05000289/LER-2005-002, Regarding Safe Shutdown Analysis for Control Building Fire Area 1 Was Discovered to Have Flaws in the Fire Mitigation Strategy Due to Insufficient Technical Rigor
| ML051800252 | |
| Person / Time | |
|---|---|
| Site: | Crane  |
| Issue date: | 06/23/2005 |
| From: | Chick G AmerGen Energy Co |
| To: | Document Control Desk, Office of Nuclear Reactor Regulation |
| References | |
| 5928-05-20167 LER 05-002-00 | |
| Download: ML051800252 (6) | |
| Event date: | |
|---|---|
| Report date: | |
| Reporting criterion: | 10 CFR 50.73(a)(2)(ii)(B), Unanalyzed Condition 10 CFR 50.73(a)(2) 10 CFR 50.73(a)(2)(viii) 10 CFR 50.73(a)(2)(ii) 10 CFR 50.73(a)(2)(x) 10 CFR 50.73(a)(2)(iii) 10 CFR 50.73(a)(2)(iv), System Actuation 10 CFR 50.73(b)(2)(ii) |
| 2892005002R00 - NRC Website | |
text
ae AmerGensu AmerGen Energy Company. LLC Three Mile Island Unit i Route 441 South, P.O Box 480 Middletown, PA 17057 Telephone: 717-948-8000 An Exelon Company June 23, 2005 5928-05-20167 10 CFR 50.73 U.S. Nuclear Regulatory Commission Attn: Document Control Desk Washington, D.C. 20555 THREE MILE ISLAND NUCLEAR STATION, UNIT 1 (TMI-1)
OPERATING LICENSE NO. DPR-50 DOCKET NO. 50-289
SUBJECT:
LICENSEE EVENT REPORT (LER) NO. 2005-002-00 "SAFE SHUTDOWN ANALYSIS FOR CONTROL BUILDING FIRE AREA 1 WAS DISCOVERED TO HAVE FLAWS IN THE FIRE MITIGATION STRATEGY DUE TO INSUFFICIENT TECHNICAL RIGOR" This report is being submitted in accordance with 10 CFR 50.73 (a)(2)(ii)(B). For additional information regarding this LER contact Adam Miller of TMI Unit 1 Regulatory Assurance at (717) 948-8128.
Glen E. C&&k Plant Manager GEC/awm ATTACHMENT: List of Regulatory Commitments cc:
TMI Senior Resident Inspector Administrator, Region I TMI-1 Senior Project Manager File No. 05042
SUMMARY OF AMERGEN ENERGY CO. L.L.C. COMMITMENTS The following table identifies commitments made in this document by AmerGen Energy Co. L.L.C.
(AmerGen). Any other actions discussed in the submittal represent intended or planned actions by AmerGen.
They are described to the NRC for the NRC's information and are not regulatory
commitments
COMMITMENT
COMMITTED DATE l
OR "OUTAGE" No regulatory commitments are being made in this submittal.
N/A
NRC FORM 366 U.S. NUCLEAR REGULATORY COMMISSION
, the NRC may not conduct or sponsor.
and a person Is not required to respond to, the Information collection.
r&lII rrv MrAU= {al t*VV-W=T Oil Iu ac 11
]
bDae = a Three Mile Island, Unit I 05000289 I OF 4 SAFE SHUTDOWN ANALYSIS FOR CONTROL BUILDING FIRE AREA 1 WAS DISCOVERED TO HAVE FLAWS IN THE FIRE MITIGATION STRATEGY DUE TO INSUFFICIENT TECHNICAL RIGOR EVENT DATE 5)
LER NUMBER (6)
REPORT DATE 17)
OTHER FACILITIES INVOLVED (8) i l
FALITY NAME DOCKET NUMBER l
l l l ~SEQUENTIAL REVISION l
ll MONTH DAY YEAR YEAR NUMBER NUMBER MONTH DAY YEAR ll l
FACILlTY NAME DOCKET NUMBER 04 27 2005 2005 002 00 06 23 2005 lOPERATING l l
THIS REPORT IS SUBMITTED PURSUANT TO THE REQUIREMENTSOF 10CFR6 (Check one r more) 0 1)
MODE (9)
N ] l 20.2201(b) l 20.2203(a)(2)(v)
I 50.73(a)(2)fi) 50.73(a)(2)(viii)
POWER l20.2203(a)(1) 20.2203(a)(3)Ci)
X 50.73(a)(2)(ii) l 50.73(a)(2)(x)
LEVEL (10) 1 0 0 j20.20.3(a(2)(1) 20.2203(a)(3)(il) 50.73(a)(2)(iii) 73.71 22203(a)(2)(ii) 20.2203(a)(4) 50.73(a)(2)(iv)
OTHER 20.2203(a)(2)(iii) 50.36(c)(1) 50.73(a)(2)(fv)
OTHEr belo o j
2.:.2203(a)(2)(ty) 50.36(c)(2) 5O.73(a)(2)(Vii) inNR6 rm366A LICENSEE CONTACT FOR THIS LER (121 NAME TELEPHONE NUMBER include Area Code)
Adam W.Miller of TMI-1 Regulator Assurance l17) 948-8128 l
COMPLETE ONE LINE FOR EACH COMPONENT FAILURE DESCRIBED IN THIS REPORT (13)
REPORTABLE REPORTABLE
CAUSE
SYSTEM COMPONENT MANUFACTURER TO EPIX j
CAUSE
SYSTEM COMPONENT MANUFACTURER TO EPIX l
I YES-SUPPLEMENTAL REPORT EXPECTED (14)
EXPECTED I MONTH DAY YEAR YES l
SUBMISSION 1
(I prnmntod F:YPFC.T;:n qI IRMAIRRiew nlATF:l X NO DATE (15)
ABSTRACT (Limit to 1400 spaces, i.e., approximately 15 single-spaced typewritten lines) (16)
On April 27, 2005, a previously unidentified error associated with an Appendix R fire scenario involving multiple high impedance faults (MHIF), in the 306' elevation of the Control Building, was identified. An engineering evaluation has determined that the operations procedure for recovery of vital power for instrumentation and control, following a postulated fire/MHIF scenario in this area, would not be successful. The original evaluation of this fire/MHIF concern (in the 1987 timeframe) considered this event to be very improbable and incorrectly assumed that the recovery of vital power following a bus trip would be successful. The historical procedure incorrectly assumed that DC power (which is assumed lost in the fire) was not required to restart the necessary electrical recovery equipment.
The root cause is determined to be insufficient technical rigor applied in the technical analysis of the MHIF strategy and in the older procedure review process. The corrective action to address the root cause is addressed by IR 213719, which included establishing Exelon technical human factors procedure, HU-AA-1212.
This condition was determined to meet the following reporting criterion: the nuclear power plant being in an unanalyzed condition that significantly degraded plant safety (10 CFR 50.73 (a)(2)(ii)(B)).
DOCKET 12l LER NUMBER (6)
PAGE (3) l SEQUENTIAL l REViSION YEAR I
NUMBER I NUMBER 05000289 2005 002 00 2
OF 4
EVENT DESCRIPTION
Plant Conditions before the event:
Babcock & Wilcox - Pressurized Water Reactor - 2568 MWth Core Power Date/Time: April 27, 2005/approximately 1300 hours0.015 days <br />0.361 hours <br />0.00215 weeks <br />4.9465e-4 months <br /> Power Level: 100% steady state power prior to and during the event Mode: Power Operations On April 27, 2005, a previously unidentified error associated with an Appendix R fire scenario involving multiple high impedance faults (MHIF), in the 306' elevation of the Control Building, was identified. An engineering evaluation has determined that the operations procedure for recovery of vital power for instrumentation and control, following a postulated fire/MHIF scenario in this area, would not be successful. The original evaluation of this fire/MHIF concern (in the 1987 timeframe) considered this event to be very improbable and incorrectly assumed that the recovery of vital power following a bus trip would be successful. The historical procedure incorrectly assumed that DC power (which is assumed lost in the fire) was not required to restart the necessary electrical recovery equipment.
Safe shutdown analysis of fire in the 306' elevation of the Control Building (CB-FA-1) assumes all A train Engineered Safeguards (ES) power (AC, DC, and 125 Volt Vital AC) is lost, since these power supplies have unprotected cables in this fire zone. This area contains both Train A and Train B ES power for control and indication. Train B power must be protected from the effects of a fire in this area to the extent that safe shutdown components depend on B Train electrical power. The cables for the DC and AC to Inverters *[EKIINVTJ B and D (both in Train B) go through this area. The AC cables to Inverters B and D are protected from fire, but the DC cables are not protected from fire.
A fire in CB-FA-1 could cause loss of indication and control needed to maintain the plant in a safe shutdown condition. The AC source to the Inverters could be lost by trip of 1 B ES Motor Control Center (MCC) *[EK/MCC]
due to Multiple High Impedance Faults (MHIF) on unprotected cables fed from lB ES MCC.
The safe shutdown analysis didn't identify that a loss of all four vital buses could occur until B and D vital buses are recovered. The loss of control and indication was not addressed in the 1987 timeframe. There is no documentation acknowledging the condition.
In addition, procedure 1104-45P, uFire Mitigation (Supplement to 1202-31[Fire])," actions for recovering the vital instrument buses were found deficient. The procedure directed the operator to re-energize 1 B ES MCC with the inverters connected to the MCC. Restarting the inverters on the AC source may blow fuses or damage the inverters.
This potential loss of safe shutdown functions was reported to the NRC on 5/3105. The report was made under 10 CFR 50.72(b)(3)(ii)(B) as an unanalyzed condition which could cause loss of safe shutdown functions from the control room and the remote shutdown panel.
104-45P instructs shutting down the reactor, loading B Train ES buses on the Diesel Generator *[EK/DG] then opening the breakers of unprotected DC circuits to protect the B battery, which include the B and D inverter feeds. The inverters continue to operate on AC unless AC is lost. If 1 B ES MCC is lost due to MHIF, the Inverters B and D trip and control and indication are lost in the Control Room and at the Remote Shutdown Panel.
Interruption in the 480 VAC feed to the Inverters must be assumed since 1 B ES Motor Control Center could trip due to Multiple High Impedance Faults (MHIF). The inverters would trip because the switches providing DC feed to the inverters have been opened. Trip of 1 B ES MCC would cause loss of I B and 1 D inverters. IA and 1 C Inverters are not available because A Train power is not protected. Loss of all four inverters would leave the DOCKET 121 LER NUMBER (6)
PAGE (3)
Y SEQUENTIAL I REVSIWON YEAR IN UMBER INUMBER 05000289 2005 002 00 3
OF 4
control room and remote shutdown panels without needed indication and control.
The procedure that opens the DC feed to Inverter 1 B and 1 D was implemented on December 23, 1988. The procedure was implemented instead of a modification to protect the DC Cables in CB-FA-1.
CAUSE OF EVENT
The decision to implement a procedure solution to resolve the Appendix R MHIF trip of the 1 B ES MCC feeder breaker and DC fault concerns for a fire in area CB-FA-1 was flawed because it did not address the consequences of the loss of Control Room and Remote Shutdown indication and controls resulting from the MHIF trip of 1 B ES MCC feeder breaker.
Root Cause:
Insufficient technical rigor applied in the technical analysis of the MHIF strategy and in the procedure review process.
ANALYSIS I SAFETY SIGNIFICANCE The consequence of the deficiency, if the event were to occur, is that the procedures previously in effect were not adequate for reaching safe shutdown. Required instrumentation and control would be lost due to 1 B ES MCC trip.
Overall plant risk is low due to the low probability of a MHIF event, and due to the existence of fire detection and sprinkler systems, and low fire loading in the affected area. The risk has been addressed by the addition of a fire watch that reduces the probability of damage due to fire and the interim procedure that takes post-fire preemptive action to isolate unprotected circuits.
The assessment of low overall risk of MHIF events is consistent with the risk informed approach in NRC Regulatory Issue Summary (RIS) 2004-03. In RIS 2004-03, the NRC states "Multiple high-impedance faults are considered of very low likelihood."
Although overall risk is low, the requirement to address MHIF remains in effect and the corrective actions are directed to achieving compliance.
CORRECTIVE ACTIONS
Immediate and Short Term Actions:
- 1. Established 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> roving fire watch
- 2. Implemented an interim change to procedure 11 04-45P, IC 18035, that takes post-fire preemptive action to isolate unprotected circuits.
Long Term Corrective Actions:
- 1. The corrective action to prevent recurrence has been addressed previously within our corrective action process via IR 213719. The Exelon technical human factors procedure, HU-AA-1212, has been established.
- 2. Install a modification to provide continuous power to vital bus B and D during an Appendix R fire scenario in area CB-FA-1.
DOCKET 12 l
LER NUMBER 16)
PAGE (3) l SEQUENTIAL I REVISION YEAR l
NUMBER I NUMBER 05000289 2005 002 00 4
OF 4
- 3. Re-evaluate MHIF events in all fire zones for similar problems and resolve by a combination of procedure changes, design changes, andlor design analysis.
PREVIOUS OCCURENCES
There were no previous events reported at TMI related to the plant being in an unanalyzed condition related to Appendix R fire protection issues.
ADDITIONAL INFORMATION
A preliminary review was conducted of those fire mitigation procedures, which describe the action to recover a bus that has failed due to a MHIF event. This preliminary review did not identify any additional MHIF problems. A more comprehensive evaluation, described in the "Long Term Corrective Actions" above, is in progress.
- Energy Industry Identification System (EIIS), System Identification (SI) and Component Function Identification (CFI) Codes are included in brackets, [SI/CFI] where applicable, as required by 10 CFR 50.73 (b)(2)(ii)(F).