05000259/LER-2012-001

LER-2012-001, Unanalyzed Conditions Discovered During NFPA 805 Transition Review
Browns Ferry Nuclear Plant (Bfn) Unit 1
Event date:
Report date:
Reporting criterion: 10 CFR 50.73(a)(2)(ii)(B), Unanalyzed Condition
2592012001R01 - NRC Website

I. PLANT CONDITION(S)

There are multiple plant conditions that were reported by Browns Ferry Nuclear Plant (BFN) on February 5, 2012.

At the time of discovery of the condition occurring on May 11, 2010, BFN, Units 1, 2, and 3, were in Mode 1 at approximately 100 percent rated thermal power.

At the time of discovery of the condition occurring on September 30, 2010, BFN, Units 1, 2, and 3, were in Mode 1 at approximately 100 percent rated thermal power.

At the time of discovery of the conditions occurring on August 22, 2011, BFN, Units 1, 2, and 3 were in Mode 1 at approximately 100 percent rated thermal power.

II. DESCRIPTION OF EVENT

A. Event

A National Fire Protection Association (NFPA) 805 transition review discovered several unanalyzed conditions associated with multiple spurious operation of equipment during postulated Appendix R fires.

On May 11, 2010, at 1715 Central Daylight Time (CDT), it was determined that in the event of an Appendix R fire, multiple hot shorts affecting reactor pressure instrument loops, Safety Relief Valve (SRV) [RV] overpressure logic, or Automatic Depressurization System (ADS) logic could cause as few as 2 and as many as 13 SRVs to spuriously open for certain fire areas (FAs). The current Appendix R safe shutdown analysis only assumed 2 SRVs spuriously open. The issue has significant safety impact due to the potential for a fire scenario to result in multiple SRVs spuriously opening, loss of low pressure inventory makeup, and loss of the condensate system [SD] for inventory makeup, which would challenge adequate core cooling during performance of Safe Shutdown Instructions (SSIs).

On September 30, 2010, at 0959 CDT, it was determined that in the event of an Appendix R fire, fire induced multiple hot shorts could cause both inboard and outboard Residual Heat Removal (RHR) [BO] test return valves [TV], and drywell spray valves [V], and suppression pool spray valves to spuriously open due to damage to the valve control circuit cables. This could result in draining of the Pressure Suppression Chamber (PSC) head tank [TK] and the affected low pressure Emergency Core Cooling System (ECCS) loop piping (RHR or Core Spray (CS) [BM]).

Consequently, the discharge pipe in the credited RHR loop may not be filled and vented when the SSIs require the RHR pump [P] to be started. The resulting water hammer could result in piping system damage resulting in loss of core cooling and decay heat removal functions and loss of suppression pool inventory. Additionally, single spurious actuation of CS test return valves, due to fire damage to their control circuits, could have the same results. These issues have significant safety impact since they would challenge the ability to provide adequate core cooling during performance of SSIs.

On August 22, 2011, at 0934 CDT, it was determined that in the event of an Appendix R fire in certain areas, fault propagation during a fire, due to the loss of the breaker control circuit in conjunction with power cable damage, could result in de-energization of the associated 4kV Shutdown Board [EE3]. This condition exists since some 4kV Shutdown Board load breakers [BKR] are not equipped with separate fuses [FU] for trip circuits extending beyond the board. This condition could result in a loss of power to credited safe shutdown equipment that would challenge the ability to provide adequate core cooling during the performance of SSIs.

On August 22, 2011, at 0934 CDT, it was determined that in the event of an Appendix R fire in certain areas, Multiple Spurious Operations (MSOs) could result in the Main Steam Isolation Valves (MSIVs) failing to close or to re-open. This potentially results in a challenge to control inventory loss during performance of SSIs.

For the above conditions, roving fire watches have been established in accordance with the Fire Protection Report in order to decrease the probability of a serious fire.

These conditions were originally determined to be not reportable. During subsequent review, the Tennessee Valley Authority (TVA) determined these conditions did meet reporting requirements. These conditions were reported to the NRC on February 5, 2012, at 1706 Central Standard Time (CST).

B. Inoperable Structures, Components, or Systems that Contributed to the Event

There were no inoperable structures, systems, or components that contributed to the event.

C. Dates and Approximate Times of Major Occurrences

May 11, 2010, at 1715 CDT - It was identified that multiple hot shorts affecting reactor pressure instrument loops, SRV overpressure logic, or ADS logic could cause as few as 2 and as many as 13 SRVs to spuriously open.

September 30, 2010, at 0959 CDT - It was identified that fire induced multiple hot shorts could cause both inboard and outboard RHR test return valves and drywell spray valves, and suppression pool spray valves to spuriously open.

August 22, 2011, at 0934 CDT - It was identified that in the event of an Appendix R fire in certain FAs, fault propagation, due to the loss of the breaker control circuit in conjunction with power cable damage, could result in de-energization of the associated 4kV Shutdown Board.

August 22, 2011, at 0934 CDT - It was identified that MSOs could result in the MSIVs failing to close or to re-open.

February 5, 2012, at 1706 CST - BFN reported conditions to the NRC.

D. Other Systems or Secondary Functions Affected

There were no other systems or secondary functions affected.

E. Method of Discovery

These conditions were discovered during NFPA 805 transition reviews.

F. Operator Actions

There were no operator actions.

G. Safety System Responses

There were no safety system responses.

III. CAUSE OF THE EVENT

A. Immediate Cause

The existing BFN Appendix R analysis did not adequately evaluate fire induced circuit damage.

B. Root Cause

The cause was that the historical design basis did not consider MSOs credible in a fire scenario.

C. Contributing Factors

There were no contributing factors.

IV. ANALYSIS OF THE EVENT

TVA is reporting these conditions in accordance with 10 CFR 50.73(a)(2)(ii)(B), as any event or condition that resulted in the nuclear power plant being in an unanalyzed condition that significantly degraded plant safety.

The problem identified involved a series of decisions that occurred over a number of years that eventually caused BFN to be in an unanalyzed condition with respect to Appendix R.

This is a long-standing legacy issue dating back to the original design of the plant. Until the late 1990s when the Electric Power Research Institute performed cable testing, the nuclear industry did not consider MSOs credible. This testing demonstrated that MSOs are not unlikely. In a Safety Evaluation Report dated April 25, 2007, the NRC indicated that BFN's safe shutdown analysis had not adequately evaluated circuits required to mitigate a fire for fire induced spurious operations or malfunctions in order to resolve this issue. BFN indicated that it would follow guidance regarding spurious actuations provided by the NRC generic communications. The NRC published guidance regarding MSOs for plants transitioning to NFPA 805 in Regulatory Guide 1.205, Risk-Informed, Performance-Based Fire Protection for Existing Light-Water Nuclear Power Plants. BFN submitted a letter of intent to adopt NFPA 805 on March 4, 2009. NFPA 805 requires evaluation and disposition of MSOs.

Multiple SRVs Spuriously Open

In the event of an Appendix R fire, multiple hot shorts affecting reactor pressure instrument loops, SRV overpressure logic, or ADS logic could cause as few as 2 and as many as 13 SRVs to spuriously open. The current Appendix R safe shutdown analysis only assumes 2 SRVs spuriously open. In this event, a large number of SRVs is assumed to open due to hot shorts in logic systems designed to open SRVs and cause a rapid depressurization.

The ADS system is designed to open 6 SRVs in the event of an accident where high pressure injection cannot maintain water level. Logic relays in the Auxiliary instrument room use low water level and high drywell pressure signals to open 6 valves at the same time. The SRV auto actuation logic uses reactor high pressure signals to open and re-close 13 SRVs in groups to control pressure in an over pressure transient.

In the Appendix R safe shutdown analysis, operators are instructed by the SSIs to align a RHR pump and conduct an emergency depressurization in either 20 minutes or 2 hours depending on whether high pressure makeup is available. Spurious SRV operation during or after this point in the event, when a RHR pump is aligned and ready, would be consistent with the shutdown strategy and not a concern. However, spurious opening of more than 2 SRVs, before the RHR pump and supporting electrical system are ready, would use up significant reactor pressure vessel (RPV) inventory, and low pressure injection would be required immediately in order to prevent the core from being uncovered and to prevent core damage. Manual initiation of one RHR pump or one CS loop would be sufficient for adequate core cooling when the reactor pressure reached approximately 350 psig. Also, the condensate system, consisting of condensate and condensate booster pumps, would already be running and capable of flooding the core without any operator action as reactor pressure reached approximately 400 psig.

Potential to Drain ECCS Loops

Spurious actuation of the CS test return valves, due to fire damage to the control circuits, could result in draining the PSC head tank, which is the source of water to maintain the credited RHR system. Without the volume of the PSC head tank, the credited RHR loop would drain over a period of time until the RHR pump was started.

The low pressure ECCS systems have their discharge headers downstream of the pump discharge check valves. The ECCS keep-fill pressure is maintained normally by the PSC system and backed up by the condensate storage and supply system via manual alignment. The Appendix R (SSI) final alignment for long term core cooling utilizes a RHR pump via Low Pressure Coolant Injection (LPCI) to the RPV, which is recirculated back to the suppression pool via SRV(s) to the suction of the RHR pump. CS is not utilized for injection in the SSIs, but shares the common PSC keep-fill system with RHR, and is analyzed for effects of spurious pump operation. Each low pressure ECCS loop has lines located in lower portions of the system which serve drywell spray or test return to the suppression pool. If these valves open when the associated ECCS pumps are not running, water will rapidly drain from the discharge piping of the affected loop and the PSC head tank. The remaining unaffected low pressure ECCS loops would begin to slowly drain due to loss of the keep-fill capacity of the PSC head tank. This scenario introduces two separate safety issues.

Spurious opening of valves in the non-credited loop

In the event of fire damage to control cables, one or more of the non-credited RHR loops or the two CS loops could be rapidly drained by the spurious opening of valves.

If an ECCS pump spuriously starts on a loop that has been drained, a water hammer transient would result and the piping system could rupture. Since no credit is taken for these loops, there is no direct loss of safe shutdown function. However, this scenario could also result in the loss of water from the suppression pool by a gravity drain for breaks below the suppression pool level or by the pump discharge for breaks located at higher elevations.

Opening of valves in any of the ECCS loops will result in draining of the PSC head tank and cause the other loops to slowly drain due to normal leakage. This would not cause a problem where the SSIs require starting the RHR pump in 20 minutes. It could result in some amount of water hammer in cases where the RHR pump is not started for 2 hours. This scenario only occurs in FA 8 for the Unit 2 RHR pump 2C.

Spurious opening of valves in the credited loop

In the event of fire damage to control cables for valves in the credited loop, the credited RHR loop could be rapidly drained. In scenarios where valves in the credited RHR loop are damaged, one valve in each line is closed from the Motor Control Center using backup controls and the RHR pump is started from the Main Control Room (MCR) [NA] or the 4kV Shutdown Board backup control, depending on the FA.

When the operator starts the credited RHR pump at 20 minutes, a water hammer transient would result and the piping system could be damaged. This could cause a loss of core cooling and decay heat removal functions provided by RHR and cause loss of water from the suppression pool.

Fire damage to breaker control circuits in conjunction with power cable damage

There are load breakers on the 4kV Shutdown Boards which do not have separate fuses for elements of the trip circuit external to the board. Fire damage to the control cables for 4kV loads can cause a fault in the trip circuit and clear the fuse without tripping the breaker, disabling it in the closed position. If a fire damages the power cables from the same breaker, a fault can occur which does not clear.

Some 4kV Shutdown Board load breakers are not equipped with separate fuses for trip circuits extending outside of the board. A fire could damage the trip circuit and cause the main trip circuit fuses to clear. If the breaker is closed, or spuriously closes due to damage to the closed circuit, it will become disabled in the closed position and unable to open on a power circuit fault. If the power cables are exposed to the same fire, then cable damage could result in a fault that cannot be cleared by the breaker. This could cause the cables to auto ignite and spread fire to other areas where the cable is routed. A fire could trip the feeder breaker for the 4kV Shutdown Board resulting in the loss of the entire board in FAs where the board is credited for safe shutdown.

Examples of control circuits of concern which have cable routes in the same FAs as the power cables are the pump local control stations. The 4kV Shutdown Board loads susceptible to this issue are the following: all RHR pumps, all CS pumps, and Residual Heat Removal Service Water [BI] pumps B2, C2, and D2.

MSIVs Fail to Close

In the event of a serious fire, multiple hot shorts could cause MSIVs to fail open when the Appendix R Safe Shutdown Analysis requires that at least one MSIV in each steam line be closed.

The fire shutdown strategy for all fire areas credits closing the MSIVs in order to control inventory loss. This is accomplished from the MCR except for the fire in FA-16 (Control Building) where it is repeated from Panel 25-32 (Backup Control Panel) on each unit.

Fires at Panel 25-32 and in the reactor building FAs (FA 1-3 and FA 1-4, FA 2-3 and FA 2-4, FA 3-3) for each unit can damage cables for both inboard and outboard MSIVs and cause them to fail open.

If MSIVs fail open at the same time that the pressure regulation function of the Electro-Hydraulic Control (EHC) system fails, a large path is established for inventory loss to the main condenser. This would initially result in rapid depressurization to the condenser, with an effect on the RPV similar to that of SRVs failing open. After depressurization, the SSIs for these areas instruct the operators to align one RHR pump in alternate shutdown cooling, which floods the RPV and steam lines with water from the suppression pool and returns water to the suppression pool via the SRVs. If the main steam lines are not isolated, suppression pool inventory would be lost to the condenser at a rate of approximately 9000 gallons per minute. The suppression pool contains approximately 7000 gallons per inch, which would lower the water level by approximately 1.3 inches per minute. The normal water level is about 35 inches above the bottom of the downcomers; therefore, pressure suppression capability would be lost in approximately 27 minutes.

V. ASSESSMENT OF SAFETY CONSEQUENCES

Multiple SRVs Spuriously Open

The issue has significant safety impact due to the potential for one fire scenario to affect both the SRV logic and the low pressure system logic. The most significant area is the auxiliary instrument room on each unit. RHR and CS logic in these rooms can affect the low pressure permissive for the injection valves and prevent operation from the MCR.

SSIs credit valve operation locally at the Motor Control Center for these scenarios, which does not assure availability of injection in the short period of time required when an emergency depressurization has occurred. The condensate system and supporting offsite power supplies are not as dependent on circuits in the auxiliary instrument room. The Modular Accident Analysis Program (MAAP) runs performed to support risk evaluations demonstrate that, as long as condensate is available, the full range of SRV spurious operation scenarios will result in adequate core cooling.

There are circuits needed for condensate system success that are located in the auxiliary instrument room of each unit. They are associated with the short cycle valve and the feed pump minimum flow valves. If these valves all fail open, condensate flow will be diverted.

Therefore, there is a probability that condensate would not be available for inventory makeup.

The Core Damage Frequency (CDF) increase was in the range of 1.5E-4/yr to 4.0E-4/yr.

For these MSOs, several MAAP evaluations were conducted to show that even if the MSOs were to occur, the existing SSI procedures provide adequate mitigation strategies to prevent core damage. Given that the SSIs are adequate to mitigate MSOs associated with stuck open relief valves, the risk significance of these MSOs is also determined to be less than 1.0E-4/yr.

Potential to Drain ECCS Loops

Spurious actuation of CS test return valves due to fire damage to control circuits could result in draining the PSC head tank, which is the source of water to maintain the credited RHR system filled and vented. Without the volume of the PSC head tank, the credited RHR loop would drain over a period of time until the RHR pump was started in accordance with the procedure. Concerns of a spurious operation of certain ECCS valves could fail the ECCS keep-fill system and possibly cause a water hammer.

For the potential to drain down the credited ECCS system in certain FAs, evaluation of these FAs showed a fire frequency of above 1.0E-3. However, these frequencies included several conservatisms, which lead to the high fire frequency. Removal of some of the conservatism demonstrated that a more realistic evaluation would produce a fire frequency which, while still conservative, would be less than 1.0E-4/yr.

Fire Damage to Breaker Control Circuits in Conjunction with Power Cable Damage

There are load breakers on the 4kV Shutdown Boards which do not have separate fuses for elements of the trip circuit external to the board. Fire damage to control cables for 4kV loads can cause a fault in the trip circuit and clear the fuse without tripping the breaker, disabling it in the closed position. If fire also damages the power cables from the same breaker, a fault can occur which does not clear.

Normally running loads are most likely to experience an un-isolated fault since the circuit breaker is already closed at initiation of the event. The normally running loads for the 4kV Shutdown Boards are separately fused as required. The affected loads above are not normally running and therefore fault propagation is less likely. For fault propagation to occur, the following sequence of events is required:

  • The load must be already running, started in response to the event, or started by a hot short in the control circuit.
  • A fault must clear the control power fuses without causing the breaker to trip.
  • The fire must fault the control power circuit before faulting the cables.

BFN has a mixture of non-qualified and qualified cables. The non-qualified cables which are routed in cable trays are protected with Flamemastic. Given these two facts, possible cable damage due to a credible fire would be delayed. Additionally, fire growth and cable fire spread would provide time for manual suppression activities as well. A 10 minute time to damage is assumed for the identified cables. Control cables and power cables are routed in separate cable trays. It is reasonable to assume that the Flamemastic coatings on the cable trays will delay the conditions for MSOs for 20 minutes. For transient or cable fires, the non-suppression probability of 0.1 is used to bound the estimate.

A scoping estimate based on conservative frequencies of relevant scenarios indicates that the fire ignition frequency is less than 1.0E-4/yr.

MSIVs Fail to Close

In the event of a serious fire, multiple hot shorts could cause the MSIVs to fail open when the Appendix R Safe Shutdown Analysis requires at least one MSIV in each steam line to be closed.

The EHC system is not credited in the Appendix R Safe Shutdown Analysis, and therefore is assumed to be failed. However, there is a very high probability that the system will either function to control reactor pressure, or fail the turbine control valves and bypass valves closed, thus isolating the inventory loss path. The cables associated with this EHC failure mode (valves open) are not located in areas where MSIVs are affected except for those associated with reactor pressure signals to the EHC pressure regulator, which are located in the reactor buildings. The signal processing functions of the EHC controls will not use signals which are outside of the normal range. If more than one reactor pressure signal goes out of range, the EHC system will switch to turbine header pressure control signals which are located in the turbine building, away from the MSIV circuits of concern.

Due to the lack of fire damage to the EHC system in FAs that would also affect the MSIVs, it is highly likely that the turbine EHC system pressure regulator will control inventory loss in fire scenarios where the MSIVs cannot be closed from the MCR or the Backup Control Panel.

For the success of the isolation function of the MSIVs, at least one valve for each pair must close and stay closed. Therefore, the failure of both valves constitutes a failure to isolate. Every pair must isolate for overall successful isolation. Subsequently, the scenario that is tied to one of the valves in every pair will become a failure scenario. To identify the total final list of scenarios, each fails to close basic event is queried for the list of scenarios tied to it. Then, a comparison of the scenarios displays the list of scenarios for each pair of MSIVs. A fire in FA 16 (Control Building) is excluded from this evaluation given the MSIVs are closed from Panel 25-32 (Backup Control Panels) for fires in this area. All other FAs were retained and evaluated.

The total fire frequency for all these scenarios does not include manual suppression. BFN has a mixture of non-qualified and qualified cables. The non-qualified cables which are routed in cable trays are protected with Flamemastic; therefore, possible cable damage due to a credible fire would be delayed. Additionally, fire growth and cable fire spread would provide time for manual suppression activities as well. A 10-minute time to damage is assumed for the identified cables. The non-suppression probability for 10 minutes is 0.3. The value of 0.3 was determined to be appropriate given this credit is applied to all fires without existing suppression credit. This includes transient, cable, and fixed sources.

Ten minutes is used because some of the contributors for the MSIV failure do not have manual suppression credited.

Including the severity factor and automatic suppression, the total fire frequency for the MSIV failure is 1.68E-4/yr for Unit 1. After applying a 0.3 manual non-suppression probability to the fire frequency for scenarios with no manual suppression credited, the frequency for the MSIVs failing to close is determined to be 8.76E-5/yr. The total fire frequency is then multiplied by the worst case Conditional Core Damage Probability (CCDP) of 1.0 to obtain a worst case CDF of 8.76E-5/yr. BFN Units 2 and 3 are similar to BFN Unit 1 and would also be expected to yield frequencies significantly lower than 1.0E-4/yr. In addition, there are additional mitigating systems which may be available for fires in FA 1 and FA 5 that are currently not credited which could reduce the CCDP below the value of 1.0 assumed in this evaluation.
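The screening described above (both valves of an MSIV pair failing to close is a failure to isolate, and every pair must isolate), followed by the 0.3 manual non-suppression probability and the CCDP of 1.0, can be sketched as below. This is an added illustration, not part of the LER or TVA's analysis; the scenario names, frequencies, valve labels and the four-steam-line layout are constructed sample data and do not reproduce the Unit 1 values.

```python
"""MSIV isolation-failure screening, as an added illustration (constructed data)."""

# Steam line -> (inboard MSIV, outboard MSIV). Four lines and these labels
# are assumptions made for the example.
MSIV_PAIRS = {
    "A": ("A_in", "A_out"),
    "B": ("B_in", "B_out"),
    "C": ("C_in", "C_out"),
    "D": ("D_in", "D_out"),
}

# Constructed fire scenarios. freq_per_yr already includes severity factor and
# automatic suppression; manual_credited says whether manual suppression is
# already credited in that frequency.
SCENARIOS = {
    "S1": {"fails_to_close": {"A_in", "A_out"}, "freq_per_yr": 4.0e-5, "manual_credited": False},
    "S2": {"fails_to_close": {"B_in", "C_out"}, "freq_per_yr": 2.0e-5, "manual_credited": False},
    "S3": {"fails_to_close": {"C_in", "C_out", "D_in"}, "freq_per_yr": 1.0e-5, "manual_credited": True},
    "S4": {"fails_to_close": {"A_out"}, "freq_per_yr": 5.0e-5, "manual_credited": False},
    "S5": {"fails_to_close": {"B_in", "B_out", "D_in", "D_out"}, "freq_per_yr": 3.0e-5, "manual_credited": False},
}


def scenarios_by_basic_event(scenarios):
    """Query each fails-to-close basic event for the scenarios tied to it."""
    index = {}
    for name, scenario in scenarios.items():
        for valve in scenario["fails_to_close"]:
            index.setdefault(valve, set()).add(name)
    return index


def pair_failure_scenarios(scenarios, pairs):
    """Per steam line, the scenarios that fail BOTH valves of the pair."""
    index = scenarios_by_basic_event(scenarios)
    return {
        line: index.get(inboard, set()) & index.get(outboard, set())
        for line, (inboard, outboard) in pairs.items()
    }


def isolation_failure_scenarios(scenarios, pairs):
    """Every pair must isolate, so failing any one pair fails isolation."""
    return set().union(*pair_failure_scenarios(scenarios, pairs).values())


def worst_case_cdf(scenarios, pairs, p_non_suppression=0.3, ccdp=1.0):
    """Sum failure-scenario frequencies, crediting manual suppression only
    where it is not already credited, then multiply by the CCDP."""
    total = 0.0
    for name in sorted(isolation_failure_scenarios(scenarios, pairs)):
        scenario = scenarios[name]
        factor = 1.0 if scenario["manual_credited"] else p_non_suppression
        total += scenario["freq_per_yr"] * factor
    return total * ccdp


if __name__ == "__main__":
    for line, names in pair_failure_scenarios(SCENARIOS, MSIV_PAIRS).items():
        print(f"steam line {line}: both MSIVs fail open in {sorted(names)}")
    unscreened = worst_case_cdf(SCENARIOS, MSIV_PAIRS, p_non_suppression=1.0)
    print(f"frequency before manual suppression credit: {unscreened:.2e}/yr")
    print(f"worst case CDF: {worst_case_cdf(SCENARIOS, MSIV_PAIRS):.2e}/yr")
```

Scenarios S2 and S4 damage only one valve in any pair, so they drop out of the sum even though S4 has the highest frequency in the sample set.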

For the above conditions, roving fire watches have been established in accordance with the Fire Protection Report in order to decrease the probability of a serious fire.

VI. CORRECTIVE ACTIONS - The corrective actions are being managed by TVA's corrective action program.

A. Immediate Corrective Actions

There were no immediate corrective actions.

B. Corrective Actions to Prevent Recurrence

The conditions identified in this LER will be resolved as part of the transition to NFPA 805.

VII. ADDITIONAL INFORMATION

A. Failed Components

There were no failed components.

B. Previous Similar Events

A search of BFN LERs for Units 1, 2, and 3 for the last several years did not identify any similar events. However, LER 50-259/2012-002-00 and discovered during NFPA 805 transition reviews.

A search was performed on the BFN corrective action program. There were no previous Problem Evaluation Reports (PERs) associated with these conditions.

C. Additional Information

The corrective action program documents for this report are PERs 229734, 259787, and 424389.

D. Safety System Functional Failure Consideration

These conditions are not considered a safety system functional failure in accordance with NEI 99-02.

E. Scram With Complications Consideration

These conditions did not include a scram.

VIII. COMMITMENTS

There are no commitments in this LER.