IR 05000298/2008007
ML080790476 | |
Person / Time | |
---|---|
Site: | Cooper |
Issue date: | 03/19/2008 |
From: | Caniano R Division of Reactor Safety IV |
To: | Minahan S Nebraska Public Power District (NPPD) |
References | |
EA-07-204 IR-08-007 | |
UNITED STATES NUCLEAR REGULATORY COMMISSION
March 19, 2008
SUBJECT:
COOPER NUCLEAR STATION - NRC TRIENNIAL FIRE PROTECTION FOLLOWUP INSPECTION REPORT 05000298/2008007; PRELIMINARY GREATER THAN GREEN FINDING
Dear Mr. Minahan:
On March 18, 2008, the U.S. Nuclear Regulatory Commission (NRC) completed an inspection at your Cooper Nuclear Station. The enclosed report documents the inspection findings, which were discussed in a debrief meeting at the end of the onsite inspection on March 18, 2008, with Mr. S. Minahan, President-Nuclear and CNO, and other members of your staff during an exit meeting conducted via conference call.
The inspection was conducted to gain a more complete understanding of the circumstances surrounding an unresolved item (URI) identified during the 2007 triennial fire protection inspection (Inspection Report 05000298/2007008) in order to determine the significance and the appropriate enforcement action. Specifically, that inspection identified that two different procedures used by operators to bring the plant to a safe shutdown condition in the event of certain fire scenarios could not be performed as written. Procedure steps to reposition 10 motor operated valves at the motor starter cabinets were incorrect because they were for a different circuit configuration. The procedure errors were not recognized by plant personnel during verification and validation efforts because an unwritten policy prohibited opening these cabinets to prevent events.
The attached report discusses a finding that was preliminarily determined to have greater than very low safety significance. This finding was assessed based on the best available information, including influential assumptions, using the applicable Significance Determination Process (SDP). We will continue to review information as it becomes available, and have already taken the action of sending a Senior Reactor Analyst to the plant on March 5, 2008, in order to begin assembling additional information needed to refine the preliminary results of our analysis. The final resolution of this finding will convey the increment in the importance to safety by assigning the corresponding color, i.e., [(white) a finding with some increased importance to safety, which may require additional NRC inspection; (yellow) a finding with substantial importance to safety that will result in additional NRC inspection and potentially other NRC action; (red) a finding of high importance to safety that will result in increased NRC inspection and other NRC action]. This finding, which has existed since 1997, has preliminary Greater Than Green safety significance because it involves risk factors that were not dependent on specific fire damage. The scenarios of concern involve larger fires in specific areas of the plant which trigger operators to implement fire response procedures to place the plant in a safe shutdown condition. Since some of those actions could not be completed using the procedures as written, this would challenge the operators' ability to establish adequate core cooling.
This finding was evaluated to determine whether the circumstances warranted enforcement discretion. The NRC Enforcement Policy contains guidance to consider enforcement discretion for certain fire protection issues identified at reactor sites where the licensee has committed to adopting a risk-informed fire protection program in accordance with 10 CFR 50.48(c). While the licensee has committed to adopting a risk-informed fire protection program, the NRC has concluded that the circumstances surrounding this issue did not satisfy one of the criteria in the Policy. In particular, this NRC-identified finding resulted from weaknesses in your routine procedure verification and validation process, as well as inadequate actions to address two previous NRC-identified violations. There were also two additional missed opportunities for you to have identified this issue, including a Quality Assurance audit and a self-assessment that each focused on identifying problems with the feasibility of manual actions on the two procedures in question. The NRC has concluded that your routine processes should have identified this problem. Therefore, one of the enforcement discretion criteria was not met. The enclosed report provides additional details about the circumstances that led to this conclusion.
We acknowledge the position you provided, informally on February 7, 2008, and formally on the docket in your March 10, 2008 letter, regarding the applicability of the Interim Enforcement Discretion Policy to the apparent violation discussed in this report. The information you provided in the earlier document was considered during our decision-making process. The rationale for our decision that the Interim Enforcement Discretion Policy does not apply to this finding is documented in the attached report. You are encouraged to continue to dialog on this aspect within the NRC's formal process for reaching a final decision on this finding. Our final disposition of the apparent violation will also address your March 10, 2008 letter.
While this finding must be assessed for risk significance using fire significance determination tools, the causes, as we understand them, are not unique to your fire protection program. This issue appears to represent an additional example of recent findings that related to inadequate procedure quality.
This finding does not represent an immediate safety concern because your staff promptly corrected the procedures.
One apparent violation associated with this finding is being considered for escalated enforcement action in accordance with the NRC Enforcement Policy. The current Enforcement Policy is included on the NRC's web site at http://www.nrc.gov/reading-rm/adams.html.
In accordance with Inspection Manual Chapter 0609, we intend to complete our evaluation using the best available information and issue our final determination of safety significance within 90 days of this letter.
The significance determination process encourages an open dialog between the staff and the licensee; however, the dialogue should not impact the timeliness of the staff's final determination. Before we make a final decision on this matter, we are providing you an opportunity (1) to present to the NRC your perspectives on the facts and assumptions used by the NRC to arrive at the finding and its significance at a Regulatory Conference or (2) submit your position on the finding to the NRC in writing. If you request a Regulatory Conference, it should be held within 30 days of the receipt of this letter and we encourage you to submit supporting documentation at least 1 week prior to the conference in an effort to make the conference more efficient and effective. If a Regulatory Conference is held, it will be open for public observation. If you decide to submit only a written response, such submittal should be sent to the NRC within 30 days of the receipt of this letter.
Please contact Linda J. Smith at (817) 860-8137 within 10 days of the date of the receipt of this letter to notify the NRC of your intentions. If we have not heard from you within 10 days, we will continue with our significance determination and enforcement decision and you will be advised by separate correspondence of the results of our deliberations on this matter.
Since the NRC has not made a final determination in this matter, no Notice of Violation is being issued for this inspection finding at this time. In addition, please be advised that the number and characterization of apparent violations described in the enclosed inspection report may change as a result of further NRC review.
In accordance with 10 CFR 2.390 of the NRC's "Rules of Practice," a copy of this letter and its enclosure will be available electronically for public inspection in the NRC Public Document Room or from the Publicly Available Records (PARS) component of NRC's document system (ADAMS). ADAMS is accessible from the NRC Web site at http://www.nrc.gov/reading-rm/adams.html (the Public Electronic Reading Room).
Sincerely,
/RA/
Roy J. Caniano, Director
Division of Reactor Safety
Docket: 50-298
License: DPR-46
Enclosure:
Inspection Report 05000298/2008007 w/Attachment: Supplemental Information
REGION IV
Docket: 50-298
License: DPR-46
Report: 05000298/2008007
Licensee: Nebraska Public Power District
Facility: Cooper Nuclear Station
Location: P.O. Box 98, Brownville, Nebraska
Dates: January 7 through March 18, 2008
Team Leader: J. M. Mateychick, Senior Reactor Inspector, Engineering Branch 2
Inspectors: N. O'Keefe, Senior Reactor Inspector, Engineering Branch 2; D. Loveless, Senior Reactor Analyst
Approved By: Linda Joy Smith, Chief, Engineering Branch 2, Division of Reactor Safety
SUMMARY OF FINDINGS
IR 05000298/2008007; 01/07/08 - 03/18/08; Cooper Nuclear Station: Triennial Fire Protection Follow-up Inspection
The report covered a 2-month period of inspection follow-up and significance determination efforts by region-based inspectors and senior risk analysts. One finding was identified with an associated apparent violation, which was determined to have preliminary greater than very low safety significance. The significance of most findings is indicated by its color (Green, White, Yellow, Red) using Inspection Manual Chapter 0609, "Significance Determination Process." Findings for which the significance determination process does not apply may be green or be assigned a severity level after NRC management review. The NRC's program for overseeing the safe operation of commercial nuclear power reactors is described in NUREG-1649, "Reactor Oversight Process," Revision 3, dated July 2000.
NRC-Identified and Self-Revealing Findings
- Greater Than Green.
An apparent violation of 10 CFR Part 50, Appendix B, Criterion V, was identified for failure to ensure that some steps contained in Emergency Procedures at Cooper Nuclear Station would work as written. Inspectors identified that steps in Emergency Procedure 5.4POST-FIRE, Post-Fire Operational Information, and Emergency Procedure 5.4FIRE-S/D, Fire Induced Shutdown From Outside Control Room, intended to reposition motor operated valves locally, would not have worked as written because the steps were not appropriate for the configuration of the motor starter circuits. 10 CFR Part 50, Appendix B, Criterion V was not met because these quality-related procedures would not work to allow operators to bring the plant to a safe shutdown condition in the event of certain fires. This finding had a cross-cutting aspect in Problem Identification and Resolution, under the Corrective Action Program attribute, because the licensee did not thoroughly evaluate the 2004 NRC violation to address causes and extent of condition. (P.1.c - Evaluations)
This finding is of greater than minor safety significance because it impacted the Mitigating Systems cornerstone objective to ensure the availability, reliability, and capability of systems that respond to external events (such as fire) to prevent undesirable consequences. This finding affected both the procedure quality and protection against external factors (such as fires) attributes of this cornerstone objective.
This finding was determined to have a preliminary Greater Than Green safety significance during a Phase 3 evaluation using best-available information. This problem, which has existed since 1997, involves risk factors that were not dependent on specific fire damage. The scenarios of concern involve larger fires in specific areas of the plant which trigger operators to implement fire response procedures to place the plant in a safe shutdown condition. Since some of those actions could not be completed using the procedures as written, this would challenge the operators' ability to establish adequate core cooling.
Upon identification of this issue, the licensee took immediate compensatory actions to notify operations of the procedural problems, establish a roving fire watch, issue a night order to communicate to all operating crews, and change the procedures. Both emergency procedures have been revised to assure correct valve alignment. Therefore, this finding does not represent a current safety concern. (Section 1R05)
B. Licensee-Identified Findings
None.
REPORT DETAILS
REACTOR SAFETY
1R05 Fire Protection
.1 Two Procedures Contained Inadequate Steps to Locally Operate Valves
a. Scope
The inspectors performed follow-up inspection activities to determine whether the issues discussed in Unresolved Item 05000298/2007008-01, Inadequate Post-Fire Safe Shutdown Procedures (EA-07-204), involved a violation of NRC requirements, and to assess the safety significance of the issues.
The inspectors reviewed Emergency Procedure 5.4POST-FIRE, "Post-Fire Operational Information," and Emergency Procedure 5.4FIRE-S/D, Fire Induced Shutdown From Outside the Control Room, as well as documentation of efforts to verify and validate (V&V) that the procedure steps were feasible. These V&V efforts were compared to the requirements of Procedure 0.4A, Procedure Change Process Supplement. The inspectors also reviewed the results of Quality Assurance audits and self-assessments performed since 2004 concerning the feasibility of manual actions for these procedures.
The results of the root cause evaluation for this finding and the initial corrective actions taken to address this issue were reviewed. The inspectors verified that this issue was not a current safety concern, based on a review of corrective actions. Corrective actions taken for two previous violations, issued against the same procedures, were also reviewed. A list of specific documents reviewed is in the Attachment.
b. Findings
Introduction.
An apparent violation of 10 CFR Part 50, Appendix B, Criterion V, with a preliminary Greater Than Green significance, was identified for failure to ensure that some steps contained in Emergency Procedures at Cooper Nuclear Station would work as written. Inspectors identified that steps in Emergency Procedure 5.4POST-FIRE, Post-Fire Operational Information, and Emergency Procedure 5.4FIRE-S/D, Fire Induced Shutdown From Outside Control Room, intended to reposition motor operated valves locally, would not have worked as written because the steps were not appropriate for the configuration of the motor starter circuits. 10 CFR Part 50, Appendix B, Criterion V was not met because these quality-related procedures would not work to allow operators to bring the plant to a safe shutdown condition in the event of certain fires.
This finding has a cross-cutting aspect in Problem Identification and Resolution, under the Corrective Action Program attribute because the licensee did not thoroughly evaluate the 2004 NRC violation to address causes and extent of condition. (P.1.c - Evaluation)
Description.
Post-fire safe shutdown strategies at the Cooper Nuclear Station require equipment operations to be performed in accordance with one of two emergency procedures. For most fire areas, plant shutdown is performed using Emergency Procedure 5.4POST-FIRE, "Post-Fire Operational Information," in conjunction with other plant procedures. For fire areas where fires might necessitate evacuation of the control room, alternate shutdown is performed using Emergency Procedure 5.4FIRE-S/D, "Fire Induced Shutdown From Outside the Control Room."
During the triennial fire protection inspection, the team performed a walkthrough of Emergency Procedure 5.4POST-FIRE for selected fire areas by observing plant operators simulate actions required by the procedure. This procedure required operators to stroke multiple motor-operated valves (MOVs) to their required positions from each valve's motor starter cabinet. The procedure steps direct operators to open the motor starter cabinet, remove the control power fuses, then press an open or closed contactor for a specified amount of time to stroke the valve to the required position.
During the procedure walkthrough, operators did not open some MOV motor starter cabinets because of concerns of potential equipment upsets, including a plant trip hazard. The team requested a table top review of the MOV circuit drawings. As a result, four 125 Vdc motor-operated valves were identified for which the operators would not have been able to perform the procedure steps as written (RHR-MO-67, RHR-921MV, RWCU-MO-18, and MS-MO-77). These four valves had motor starter circuits that were different than most of the other dc MOV circuits in that they had motor starters designed without separate control power fuses. The team concluded that pulling the fuses as directed in the operating instructions would have removed motive power, so the valves would not stroke. There were no indications available to allow operators to determine whether the actions were successful or not, and the procedure did not require local verification that the valves were actually in the correct position. Once the fuses are removed, valve position indication in the control room is not available.
The licensee's extent of condition review identified procedural errors for six additional MOVs. These six valves required operators to simultaneously depress either two or three contactors to successfully reposition the valves. The procedure directed operators to depress a single open or closed contactor. Again, operators would not be able to tell that their actions were unsuccessful, and the actual position would not be verified. Five of the valves required two contactors to be pressed simultaneously to stroke the valve (HPCI-MO-14, HPCI-MO-16, RHR-MO-25A, RHR-MO-25B and RR-MO-53A). The sixth valve (RHR-MO-17) required three contactors to be pressed simultaneously to stroke the valve. One of the valves (RHR-MO-25B) is operated in the same manner during alternative shutdown in accordance with Emergency Procedure 5.4FIRE-S/D, which contained the same procedural error. The procedural errors impacted the response to fires in 14 separate fire areas, each involving one to five valves in numerous combinations (Fire Areas CB-A, CB-A-1, CB-B, CB-C, CB-D, RB-F, RB-FN, RB-DI (SE), RB-DI (SW), RB-J, RB-K, RB-M, RB-N and TB-A).
The major impact of being unable to operate the valves as required could be that operators would think they aligned the valves, they would later need to establish core injection, but would be unable to do so.
Adequacy of Corrective Actions to Address Previous Violations
The inspectors reviewed the corrective action taken in response to violations identified during the 2004 triennial fire protection inspection, and concluded that the licensee was not rigorous. In the case of RHR-MO-25B, the corrective action to label the contactors needed to operate the valve did not identify and label one of the contactors needed to operate the valve. NCV 2004008-02 involved several examples of problems with the adequacy of instructions in Emergency Procedure 5.4Fire-S/D, Fire Induced Shutdown From Outside Control Room, Revision 3. This included steps to operate MOVs locally at the motor starter cabinets that required operating contactors which were not properly labeled. The inspectors identified that for RHR-MO-25B, the licensee installed one open and one closed contactor label, when two contactors were actually required to be operated simultaneously to reposition the valve. The licensee was required to use procedures and drawings to verify that the labels would be correct. The inspectors concluded that proper verification of the labeling should have included reviewing drawings to understand how the circuits functioned. This should have led the licensee to recognize that multiple contactors must be operated to open or close this MOV. This should also have triggered a change to Emergency Procedure 5.4FIRE-S/D to ensure that the steps were correct for operating this valve. After the corrective actions for this violation were completed, neither the labeling nor the procedure was adequate to allow operators to locally operate this MOV. The inspectors determined that this was a missed opportunity to have recognized that there were other MOV motor starters with configurations for which the procedure would not work as written.
Similarly, NCV 2004008-01 involved a failure to ensure redundant safe shutdown systems located in the same fire area are free of fire damage. This was a violation because the licensee was relying on manual actions to restore equipment which might be affected by fire damage, rather than to have protected this equipment from fire damage as required. These manual actions were implemented in Emergency Procedure 5.4Post-Fire. This violation was being addressed as part of the licensee's conversion to a risk-informed fire protection program. Condition Report 2004-03034 addressed this violation, and included actions to evaluate the feasibility of all of the Emergency Procedure 5.4Post-Fire manual actions against the NRC inspection guidance.
Based on the above, the inspectors concluded that corrective actions to address two prior NRC-identified violations should have identified and corrected the problems identified in this finding. The licensee's non-rigorous corrective action was a significant contributor to the failure to identify this finding. Therefore, this finding has a cross-cutting aspect in Problem Identification and Resolution, under the Corrective Action Program attribute. (P.1.c - Evaluation)
Adequacy of Audits, Self-Assessments, and Procedure Quality Reviews
The inspectors reviewed the following:
- Quality Assurance Audit 07-01, Fire Protection Program, dated 02/2007
- Self-assessment: Manual Action Feasibility - Review of Cooper Nuclear Station Post-Fire Manual Actions With NRC Inspection Manual Post-Fire Manual Action Feasibility Criteria, dated 5/18/07
Both the 2007 QA audit and the 2007 self-assessment evaluated the feasibility of the actions in Emergency Procedures 5.4POST-FIRE and 5.4FIRE-S/D. These reports concluded that the steps in these procedures were feasible. These conclusions were based on reviewing the procedure steps using the criteria given in NRC Inspection Procedure 71111.05T, as well as the verification and validation requirements in Procedure 0.4A, Procedure Change Process Supplement. Since the inspectors who identified this finding used the NRC guidance to find the problem, it was apparent that the licensee's use of this guidance was not sufficiently rigorous to meet the intent of the assessments.
The inspectors reviewed the V&V guidance in Procedure 0.4A, including examples of completed checklists used to V&V Emergency Procedures 5.4POST-FIRE and 5.4FIRE-S/D. The inspectors noted that the checklists were not sufficiently explicit to require that procedure steps be checked in a way that ensured that they would work as written. The checklist items in the Verification and Validation sections checked certain attributes associated with procedure quality, but did not directly or cumulatively ensure that the actions accomplished the intent of the individual steps or the procedure as a whole.
The root cause evaluation performed as part of Condition Report 2007-04155 for this finding identified that Procedure 0.4A was not met for the 10 MOVs affected by this finding. This report noted that Procedure 0.4A did not address how to V&V procedure steps that were being checked by walking down the procedure in the plant when a step required access to the inside of a cabinet that was not to be opened. The root cause evaluation noted that the appropriate method to complete this portion of a V&V should have involved using system drawings and other documents to verify that the steps would work, but the procedure did not directly address this scenario. This root cause evaluation report concluded that the steps affected by this finding had never actually been properly checked.
The root cause evaluation for Condition Report 2007-04155 documented that several opportunities existed which could have identified the Emergency Procedure 5.4 Post-Fire deficiencies. These included the three self-assessments listed above, multiple procedure V&V efforts performed for periodic reviews and procedure changes, periodic operator training conducted on these procedures, as well as during corrective action taken to address NCVs 2004008-01 and 2004008-02.
Based on the above, the inspectors concluded that the licensee's failure to perform adequate V&V reviews to ensure that these procedures were adequate was a significant contributor to the failure to identify this finding.
The licensee issued Licensee Event Report 2007-005-00 related to this issue. This LER is reviewed in Section 4OA2.2 of this report. The licensee has entered this finding into their corrective action program as Condition Report CNS-2007-04155.
Analysis.
This finding is of greater than minor safety significance because it impacted the Mitigating Systems cornerstone objective to ensure the availability, reliability, and capability of systems that respond to external events (such as fire) in order to prevent undesirable consequences. This finding affected both the procedure quality and protection against external factors (such as fires) attributes of this cornerstone objective.
This finding had a cross-cutting aspect in Problem Identification and Resolution under the Corrective Action Program attribute. (P.1.c - Evaluation)
Upon identification of this issue, the licensee took immediate compensatory actions to notify operations personnel of the procedural problems, establish a roving fire watch, issue a night order to communicate to all operating crews, and change the procedures so the steps would work as intended. Both emergency procedures have been revised to assure correct valve alignment. Therefore, this finding does not represent a current safety concern.
a. Phase 1 Screening Logic, Results, and Assumptions
The team evaluated this finding using the "SDP Phase 1 Screening Worksheet for the Initiating Events, Mitigating Systems, and Barriers Cornerstones," provided in Manual Chapter 0609, Attachment 4, "Phase 1 - Initial Screening and Characterization of Findings." For this finding, Table 3b directs the user to Manual Chapter 0609, Appendix F, Fire Protection Significance Determination Process, because it affected fire protection defense-in-depth strategies involving post-fire safe shutdown systems. However, Manual Chapter 0308, Attachment 3, Appendix F, Technical Basis for Fire Protection Significance Determination Process for at Power Operations, states that Manual Chapter 0609, Appendix F, does not currently include explicit treatment of fires in the main control room.
Manual Chapter 0609, Appendix F, also states that the SDP Phase 2 is intended to address findings in a single fire area, and that a broader effort is beyond the intended scope of the SDP Phase 2.
b. Phase 2 Risk Estimation
Based on the complexity and scope of the subject finding and the significance of the finding to main control room fires, the analyst determined that a Phase 2 estimation was not appropriate.
c. Phase 3 Analysis
In accordance with Manual Chapter 0609, Appendix A, the analyst performed a Phase 3 analysis using input from the Nebraska Public Power District, Individual Plant Examination for External Events (IPEEE) Report - 10CFR 50.54(f) Cooper Nuclear Station, NRC Docket No. 50-298, License No. DPR-46, dated October 30, 1996, the Standardized Plant Analysis Risk (SPAR) Model for Cooper, Revision 3.31, dated September 2007, and appropriate hand calculations.
Assumptions:
To evaluate the change in risk caused by this performance deficiency, the analyst made the following assumptions:
1. For all fire zones, with the exception of the main control room, the ignition frequency identified in the IPEEE is an appropriate value.
2. The fire ignition frequency for the main control room (PFIF) is best quantified by the generic value of 1.09 x 10^-2/yr.
3. Sixty-four fire scenarios (documented in Table 1) were identified that were predominantly affected by the finding.
4. The baseline conditional core damage probability for a control room evacuation at Cooper is best represented by the generic value of 0.1.
5. The failure of major recovery equipment or significant operator diversion following an evacuation of the main control room would likely result in core damage. This is represented by a conditional core damage probability of 1.0.
6. Any fire in the main control room that goes unsuppressed for 20 minutes will lead to a control room evacuation.
7. Any fire that is unsuppressed by automatic or manual means in the Auxiliary Relay Room, the Cable Spreading Room, the Cable Expansion Room or Area RB-FN will result in a main control room evacuation.
8. The Cooper SPAR model, Revision 3.31 represents an appropriate tool for evaluation of the core damage probabilities associated with postulated fires that do not result in main control room evacuation.
9. All postulated fires in this analysis resulted in a reactor scram. In addition, the postulated fire in Fire Zone 3B resulted in a loss of offsite power.
10. Valves RHR-MO-25A and RHR-MO-25B are low pressure coolant injection system isolation valves. These valves must be opened to provide an injection path to the reactor vessel. These valves can prevent one method of decay heat removal in the alternate shutdown cooling mode of operation.
11. For Valves RHR-MO-25A and RHR-MO-25B, the subject performance deficiency only applies to the portion of the post fire procedures that direct the transition into alternate shutdown cooling. Therefore, the low pressure injection function is not affected.
12. Valve RHR-MO-17 is one of two residual heat removal system shutdown cooling cold-leg suction isolation valves. These valves can prevent decay heat removal in the alternate shutdown cooling mode of operation.
13. Valve RWCU-MO-18 is the outboard isolation valve for the reactor water cleanup system. The system is a closed-loop system outside containment with piping rated at 1250 psig and 575 degrees Fahrenheit. The isolation of this system is designed to protect the system demineralizer resins and as an isolation for a piping break outside containment. The success or failure of the resins will not affect the likelihood of core damage. The failure of the system piping without isolation would contribute to an intersystem loss of coolant accident. However, the likelihood that the system piping fails and an automatic isolation is not generated would be very low.
14. Valve MS-MO-77 is a 3-inch main steam line drain. The valve isolates a high pressure drain line heading back to the main condenser. The licensee stated that the failure to isolate this line would not result in a high enough loss of reactor coolant to affect the core damage frequency. However, the failure to close this valve could result in a transient that was not required by the fire scenario.
15. Valve RR-MO-53A is the discharge isolation valve for Reactor Recirculating Pump 1-A. The failure to close either this valve or Valve RR-MO-43A would result in a short circuit of the shutdown cooling flow to the reactor vessel. The performance deficiency did not apply to Valve RR-MO-43A; however, this valve must be manually operated inside containment.
16. Valve RHR-MO-921MV provides isolation of a 3-inch steam line heading to the augmented offgas system. Just downstream of the valve the piping reduces to a 1-inch diameter line. This line taps off the high-pressure coolant injection pump steam line and terminates in the main condenser high pressure drain header. Because this is a 1-inch line, the valve does not contribute to the large early release frequency except for postulated seismic events. Additionally, inventory losses would be minimal and not affect mitigating systems needed following the subject fire initiation. Finally, the line would be automatically isolated upon the isolation of the high pressure coolant injection pump steam line. However, the failure to close this valve could result in a transient that was not required by the fire scenario.
17. Valve HPCI-MO-14 provides isolation of the high pressure coolant injection system from the reactor coolant system. The failure to isolate this valve, when required, would result in reactor vessel level increasing in an uncontrolled manner, filling the steam lines and suppressing the steam to all steam driven equipment. This would have the consequence of increasing the core damage probability, because it would result in the loss of all high pressure systems.
18. Valve HPCI-MO-16 provides isolation of the high pressure coolant injection system from the reactor coolant system. The failure to isolate this valve, when required, would result in reactor vessel level increasing in an uncontrolled manner, filling the steam lines and suppressing the steam to all steam driven equipment. This would have the consequence of increasing the core damage probability, because it would result in the loss of all high pressure systems.
19. Valve RHR-MO-67 provides isolation of the residual heat removal system from radwaste. Post-fire instructions affecting this valve are to assist in placing shutdown cooling in service. Failure of this valve would delay placing shutdown cooling in service and act as a distraction to operators placing the plant in a safe shutdown condition.
20. The exposure time used for evaluating this finding should be determined in accordance with Inspection Manual Chapter 0609, Appendix A, 2, Site Specific Risk-Informed Inspection Notebook Usage Rules. Given that the performance deficiency was known to have existed for many years, the analyst used the 1-year of the current assessment cycle as the exposure period.
21. The fire damage postulated in the Fire Safe Shutdown Analysis and/or procedure actions to disable equipment will render equipment in a given fire zone unavailable for use as safe shutdown equipment.
22. The performance deficiency would have resulted in each of the demanded valves failing to respond following a postulated fire.
23. In accordance with the requirements of Procedure 5.4POST-FIRE, operators would perform the post-fire actions directed by the procedure following a fire in an applicable fire zone. Therefore, the size and duration of the fire would not be relevant to the failures caused by the performance deficiency.
24. Given Assumption 23, severity factors and probabilities of non-suppression were not addressed for postulated fires that did not result in main control room evacuation.
Post-Fire Safe Shutdown Calculations (Fire Areas Not Requiring Control Room Evacuation):
The Senior Reactor Analyst used the SPAR model for Cooper Nuclear Station to estimate the change in risk associated with fires in each of the associated fire scenarios (Table 1, Items 1 - 59) that were affected by the finding. Average unavailability associated with testing and maintenance of modeled equipment was assumed, and a cutset truncation of 1.0E-12 was used. For each fire zone of concern, the analyst calculated a baseline conditional core damage probability consistent with Assumptions 8, 9, 20 and 21.
For areas where the postulated fire resulted in a reactor scram, the frequency of the transient initiator, IE-TRANS, was set to 1.0. All other initiators were set to the house event FALSE, indicating that these events would not occur at the same time as a reactor scram. Likewise, for Fire Zone 3B, the frequency of the loss-of-offsite-power initiator, IE-LOOP, was set to 1.0 while other initiators were set to the house event FALSE.
Consistent with guidance in the RASP Handbook, including NRC document, "Common-Cause Failure Analysis in Event Assessment, (June 2007)," the baseline established for the fire zone, and Assumptions 22, 23, and 24, the SRA modeled the resulting condition following a postulated fire in each fire zone by adjusting the appropriate basic events in the SPAR model. Both the baseline and conditional values for each fire zone are documented in Table 1.
Post-Fire Remote Shutdown Calculations (Control Room Evacuation):
As documented in Assumption 4, the analyst used a value of 0.1 for the baseline conditional core damage probability (CCDPBASE) of a postulated fire leading to main control room evacuation. According to Cooper Nuclear Plant design and the Procedure 5.4FIRE-S/D, the five fire scenarios, numbered 60 - 64 in Table 1, result in a main control room evacuation.
As documented in Assumption 5, the analyst conservatively assumed that upon control room evacuation, operators would be unsuccessful in preventing core damage because of the failure to manipulate Valve RHR-MO-25B. This resulted in a conditional core damage probability (CCDPCASE) of 1.0. Given these assumptions, the change in core damage probability (CDP) for a postulated fire leading to main control room evacuation was calculated as follows:
$$
\begin{aligned}
\mathrm{CDP} &= \mathrm{CCDPCASE} - \mathrm{CCDPBASE} \\
&= 1.0 - 0.1 \\
&= 9.0 \times 10^{-1}
\end{aligned}
$$
This is the value used in the quantification of all postulated fires leading to control room evacuation as documented in Table 1, Scenario Numbers 60 - 64.
NUREG/CR-2258 provides that control room evacuation would be required because of thick smoke if a fire went unsuppressed for 20 minutes. Given Assumption 6 and assuming that a fire takes 2 minutes to be detected by automatic detection and/or by the operators, there are 18 minutes remaining in which to suppress the fire prior to main control room evacuation being required.
NRC Inspection Manual Chapter 0609, Appendix F, Table 2.7.1, Non-suppression Probability Values for Manual Fire Fighting Based on Fire Duration (Time to Damage after Detection) and Fire Type Category, provides a manual nonsuppression probability (PNS) for the control room of $1.3 \times 10^{-2}$ given 18 minutes from time of detection until time of equipment damage.
In accordance with Manual Chapter 0609, Appendix F, Task 2.3.2, the analyst used a severity factor (SF) of 0.1 for determining the probability that a postulated fire would be self-sustaining and grow to a size that could affect plant equipment.
Using these values, the analyst calculated the main control room evacuation frequency for fires in the main control room (FEVAC) as follows:
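$$
\begin{aligned}
\mathrm{FEVAC} &= \mathrm{PFIF} \times \mathrm{SF} \times \mathrm{PNS} \\
&= 1.09 \times 10^{-2}/\mathrm{yr} \times 0.1 \times 1.3 \times 10^{-2} \\
&= 1.42 \times 10^{-5}/\mathrm{yr}
\end{aligned}
$$
This value is listed in Table 1, Scenario Number 64.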
In accordance with Procedure 5.4FIRE-S/D, operators are directed to evacuate the main control room and conduct a remote shutdown for fires in any of the areas documented in Assumption 7 if plant equipment spuriously actuates/deenergizes or if instrumentation becomes unreliable. Therefore, for all scenarios except a postulated fire in the main control room, the probabilities of nonsuppression by automatic and by manual means are documented in Table 1, Scenario Numbers 60 - 63, Columns 11 and 12.
Qualitative Factors:
Several of the assumptions above were bounding in nature based on best-available information. Refinements may be possible based on additional information. The assumptions most likely to affect the CDF are documented below:
- Assumption 5: The analyst had assumed that following a main control room evacuation, the scenarios would go to core damage based on the complications resulting from the performance deficiency.
A more detailed evaluation of Procedure 5.4FIRE-S/D could provide additional insights into the complexities of remote shutdown. It is possible that additional success paths could be identified despite the performance deficiency, which would serve to decrease the overall risk of the subject finding.
- Assumption 9: The analyst had assumed that all postulated fires result in an initiating event.
This assumption was necessary due to lack of detailed information, but was reasonable because many fires will either cause or indicate the need to shut down the plant. There are expected to be some fire areas where it is not possible for a fire to cause a reactor scram. Fire modeling and evaluation of postulated fire sources versus targets would most likely reduce the overall risk of the subject finding.
- Assumption 21: The analyst assumed that equipment affected by a postulated fire in a given fire zone would always be unavailable for use in effecting safe shutdown.
This assumption provides a bounding case for the evaluation of the subject finding. Fires that may affect plant equipment and the associated safe shutdown procedures may drive operators to abandon equipment within the fire zone as a post-fire strategy. However, more realistic evaluations may identify cases where some of that equipment will not be affected by the fire and would continue to be functional following a postulated fire. Fire modeling and evaluation of postulated fire sources versus targets would help indicate the equipment that might survive certain fire scenarios. Once identified, a human reliability analysis could indicate the probability that operators or other plant recovery personnel would identify and use equipment that was not damaged by fire, if needed. Such action would tend to reduce the overall risk of the subject finding.
- Assumption 23: The analyst had assumed that operators would perform post-fire actions directed by procedures for all postulated fires in the applicable fire zones.
This assumption was used as a bounding case evaluation. However, the initiating event frequency included some fires that would not be of sufficient intensity to cause such fire damage as the bounding case assumed. In these cases, it is possible that operators would make an informed decision not to shut down the plant. Fire modeling and evaluation of postulated fire sources versus targets might reduce the overall risk of the subject finding.
It should be noted that any evaluation of these fires would not be independent of that conducted for Assumption 9. Therefore, the effect on overall risk may not be cumulative.
- Assumption 24: The analyst assumed that severity factors and non-suppression probabilities should not be addressed for fires outside the main control room.
This simplifying assumption was for bounding purposes in evaluation of the subject finding. Fire modeling and evaluation of postulated fire sources versus targets may reduce the overall risk of the subject finding.
It should be noted that any evaluation of these fires would not be independent of that conducted for Assumptions 9 and 23. Therefore, the effect on overall risk may not be cumulative.
Conclusions:
The analyst concluded that the preliminary significance of the subject finding was Greater Than Green. As documented in Table 1, the analyst calculated that the bounding CDF for this performance deficiency was near the Red/Yellow border.
However, the qualitative factors that were not included in the quantitative analysis indicate that the actual change in risk would likely be less than Red.
Additional information and analysis, including detailed fire modeling of the significant fire areas, would be required to refine these results. Based on the information available, this issue will be treated as Greater Than Green, subject to further analysis to determine the final significance.
Fire Area/ Scenari Estimated OMA Additional Scenario Ignition Estimated Shutdow Area/ o Base Case delta-CDF Consider Methods or Descripti Frequen Comment Delta-n Zone Numbe CCDP CCDP Contributi ed from Assumptio on cy CDF Strategy r on the SDP ns RHR A Shut RB-CF 8.62E- 1.30E- HPCI-MO-1C 1 Pump 2.94E-03 3.57E-05 Bounding 1.33E-04 02 14 Room HPCI-2.76E- 1.28E-2A/2C 2 MCC K 3.02E-03 3.03E-07 MO-16 Realistic 9.83E-05
and 2.76E- 1.28E- RHR-MO-MCC Q 3.93E-03 3.95E-07
921 and 2.76E- 1.28E- RWCU-MCC R 3.43E-03 3.44E-07 04 MO-18 1.12E- 1.21E- and MS-MCC RB 1.62E-03
1.46E-07 MO-77 Note :
SAPHIRE 1.12E- 1.21E-MCC S 2.23E-03
2.01E-07 only 1.12E- 1.21E- allows for MCC Y 3.83E-03 3.45E-07 03 one 2.76E- 1.28E- initiator to Panel AA3 9.98E-04 1.00E-07
be set to 1.12E- 1.21E-Panel BB3 9.98E-04
8.98E-08 1.0 since Assumed it won't RCIC 5.27E- 8.27E-RCIC fails subsume Starter 1.32E-03 1.02E-07 due to fire if multiple
Rack in this scenario initiators Assumed Div 1 of 250V Div 2.76E- 1.28E- 250V dc 5.10E-04 5.12E-08 1 Rack 05 04 fails due to fire in this scenario Assumed Div 2 of 250V Div 1.12E- 1.21E- 250V dc 2.09E-04 1.88E-08 2 Rack 03 03 fails due to fire in this scenario
Fire Area/ Scenari Estimated OMA Additional Scenario Ignition Estimated Shutdow Area/ o Base Case delta-CDF Consider Methods or Descripti Frequen Comment Delta-n Zone Numbe CCDP CCDP Contributi ed from Assumptio on cy CDF Strategy r on the SDP ns ASD 1.12E- 1.21E-3.02E-04 2.72E-08 Panels 03 03 7A 14 6.74E-03 1.02E-07 7B 15 1.36E-03 2.05E-08 Open RPS 2.05E- 2.85E- RHR-MO-8C 16 4.15E-03 3.33E-08 CB-A Room 1A 05 05 25B 8D 17 2.42E-03 3.65E-08 and RHR-MO-67 Hallway 2.05E- 2.85E- Method 10B 18 (used CB 1.09E-02 8.74E-08 05 Used corridor)
DC Open Switchgea 3.43E- 3.08E- RHR-MO-8H 19 4.27E-03 2.34E-06 0.2 r 04 03 17, RHR-CB-A-1 Rm 1A MO-25B, Battery 8.74E- 1.03E- and RHR-8E 20 2.25E-03 7.02E-10 0.2 Room 1A 06 05 MO-67 DC Switchgea 1.90E- 5.16E-8G 21 4.27E-03 2.78E-06 Open 0.2 r 03 03 CB-B RHR-MO-Rm 1B 25A Battery 4.81E- 5.73E-8F 22 2.25E-03 4.14E-10 0.2 Room 1B 06 06 8B 23 4.15E-03 6.27E-08 Open RHR-MO-RPS 17, RHR-CB-C 1.53E-8C 24 Room 1A 4.15E-03 6.35E-09 MO-25A, and RHR-MO-67 Open RHR-MO-Auxiliary Use 5.87E- 6.62E- 17, RHR-CB-D 8A 25 Relay 4.02E-03 3.02E-06 5.4FIRE-03 MO-25A, Room S/D and RHR-MO-67
Fire Area/ Scenari Estimated OMA Additional Scenario Ignition Estimated Shutdow Area/ o Base Case delta-CDF Consider Methods or Descripti Frequen Comment Delta-n Zone Numbe CCDP CCDP Contributi ed from Assumptio on cy CDF Strategy r on the SDP ns Assume LOOP with CR Cable Evacuation 5.87E- 6.62E-9A 26 Spreading 6.39E-03 4.79E-06 - EDG-2
Room avail. and uses 5.4FIRE-S/D Assume LOOP with CR Open Evacuation Control 5.87E- 6.62E-10B 27 1.09E-02 8.18E-06 RHR-MO- - EDG-2 Room 03 03 25B avail. and uses 5.4FIRE-S/D Assume LOOP with CR Cable Evacuation 5.87E- 6.62E-9B 28 Expansion 6.89E-04 5.17E-07 - EDG-2
Room avail. and uses 5.4FIRE-S/D Will failing to isolate Shut RR-MO-HPCI-MO-RB-DI RHR Hx 1.41E- 9.03E- 53A impact 2D 29 6.70E-04 5.11E-08 14 (SW) Room B 05 05 LPCI and RR-injection for MO-53A.
non-LOCA scenarios?
Fire Area/ Scenari Estimated OMA Additional Scenario Ignition Estimated Shutdow Area/ o Base Case delta-CDF Consider Methods or Descripti Frequen Comment Delta-n Zone Numbe CCDP CCDP Contributi ed from Assumptio on cy CDF Strategy r on the SDP ns RHR B/HPCI 8.32E- 1.37E-1D/1E 30 4.28E-03 2.30E-05 Pump 03 02 Room CRD 1.40E- 1.40E-2.32E-02 0.00E+00 Room 05 05 2.76E- 1.28E-MCC K 3.02E-03 3.03E-07 04 Will failing 2.76E- 1.28E- to isolate MCC Q 3.93E-03 3.95E-07 RR-MO-
2.76E- 1.28E- 53A impact MRR R 3.43E-03 3.44E-07 LPCI
1.12E- 1.21E- injection for MCC RB 1.62E-03 1.46E-07 non-LOCA
scenarios?
1.12E- 1.21E- Shut MCC S 2.23E-03 2.01E-07 Making 03 HPCI-MO-RB-DI conservativ 1.12E- 1.21E- 14 (SE) 37 MCC Y 3.83E-03 3.45E-07 e 03 and RR-assumption 2A/2C 2.76E- 1.28E- MO-53A.
Panel AA3 9.98E-04 1.00E-07 s that the 04 same 1.12E- 1.21E- damage is Panel BB3 9.98E-04 8.98E-08 03 carried RCIC through all 5.27E- 8.27E-Starter 1.32E-03 1.02E-07 scenarios
Rack in this 250V Div 2.76E- 1.28E- zone.
5.10E-04 5.12E-08 1 Rack 05 04 250V Div 1.12E- 1.21E-2.09E-04 1.88E-08 2 Rack 03 03 ASD 1.12E- 1.21E-3.02E-04 2.72E-08 Panels 03 03 RPS 1.40E- 1.40E- Method 4.15E-03 0.00E+00 Room 1A 05 05 Used Open RHR-MO-Switchgea 3.04E- 1.41E- 17, RHR-RB-J 3A 45 3.71E-03 1.02E-06 0.2 r Rm 1F 05 03 MO-25B, and RHR-MO-67
Fire Area/ Scenari Estimated OMA Additional Scenario Ignition Estimated Shutdow Area/ o Base Case delta-CDF Consider Methods or Descripti Frequen Comment Delta-n Zone Numbe CCDP CCDP Contributi ed from Assumptio on cy CDF Strategy r on the SDP ns Open LOOP -
Switchgea 1.77E- 1.77E-RB-K 3B 46 3.71E-03 0.00E+00 RHR-MO- Licensee r Rm 1G 02 02 25A Identified Conservati Open 3C/3D/3 RB Elev 7.06E- 8.99E- ve 1.13E-02 2.18E-08 RHR-MO-E 932 06 06 Assumptio RB-M 17 and n
RHR-MO-RHR Hx 7.06E- 8.99E- 25B 2B 48 6.70E-04 1.29E-09 Room A 06 06 3C/3D/3 RB Elev 1.22E- 1.38E-1.13E-02 1.81E-08 Open E 932 05 05 RB-N RHR-MO-RHR Hx 1.22E- 1.38E- 25A 2D 50 6.70E-04 1.07E-09 Room B 05 05 Open Condense 4.83E- 6.20E- RHR-MO-TB-A 11D 51 3.10E-03 4.25E-09 r Pit Area 06 06 17, RHR-MO-25A, Reactor 4.83E- 6.20E- and RHR-11E 52 Feedpump 6.25E-03 8.56E-09 06 MO-67 Area Pipe 4.83E- 6.20E-11L 53 6.70E-04 9.18E-10 Chase 06 06 Condense r and 4.83E- 6.20E-12C 54 3.27E-03 4.48E-09 Heater 06 06 Bay Area TB Floor 4.83E- 6.20E-12D 55 3.45E-03 4.73E-09 903 06 06 Turbine 4.83E- 6.20E-13A 56 Operating 5.76E-03 7.89E-09
Floor Non-critical 4.83E- 6.20E-13B 57 3.79E-03 5.19E-09 Swgr 06 06 Room Electric 4.83E- 6.20E-13C 58 8.56E-04 1.17E-09 Shop 06 06
Fire Area/ Scenari Estimated OMA Additional Scenario Ignition Estimated Shutdow Area/ o Base Case delta-CDF Consider Methods or Descripti Frequen Comment Delta-n Zone Numbe CCDP CCDP Contributi ed from Assumptio on cy CDF Strategy r on the SDP ns 4.83E- 6.20E- Cable Fires with 10 minutes to 13D 59 I&C Shop 8.90E-04 1.22E-09 Suppression Manual 06 Damage 1.00E- 1.00E+0 2A-1 60 RB-FN 1.16E-02 5.57E-06 2.00E-02 2.40E-01 NOT Bounding!
Auxiliary 1.00E- 1.00E+0 8A 61 Relay 2.01E-04 4.82E-06 1.00E+00 2.40E-01
Room Cable 1.00E- 1.00E+0 EVAC 9A 62 Spreading 2.05E-04 2.46E-07 5.00E-02 2.40E-01
Room Cable 1.00E- 1.00E+0 9B 63 Expansion 3.45E-04 1.66E-07 2.00E-02 2.40E-01
Room Control 1.00E- 1.00E+0 10B 64 1.42E-05 1.42E-06 1.00E+00 1.00E+00 Room 01 0 Evac Prob
Enforcement.
10 CFR Part 50, Appendix B, Criterion V, Instructions, Procedures, and Drawings, requires that activities affecting quality shall be prescribed by documented instructions, procedures, or drawings, of a type appropriate to the circumstances and shall be accomplished in accordance with these instructions, procedures, or drawings.
Emergency Procedure 5.4 POST-FIRE, Post-Fire Operational Information, and Emergency Procedure 5.4 FIRE-S/D, Fire Induced Shutdown From Outside the Control Room, are designated as quality-related procedures used to implement operator actions to safely shut down the plant in response to a fire.
Procedure 0.4A, Procedure Change Process Supplement, provides administrative controls over the procedure change process. This procedure requires verification and validation to be performed periodically, when writing a new procedure, when significant changes are made to sequencing of complex steps in existing procedures, and when infrequently used procedures are written or changed. Verification and validation efforts are defined in this procedure as actions to confirm that the procedure steps are usable, accurate, contain the appropriate level of detail, and equipment labels and markings correspond to the actual hardware, and satisfy plant design and licensing basis.
Procedure 0.4A applies to changes to Emergency Procedures 5.4POST-FIRE and 5.4FIRE-S/D.
Contrary to the above, between 1997 and June, 2007, the licensee failed to ensure that Emergency Procedure 5.4POST-FIRE and Emergency Procedure 5.4FIRE-S/D were appropriate to the circumstances. Specifically, the licensee changed these procedures to add steps that were inappropriate to the circumstances because they would not work as written. The licensee failed to properly verify and validate procedure steps in these procedures when the procedure changes were made and on multiple occasions between 1997 and June, 2007. The inadequate steps affected operation of 10 motor operated valves. This finding will be treated as an apparent violation. (AV 05000298/2008007-01, Apparent Violation for Two Inadequate Procedures Used for Safe Shutdown.) (EA-070204)
Discussion of the Applicability of Enforcement Discretion
Cooper Nuclear Station has committed to adopt NFPA 805 as allowed by 10 CFR 50.48(c). The NRC Enforcement Policy provides the NRC the option to grant enforcement discretion for certain violations of the requirements in 10 CFR 50.48, Fire Protection, (or fire protection license conditions) that are identified as a result of the transition to a new risk-informed, performance-based fire protection approach included in 10 CFR 50.48(c). Violations identified during the transition process must meet all of the following criteria to qualify for discretion:
- (1) It was licensee-identified as a result of its voluntary initiative to adopt the risk-informed, performance-based fire protection program included under 10 CFR 50.48(c) or, if the NRC identifies the violation, it was likely in the NRC staff's view that the licensee would have identified the violation in light of the defined scope, thoroughness, and schedule of the licensee's transition to 10 CFR 50.48(c) provided the schedule reasonably provides for completion of the transition within three years of the date of the licensee's letter of intent to implement 10 CFR 50.48(c) or other period granted by NRC;
- (2) It was corrected or will be corrected as a result of completing the transition to 10 CFR 50.48(c). Also, immediate corrective action and/or compensatory measures are taken within a reasonable time commensurate with the risk significance of the issue following identification (this action should involve expanding the initiative, as necessary, to identify other issues caused by similar root causes);
- (3) It was not likely to have been previously identified by routine licensee efforts such as normal surveillance or quality assurance (QA) activities; and
- (4) It was not willful.
The NRC Enforcement Policy also states, "The NRC may take enforcement action when these conditions are not met or when a violation that is associated with a finding of high safety significance is identified."
The NRC concluded that the circumstances surrounding this issue did not meet Criterion 3 for exercising enforcement discretion because the licensee's routine efforts and processes should have identified this problem. Specifically, the licensee's routine Quality Assurance (QA) audits, self-assessment activities, and corrective actions for two previous violations should have caused the licensee to identify this issue. The following routine activities should have caused the licensee to have identified this finding:
- Relationship Of QA Audits And Self-Assessment Activities To This Finding.
The licensee performed Quality Assurance audits of the fire protection program in 2004 and 2007, prior to the last two triennial fire protection inspections. These activities failed to identify this issue, even though the 2007 audit specifically reviewed fire response manual action feasibility, and included one of the fire areas affected by this finding. The 2007 audit specifically reviewed the adequacy of corrective actions for the 2004 triennial fire protection inspection findings, but failed to identify that the violation was not corrected for RHR-MO-25B. A reasonably thorough review during these routine QA activities should have been sufficient to identify a problem such as this, as it was not a subtle issue.
In addition, CNS fire protection personnel, with contractor assistance, performed a separate manual action feasibility review in May 2007, using the NRC's inspection guidance and failed to identify this problem. This self-assessment included a review of the adequacy of corrective action for the 2004 NCV. This self-assessment stated:
"Procedure 5.4POST-FIRE has been validated per Procedure 0.4A, Revision 11, Validation Check Sheets. This was a walkdown validation and was very comprehensive. This validation identified several changes which were needed to address changes in plant operation over the past several years...," and that the procedure was extensively reformatted, but because the changes did not change the technical content, no field verifications were performed. The licensee stated that these starter cabinet procedure steps were added in 1997 as part of a validation effort, and had been validated again in 2004, without any discrepancies being noted. The licensee subsequently determined that there were no modifications made which rendered the procedure inaccurate.
The licensee's root cause evaluation for this finding, documented in Condition Report 2007-04155, noted:
- From information obtained from interviews, when a walk-through validation is done, it has been common practice at CNS to not open certain electrical cabinets containing switchgear or other electrical components. These cabinets are not opened for reasons of safety, or to minimize risks associated with disturbing items that could result in transients, trips, or scrams. This was the case when 5.4 POST-FIRE was validated at various times prior to 2007 Triennial Inspection.
The cabinets that supposedly contained the control power fuses for the items listed in Table 2 were not opened. Consequently, the actual existence of the control power fuses was not verified. The fuses were presumed to exist inside the closed cabinet since the procedure said they were there.
- It goes on to state: "Because of the various 'do not open' cabinets associated with components involved in the 5.4POST-FIRE procedure, a complete walk-through validation of 5.4POST-FIRE had essentially never been done until the 2007 Triennial Inspection. In effect, the simulation of procedural steps that involve components inside a 'do not open' cabinet have been exempted in a walk-through validation."
- The root cause concluded that, because of multiple deficiencies identified during the root cause evaluation, the manual action walkdowns as performed could not identify Emergency Procedure 5.4POST-FIRE manual action deficiencies.
- Several opportunities existed which could have identified Emergency Procedure 5.4 POST-FIRE deficiencies prior to the 2007 Triennial Inspection.
Also, the licensee noted that they failed to identify and correct the steps currently being discussed despite having an action in CR 2004-03034 to evaluate the feasibility of all Procedure 5.4Post-Fire manual actions against the NRC inspection guidance.
- Relationship Of The Corrective Action Process To This Finding.
The corrective action process is considered by the NRC to be a routine licensee effort.
The following information is evidence that the licensee should have identified the current violation in addressing a similar violation from the previous fire protection inspection.
As discussed above, the licensee did not perform adequate corrective actions for the NCV 2004008-02 for valve RHR-MO-25B. The effort to correctly label the contactors should have resulted in identifying that the procedure steps did not work for this valve.
Similarly, while the licensee was addressing NCV 2008-01, they performed a feasibility review for the actions of Emergency Procedure 5.4POST-FIRE, which should have resulted in identifying that the procedure steps did not work for all 10 valves affected by this finding.
In response to the current issue, the licensee performed a root cause evaluation, which reached the same conclusion:
- Condition Report 2007-04155 documented that several opportunities existed which could have identified the Emergency Procedure 5.4Post-Fire deficiencies.
- Condition Report 2007-04155 concluded that the licensee failed to identify and correct the procedure steps affected by this finding despite having an action in CR 2004-03034 to evaluate the feasibility of all Procedure 5.4Post-Fire manual actions against the NRC inspection guidance.
The Federal Register Notice which discusses the Interim Enforcement Discretion Policy (dated 6/16/04) states: "This interim enforcement policy is consistent with the long-standing policy included in Section VII.B.3, 'Violations Involving Old Design Issues,' of the Enforcement Policy addressing discretion when licensees voluntarily undertake a comprehensive review and assessment. This exercise of discretion provides appropriate incentives for licensees initiating efforts to identify and correct subtle violations that are not likely to be identified by routine efforts." This is clearly not the case with this finding, since these procedure problems were neither hard to find, nor subtle old design issues. These deficiencies are representative of current performance.
4OA5 Other Activities
.1 (Closed) Unresolved Item 05000298/2007008-01: Inadequate Post-Fire Safe Shutdown Procedures.
The issues from this unresolved item are addressed in Section 1R05 above, which is being dispositioned as an Apparent Violation 05000298/2008007-01. This URI is closed.
.2 (Closed) Licensee Event Report 05000298/2007-005-00: Inadequate Post Fire Procedure Could Have Prevented Achieving Safe Shutdown.
This licensee event report discusses the finding documented and dispositioned in Section 1R05 of this inspection report. No additional issues were raised in that report.
4OA6 Management Meetings
Debrief Meeting Summary
On March 3, 2008, the team leader presented the inspection results to Mr. M. Colomb, General Manager of Plant Operations, and other members of licensee management.
During this meeting, the licensee indicated that they intended to request that the NRC staff reconsider the application of enforcement discretion via a docketed letter. The basis for this request was not provided during this meeting. The team confirmed that no proprietary information was reviewed during the inspection.
Exit Meeting Summary
The team leader presented the inspection results to M. Colomb, General Manager of Plant Operations, and other members of licensee management at the conclusion of the inspection in a conference call on March 18, 2008.
ATTACHMENT:
SUPPLEMENTAL INFORMATION
KEY POINTS OF CONTACT
Licensee
- V. Bharbwas, Engineering Support Manager
- K. Billesbach, Quality Assurance Manager
- M. Colomb, General Manager of Plant Operations
- J. Dykstra, Electrical Programs Engineering Supervisor
- R. Estrada, Corrective Action & Assessments Manager
- J. Flaherty, Senior Staff Licensing Engineer
- P. Fleming, Director of Nuclear Safety Assurance
- J. Furr, Assistant Outage Manager
- V. Furr, Risk Management Engineer
- D. Hitzel, Operations
- G. Kline, Director of Engineering
- C. Long, Fire Protection System Engineer
- G. Mace, Nuclear Assessment Manager
- M. Matheson, Senior Staff Engineer - Design Engineering
- K. Millesbach, Quality Assurance Manager
- S. Minahan, Vice-President-Nuclear and CNO
- R. Shaw, Operations Shift Manager
- T. Shudak, Fire Protection Program Engineer
- R. Stephan, Risk Assessment Engineer
- K. Sutton, Risk Management Supervisor
- D. VanDerKamp, Licensing Supervisor
- D. Willis, Operations Manager
NRC
- N. Taylor, Senior Resident Inspector
LIST OF ITEMS OPENED, CLOSED, AND DISCUSSED
Opened
- 05000298/2008007-01 AV Inadequate Post-Fire Safe Shutdown Procedures (Section 1R05)
Opened and Closed
None
Closed
- 05000298/2007008-01 URI Inadequate Post-Fire Safe Shutdown Procedures (Section 4OA5.1)
- 05000298/2007005-00 LER Inadequate Post Fire Procedure Could Have Prevented Achieving Safe Shutdown (Section 4OA5.1)
Discussed
None