ML050540297
| ML050540297 | |
| Person / Time | |
|---|---|
| Site: | Hatch  |
| Issue date: | 09/29/2003 |
| From: | Casey Smith NRC/RGN-II |
| To: | Ogle C, Payne D NRC/RGN-II |
| References | |
| FOIA/PA-2004-0277, IR-03-006 | |
| Download: ML050540297 (9) | |
Text
Charles R. Oale - SDP Phase 1 anCl Hatch I FV1 minor uuestion worKsneet rage I I C* re R al SO hs n -aclIll' io usinwrsetru
_3 From:
To:
Date:
Subject:
Caswell Smith ; ?I Charles Ogle; Charlie Payne 9/29/03 2:51 PM SDP Phase 1 and Hatch TFPI Minor Question Worksheet Please see the attached. Chuck, I do not know when the licensee discovered this problem. Per GL 91-18, the licensee should have performed a 10 CFR 50.59 Evaluation to assess the compensatory corrective actions Incorporated in the Fire Protection prodedure. This is the objective evidence that would provide us with this Information. I did not review this during the inspection because of time constraints.
1)
FIRE PROTECTION MC 0612 APPENDIX B Minor Questions Worksheet
Reference:
Triennial Fire protection Inspection Plant:
Hatch Nuclear Plant Report No.: IR 50-321, 366/2003-006 Performance Deficiency: The licensee's fire protection program mitigation strategy for ensuring the ability to safely shutdown the plant during a fire in Fire Area 2104 was impacted by the installation of a plant modification. The modification was installed such that thermal damage to instrumentation cables associated with the mod could cause all eleven SRVs to open. The licensee's manual actions to be taken in response to this condition were not timely, were encumbered by poor environmental conditions, and were not approved by the NRC.
Description 1
Inadequate Plant Modification In 1992 the licensee developed and implemented a plant modification which installed a non-safety related Rosemount 1154GP electronic pressure transmitters on each of the four main steam lines to monitor the nuclear boiler pressure and provide backup actuation of eleven SRVs at or near their respective mechanical set points. The backup actuation was in addition to the mechanical actuation mode of the SRVs and was intended to mitigate the effects of corrosion induced set point drift of the SRVs. The SRVs will relieve nuclear boiler pressure either by normal mechanical action or by automatic action from an electro pneumatic control system energized from the pressure transmitters. The installed plant modification has two instrument circuits from the pressure transmitters on two steam lines running in the same cable tray in Fire Area 2104 within close proximity to each other. Neither of these instrumentation cables were protected from fire damage in accordance with the requirements of 10 CFR 50 Appendix R, Section Ill.G.2.
A credible fire in this area will damage the cable insulation of both of these instrument circuits and create abnormal leakage currents. Additionally, because analog instrument circuits transmits low level electrical signals, leakage currents caused by cable insulation damage can measurably impair circuit performance in a manner that has functional implications. Excess leakage currents will cause the instrument loops to fail high which is indicative of high nuclear boiler pressure and will result in the electro pneumatic control system opening all eleven SRVs. The sensor initiated logic, provided by the four pressure transmitters for actuating all eleven SRVs, was not installed in accordance with the specified design changes. Specifically, the installed coincident logic input from instrumentation loops 2B21 -Ni 27B and 2B21 -127D is not in accordance with the specified design input requirements. It is also the cause for the SRVs opening spuriously because of fire induced insulation damage to these two instrumentation loops cables. Correct installation of the specified actuation logic for the SRVs would not have created this particular failure mode. Consequently, this design deficiency has resulted in all eleven SRVs becoming susceptible to spuriously opening, because of fire
induced insulation damage to these two instrumentation cables, for a fire in Fire Area 2104.
Simultaneous opening of all eleven SRVs will result in the sudden depressurization of the nuclear boiler with a loss of reactor coolant inventory, along with a loss of manual control of the SRVs. Manual control of the SRVs is required to ensure that the suppression pool heat capacity temperature limit will not be exceeded. (See Inspection Report 50-321, 366/03-06, section 1 R21.01.b for additional details).
UFSAR Section 15.2.8.1 states that the inadvertent opening of one SRV, (Event 22),
results in the transfer of a significant amount of mass and energy to the suppression pool from the nuclear boiler which loses reactor coolant inventory. This is one of the events addressed in the UFSAR Section with respect to the suDpression pool heat capacitv limit. The simultaneous opening of all eleven SRVs should be considered a large loss of a coolant accident (LOCA). A LOCA should be prevented from occurring during a fire event in order to comply with the requirements of 10 CFR 50, Appendix R, Section III.L.Section III.L requires that, during a post-fire shutdown, the reactor coolant system process variables (e.g., reactor vessel pressure and water level) shall be maintained within those predicted for a loss of normal alternating current power. Having all eleven SRVs opened during a fire would challenge this requirement. Loss of manual control of the SRVs will also challenge the suppression pool heat capacity temperature limit and result in degrading the performance of (1) the Core Spray System which is required for reactor coolant inventory make up, and (2) the Suppression Pool Cooling System and Containment Spray Cooling System both of which are required for containment heat removal functions.
The licensee does not have a calculation of record or an approved analysis which demonstrates that the Core Spray System is capable of mitigating the effects on the nuclear boiler, and the structural integrity of the containment, that is caused by spurious opening of all eleven SRVs with the reactor at 100% power. Sudden de-pressurization of the nuclear boiler as a result of fire induced damage has not been analyzed by the licensee.
2 Inadequate Compensatory Corrective Actions The licensee upon identifying the above consequences of the installed modification implemented compensatory corrective actions which were intended to preclude the spurious opening of all eleven SRVs. This corrective action was incorporated in Fire Procedure, AOP 34AB-X43-001 -2, Version 10.8, dated May 28, 2003, which stated in step 9.3.2.1 that: 'To prevent all eleven SRVs from opening simultaneously, open links BB-10 in Panel 2H11-P927 and BB-10 in Panel 2H11-P928."
These manual actions of opening the links described in step 9.3.2.1 were sufficiently far back in the procedure that it created doubts, to the inspectors walking down the procedure, as to whether or not these manual actions could be completed in time to prevent potential fire damage to the instrumentation cables of concern. Prior to the end of the inspection it was concluded by the team that these manual actions would not have been performed early enough during the fire event to preclude spurious opening of all eleven SRVs. The procedure was revised to ensure that these manual actions would be completed in a timely manner, and provided reasonable assurance that the SRVs would
not be spuriously opened as a result of fire damage to the instrumentation circuit cables.
In addition, performance of these manual actions was encumbered by a lack of adequate lighting to facilitate successful completion of the actions. The terminal block points were also not adequately labeled in order to ensure that the operators could correctly identify the terminal links that were required to be removed to prevent spurious opening of the SRVs.
The licensee did not obtain NRC approval for these manual actions, in lieu of providing physical protection from fire damage for the instrumentation cables, as is required by 10 CFR 50 Appendix R, Section III.G.2.
Licensing Basis/Requirements:
Operating License Condition 2.C. (3)(a), Fire Protection; Title 10 of the Code of Federal Regulations, Part 50 (10 CFR 50), Appendix R; 10 CFR 50.48; Appendix A of Branch Technical Position (BTP) Auxiliary and Power Conversion Systems Branch (APCSB) 9.5-1; related NRC Safety Evaluation Reports (SERs); the Hatch Nuclear Plant Updated Final Safety Analysis Report (UFSAR); and plant Technical Specification (TS).
Minor Questions:
Question (1) Could the finding be reasonably viewed as a precursor to a significant event?
NO Question (2)
If left uncorrected, would the finding become a more significant safety concern?
NO Question (3)
Does the finding relate to performance indicators that would have caused the PI to exceed a threshold?
NO Question (4)
Is the finding associated with one of the below cornerstone attributes and does the finding affect the associated cornerstone obiective?
YES - The team determined that this finding was associated with the "design control, equipment performance, and procedure quality" attributes. It affected the objective of the initiating events cornerstone to limit the likelihood of events that challenge critical safety functions as well as the mitigating systems cornerstone to ensure the availability, reliability, and capability of systems that respond to initiating events, and is therefore greater than minor.
CORNERSTONE OBJECTIVES AND ATTRIBUTES:
REACTOR SAFETY CORNERSTONE
Initiating Events Cornerstone: OBJECTIVE: to limit the likelihood of those events that upset plant stability and challenge critical safety functions during shutdown as well as power operations.
Attributes:
Design Control:
Protection Against External Factors:
Configuration Control:
Equipment Performance Procedure Quality Human Performance:
Initial Design and Plant Modifications Flood Hazard, Fire, Loss of Heat Sink, Toxic Hazard, switch yard Activities, Grid Stability Shutdown Equipment Lineup, Operating Equipment Lineup Availability, Reliability, Maintenance, Barrier Integrity (SGTR, ISLOCA, LOCA (S,M,L),
Refueling/fuel handling equipment Procedure Adequacy Human Error Mitigating Systems: OBJECTIVE: to ensure the availability, reliability, and capability of systems that respond to initiating events to prevent consequences (i.e., core damage).
Attributes:
Design Control:
Protection Against External Factors:
Configuration Control:
Equipment Performance Procedure Quality:
Human Performance:
Initial Design and Plant Modifications Flood Hazard, Fire, Loss of Heat Sink, Toxic Hazard, Seismic Shutdown Equipment Lineup, Operating Equipment Lineup, Availability, Reliability Operating (Post Event) Procedure (AOPs, SOPs, EOPs); Maintenance and Testing (Pre-event) Procedures Human Error (Post Event), Human Error (Pre-event)
Because the answer to Questions (4) was "YES," the finding should be considered greater than minor. Go to MC-0609, App. A.
SDP PHASE 1 SCREENING WORKSHEET FOR IE. MS. and B CORNERSTONES Reference/Title (LER #, Inspection Report #, etc): Fire Induced Damage to Instrument Cables Spuriously Opens Eleven SRVs AND Suddenly Depressurizes Nuclear Boller.
Performance Deficiency (concise statement clearly stating the deficient licensee performance): I The licensee's fire protection program mitigation strategy for ensuring the ability to safely shutdown the plant during a fire in Fire Area 2104 was impacted by the installation of a plant modification. The modification was installed such that thermal damage to instrumentation cables associated with the mod could cause all eleven SRVs to open. The licensee's manual actions to be taken in response to this condition were not timely, were encumbered by poor environmental conditions, and were not approved by the NRC.
Factual Description of Identified Condition (statement of facts known about the finding, without hypothetical failures included):See description and examples In the "Minor Questions" form and In IR 50-321, 366/2003-006 System(s) and train(s) degraded by Identified condition: SRVs, Core Spray System, Suppression Pool Cooling and Containment Spray Cooling Sub-systems which are both operating modes of the RHR system, and potentially others.
Ucensing Basis Function of System(s) or Traln(s) (as applicabre):Safe Shutdown during a fire.
Other Safety Function of System(s) or Train(s) (as applicable):
Maintenance Rule category (check one): _x_ risk-significant non-risk-significant Time that Identified condition existed or Is assumed to have existed: More than 30 days Functions and Cornerstones degraded as a result of this Identified condition (check V)
INITiATING EVENT CORNERSTONE Transient Initiator contributor (e.g., reactor/turbine trip, loss offsite power)
... X. Primary or Secondary system LOCA Initiator contributor (e.g., RCS or main steam/feedwater pipe degradations and leaks)
MITIGATION SYSTEMS CORNERSTONE BARRIERS CORNERSTONE
____X__ Core Decay Heat Removal Degraded Initial Injection Heat Removal Degradec Primary (e.g., Safety In])
_X_ Low Pressure High Pressure Secondary - PWR only (e.g., I
_X_ Long Term Heat Removal Degraded (e.g.,
ECCS sump recirculation, suppression pool cooling)
Reactivity Control Degraded RCS LOCA Mitigation Boundary Degraded (e.g., PORV block valve, PTS issue)
__.X_ Containment Barrier Degraded Reactor Containment Degraded Actual Breach or Bypass
%FW)
X_ Heat Removal, Hydrogen or Pressure Control Degraded Control Room, Aux Bldg, or Spent Fuel Bldg Barrier Degraded Fuel Cladding Barrier Degraded
_X__ Fire/Flood/Seismic/Weather Protection Degraded Page 1 of 3 0609, App A, Aft 1 Issue Date: 03/18/02
0609, App A, Aft 1 Issue Date: 03/18/02
SDP PHASE 1 SCREENING WORKSHEET FOR IE, MS, and B CORNERSTONES Check the appropriate boxes v If the finding Is assumed to degrade:
- 1.
fire protection defense In depth (DID), detection, suppression, barriers, fire brigade. STOP. Go to IMC 0609, Appendix F 1
- 2.
the safety of a shutdown reactor. STOP. Go to IMC 0609. Appendix G 1
- 3.
the safety of an operating reactor, Identify the degraded areas:
Initiating Event Mitigation Systems RCS Barrier Fuel Barrier Containment Barriers
- 4.
Two or more of the above areas degraded STOP. Go to Phase 2
- 5.
If only one of the above areas Is degraded, continue only In the appropriate column below.
Initiating Event
- 1. Does the finding contribute to the likelihood of a Primary or Secondary system LOCA Initiator?
If YES-Stop. Go to Phase 2 If NO, continue
- 2. Does the finding contribute to both the likelihood of a reactor trip AND the likelihood that mitigation equipment or functions will not be available?
If YES-Stop. Go to Phase 2 If NO, continue
- 3. Does the finding Increase the likelihood of a fire or Intemal/extemal flood?
if YES -Use the IPEEE or other existing plant-specific analyses to Identify core damage scenarios of concern and factors that Increase the frequency. Provide this Input for Phase 3 analysis.
If NO, screen as Green Mitigation Systems
- 1. Is the finding a design or qualification deficiency confirmed not to result In loss of function per GL 91-18 (rev 1)?
If YES -
screen as Green If NO, continue
- 2. Does the finding represent an actual loss of safety function of a System?
If YES-Stop. Go to Phase 2 If NO, continue
- 3. Does the finding represent an actual loss of safety function of a single Train, for > Its Tech Spec Allowed Outage Time?
If YES-Stop. Go to Phase 2 If NO, continue
- 4. Does the finding represent an actual loss of safety function of one or more non-Tech Spec Trains of equipment designated as risk significant per 10CFR50.65, for >24 hrs?
If YES-Stop. Go to Phase 2 If NO, continue
- 5. Does the finding screen as potentially risk significant due to a seismic, fire, flooding, or severe weather Initiating event, using the criteria on page 3 of this Worksheet?
If YES -
Use the IPEEE or other existing plant-specific analyses to Identify core damage scenarios of concern and provide this Input for Phase 3 analysis.
If NO, screen as Green RCS Barrier or Fuel Barrier
- 1. RCS Barrier Stop.
Go to Phase 2
- 2. Fuel Barrier screen as Green Containment Barriers
- 1. Does the finding only represent a degradation of the radiological barrier function provided for the control room, or auxiliary building, or spent fuel pool, or SBGT system (BWR)?
If YES -
screen as Green If NO, continue
- 2. Does the finding represent a degradation of the barrier function of the control room against smoke or a toxic atmosphere?
If YES -
Stop. Go to Phase 3 If NO, continue
- 3. Does the finding represent an actual open pathway In the physical Integrity of reactor containment or an actual reduction of the atmospheric pressure control function of the reactor containment?
If YES -
Stop. Go to Appendix H of IMC 0609 If NO, screen as Green Page 2 of 3 0609, App A, Aft 1 Issue Date: 03/18/02
SDP PHASE 1 SCREENING WORKSHEET FOR IE, MS, and B CORNERSTONES Seismic, Fire, Flooding, and Severe Weather Screening Criteria
- 1. Does the finding involve the loss or degradation of equipment or function specifically designed to mitigate a seismic, flooding, or severe weather Initiating event (e.g., seismic snubbers, flooding barriers, tornado doors)? (Equipment and functions for the mitigation or suppression of fire initiating events, such as thermal wrap or sprinkler systems, should be evaluated using IMC 0609 Appendix F and are not evaluated here)
If YES -
continue to question 2 If NO -
skip to question 3
- 2. If the equipment or safety function is assumed to be completely failed or unavailable, are ANY of the following three statements TRUE? The loss of this equipment or function by itself, during the external initiating event it was intended to mitigate a) would cause a plant trip or any of the Initiating Events used by Phase 2 for the plant in question; b) would degrade two or more Trains of a multi-train safety system or function;
.c) would degrade one or more Trains of a system that supports a safety system or function.
If YES -
the finding is potentially risk significant due to external initiating event core damage sequences - return to page 2 of this Worksheet If NO, screen as Green
- 3. Does the finding involve the total loss of any safety function, identified by the licensee through a PRA, IPEEE, or similar analysis, that contributes to external event initiated core damage accident sequences (i.e., Initiated by a seismic, fire, flooding, or severe weather event)?
If YES -
the finding is potentially risk significant due to external initiating event core damage sequences - return to page 2 of this Worksheet If NO, screen as Green Result of Phase I screening process:
Screen as Green Go to Phase 2 Go to Phase 3 Important Assumptions (as applicable):
Page 3 of 3 0609, App A, Aft 1 Issue Date: 03/18/02