05000261/LER-2003-003

FACILITY NAME (1) DOCKET NUMBER (2) I � LER NUMBER (6 PAGE (3)

SEOUENTOL REVISION

H. B. Robinson Steam Electric Plant, Unit No. 2 05000261

I. DESCRIPTION OF EVENT

During the development and review of an Engineering Change. 'Appendix R Control Room Shutdown Analysis.

two postulated fire-induced transient conditions were identified. These conditions. if not mitigated.

could result in an unrecoverable condition. If a postulated fire were to occur causing specific circuit damage, operator actions to mitigate the transient would have to be taken in less than 10 minutes from the onset of circuit damage. Based on current analysis criteria, operator mitigating actions taken outside the Control Room and required in less than 10 minutes are not considered justifiable due to the limited amount of time that the Control Room Staff would have to detect an equipment malfunction.

determine its effect, and take mitigating actions.

The conditions identified include:

1) A postulated fire event that causes the spurious operation (closing) of LCV-115C. Volume Control Tank (VCT) outlet isolation valve [CB:ISV]. and loss of function for LCV-115B. Refueling Water Storage Tank (RWST) Emergency Makeup to Charging Pump Suction isolation valve [CB:ISV]. This scenario would cause loss of suction to the Charging Pumps [CB:9 in less than one minute and, if operating at the time, could result in the possible loss of the 'A" Charging Pump, which is the credited pump for Appendix R Safe Shutdown.

2) A postulated fire event that causes the concurrent operation of both Pressurizer Power Operated Relief Valves (PORVs). PCV-455C and PCV-455 [AB:PCV]. This scenario could cause the loss of an unrecoverable amount of reactor coolant system (RCS) inventory in less than 10 minutes.

These conditions could occur due to a fire of sufficient magnitude in either Fire Zone 19. Cable Spread Room, or Fire Zone 20. Emergency Switchgear Room. Fire Zones 19 and 20 are part of a large Fire Area.

"A5." which is comprised of 8 additional fire zones, including the Control Room. Hagan Room. Component Cooling Water (CCW) Surge Tank Room, and other areas of the Auxiliary Building second level. Fire Area AS is an Appendix R 111.G.3 Safe Shutdown fire area. requiring alternate or dedicated shutdown from outside the Fire Area.

For this evaluation, an unrecoverable condition is considered a condition which results in fuel clad damage, breach of any primary coolant boundary or breach of the containment boundary.

Case Ho. 1 - LCV-115B and LCV-115C For a postulated fire in Fire Zone 19 or 20. compliance with 10 CFR 50 Appendix R is based on the use of the Dedicated Shutdown System [EK]. including the 'A' Charging Pump. which is supplied power from the Dedicated Shutdown Bus [EK:BU]. Spurious closure of LCV-1158 and LCV-115C would result in the loss of suction to the Charging Pump(s) during this event. Should the "A' Charging Pump be running to support normal operation, the potential exists to damage the pump and associated piping due to the loss of suction, such that the reactor coolant makeup function may not be available during and after the fire event.

Based on the Appendix R Safe Shutdown Analysis, both LCV-115B and LCV-115C could spuriously operate.

resulting in both valves being closed at the same time for a fire in Fire Zone 19 or 20. The Primary FACILITY NAME (1) DOCKET NUMBER (2) � LER NUMBER (6 PRGE_(3) H. B. Robinson Steam Electric Plant, Unit No. 2 05000261 I YEAR SEOUENTLAL NUMBER Water [AB] and Boron Injection Systems [CA] are not part of the Appendix R Safe Shutdown Analysis, and are therefore not assumed to function during or after the postulated fire. The Charging Pumps are designed without high discharge pressure or low suction pressure pump protection. During normal operation, any two of the three pumps may be running.

In this postulated case, off-site power is assumed to be available, supplying power to the Emergency and Dedicated Shutdown Busses. The 'A' Charging Pump is supplied electrical power from the Dedicated Shutdown Bus, and the "B" and "C' Charging Pumps are supplied electrical power from Emergency Bus El and E2 [EK:BU). respectively. With off-site power available under this scenario. Reactor Coolant Pump (RCP) seal [AB:SEAL] cooling is provided by the CCW System [CC] via thermal barrier cooling. Additionally.

the "B" or "C" Charging Pumps. if unaffected by the initial consequences of the fire and off-site power remained, could be available for RCP seal cooling.

The loss of suction to the Charging Pumps (spurious closing of LCV-115B and LCV-115C) has been addressed in the Engineering Change. Review of cable routing for LCV-115B and LCV-115C found no other plant Fire Zones where a similar problem exists.

Case No. 2 - PORVs PCV-455C and PCV-456 The second postulated scenario is spurious opening of Pressurizer PORVs. PCV-455C and PCV-456. This case identifies a potential uncontrollable loss of reactor coolant inventory. This is because both of the Pressurizer PORVs and the Block Valves. RC-535 and RC-536 [AB:ISV], are open and cannot be closed due to the required assumptions associated with the postulated fire event.

RC-535 and RC-536 are motor operated valves which are supplied electrical power from Motor Control Center (MCC)-6 [EC:MCC]. which is supplied electrical power from Emergency Bus E-2. As such, a Loss of Offsite Power must be assumed concurrent with the postulated fire. Because the postulated fire may damage Emergency Diesel Generator (EDG) [EK:DG] circuits. including the EDG output breakers [EK:BKR].

the EDGs cannot be credited for this fire scenario. � As such, the normally opened Block Valves. RC-535 and RC-536. cannot be closed due to the loss of electrical power to MCC-6.

The Pressurizer PORVs are closed by de-energizing 125VDC (EJ) power that supplies their circuits.

However, this manual action taken outside the Control Room is expected to be completed in approximately 10 minutes following entry into the safe shutdown procedures. It is likely the Pressurizer level will be outside the indicating range following the opening of the PORVs. Therefore, the operator actions will not occur quickly enough to maintain Pressurizer level within range.

Review of cable routings for PCV-455C and PCV-456 found that they are also routed in other Fire Zones:

however, in these cases other mitigating factors, such as the availability of Safety Injection (SI) ROL preclude them from being a concern.

II. CAUSE OF EVENT

Guidance for performance of the original fire-induced circuit failures in the Safe Shutdown Analysis is considered unclear. That guidance was not clear pertaining to the number and type of fire-induced circuit failures to be assumed during a fire event. This. in turn, influenced the mechanical-hydraulic cases which were evaluated to support Appendix R performance goals and objectives. For purposes of the hydraulic cases considered. time equals zero at the onset of the postulated fire-induced circuit failures. The lack of evaluation for these new scenarios has existed since the original analysis.

Revalidation of the entire original analysis is currently in progress.

The current Safe Shutdown Analysis references Generic Letters 81-12. "Fire Protection Rule,' and 86-10.

"Implementation of Fire Protection Requirements.' in the reference section. which specified different criteria. The Safe Shutdown Analysis requires that fire-induced circuit failures consider any and all one at a time." It is not known whether this was intended to be sequential with time to recover from one before proceeding to the next. or if the events were to be postulated concurrently.

The root cause of this event is considered to be the unclear guidance provided in the original Appendix R Safe Shutdown Analysis for postulated fire-induced circuit failures. The corrective action to prevent recurrence is the establishment of clear guidance on the performance of circuit analysis for safe shutdown purposes and to ensure the program is in alignment with this guidance.

III. ANALYSIS OF EVENT

No actual fire events or loss of safe shutdown capability have occurred. The identified conditions are postulated fire-induced scenarios that could cause the Appendix R performance goals and objectives to not be met. An engineering review of this condition was conducted that included three distinct elements: 1) Review the Appendix R design and licensing basis requirements. 2) Review the current design and licensing basis to insure appropriate design considerations are factored into the Safe Shutdown Analysis. and 3) Incorporate results/conclusions of the design review.

For a postulated fire in Fire Zones 19 and 20 (Fire Area AS). the licensing and design basis for achieving safe shutdown conditions are embodied in 10 CFR 50. Appendix R. Section III.G.3. This section requires alternate or dedicated shutdown capability due to the inherent damage to both trains of safety related equipment in these fire zones. A Dedicated Shutdown System is essentially a minimum capability safe shutdown train independent of normal shutdown trains. This is commonly referred to as the Alternate "A," Safe Shutdown Method in the Appendix R Safe Shutdown Analysis.

Dedicated Shutdown Procedure (DSP)-002 is the procedure that provides the necessary instructions for achieving Hot Shutdown conditions for this postulated fire event. For purposes of maintaining reactor coolant inventory. DSP-002 directs starting the 'A' Charging Pump and isolating the RCS [AB] subsequent to the discovery of the postulated fire.

In this postulated fire event, the RCS provides core cooling by maintaining sufficient reactor coolant inventory. Loss of Offsite Power disables the RCPs [AB:P]. leaving only natural circulation flow as the means of heat transport from the reactor core to the Steam Generators [AB:SG]. Hot and cold leg temperature sensors [IM:TI] provide the monitoring of this heat transfer. while Pressurizer level [IM:LI] and pressure sensors [IM:PE) provide indication of system inventory and pressure conditions.

Loss of reactor coolant inventory is to be limited to only RCP seal leakage. This is accomplished by removing power from the letdown isolation valves [A8:ISV], thereby causing their closure. � The FACILITY NAME (1) � DOCKET NUMBER (2) � LER NUMBER (6j � PAGE (3) H. B. Robinson Steam Electric Plant, Unit No. 2 � 05000261 � Pressurizer PORVs are deactivated (within 10 minutes of entry into DSP-002) to the closed position and only the Pressurizer Safety Valves [AB:RV] to the Pressurizer Relief Tank [AB:TK] will be available for primary system pressure relief. The excess letdown line [A8:ISV] is also blocked by the de-energization of the isolation valve, thereby causing it to close. Additional RCS vent paths. such as the Reactor Head and Pressurizer Vents, are blocked closed by de-energizing the system isolation valves [AB:15V].

Following reactor trip, the secondary system will be used to remove decay heat, causing shrinkage of the RCS liquid volume during cooldown. As mentioned above. RCP seal leakage will cause a further reduction in the primary system inventory. Additional borated water from the RWST [BO:TK] is added to the system by means of Charging Pump *A.' Reactor coolant makeup by use of the Charging Pump will utilize the normal charging flow path into the RCS via the Regenerative Heat Exchanger [180:HX). In addition, some of the charging water is utilized to maintain RCP injection seal flow.

These functional requirements must be maintained independent of the fire-induced circuit failure(s) resulting from the postulated fire. In the FPP-RNP-100, Rev. 6. '10 CFR 50 Appendix R Long-Term Compliance Safe Shutdown Component Index.' components LCV-115B. LCV-115C. PCV-455C. and PCV-456 are identified as spurious components.

For both scenarios, the original analysis assumed that appropriate operator actions could be taken prior to the postulated fire-induced circuit failures that would result in operation beyond the allowable operating limits. Therefore, no hydraulic analyses were performed or required for some cases where two concurrent spurious operations could be postulated. Review of the original Safe Shutdown Analysis and supporting calculations support this fact. No prior hydraulic analyses could be found to establish the technical basis for loss of RCS inventory due to spurious actuation of the Charging Pump suction valves.

Pressurizer PORVs. or the Excess and Normal Letdown valves. However, there are examples of hydraulic analysis for two concurrent spurious actuations such as the Reactor Head or Pressurizer Head Vent Isolation Valves.

It was apparently assumed that no fire-induced circuit failures would render safe shutdown equipment inoperable, as long as manual action could be taken early in the event. This apparent assumption in the design was not documented. The need to perform hydraulic analyses in support of this assumption was not consistently applied.

Case No. 1 - LCV-115B and LCV-115C Vendor information and industry experience support the ability of positive displacement Charging Pumps to run for a limited period of time without suction and not cause sufficient damage to the operating pumps that would prevent them from providing flow after being restarted. The head of water developed from the RWST and location of CVC-358. LCV-1158 by-pass valve from RWST [CB:V], above the elevation of the pumps. provide for a positive suction supply to the pumps. This head will help to push air from the pumps. Local control in the Charging Pump Room is available to the operators to start and control the pumps as needed because only two of the three pumps are operating at the start of the event. The non- running pumps are expected to remain full of water and not entrained with air. Once the supply is restored to the pump(s). they will be capable of supplying water into the system. Should the non- running pump be available to start, normal flow into the system is expected because the pump should FACILITY NAME (1) DOCKET NUMBER (2) H. B. Robinson Steam Electric Plant, Unit No. 2 05000261 LER NUMBER (S PAGE (3) remain full of water. If one of the previously operating pumps is started, then a forward flow of water is still expected. DSP-002 already directs a prompt realignment of suction to the Charging Pumps from the RWST using manual valve CVC-358. Therefore. on a qualitative basis this potential concern would not result in a significant increase in risk in comparison with prior estimates.

Mechanical engineering thermal hydraulic analyses described in an on-going Engineering Change have determined the potential exists to lose the "A' Charging Pump assuming the pump is running during normal operation. Based on this analysis, loss of suction to the pump would occur in less than one minute following closure of LCV-115C and loss of function for LCV-115B. Catastrophic failure of the pump is not expected to occur for at least 15 minutes following loss of suction. The pump would be able to function when later called upon. but at a reduced efficiency due to air entrainment. The potential exists that the plant would be in an unrecoverable condition because the "A" Charging Pump is the only means of reactor coolant makeup during this postulated fire. However, further evaluation has revealed that the postulated failures result in minimal damage to the Charging Pumps and will not preclude the "A" Charging Pump from performing its intended design function during the event. Stopping the Charging Pumps at the onset of fire in the affected areas provides a preventative measure to preclude pump damage. keep it water solid, and maintain the "A" Charging Pump available for use to makeup RCS Inventory as needed.

A catastrophic failure of the Charging Pump is not expected to occur while operating with a loss of suction for approximately 15 minutes based on H.R. Robinson Steam Electric Plant (HBRSEP). Unit No. 2.

experience in internal valve train and packing wear, characteristics and principles of operation of the pumps. and previous operating experience. Ten minutes is considered a reasonable time period for the operators to recognize the situation and stop the operating Charging Pump(s). The pump vendor. Union Pump Company, provided insights into this scenario and concurred that the pumps would not be expected to experience a catastrophic failure during this time period. In addition, after a period of approximately 36 minutes the Charging Pumps would be called upon to provide for makeup capability to the RCS.

Case No. 2 - PORVs PCV-455C and PCV-456 It has been determined through calculation and a simulator run that mitigating actions currently proceduralized in the Dedicated Shutdown Procedure DSP-002 to isolate spuriously opened PORVs are adequate to prevent core damage, whether one or two PORVs spuriously open. Therefore, this new potential concern would not result in any significant increase in estimates of risk in comparison with prior estimates.

A calculation has been prepared to address the potential for both Pressurizer PORVs. PCV-455C and PCV- 456. to be open. This calculation concluded that the reactor core would remain covered during the time it would take for operator actions to remove power to the PORVs, causing them to go closed. This calculation assumed a two phase flow through the PORVs, and used a simplified model of only the Reactor Vessel and Pressurizer. It ignored the large volume of fluid in the RCS piping and Steam Generators.

The calculation started with approximately 82.000 lbs mass above the fuel, while the RCS contains closer to 202.000 lbs mass above the fuel. Additionally, a simulator run for the event revealed that only steam flow would result through two open PORVs at less than half the amount of mass loss assumed in the calculation. It also showed the Pressurizer level during the event went from a starting point of 53% to FACILITY NAME (1) � DOCKET NUMBER (2) � LER NUMBER (6) � PAGE (3) H. B. Robinson Steam Electric Plant, Unit No. 2 05000261 2003 - 003 - 00 _ approximately 31% in 90 seconds. back up to 89% in 450 seconds, and was at 86% at 600 seconds due to void formation in the reactor head and with the fuel still covered. The simulator run resulted in a total RCS mass loss of 9%. Both the calculation and simulator run accounted for reactor head voiding.

Even with both PORVs and Block Valves open after manual actions are taken to remove power from the PORVs. sufficient RCS inventory remains to prevent the reactor core from being uncovered. Each PORV and its associated Block Valve are in series, so closure of either one removes the leakage path.

The issue of PORV spurious operation was previously addressed in correspondence with the NRC. In a letter dated November 21. 1985. the NRC approved the methodology to close PORVs PCV-455C and PCV-455 early in the fire event. That letter states the method of "ensuring prevention of fire induced spurious operations of these applicable high/low pressure interface valves is acceptable." As such, the Dedicated Safe Shutdown procedures provide a means to accomplish this and operators routinely train on this procedure.

Fire Protection Fire Zones 19 and 20 are protected by a full area fire detection system [KP] and automatic Halon suppression system � The detection system for each fire zone is provided with two trains of detection. Actuation of both trains of detection will cause the Halon system to automatically discharge. The Halon system is a total flooding suppression system consisting of a main and reserve bank of cylinders [MTK]. This redundancy in suppression capability also minimizes system out of service time. Detection system design information identifies that for each fire zone, the number of detectors actually installed exceeds the required minimum number of detectors. Upon actuation of a fire alarm by one of the detection trains, the Control Room will initiate an investigation and appropriate fire brigade response.

Procedural guidance already in place requires that upon the loss of either the fire detection/actuation system or the fire suppression system for the affected fire zones, a continuous fire watch will be put in place.

The permanent fire loading in Fire Zone 19 is considered -high." while the fire loading in Fire Zone 20 is considered -moderate." Existing plant procedures contribute to the fire safety of the plant by controlling the use and storage of combustibles, maintaining housekeeping standards, and controlling sources of ignition. In addition, non-qualified IEEE-383 cables in Fire Zones 19 and 20 are coated with a fire retardant that will slow the propagation of fire between circuits.

Fire Zones 19 and 20 are adjacent to each other. Access into Fire lone 19 is from Fire Zone 20. Four unannounced fire drills have been conducted in these fire zones in the last two years. Fire drill response times for each fire zone show an operator on the scene between 1 and 7 minutes. This response time starts when the initial alarm is received in the Control Room. In each of these drills, the fire brigade was on the scene between 10 and 13 minutes from the sounding of the plant fire alarm.

EPRI document 1003326. "Characterization of Fire-Induced Circuit Faults - Results of Cable Fire Testing," discusses spurious actuation of devices in electrical circuits due to fire-induced damage to electrical cables. This document includes recent fire testing of circuits. Section 12.2.5 gives ■

• PROUTY NAME (1) H. B. Robinson Steam Electric Plant, Unit No. 2 DOCKET NUMBER (2) LER NUMBER (6 results of the time to cable failure and Section 12.2.6 provides information on spurious actuation. For the types of cables originally installed at HBRSEP. Unit No. 2 (thermoplastic). the test results give an average time to cable failure in 15 minutes. The average time to spurious actuation is 25 minutes. with an average spurious duration of less than 3 minutes. These values support the fact that. on average.

sufficient time exists for the execution of manual actions prior to initiation of spurious operations.

and that when spurious operations occur, they are short in duration.

Conclusion It is highly unlikely that these events would have led to unrecoverable conditions. Loss of both Charging Pump suction valves would have resulted in minimal damage to the operating Charging Pumps prior to manual actions being taken to restore the flow path. Therefore, there would be no significant increase in risk from this event.

In the case of the PORVs. it has been shown by calculation and a simulator run that the manual actions to remove power and close the valves can be achieved prior to core uncovery with no resulting core damage. The simulator run shows the conservative nature of the calculation with respect to water remaining above the fuel. Therefore. there would be no significant increase in risk from this event.

Cable testing shows that, on average, sufficient time exists for the completion of manual actions prior to initiation of spurious operations. and that when spurious operations occur, they are short in duration.

With the existence of the detection and suppression system limiting fire spread. it is also unlikely that fire damage would prevent automatic SI initiation immediately following the opening of both PORVs.

SI operation will stabilize the event.

The compensatory changes made in FP-001. 'Fire Emergency.- to add preemptive Control Room operator actions for a fire in Fire Zones 19 and 20. provide the ability to cope with these postulated fire events as an interim step. These preemptive actions provide sufficient protection until a cohesive plan is in place to deal with these and any future issues identified by the ongoing Appendix R Safe Shutdown Analysis revalidation.

This event is being reported in accordance with 10 CFR 50.73(a)(2)(v)(A) and (M. any event or condition that could have prevented the fulfillment of the safety function of structures or systems that are needed to shutdown the reactor and maintain it in a safe shutdown condition or remove residual heat.

IV. CORRECTIVE ACTIONS

Interim Mitigating Strategy Following discovery of this condition. FP-001 was revised to take preemptive Control Room operator action for a fire in Fire Zones 19 or 20. These actions are 1) To verify the 'A' Charging Pump is not an operating pump in order to mitigate damage to the pump.

maintain it water solid, and enable the pump to remain available for RCS inventory makeup as needed.

and 2) To verify Block Valves RC-535 and RC-536 are closed to prevent an initial open RCS vent path upon concurrent spurious opening of both Pressurizer PORVs and Loss of Offsite Power.

Operations Night Order 03-024 was issued November 19. 2003 directing each Operating Shift to review the changes made to FP-001.

In addition, to reduce exposure to the potential effects of a fire from transient combustible materials.

the administrative available limits for the affected fire zones were reduced to 50 percent of the normally allowed loadings.

Long-Term Mitigating Strategy Progress Energy recently completed a position paper on Fire-Induced Circuit Failures for Appendix R purposes to be considered at all Progress Energy nuclear operating facilities. This paper clearly requires two postulated fire-induced circuit failures to be considered at the system level in the Appendix R Revalidation Project at each site. This position paper defines the number and type of circuit failures to consider. HBRSEP. Unit No. 2. will complete reanalysis of the Appendix R Program utilizing the criteria specified in the Progress Energy position paper and the information contained in the investigation into this nuclear condition report (NCR 111308). Additional design documents will be modified as needed.

The Appendix R Safe Shutdown Analysis Revalidation Project is currently ongoing, with a projected completion date in March 2005. Project Instructions specifically address the methodology and treatment of spurious operation of equipment. These instructions state that two spurious concurrent mal- operations of equipment must be considered in the circuit analysis for cables and equipment being credited for shutdown of the plant. Project Instructions also identify hydraulic analyses that must be considered. Plant modifications are anticipated following completion of the full revalidation project.

However, with the expected complexity. implementation of resulting modifications will begin, at the earliest, during Refueling Outage 23 in Fall 2005 and continue thereafter until completion.

V. ADDITIONAL INFORMATION

A review of recent (past three years) events at HBRSEP. Unit No. 2. for conditions that could have prevented the fulfillment of a safety function was conducted.

containment pressure relief penetration. Upon discovering the failure, the control switch was repaired and the system was restored to operable status. Investigation of the event determined that an inappropriate design change occurred in about 1980. which when coupled with the switch failure, caused the loss of safety function. While the cause was a deficient design change, it would have had no impact on these two Appendix R analyses and could not have led to earlier discovery or correction of these two vulnerabilities.