condensate injection is not time critical (approximately I hour would be available to take  ;

mitigating action) and could be addressed procedurally by incorporating manual operator actions into <

existing procedures. In its December 6,1996 submittal, however, the licensee does not address this  ;

concern. Rather, it states that an analysis is to be performed, and if the results of the analysis are not  :

favorable and additional analyses are required, NRC will be notified.  !

Pending NRC review r.ad acceptance of the PP&L analysis of this concern, it is recommended that this issue remain Open.

3.4 Modifications ,

in Calculation No. EC-013 0859, Revision I, Appendix A, " Control Room Appendix R Compliance Report," the licensee has identified modifications made to resolve postulated cable faults for the case of a fire in Fire Area CS 9, the Main Control Room. The modifications consist ofinstalling 2

provisions to isolate various circuits from the Main Control Room to prevent spurious operations or the installation of temperature switches for HVAC fans to automatically maintain desired room i temperatures. Modifications required to meet the requirements of Section 111.0.2 of Appendix R are identified in Revision 4 of the FPRR or in deviation requests which have been accepted by the staffin j the August 9,1989 or March 29,1993 SEs.  ;

4.. CONCLUSIONS ,

4.1. Post fire Safe Shutdown Capability On the basis of our review of the methodology presented in the Susquehanna Steam Electric Station i Appendix R Safe Shutdown Analysis documented in Revision 4 of the Fire Protection Review Report (FPRR) and the subsequent PP&L submittals described in Section 1 above, and subject to the previously approved deviations from certain technical requirements of Sections Ill.G and III.L of Appendix R to 10 CFR 50, we find the systems identified by the licensee for achieving and maintaining safe shutdown in the event of a fire acceptable. Additionally, the methodology used to ensure adequate fire protection for these safe shutdown systems conforms to Appendix R to 10 CFR

- 50 and is, therefore, acceptable ~. ,

4.1.2 Manual Operator Actions Prior to Control Room Evacuation in its submittas dated December 6,- 1996, the licensee requested credit be given for additional operator .1 actions prior to leaving the Control Room. Specifically, in addition to initiating a manual scram of  ;

27

.~. _. _ . _ . _ . _ . - -.; _. . . . _ . - _ _ _ . _ - . _ _ _ _ _ _ _ _ . _ . _ - _ ~ _:

both units the licensee requested that closure of the MSIVs; closure of the feedwater discharge _

l valves; and tripping of the feedwater turbine aho be allowed prior to control room evacuation. These {

actions are deemed necessary to prevent a vessel overfill condition that may be caused by spurious  !

operation of the feedwatw flow controller during feedwater system coastdown. Since all actions, i including the manual scram of the reactor, can be accomplished in rapid succession by a single  !

operator at one location, this approach provides a suitable means of precluding potential spurious i operations that could affect the shutdown captbility while satisfying the staffs concern for limiting the i number of actions within the control room prior to evacuation.  ;

4.2. Evaluation of Associated Circuit The licensee's method ofidentifying and resolving potential associated circuit concerns conforms to the requirements of Section 111.0 and Ill.L of Appendiw R to 10 CFR 50 and staff guidance provided in Generic Letter 81 12 for the protection of safe shutdown capability and is, therefore, acceptable.

4.2.1. Protection from Loss of Remote Shutdown Capability due to Fire Induced Circuit Faults j

(

Reference:

NRC Information Notice 92 18)

By letter dated April 23,1996 PP&L provided the results ofits evaluation of this concern (ref: PP&L Calculation EC 013 0859, Attachment C). Additionally, the licensee's revised criteria for spurious operations (

Reference:

Letter dated December 6,1996, Attachment A) requires damaging hot shorts l described in NRC Information Notice 92 18 to be addressed for: (1) Control Room circuits that are l electrically isolated by actuation of a remotely actuated isolation transfer switch and (2) for MOV i circuits with the potential to be damaged by fires inside or outside the Control Room whose mitigating action involves the manuallocal operation of the MOV, Calculation EC 013 0859.  ;

Attachment C, identifies valves requiring modification to ensure the safe shutdown capability will not ,

be adversely affected by the MOV circuit fault scenario presented in IN 92 18. A complete listing of 1 these valves, including their function and disposition is provided in Tables I and 2 above. Pending installation of required modifications described in the April 23,1996 submittal, the PPAL disposition of valves potentially affected by the failure mode described in NRC Information Notice 92 18 is l acceptable,

5. OPEN ISSUES 5.1 - NRC review and acceptance of the PP&L analysis of the potential for inadvertent condensate injection (Section 3.3.5.3 above)

- At the time of the September 4,1996 telephone conference, the licensee stated that mitigating inadvertent condensate injection is not time critical (approximately I hour would be available to take mitigating action) and could be addressed procedurally by incorporating manual operator actions into existing procedu'esL in its December 6,1996 submittal, however, the licensee does not address this concern. Rather, it states that an analysis is to be performed, and if the roults of the analysis are not favorable and additional analyses are required, NRC will be notified.

28 L

. - - - . - . - _ . =-.._-..~..a.. .. . _ - . - . . - - - - - . . . . .