05000498/LER-2013-003

LER-2013-003, Unanalyzed Condition - Direct Current Ammeter Circuits Without Overcurrent Protection.
South Texas Unit 1
Event date: 10-31-2013
Report date: 12-23-2013
Reporting criterion: 10 CFR 50.73(a)(2)(v), Loss of Safety Function

10 CFR 50.73(a)(2)(ii)(B), Unanalyzed Condition
Initial Reporting
ENS 49411 10 CFR 50.72(b)(3)(ii)(B), Unanalyzed Condition
4982013003R00 - NRC Website

I. DESCRIPTION OF EVENT

A. REPORTABLE EVENT CLASSIFICATION

This event is reportable pursuant to 10 CFR 50.73(a)(2)(ii)(B), any event or condition that resulted in "The nuclear power plant being in an unanalyzed condition that significantly degraded plant safety."

B. PLANT OPERATING CONDITIONS PRIOR TO EVENT

Units 1 and 2 were operating in Mode 1 at 100% power.

C. STATUS OF STRUCTURES, SYSTEMS, AND COMPONENTS THAT WERE INOPERABLE AT THE START OF THE EVENT AND THAT CONTRIBUTED TO THE EVENT

No other structures, systems, or components were inoperable at the start of the event that contributed to the event.

D. NARRATIVE SUMMARY OF THE EVENT

On October 7, 2013, the South Texas Project became aware of the Event Notification (49411) from Palo Verde Nuclear Generating Station regarding the unanalyzed condition resulting from control room ampere indications that did not include overcurrent protection. A Condition Report was generated to review operating experience to determine if STP had the same vulnerabilities. The review concluded that the Class-1E batteries ammeter indications are appropriately isolated locally before being transmitted to Main Control Board CP003 in the Control Room. However, during the course of the review, it was discovered that the non-Class 1E batteries ammeter indications had the same condition as described in the industry OE.

On October 22, 2013, a Condition Report was written to further evaluate the extent of condition for the non-Class 1E battery systems, which are not credited for Fire Safe Shutdown.

On October 31, 2013, the condition was determined to potentially adversely impact the capability to achieve and maintain a safe shutdown condition in the event of a fire. Failure to provide electrical protection to the non-Class 1E, non-safe shutdown, and control room DC ammeter circuits could result in a postulated fault scenario that could induce a secondary fire in another fire area. This could cause the loss of the ability to conduct a safe shutdown as required by 10 CFR 50 Appendix R. Hourly fire watches were established as compensatory actions. The NRC was notified under Event Notification 49490 - Reportable Event for an unanalyzed condition that significantly degrades plant safety.

E. METHOD OF DISCOVERY

Performance of Industry Operating Experience review.

II. EVENT-DRIVEN INFORMATION

A. SAFETY SYSTEMS THAT RESPONDED

No safety systems were required to respond to this event.

B. DURATION OF SAFETY SYSTEM INOPERABILITY

Not applicable

C. SAFETY CONSEQUENCES AND IMPLICATIONS OF THE EVENT

A review of the Palo Verde Event Notification concerning unfused Direct Current (DC) shunt ammeter circuits on station batteries resulting in an unanalyzed condition determined that this was not applicable for the Class 1E DC systems credited for safe shutdown at STP. The review concluded that the Class-1E batteries ammeter indications are appropriately isolated locally before being transmitted to Main Control Board CP003 in the Control Room.

An extent of condition review determined that the original plant wiring of the ammeter circuits for the non-Class 1E batteries was of a similar design to that described in the Palo Verde Event Notification.

Additionally, the control circuit for the Turbine Generator Emergency Lube Oil pump is unfused, protected only by the motor circuit breaker with a trip setting of 350 amps. These non-Class 1E circuits are not credited for safe shutdown.

It is postulated that a fire in one fire area can damage these circuits and cause short circuits without protection that would overheat the cables and possibly result in secondary fires in other fire areas where the cables are routed. The secondary fires could adversely affect safe shutdown equipment and potentially cause the loss of the ability to achieve and maintain a safe shutdown condition in the event of a fire.

The non-Class 1E battery systems are ungrounded systems for increased reliability. In an ungrounded system, a single ground will not cause the circuit to fail but will instead set a new reference ground voltage for the system; however, a second ground of the opposite polarity will then result in a short circuit. This design requires that both the positive and negative leads to the loads be protected by overcurrent devices.

The postulated event of a fire in the control room could cause one of the ammeter wires to short to ground while at the same time, the fire causes another wire from the opposite polarity on the same battery to also short to the ground plane. This would cause a ground loop through the unprotected ammeter wiring which could result in excessive current in the ammeter wiring, potentially causing a secondary fire in the raceway where the cables are routed.

The potential for the ground plane to become a conductor was recently determined to be a credible fault mechanism as published in NUREG/CR-7100, Direct Current Electrical Shorting in Response to Exposure Fire (DESIREE-FIRE), dated April 2, 2012. Prior to this fire testing, fire safe shutdown analysis did not consider the effects of the DC shorts through the ground plane. Since this is recent testing, this failure mode was not considered credible and not taken into account in previous safe shutdown circuit analysis.

STP complies with 10 CFR 50, Appendix R as described in Fire Hazards Analysis Report (FHAR) comparison section 4.1 but is not an Appendix R plant. Based on the common enclosure rule of FHAR section 3.1.3.3, the non-Class 1E circuits of concern should have fuses and/or circuit breakers that will prevent a postulated fire from spreading to another Fire Area through cable short circuits.

The condition of these un-fused DC circuits could impede the capability to achieve Fire Safe Shutdown by not assuring at least one train of safe shutdown equipment is available as required by the fire hazard analysis.

Because the non-safety DC circuits are not required for safe shutdown, they are not included in the safe shutdown analysis and were not analyzed for impact on fire safe shutdown requirements. FHAR section 3.1.3.3 states that all power circuits in common enclosures are electrically protected with circuit breakers or fuses, which will prevent secondary electrical fires from occurring.

The identified unprotected circuits traverse the following areas required for safe shutdown in the Electrical Auxiliary Building:

Elevation   Room                                 Fire Area/Zone
10'         002 Power Cable Vault                02/010
10'         011 Hallway                          02/016
21'         102 Train A Cable Spreading Room     64/026
21'         101 HVAC and Elec Area               66/025
35'         215 Plant Computer Room              01/045
35'         201 Train B Elec Penetration Area    03/031
48'         215D Cabling Area                    33/018

Failure to provide electrical protection to the non-Class 1E, non-safe shutdown, control room DC ammeter circuits could result in a postulated fault scenario that could induce a secondary fire in another fire area.

The evaluation confirmed that all of the affected fire areas are provided with active fire suppression and fire detection with the exception of Room 011 where the cable is enclosed in conduit. The combination of these systems provides a high level of confidence that a fire will be detected early and provides notification to the Control Room for dispatching the fire brigade. The suppression systems are full coverage systems that can control and/or extinguish the fire prior to the fire brigade's arrival.

There were no actual safety consequences of this condition. This is a postulated event and as such did not result in challenges to fission product barriers, control of radioactive materials, or the health and safety of the public.

The design deficiency did not impact the performance of any other component functions and no other safety functions were impacted as a result of this event. The condition would not have prevented the fulfillment of a safety function; and, the condition did not result in a safety system functional failure as defined by 10 CFR 50.73(a)(2)(v).

III. CAUSE OF THE EVENT

The cause of this condition is that the original design of the DC circuits did not adequately address fire protection program requirements. The event would have been prevented if the original design had included overcurrent protection for the non-Class 1E, non-safe shutdown DC circuits.

IV. CORRECTIVE ACTIONS

As an interim action, hourly fire watches were established in affected fire zones. Fire watches provide additional defense in depth for the fire protection program and support early detection of a fire at the incipient stage. A design change is planned to correct the latent design deficiencies by providing circuit protection on affected ammeter circuits.

V. PREVIOUS SIMILAR EVENTS

There have been no similar reportable events at STP within the last three years.

VI. ADDITIONAL INFORMATION

None