ML033560473
| ML033560473 | |
| Person / Time | |
|---|---|
| Site: | Harris  |
| Issue date: | 11/28/2003 |
| From: | Ogle C Division of Reactor Safety I |
| To: | Scarola J Carolina Power & Light Co |
| References | |
| FOIA/PA-2003-0358 IR-02-011 | |
| Download: ML033560473 (32) | |
See also: IR 05000400/2002011
Text
Carolina Power & Light Company
ATTN: Mr. James Scarola
Vice President - Harris Plant
Shearon Harris Nuclear Power Plant
P. 0. Box 165, Mail Code: Zone 1
New Hill, North Carolina 27562-0165
SUBJECT: SHEARON HARRIS NUCLEAR PLANT - NRC INSPECTION REPORT
50-400/02-11
Dear Mr. Scarola:
On December 20, 2002, the Nuclear Regulatory Commission (NRC) completed a triennial fire
protection inspection at your Shearon Harris Nuclear Plant. The enclosed integrated inspection
report documents the inspection findings which were discussed on that date with you and other
members of your staff.
The inspection examined the effectiveness of activities conducted under your license relating to
implementation of your NRC-approved fire protection program. The inspectors reviewed
selected procedures and records, observed activities, and interviewed personnel.
Based on the results of this inspection, the inspectors identified eight issues of very low safety
significance (Green). Each of these issues was determined to involve a violation of NRC
requirements. However, because of their very low safety significance and because they have
been entered into your corrective action program, the NRC is treating these issues as Non-
Cited Violations (NCVs), in accordance with Section VI.A.1 of the NRC's Enforcement Policy.
In addition, since three of these findings are related to your corrective action for the previous
violation associated with the Thermo-Lag fire barrier assembly between the 'B' train switchgear
room/auxiliary control panel room and the A train cable spreading room, that violation will
remain open. If you deny any NCV in this report, you should provide a response with the basis
for your denial, within 30 days of the date of this inspection report, to the Nuclear Regulatory
Commission, ATTN: Document Control Desk, Washington, D.C. 20555-0001; with copies to the
Regional Administrator, Region II; Director, Office of Enforcement, United States Nuclear
Regulatory Commission, Washington, D.C. 20555-0001; and the NRC Resident Inspector at
the Shearon Harris Nuclear Plant.
In accordance with 10 CFR 2.790 of the NRC's "Rules of Practice," a copy of this letter and its
enclosure will be publicly available in the NRC Public Document Room or from the Publicly
AY
CP&L 2
Available Records (PARS) component of NRC's document system (ADAMS). ADAMS is
accessible from the NRC Web site at http://www.nrc.pov/reading-rm/adams.html (the Public
Electronic Reading Room).
Sincerely,
Charles R. Ogle, Chief
Engineering Branch 1
Division of Reactor Safety
Docket No.: 50-400
License No.: NPF-63
Enclosure: NRC Inspection Report 50-400/02-11
w/Attachment
cc wfencl:
Distribution w/encl:
PUBLIC
OFFICE RII:DRS RI1:DRS RII:DRS RII:DRP RII:DRS RII:DRS RII:DRP
SIGNATURE
NAME RSchin GWiseman PFillion RHagar SWalker DCPayne PFreddckson
DATE 1/_J2003 1J2003 1IJ2003
I/ 1IJ2O3 1LJ2003 1I.J2003 1LJ2003
E-MAIL COPY? YES NO YES NO
N S NO IYES N YES NO I YES NO
.PUBLIC DOCUMENT YES NO I I I I II
n.JrrI'.P.lA~l~ J Lr I - Pwh-
nrlJAUMDKIT r-'UADD -u.. I rDw
-
Vrrl%.,IL MMUrn .Uur I uUtoumaN I NAML; rM:\l1AHlrU-022 IaI .
U.S. NUCLEAR REGULATORY COMMISSION
REGION II
Docket No.: 50-400
License No.: NPF-63
Report No.: 50-400/02-11
Licensee: Carolina Power & Light (CP&L)
Facility: Shearon Harris Nuclear Plant
Location: 5413 Shearon Harris Road
New Hill, NC 27562
Dates: October 21 - 25, 2002 (Week 1)
November 4 - 8, 2002 (Week 2)
December 16 - 20, 2002 (Week 3)
Inspectors: P. Fillion, Reactor Inspector, Region II
R. Hagar, Resident Inspector, Shearon Harris (Week 3 only)
C. Payne, Fire Protection Team Leader, Region II (Week 3 only)
R. Schin, Senior Reactor Inspector, Region II (Lead Inspector)
S. Walker, Reactor Inspector (Week 3 only)
G. Wiseman, Senior Fire Protection Inspector, Region II (Weeks 1
&2)
Accompanying
Personnel: H. Christensen, Deputy Director, Division of Reactor
Safety, Region II (Week 3 only)
C. Ogle, Chief, Engineering Branch 1, Division of Reactor
Safety, Region II (Week 3 only)
N. Staples, Inspector Trainee, Region II (Weeks 1 & 2)
Approved by: Charles R. Ogle, Chief
Engineering Branch 1
Division of Reactor Safety
Enclosure
SUMMARY OF FINDINGS
IR 05000400-02-11; Carolina Power & Light; on 10/21/2002 - 12/20/2002, Shearon Harris
Nuclear Plant, Triennial Baseline Inspection of the Fire Protection Program.
The inspection was conducted by a team of regional inspectors and the Shearon Harris resident
inspector. Eight Green findings, each a Non-Cited Violation (NCV), were identified. The
significance of issues is indicated by their color (Green, White, Yellow, Red) using IMC 0609
"Significance Determination Process" (SDP). Findings for which the SDP does not apply may
be "Green" or be assigned a severity level after NRC management review. The NRC's program
for overseeing the safe operation of commercial nuclear power reactors is described in
NUREG-1 649, "Reactor Oversight Process," Revision 3, dated July 2000.
Inspection Identified Findings
Cornerstones: Mitigating Systems and Initiating Events
Green. An NCV of Shearon Harris Operating License Condition (OLC) 2.F, Fire
Protection Program; and Technical Specification (TS) 6.8.1, Procedures and Programs,
was identified for failing to protect.equipment [motor-operated valve (MOV) 1CS-1 65,
volume control tank (VCT) outlet to charging/safety injection pumps (CSIPs)] from
maloperation due to a fire. Consequently, a fire in any of three different SSA areas of
the reactor auxiliary building (RAB) could result in a reactor coolant pump (RCP) seal
loss of coolant accident (LOCA) with no operable high pressure safety injection.
This finding had a credible impact on safety because it could result in a loss of
equipment that was relied upon for safe shutdown from a fire and could initiate a LOCA
event. However, the finding was of very low safety significance because of the low fire
initiation frequency and probability of spurious actuations, and the effectiveness of
automatic sprinklers, fire brigade, and remaining safe shutdown (SSD) equipment to
limit the effects of a fire and to shut down the nuclear reactor. Therefore, this finding is
characterized as Green (Section 1R05.03.b.1).
[MOVs 1CS-169, CSIP suction cross-connect; 1CS-214, CSIP mini-flow isolation; 1CS-
218, CSIP discharge cross-connect; and 1CS-219, CSIP discharge cross-connect] from
maloperation due to a fire. Consequently, a fire in one SSA area of the RAB could
result in a loss of all charging and high pressure safety injection.
This finding had a credible impact on safety because it could result in a loss of
equipment that was relied upon for safe shutdown from a fire. However, the finding was
of very low safety significance because of the low fire initiation frequency and probability
of spurious actuations, and the effectiveness of automatic sprinklers, fire brigade, and
remaining SSD equipment to limit the effects of a fire and to shut down the nuclear
reactor. Therefore, this finding is characterized as Green (Section 1R05.03.b.2).
[MOVs 1CS-1 66, VCT outlet to CSIPs; and 1CS-1 68, CSIP suction cross-connect] from
2
maloperation due to a fire. Consequently, a fire in one SSA area of the RAB could
result in a loss of all charging and high pressure safety injection.
This finding had a credible impact on safety because it could result in a loss of
equipment that was relied upon for safe shutdown from a fire. However, the finding was
of very low safety significance because of the low fire initiation frequency and probability
of spurious actuations, and the effectiveness of automatic sprinklers, fire brigade, and
remaining SSD equipment to limit the effects of a fire and to shut down the nuclear
reactor. Therefore, this finding is characterized as Green (Section 1R05.03.b.3).
[MOVs 1CC-208, component cooling (CC) supply to RCP seals; and 1CC-251, CC
return from RCP seals] from maloperation due to a fire. Consequently, a fire in one
SSA area of the auxiliary building could potentially result in an RCP seal LOCA.
This finding had a credible impact on safety because it could result in a loss of
equipment that was relied upon for safe shutdown from a fire and could potentially
initiate a LOCA event. However, the finding was of very low safety significance because
of the low fire initiation frequency and probability of spurious actuations, and the
effectiveness of automatic sprinklers, fire brigade, and remaining SSD equipment to limit
the effects of a fire and to shut down the nuclear reactor. Therefore, this finding is
characterized as Green (Section 1R05.03.b.4).
steps and for inadequate corrective action. For a fire in the new auxiliary control panel
(ACP) fire area, certain SSD procedure steps involved excessive challenges to
operators. There was not reasonable assurance that all NLOs could perform the steps
during a fire. Consequently, a fire in the ACP fire area could result in a loss of all
auxiliary feedwater (AFW). The licensee had added these inadequate procedure steps
during this inspection, as part of the corrective action for violation 50-400/02-08-01
regarding an inadequate fire barrier wall.
This finding had a credible impact on safety because it could result in inability to operate
equipment that was relied upon for SSD from a fire. However, the finding was of very
low safety significance because of the low fire initiation frequency, fire brigade, and
remaining SSD equipment to limit the effects of a fire and to shut down the nuclear
reactor. Therefore, this finding is characterized as Green (Section 1R05.04.b.2).
SSD from a fire and for inadequate corrective action. For a fire in certain SSA areas of
the RAB, including the new ACP fire area, there were too many SSD procedure
contingency actions to respond to potential spurious actuations for the one available
SSD NLO to perform all of them. Consequently, equipment that was relied on for SSD
may not be available. The licensee had added some of these procedure steps as part
of the corrective action for violation 50-400/02-08-01 regarding an inadequate fire
barrier wall.
This finding had a credible impact on safety because it could result in inability to prevent
an initiating event or to operate equipment that was relied upon for SSD from a fire.
3
However, the finding was of very low safety significance because of the low fire initiation
frequency, automatic sprinklers, fire brigade, and remaining SSD equipment to limit the
effects of a fire and to shut down the nuclear reactor. Therefore, this finding is
characterized as Green (Section 1R05.04.b.3).
Green. An NCV of TS 6.8.1 was identified for an inadequate procedure for SSD from a
fire. For a fire in two SSA areas of the RAB, the SSD procedure directed operators to
take CSIP suction from the boric acid tank (BAT) even if BAT level indication were lost.
However, the charging volume needed for reactor coolant system (RCS) cooldown
would have emptied the BAT and damaged the CSIP.
This finding had a credible impact on safety because it could result in loss of equipment
that was relied upon for SSD from a fire. However, the finding was of very low safety
significance because of the low fire initiation frequency, automatic sprinklers, fire
brigade, and remaining SSD equipment to limit the effects of a fire and to shut down the
nuclear reactor. Therefore, this finding is characterized as Green (Section 1R05.04.-).
Green. An NCV of OLC 2.F and TS 6.8.1 was identified for failing to provide battery-
backed emergency lights for operators to perform actions for SSD from a fire and for
inadequate corrective action. For a fire in all of the areas inspected in the auxiliary
building, including the new ACP fire area; many SSD procedure operator action
locations did not have the required battery-backed emergency lights. The licensee had
added some of these procedure steps as part of the corrective action for violation 50-
400/02-08-01 regarding an inadequate fire barrier wall.
This finding has a credible impact on safety because it could result in increased risk of
operators failing to perform SSD actions in an accurate and timely manner. However,
the finding was of very low safety significance because operators had flashlights
available which would have enabled them to perform the actions. Therefore, this finding
is characterized as Green (Section 1R05.04.-).
Report Details
1. REACTOR SAFETY
Cornerstones: Initiating Events and Mitigating Systems
1R05 FIRE PROTECTION
.01 Systems Required To Achieve and Maintain Post-Fire SSD Circuit Analysis
a. Inspection Scope
The team evaluated the licensee's approved fire protection program (FPP) against
applicable requirements, including Operating License NFP-63, License Condition 2.F,
FPP; Branch Technical Position (BTP) Chemical Engineering Branch (CMEB) 9.5-1
(NUREG-0800), July 1981; related NRC Safety Evaluation Reports (SERs) in NUREG
1038, and plant Technical Specifications (TS). The team evaluated all areas of this
inspection, as documented below, against these requirements.
The team used the licensee's Individual Plant Examination for External Events (IPEEE)
and in-plant tours to select four risk significant fire areas/zones for inspection. The four
fire areas/zones selected were:
Fire Zone 1-A-4-CHLR; part of Fire Area 1-A-BAL-B:
This fire zone was located on the 261 foot level (ground level) of the auxiliary building. It
was further subdivided in the licensee's Safe Shutdown Analysis (SSA) into SSA areas 1-
A-BAL-B-B1 [including the "A" chiller and motor-driven AFW pump flow control valves
(FCVs)] and 1-A-BAL-B-B2 [including the "B" chiller and turbine-driven TDAFW pump
FCVs]. A significant fire in either of these areas would require shutdown of the unit from
the main control room (MCR) and additional manual operator actions in various areas of
the plant.
- Fire Zone 1-A-4-COM-E; part of Fire Area 1-A-BAL-B:
This fire zone was located on the 261 foot level (ground level) of the auxiliary building. It
was further subdivided in the licensee's SSA to SSA areas 1-A-BAL-B-B4 (including
480V MCC 11B35-SB) and 1-A-BAL-B-B5 (including 480V MCC 1A35-SA). A significant
fire in either of these areas would require shutdown of the unit from the MCR and
additional manual operator actions in various areas of the plant.
- Fire Area 1-A-EPA:
This fire zone was located on the 261 foot level (ground level) of the auxiliary building. It
included electrical penetration room 'A'. A significant fire in this area would require
shutdown of the unit from the MCR and additional manual operator actions in various
areas of the plant.
- Fire Area 1-A-BATB:
2
This fire zone was located on the 286 foot level (above ground level) of the auxiliary
building. It included the 'B' electrical battery room. A significant fire in this area would
require shutdown of the unit from the MCR and additional manual operator actions in
various areas of the plant.
The team reviewed the post-fire SSD capability and the fire protection features to verify
that at least one post-fire safe shutdown success path would be maintained free of fire
damage during a fire in any of the selected fire areas/zones. The team reviewed the
licensee's fire protection program, including the SSA and supporting calculations, to
determine the systems required to achieve post-fire SSD. The team also reviewed the
Safe Shutdown Equipment List, system flow diagrams, and the Fire Hazards Analysis
(FHA) in the Updated Final Safety Analysis Report (UFSAR) for each of the selected fire
areas to evaluate the completeness and adequacy of the SSD analysis and the systems
relied upon to mitigate fires in the selected fire areas. Specific licensee documents and
drawings reviewed during the inspection are listed in the Attachment.
b. Findings
The team found that the licensee's SSA method for dealing with problem cables (i.e.,
cables that were required for control room operation of SSD equipment during a fire in a
certain area but were not physically protected from that fire) was to primarily rely on
operator manual actions (e.g., locally open the breaker to an MOV and locally operate
the MOV using the handwheel). Only if no operator action could be found would the
licensee physically protect the cables. Consequently, the licensee had over 100 local
manual operator actions that they relied on for achieving hot shutdown conditions during
a fire. The licensee had not requested deviation approvals from the NRC for these
operator actions and had not verified or validated the operator actions to the extent that
would have been involved in NRC reviews of deviation requests. This SSD methodology
contributed to the findings and unresolved item (URI) that are described in the following
sections of this report.
.02 Fire Protection of SSD CaDability
a. Inspection Scope
The team reviewed UFSAR Section 9.5.1, Appendix 9.5A, Fire Hazards Analysis (FHA);
the FPP manual; and plant administrative fire prevention/combustible hazards-ignition
source control procedures. This review was to verify that the objectives established by
the NRC-approved FPP were satisfied. The team also toured the selected plant fire
areas observing the licensee's implementation of these procedures. The team also
reviewed the FPP transient combustible permit logs, and fire emergency/incident
investigation reports, for the years 2000-2002. Corrective action program Action
Requests (ARs) resulting from fire, smoke, sparks, arcing, and equipment overheating
incidents for the same period were also reviewed to assess the effectiveness of the fire
prevention program and to identify any maintenance or material condition problems
related to fire incidents.
3
The team reviewed flow diagrams and engineering calculations associated with the 'B'
battery room heating, ventilation, and air conditioning (HVAC) systems. This review was
done to verify that systems used to accomplish safe shutdown would not be inhibited by
a potential hydrogen gas fire in the 'B' battery room due to inoperable ventilation supply
and exhaust fans. The team also reviewed the TS LCO requirements for loss of
ventilation in the 'B' battery room to verify that appropriate timely actions were specified
to ensure that hydrogen gas concentrations generated by the station batteries remained
below explosive limits.
The team toured the plant's primary fire brigade staging and dress-out areas to assess
the condition of fire fighting and smoke control equipment. Fire brigade personal
protective equipment located in brigade staging area lockers was reviewed to evaluate
equipment accessibility and functionality. Additionally, the team examined whether
backup emergency lighting was provided for access pathways to and within the fire
brigade staging and dress-out areas in support of fire brigade operations should a power
failure occur during the fire emergency. The team also observed whether emergency
exit lighting was provided for personnel evacuation pathways to the outside exits as
identified in the National Fire Protection Association (NFPA) 101, Life Safety Code and
Occupational Safety and Health Administration (OSHA) Part 1910, Occupational Safety
and Health Standards. The adequacy of the fire brigade self-contained breathing
apparatus (SCBAs) was reviewed as well as the availability of supplemental breathing air
tanks.
Team members also toured the selected fire areas and compared the associated fire
pre-plans with as-built plant conditions. This was done to verify that they were consistent
with the fire protection features and potential fire conditions described in the UFSAR.
Additionally, the team reviewed drawings and engineering flood analysis associated with
the 261-foot elevation reactor auxiliary building floor and equipment drain system to verify
that those actions required for SSD would not be inhibited by fire suppression activities or
leakage from fire suppression systems.
The team reviewed the fire brigade response procedure, fire brigade organization, and
training and drill program administration procedures. Fire drill critiques of operating shifts
for the period of March 2001 through October 2002 were reviewed to verify that fire
brigade drills had been conducted in high fire risk plant areas. Fire brigade training/drill
records for 2002 were also reviewed to verify that the fire brigade personnel
qualifications, brigade drill response time, and brigade performance met the
requirements of the licensee's approved FPP. Additionally, the team observed a fire drill
to verify the licensee's implementation of the fire brigade organization, training, and drill
program administration procedures. The team observed the actions of the site fire
brigade, offsite fire department, and fire drill monitors; and attended the drill critique.
b. Findings
No findings of significance were identified.
.03 Post-Fire SSD Circuit Analysis
a. Inspection Scope
4
The team reviewed the adequacy of separation and fire barriers provided for the power
and control cabling of equipment relied on for SSD during a fire in any of the selected fire
areas/zones. On a sample basis, the team reviewed the SSA and the electrical
schematics for power and control circuits of SSD components, and looked for the
potential effects of open circuits, shorts to ground, and hot shorts. This review focused
on the cabling of selected components for the charging/safety injection system, AFW
system, and component cooling water (CC) system. The team traced the routing of
cables by using the cable schedule and conduit and tray drawings. Walkdowns were
performed to compare 1-hour and 3-hour barriers (conduit and tray fire barrier wraps) to
barriers indicated on the drawings. Circuit and cable routings were reviewed for the
following equipment: 1CS-169, CSIP suction cross connect MOV; 1CS-168, CSIP
suction cross connect MOV; 1CS-214, CSIP minimum flow MOV; 1CS-217, CSIP
discharge cross connect MOV; 1CS-218, CSIP discharge cross connect MOV; 1CS-219,
CSIP discharge cross connect MOV; 1CS-1 65, volume control tank (VCT) outlet MOV;
1CS-166, VCT outlet MOV; 1CS-278, boric acid tank (BAT) to CSIP MOV; BAT level
instrumentation; 1CC-207, CC supply to RCP seals MOV; 1CC-208, CC supply to RCP
seals MOV; 1CC-252, CC return from RCP seals MOV; 1CC-251, CC return from RCP
seals MOV; 1CC-249, CC return from RCP seals MOV; 1RC-117, pressurizer power-
operated relief valve (PORV) block valve; 1Sl-310, containment sump to 'A' RHR pump
MOV; 1SI-311, containment sump to 'B' RHR pump MOV; motor-driven AFW pump 1A;
motor-driven AFW pump 1B; and turbine-driven AFW pump.
The team also reviewed studies of overcurrent protection on both AC and DC systems to
identify whether fire induced faults could result in defeating the safe shutdown functions.
b. Findings
(1) MOV 1CS-1 65. VCT Outlet to CSIPs
Introduction
The team identified an NCV of OLC 2.F and TS 6.8.1 for failing to protect equipment
[MOV 1CS-165] from maloperation due to a fire. Consequently, a fire in any of three
different areas of the auxiliary building could result in an RCP seal LOCA with no
operable high pressure safety injection.
Description
The team found that the control power cable for charging system MOV 1CS-1 65; which
was relied upon to remain open for SSD during a fire in SSA areas 1-A-BAL-B-B1 and 1-
A-BAL-B-B2, and in fire area 1-A-EPA; was routed through those areas with no fire
barrier. As a result, the control power cable for the MOV was vulnerable to fire-induced
hot shorts which could result in spurious valve operation. The lack of a required fire
barrier was not recognized in the SSA and no procedural guidance was included in AOP-
36, Safe Shutdown Following a Fire, Rev. 21, for operators to prevent maloperation of
1CS-165 prior to damage occurring to SSD equipment. Consequently, a fire in one of
the three SSA areas could cause 1CS-165 to spuriously close, isolate all CSIP suction
flowpaths, and immediately damage the operating SSD CSIP.
5
The SSD analysis for a fire in SSA areas 1-A-BAL-B-B1, 1-A-BAL-B2, or 1-A-EPA was to
rely on SSD Division 2 equipment. This included reliance on CSIP 'B' for RCS makeup
water, RCP seal cooling, reactivity control by boration, and high pressure safety injection.
The SSA assumed that CSIP 'A' was not assured to be unaffected by the fire and CSIP
'C' was not assured to be available. Consequently, a failure of CSIP 'B' could result in a
loss of all charging and high pressure safety injection. Also, for a fire in any of these
three SSA areas, CC flow to the RCP seals was not protected. The team found that the
control power cable to MOV 1CC-207, CC flow to RCP seals, was also routed through
the same three SSA areas in the same cable tray with the control power cable to 1CS-
165. AOP-36 included no operator action to prevent spurious operation of MOV 1CC-
207. Spurious closure of MOV 1CC-207 would stop all CC flow to the seals of all three
RCPs. Thus the potential consequences of a fire in any of the three SSA areas could be
an RCP seal LOCA with no charging or high pressure injection.
Also, the team found that the control power cables for MOVs 1CC-252, CC return from
RCP seals, and 1CC-249, CC return from RCP seals, were routed through SSA area 1-
A-BAL-B-B2 and could be affected by a fire in that area. AOP-36 included an operator
action to prevent spurious actuation of 1CC-252 for a fire in SSA area 1-A-BAL-B-B2.
That action included opening the breaker to MOV 1CC-252 on MCC 1El 2. However, the
SSD NLO would likely not be able to safely do that action during a fire in SSA area 1-A-
BAL-B-B2 because MCC 1El 2 was located in that SSA area. AOP-36 included no
operator action for 1CC-249. Spurious closure of 1CC-252 or 1CC-249 would stop all
CC flow to the RCP seals. The team noted that, while the operator action for 1CC-252
may not be needed for a fire in SSA area 1-A-BAL-B-B2 because the charging system
was supposed to provide RCP seal cooling, this inappropriate procedural action (sending
an operator into an area where there was a fire) could delay the SSD NLO from
performing other procedure actions that were required to achieve SSD.
In addition, the team found that modification ESR 01-00087, which was installed in
January 2002, had affected this condition and missed an opportunity to correct it. ESR
01-00087 changed the CSIP mini-flow path so that it would go to the VCT instead of
going directly to the CSIP suction. Prior to the ESR, if 1CS-1 65 spuriously closed, the
running CSIP would still have some suction although probably not enough to prevent
pump damage. After the ESR, if 1CS-165 spuriously closed, the running CSIP would
have no suction and CSIP failure would be more certain and more immediate. ESR 01-
00087 failed to recognize this effect and missed an opportunity to identify and correct the
condition.
Analysis
This finding had more than minor safety significance because it affected the Mitigating
Systems and Initiating Events objectives of the Reactor Safety Cornerstone. The finding
affected the availability and reliability of systems that mitigate initiating events to prevent
undesirable consequences. It also affected the likelihood of occurrence of initiating
events that challenge critical safety functions. However, the finding was of very low
safety significance because of the low fire initiation frequency and probability of spurious
actuations, and the effectiveness of automatic sprinklers, fire brigade, and remaining
SSD equipment to limit the effects of a fire and to shut down the nuclear reactor.
Therefore, this finding is characterized as Green.
6
Enforcement
OLC 2.F. required that the licensee implement and maintain in effect all provisions of the
approved fire protection program as described in the Final Safety Analysis Report. The
UFSAR, Section 9.5.1, Fire Protection Program (FPP), stated that outside containment,
where cables or equipment (including associated non-essential circuits that could prevent
operation or cause maloperation due to hot shorts, open circuits, or shorts to ground) of
redundant safe shutdown divisions of systems necessary to achieve and maintain cold
shutdown conditions are located within the same fire area outside of primary
containment, one the redundant divisions must be ensured to be free of fire damage.
Section 9.5.1 further stated that if both divisions are located in the same fire area, then
one division is to be protected from fire damage by one of three methods: 1) a three-hour
fire barrier, 2) a one-hour fire barrier plus automatic detection and suppression, or 3) a
20-foot separation with no intervening combustibles and with automatic detection and
suppression.
TS 6.8.1 required procedures as recommended by Regulatory Guide (RG) 1.33 and
procedures for fire protection program implementation. RG 1.33 recommended
procedures for combating emergencies, including fires. The licensee's interpretation of
their fire protection program was that they could and would rely on operator actions in
place of physical protection of SSD equipment (see Section ___). However, the
licensee had failed to provide procedural guidance in AOP-36 for operators to prevent
maloperation of MOV lCS-165.
Contrary to the above requirements, the licensee failed to protect MOV 1CS-165 from
maloperation due to a fire where it was relied on for SSD. Because the licensee entered
the finding into the corrective action program as AR 76260, this item is being treated as
an NCV in accordance with Section VI.A.1 of the NRC's Enforcement Policy. This item is
identified as NCV 50-400/02-11 -01, Failure to Protect MOV 1CS-1 65, VCT Outlet to
CSIPs, From Maloperation Due To a Fire.
(2) MOV 1CS-169. CSIP Suction Cross-connect: MOV JCS-214. CSIP Mini-flow Isolation:
MOV 1CS-218. CSIP Discharge Cross-connect: and MOV 1CS-219, CSIP Discharge
Cross-connect
Introduction
The team identified an NCV of OLC 2.F and TS 6.8.1 for failing to protect equipment
[MOVs 1CS-169, 1CS-214, ICS-218, and i CS-219] from maloperation due to a fire.
Consequently, a fire in one SSA area of the auxiliary building could result in a loss of all
charging and high pressure safety injection.
Description
The team found that the control power cables for charging system MOVs 1CS-1 69, 1CS-
214, 1CS-218, and 1CS-219, which were relied upon to remain open for SSD during a
fire in SSA area 1-A-BAL-B-B5, were routed through that area with incomplete fire
barriers. The control cables were unprotected for about one foot above MCC 1-A35-SA
and inside the MCC.
7
This lack of required fire barriers was recognized in the SSA for 1CS-1 69, 1CS-214, and
1CS-218, and procedural guidance was included in AOP-36 for operators to prevent
maloperation of these valves. However, the procedural guidance was not adequate.
AOP-36 directed operators to go to MCC 1A35-SA and open the breakers for 1CS-169
and 1CS-214 to prevent spurious operation. However, operators would not be able to
safely do that because the actions were in the area of the fire that could cause the
spurious operation. AOP-36 directed operators to go to MCC 1B35-SB, in another room,
to open the breaker for 1CS-218. However, operators would not be able to do that
because the breaker for 1CS-218 was actually located on MCC 1A35-SA. The SSA had
not identified a need for operator action to prevent maloperation of 1CS-219 and AOP-36
included no action steps for that valve.
AOP-36 did include the following guideline for operators: "Monitor for spurious valve and
pump operation which may result in equipment damage (for example, CSIP suction
valves.)" The team noted that closure of a CSIP suction valve could result in pump
damage within seconds; before operators could respond to an annunciator, analyze the
condition, and take action to prevent pump damage. Another AOP-36 guideline was:
'When directed by the Unit Shift Supervisor, then shut down equipment and de-energize
electrical busses located within the fire area.' Operators stated that they would de-
energize MCC 1A35-SA if the fire brigade team leader or another operator told them that
the MCC was on fire or if they observed spurious actuations that could be initiating from
the MCC. However, the team noted that the fire brigade would not arrive and attack the
fire until about 20 minutes after the control room sounded the fire alarm, and spurious
actuations could occur well before that. By procedure, control room operators would
respond to a single fire detector annunciator by sending an NLO to verify that there was
a fire and that the fire was large enough to warrant sounding the fire alarm and calling
out the fire brigade. However, if the control room operators received annunciation from
two or more fire detectors, which would be very likely in the event of fire large enough to
present an operational safety concern, then they would not send an NLO but instead
would immediately sound the fire alarm and call out the fire brigade. So it was likely that
the first visual report on the fire would not be received in the control room until about 20
minutes after the fire alarm. By that time, the fire would have likely filled the room with
smoke so that the fire brigade would not be able to immediately identify if the MCC was
on fire.
The team concluded that it was unlikely that the control room would de-energize MCC
1A35-SA before spurious actuations could occur. Consequently, a fire in this area, near
or in MCC 1A35-SA, could cause any of the four MOVs to spuriously close. Closure of
1CS-214 would stop all mini-flow from all CSIPs. Closure of 1CS-218 or 1CS-219 would
stop charging flow from SSD CSIP 'B'. If such a loss of charging flow or CSIP mini-flow
occurred, operators would receive an alarm in the control room and would probably have
time to diagnose the condition and initiate recovery actions before CSIP damage
occurred. However, closure of 1CS-169 would stop all suction to SSD CSIP 'B' and
immediately damage the pump.
The SSD analysis for a fire in SSA area 1-A-BAL-B-B5 was to rely on SSD Division 2
equipment. This included reliance on CSIP 'B' for RCS makeup water, RCP seal cooling,
reactivity control by boration, and high pressure safety injection. CSIP 'A' was not
assured to be unaffected by the fire and CSIP 'C' was not assured to be available. The
8
team noted that MOVs powered from MCC 1A35-SA could affect CSIP 'A' and CSIP 'C'.
While the SSA did not assure that CC would be available, the team did not identify any
vulnerabilities of CC to a fire in this area. Consequently, the team concluded that the
potential consequences of a fire in SSA area 1-A-BAL-B5 could be a loss of all charging
and high pressure safety injection.
Analysis
This finding had more than minor safety significance because it affected the Mitigating
Systems objectives of the Reactor Safety Cornerstone. The finding affected the
availability and reliability of systems that mitigate initiating events to prevent undesirable
consequences. However, the finding was of very low safety significance because of the
low fire initiation frequency and probability of spurious actuations, and the effectiveness
of automatic sprinklers, fire brigade, and remaining SSD equipment to limit the effects of
a fire and to shut down the nuclear reactor.
During the inspection, a question arose about whether a fire initiating inside an MCC
could credibly cause spurious actuations. A premise was that the power breaker to the
MCC would always trip before spurious actuations could occur. The team noted that the
frequency of a fire initiating inside an MCC was higher than the frequency of a fire
initiating just outside of an MCC, However, after further review, the team concluded that
the frequency for a fire starting outside or inside an MCC would still result in a very low
safety significance for the observed condition. Therefore, this finding is characterized as
Green.
Enforcement
As described in Section lA05.03.b.1 above, OLC 2.F. required that equipment relied
upon for SSD be physically protected against maloperation due to the fire. Also, TS 6.8.1 required procedures for implementing the fire protection program and for combating
fires.
Contrary to the above requirements, the licensee failed to protect MOVs 1CS-169,1CS-
214, 1CS-218, and 1CS-219 from maloperation due to a fire where they were relied on
for SSD. Because the licensee entered the finding into the corrective action program as
ARs 76260 and 80212, this item is being treated as an NCV in accordance with Section
VL.A.1 of the NRC's Enforcement Policy. This item is identified as NCV 50-400/02-11-03,
Failure to Protect Charging System MOVs I CS-169, 1CS-214,1 CS-218, and 1CS-219
From Maloperation Due To a Fire.
(3) MOV 1CS-1 66. VCT Outlet to CSIPs: MOV 1CS-1 68, CSIP Suction Cross-connect: and
MOV 1CS-217. CSIP Discharge Cross-connect
Introduction
The team identified an NCV of OLC 2.F and TS 6.8.1 for failing to protect equipment
[MOVs 1CS-1 66, 1CS-1 68, and 1CS-217] from maloperation due to a fire.
Consequently, a fire in one SSA area of the auxiliary building could result in a loss of all
charging and high pressure safety injection.
9
Description
The team found that the control power cables for charging system MOVs 1CS-1 66,1 CS-
168, and 1CS-217, which were relied upon to remain open for SSD during a fire in SSA
area 1-A-BAL-B-B4, were routed through that area with incomplete fire barriers. The
control cable for MOV 1CS-166 was unprotected for about one foot above MCC 1B35-SB
and inside the MCC. The control power cables for MOVs 1CS-168 and 1CS-217 were
unprotected inside MCC 1B35-SB. This lack of required fire barriers was not recognized
in the SSA and no procedural guidance was included in AOP-36 for operators to prevent
or mitigate maloperation of these valves. Consequently, a fire in this area, near or in
MCC 1B35-SB, could cause 1CS-1 66 or 1CS-168 to spuriously close, which would stop
all suction to SSD CSIP 'A', and immediately damage the pump. If CSIP 'C' were aligned
to be used in place of CSIP 'A', then the fire could cause spurious closure of 1CS-217
and stop charging flow from CSIP C.
The SSD analysis for a fire in SSA area 1-A-BAL-B-B4 was to rely on SSD Division 1
equipment. This included reliance on CSIP 'A' for RCS makeup water, reactivity control
by boration, and high pressure safety injection. CSIP 'B' was not assured to be
unaffected by the fire and CSIP 'C' was not assured to be available. Also, when all three
CSIPs were available, the 'C' CSIP would be aligned to the 'B' train; and it would take
licensee personnel several hours to align the 'C' CSIP to the 'A' train. Consequently, a
failure of CSIP 'A' could result in a loss of all charging and high pressure safety injection.
If CSIP 'C' were aligned to be operating in place of CSIP 'A', and a maloperation of 1CS-
217 caused a loss of charging flow, operators would receive a loss of charging flow alarm
and would probably have time to diagnose and respond to the condition before the CSIP
was damaged.
In addition, the team found that modification ESR 01-00087, which was installed in
January 2002, had affected the significance of the lack of protection for 1CS-166. As
described above for 1CS-1 68, ESR 01-00087 was a missed opportunity to identify and
correct the lack of protection for 1CS-1 66.
Analysis
This finding had more than minor safety significance because it affected the Mitigating
Systems objectives of the Reactor Safety Cornerstone. The finding affected the
availability and reliability of systems that mitigate initiating events to prevent undesirable
consequences. However, the finding was of very low safety significance because of the
low fire initiation frequency and probability of spurious actuations, and the effectiveness
of automatic sprinklers, fire brigade, and remaining SSD equipment to limit the effects of
a fire and to shut down the nuclear reactor. Therefore, this finding is characterized as
Green.
Enforcement
As described in Section 1R05.03.b.1 above, OLC 2.F. required that equipment relied
upon for SSD be physically protected against maloperation due to the fire. Also, TS 6.8.1 required procedures for implementing the fire protection program and for combating
10
fires.
Contrary to the above requirements, the licensee failed to protect MOVs 1CS-1 66, 1CS-
168, and 1CS-217 from maloperation due to a fire where they were relied on for SSD.
Because the licensee entered the finding into the corrective action program as AR
76260, this item is being treated as an NCV in accordance with Section VI.A.1 of the
NRC's Enforcement Policy. This item is identified as NCV 50-400/02-11-04, Failure to
Protect Charging System MOVs 1CS-166, 1CS-168, and 1CS-217 From Maloperation
Due To a Fire.
(4) MOV 1CC-251. CC Return From RCP Seals:
and MOV 1CC-208. CC SuppIV To RCP Seals
Introduction
The team identified an NCV of OLC 2.F and TS 6.8.1 for failing to protect equipment
[MOVs 1CC-251 and 1CC-208] from maloperation due to a fire. Consequently, a fire in
one SSA area of the auxiliary building could potentially result in an RCP seal LOCA.
Description
The team found that the control power cables for CC system MOVs 1CC-251 and 1CC-
208, which were relied upon to remain open for SSD during a fire in SSA area 1-A-BAL-
C, were routed through that area and into MCC 1B31 in that area with no fire barrier.
Fire area 1-A-BAL-C was located on the 286 foot level of the auxiliary building, above
electrical penetration room 'B'. This lack of required fire barriers and need for operator
actions was recognized in the SSA but no procedural guidance was included in AOP-36
for operators to prevent or mitigate maloperation of these valves. Consequently, a fire in
this area could cause I CC-251 or 1CC-208 to spuriously close, which would stop all CC
flow to the RCP seals.
The SSD analysis for a fire in area 1-A-BAL-C was to rely on SSD Division 1 equipment.
This included reliance on CC to cool the RCP seals. CSIP supply to the RCP seals was
not assured to be unaffected by the fire. Consequently, a loss of CC to the RCP seals
could potentially result in a loss of all RCP seal cooling which could in turn result in an
Analysis
This finding had more than minor safety significance because it affected the Initiating
Events objective of the Reactor Safety Cornerstone. The finding affected the likelihood
of occurrence of initiating events that challenge critical safety functions. However, the
finding was of very low safety significance because of the low fire initiation frequency and
probability of spurious actuations, and the effectiveness of automatic sprinklers, fire
brigade, and remaining SSD equipment to limit the effects of a fire and to shut down the
nuclear reactor. Therefore, this finding is characterized as Green.
Enforcement
11
As described in Section 1R05.03.b.1 above, OLC 2.F. required that equipment relied
upon for SSD be physically protected against maloperation due to the fire. Also, TS 6.8.1 required procedures for implementing the fire protection program and for combating
fires.
Contrary to the above requirements, the licensee failed to protect MOVs 1CC-251 and
1CC-208 from maloperation due to a fire where they were relied on for SSD. Because
the licensee entered the condition into the corrective action program as AR 80089, this
item is being treated as an NCV in accordance with Section VL.A.1 of the NRC's
Enforcement Policy. This item is identified as NCV 50-400/02-11-02, Failure to Protect
MOVs 1CC-251 and 1CC-208, CC for RCP Seals, From Maloperation Due To a Fire.
.04 Operational Implementation of SSD Capability
a. Inspection Scope
The team reviewed and walked down the local manual actions, needed to achieve and
maintain hot shutdown, that were described in procedure AOP-036, Safe Shutdown
Following a Fire, Rev. 21, for fires in all of the selected areas/zones as described in
Section 1R05.01.a.
The team also followed up on open violation (VIO) 50-400/02-08-01, Failure to Implement
and Maintain NRC Approved Fire Protection Program Safe Shutdown System Separation
Requirements. That VIO and related White finding had been left open in IR 50-400/02-
08. In a supplement to that IR dated October 4, 2002, the NRC had stated that licensee
modifications had reduced the risk significance of the degraded Thermo-Lag barrier to
that of a Green finding. However, VIO 50-400/02-08-01 was left open pending further
NRC review of licensee corrective actions and the development of internal NRC
inspection guidance, related to use of local manual actions as opposed to one of the
protection methods identified in NRC Position C.5.b.(2) of Branch Technical Position
(BTP) CMEB 9.5-1. During this inspection, the team reviewed and walked down the local
manual actions, needed to achieve and maintain hot shutdown, that were proceduralized
by the licensee during this inspection in AOP-36, Rev. 24, for the new ACP room fire
area. The team performed these reviews and walkdowns using NRC inspection
guidance.
The team reviewed and walked down the manual actions described above to verify that:
- The procedures used for SSD were available to the appropriate staff.
- The procedures used for SSD were consistent with the SSA methodology and
assumptions and also were consistent with fire pre-plan procedures.
- The actions were described in the fire-protection-related licensing-basis
documents.
- The procedures were written so that operator actions could be correctly
performed within the times assumed in the SSA.
12
- Personnel required to achieve and maintain the plant in hot shutdown condition
from the MCR could be provided from normal onsite staff, exclusive of the fire
brigade.
- Operator and fire brigade staffing would be adequate to complete the required
manual actions.
- Operators had sufficient access to the equipment to perform the required actions.
- Access to remote shutdown equipment and operator manual actions would not be
inhibited by smoke migration from one area to adjacent plant areas used to
accomplish SSD.
- The training program for operators included appropriate lesson plans and job
performance measures (JPMs) for SSD activities.
b. Findings
(1) Reliance on Manual Actions In Place of Required Physical Separation or Protection
Introduction
The team identified a URI related to the licensee's reliance on manual actions in place of
the required physical separation or protection.
Description
The team found that the licensee routinely relied on manual actions in place of the
required physical separation or protection. For a fire in SSA areas 1-A-BAL-B-B1, -B2, -
B4, or -B5; AOP-36 included about 39 local manual operator actions to achieve and
maintain hot shutdown. For a fire in the new ACP room, fire area 1-A-ACP, AOP-36
included about 55 local manual operator actions to achieve and maintain hot shutdown.
The local manual actions for each of the areas reviewed are listed in Attachment 2 to this
report. The team assessed that an SSD NLO would reasonably be able to perform each
of the operator actions that were reviewed (except those that are identified below as
findings) during a fire. However, reliance on all of these manual actions in place of
physical separation or protection could increase the risk of failure of SSD equipment to
operate during a fire.
Analysis
This issue could have more than minor safety significance because it could affect the
Mitigating Systems objectives of the Reactor Safety Cornerstone. The issue could affect
the availability and reliability of systems that mitigate initiating events to preclude
undesirable consequences.
Enforcement
As stated in Section 1R05.03.b.1, OLC 2.F. and the licensee's approved FPP required
13
that if both divisions (that could be used for SSD) are located in the same fire area, then
one division is to be physically protected from fire damage by one of three approved
methods. The licensee's approved FPP did not provide for reliance on operator actions
in place of physical separation or protection of SSD equipment. However, the licensee's
incorrect interpretation of their fire protection program was that they could and would rely
on operator actions in place of physical separation or protection of SSD equipment,
without obtaining NRC approval for deviating from the requirements. Consequently, the
licensee had not requested NRC approval for reliance on any operator actions in place of
physical separation or protection.
Per current NRC inspection guidance, this issue will be identified as a URI, pending the
commission's acceptance of a proposed NRC staff initiative to change the related NRC
requirements. It will be identified as URI 50-400/02-11-05, Reliance on Manual Actions
in Place of Required Physical Separation or Protection.
(2) Fire SSD Operator Actions With Excessive Challenges
Introduction
The team identified an NCV of TS 6.8.1 and OLC 2.F for inadequate procedural steps
and for inadequate corrective action. For a fire in the new auxiliary control panel (ACP)
fire area, certain SSD procedure steps involved excessive challenges to operators.
There was not reasonable assurance that all NLOs could perform the steps during a fire.
Consequently, a fire in the ACP fire area could result in a loss of all AFW. The licensee
had added these inadequate procedure steps during this inspection, as part of the
corrective action for violation 50-400/02-08-01.
Description
For a fire in Fire Area 1-A-ACP, AOP-36 steps 2.c and 14.a required the NLO to remove
fuses from transfer panel 1B. Completing these steps would include the following
challenges:
The subject transfer panel was physically located approximately 20 feet from the
ACP room door. With a fire in the ACP room, the area around the transfer panel
could become uninhabitable before the NLO could complete these steps,
because some smoke from the fire could enter the transfer panel area from
around the door while the door was closed, and because smoke would certainly
enter the transfer panel area when the door was opened by the fire brigade to
attack the fire.
- To physically reach the subject fuses, the NLO would need to place his or her
entire body inside a cabinet with an opening that was approximately 15 inches
wide. Also, the inside of the cabinet included energized electrical components on
each side of the cabinet, with about 15 inches of width between them. The
licensee had not ensured that all NLOs were physically capable of safely entering
that cabinet - the team noted that some NLOs were more than 15 inches wide.
- Because the subject fuses were located on a panel inside the cabinet and
14
approximately seven feet above floor level, all but the tallest NLOs would need to
use a narrow, custom-made wooden step-stool inside the cabinet to be able to
reach the fuses. The team noted that the location of the step-stool was not
controlled.
Because the subject fuses were also located behind a plexiglass fuse cover that
was held in place by small metal screws, the NLO would need to raise his or her
hands above the level of his or her head and use a metal screwdriver to remove
the fuse cover. The licensee had not ensured that all NLOs were physically
capable of completing this activity. Furthermore, because this activity involved
manipulating a metal screwdriver inside an energized electrical cabinet, the team
considered the activity to involve a personnel safety hazard.
- To identify the correct fuses to be pulled, the NLO must first identify the cabinet in
which the fuses are located, and then identify the fuses themselves, within that
cabinet. The team observed that the subject cabinet was physically adjacent to
four identical cabinets, that these cabinets were not labeled on the side from
which the NLO would enter, and that the instructions in NLOP-036 did not identify
the subject cabinet. Furthermore, the team observed that the labels which
uniquely identified the subject fuses within the cabinet were difficult to see - they
were partially obscured by cables which had been landed on adjacent terminal
blocks.
The team considered that these challenges were excessive and that there was not
reasonable assurance that all NLOs would be able to perform the actions during a fire.
Consequently, operators would not able to start the turbine-driven AFW pump and the
AFW system could be inoperable. The team concluded that these procedure steps were
inadequate and that they represented inadequate corrective action for violation 50-
400/02-08-01.
Analysis
This finding had more than minor significance because it affected the Mitigating Systems
objectives of the Reactor Safety Cornerstone. The finding affected the availability and
reliability of systems that mitigate initiating events to prevent undesirable consequences.
However, the finding was of very low safety significance because of the low fire initiation
frequency, fire brigade, and remaining SSD equipment to limit the effects of a fire and to
shut down the nuclear reactor. Therefore, this finding is characterized as Green.
Enforcement
As described in Section 1R05.03.b.1 above, OLC 2.F required that equipment relied
upon for SSD be physically protected from the fire. Also, TS 6.8.1 required procedures
for implementing the fire protection program and for combating fires. In addition, OLC
2.F and the UFSAR, Section 9.5.1, FPP, included quality assurance requirements for fire
protection. The FPP stated that a QA program was being used to identify and rectify any
possible deficiencies in design, construction, and operation of the fire protection systems.
Contrary to the above requirements, the licensee failed to protect the turbine-driven EFW
15
pump from effects of a fire where it was relied on for SSD. In addition, the licensee's
corrective actions for a previous violation were inadequate. Because the licensee
entered the finding into the corrective action program as AR 80214, this item is being
treated as an NCV in accordance with Section VI.A.1 of the NRC's Enforcement Policy.
This item is identified as NCV 50-400/02-11-06, Fire SSD Operator Actions With
Excessive Challenges.
(3) Too Many SSD Actions for Operators to Perform
Introduction
The team identified an NCV of TS 6.8.1 and OLC 2.F for an inadequate procedure for
SSD from a fire and for inadequate corrective action. For a fire in certain SSA areas of
the RAB, including the new ACP fire area, there too many SSD procedure contingency
actions to respond to potential spurious actuations for the one available SSD NLO to
perform them all. Consequently, equipment that was relied on for SSD may not be
available. The licensee had added some of these procedure steps as part of the
corrective action for violation 50-400/02-08-01.
Descrintion
The team found that for each fire SSA area inspected, AOP-036 required operators to
complete a relatively large number of manual actions outside the main control room. The
team determined that the normal shift operating crew included four NLOs; three were
assigned to the fire brigade and one was assigned to be the SSD NLO. The local
manual operator actions required to achieve and maintain hot shutdown for each of the
fire areas inspected are listed in Attachment 1 to this report. The most demanding fire
areas were fire area 1-A-ACP, which included about 55 such actions, and fire area 1-A-
BAL-B, which included about 39 such actions.
Also, since the SSA did not ensure that offsite power would not be lost due to a fire in
any of the SSA areas inspected, operators were expected to be able to respond to a loss
of offsite power (LOOP) and reactor trip while performing the fire SSD actions. The team
noted that a LOOP or reactor trip could place even more demands on the one NLO who
was not fighting the fire.
The team found that while most of the manual actions in these SSA areas involved one-
time actions (like opening a breaker), others could require the NLO to monitor plant
conditions and make system adjustments over an extended period of time. The manual
actions which could require dedicated NLO attention, and thus possibly detract from the
successful and timely performance of subsequent required local manual operator
actions, included the following:
In Section 3.0 of AOP-036, which was to be performed for a fire in any of the SSA
areas inspected, Step 13.b(3) required the NLO to establish continuous
communications with the MCR, locally shut 1CS-228 to isolate the normal
charging flow control valve (FCV) and then to locally control charging flow by
throttling the bypass valve,1 CS-227. Both valves were in close proximity and
located in the scalloped area of the 248-ft level in the RAB. This area was
16
located in the radiation-controlled area (RCA) and radiation levels at these valves
were elevated but within 10 CFR 20 limits. A sound powered phone with a long
extension cord was located in the area to allow the NLO to wait in low dose areas
between valve manipulations if the NLO's radio was not functional. However,
local manual operator actions subsequent to this step could be adversely
impacted [e.g., Section 3.0, Step 14.b for locally responding to a failed open
steam generator power operated relief valve (PORV)].
In Attachment 1 of AOP-036, Step 13.c for fire area 1-A-ACP required the NLO to
locally operate a PORV on the C steam generator, to obtain and maintain the
desired RCS temperature. Because the unit would likely not be at steady state
when this action was undertaken, and because a fire in this area may complicate
operator efforts to stabilize the plant, the NLO who undertakes this action may be
required to monitor RCS temperature and make appropriate adjustments to the
PORV position almost continuously and for some time, until the plant is
reasonably stable.
In Attachment 1 of AOP-036, Step 14.b for fire area 1-A-ACP required the NLO to
throttle lAF-149 to maintain level in the C steam generator. For the same
reasons as described above, the NLO who undertakes this action may be
required to continue to monitor steam-generator level and make appropriate
adjustments to the position of 1AF-149 almost continuously and for some time,
until the plant is reasonably stable.
The team found that some of the required manual actions would be completed inside the
RCA, while others would be completed outside the RCA. The team also observed that
completing the manual actions in AOP-036, in the order in which they are described in
that procedure, would require the SSD NLO to enter and exit the RCA several times.
The team noted that:
- some manual actions involved valves identified as potentially contaminated or
located in contamination areas,
- radioactive radon gas can become associated with anyone who passes through
the RCA,
- hand or foot contamination as well as radon gas can cause a portal monitor to
alarm, and
- anyone who is in a portal monitor when it alarms must wait at the exit point for
health physics (HP) technicians to complete a detailed survey to determine the
true cause of the alarm, before proceeding.
The team noted that the licensee had no emergency dosimeters or rapid ingress/egress
procedures in place for use during plant emergency situations. The team therefore
considered that every time the SSD NLO exited the RCA, that NLO may experience a
portal-monitor alarm, and may therefore be forced to wait for HP technicians to arrive at
the exit and complete a detailed survey before proceeding. The team received a portal
monitor alarm on many occasions during this inspection. Operators stated that, if they
17
received such an alarm during a fire, they would wait for an HP technician before
proceeding to perform SSD actions.
The team considered that the manual actions in AOP-036 could not reasonably be
completed by the available staff, because:
- the SSD NLO may be required to complete as many as 55 manual actions,
- several manual actions require dedicated operator attention,
- some of the manual actions could require a considerable amount of time to
complete,
- some manual actions could be delayed by RCA portal-monitor alarms, and
- only one NLO would have been available to complete all safe-shutdown manual
actions.
The team concluded that the SSD NLO may not be able to accomplish some required
manual actions in a timely manner. Consequently, some equipment relied on for SSD
may not be available. For example, the SSD NLO may not be able to respond to a failed
open steam generator PORV, locally throttle a sxteam generator PORV, or throttle AFW.
The team therefore considered AOP-36 to be inadequate.
Analysis
This finding had more than minor significance because it affected the Mitigating Systems
objectives of the Reactor Safety Cornerstone. The finding affected the availability and
reliability of systems that mitigate initiating events to prevent undesirable consequences.
However, the finding was of very low safety significance because of the low fire initiation
frequency, automatic sprinklers, fire brigade, and remaining SSD equipment to limit the
effects of a fire and to shut down the nuclear reactor. Therefore, this finding is
characterized as Green.
Enforcement
As described in Section 1R05.03.b.1 above, OLC 2.F required that equipment relied
upon for SSD be physically protected from the fire. Also, TS 6.8.1 required procedures
for implementing the fire protection program and for combating fires. In addition, OLC
2.F and the UFSAR, Section 9.5.1, FPP, included quality assurance requirements for fire
protection. The FPP stated that a QA program was being used to identify and rectify any
possible deficiencies in design, construction, and operation of the fire protection systems.
Contrary to the above requirements, the licensee failed to protect various equipment from
the effects of a fire where that equipment was relied on for SSD. In addition, the
licensee's corrective actions for a previous violation were inadequate. Because the
licensee entered the finding into the corrective action program as AR AR 80215, this item
is being treated as an NCV in accordance with Section VL.A.1 of the NRC's Enforcement
Policy. This item is identified as NCV 50-400/02-11-07, Too Many SSD Actions for
18
Operators to Perform
(4) Using the BAT Without Level Indication
Introduction
The team identified an NCV of TS 6.8.1 was identified for an inadequate procedure for
SSD from a fire. For a fire in SSA area 1-A-BAL-B, the SSD procedure directed
operators to take CSIP suction from the BAT even if BAT level indication were lost.
However, the charging volume needed for RCS cooldown would have emptied the BAT
and damaged the SSD CSIP.
Description
The team found that, for a fire in SSA area 1-A-BAL-B-B2 or -B3, near the BAT, AOP-36
directed operators to use the BAT as a suction source for the CSIPs even if the BAT
level indication was lost due to the fire. This alignment was to be used in preparation for
and during a cooldown of the RCS. However, the team analyzed that the charging
volume needed for RCS cooldown would have emptied the BAT and damaged the SSD
CSIP.
The SSA stated that, if BAT level indication was lost due to a fire, then the RWST was to
be used as a suction source for the CSIPs. However, this analysis was not implemented
in AOP-36. AOP-36 was inadequate because it failed to recognize that the charging
volume needed for RCS cooldown would have emptied the BAT and damaged the SSD
CSIP.
Analysis
This finding had more than minor significance because it affected the Mitigating Systems
objectives of the Reactor Safety Cornerstone. The finding affected the availability and
reliability of systems that mitigate initiating events to prevent undesirable consequences.
However, the finding was of very low safety significance because of the low fire initiation
frequency, automatic sprinklers, fire brigade, and remaining SSD equipment to limit the
effects of a fire and to shut down the nuclear reactor. Therefore, this finding is
characterized as Green.
Enforcement
As described in Section 1R05.03.b.1 above, OLC 2.F required that equipment relied
upon for SSD be physically protected from the fire. Also, TS 6.8.1 required procedures
for implementing the fire protection program and for combating fires.
Contrary to the above requirements, the licensee failed to protect the BAT level indication
from effects of a fire where it was relied on for SSD, and the AOP-36 reliance on using
the BAT without level indication was inadequate. Because the licensee entered the
finding into the corrective action program as AR 75065, this item is being treated as an
NCV in accordance with Section VI.A.1 of the NRC's Enforcement Policy. This item is
identified as NCV 50-400/02-11-08, Using the BAT Without Level Indication.
19
.05 Emergency Communications
a. Inspection Scope
The team reviewed the adequacy of the communication systems relied upon to
coordinate the shutdown of the unit and fire brigade duties, including the site paging
(PA), portable radio, and sound-powered phone systems. The team reviewed the
licensee's portable radio channel features to assess whether the system and its
repeaters were protected from exposure fire damage. During walkdowns of sections of
the post-fire SSD procedure, the team checked if adequate communications equipment
would be available for the personnel performing the procedure. The team also reviewed
the periodic testing of the site fire alarm and PA systems; maintenance checklists for the
sound-powered phone circuits and amplifiers; and inventory surveillance of post-fire SSD
operator equipment to assess whether the maintenance/surveillance test program for the
communications systems was sufficient to verify proper operation of the systems.
b. Findings
No findings of significance were identified.
a. Inspection Scope
The team reviewed the design and operation of the direct current (DC) emergency
lighting system self-contained, battery powered emergency lighting units (ELUs) as
described in UFSAR Sections 9.5.1 .2.2.e and 9.5.3. During plant walk downs of selected
areas where operators performed local manual actions defined in the post-fire SSD
procedure, the team inspected area ELUs for operability and checked the aiming of lamp
heads to determine if adequate illumination was available to correctly and safely perform
the actions required by the procedures. The team inspected emergency lighting features
along access and egress pathways used during SSD activities for adequacy and
personnel safety. The locations and identification numbers on the ELUs were compared
to design drawings to confirm the as-built configuration. The team also checked if these
battery power supplies were rated with at least an 8-hour capacity. In addition, the team
reviewed the manufacturer's information and the licensee's licensee periodic
maintenance tests to verify that the ELUs were properly designed and were being
maintained in an operable manner.
b. Findings
Introduction
A violation of OLC 2.F was identified for failure to provide fixed, self-contained lighting
with individual eight-hour-minimum battery power supplies in areas that must be manned
for safe shutdown.
Description
20
In the SSA areas in which the team walked down safe shutdown manual actions, the
team identified that the locations for local manual operator actions listed in Attachment 2
to this report would not be illuminated by fixed, self-contained lighting with individual
eight-hour-minimum battery power supplies.
The team observed that about 17 of the locations for local manual operator actions had
no emergency lighting, as identified in Attachment 2. The team also observed that many
more locations for local manual operator actions had fluorescent lights, that would be
powered by the safety-related emergency diesel generators, that could provide
emergency illumination. However, these lights did not meet the requirements for lights
with eight-hour batteries. These locations are separately identified in Attachment 2.
Also, the team noted that the licensee had not requested NRC exemptions from the
requirement to provide lights with eight-hour batteries.
The team also observed that all NLOs routinely carried flashlights and had access to
more flashlights that were stored in the auxiliary building. The team assessed that, by
using a flashlight, the SSD NLO would be able to perform the required actions but that
those actions would take more time to perform when relying on illumination by a flashlight
and could be less reliable.
Analysis
This finding had more than minor safety significance because it affected the Mitigating
Systems cornerstone. The finding affected the availability and reliability of systems that
mitigate initiating events to prevent undesirable consequences. However, the finding
was of very low safety significance because of the low fire initiation frequency and the
effectiveness of automatic sprinklers (in all but the ACP fire area), fire brigade, and
remaining SSD equipment to limit the effects of a fire and to shut down the nuclear
reactor. Therefore, this finding is characterized as Green.
Enforcement
OLC 2. F. and UFSAR Section 9.5.1 stated that BTP 9.5-1 was used in the design of the
fire protection program for safety-related systems and equipment and for other plant
areas containing fire hazards that could adversely affect safety-related systems. BTP
9.5-1, Section C.5.g, "Lighting and Communication," paragraph (1), required that fixed
self-contained lighting consisting of fluorescent or sealed-beam units with individual
eight-hour-minimum battery power supplies should be provided in areas that must be
manned for safe shutdown and for access and egress routes to and from all fire areas.
Contrary to the above requirements, the licensee failed to provide fixed self-contained
lighting consisting of fluorescent or sealed-beam units with individual eight-hour-minimum
battery power supplies in the location of the manual actions identified above and listed in
Attachment 3. Because The licensee entered this finding into the corrective action
program as AR 79047, this violation is being treated as an NCV in accordance with
Section VL.A of the NRC's Enforcement Policy. This item is identified as NCV 50-400/02-
11-09, Failure to Provide Required Emergency Lighting for SSD Operator Actions.
21
.07 Cold Shutdown Repairs
a. Inspection Scope
The team reviewed existing procedures and examined plant equipment to establish that
the licensee had dedicated repair procedures, equipment, and materials to accomplish
repairs of damaged components required for cold shutdown, that these components
could be made operable, and that cold shutdown could be achieved within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />. The
team examined cold shutdown repair equipment and replacement electrical power and
control cables for systems needed to take the plant to cold shutdown following a large
fire. The team evaluated the estimated manpower and the time required to perform post-
fire repairs for reasonableness.
b. Findings
No findings of significance were identified.
.08 Fire Barriers and Fire Area/Zone/Room Penetration Seals
a. Inspection Scope
The team walked down the selected fire zones/areas to evaluate the adequacy of the fire
resistance of barrier enclosure walls, ceilings, floors, and cable protection. This
evaluation also included fire barrier penetration seals, fire doors, fire dampers, cable tray
fire stops, and fire barrier partitions to ensure that at least one train of SSD equipment
would be maintained free of fire damage from a single fire. The team observed the
material condition and configuration of the installed fire barrier features and also
reviewed construction details and supporting fire endurance tests for the installed fire
barrier features. The team compared the observed fire barrier penetration seal
configurations to the design drawings and tested configurations. The team also
compared the penetration seal ratings with the ratings of the barriers in which they were
installed. In addition, the team reviewed licensing documentation, engineering
evaluations of Generic Letter 86-10 fire barrier features, and NFPA code deviations to
verify that the fire barrier installations met design requirements and license commitments.
b. Findings
No findings of significance were identified.
.09 Fire Protection Systems, Features, and Equipment
a. Inspection Scone
The team reviewed flow diagrams, electrical schematic diagrams, periodic test
procedures, engineering technical evaluations for NFPA code deviations, operational
valve lineup procedures, and cable routing data for the power and control circuits of the
motor-driven fire pump, the diesel-driven fire pump, and the fire protection water supply
system yard mains. The review evaluated whether the common fire protection water
delivery and supply components could be damaged or inhibited by fire-induced failures of
22
electrical power supplies or control circuits and subsequent possible loss of fire water
supply to the plant. Additionally, team members walked down the fire protection water
supply system in selected fire areas to assess the adequacy of the system material
condition, consistency of the as-built configuration with engineering drawings, and
operability of the system in accordance with applicable administrative procedures and
NFPA standards.
The team examined the adequacy of installed fire protection features in accordance with
the fire area and system spatial separation and design requirements in BTP CMEB 9.5-1.
The team walked down accessible portions of the fire detection and alarm systems in
the selected fire areas to evaluate the engineering design and operation of the installed
configurations. The team also reviewed engineering drawings for fire detector spacing
and locations in the four selected fire areas for consistency with the licensee's fire
protection plan and the requirements in NFPA 72E.
The team also walked down the selected fire zones/areas with automatic sprinkler
suppression systems installed to assure proper type, placement and spacing of the
heads/nozzles and the lack of obstructions. The team examined vendor information,
engineering evaluations for NFPA code deviations, and design calculations to verify that
the required suppression system density for each protected area was available.
The team reviewed the adequacy of the design, installation and operation of the manual
suppression standpipe and fire hose system for the selected fire areas. The team
examined design calculations and evaluations to verify that the required fire hose water
flow and sprinkler system density for each protected area were available. The team
checked a sample of manual fire hose lengths to determine whether they would reach
the SSD equipment. Additionally, the team observed placement of the fire hoses and
extinguishers to assess consistency with the fire fighting pre-plan drawings.
b. Findings
No findings of significance were identified.
.10 Compensatory Measures
a. Inspection Scope
The team reviewed the licensee's Fire Protection System Engineering Status Reviews
which identified each fire protection system's performance problems and regulatory
issues. The team also reviewed the Fire Protection Out of Service Log generated for the
last 18 months and associated compensatory measures. The review was performed to
verify that the risk associated with removing fire protection and/or post-fire systems or
components was properly assessed and adequate compensatory measures were
implemented in accordance with the approved fire protection program.
b. Findings
No findings of significance were identified.
23
4. OTHER ACTIVITIES (OA)
40A2 Identification and Resolution of Problems
a. Inspection Scone
The team reviewed the corrective action program procedures and a selected sample of
condition reports associated with the Harris FPP to verify that the licensee had an
appropriate threshold for identifying issues. The team also reviewed licensee audits and
assessments of fire protection and safe shutdown. The team evaluated the
effectiveness of the corrective actions for the identified issues.
b. Findings
The team found that licensee corrective actions for violation 50-400/02-08-01 regarding
an inadequate fire barrier wall were inadequate, in that the licensee's corrective actions
for that violation contributed to three of the findings described above. However, because
the net effect of corrective actions completed to date have significantly reduced the
overall risk related to the finding, violation 50-400/02-08-01 is being closed at this time.
The team also found that licensee audits and self-assessments in the area of SSD were
weak. The audits and self-assessments had not identified the types of findings that this
inspection found. Contributing factors included a lack of attention to detail; for example,
not tracing cable routings or walking down operator actions as was done in this
inspection. In addition, the CP&L corporate Nuclear Assessment Section (NAS) audits of
fire protection at Shearon Harris did not look at SSD. A Peer Report included in the
November 2000 NAS audit of Shearon Harris fire protection stated: "Harris NAS Fire
Protection Program Audits of recent past have not included fire events safe shutdown
within the scope of the audits due to a reliance on engineering self-assessments. It is
the opinion of the auditor that the scope of future Harris NAS Fire Protection
assessments should include fire events safe'shutdown related documentation and
activities." However, the team noted that subsequent NAS audits of Harris fire
protection did not audit SSD.
The team noted that the licensee's initial corrective actions to the findings described in
this report were timely and responsive. The licensee revised SSD procedures three
times during the inspection, made a 10 CFR 50.72 report to the NRC, and stationed an
additional SSD NLO.
40A6 Meetings
Exit Meeting Summary
The team presented the inspection results to you and members of your staff at the
conclusion of the inspection on December 20, 2002. You acknowledged the findings
presented. Proprietary information is not included in this inspection report.
SUPPLEMENTAL INFORMATION
24
Partial List of Persons Contacted
Licensee
D. Baksa, Supervisor, Equipment Perfromance
J. Caves, Licensing Supervisor
R. Duncan, Director of Site Operations
M. Fletcher, Manager, Fire Protection Program
P. Fulford, Superintendent, Design Engineering
C. Georgeson, Supervisor, EI&C Design
W. Gregory, Operations Fire Protection Specialist
W. Gurganion, Manager, NAS
T. Hobbs, Manager, Operations
A. Khanpour, Manager, Engineering
F. Lane, Jr., Senior Nuclear Work Management Specialist
J. Laque, Manager, Maintenance
T. Morton, Site Services Manager
J. Scarola, Site Vice President
B. Waldrep, Plant General Manager
NRC
J. Brady, Senior Resident Inspector, Shearon Harris
H. Christensen, Deputy Director, Division of Reactor Safety (DRS), Region II (RII)
C. Ogle, Chief, Engineering Branch 1, DRS, Ril
Items Opened, Closed, and Discussed
ODened
50-400/02-11-01 NCV Failure to Protect Charging System MOV 1CS-1 65, VCT
Outlet to CSIPs, From Maloperation Due To a Fire (Section
1R05.03.b.1)
50-400/02-11-02 NCV Failure to Protect Component Cooling MOVs 1CC-251 and
1CC-208, CC for RCP Seals, From Maloperation Due To a
Fire (Section 1R05.03.b.2)
50-400/02-11-03 NCV Failure to Protect Charging System MOVs 1CS-169, 1CS-
214, 1CS-218, and 1CS-219 From Maloperation Due To a
Fire (Section 1R05.03.b.3)
50-400/02-11-04 NCV Failure to Protect Charging System MOVs 1CS-1 66, 1CS-
168, and 1CS-217 From Maloperation Due To a Fire
(Section 1R05.03.b.4)
50-400/02-11-05 URI Reliance on Manual Actions in Place of Required Physical
Separation or Protection From a Fire (Section 1R05.04.b.1)
25
50-400/02-11-06 NCV Fire SSD Operator Actions With Excessive Challenges
(Section 1R05.04.b.2)
50-400/02-11-07 NCV Too Many Fire SSD Actions for Operators to Perform
(Section 1R05.04.b.3)
50-400/02-11-08 NCV Using the Boric Acid Tank Without Level Indication (Section
1R05.04.b.4)
50-400/02-11-09 NCV Failure to Provide Required Emergency Lighting for SSD
Operator Actions (Section 1R05.06.b)
Closed
50-400/02-08-01 VIO Failure to Implement and Maintain NRC Approved Fire
Protection Program Safe Shutdown System Separation
Requirements (Section 40A2.b)
Discussed
None
26