IR 05000298-04-008; 04/5/2004 - 07/02/2004; Cooper Nuclear Station; Triennial Fire Protection Inspection, Problem Identification and Resolution

ML042020285
Person / Time
Site:	Cooper
Issue date:	07/19/2004
From:	Laura Smith Division of Reactor Safety IV
To:	Edington R Nebraska Public Power District (NPPD)
References
IR-04-008
Download: ML042020285 (27)
v • d • e

Text

July 19, 2004

SUBJECT:

COOPER NUCLEAR STATION - NRC TRIENNIAL FIRE PROTECTION INSPECTION REPORT 05000298/2004008

Dear Mr. Edington; On April 23, 2004, the Nuclear Regulatory Commission (NRC) completed the onsite portion of the triennial fire protection inspection at the Cooper Nuclear Station. Preliminary results of the onsite inspection were discussed with Mr. S. B. Minahan, Acting Site Vice President and other members of your management and staff on April 22, 2004. Subsequent to the onsite portion of the inspection, you provided additional information regarding the findings. Additional in-office inspection was performed May 10 to July 1, 2004. The enclosed inspection report documents the inspection findings, which were discussed via teleconference on July 2, 2004, with Mr. S. B. Minahan, General Manager, Power Operations, and other members of your management and staff in a final exit meeting.

During this triennial fire protection inspection, the inspection team examined activities conducted under your license as they relate to safety and compliance with the Commissions rules and regulations and the conditions of your license. The inspection consisted of selected examination of procedures and records, observations of activities and installed plant systems, and interviews with personnel.

This report documents two findings, which were evaluated under the risk significance determination process as having very low safety significance (green). The NRC has also determined that violations are associated with these findings. The violations are being treated as noncited violations (NCVs), consistent with Section VI.A of the Enforcement Policy. The NCVs are described in the subject inspection report. If you contest the violations or significance of the NCVs, you should provide a response within 30 days of the date of this inspection report, with the basis for your denial, to the U.S. Nuclear Regulatory Commission, ATTN: Document Control Desk, Washington, DC 20555-0001, with copies to the Regional Administrator, U.S.

Nuclear Regulatory Commission, Region IV, 611 Ryan Plaza Drive, Suite 400, Arlington, Texas 76011; the Director, Office of Enforcement, U.S. Nuclear Regulatory Commission, Washington, DC 20555-0001; and the NRC Resident Inspector at the Cooper Nuclear Station facility.

Nuclear Public Power District-2-In accordance with 10 CFR 2.390 of the NRCs "Rules of Practice," a copy of this letter and its enclosure will be available electronically for public inspection in the NRC Public Document Room or from the Publicly Available Records (PARS) component of NRCs document system (ADAMS). ADAMS is accessible from the NRC Web site at http://www.nrc.gov/reading-rm/adams.html (the Public Electronic Reading Room).

Sincerely,

//RA//

Linda Joy Smith, Chief Plant Engineering Branch Division of Reactor Safety Docket: 50-298 License: DPR-46

Enclosure:

NRC Inspection Report 05000298/2004008 w/attachment: Supplemental Information

REGION IV==

Docket(s):

50-298 License(s):

DPR-46 Report No.:

05000298/2004008 Licensee:

Nebraska Public Power District Facility:

Cooper Nuclear Station Location:

Brownville, Nebraska Dates:

April 5 - 23, 2004 (onsite); May 11 - July 1, 2004 (In-office inspection);

July 2, 2004 (Telephone exit)

Inspectors:

R. Nease, Team Leader, Plant Engineering Branch R. Mullikin, Senior Reactor Inspector, Plant Engineering Branch P. Goldberg, Reactor Inspector, Plant Engineering Branch Accompanying Personnel:

G. Waig, Reactor Systems Engineer, Division of Incident Response Operations, NRC Contractor:

K. Sullivan, Brookhaven National Laboratory Approved By:

Linda Joy Smith, Chief Plant Engineering Branch

Enclosure

SUMMARY OF FINDINGS

Cooper Nuclear Station

NRC Inspection Report 05000298/2004008 IR 05000298/2004008; 04/5/2004 - 07/02/2004; Cooper Nuclear Station: Triennial Fire Protection Inspection, Problem Identification and Resolution.

The report covered an announced inspection by three region-based fire protection inspectors, one accompanying personnel from NRCs incident response operations and one contractor.

Two Green noncited violations were identified. The significance of most findings is indicated by its color (Green, White, Yellow, Red) using Inspection Manual Chapter (IMC) 0609,

"Significance Determination Process" (SDP). Findings for which the SDP does not apply may be green or be assigned a severity level after NRC management review. The NRC's program for overseeing the safe operation of commercial nuclear power reactors is described in NUREG-1649, "Reactor Oversight Process," Revision 3, dated July 2000.

NRC-Identified Findings

Cornerstone: Mitigating Systems

Green.

The team identified a noncited violation of Section III.G.2 of Appendix R to 10 CFR Part 50 for failure to ensure that redundant trains of safe shutdown systems in the same fire area were free of fire damage. For example, cables associated with the automatic depressurization system were not physically protected from fire damage, leaving them vulnerable to spurious operation. The licensee credited manual actions to mitigate the effects of fire damage in lieu of providing the physical protection required by 10 CFR Part 50, Appendix R, Section III.G.2.

This finding is of greater than minor safety significance because it impacted the mitigating systems cornerstone objective to ensure the availability, reliability, and capability of systems that respond to external events (such as fire) to prevent undesirable consequences. The team found that the manual operator actions implemented to mitigate the effects of fire damage were reasonable (as defined in of NRC Inspection Procedure 71111.05, Fire Protection), and could be performed within the analyzed time limits. Therefore, in accordance with of NRC Inspection Procedure 71111.05, the finding was determined to be of very low safety significance (green), and the significance determination process was not entered.

(Section 1R05.1)

Cornerstone: Mitigating Systems

Green.

The team identified three examples of a noncited violation of Technical Specification 5.4.1.d for failure to provide adequate instructions in Emergency Procedure 5.4 Fire-S/D, Fire Induced Shutdown From Outside Control Room, Revision 3. In the first example, the licensee failed to provide adequate instructions to operators to assure that high pressure coolant injection flow would be secured within analyzed times in order to prevent reactor vessel overfill and subsequent damage to safety relief valves. In the second example, the licensee failed to provide adequate instructions to operators to ensure the main steam isolation valves were closed in order to prevent feedwater from overfilling the reactor vessel and damaging safety relief valves. In the third example, the licensee failed to provide adequate instructions to ensure operators would correctly position 14 motor-operated valves (required for achieving and maintaining safe shutdown) from motor-control centers. Operating motor-operated valves in this manner bypasses the valves protective features, leaving them vulnerable to damage by over-thrust. This finding has cross-cutting aspects in the area of human performance.

This finding is of greater than minor safety significance because it impacted the mitigating systems cornerstone objective to ensure the availability, reliability, and capability of systems that respond to external events (such as fire) to prevent undesirable consequences. The team leader and the senior reactor analyst, performed a Phase 3 risk assessment for each of these examples using INEEL/EXT-02-10307,

SPAR-H Human Reliability Method, dated May 2004, and determined that the significance of each of these findings was very low (green). This very low significance can be attributed to a low initiating event frequency and low probability of circuit failures which would cause spurious operation. (Section 1R05.4)

REPORT DETAILS

REACTOR SAFETY

1R05 Fire Protection

The purpose of this inspection was to review the Cooper Nuclear Station fire protection program for selected risk-significant fire areas. Emphasis was placed on verification of the licensees post-fire safe shutdown capability. The inspection was performed in accordance with the NRC regulatory oversight process using a risk-informed approach for selecting the fire areas and attributes to be inspected. The team leader and a Region IV senior reactor analyst used the Individual Plant Examination for External Events for the Cooper Nuclear Station to choose several risk-significant areas for detailed inspection and review. Inspection Procedure 71111.05, Fire Protection, requires selecting three to five fire areas for review. The three fire areas reviewed during this inspection were:

• RB-FN, Northeast Corner the Reactor Building, Elevation 903'6"

• RB-M, Reactor Building, Elevation 931'6"

• RB-V, Reactor Building, Elevation 976" For each of these fire areas, the inspection focused on fire protection features, systems and equipment necessary to achieve and maintain safe shutdown conditions, and licensing basis commitments.

In accordance with NRC Inspection Procedure 71111.05, dated March 6, 2003, the evaluation did not include a comprehensive review of the potential impact of fire-induced failures in associated circuits of concern to post-fire safe shutdown. In response to a March 2001 voluntary industry initiative, the scope of NRC Inspection Procedure 71111.05 has been temporarily reduced pending the resolution of specific review criteria for fire-induced circuit failures of associated circuits.

Documents reviewed by the team are listed in the attachment.

.1 Systems Required to Achieve and Maintain Post-Fire Safe Shutdown

a. Inspection Scope

The team reviewed the licensee's methodology for achieving and maintaining post fire safe shutdown described in "Cooper Nuclear Station Safe Shutdown Analysis Report, dated April 30, 2003," to ensure that at least one post-fire safe shutdown success path was available in the event of a fire in each of the selected areas. The team focused on the following functions that must be available to achieve and maintain post-fire safe shutdown conditions:

• Reactivity control capable of achieving and maintaining cold shutdown reactivity conditions,

• Reactor coolant makeup capable of maintaining the reactor coolant inventory,

• Reactor heat removal capable of achieving and maintaining decay heat removal, and

• Supporting systems capable of providing all other services necessary to permit extended operation of equipment necessary to achieve and maintain hot shutdown conditions.

To assure the licensee had properly identified the components and equipment necessary to achieve and maintain safe shutdown conditions in the fire areas selected for review, the team reviewed piping and instrumentation diagrams for the systems required for performing above-listed functional requirements. In addition, plant drawings, operating procedures, and other relevant documents were reviewed to verify the flow paths and operational characteristics of those systems relied on to accomplish the above listed safe shutdown functions.

b. Findings

Introduction:

The team identified a noncited violation of Section III.G.2 of 10 CFR Part 50, Appendix R, for failure to ensure that redundant trains of safe shutdown systems in the same fire area were free of fire damage. For example, cables associated with the automatic depressurization system were not physically protected from fire damage, leaving them vulnerable to spurious operation. The licensee credited manual actions to mitigate the effects of fire damage in lieu of providing the physical protection required by 10 CFR Part 50, Appendix R, Section III.G.2. The team determined that the violation was of very low safety significance (green).

Description:

The licensee implemented Emergency Procedure 5.4POST-FIRE, Post Fire Operational Information, for use in the event of a fire in areas of the plant that do not require alternative shutdown. For a fire in Fire Area RB-M, Procedure 5.4POST-FIRE, Attachment 19, directed operators to perform several manual actions outside of the control room, such as the opening and closing of breakers and the pulling of fuses to prevent spurious operation of the automatic depressurization system valves.Section III.G.2 of 10 CFR Part 50, Appendix R requires that cables whose fire damage could prevent the operation or cause maloperation of safe shutdown functions be physically protected from fire damage by one of three methods specified. The use of manual actions to mitigate the effects of fire damage to these cables is not listed as an acceptable method for satisfying this requirement. In some instances, the NRC has accepted (in formal exemption/deviation approvals and in safety evaluation reports)plant-specific manual actions for mitigating the effects of fire damage. However, the team found that licensee did not have formal approval from the NRC for the use of these manual operator actions. The team reviewed the manual operator actions and determined that they met the criteria for being reasonable as described in Attachment 2 of Inspection Procedure 71111.05. Therefore, these proceduralized manual operator actions could also be considered compensatory measures if permitted by the licensees fire protection program. The team reviewed the fire protection program and found that there was no prohibition on using manual operator actions as compensatory measures.

Based on this, the team concluded that no immediate safety concern existed. The

licensee entered this finding into their corrective action program as Notification 10309276.

Analysis:

This finding is of greater than minor safety significance because it impacted the mitigating systems cornerstone objective to ensure the availability, reliability, and capability of systems that respond to external events (such as fire) to prevent undesirable consequences. Specifically, a fire in Fire Area RB-M has the potential to cause damage to circuits which could adversely affect the ability of the licensee to prevent the spurious and uncontrolled opening of the automatic depressurization valves.

The team reviewed Emergency Procedure 5.4POST-FIRE and stepped through the manual actions directed in the procedure with licensee operations personnel. The team found that the manual operator actions were reasonable (as defined in Enclosure 2 of Inspection Procedure 71111.05), and could be performed within the analyzed time limits.

Since the manual operator actions were considered reasonable, the significance determination process was not entered. The team determined that this finding is of very low safety significance (green) in accordance with the guidance in Enclosure 2 to Inspection Procedure 71111.05.

Enforcement:

Appendix R,Section III.G.2 to 10 CFR Part 50 requires that cables whose fire damage could prevent the operation or cause maloperation of safe shutdown functions be physically protected from fire damage. Contrary to this requirement, the licensee implemented a methodology that utilized manual operator actions to mitigate the effects of fire damage in lieu of providing physical protection from fire damage. This is a violation of 10 CFR Part 50, Appendix R, Section III.G.2. The Green finding is an indicator that while compensatory measures in the form of manual actions have been implemented and are reasonable, the licensee has not met the requirements of Section III.G.2 of Appendix R. Because this finding is of very low safety significance and has been entered into the licensees corrective action program, this violation is being treated as a noncited violation, consistent with Section VI.A of the NRC Enforcement Policy: NCV 05000298/2004008-01, Failure to ensure redundant safe shutdown systems located in the same fire area are free of fire damage.

.2 Fire Protection of Safe Shutdown Capability and Post-fire Safe Shutdown Circuit

Analysis

a. Inspection Scope

For each of the selected fire areas, the team reviewed licensee documentation to verify that at least one train of equipment needed to achieve and maintain hot shutdown conditions was free of fire damage in the event of a fire in the selected fire areas.

Specifically, the team examined (on a sampling basis) the separation of safe shutdown cables, equipment, and components within the same fire areas. The team also reviewed the adequacy of selected electrical protective devices (e.g., circuit breakers, fuses, relays), breaker coordination, and the adequacy of electrical protection provided for nonessential cables, which share a common enclosure (e.g., cable trays) with cables of equipment required to achieve and maintain safe shutdown conditions. The evaluation included a review of cable routing data depicting the location of power and

control cables associated with selected components of the shutdown systems. The team also reviewed the protection of diagnostic instrumentation required for safe shutdown for fires in the selected areas.

The team reviewed the licensees methodology for meeting the requirements of 10 CFR 50.48, 10 CFR Part 50, Appendix R, and the bases for the NRCs acceptance of this methodology as documented in NRC safety evaluation reports. In addition, the team reviewed license documentation, such as, the Updated Final Safety Evaluation Report, submittals made to the NRC by the licensee in support of the NRCs review of their fire protection program, and exemptions from NRC regulations to verify that the licensee met license commitments.

b. Findings

No findings of significance were identified.

.3 Alternative Safe Shutdown Capability

a. Inspection Scope

The team reviewed the licensees alternative shutdown methodology to determine if the licensee properly identified the components and systems necessary to achieve and maintain safe shutdown conditions from the remote shutdown panel and alternative shutdown locations in the event of a fire in the control room, requiring control room evacuation. The team focused on the adequacy of the systems selected for reactivity control, reactor coolant makeup, reactor heat removal, process monitoring and support system functions. The team verified that hot and cold shutdown from outside the control room can be achieved and maintained with off-site power available or not available. The team verified that the transfer of control from the control room to the alternative locations was not affected by fire-induced circuit faults by reviewing the provision of separate fuses for alternative shutdown control circuits. The team also reviewed plant Technical Specifications and applicable surveillance procedures to verify incorporation of operability testing of alternative shutdown instrumentation and transfer of control functions.

b. Findings

No findings of significance were identified.

.4 Operational Implementation of Alternative Safe Shutdown

a. Inspection Scope

The team reviewed the systems required to achieve alternative safe shutdown to determine if the licensee had properly identified the components and systems necessary to achieve and maintain safe shutdown conditions from the remote shutdown panel.

The team also focused on the adequacy of the systems to perform reactor pressure

control, reactor makeup, decay heat removal, process monitoring, and support system functions. The team reviewed Emergency Procedure 5.4 Fire-S/D, Fire Induced Shutdown From Outside Control Room, Revision 3, which would be used by operators to shut down the reactor in the event of a fire with evacuation of the control room. The team also walked through the procedure with licensed operators to determine its adequacy to direct safe shutdown.

b. Findings

Introduction:

The team identified three examples of a noncited violation of Technical Specification 5.4.1.d for failure to provide adequate instructions in Emergency Procedure 5.4 Fire-S/D, Fire Induced Shutdown From Outside Control Room. In the first example, the licensee failed to provide adequate instructions to operators to assure that high pressure coolant injection (HPCI) flow would be secured within analyzed times in order to prevent reactor vessel overfill and subsequent damage to safety relief valves.

In the second example, the licensee failed to provide adequate instructions to operators to ensure the main steam isolation valves (MSIVs) were closed in order to prevent feedwater from overfilling the reactor vessel. In the third example, the licensee failed to provide adequate instructions to ensure operators would correctly position 14 motor-operated valves (MOVs) from motor-control centers. The third example of this noncited violation has cross-cutting aspects in the area of human performance.

Description Example 1 - Failure to Secure High Pressure Coolant Injection (HPCI): In the first example, the licensee failed to provide adequate instructions to operators in Emergency Procedure 5.4FIRE-S/D, to ensure that HPCI flow to the reactor pressure vessel was reduced or terminated prior to exceeding system design limits, which could overfill the reactor pressure vessel and challenge safety relief valve system operability. Damage to the safety relief valves could result in an unisolable leak in containment. The team reviewed the licensees safe shutdown analysis report, Cooper Nuclear Station Safe Shutdown Analysis Report, dated April 30, 2003, and found that HPCI must be secured within 10 minutes of starting to ensure that reactor pressure vessel overfill would not occur. The alternative shutdown panel operators were not directed to secure HPCI until Step 2.6 of Attachment 1 to Emergency Procedure 5.4FIRE-S/D, which the team determined could have been completed in approximately 13 minutes after reactor scram if no coordination with other operators was required. However, whether offsite power is or is not available, the alternative shutdown panel operators must stop after Step 2.1 (approximately 5 minutes after reactor scram), until the control building operator performing Attachment 3 of Emergency Procedure 5.4FIRE-SD, has loaded the 4160V 1G Bus onto Diesel Generator 2. The team walked-through and timed operator actions described in Attachment 3, and noted that the control building operator would have informed the alternative shutdown panel operator that Bus 1G was powered from Diesel Generator 2 ( Step 1.1.9) in approximately 11 minutes after reactor scram. Therefore, the alternative shutdown panel operator would have had to stop after Step 2.1 for approximately 5 minutes until the control building operator had completed loading Bus 1G onto Diesel Generator 2. This delay would have resulted in the alternative

shutdown panel operator securing HPCI at approximately 16 minutes after reactor scram, which exceeds the 10-minute analyzed requirement. The team noted that additional coordination between the control building operator (performing Attachment 3)and the diesel generator operator (performing Attachment 4) must occur; which will result in additional delay in establishing control of HPCI.

The licensee agreed with the teams conclusion, and posted compensatory measures, The licensee entered this issue into their corrective action program as Notification 10307660. The procedure was revised to relocate operator steps while the team was still onsite.

Example 2 - Failure to Close Main Steam Isolation Valves (MSIVs): In the second example, the licensee failed to provide adequate instructions to operators in Emergency Procedure 5.4FIRE-S/D, to ensure the MSIVs were closed in order to prevent feedwater from overfilling the reactor vessel and challenging safety relief valve system operability.

Damage to the safety relief valves could result in an unisolable leak in containment.

The team reviewed the licensees safe shutdown analysis report, Cooper Nuclear Station Safe Shutdown Analysis Report, dated April 30, 2003, and found that it assumed feedwater flow to the reactor vessel would be terminated shortly after the initiation of the event due to operators (in the control room) manually closing the MSIVs which isolates steam to the turbine-driven feedwater pumps. The team found that Emergency Procedure 5.4FIRE-S/D, did not direct operators to close MSIVs in the control room prior to evacuating. Operators were directed to ensure the MSIVs were closed in Step 1.1.3 of Attachment 3 of this procedure, which the team determined would occur at approximately 18 minutes after reactor scram. Other automatic actuations that would secure feedwater flow (such as MSIVs closing on low reactor pressure and feedwater pumps tripping on high reactor vessel level) may not be available because their circuits are not physically ensured to be free of fire damage.

The licensee agreed with the teams conclusion, and posted compensatory measures, This issue was entered into the licensees corrective action program as Notification 10314178. Longer term corrective actions include revising the procedure to add operator steps to close MSIVs prior to evacuating the control room.

Example 3 - Inadequate Instructions to Operators to Ensure Motor-Operated Valves (MOVs) Would be Positioned Correctly During an Alternative Shutdown Event: In reviewing Emergency Procedure 5.4 Fire-S/D, Fire Induced Shutdown From Outside Control Room, the team noted that in Step 1.1.5 of Attachment 2, the operator was directed to close Valves RHR-MO-26B (drywell spray outlet throttle valve), SW-MO-651 (REC HX B Service Water Outlet), and REC-MO-714 (South Crtitical Loop Supply)by depressing the upper contact in motor control center Y for 25 seconds, 33 seconds, and 55 seconds, respectively. During a field walk-through of Attachment 2, the operator misread the procedure and simulated pressing the lower contact, which would have opened Valve RHR-MO-26B rather than closed it. At that time, the inspector stopped and corrected the operator before he continued to simulate opening the other two valves.

The team found that in operating the valves in this manner at the motor control centers, the torque and limit switches do not function to prevent valve over-torque and potential valve damage. The licensee performed a draft engineering evaluation EE 04-046, Appendix R MOV Overthrust Evaluation, in which they evaluated the results of operating MOVs to an overthrust condition as a result of the torque and limit switches being unavailable. In this engineering evaluation, the licensee concluded that for all the valves concerned, the valve would fail without adversely affecting the structural integrity and pressure retaining function of the valve. However, the valve may be damaged such that it may not be able to be repositioned. The team found that in a fire event requiring control room evacuation, 14 MOVs (listed below) could be subject to damage due to being operated from the motor control centers without the protection afforded by limit and torque switches. The licensee verified that none of these MOVs are required to be operated later for achieving and maintaining hot or cold shutdown conditions.

Therefore, the licensee concluded that their ability to achieve and maintain safe shutdown was unaffected by these potential valve failures.

• RCIC-MO-15 Steam Supply Isolation Valve

• SW-MO-37 Loop Crosstie Valve

• RWCU-MO-15 Inboard Isolation

• MS-MO-74 Drain Valve

• RHR-MO-20 Cross-Connect

• RHR-MO-57 Radwaste Isolation

• REC-MO-695 Critical Loop Supply Crosstie

• RHR-MO-26B Drywell Spray Outboard Throttle Valve

• SW-MO-651 REC HX B Service Water Outlet

• REC-MO-714 South Critical Loop Supply

• SW-MO-89B RHR HX B Service Water Outlet

• SW-MO-887 SW Supply to REC South Critical Loop

• SW-MO-889 SW Return From REC South Critical Loop

• RHR-MO-25B RHR Inboard Injection Valve The team also observed the following that could contribute to the likelihood that the operator would operate the valves into an incorrect position:

(1) there was no valve position indication at the motor control center;

(2) there was no indication to tell the operator that the valve had completed its stroke;

(3) there were no labels in the motor control center to indicate which was the open contact and was the closed contact;

(4) there were no labels in the motor control center to indicate the fire safe shutdown position; and

(5) the action verbs in the procedure were not bolded, capitalized, underlined or otherwise emphasized as in other operating procedures.

By implementing the above-described operating philosophy for MOVs necessary for achieving and maintaining safe shutdown in the event of a fire requiring control room evacuation, the licensee relied on operators manually operating these MOVs correctly 100% of the time. The team considered it unlikely that all operators would operate all of the above valves (outside the control room, in a high stress situation) correctly every time, and that reliance on this methodology (including poorly written procedures and the

lack of valve position indication at the motor control center) for reaching safe shutdown conditions was unrealistic.

The licensee agreed that improvements could be made to reduce the likelihood that operators would mal-operate the above-listed MOVs, and entered this issue into their corrective action program as Notification 10309670. As a short-term corrective action, ownership of the procedure was transferred to the operations department, who on April 29, 2004, revised the procedure to highlight operator action verbs in accordance with their standard for operating procedures. Additional actions considered by the licensee include

(1) adding labels to the motor control center contacts to identify those which are used for achieving fire safe shutdown using Emergency Procedure 5.4FIRE-S/D; and

(2) adding ammeters at the motor control centers so that operators will be aware when the valve begins to reach an over-torque condition.

Analysis:

The team leader and senior reactor analyst evaluated the significance of each example of the noncited violation separately, as there was not enough information available to determine if these three performance deficiencies were the result of a single common cause. Each was determined to have a very low significance (green), as discussed below.

Example 1 - Failure to Secure High Pressure Coolant Injection (HPCI): The team leader and senior reactor analyst determined that this finding had a safety significance that was greater than minor, because it impacted the mitigating systems cornerstone and affected its objective to ensure the availability, reliability, and capability of the systems that respond to external events (such as fire events) to prevent undesirable consequences. Using the INEEL/EXT-02-10307, SPAR-H Human Reliability Method, dated May 2004, and the following assumptions, the team leader and senior risk analyst performed a risk evaluation that resulted in this finding having a very low (green)significance. Because the risk is less than 1E-7, large early release frequency does not need to be considered.

• Procedure is available, but steps are performed too late to secure HPCI in the time required by analysis in order to prevent overfill of the reactor vessel

• Operators received adequate training on the procedure as written

• Time is not available to perform the steps as written

• Ergonomics and communications are poor

• Likelihood of a fire in the control room severe enough to cause evacuation of the control room is 3.5E-5 (Individual Plant Examination for External Events for the Cooper Nuclear Station)

• Likelihood that HPCI will spuriously start is 2E-2 (high confidence value for thermoset cables; NEI 00-01, Rev 0)

• Likelihood that reactor Level 8 trip circuitry is defeated is 2E-2 (high confidence value for thermoset cables; NEI 00-01, Rev 0)

• Likelihood that reactor vessel overfill causes at least one safety relief valve to stick open is E-1

• Likelihood that operators in the alternative shutdown panel would fail to diagnose reactor overfill and fail to execute mitigating actions is 1.1E-2 (nominal value from Appendix H of SPAR-H Human Reliability Method)

Example 2 - Failure to Close Main Steam Isolation Valves (MSIVs): The team determined that this finding had a safety significance which was greater than minor, because it impacted the mitigating systems cornerstone and affected its objective to ensure the availability, reliability, and capability of the systems that respond to external events (such as fire events) to prevent undesirable consequences. Using INEEL/EXT-02-10307, SPAR-H Human Reliability Method, dated May 2004, and the following assumptions, the team leader and risk analyst performed a risk evaluation that resulted in this finding having a very low (green) significance. Because the risk is less than 1E-7, large early release frequency does not need to be considered.

• Procedure is available, but steps are performed too late to ensure that MSIVs are closed in order to prevent feedwater from overfilling the reactor vessel

• Operators received adequate training on the procedure as written

• Time is not available to perform the steps as written

• Ergonomics and communications are poor

• Likelihood of a fire in the control room severe enough to cause evacuation is 3.5E-5 (Individual Plant Examination for External Events for the Cooper Nuclear Station)

• No loss of offsite power

• Likelihood that feedwater control will send a spurious signal (2 out of 3 logic) to feedwater pump to remain running at full flow (high confidence value for thermoplastic) is 3E-2

• Likelihood that low pressure setpoint (primary containment isolation 1 out of 2 taken twice) will fail to automatically close MSIVs is E-2 (high confidence value for thermoplastic cables; NEI 00-01, Rev 0)

• Likelihood that reactor vessel overfill causes at least one safety relief valve to stick open is E-1

• Likelihood that operators in the alternative shutdown panel would fail to diagnose reactor overfill and fail to execute mitigating actions is 1.1E-2 (nominal value from Appendix H of SPAR-H Human Reliability Method)

Example 3 - Inadequate Instructions to Operators to Ensure Motor-Operated Valves (MOVs) Would be Positioned Correctly During an Alternative Shutdown Event: The team leader and senior reactor analyst determined that this finding had a safety significance that was greater than minor, because it impacted the mitigating systems cornerstone and affected its objective to ensure the availability, reliability, and capability of the systems that respond to external events (such as fire events) to prevent undesirable consequences. If the reactor building operator performing 2 to Emergency Procedure 5.4FIRE-S/D fails to open either SW-MO-887 (service water supply to reactor equipment cooling, south critical loop) or SW-MO-889 (service water return from reactor equipment cooling, south critical loop), cooling to the HPCI pump room is not available. In a station blackout evaluation the licensee

determined that, without room cooling, the HPCI controller will fail after 30 minutes of HPCI pump operation. The team leader, assisted by the senior reactor analyst, performed a risk assessment using INEEL/EXT-02-10307, SPAR-H Human Reliability Method dated May 2004, and determined that the significance of this finding was very low (green). Because the risk is less than 1E-7, large early release frequency does not need to be considered. The following assumptions were used in this determination.

Procedure is available, but poorly written

Operator actions to open these valves are complex and taken under high stress conditions

Operator received adequate training

Time is available to perform the actions

No valve position indication is available to the operator

Indication of HPCI operation is available at the alternative shutdown panel

An alternative, proceduralized method of reactor cooling is available though the use of the reactor depressurization and low pressure injection systems

Likelihood of a fire in the control room severe enough to cause evacuation =

3.5E-5 (Individual Plant Examination for External Events for the Cooper Nuclear Station)

Likelihood of the reactor building operator mis-positioning either SW-MO-887 or SW-MO-889 = 1E-1

Likelihood that operators in the alternative shutdown panel would fail to diagnose HPCI failure and fail to execute mitigating actions= 1.1E-2 (nominal value from Appendix H of SPAR-H Human Reliability Method)

Enforcement:

Cooper Nuclear Station Technical Specification 5.4.1 states that written procedures shall be established, implemented, and maintained covering fire protection program implementation. Contrary to this requirement, the team found three examples where the licensee failed to provide an adequate procedure in the event of a fire requiring control room evacuation and remote shutdown. Specifically, Emergency Procedure 5.4 Fire-S/D, Fire Induced Shutdown From Outside Control Room, did not provide operators with adequate instructions in order to achieve and maintain safe shutdown conditions. This is a violation of Cooper Nuclear Station Technical Specification 5.4.1 with three examples. Because this finding is of very low safety significance and has been entered into the licensees corrective action program, this violation is being treated as a noncited violation, consistent with Section VI.A of the NRC Enforcement Policy: NCV 05000298/2004008-02, Three examples of a noncited violation of Technical Specification 5.4.1.d for failure to provide adequate instructions in Emergency Procedure 5.4 Fire-S/D, Fire Induced Shutdown From Outside Control Room. Specifics of each example of this noncited violation are provided below.

In the first example, the procedural steps to take control of HPCI were not located early enough in the procedure to meet the time requirements of the Cooper Nuclear Station Safe Shutdown Analysis Report. In the event of a fire requiring control room evacuation and causing a loss of offsite power, operators would have secured HPCI in approximately 15 minutes, whereas the Cooper Nuclear Station Safe Shutdown Analysis Report assumed HPCI would be secured in 10 minutes to prevent reactor vessel overfill.

Therefore the procedure did not adequately implement the requirements of the licensees fire protection program. This is the first example of a violation of Cooper Nuclear Station Technical Specification 5.4.1.

In the second example, the licensee failed to provide steps in Emergency Procedure 5.4 Fire-S/D, Fire Induced Shutdown From Outside Control Room, to direct operators to close the MSIVs prior to evacuating the control room. The Cooper Nuclear Station Safe Shutdown Analysis Report assumed MSIVs were closed upon reactor scram to prevent feedwater from overfilling the reactor vessel. Furthermore, in a letter dated December 2, 1983, the licensee stated that the MSIVs would be closed prior to evacuating the control room. The NRC subsequently accepted this methodology in a safety evaluation report issued on April 16, 1984. The team found the procedure did not adequately implement the requirements of the licensees fire protection program. This is the second example of a violation of Cooper Nuclear Station Technical Specification 5.4.1.

In the third example, the licensee failed to provide adequate instructions in Emergency Procedure 5.4 Fire-S/D, Fire Induced Shutdown From Outside Control Room, to ensure that operators will manually operate 14 motor-operated valves (MOVs) required for achieving and maintaining hot shutdown conditions in the correct positions.

Specifically, the licensees procedure directed operators to open and close certain MOVs from motor control panels, without valve position indication, or labels on the contacts. Operating the MOVs in this manner, bypasses the valves protective features, leaving them vulnerable to damage, and not able to be repositioned, if taken to the incorrect position. This is the third example of a violation of Cooper Nuclear Station Technical Specification 5.4.1.

.5 Communications

a. Inspection Scope

The team reviewed the communication systems required to implement fire fighting and operations to achieve and maintain a safe shutdown condition. The team reviewed the plant radio system which was to be used by operations personnel to perform an alternative shutdown outside of the control room. The team reviewed the design of the radio system to

(1) ensure the radio system was sufficient to support alternative shutdown operator actions, and

(2) ensure that damage from a control room fire will not impact the performance of the rest of the system. The team also reviewed the use of the portable radio system for use during fire fighting activities. The portable communication systems were reviewed for the impact of any damage which could results from fires in the selected fire areas on the functions they systems were intended to support, and to ensure that the design of the systems was adequate to support operator and fire brigade actions, as applicable.

b. Findings

No findings of significance were identified.

.6 Emergency Lighting

a. Inspection Scope

The team reviewed the adequacy of emergency lighting for performing actions required in Procedure 5.4FIRE-S/D, Fire Induced Shutdown From Outside Control Room, Revision 03, which included access and egress routes. The team reviewed test procedures, test data, and battery trending to verify that the individual battery operated units were able to supply light for the required 8-hour period. The team also reviewed emergency light drawings. The following specific documents were reviewed:

7.3.12.2, "Safe Shutdown BBESI Emergency Lighting Unit Examination and Maintenance," Revision 8 15.EE302, "90 Second Emergency Lighting Functional Test," Revision 15

b. Findings

No findings of significance were identified.

.7 Cold Shutdown Repairs

a. Inspection Scope

The team reviewed the licensee's safe shutdown analysis and plant procedures for responding to fires and implementing safe shutdown activities in order to determine if any repairs were required in order to achieve cold shutdown. The licensee had designated four systems potentially requiring repair. The four repairs included the diesel fuel oil transfer pump cable replacement, the 125vdc and 250vdc battery charger cable replacement, the battery room fan cable replacement, and restoration of the service air compressor to provide control air for long term operation of ADS valves. The repairs were potentially required in order to reach cold shutdown based on the safe shutdown methodology implemented. The team verified that the replacement cables and tools were available and the procedure to install it would work. The team also evaluated whether cold shutdown could be achieved within the required time using the licensee's procedures and repair methods.

b. Findings

No findings of significance were identified.

.8 Compensatory Measures

a. Inspection Scope

The team verified, by sampling, that adequate compensatory measures were put in place by the licensee for out-of-service, degraded, or inoperable fire protection features and post-fire safe shutdown equipment, and systems. The team reviewed the items on the fire impairment list in effect at the time of the inspection and compared them to the fire areas receiving hourly fire watch rounds. The team reviewed the fire protection impairment list to verify that the impairments had been entered into the licensees corrective action program and that corrective actions to restore the impaired equipment were timely and appropriate.

b. Findings

No findings of significance were identified.

.9 Fire Protection Systems, Features, and Equipment

a. Inspection Scope

For the selected fire areas, the team evaluated the adequacy of selected fire protection features, such as fire suppression and detection systems, fire area barriers, penetration seals, and fire doors. The team observed the material condition and configuration of the installed fire detection and suppression systems, fire barriers, and construction details and supporting fire tests for the installed fire barriers. In addition, the team reviewed license documentation, such as NRC safety evaluation reports and deviations from NRC regulations and the National Fire Protection Association codes to verify that fire protection features met license commitments.

b. Findings

No findings of significance were identified.

OTHER ACTIVITIES (OA)

4OA2 Problem Identification and Resolution

The third example of the noncited violation described in Section 1R05.4 (NCV 05000298/2004008-02) has cross-cutting aspects in the area of human performance.

4OA6 Exit Meeting

The team leader presented inspection results to Mr. J. Roberts, Director, Nuclear Safety Assurance and other Cooper Nuclear Station staff on April 22, 2004, and to Mr. S. B.

Minahan, Acting Site Vice President and other members of his staff on April 23, 2004.

Licensee staff and management acknowledged the findings. On July 2, 2004, the team

leader discussed the inspection findings with Mr. S. B. Minahan, General Manager, Power Operations and other members of Cooper Nuclear Station management and staff in a final exit meeting. The team leader confirmed that proprietary information examined by the team during the inspection was returned to the licensee.

ATTACHMENT:

SUPPLEMENTAL INFORMATION

KEY POINTS OF CONTACT

Licensee

P. Fleming, Licensing Manager

S. Freborg, Acting Engineering Support Department Manager

T. Hough, Engineering Support Department Supervisor

J. Lechner, Senior Staff Engineer

K. Newcombe, Station Fire Marshall

K. Parkinson, NPPD Contractor

J. Roberts, Director Nuclear Safety Assurance

T. Shudak, Fire Protection Program Engineer

K. Sutton, Risk Management Supervisor

B. Victor, Senior Licensing Engineer

NRC

J. Bongarra, Engineering Psychologist, Office of Nuclear Reactor Regulation

R. Bywater, Senior Risk Analyst, Region IV

S. Cochrum, NRC Resident Inspector at the Cooper Nuclear Station

D. Frumkin, Fire Protection Engineer, Office of Nuclear Reactor Regulation

M. Runyan, Senior Risk Analyst, Region IV

T. Scarbrough, Senior Mechanical Engineer, Office of Nuclear Reactor Regulation

S. Schwind, NRC Senior Resident Inspector at the Cooper Nuclear Station

ITEMS OPENED AND CLOSED

Items Opened

none

Items Opened and Closed

05000298/2004008-01

NCV

Failure to ensure redundant safe shutdown systems

located in the same fire area are free of fire damage.

(IR05.1)05000298/2004008-02

NCV

Three examples of a noncited violation of Technical Specification 5.4.1.d for failure to provide adequate

instructions in Emergency Procedure 5.4 Fire-S/D, Fire

Induced Shutdown From Outside Control Room. (Section

1R05.4)

-2-

Items Closed

none

DOCUMENTS REVIEWED