ML20151A751
| ML20151A751 | |
| Person / Time | |
|---|---|
| Site: | Limerick  |
| Issue date: | 04/04/1988 |
| From: | Kowalski S PECO ENERGY CO., (FORMERLY PHILADELPHIA ELECTRIC |
| To: | Russell W NRC OFFICE OF INSPECTION & ENFORCEMENT (IE REGION I) |
| References | |
| 215, NUDOCS 8804070225 | |
| Download: ML20151A751 (7) | |
Text
,
o PHILADELPHIA ELECTRIC COMPANY 2301 M ARKET STREET P.O. BOX 8699 PHILADELPHI A. PA,19101 u ni.u.au APR 4 1988 S. J. KOW ALSKI Vic E PR EllOENT mens as see ass eine Mr. William T. Russell Regional Administrator U. S. Nuclear Regulatory Ccmnission Region 1 Attn: Doctrnent Control Desk Washington, DC 20555
Subject:
Significant Deficiency Report No. 215 Appendix R Safe Shutdown Capability Fire Area 75 Lirnerick Generating Station, Unit 2 NRC Construction Permit No. CPPR-107
References:
a) Interim Report dated December 2, 1987 b) 10CFR 50.73 Report (LER) dated November 18, 1987 c) Reply to Notice of Violatlon, J. S. Kemper, PECo to W. T. Russell, USNRC dated February 5, 1988 File:
QUAL 2-10-2 (SDR No. 215)
Dear Mr. Russell:
In ccinpilance with 10CFR50.55(c), we are submitting our final Signif! cant Deficiency Report concerning the subject Appendix R Safe Shutdcwn Capability for Fire Area 75.
An interim report (reference a) was previously submitted to your office.
The attached final report also addresses the results of the corrective actions taken for Unit 1 as identlfled in the License Event Report and the Reply to Notice of Violation (references b and c).
We trust that this satisfactorily resolves the item.
If further information is required, please do not hesitate to contact us.
Sincerely, s
DMS/ss/03118801
\\
AttactTnent opy to: Addressee United States Nuclear Regulatory Ccmnission y
j Region 1 j
631 Park Avenue f
King of Prussia, PA 19406 lk \\
E. M. Kelly, LGS Senior Resident Site Inspector, Unit 1
\\
r hskent S he Innctor, M 2 j
8804070225 8804i[4-n PDR ADOCK 05000353 q
Significant Deficiency Report - SDR No. 215 Appendix R Safe Shutdown Capability Fire Area 75 Limerick Generating Station, Unit 2 NRC Construction Permit No. CPPR-107 I
i Description of Deficiency Section 3.2.1, Item 17 of the Limerick FPER (Fire Protection Evaluation Report) commits to identifying and analyzing all non-Class lE circuits where failure could affect operation of safe shutdown equipment.
Contrary to the commitment, cables 20M014 B(C,D,E), 20M015 B(C,D,E), 20M016 B(C,D,E), and 20M017 B(C,D,E) were not properly evaluated during the performance of the Limerick Safe Shutdown Fire Analysis.
Because these cables were i
not properly identified and analyzed as safe shutdown cables, the effect of a fire on these cables was not considered.
These cables are all located in Fire Area 75, the Service i
Water Pipe Tunnel.
An Appendix R design basis fire in that area is assumed to cause shorting between the internal conductors of these cables which would cause spurious trip signals to all four diesel generators (D/G's).
These trip signals would occur via the fire suppression system accuation trip shown on Drawing 8031-E-591, Sheet 2.
]
Had Limerick Unit 2 been in operation, and an Appendix R fire in Fire Area 75 occurred, Shutdown Methods A, B, and R would have still been available.
Required operator action to restore the D/G's would have been to:
- 1) trip the power source breaker to the fire suppression trip circuit at Panel 20Y202, 2) reset the D/G trip signal at the local D/G control panel, and 3) manually restart the D/G via the control switch either in the control room or at the D/G local panel.
These actions would not be required for more than several hours after the D/G's tripped because the 1
DC systems used to achieve and maintain hot shutdown via Shutdown Methods A, B and R would be unaffected within this scenario.
Had these cables been identified properly in the original associated circuit analysis, the above steps to restore D/G l
operation would have been incorporated into the appropriate Special Events procedures when they are written.
During the identification of safe shutdown cables and the
]
associated circuit analysis, all cable failures that could have caused safe shutdown equipment to be disabled were to be identified.
Tr3 basis used to exclude these associated circuits from the safe shutdown cable database was that if non-safe shutdown cables were isolated from the safe shutdown cables via a Class lE isolation device, then their failure could not propagate back into the safe shutdown circuitry.
In the case of the D/G l
fire protection flow switch circuitry, the non-Class lE flow I
switch circuit was wired to the coil of the Class lE isolation relay, and the Class lE D/G trip circuit was wired to the relay l
. l contact.
The non-Class lE labeling of the cable led the safe shutdown reviewer to erroneously conclude that electrical isolation was provided.
However, this configuration does not provide isolation because it does not p*teclude the non-Class lE 4
circuit from functionally affecting the Class lE circuit.
The same situation was identified on the Unit 1 D/G circuits i
and was reported to the NRC via an LER dated November 18, 1987.
4 1
The cables of concern for Unit 1 are 10M014 B(C,D,E), 10M015 B(C,D,E), 10M016 B(C,D,E), and 10M017 B(C,D,E).
Corrective Action As permanent corrective action, for both units, the D/G control circuits have been redesigned to remove the fire suppression flow switch trip signal.
These trips have already been removed on Unit 1 under Modification 87-5457.
In addition, as action to prevent recurrence, we have re-reviewed the electrical schematic drawings and the application of Class lE isolation relays at Limerick Units 1 and 2 to ensure that the funtional association which occurred in the D/G fire protection flow switch circuitry is a unique case.
The criteria for safe shutdown cable selection has also been reviewed to verify its adequacy.
Safety Implications The modification to remove the D/G fire protection flow switch eliminates an automatic D/G trip from occurring should the fire suppression system actuate or an Appendix R fire occur in Fire Area 75.
The consequences of this modification have been i
reviewed, and it has been determined that this modification will not jeopardize the ability of the D/G's to perform their safety function.
l A Class lE/non-Class lE relay interface review was performed i
j to determine the effects of the root cause deficiency.
All safety related and most non-safety related relay coils and their
]
output contacts and the input contacts to all safety related relay coils were reviewed with respect to the classification of the circuits to which they are connected.
Pour relay coil and i
contact arrangements were defined j
1) a non-Class lE coil with non-Class lE contacts, 2) a non-Class lE coil with Class lE contacts, with or
.l without non-Class lE contacts, 3) a Class lE coil with Class lE contacts, and j
4) a Class lE coil with non-Class lE contacts, with or without Class lE contacts.
With respect to the particular deficiency discussed above, the D/G fire protection flow switch circuitry contains a relay t
i
i I
j j
which, prior to corrective action, would have been identified as f
an arrangement 2.
)
Further, the relay interface review identified five arrangement 2 cases, per unit, in addition to the D/G fire i
protection flow switch case.
These cases have been evaluated and i
determined to be acceptable because they do not degrade the Class
)
1E system nor prevent safe shutdown in the event of a fire.
A e
i tabulation of each case follows.
l 4'
Case 1
]
Reference Drawings: E-392 Relay Numbers:
27-A(B,C,D)Y24801 59-A(B,C,D)Y24801 i
81-A(B,C,D)Y24801 f
Coil Function:
Protective relays that are energized on
[
undervoltage, overvoltage, and underfrequency conditions on the power supplies to the RPS and UPS distribution panels.
i Contact Function:
Provide signal to shunt trip coil to RPS and UPS distribution panel feeder breakers.
{
j Significance Even though the coils of these relays are 1
in a non-Class lE scheme the relays are j
qualified.
There are two redundant sets i
)
of relays on each of the RPS power l
l supplies.
Because the relays are i
j protective relays, there is no failure of 1
the non-Class lE scheme that would
(
)
prevent the relays from performing their l
l trip function.
The failure of one of the redundant relays in the energized
}
position would trip the RPS panel power l
supply and would result in a half scram.
i Failure of one of the protective relays t
{
in the de-energized position would net
]
prevent the redundant, qualified relay from tripping the power supply on undervoltage, overvoltage or l
underfrequency conditions,
~i Case 2 l
Reference Drawinge E-464 sheets 2 and 3 Relay Numbers:
105-11708 l
105-11808 Coil Function:
Auxiliary relays that are energized as part of logics that provide a start signal for drywell chillers.
i Contact Function:
Provide close signal to the drywell l
chiller feeder breakers on energization and provide trip signal to the drywell I
chiller feeder breakers on de-energization.
Significance:
The failure of the relay in the energized position closes the drywell breaker enabling the chiller to operate.
The i
failure of the relay in the de-energized position trips the drywell chiller breaker disabling chiller operation.
The drywell chillers are not safety related.
If the chillers were operating at the
[
time of an accident (LOCA) signal, the breaker would trip as designed.
The failure of the chillers to operate during l
other accident conditions is not a safety f
concern because the drywell chillers are i
not required for safe shutdown or to
}
mitigate the consequences of an accident.
l The failure of the chillers to operate j
during normal operating conoitions could result in the plant being shutdown due to excoeding the Technical Specification i
limits for average drywell temperature.
l This parameter is monitored in the Control Room.
[
t Case 3 j
Reference Drawings: M71-48(5)
M71-65(5)
E-591 sheet 2 Relay Numbers:
M2A M4A 74AC Coil Function:
Auxiliary relays that are energized by the overload heaters for the standby jacket cooling pump motor and the standby lube oil pump motor, and loss of 480V power to D/G auxiliaries.
.s
' Contact Function:
Provide annunciation of overload of standby jacket cooling pump motor, overload of standby lube oil pump motor and loss of 480V power to D/G auxiliaries.
Significance:
The failure of the relays in the energized position will erroneously activate alarms on the D/G alarm panels.
I The failure of the relays in the de-energized position will prevent annunciation of an overload condition on either of the auxiliary pumps and a loss of AC power to the D/G auxiliaries if any of these conditions should occur.
The D/Gs are designed to provide emergency power to the safeguard buses within ten seconds of receiving an emergency start signal, and can perform this safety function with the failure of these relays in any position.
Therefore, the D/G annunciators and the auxiliaries affected by the subject relays are not required for the D/Gs to perform their safety function.
Case 4 Reference Drawings: E-171 E-160 sheet 2 Relay Numbers:
186-11502 (09) 186-11602 (09) 186-11702 (09) 186-11802 (09)
Coil Function:
Auxiliary lockout relays which are energized by the safeguard transformer primary relay protection (differential current).
Contact Function:
Provide trip signal and interlock to close coil of the feeder breakers associated with each Class lE 4kV bus.
Significance:
The failure of the relays in the energized position would trip and isolate the preferred offsite power supply and transfer the bus to either the alternate offsite power supply, if available, or to the D/G, the safety related power supply
- to the bus.
The failure of the relay in the de-energized position would remove the differential protection from the safeguard transformer and leave it vulnerable; however, the differential protection is backed up by the overcurrent protection scheme which is Class lE.
Case 5 Reference Dravings: E-509 sheets 1,2 and 3 Relay Numbers:
03-0V247W (X,Y,Z)
Coil Function:
The relay coil is energized by a pressure switch that detects increasing carbon dioxide pressure for the Cardox system in the Cable Spreading Room.
Contact Function:
Energize auxiliary relays that will close steam isolation dampers to the Cable Spreading Room.
Significance:
The failure of the relay in the energized position will close the Control Enclosure steam flooding dampers which is the safe position allowing the Cardox system to suppress a fire.
the failure of the relay in the de-energized position would not prevent the steam flooding dampers from performing their function because redundant circuit components will ensure damper closure.
The above arrangement 2 cases are acceptable because:
- 1) the relays are qualified and their contacts provide isolation between Class lE and non-Class lE circuits and 2) no failure of the non-Class lE circuit (fire related or otherwise as specifically described above) can degrade the Class 1E system nor prevent any safeguard equipment from performing its safety function.
In addition, the safe shutdown cable database selection criteria was reviewed, and it has been determined that the criteria accurately identifies the cables that are required to b.
included in the safe snutdown cable database.
DMS/dddO3248801
- _ _ _ _ _ _