IR 05000498/2011006

From kanterella
Jump to navigation Jump to search
IR 05000498-11-006, 05000499-11-006, on 06/13 - 30/2011, South Texas Project Electric Generating Station, Units 1 and 2, Triennial Fire Protection Inspection
ML11223A193
Person / Time
Site: South Texas  STP Nuclear Operating Company icon.png
Issue date: 08/10/2011
From: O'Keefe N
NRC/RGN-IV/DRS/EB-2
To: Halpin E
South Texas
References
IR-11-006
Download: ML11223A193 (35)


Text

UNITED STATES NU C LE AR RE G ULATO RY C O M M I S S I O N ust 10, 2011

SUBJECT:

SOUTH TEXAS PROJECT ELECTRIC GENERATING STATION, UNITS 1 AND 2 NRC TRIENNIAL FIRE PROTECTION INSPECTION REPORT 05000498/2011006 AND 05000499/2011006

Dear Mr. Halpin:

On June 30, 2011, the U.S. Nuclear Regulatory Commission (NRC) completed an inspection at the South Texas Project Electric Generating Station, Units 1 and 2. The enclosed inspection report documents the inspection results, which were discussed with Mr. K. Richards, Senior Vice President, and other members of your staff.

The inspection examined activities conducted under your license as they relate to public health and safety to confirm compliance with the Commissions rules and regulations, orders, and with the conditions of your license. Within these areas, the inspection consisted of examination of selected procedures and representative records, observations of activities, and interviews with personnel.

Based on the results of this inspection, the NRC has identified one issue that was evaluated under the risk significance determination process as having very low safety significance (Green). The NRC has also determined that a violation is associated with this issue. This violation is being treated as a noncited violation, consistent with the NRC Enforcement Policy.

This noncited violation is described in the inspection report. If you contest the violation or significance of this noncited violation, you should provide a response within 30 days of the date of this inspection report, with the basis for your denial, to the Nuclear Regulatory Commission, ATTN: Document Control Desk, Washington DC 20555-0001, with copies to: (1) the Regional Administrator, Region 4; (2) the Director, Office of Enforcement, United States Nuclear Regulatory Commission, Washington, DC 20555-0001; and (3) the NRC Resident Inspector at the South Texas Project Electric Generating Station facility.

STP Nuclear Operating Company -2-In accordance with 10 CFR 2.390 of the NRCs Rules of Practice, a copy of this letter, its enclosures, and your response (if any) will be available electronically for public inspection in the NRC Public Document Room or from the NRC's document system (ADAMS), accessible from the NRC Web site at http://www.nrc.gov/reading-rm/adams.html. To the extent possible, your response should not include any personal privacy or proprietary information so that it can be made available to the Public without redaction.

Sincerely,

/RA/

Neil OKeefe, Chief Engineering Branch 2 Division of Reactor Safety Dockets: 50-498; 50-499 Licenses: NPF-76; NPF-80

Enclosure:

Inspection Report No. 0500498/2011006 and 0500499/2011006 w/Attachment: Supplemental Information

REGION IV==

Dockets: 05000498, 05000499 Licenses: NPF-76, NPF-80 Report Nos.: 05000498/2011006 and 05000499/2011006 Licensee: STP Nuclear Operating Company Facility: South Texas Project Electric Generating Station, Units 1 and 2 Location: FM521 - 8 miles west of Wadsworth, Texas Dates: June 13 - 30, 2011 Team Leader: G. Pick, Senior Reactor Inspector, Engineering Branch 2 Inspectors: S. Graves, Senior Reactor Inspector, Engineering Branch 2 J. Mateychick, Senior Reactor Inspector, Engineering Branch 2 S. Alferink, Reactor Inspector, Engineering Branch 2 S. Makor, Reactor Inspector, Engineering Branch 2 Approved By: Neil OKeefe, Branch Chief Engineering Branch 2 Division of Reactor Safety-2- Enclosure

SUMMARY OF FINDINGS

IR 05000498/2011006, 05000499/2011006; 06/13 - 30/2011; South Texas Project Electric

Generating Station, Units 1 and 2; Triennial Fire Protection Inspection The report covered a triennial fire protection team inspection by specialist inspectors from Region IV. One noncited violation of very low significance (Green) was identified. The significance of most findings is indicated by their color (Green, White, Yellow, Red) using Inspection Manual Chapter 0609, Significance Determination Process. The crosscutting aspect was determined using Inspection Manual Chapter 0310, Components within the Crosscutting Areas. Findings for which the significance determination process does not apply may be Green or be assigned a severity level after NRC management review. The NRCs program for overseeing the safe operation of commercial nuclear power reactors is described in NUREG-1649, Reactor Oversight Process, Revision 4, dated December 2006.

NRC-Identified and Self-Revealing Findings

Cornerstone: Mitigating Systems

Green.

The team identified a noncited violation of License Condition 2.E for the failure to implement and maintain in effect all provisions of the approved fire protection program. Specifically, the team identified two examples of failure to implement timely corrective actions to correct conditions adverse to fire protection.

The first example related to making Procedure 0POP04-ZO-0001, Control Room Evacuation, Revision 33, consistent with the post-fire safe shutdown analysis in order to ensure the actions met critical time requirements. The second example related to not correcting a condition that could disable all three fire pumps simultaneously as a result of fire damage.

Failure to implement timely corrective actions in two instances for conditions adverse to fire protection is a performance deficiency. Both examples of this finding are of greater than minor significance because they impacted the Mitigating Systems cornerstone objective to ensure the availability, reliability, and capability of systems that respond to initiating events (fire) to prevent undesirable consequences. A senior reactor analyst performed Phase 3 significance determination for both examples.

The analyst calculated the risk associated with the first example for the actions taken outside the control room as 2.702E-7. For the second example, the analyst assumed that a fire in Fire Area 67 would damage the electrical control cables for all three fire pumps and require manually starting a fire pump at the fire pump house.

However, it was determined that a delay in fire suppression because of the need to use a fire hose would not result in a plant transient, require evacuation of the control room, or result in damage to any systems and components required for post-fire safe shutdown. Therefore, the senior reactor analyst determined that both examples of this finding are of very low safety significance (Green). The licensee entered this deficiency into the corrective action program as Condition Record 11-10905.

These examples of the performance deficiency had a crosscutting aspect in the area of human performance associated with resources because the licensee did not ensure that resources assigned to correct these deficiencies were adequate to assure nuclear safety. Specifically, the licensee failed to ensure adequate design margins by (1) failing to ensure that operators could perform all necessary manual actions prior to exceeding the regulatory requirements and (2) failing to modify the control circuits for the fire pumps to protect them against fire damage H.2(a)

(Section 4OA2).

Licensee-Identified Violations

None

REPORT DETAILS

REACTOR SAFETY

Cornerstones: Initiating Events, Mitigating Systems, and Barrier Integrity

1R05 Fire Protection

This report presents the results of a triennial fire protection inspection conducted in accordance with NRC Inspection Procedure 71111.05T, Fire Protection (Triennial), at the South Texas Project Electric Generating Station, Units 1 and 2. The inspection team evaluated the implementation of the approved fire protection program in selected risk significant areas with an emphasis on fire-induced circuit failures and operator manual actions, procedures, equipment, fire barriers, and systems associated with assuring safe shutdown capability.

Inspection Procedure 71111.05T requires the selection of three to five fire areas for review. The inspection team used the fire hazards analysis section of the South Texas Project Electric Generating Station Individual Plant Examination of External Events to select the following three risk significant fire areas (inspection samples) for review:

Fire Area 3 Mechanical & Electrical Auxiliary Building Elevation 35; Train B Electrical Penetration Area (Z031); Corridor and Offices at Elevation 35' (Z036); Kitchen (Z038); Train B HVAC Equipment Room (Z039); Train B ESF Switchgear Room (Z042); Channel III Battery and Distribution Room (Z043); Plant Computer Room (Z045); Radwaste Control and Counting Rooms (Z115); Nonradioactive Piping Penetration Area (Z116); Solid Radwaste and Unloading Area (Z117); Volume Control Tank and Valve Rooms (Z119); Service Area and Recycle Holdup Tanks (Z130); Train B Electrical Chase (Z143); and Locker Rooms and Clothing Issue (Z147)

Fire Area 7 Auxiliary Shutdown Panel (Z071)

Fire Area 63 Reactor Containment Building; Elevator No. 3 (Z201); Central Reactor Area (Upper) (Z202); SW Peripheral Area (Z203); NW Peripheral Area (Z204); NE Peripheral Area (Z205); SE Peripheral Area (Z206);

SW Peripheral Area (Z207); NW Peripheral Area (Z208); NE Peripheral Area (Z209); SE Peripheral Area (Z210); SW Peripheral Area (Z211);

NW Peripheral Area (Z212); NE Peripheral Area (Z213); SE Peripheral Area (Z214); SW Peripheral Area (Z215); NW Peripheral Area (Z216);

NE Peripheral Area (Z217); SE Peripheral (Z218); Central Reactor Area (Lower) (Z219); Steam Generator 1D (Z220); Steam Generator 1A (Z221); Steam Generator 1B (Z222); Steam Generator 1C (Z223);

Pressurizer Enclosure (Z224); SE Peripheral Area (Z225); Residual Heat Removal Cubicle, Train A (Z226); Residual Heat Removal Cubicle, Train B (Z227); Residual Heat Removal Cubicle, Train C (Z228);and Regenerative Heat Exchanger Enclosure (Z229)

The inspection team evaluated the fire protection program using the applicable requirements, which included plant technical specifications, Operating License Condition 2.E, NRC safety evaluations and supplements, 10 CFR 50.48, and Branch Technical Position 9.5-1, Appendix A. The team also reviewed related documents that included the updated final safety analysis report Sections 7.1, 9.5 and 13.2; the fire protection report; and the post-fire safe shutdown analysis. The team reviewed licensee implementation of guidance and strategies required by Section B.5.b of the Interim Compensatory Measures Order, EA-02-026, dated February 25, 2002 and 10 CFR 50.54(hh)(2).

The team listed specific documents reviewed in the attachment. Three fire area inspection samples were completed and two B.5.b strategy samples were completed

.1 Protection of Safe Shutdown Capabilities

a. Inspection Scope

The team reviewed the piping and instrumentation diagrams, safe shutdown equipment list, safe shutdown design basis documents, and the post-fire safe shutdown analysis to verify that the licensee properly identified the components and systems necessary to achieve and maintain safe shutdown conditions for fires in the selected fire areas. The team observed walk downs of the procedures used for achieving and maintaining safe shutdown in the event of a fire to verify that the procedures properly implemented the safe shutdown analysis provisions.

For each of the selected fire areas, the team reviewed the separation of redundant safe shutdown cables, equipment, and components located within the same fire area. The team also reviewed the licensees method for meeting the requirements of 10 CFR 50.48; Branch Technical Position 9.5-1, Appendix A; and 10 CFR Part 50, Appendix R, Section III.G. Specifically, the team evaluated whether at least one post-fire safe shutdown success path remained free of fire damage in the event of a fire. In addition, the team verified that the licensee met applicable license commitments.

b. Findings

No findings.

.2 Passive Fire Protection

a. Inspection Scope

The team walked down accessible portions of the selected fire areas to observe the material condition and configuration of the installed fire area boundaries (including walls, fire doors, and fire dampers) and verify that the electrical raceway fire barriers were appropriate for the fire hazards in the area. The team compared the installed configurations to the approved construction details, supporting fire tests, and applicable license commitments.

The team reviewed installation, repair, and qualification records for a sample of penetration seals to ensure the fill material possessed an appropriate fire rating and that the installation met the engineering design. The team also reviewed similar records for

the rated fire wraps to ensure the material possessed an appropriate fire rating and that the installation met the engineering design.

b. Findings

No findings.

.3 Active Fire Protection

a. Inspection Scope

The team reviewed the design, maintenance, testing, and operation of the fire detection and suppression systems in the selected fire areas. The team verified the manual and automatic detection and suppression systems were installed, tested, and maintained in accordance with the National Fire Protection Association code of record or approved deviations, and that each suppression system was appropriate for the hazards in the selected fire areas.

The team performed a walk down of accessible portions of the detection and suppression systems in the selected fire areas. The team also performed a walk down of major system support equipment in other areas (e.g., fire pumps and Halon supply systems) to assess the material condition of these systems and components.

The team reviewed the diesel fire pump flow and pressure tests to verify that the pumps met their design requirements. The team also reviewed the Halon suppression functional tests to verify that the system capability met the design requirements.

The team assessed the fire brigade capabilities by reviewing training, qualification, and drill critique records. The team also reviewed pre-fire plans and smoke removal plans for the selected fire areas to determine if appropriate information was provided to fire brigade members and plant operators to identify safe shutdown equipment and instrumentation, and to facilitate suppression of a fire that could impact post-fire safe shutdown capability. In addition, the team inspected fire brigade equipment to determine operational readiness for fire fighting.

The team observed an unannounced fire drill, conducted on June 28, 2011, and the subsequent drill critique using the guidance contained in Inspection Procedure 71111.05AQ, Fire Protection Annual/Quarterly. The team observed fire brigade members fight a simulated fire on the 60-foot elevation of the electrical auxiliary building in the Train C switchgear room. The team verified that personnel identified problems, openly discussed them in a self-critical manner at the drill debrief, and identified appropriate corrective actions. Specific attributes evaluated were:

(1) proper wearing of turnout gear and self-contained breathing apparatus;
(2) proper use and layout of fire hoses;
(3) employment of appropriate fire fighting techniques;
(4) sufficient firefighting equipment was brought to the scene;
(5) effectiveness of fire brigade leader communications, command, and control;
(6) propagation of the fire into other areas;
(7) smoke removal operations;
(8) utilization of pre-planned strategies;
(9) adherence to the pre-planned drill scenario; and
(10) drill objectives.

b. Findings

No findings.

.4 Protection From Damage From Fire Suppression Activities

a. Inspection Scope

The team performed plant walk downs and document reviews to verify that redundant trains of systems required for hot shutdown, which are located in the same fire area, would not be subject to damage from fire suppression activities or from the rupture or inadvertent operation of fire suppression systems. Specifically, the team verified that:

  • A fire in one of the selected fire areas would not directly, through production of smoke, heat, or hot gases, cause activation of suppression systems that could potentially damage all redundant safe shutdown trains.
  • A fire in one of the selected fire areas or the inadvertent actuation or rupture of a fire suppression system would not directly cause damage to all redundant trains (e.g., sprinkler-caused flooding of other than the locally affected train).
  • Adequate drainage is provided in areas protected by water suppression systems.

b. Findings

No findings.

.5 Alternative Shutdown Capability

a. Inspection Scope

Review of Methodology The team reviewed the safe shutdown analysis, operating procedures, piping and instrumentation drawings, electrical drawings, the updated final safety analysis report, and other supporting documents to verify that hot and cold shutdown could be achieved and maintained from outside the control room for fires that require evacuation of the control room, with or without offsite power available.

The team conducted plant walk downs to verify that the plant configuration was consistent with the description contained in the safe shutdown and fire hazards analyses. The team focused on ensuring the adequacy of systems selected for reactivity control, reactor coolant makeup, reactor decay heat removal, process monitoring instrumentation, and support systems functions.

The team also verified that the systems and components credited for shutdown would remain free from fire damage. Finally, the team verified that the transfer of control from the control room to the alternative shutdown location would not be affected by fire-induced circuit faults (e.g., by the provision of separate fuses and power supplies for alternative shutdown control circuits).

Review of Operational Implementation The team verified that licensed and non-licensed operators received training on alternative shutdown procedures. The team also verified that sufficient personnel to perform a safe shutdown were trained and available onsite at all times, exclusive of those assigned as fire brigade members.

A walkthrough of the post-fire safe shutdown procedure with licensed and non-licensed operators was performed to determine the adequacy of the procedure. The team verified that the operators could be reasonably expected to perform specific actions within the time required to maintain plant parameters within specified limits. Time-critical actions that were verified included restoring electrical power, establishing control at the remote shutdown and local shutdown panels, establishing reactor coolant makeup, and establishing decay heat removal.

The team reviewed manual actions to ensure that they had been properly reviewed and approved and that the actions could be implemented in accordance with plant procedures in the time necessary to support the safe shutdown method for each fire area.

The team also reviewed the periodic testing of the alternative shutdown transfer capability and instrumentation and control functions to verify that the tests were adequate to demonstrate the functionality of the alternative shutdown capability.

b. Findings

No findings.

.6 Circuit Analysis

a. Inspection Scope

The team reviewed the post-fire safe shutdown analysis to verify that the licensee identified the circuits that may impact the ability to achieve and maintain safe shutdown.

The team verified, on a sample basis, that the licensee properly identified the cables for equipment required to achieve and maintain safe shutdown conditions in the event of a fire in the selected fire areas. The team verified that the licensee adequately protected these cables from the potentially adverse effects of fire damage or had analyzed them to show that fire-induced faults (e.g., hot shorts, open circuits, and shorts to ground) would not prevent safe shutdown. For cables that were important to safe shutdown, the team verified that the analysis considered potential spurious operations resulting from fire-induced cable faults.

The team evaluated the cables of selected components from the reactor coolant system (i.e., the pressurizer power-operated relief and block valves) and from the chemical volume and control system. For the sample of components selected, the team reviewed process and instrumentation drawings and electrical elementary and logic diagrams to identify the power, control, and instrument cables necessary to support their operation.

In addition, the team reviewed cable routing information and fire protection feature drawings to verify that the licensee had established fire protection features to satisfy the separation requirements specified in the fire protection license basis.

The licensee credited automatic starting and loading of the emergency diesel generators as part of their post-fire safe shutdown response. The team reviewed the emergency diesel generator control circuits to verify that the automatic starting and loading functions would be isolated from the control room during post-fire safe shutdown.

The team reviewed the licensees progress in identifying and correcting potential multiple spurious operation circuit configurations. The team reviewed the Expert Panel report (documented in Condition Record 08-14399) and conducted an in-depth review of two scenarios in addition to the power-operated relief and block valves. Specifically, the team evaluated the potential spurious closing of the volume control tank isolation valves and the potential to drain the refueling water storage tank to the containment sump by spurious opening of a single valve.

b. Findings

No findings.

.7 Communications

a. Inspection Scope

The team inspected the contents of designated emergency equipment storage lockers and reviewed the alternative shutdown procedure to verify that portable radio communications and fixed emergency communications systems were available, operable, and adequate for the performance of designated activities. The team verified the capability of the communication systems to support the operators in the conduct and coordination of their required actions. The team also verified that the design and location of communications equipment such as radio repeaters and transmitters would not cause a loss of communications during a fire. The team discussed system design, testing, and maintenance with the system engineer.

b. Findings

No findings.

.8 Emergency Lighting

a. Inspection Scope

The team reviewed the portion of the emergency lighting system required for alternative shutdown to verify that the lighting supported the performance of manual actions required to achieve and maintain hot shutdown conditions and illuminated access and egress routes to the areas where manual actions would be required. The team evaluated the locations and positioning of the emergency lights during a walkthrough of the alternative shutdown procedure.

The team evaluated whether the licensee installed emergency lights with an 8-hour capacity, maintained the emergency light batteries in accordance with manufacturer recommendations, and tested and performed maintenance in accordance with plant procedures and industry practices.

b. Findings

No findings.

.9 Cold Shutdown Repairs

a. Inspection Scope

The team evaluated whether the licensee identified repairs needed to reach and maintain cold shutdown and had dedicated repair procedures, equipment, and materials to accomplish these repairs. Using these procedures, the team evaluated whether these components could be repaired in time to bring the plant to cold shutdown within the time frames specified in their design and licensing bases. The team verified that the repair equipment, components, tools, and materials needed for the repairs were readily available and accessible on site.

b. Findings

No findings.

.10 Compensatory Measures

a. Inspection Scope

The team verified that compensatory measures were implemented for out-of-service, degraded, or inoperable fire protection and post-fire safe shutdown equipment, systems, or features (e.g., detection and suppression systems and equipment; passive fire barriers; or pumps, valves, or electrical devices providing safe shutdown functions). The team also verified that the short-term compensatory measures compensated for the degraded function or feature until appropriate corrective action could be taken and that the licensee was effective in returning the equipment to service in a reasonable period of time.

b. Findings

No findings.

.11 B.5.b Inspection Activities

a. Inspection Scope

The team reviewed the licensees implementation of guidance and strategies under the circumstances associated with loss of large areas of the plant due to explosions or fire as required by Section B.5.b of the Interim Compensatory Measures Order, EA-02-026, dated February 25, 2002, and 10 CFR 50.54(hh)(2).

The team reviewed the licensees strategies to verify that they continued to maintain and implement procedures, to maintain and test equipment necessary to properly implement the strategies, and to ensure station personnel remained knowledgeable and capable of implementing the procedures. The team performed a visual inspection of portable

equipment used to implement the strategies to ensure availability and material readiness of the equipment, including the adequacy of portable pump trailer hitch attachments, and verify the availability of on-site vehicles capable of towing the portable pump. The team evaluated the engineering evaluations that demonstrated equipment could perform as expected.

The strategies and procedures selected for evaluation included:

b. Findings

No findings.

OTHER ACTIVITIES

[OA]

4OA2 Identification and Resolution of Problems

Corrective Actions for Fire Protection Deficiencies

a. Inspection Scope

The team selected a sample of condition records associated with the licensee's fire protection program to verify that the licensee had an appropriate threshold for identifying deficiencies. In addition the team reviewed the corrective actions proposed and implemented to verify that they were effective in correcting identified deficiencies. The team also evaluated the quality of recent engineering evaluations through a review of condition records, calculations, and other documents during the inspection. During the 2005 and 2008 triennial fire protection inspections, NRC identified performance deficiencies associated with the fire protection program; during the current inspection, the team reviewed the corrective actions associated with a sample of these performance deficiencies.

b. Findings

Introduction.

The team identified a noncited violation of License Condition 2.E for the failure to implement and maintain in effect all provisions of the approved fire protection program. Specifically, the team identified two examples of failure to implement timely corrective actions to correct conditions adverse to fire protection. The first example related to making Procedure 0POP04-ZO-0001, Control Room Evacuation, Revision 33, consistent with the post-fire safe shutdown analysis in order to ensure the actions met critical time requirements. The second example related to not correcting a condition that could disable all three fire pumps simultaneously as a result of fire damage.

Description.

The team identified two examples where the licensee failed to implement timely corrective actions to correct the performance deficiencies.

Example 1 - Inadequate Fire Protection Alternative Shutdown Analysis During the 2005 triennial fire protection inspection, the team identified an unresolved item associated with the failure to have an adequate written evaluation for a control room fire scenario. Specifically, the licensee credited the performance of eight operator manual actions in the control room prior to evacuation that had not received NRC approval.

NRC issued a noncited violation on May 18, 2006, for the failure to have a post-fire safe shutdown analysis evaluation for the additional control room actions demonstrating that applicable requirements were met. In response to this violation, the licensee submitted a license amendment request on February 4, 2008, requesting approval to credit the eight additional control room actions in the approved fire protection program; however, the licensee subsequently withdrew the license amendment request on June 19, 2008.

The licensee submitted a new license amendment request on June 2, 2011, shortly before this inspection.

During this inspection, the team performed timed operator walk-downs of the alternative shutdown procedure. The team determined that operators completed the manual actions inside and outside of the control room in the amount of time provided in the license amendment request and the thermal-hydraulic analysis. The team noted that these time limits assumed operators completed the unapproved actions prior to evacuating the control room. The team confirmed that for six of the eight unapproved actions, the operators completed the actions in the plant without challenging reactor coolant system parameters or natural circulation. However, the team evaluated the two manual actions that were time-critical for operators to complete in order to avoid challenging natural circulation.

The first critical action consisted of tripping the reactor coolant pumps. With the reactor coolant pumps running, the fire-induced spurious opening of a pressurizer spray valve would result in depressurization of the reactor coolant system. The team identified that depressurization would result in a loss of subcooling margin and voiding in the reactor vessel if the reactor coolant pumps were not tripped quickly enough. During the timed walk down, it took operators approximately 18 minutes to trip the reactor coolant pumps outside of the control room (the approved method). The licensee performed a simplified calculation to determine the impact of tripping the reactor coolant pumps in 18 minutes.

The thermal-hydraulic calculation demonstrated that tripping the reactor coolant pumps within 18 minutes did not result in a loss of subcooling margin or voiding in the reactor vessel.

The team also noted that the depressurization would result in a safety injection signal.

The licensee determined that a successful safety injection would cause the pressurizer level to exceed the indicating level within 30 minutes. The team noted that the alternative shutdown procedure contained instructions for operators to stop the safety injection pumps if needed. The team concluded that operators had adequate time available after stopping the reactor coolant pumps to diagnose the safety injection signal and stop the pumps before exceeding regulatory requirements.

The second time-critical action consisted of placing the charging pump control switches in pull-to-lock. The team identified that a fire-induced spurious opening of the auxiliary pressurizer spray valve could result in a depressurization of the reactor coolant system if a charging pump was running. The licensee performed a hydraulic calculation and determined that no flow through the auxiliary pressurizer spray valve. The licensee documented this deficiency in their corrective action program as Condition Record 11-10905. The licensee submitted a license amendment request for NRC review in which they have requested approval of the revised procedure steps.

Example 2 - Potential for fire damage to disable all three diesel-driven fire pumps The fire suppression water supply system has three diesel engine-driven fire water pumps (PA0121, 0221, and 0421), located in the fire pump house. Only one pump is required to supply water for fixed water suppression systems and fire hoses. All three pumps discharge into a common discharge header that supplies water to an underground fire main loop. The fire water pumps are activated by three methods:

1) Automatic start due to low pressure signal from sensor in pump discharge header 2) Manual remote start in Unit 1 main control room 3) Manual local start within the fire pump house During the previous inspection (June 2008), the team determined that the electrical control cables could be damaged by a fire between the control room and the fire pump house and such damage could prevent both automatic and manual pump starting from the control room. A short to ground on a single cable would prevent the starting of its respective pump. The licensee had routed Cables N0FP1C1SC, N0FP01C2SB, and N0FP01C3SB for each of the three pumps in the same cable trays through nine fire areas (Fire Areas 01, 03, 04, 31, 34, 61, 65, 67, and 70) in the Unit 1 electrical auxiliary building. Damage to these electrical cables would delay fire suppression because no water would be available for the fire suppression system until operators could manually start at least one of the diesel engine-driven fire pumps locally.

During this inspection, the team determined that the licensee had not corrected the performance deficiency and that the licensee continued to rely on a manual operator compensatory action. The need to complete this compensatory action hindered the availability of an operator in the event of a fire to perform other duties. Further, the licensee had not evaluated whether it was appropriate to delay the planned modification that would correct the identified deficiency.

The team reviewed the fire protection quality assurance program, as described in the Operations Quality Assurance Program and implemented by plant procedures.

Procedure 0PGP03-ZX-0002, Condition Reporting Process, Revision 40, stated that condition owners were responsible for ensuring for the proper resolution of conditions, including the timeliness of corrective actions. Further, this procedure defined promptly to mean, As soon as practical based on the risk to safe, reliable plant operation or personal safety.

Analysis.

Example 1 - Inadequate Fire Protection Alternative Shutdown Analysis The failure to implement timely corrective actions to correct conditions adverse to fire protection is a performance deficiency. This finding was of greater than minor safety significance because it impacted the Mitigating Systems cornerstone objective to ensure the availability, reliability, and capability of systems that respond to initiating events (such as fire) to prevent undesirable consequences. Specifically, the licensee failed to demonstrate that post-fire safe shutdown would be achieved by performing the actions in question outside of the control room, as approved.

The significance of this finding could not be evaluated using Inspection Manual Chapter 0609, Appendix F, Fire Protection Significance Determination Process, because the performance deficiency involved a control room fire that led to control room evacuation. A senior reactor analyst performed a Phase 3 bounding evaluation to determine an upper limit for the change in core damage frequency.

The analyst used the fire ignition frequency for the control room (FIFCR) and the relay room (FIFRR) listed in the South Texas Project Electric Generating Station Level 2 Probabilistic Safety Assessment and Individual Plant Examination, dated August 1992, as the best available information. The analyst multiplied the fire ignition frequencies by a severity factor (SF) and a non-suppression probability. The non-suppression probability for the control room (NPCR) and relay room (NPRR) indicated the probability that operators failed to extinguish the fire within 20 minutes (assuming 2 minutes for detection), which required control room evacuation. The resulting control room (FCR-EVAC)and relay room (FRR-EVAC) evacuation frequencies were:

FCR-EVAC = FIFCR

  • SF
  • NPCR

= 4.9E-3/yr

  • 0.1
  • 0.013

= 6.37E-6/yr FRR-EVAC = FIFRR

  • SF
  • NPRR

= 9.84E-5/yr

  • 0.1
  • 0.013

= 1.28E-7/yr The control room had 22 electrical panels and the relay room had 64 electrical panels.

The controls and cables for the pressurizer and auxiliary pressurizer spray valves were located in one panel in the control room. Cables for the pressurizer spray valves were located in one panel in the relay room. Additionally, a hot short would have to occur in a panel to cause a valve to spuriously open. The analyst estimated the conditional probability of this hot short to be 0.6 using accepted industry values.

For the control room, the analyst calculated a bounding change in core damage frequency (CDFCR) by multiplying the control room evacuation frequency by the fraction of panels containing the pressurizer or auxiliary pressurizer spray valves and the probability of at least one hot short. For the relay room, the analyst calculated a

bounding change in core damage frequency (CDFRR) by multiplying the relay room evacuation frequency by the fraction of panels containing the pressurizer spray valves and the probability of at least one hot short.

CDFCR = FCR-EVAC

  • 1/22 * (1 - (0.4)3)

= 6.37E-6/yr

  • 4.3E-2

= 2.7E-7 CDFRR = FRR-EVAC

  • 1/64 * (1 - (0.4)2)

= 1.28E-7/yr

  • 1.3E-2

= 1.7E-9/yr Because the postulated fire ignition frequencies for the control room and relay room were independent of each other, the total change in core damage frequency was determined by a simple addition of the change in core damage frequency from the two rooms calculated separately. The resulting overall change in core damage frequency was calculated to have an upper bound of 2.702E-7/yr.

This frequency was considered to be bounding because it assumed:

  • A fire induced hot short in the applicable cabinets would cause the pressurizer or auxiliary pressurizer spray valves to spuriously open and lead to voiding in the reactor coolant system which challenged natural circulation (i.e., the spurious operation was not mitigated);
  • The conditional core damage probability given either a control room or relay room fire with evacuation and the spurious opening of a pressurizer or auxiliary pressurizer spray valve was equal to one; and
  • The performance deficiency accounted for the entire change in core damage frequency (i.e., the baseline core damage frequency for this event was zero).

In accordance with the guidance in Inspection Manual Chapter 0609, Appendix H, the senior risk analyst screened the performance deficiency for its potential risk contribution to large early release frequency since the bounding change in core damage frequency provided a risk significance estimate greater than 1E-7/yr. Given that South Texas Project has a large, dry containment and that control room abandonment sequences do not include steam generator tube ruptures or intersystem loss of coolant accidents, the analyst determined that this example was not significant with respect to large early release frequency. The analyst determined this example was of very low risk significance (Green). The licensee entered this deficiency into the corrective action program as Condition Record 11-10905.

Example 2 - Potential for fire damage to disable all three diesel-driven fire pumps Failure to implement timely corrective actions to ensure that a fire pump would automatically start upon low pressure in the fire main in the event of a fire is a

performance deficiency. This finding is of greater than minor safety significance because it impacted the Mitigating Systems cornerstone objective to ensure the availability, reliability, and capability of systems that respond to initiating events (fire) to prevent undesirable consequences. Specifically, the licensee did not protect the cables for all three fire pumps in a timely manner. Consequently, a single fire could result in fire damage to all three fire pumps, which prevented automatic or manual operation from the control room.

The senior reactor analyst determined the significance of this finding based on Phase 3 significance determination evaluation. An evaluation of the ignition sources and their potential targets determined that Fire Area 67 (Unit 1 technical support center) contained credible fire scenarios that could endanger the cabling to the fire pumps. The senior reactor analyst screened out the other eight fire areas that contained the cables of concern because no credible fire scenarios exist that impacted the circuits. For this analysis, it was assumed that a fire in Fire Area 67 would damage the electrical control cables for all three fire pumps and require manually starting a fire pump at the fire pump house. However, it was determined that a delay in fire suppression because of the need to use manual fire hoses would not result in a plant transient, require evacuation of the control room, or result in damage to any systems and components required for post-fire safe shutdown. Therefore, the senior reactor analyst concluded that the finding is of very low safety significance (Green). The licensee entered this deficiency into the corrective action program as Condition Record 11-10905. The licensee indicated that they will modify the control circuits by installing fuses such that a single fire will not disable all three fire pumps.

These examples of the performance deficiency had a crosscutting aspect in the area of human performance associated with resources because the licensee did not ensure that resources assigned to correct these deficiencies were adequate to assure nuclear safety. Specifically, the licensee failed to ensure adequate design margins by

(1) failing to ensure that operators could perform all necessary manual actions prior to exceeding the regulatory requirements and
(2) failing to modify the control circuits for the fire pumps to protect them against fire damage H.2(a).
Enforcement.

License Condition 2.E requires, in part, that the licensee implement and maintain in effect all provisions of the approved fire protection program as described in the Final Safety Analysis Report through Amendment 55 and the Fire Hazards Analysis Report through Amendment 7 and as approved in the Safety Evaluation Report (NUREG-0781) dated April 1986 and its supplements. Section 9.5.1 of the Final Safety Analysis Report states the Operations Quality Assurance Plan ensures that regulatory requirements and commitments concerning fire protection are satisfied during plant operations. The Operations Quality Assurance Plan states that procedures shall provide the following administrative controlsactions to be taken to assure timely corrective action on conditions adverse to quality.

Procedure 0PGP03-ZX-0002 implements the Operations Quality Assurance Plan and states that condition owners are responsible for the proper resolution of conditions, including the timeliness of corrective actions. Procedure 0PGP03-ZX-0002 also defines promptly to mean, As soon as practical based on the risk to safe, reliable plant operation or personal safety.

Contrary to the above, from May 18, 2006 to June 30, 2011, the licensee failed to implement and maintain in effect all provisions of the approved fire protection program, since the licensee failed to implement timely corrective actions to correct conditions adverse to fire protection in two instances. Specifically, the licensee did not meet the license basis requirement to shut down the plant by taking a single operator action nor obtain approval to allow for the procedurally required multiple operator actions. Also, the licensee did not protect the fire pump control circuits from fire damage such that automatic starting might not occur. The licensee entered these deficiencies into their corrective action program as Condition Record 11-10905. Because this violation was of very low safety significance and the deficiencies entered into the corrective action program, this violation is being treated as a noncited violation, consistent with the Enforcement Policy: NCV 05000498;05000499/2011006-01, Failure to Timely Correct Conditions Adverse to Fire Protection.

4OA6 Meetings, Including Exit

Exit Meeting Summary

The team presented the inspection results to Mr. K. Richards, Senior Vice President and other members of the licensee staff at an exit meeting held on June 30, 2011.

The inspectors asked the licensee whether any of the material examined during the inspection should be considered proprietary. No proprietary information was identified.

ATTACHMENT:

SUPPLEMENTAL INFORMATION

KEY POINTS OF CONTACT

Licensee Personnel

M. Berg, Manager, Design Engineering
M. Billings, Probabilistic Risk Assessment Engineer
R. Bonifay, Fire Brigade Training
F. Cox, Safe Shutdown Engineer
D. Dayton, Systems Engineer, Emergency Lighting
J. Loya, Licensing Engineer
W. Harrison, Licensing Manager
K. Moayyed-Mohsemi, Electrical Design Engineer
K. Mulligan, Operations Procedure Writer
B. Powell, Operations Equipment
K. Richards, Senior Vice President
A. Roberts, Fire Protection Program Engineer
S. Rogers, Probabilistic Risk Assessment Supervisor
D. Rohan, Operations Procedure Writer
B. Russell, Supervisor, Operations Procedures
M. Ruvalcaba, Manager, Testing/Programs Engineering
R. Savage, Licensing Engineer
J. Trbovich, Electrical Design Engineer
T. VanMeter, Instrumentation and Control Design Engineer
D. Wiegand, Fire Protection Coordinator
R. Wiegand, Electrical Design Engineer

NRC personnel

B. Tharakan, Resident Inspector

LIST OF ITEMS OPENED, CLOSED, AND DISCUSSED

Opened and Closed

05000498/2011006-01 NCV Failure to Timely Correct Conditions Adverse to Fire
05000499/2011006-01 Protection (Section 4OA2)

-2- Attachment

LIST OF DOCUMENTS REVIEWED