ML050540476
| ML050540476 | |
| Person / Time | |
|---|---|
| Site: | Hatch  |
| Issue date: | 10/31/2003 |
| From: | NRC/RGN-II |
| To: | |
| References | |
| FOIA/PA-2004-0277, IR-03-006 | |
| Download: ML050540476 (10) | |
See also: IR 05000321/2003006
Text
2
SUMMARY OF FINDINGS
IR 05000321/2003-006, 05000366/2003-006; Southern Nuclear Operating Company;
7/7-11/2003 and 7/21-25/2003; E. l. Hatch Nuclear Plant, Units 1 and 2; Triennial Fire
Protection
The report covered a two-week period of inspection by three regional inspectors and a
contractor from Brookhaven National Laboratory. Three Green non-cited violations (NCVs) and
four unresolved items with potential safety significance greater than Green were identified. The
significance of most findings is indicated by their color (Green, White, Yellow, Red) using IMC 0609, "Significance Determination Process" (SDP). Findings for which the SDP does not apply
may be Green or be assigned a severity level after NRC management review. The NRC's
program for overseeing the safe operation of commercial nuclear power reactors is described in
NUREG-1 649, "Reactor Oversight Process," Revision 3, dated July 2000.
A. NRC-Identified and Self-Revealing Findings
Cornerstone: Mitigating Systems
- URI. The team identified an unresolved item in that a local manual operator action, to
prevent spurious opening of all eleven safety relief valves (SRVs) during a fire event,
would not be performed in sufficient time to be effective. Also, licensee reliance on this
manual action for hot shutdown during a fire, instead of physically protecting cables from
fire damage, had not been approved by the NRC.
This finding is unresolved pending completion of a significance determination. In
response to this potential issue, the licensee promptly moved the manual action step to
the front of the Fire Procedure to enable operators to accomplish the action much
sooner during a fire event. This finding was determined to have potential safety
significance greater than very low significance because of the use of manual actions in
lieu of physical protection as required by 10 CFR 50 Appendix R, Section III.G.2.
(Section 1R05.05.b.1)
URI. The team identified an unresolved item in that a fire in Fire Area 2104 could
cause all eleven SRVs to open at a time when residual heat removal (RHR) system
may not be available. To mitigate this event, the licensee's safe shutdown analysis
report (SSAR) credits the use of Core Spray Loop A to provide reactor coolant makeup.
However, the licensee did not provide any objective evidence (e.g., specific calculation
or analysis) which demonstrated that, assuming worst-case fire damage in Fire Area
2104, the limited set of equipment available would be capable of mitigating the event in
a manner that satisfies the shutdown performance goals specified in Appendix R,
section L.1.e to 10CFR 50.
This finding is unresolved pending completion of the NRC review of a calculation of
record which demonstrates the capability of the Core Spray system to mitigate the
above event. This finding was determined to have potential safety significance greater
than very low significance because of a lack of a calculation of record and
3
documentation of the limited set of equipment that would be credited for safe shutdown
under these conditions. (Section 1R.05.03.b)
URI: The team identified an unresolved item in connection with the implementation of
design change request (DCR)91-134, SRV Backup Actuation via Pressure Transmitter
Signals. The installed plant modification failed to implement the one-out-of-two taken
twice logic that was specified as design input requirements in the design change
package. Additionally, implementation of a two-out-of-two coincident taken twice logic,
has introduced a potential common cause failure of all eleven SRVs because of fire
induced damage to two instrumentation circuit cables in close proximity to each other.
This finding is unresolved pending completion of a significance determination. This
finding is greater than minor because it impacts the mitigating system cornerstone. This
finding has the potential for defeating manual control of Group "A" SRVs that are
required for ensuring that the suppression pool temperature will not exceed the heat
capacity temperature limit (HCTL) for the suppression pool. (Section 1R21.01)
- Green. The team identified a finding with very low safety significance in that a local
manual operator action to operate safe shutdown equipment was too difficult and was
also unsafe. The licensee had relied on this action instead of providing physical
protection of cables from fire damage or preplanning cold shutdown repairs. However,
the team judged that some operators would not be able to perform the action.
This finding involved a violation of 10 CFR 50, Appendix R, Section III.G.1 and
Technical Specification 5.4.1. The finding is greater than minor because it affected the
availability and reliability objectives and the equipment performance attribute of the
mitigating systems cornerstone. Since the licensee could have time to develop and
implement cold shutdown repairs to facilitate accomplishment of the action, this finding
did not have potential safety significance greater than very low safety significance.
(Section 1R05.05.b.2)
- Green. The team identified a finding with very low safety significance in that the
licensee relied on some manual operator actions to operate safe shutdown equipment,
instead of providing the required physical protection of cables from fire damage, and
without NRC approval.
This finding involved a violation of 10 CFR 50, Appendix R, Section III.G.2. The finding
is greater than minor because it affected the availability and reliability objectives and the
equipment performance attribute of the mitigating systems cornerstone. Since the
actions could reasonably be accomplished by operators in a timely manner, this finding
did not have potential safety significance greater than very low safety significance.
(Section 1R05.05.b.3)
- Green. The team identified a finding with very low safety significance in that emergency
lighting was not adequate for some manual operator actions that were needed to
support post-fire operation of safe shutdown equipment.
4
This finding involved a violation of 10 CFR 50, Appendix R, Section III.J. The finding is
greater than minor because it affected the reliability objective and the equipment
performance attribute of the mitigating systems cornerstone. Since operators would be
able to accomplish the actions with the use of flashlights, this finding did not have
potential safety significance greater than very low safety significance. (Section
1R05.07.b)
B. Licensee-Identified Violations
None
REPORT DETAILS
1. REACTOR SAFETY
Cornerstones: Initiating Events, Mitigating Systems and Barrier Integrity
11R05 FIRE PROTECTION
The purpose of this inspection was to review the Hatch Nuclear Plant fire protection program
(FPP) for selected risk-significant fire areas. Emphasis was placed on verification that the post-
fire safe shutdown (SSD) capability and the fire protection features provided for ensuring that at
least one redundant train of safe shutdown systems is maintained free of fire damage. The
inspection was performed in accordance with the Nuclear Regulatory Commission (NRC)
Reactor Oversight Program using a risk-informed approach for selecting the fire areas and
attributes to be inspected. The team used the licensee's Individual Plant Examination for
External Events and in-plant tours to choose four risk-significant fire areas for detailed
inspection and review. The fire areas chosen for review during this inspection were:
_. Fire Area 2016, West 600 V Switchgear Room, Control Building, Elevation 130 feet.
Fire Area 2104, East Cableway, Turbine Building, Elevation 130 feet.
Fire Area 2404, Switchgear Room 2E, Diesel Generator Building, Elevation 130 feet.
Fire Area 2408, Switchgear Room 2F, Diesel Generator Building, Elevation 130 feet.
The team evaluated the licensee's FPP against applicable requirements, including Operating
License Condition 2.D, Fire Protection; Title 10 of the Code of Federal Regulations, Part 50 (10
CFR 50), Appendix R; 10 CFR 50.48; Appendix A of Branch Technical Position (BTP) Auxiliary
and Power Conversion Systems Branch (APCSB) 9.5-1; related NRC Safety Evaluation
Reports (SERs); the Hatch Nuclear Plant Updated Final Safety Analysis Report (UFSAR); and
plant Technical Specifications (TS). The team evaluated all areas of this inspection, as
documented below, against these requirements.
Documents reviewed by the team are listed In the attachment.
VOW Systems Required to Achieve and Maintain Post-Fire Safe Shutdown
a. Inspection Scope
The licensee's Safe Shutdown Analysis Report (SSAR) was reviewed to determine the
components and systems necessary to achieve and maintain safe shutdown conditions
in the event of fire in each of the selected fire areas. The objectives of this evaluation
were as follows:
(a) Verify that the licensee's shutdown methodology has correctly identified
the components and systems necessary to achieve and maintain a safe
shutdown condition.
2
(b) Confirm the adequacy of the systems selected for reactivity control,
reactor coolant makeup, reactor heat removal, process monitoring and
support system functions.
(c) Verify that a safe shutdown can be achieved and maintained without off-
site power, when it can be confirmed that a postulated fire in any of the
selected fire areas could cause the loss of off-site power.
(d) Verify that local manual operator actions are consistent with the plant's
fire protection licensing basis.
b. Findings P
The team identified a potential concern whefe4he licensee used manual actions to
disconnect terminal board sliding links in order to isolate two 4-20 Ma instrumentation
control loop circuits in order to prevent the spurious actuation of eleven SRVs. This
issue is discussed in section 1R05.03.b of the report.
.02 Fire Protection of Safe Shutdown Capabilitv
a. Inspection Scope
For the selected fire areas, the team evaluated the frequency of fires or the potential for
fires, the combustible fire load characteristics and potential fire severity, the separation
of systems necessary to achieve safe shutdown (SSD), and the separation of electrical
components and circuits located within the same fire area to ensure that at least one
SSD path was free of fire damage. The team also inspected the fire protection features
to confirm they were installed in accordance with the codes of record to satisfy the
applicable separation and design requirements of 10 CFR 50, Appendix R, Section 1Il.G,
and Appendix A of BTP APCSB 9.5-1. The team reviewed the following documents,
which established the controls and practices to prevent fires and to control combustible
fire loads and ignition sources, to verify that the objectives established by the
NRC-approved fire protection program (FPP) were satisfied:
- Updated Final Safety Analysis Report (UFSAR) Section 9.1-A, Fire Protection
Plan
- Administrative Procedure 40AC-ENG-008-OS, Fire Protection Program
- Administrative Procedure 42FP-FPX-01 8-OS, Use, Control, and Storage of
Flammable/Combustible Materials
- Preventive Maintenance Procedure 52PM-MEL-01 2-0, Low Voltage Switchgear
Preventive Maintenance
The team toured the selected plant fire areas to observe whether the licensee had
properly evaluated in-situ fire loads and limited transient fire hazards in a manner
consistent with the fire prevention and combustible hazards control procedures. In
addition, the team reviewed the licensee's fire safety inspection reports and corrective
action program (CAP) condition reports (CRs) resulting from fire, smoke, sparks, arcing,
and overheating incidents for the years 2000-2002 to assess the effectiveness of the fire
prevention program and to identify any maintenance or material condition problems
related to fire incidents.
3
The team reviewed fire brigade response, fire brigade qualification training, and drill
program procedures; fire brigade drill critiques; and drill records for the operating shifts
from January 1999 - December 2002. The reviews were performed to determine
whether fire brigade drills had been conducted in high fire risk plant areas and whether
fire brigade personnel qualifications, drill response, and performance met the
requirements of the licensee's approved FPP.
The team walked down the fire brigade equipment storage areas and dress-out locker
areas in the fire equipment building and the turbine building to assess the condition of
fire fighting and smoke control equipment. Fire brigade personal protective equipment
located at both of the fire brigade dress-out areas and fire fighting equipment storage
area in the turbine building were reviewed to evaluate equipment accessibility and
functionality. Additionally, the team observed whether emergency exit lighting was
provided for personnel evacuation pathways to the outside exits as identified in the
National Fire Protection Association (NFPA) 101, Life Safety Code, and the
Occupational Safety and Health Administration (OSHA) Part 1910, Occupational Safety
and Health Standards. This review also included examination of whether backup
emergency lighting was provided for access pathways to and within the fire brigade
equipment storage areas and dress-out locker areas in support of fire brigade
operations should power fail during a fire emergency. The fire brigade self-contained
breathing apparatuses (SCBAs) were reviewed for adequacy as well as the availability
of supplemental breathing air tanks and their refill capability.
The team reviewed fire fighting pre-fire plans for the selected areas to determine if
appropriate information was provided to fire brigade members and plant operators to
facilitate suppression of a fire that could impact SSD. Team members also walked down
the selected fire areas to compare the associated pre-fire plans and drawings with as-
built plant conditions. This was done to verify that fire fighting pre-fire plans and
drawings were consistent with the fire protection features and potential fire conditions
described in the Fire Hazards Analysis (FHA).
The team reviewed the adequacy of the design, installation, and operation of the manual
suppression standpipe and fire hose system for the control building. This was
accomplished by reviewing the FHA, pre-f ire plans and drawings, engineering
mechanical equipment drawings, design flow and pressure calculations and NFPA 14
for hose station location, water flow requirements and effective reach capability. Team
members also walked down the selected fire areas in the control building to ensure that
hose stations were not blocked and to verify that the required fire hose lengths to reach
the safe shutdown equipment in each of the selected areas were available. Additionally,
the team observed placement of the fire hoses and extinguishers to assess consistency
with the fire fighting pre-fire plans and drawings.
b. Findings
No findings of significance were identified.
4
.03 Post-Fire Safe Shutdown Capability
a Inspection Scope
10 CFR 50.48, "Fire Protection," and Appendix R to 10 CFR 50, "Fire Protection
Program for Nuclear Power Facilities Operating Prior to January 1, 1979" establish
specific fire protection features required to satisfy General Design Criterion 3, "Fire
Protection" (GDC 3, Appendix A to 10 CFR 50). Section lll.G of Appendix R requires
fire protection features be provided for equipment important to safe shutdown. An
acceptable level of fire protection may be achieved by various combinations of fire
protection features (barriers, fire suppression systems, fire detectors, and spatial
separation of safety trains) delineated in Section III.G.2. For areas of the plant where
compliance with the technical requirements of Section III.G.2 can not be achieved,
licensees must either seek an exemption from the specific requirement(s) or provide an
alternative shutdown capability in accordance with Sections III.G.3 and 1ll.L of the
regulation.
For each selected fire area, the results of the licensee's analysis for compliance with
Section IIl.G of Appendix R is documented in a SSAR . The overall approach of these
evaluations was to determine the fire-induced losses for a fire in each fire area and then
assess the plant impact given those loses.
On a sample basis, an evaluation was performed to verify that systems and equipment
identified in the licensee's SSAR as being required to achieve and maintain hot
shutdown conditions would remain free of fire damage in the event of fire in the selected
fire areas. The evaluation included a review of cable routing data depicting the location
of power and control cables associated with SSD Path 1 and Path 2 components of the
RCIC and HPCI systems. Additionally, on a sample basis, the team reviewed the
licensee's analysis of electrical protective device (e.g., circuit breaker, fuse, relay)
coordination.
b Findings
Capability of Equipment Credited in SSAR to Mitigate the Spurious Actuation of Eleven
Introduction: The team identified a potential concern where the licensee used manual
actions to disconnect terminal board sliding links in order to isolate two 4 to 20 ma
instrumentation control loop circuits In order to prevent the spurious actuation of eleven
SRVs. The disconnection of terminal board sliding links is considered a repair and was
not consistent with the plants licensing basis for achieving and maintaining safe
shutdown conditions. Additionally, the use of manual actions in lieu of providing
protection for the instrumentation loop control circuits was not in compliance with the
requirements of 10 CFR 50 Appendix R. section III.G.2.
Description: The SSAR states that a fire in Fire Area 2104 could cause all eleven SRVs
to spuriously actuate as a result of fire damage to two cables that are located in close
proximity in this area. The specific circuits that could cause this event have been
identified by the licensee (circuit nos.: ABE019CO8 and ABE019CO9). Each of these
two circuits provides a 4 to 20 milliamp instrumentation signal from SRV high-pressure
actuation transmitters (2B21-N127B and 2B21-N127D) to master trip units 2B21-N697B
and 2B21 -N697D, respectively. The purpose of this circuitry is to provide an electrical
backup to the mechanical trip capability of the individual SRVs. In the event of high
reactor pressure, the circuits would provide a signal to the trip units which would cause
all eleven SRVs to actuate (open). The pressure signal from each transmitter is.
conveyed to its respective trip unit via a two-conductor, instrument cable that is routed
through .thisfire area (two separate cables). Each cable consists of a single twisted pair
of insulated conductors, an uninsulated drain wire that is wound around the twisted pair
of conductors, and a foil shield. In Fire Area 2104 the two cables are located in close
proximity, in the same cable tray. Actuation of the SRV electrical backup is completely
ublind" to the operators. Unlike ADS, it does not provide any pre-actuation indication
(e.g., actuation of the ADS timer) or an inhibit capability (e.g., ADS inhibit switch). Since
the operators typically would not initiate a manual scram until fire damage significantly
interfered with control of the plant, its possible that all eleven SRVs could open at 100%
power, prior to scramming the reactor. This scenario could place the plant in an
Unlike a typical control circuit, a direct short or "hot short" between conductors of a 4 to
20 milliamp instrument circuit may not be necessary to initiate an undesired (false high)
signal. For cables that transmit low-level instrument signals, any degradation of the
insulation of the individual twisted conductors due to fire damage may be sufficient to
cause leakage currents to be generated between the two conductors. Such leakage
current would appear as a false high pressure signal to the trip units. If both cables
were damaged as a result of fire, false signals generated as a result of leakage current
in each cable, would actuate the SRV electrical backup scheme which would cause all
eleven of the SRVs to open. The conductor insulation and jacket material of each cable
is cross-linked polyethylene (XLPE). Since both cables are in the same tray and
exposed to the same heating rate, there is a reasonable likelihood that both
instrumentation cables would suffer insulation damage at the same time and both
circuits could fail high simultaneously.
The licensee's SSAR recognizes the potential safety significance of this event and
describes methods that have been developed to prevent its occurrence and/or mitigate
its impact on the plant's post-fire safe shutdown capability should it occur. To prevent
this scenario, the licensee has developed procedural guidance which directs operators
to open link BB-10 in panel 2H11-P927 and link BB-10 in panel 2H11-P928. Opening of
these links would prevent actuation of the SRV trip units by removing the 4 to 20
milliamp signal fed by the pressure transmitters. In the event the SRVs were to open
prior to operators completing this action, the SSAR credits Core Spray loop A to mitigate
the event. However, the inspection team had several concerns regarding the
effectiveness of the licensee's approach. Specific concerns identified by the team
included:
1. The timing of operator actions necessary to prevent the event (the time
from fire detection to the time the two links would be opened);
6
2. Whether the operator actions (opening of links) were consistent with the
plants current fire protection licensing basis with respect to repairs
needed to achieve and maintain hot shutdown conditions.
3. The capability of the limited set of systems and equipment credited in the
SSAR for accomplishing post-fire safe shutdown conditions in the event
of fire in Fire Area 2104 to mitigate the event in a manner that satisfies
the shutdown performance goals specified in Appendix R to 10 CFR 50.
4 The inability of the operations staff to manually control the group A SRVs
that are credited for mitigating a fire in fire area 2104 because of spurious
actuation.
With regard to the timing of operator actions to prevent fire damage from causing all
SRVs to open, during the inspection the licensee performed an evaluation which
estimated that approximately thirty minutes would pass from the time of fire detection to
the time an operator would implement procedural actions to prevent its occurrence
(opening of links). The licensee concurred with the inspection team's concern that this
time (30 minutes) may be too long to provide an effective means of preventing the
actuation. To improve the effectiveness of this action the licensee agreed to enhance
its existing procedures so that the action would be taken immediately following
confirmation of fire in areas where the spurious actuation could occur.
The team considered the operators action of opening terminal board links to be not in
agreement with the plants licensing basis. Current licensing basis documents
(Reference: Georgia Power request for exemption dated May 16, 1986 and a
subsequent Safety Evaluation Report (SER) dated January 2, 1987) characterized the
opening of links as a repair activity that is not permitted as a means of complying with
Section III.G of Appendix R. Based on these documents the opening of links was
considered a repair by both the licensee and the NRC staff in 1987. The licensee could
not provide any evidence to justify why these actions are not characterized as a repair
activity in its current SSAR. In response to this inspection finding, the licensee initiated
a Condition Report (CR 2003800152, dated 7/24/03) to evaluate actions to open links, in
order to determine if they are necessary to achieve hot shutdown, and if an exemption
from Appendix R is required.
Because there is a potential for all SRVs to spuriously actuate as a result of fire in Fire
Area 2104 at a time when RHR is not available, the SSAR credits the use of Core Spray
Loop A to accomplish the reactor coolant makeup function. During the inspection, on
7/24/03, the licensee voluntarily performed a simulator exercise of an event which
caused all 11 SRVs to open. During this exercise, simulator RPV level instruments
indicated that Core Spray would be capable of maintaining level above the top of active
fuel. However, the licensee did not provide any objective evidence (e.g., specific
calculation or analysis) which demonstrated that, assuming worst-case fire damage in
Fire Area 2104, the limited set of equipment available would be capable of mitigating
the event in a manner that satisfies the shutdown performance goals specified in
Appendix R, section L.1 .e to 1OCFR 50.
_ r
7
The licensee's failure to implement the design input requirements of one-out-of-two
taken twice logic for DCR 91-134 resulted in the following problem. The logic installed
for the SRVs was a two-out-of-two coincident taken twice logic in addition to a one-out-
of-two coincident taken twice logic. The team determined that the two-out-of-two
coincident logic input from trip unit master relays K31OD and K335D represented a
common cause failure for both group "A"SRVs for a fire in fire area 2104. Specifically,
cable ABE01 9C08 associated with pressure transmitter 2B21-N127B current loop, and
cable ABE019CO9 associated with pressure transmitter 2B21-N127D current loop, are
both routed in the same cable tray in fire area 2104. Both shielded twisted pair
instrument cables are unprotected from the effects of a fire in this fire area. Fire
-induced insulation damage to both cables could result in leakage currents which causes
the instrument loops to fail high. This failure mode simulates a high nuclear boiler
pressure condition which would initiate SRV backup actuation of group "A"SRV 2B21-
F013F and 2B21-FO13G. Spurious actuation of both SRVs for a fire in fire area 2104
defeats the capability to manually control these SRVs as is required per the SSAR.
Analysis: This finding is greater than minor because it affected the availability and
reliability objectives and the equipment performance attribute of the mitigating systems
cornerstone. In order to achieve safe shutdown conditions for a fire in any of the fire
areas chosen for review, manual control of two SRVs is required. For Path 1 group "A
SRVs 2B21-FO13B and 2B21-FO13F are required to remain manually operable.
Additionally, for Path 2 group "A"SRVs 2B21-F013D and 2B21-F013G are required to
remain manually operable. These actions are necessary to ensure that the suppression
pool temperature will not exceed the heat capacity temperature limit (HCTL) for the
suppression pool. One SRV ( per Path) is opened to manually control depressurization
approximately two and a half hours after event initiation in order to maintain the
suppression pool below the HCTL. The second SRV is opened approximately four
hours to allow use of the alternate shutdown cooling mode of operation.
Enforcement: 10 CFR 50 Appendix R,section L.1.e states that during the post fire
shutdown, the reactor coolant system process variables shall be maintained within
those predicted for a loss of normal AC power. This finding was determined to have
potential safety significance greater than very low significance because of a lack of a'
calculation of record and documentation of the limited set of equipment that would be
credited for safe shutdown under these conditions. Pending completion of the NRC
review of a calculation of record which demonstrates the capability of the Core Spray
system to mitigate spurious actuation of eleven SRVs, this issue is identified as URI 50-
366/2003006-01, Capability of Equipment Credited in SSAR to Mitigate the Spurious
Actuation of Eleven SRVs.
04/05 Operational Implementation of Alternative Shutdown Capability
a. Inspection Scope
The selected fire areas that were the focus of this inspection all involved reactor
shutdown from the control room. None involved abandoning the control room and
alternative safe shutdown from outside of the control room. However, the licensee's