ML040280188

Letter to Mullikin, NRC from Sullivan, Brookhaven National Laboratory, Re Triennial Fire Protection Baseline Inspection, Fort Calhoun Nuclear Station, IR 05000285-03-002
ML040280188
Person / Time
Site: Fort Calhoun Omaha Public Power District
Issue date: 01/07/2003
From: Sullivan K
Brookhaven National Lab (BNL)
To: Mullikin R
NRC Region 4
References
FOIA/PA-2003-0358, Job Code J-2843 IR-03-002


Text


Energy Sciences and Technology Department
BROOKHAVEN NATIONAL LABORATORY

January 7, 2003

Mr. R. Mullikin
U.S. Nuclear Regulatory Commission, Region IV

.D Box QBbOi Upton, NY 1173I 00a-.

Phonp 631 S447S9615 Fax 631 S44-5569=-

Managed by Brookhaven Science Associates for the U.S. Department of Energy
www.bnl.gov

611 Ryan Plaza Drive, Suite 400
Arlington, Texas

Reference:

Triennial Fire Protection Baseline Inspection, Fort Calhoun Nuclear Station.

Inspection Report No.: 50-285/2003-002

Dear Mr. Mullikin:

The enclosed technical letter report (TLR) describes the results of my activities during the Triennial Fire Protection Baseline Inspection performed at the Fort Calhoun Nuclear Station (FCNS) during the period of December 16 - 20, 2002. Per your request, my evaluation focused on a review of the post-fire safe shutdown capability of selected fire areas of FCNS for compliance with the requirements of Section III.G.2 of Appendix R to 10 CFR 50.

It was a pleasure to work with you and other members of the inspection team. Please do not hesitate to contact me at 631-344-7915 if you have any additional questions or comments.

Sincerely,

Kenneth Sullivan
Nuclear & Infrastructure System Division

cc:

D. Diamond (w/o Enc.)

J. Higgins

W. Horak (w/o Enc.)

D. Norkin, (NRC)

BROOKHAVEN NATIONAL LABORATORY
Energy Sciences & Technology Department

Report Input to U.S. Nuclear Regulatory Commission Region IV
Triennial Fire Protection Baseline Inspection of Fort Calhoun Nuclear Station
(JCN: J-2843 Task Order 10)

Facility: Fort Calhoun Nuclear Station (FCNS)

NRC Inspection Report No.: 50-285/2003-002

Inspection Conducted: December 16 - 20, 2002

NRC Inspectors: R. Mullikin, RIV/DRS (Team Leader); R. Nease, RIV/DRS; L. Willoughby, NRC Resident Inspector, FCNS

BNL Technical Specialist: K. Sullivan

Introduction

From a review of the licensee's fire protection program documentation, including its IPEEE, Safe Shutdown Analysis, and Fire Hazards Analysis, and from a walk-down of the facility, the inspection team determined that a fire in the following fire areas would pose a greater risk to plant safety when compared to the risk of fire in other plant locations identified by the licensee as meeting the requirements of Section III.G.2 of Appendix R to 10 CFR 50 (i.e., areas not requiring implementation of an alternative shutdown capability from outside the main control room such as the main control room or cable spreading room):

1. Fire Area 6 Auxiliary Building Basement Level
2. Fire Area 36A East Switchgear Area
3. Fire Area 46 Turbine Building

As a result, the above areas were selected for detailed review by the inspection team. While each of these areas was reviewed by the team, the BNL technical specialist primarily focused on the licensee's ability to achieve and maintain hot shutdown conditions in the event of fire in Fire Areas 6 and 36A. In addition to their fire risk significance, these areas were selected because they contained cables needed to assure the operation of redundant trains of equipment and systems required to achieve and maintain hot shutdown conditions. Further, preliminary review of plant documentation and in-plant walk-downs indicated that redundant trains of cables may be susceptible to damage as a result of fire in these locations (i.e., cables of redundant shutdown equipment did not appear to be provided with fire protection features sufficient to satisfy Section III.G.2 of Appendix R to 10 CFR 50).

1. Systems Required to Achieve and Maintain Post-Fire Safe Shutdown

a. Inspection Scope

For the selected fire areas, the inspection team reviewed the licensee's post-fire safe shutdown analysis (SSA) to determine if systems and components needed to achieve and maintain safe shutdown conditions in each of the selected fire areas had been properly identified.

b. Findings

Requirements

The systems used to achieve post-fire safe shutdown must be capable of achieving the following performance goals:

Reactivity control capable of achieving and maintaining cold shutdown reactivity conditions.

Reactor coolant makeup capable of maintaining water level within the level indication of the pressurizer at all times during shutdown operation.

Process monitoring capable of providing direct readings to perform and control the above two functions.

Supporting functions capable of providing the process cooling, lubrication etc. necessary to permit operation of the equipment used to achieve safe shutdown.

The equipment and systems used to achieve and maintain hot shutdown conditions must be free of fire damage. Additionally, the equipment and systems used to achieve and maintain cold shutdown conditions must be either free of fire damage or the damage must be limited so that repair of the systems necessary to achieve and maintain cold shutdown conditions, from either the control room or emergency control station(s), can be completed within 72 hours.

During post-fire safe shutdown, the reactor coolant system process variables must be maintained within those predicted for a loss of normal AC power, and the fission product boundary integrity must be maintained (i.e. there shall be no damage to the fuel cladding); and the integrity of containment and primary coolant system pressure boundary must be maintained.

The following paragraphs provide a summary of the licensee's approach to meet the above post-fire safe shutdown performance goals, as referenced in its Appendix R Safe Shutdown Analysis (EA-FC-89-055, Rev. 11, November 30, 2002).

Reactivity Control Function

The reactivity control function is required to maintain the reactor core in sub-critical conditions (Keff < 0.99) from reactor trip through cold shutdown. This requires compensating for any positive reactivity increases due to Xenon decay, Reactor Coolant System (RCS) cooldown, or any boron dilution in the RCS. Initial reactivity control will be provided by automatic or manual reactor trip using the control rod system. Additional boration necessary to assure adequate reactivity shutdown margin during cooldown and subsequent xenon decay will be provided by supplying boric acid from the boric acid storage tanks (BAST) to the charging pumps via a gravity feed line. Injection of borated water into the RCS by the charging pumps compensates for reactivity increases due to Xenon decay and RCS temperature decreases.

Reactor Coolant System Inventory Control

Reactor coolant system (RCS) inventory makeup is required to compensate for shrinkage of primary reactor coolant volume during cooldown and any RCS fluid losses. In the event of fire in Fire Area 6, the licensee credits the availability of a single train of the Chemical and Volume Control System (CVCS). Specifically, for a fire in this area the licensee's Safe Shutdown Analysis (SSA) credits Charging Pump 1C, drawing suction from either the boric acid storage tanks or the Safety Injection and Refueling Water Storage Tank (SIRWT), for accomplishing the RCS inventory control function. During normal plant operations, any one of the three available positive-displacement charging pumps would be running with its suction aligned to the Volume Control Tank (VCT). However, since the VCT inventory is not sufficient to provide makeup to compensate for primary system contraction due to cooldown, for post-fire safe shutdown, the charging pump suction must be aligned to either the BAST or the SIRWT.

Reactor Coolant System Pressure Control

The auxiliary spray system, pressurizer PORVs, pressurizer heaters and pressurizer safeties are credited for accomplishing the Reactor Coolant System (RCS) pressure control function. RCS depressurization will be accomplished using the auxiliary pressurizer spray system or the pressurizer PORVs. The pressurizer code safeties are available to provide over pressure protection of the pressurizer and RCS. RCS pressurization may be accomplished by the pressurizer heaters. Two of the heater banks (P1 and P2) are credited in the licensee's analysis.

Decay Heat Removal and Secondary Side Pressure and Level Control

Following a reactor scram, decay heat will be removed from the reactor via the steam generators by natural circulation cooldown. The natural circulation capability of the RCS provides a means of decay and sensible heat removal when the reactor coolant pumps are not running. During natural circulation, adequate primary to secondary heat transfer, RCS subcooling, and make-up inventory must be maintained. The Auxiliary Feedwater (AFW) system is required to control steam generator inventory discharged as steam via manual operation of the main steam relief valves (MS-291 and MS-292). The licensee credits manual operation of these valves to allow plant cooldown to 300° F. For cooldown below 300° F the RCS is placed on shutdown cooling. The AFW system consists of one motor-driven pump and one turbine-driven pump. The Emergency Feedwater Storage Tank (EFWST) serves as the initial source of secondary water to the EFW system. The Raw Water (RW) system serves as a backup source of water to the EFWST.

Process Monitoring

The following process monitoring instrumentation is available:

  • Source Range Flux
  • Pressurizer Pressure and Level

These instruments provide the minimum process monitoring capability required to achieve and maintain the reactor coolant makeup, pressure control, and decay heat removal functions.

Additionally, the process monitoring instrumentation supports monitoring of natural circulation conditions, core reactivity and RCS sub-cooling margin.

Essential Support Systems

The systems and equipment used to achieve the safe shutdown functions require miscellaneous supporting functions, such as ac/dc power, lubrication, HVAC, and process cooling. The support systems are required to maintain acceptable performance of the safe shutdown components. The required safe shutdown support systems include:

  • Electrical power distribution system
  • Raw water system
  • Various plant HVAC systems
  • Emergency Lighting
  • Communications systems

Cold Shutdown

The reactor coolant system temperature and pressure will be reduced by natural circulation cooldown using the main steam relief valves described above. Once the RCS temperature has been reduced to less than 300° F and RCS pressure has been reduced to less than 250 psia, the Shutdown Cooling (SDC) System is initiated. During cold shutdown the SDC system uses one of the two low-pressure safety-injection (LPSI) pumps to circulate reactor coolant through the tube side of one of the two available SDC heat exchangers, and back to the RCS. In lieu of the Component Cooling System, the licensee credits the Raw Water system to provide cooling to the shell side of the heat exchangers. The SDC system will be used to reduce RCS temperature and maintain cold shutdown.

c. Conclusions

The licensee appears to have properly identified the systems needed to achieve and maintain safe shutdown conditions in the event of fire. No findings of risk significance were identified.

2. Fire Protection of Safe Shutdown Systems (Reviewed by other inspection team members)

3. Post-fire Safe Shutdown Capability

a. Inspection Scope

On a sample basis, an evaluation was performed to verify that systems and equipment identified in the licensee's SSA as being required to achieve and maintain hot shutdown conditions would remain free of fire damage in the event of fire in Fire Areas 6 and 36A.

These areas were selected because they are risk significant and because they contained cables and/or equipment needed to assure the operation of redundant trains of the CVCS system, which is relied on to accomplish the hot shutdown function of RCS inventory control in the event of fire in either of these areas. The evaluation included a review of cable routing data depicting the location of power and control cables associated with selected CVCS system components. Additionally, on a sample basis, the team also reviewed the licensee's analysis of electrical protective device (e.g., circuit breaker, fuse, relay) coordination and the adequacy of electrical protection provided for non-essential cables which share a common enclosure (e.g., cable tray) with cables of equipment required to achieve and maintain safe shutdown conditions.

b. Findings

Overall Approach

10 CFR 50.48, "Fire Protection," and Appendix R to 10 CFR 50, "Fire Protection Program for Nuclear Power Facilities Operating Prior to January 1, 1979" establish specific fire protection features required to satisfy General Design Criterion 3, "Fire Protection" (GDC 3, Appendix A to 10 CFR 50). Section III.G of Appendix R requires fire protection features be provided for equipment important to safe shutdown. An acceptable level of fire protection may be achieved by various combinations of fire protection features (barriers, fire suppression systems, fire detectors, and spatial separation of safety trains) delineated in Section III.G.2.

For areas of the plant where compliance with the technical requirements of Section III.G.2 can not be achieved, licensees must either seek an exemption from the specific requirement(s) or provide an alternative shutdown capability in accordance with Sections III.G.3 and III.L of the regulation.

The results of the licensee's analysis for compliance with Section III.G of Appendix R (safe shutdown analysis or SSA) are documented in Engineering Analysis EA-FC-89-055, "10 CFR 50 Appendix R Safe Shutdown Analysis." Revision 11 of this document, dated November 30, 2002, was provided for review by the inspection team. The overall approach of this analysis is to determine the fire-induced losses for a fire in each fire area and then assess the plant impact given those losses. Since the potential for fire to cause a loss of offsite power had not been specifically evaluated, the SSA assumes (Section 4.2) that offsite power may or may not be available. Consistent with the requirements of Appendix R, the analysis assumes that all cables located in a fire area are lost during a fire. In Section 6.4.2 the SSA states that if a component has a cable in the fire area under consideration, the component was considered to be lost or was considered to operate in a manner opposite to its required function for safe shutdown (i.e., mal-operate or spuriously actuate). For example, if a control cable of a motor-operated valve was found to be susceptible to fire damage, the analyst assumed that the cable damage would cause the valve to fail or mal-operate in an undesired manner for safe shutdown. In addition, Section 6.4.2 of the SSA further states that all components which are lost due to fire are considered to spuriously actuate. This approach eliminates the need to perform detailed circuit failure analyses to determine the specific effects fire-induced circuit faults (hot-shorts, open circuits, and shorts to ground) may have on equipment availability/performance.

The interrelation between various systems required to achieve and maintain safe shutdown has been depicted on safe shutdown logic diagrams (SLDs) developed as part of the licensee's SSA.

For each of the selected fire areas, the licensee provided the inspection team with color-coded versions of these drawings. For each fire area, the color-coded SLDs graphically illustrate the primary equipment (e.g., flowpath pumps and valves) that may be impacted / damaged as a result of fire, as well as the primary equipment that will be relied on to accomplish each of the required shutdown functions (reactivity control, RCS inventory control, decay heat removal, etc.). It should be noted that the SLDs only depict the "front-line" or "primary" components of each required shutdown system. Secondary components, such as relays, instrumentation and automatic actuation interlock circuits that could impact the operation of these primary components are not depicted on the SLDs. The impact of fire damage to cables associated with these secondary components was evaluated as part of a separate supporting calculation, EA-FC-97-044, "10 CFR 50 Appendix R Cable Identification."

With regard to criteria governing the separation of redundant trains of shutdown cables, Section 6.4.1 of the SSA states that in order for cables of redundant shutdown equipment to be available during a fire, at least one of the following criteria must be met:

  • the redundant equipment cables must be located in a different fire area
  • there must be a minimum of twenty-feet of horizontal separation between redundant equipment cables with no intervening combustibles with suppression and detection
  • have an exemption which documents the configuration as being acceptable
  • protected by a 1-hour barrier (in conjunction with an automatic suppression and detection system) or 3-hour rated barrier.

The above criteria appear to be consistent with the requirements of Section III.G.2 of Appendix R.

General Finding Relative to Manual Operator Actions

As described in the following paragraphs, the shutdown strategies developed by the licensee for Fire Areas 6 and 36A were found to rely on the use of manual operator actions as a means of recovering from the effects of fire damage to cables of redundant trains of equipment required to achieve and maintain hot shutdown conditions. In Section 6.4.2 of the SSA the licensee provides a justification of its approach by stating that the use of manual operator recovery actions is consistent with NRC guidance provided in an internal NRC Memorandum from P Mattson to R. Vollmer dated July 2, 1982, which states:

"Section III.G.1 of Appendix R states that one train of systems needed for hot shutdown must be free of fire damage. Thus, one train of systems needed for hot shutdown must be operable during and following a fire. Operability of the hot shutdown systems, including the ability to overcome a fire or fire suppressant-induced maloperation of hot shutdown equipment and the plant's power distribution system, must exist without repairs. Manual operation of valves, switches and circuit breakers is allowed to operate equipment and isolate systems and is not considered a repair. However, the removal of fuses for isolation is not permitted. All manual operations must be achievable prior to the fire or fire suppressant induced maloperations reaching an unrecoverable plant condition."

A clarification of the staff position described in this internal memorandum was provided to industry in a letter from J. Hannon (NRR) to A. Marion (Nuclear Energy Institute) dated May 16, 2002, which states:

"The context of the internal memorandum was to define a repair as compared to approving manual actions. The regulation specifically requires that if in a fire area where redundant safe shutdown trains are both present, and a maloperation on one of the redundant trains could occur, the cables must be protected using the separation requirements of Section III.G.2 of Appendix R to 10 CFR Part 50.

Manual actions are not an accepted means of meeting III.G.2 criteria for circuits that could prevent operation or cause maloperation. Note that Section III.G.2 specifically addresses the case in which redundant safe shutdown trains are in the same fire area. Section III.G.1 of Appendix R, is discussed in the above guidance, and requires that one train of equipment must remain free of fire damage in the control room or emergency control station(s). This may occur if a postulated fire could damage or cause maloperation of only one of the redundant trains of equipment or cables in a fire area and the other train, cables, and equipment, remain unaffected by the fire and are located in different fire areas. Automatic functions were not required to be protected. The manual actions discussed in this memorandum allow operators to manually start pumps and operate valves in the control room. Thus, in this case, manual actions are allowed to accomplish shutdown using the unaffected train. Additionally, manual actions are acceptable to meet the Alternative Shutdown (ASD) requirements of Section III.G.3 of Appendix R to 10 CFR Part 50."

In addition, with regard to the generic use of manual actions to achieve safe shutdown for fire events, this letter (Hannon, May 16, 2002) further states:

The NRC and NEI differ in their perspectives regarding the generic use of manual actions to satisfy the requirements of Section III.G.2 of Appendix R to 10 CFR Part 50.

Section III.G.2 states "Except as provided for in paragraph G.3 of this section, where cables or equipment, including associated non-safety circuits that could prevent operation or cause maloperation due to hot shorts, open circuits, or shorts to ground, of redundant trains of systems necessary to achieve and maintain hot shutdown conditions are located within the same fire area outside of primary containment, one of the following means of ensuring that one of the redundant trains is free of fire damage shall be provided:

a. Separation of cables and equipment and associated non-safety circuits of redundant trains by a fire barrier having a 3-hour rating. Structural steel forming a part of or supporting such fire barriers shall be protected to provide fire resistance equivalent to that required of the barrier;

b. Separation of cables and equipment and associated non-safety circuits of redundant trains by a horizontal distance of more than 20 feet with no intervening combustible or fire hazards. In addition, fire detectors and an automatic fire suppression system shall be installed in the fire area; or

c. Enclosure of cable and equipment and associated non-safety circuits of one redundant train in a fire barrier having a 1-hour rating. In addition, fire detectors and an automatic fire suppression system shall be installed in the fire area."

Manual action to respond to a maloperation is not listed as an acceptable method for satisfying this requirement. Therefore, the use of manual actions for complying with Section III.G.2 requires staff approval by issuance of an exemption prior to implementation. The Commission contemplated the difficulty associated with meeting such specific protection requirements in Section III.G.2, and provided an alternative method in Section III.G.3, which permits the use of manual actions under certain conditions (described in Section III.L).

In response to the inspection team's concerns, licensee representatives stated that just prior to the inspection (December 2, 2002) they had initiated a Condition Report (CR) to resolve these issues (CR No. 200204129). Actions to be taken under this CR include an in-depth review of operator actions including timing, resource requirements, operator knowledge/training, and feasibility. In addition, the licensee plans on developing an operational guide (procedure) that addresses manual actions.

1. Fire Area 6

The licensee's SSA states that operation of one of three positive displacement charging pumps (CH-1A, CH-1B or CH-1C) is sufficient to achieve and maintain hot shutdown conditions in the reactor. Since control cables associated with pump CH-1A (cable nos.: EA3637 and EA3639) and control cables associated with pump CH-1B (cable nos.: EB3640 and EB3642) are located in this area, the operation of pumps CH-1A and CH-1B may be impacted by fire. As a result, the SSA credits the use of Charging Pump 1-C (CH-1C) for accomplishing the hot shutdown function of RCS inventory control.

From a review of the licensee's SSA and supporting calculations, including cable routing information contained in calculation EA-FC-97-044, "10 CFR 50 Appendix R Cable Identification," the inspection team determined that the credited method of accomplishing the hot shutdown function of RCS Makeup Capability (CVCS system) may be vulnerable to loss as a result of fire in this area. Specific scenarios identified by the team include:

1.1 Gas Binding of Charging Pump

The three charging pumps share a common suction path from the Volume Control Tank (VCT).

During normal plant operations only one of the three pumps will be operating, drawing suction from the VCT through a normally open, motor-operated valve (LCV 218-2). Since letdown from the RCS to the VCT is promptly isolated after a reactor trip, there is a potential for the cover gas in the VCT to be drawn into the operating charging pump(s) if LCV 218-2 were to remain open. If this were to occur, the operating charging pump(s) would be lost due to gas binding. This scenario is described in Section 2.300 of the licensee's CVCS System Training Manual as follows: "With LCV-218-2 open and the VCT empty, it is very likely that air/gas binding of the charging pumps will occur. This will result in a loss of charging..." If CH-1C was operating at the time of the fire, failure to promptly close LCV 218-2 could result in a loss of the credited method of accomplishing the RCS makeup shutdown function. Although the design of the CVCS includes automatic protection circuitry that would cause LCV-218-2 to close in response to a low VCT level (approx. 3.2% level in VCT), this circuitry is vulnerable to damage as a result of fire in Fire Area 6 and, therefore, operation of this automatic protection feature can not be credited. Although the licensee states that operators would have approximately 50 minutes to perform manual actions to close the VCT outlet valve (assuming one charging pump is running, and less than 20 minutes if two charging pumps are running), the SSA for this fire area (Section 7.3) states that since manual actions to close this valve (LCV-218-2) may not be possible due to a lack of emergency lighting, manual operation of this valve is not credited in the analysis.

In addition, since LCV-218-2 is normally in the open position and VCT level instrumentation may be unavailable or provide an erratic indication due to fire damage, it is not clear how this condition would be reliably detected by the operators in sufficient time to perform actions needed to prevent gas binding of the pumps.

During the inspection, the potential for gas binding (due to VCT drain down) to lead to pump damage was discussed with licensee representatives on two separate occasions. Since these discussions led to widely differing views (one representative stated gas binding would not damage the pump and another equally qualified individual stated the pump would be permanently damaged very quickly) the inspection team requested an analysis of the impact this event may have on pump operability. Although the licensee did not provide any objective information (calculation, manufacturer data, etc.) to show that the positive displacement pumps would not be damaged as a result of gas-binding, the inspection team proceeded on the assumption that the pumps would not be damaged, and reviewed the operator actions that would be necessary to restore operation of the credited charging pump (CH-1C). From this review, the inspection team concluded that operators would need to bleed/purge air locally at the pumps. This would require operators to traverse the fire affected area (Fire Area 6). The inspection team also noted that although the stated purpose of Station Fire Plan SO-G-28 is "to provide plant operators with a list of safe shutdown equipment which may be damaged/lost on a fire area basis and to identify manual actions which may be taken to restore lost safe shutdown equipment" the potential for fire to cause a loss of charging in Fire Area 6 is not addressed in this document.

1.2 Loss of Suction Path to Charging Pumps

Although the licensee's analysis (FC06355, Rev.9, Section 5.1.14) includes a discussion of the effects that a spurious Safety Injection Actuation Signal (SIAS) may have on shutdown capability, the analysis does not identify the specific areas where a fire could cause a SIAS to be initiated. Therefore, a spurious SIAS should be assumed to occur as a result of fire in this (or any other) area. If a SIAS signal were generated, all three charging pumps would automatically start, the VCT outlet valve would close and the charging pump suction would be aligned to the boric-acid storage tanks (BAST) via (normally closed) gravity feed valves (HCV-258 and HCV-265). However, since cables associated with both HCV-258 and HCV-265 are also subject to damage in this area, the automatic functioning of these valves can not be credited. Under this condition, all three pumps could be subject to damage/loss as a result of a loss of pump suction (pump start without an assured suction path). With regard to its discussion of a spurious safety injection signal, the licensee's analysis (FC06355, Rev.9, Section 5.1.14) states: "For this analysis a Safety Injection Actuation Signal (SIAS) is considered to be the spurious event... The three Charging Pumps share a common suction path from the VCT. Spurious closure of LCV 218-2 (which is located in the suction path) could cause damage to and loss of all three pumps. Therefore, these pumps are susceptible to a single spurious operation of a valve. However, (as documented in EA-FC-89-055) for areas where this valve is lost, the HPSI system is available to maintain RCS inventory."

The impact of fire in Fire Area 6 to the High Pressure Safety Injection (HPSI) system is depicted in a color-coded Appendix R logic diagram developed by the licensee (Appendix R Logic Diagram, Fire Area 6, Figure 4, CAD File: OPFIG4.DGN). Contrary to the statements contained in Section 5.1.14 of FC06355, this diagram does not show a single success path of the HPSI system to be free of fire damage in the event of fire in this area. During the inspection licensee representatives stated that in the event all charging was lost, one of the HPSI success paths, using HPSI Pump SI-2C could be made available through the use of manual operator actions to mitigate the effects of fire damage to HPSI flowpath valves HCV-307, HCV-383-2, and HCV-305 or HCV-304. In addition, as described above, since the potential for fire to cause a loss of charging in Fire Area 6 is not addressed in Station Fire Plan SO-G-28, this procedure does not identify manual actions needed to restore operation of the HPSI system.

Based on the above, the inspection team was not able to conclude that a single success path for accomplishing the hot shutdown function of RCS inventory makeup would remain free of fire damage.

2. Fire Area 36A A fire in this area could also lead to a loss of all charging capability in a manner similar to that described above for Fire Area 6. In the event of fire in this area charging pump CH-IB is credited for shutdown. Charging pumps CH-IA and CH-IC have control circuits routed through this area and are subject to spurious start as a result of fire damage. Therefore, if CH-1B is operating at the time of the fire, a condition could be generated where all three pumps are running with the VCT outlet valve open. If this were to occur the time available for operators to manually isolate the VCT would be significantly reduced to approximately 10 minutes. As for Fire Area 6, the SSA for this fire area (Section 7.20 ) does not credit manual operation of the VCT outlet valve. Should the VCT drain down prior to isolation of the VCT outlet valve all three charging pumps could be lost due to gas binding. In addition, from a review of cable routing information contained in ES-FC-97-044, the inspection team determined that pressurizer back-up heater banks RC4-1, RC4-2, RC4-3 and RC4-4 are subject to spurious operation as a result of fire in this area. Should this occur, there is a potential for the PORV to open in response to the elevated pressure in the pressurizer. If the resilting loss of RCS inventory due to PORV actuation were to occur at a time when all of the credited makeup capability is unavailable (due to gas binding of the charging pumps) a fire in this area could have a significant effect on shutdown capability.

Although an operator would not need to re-enter a fire affected area to perform actions necessary to restore pump operation (e.g., purge the pump) an operator may need to enter this fire area to perform other manual actions. Since this fire area is protected by a total flooding halon system, operator access to the area may be hampered. Although the licensee stated that manual actions should not be needed for at least 1 hour after fire initiation, the licensee could not provide a technical basis (such as a thermal hydraulic time line that defines time available to perform manual operator actions in consideration of worst case fire conditions/scenario) for this assumption.

3. Diagnostic Instrumentation

The licensee's post-fire safe shutdown strategy is "symptom-based" and, therefore, relies heavily on having sufficient instrumentation available to enable operators to properly detect fire-induced mal-operations and implement the actions needed to defeat them in a timely manner.

The success of this approach is largely dependent on the instrumentation being available to ensure prompt detection of any mal-operations that may occur. This type of instrumentation is referred to as "diagnostic instrumentation." As stated in Generic Letter 86-10, "diagnostic instrumentation" is instrumentation needed to assure proper actuation and functioning of safe shutdown equipment and support equipment (e.g., flow rate, pump discharge pressure). The specific diagnostic instrumentation needed depends on the design of the shutdown capability.

From a review of the licensee's documentation (SSA and required equipment list) and discussions with the licensee's staff, it does not appear that "diagnostic instrumentation" needed to assure implementation of the licensee's "symptom-based" shutdown strategy has been fully evaluated for the effects of fire damage. A specific example was identified during the review of the potential for fire to cause a loss of all charging capability due to depletion of the VCT and subsequent gas binding of the operating charging pump(s). Since VCT level instrumentation may not be available or may provide incorrect indications as a result of fire damage in Fire Area 6, operators may not have sufficient information to identify the need to close VCT outlet valve LCV-218-2.

c. Conclusion

Based on the findings described above, the inspector could not conclude that the licensee's strategy for achieving and maintaining post-fire safe shutdown conditions satisfies the criteria of Section III.G of Appendix R to 10 CFR 50.

4. Alternative Shutdown (ASD) Capability (Reviewed by other inspection team members)
5. Operational Implementation of ASD Capability (Reviewed by other inspection team members)
6. Communications for Performance of ASD Capability (Reviewed by other inspection team members)
7. Emergency Lighting for Performance of ASD Capability (Reviewed by other inspection team members)
8. Cold Shutdown Repairs (Reviewed by other inspection team members)
9. Fire Barriers and Fire Area/Zone/Room Penetration Seals (Reviewed by other inspection team members)
10. Fire Protection Systems, Features and Equipment (Reviewed by other inspection team members)
11. Compensatory Measures (Reviewed by other inspection team members)
12. Identification and Resolution of Problems (Reviewed by other inspection team members)

Partial List of Persons Contacted

D. Buell, FCS Fire Protection Program Lead
E. Matzke, Station Licensing
J. Brown, Operations
E. Davis, Mechanical Engineer - Design Engineering
T. Peterson, Electrical Design Engineer

Partial List of Documents Reviewed

EA-FC-89-055, 10CFR50 Appendix R Safe Shutdown Analysis
EA-FC-97-044, 10CFR50 Appendix R Cable Identification
FC06355, 10CFR50 Appendix R Functional Requirements and Component Selection
Drawing Series 0139-00514.000, Appendix R Logic Diagrams, Fire Areas 6, 36A and 46
EA-FC-91-084, Breaker Fuse Coordination Study
EA-FC-89-050, Updated Associated Circuits Analysis
SO-G-28, Station Fire Plan
AOP-6, "Fire Emergency"
System Training Manual
Condition Report No. 200204129, 12/02/02
Letter dated May 16, 2002, From J. Hannon (NRC) to A. Marion (NEI), Subject: Use of Manual Actions to achieve Safe Shutdown for Fire Events