05000269/LER-2003-001
| Oconee Nuclear Station, Unit 1 | |
| Event date: | |
|---|---|
| Report date: | |
| 2692003001R00 - NRC Website | |
EVALUATION:
BACKGROUND
This event is reportable per 10CFR50.73(a)(3)(ii)(B), Unanalyzed Condition.
The Standby Shutdown Facility (SSF) [EIIS:NB] provides an alternate and independent means to achieve and maintain a Hot Standby condition for 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> for all three of the Oconee Units following sabotage, flooding, or a design basis (10CFR50, Appendix R) fire. The SSF is credited as the coping source of alternate AC power and decay heat removal during a station blackout event. It also provides defense in depth for a tornado event. During any of these scenarios, Operators will be sent to the SSF to operate the alternate shutdown train if normal shutdown equipment is inoperable.
The SSF is the designated method of safe shutdown for fires in all areas of the plant except for transformer CT4 and areas containing equipment associated with the SSF. These areas are the SSF, the West Penetration Room of any Unit, and certain Cable trenches. For a fire in those areas, the Oconee Fire Protection Plan credits "normal" Oconee safety system equipment controlled from the Oconee Control Room as one "train" for safe shutdown.
The SSF System includes a diesel generator for power and an Auxiliary Service Water Pump for decay heat removal and service water. In addition, the lower level of each Unit's Reactor Building contains a Reactor Coolant Make-Up (RCMU) Pump, powered and controlled from the SSF. In the event that High Pressure Injection (HPI) [EIIS:CB/BG], the normal make up system, becomes inoperable during an SSF event, the RCMU Pump is designed to supply Reactor Coolant Pump seal injection flow and make-up flow to compensate for the decrease in Reactor Coolant System (RCS) [ECCS:AB] volume due to system cool down. The SSF also provides controls for RCS isolation valves to maintain RCS inventory loss within the capacity of the RCMU Pump.
The electrical cabling used to control the "normal" shutdown train from the Control Room (herein referred to as "normal shutdown cabling") is routed separately from the electrical cabling used to accomplish a shutdown from the SSF (herein referred to as "alternate safe shutdown cabling"). Some components which perform routine operational functions are also part of the SSF alternate train and are capable of being powered and controlled from either the existing station electrical systems or the SSF electrical system. The control cables from the control room to these components are routed via the SSF so that, when the SSF is in the standby mode, these components may only be operated from each Unit's Control Room. The transfer of control capability between the Control Room and the SSF is accomplished via a keyed interlock.
When control is transferred to the SSF, the normal shutdown cable circuits are isolated and de-energized. Control of these components is then exercised by the operator in the SSF through dedicated alternate safe shutdown cabling.
10CFR50 Appendix R, Sections III G.3 and III L, apply to plants that used Alternate Shutdown as a means to provide safe shutdown train separation. 10CFR50 Appendix R, Section III.G.3, contains a requirement that for areas where alternate shutdown is credited, fire detection and a fixed suppression system shall be installed in the area, room, or zone under consideration.
10CFR50, Section III (L.7), contains a requirement: "... the isolation of these associated circuits from the safe shutdown equipment, shall be such that a postulated fire involving associated circuits will not prevent safe shutdown.
Generic Letter 86-10, "Implementation of Fire Protection Requirements," Interpretation 5, allows evaluation by a fire protection engineer to determine where partial suppression and detection is adequate to protect against the hazards in an area.
USNRC Branch Technical Position 9.5-1, Appendix A states that "Automatic water sprinkler systems should be provided for cable trays outside the cable spreading room...." Additionally, Duke's February 1982 Branch Technical Position 9.5-1 submittal states that "Detector locations are selected based on engineering judgment to protect vital equipment.
Oconee Technical Specifications (TS) 3.10.1 Condition C requires that the SSF RCMU Pump be operable when any Unit is in a Mode 3 Condition or above. Should the RCMU Pump be determined to be inoperable, TS 3.10.1 Required Action C.1 requires that the RCMU Pump be restored to an operable status within 7 days. TS 3.10.1 further requires that the affected Unit be placed in a Mode 4 Condition (Hot Shutdown) within 84 hours9.722222e-4 days <br />0.0233 hours <br />1.388889e-4 weeks <br />3.1962e-5 months <br /> if the RCMU Pump cannot be restored to an operable status following this 7 day period.
At the time this condition was identified, Oconee Units 1 and 2 were operating in a Mode 1 condition at approximately 100 percent power. Oconee Unit 3 was in Mode 5 (start-up after refueling). No safety systems or components were out of service that would have contributed to this event.
EVENT DESCRIPTION
Oconee currently has in progress an Oconee Appendix R Reconstitution Program. As a result of this program, a procedure change was being processed. While verifying the technical basis for one of the steps in the procedure revision, Engineer A, a fire protection engineer, discovered that drawings indicated several normal shutdown cables were routed from the Control Rooms to the SSF via the Turbine Building. Site fire protection engineers had previously believed that these cables were routed via the Auxiliary Building.
However, physical cable walkdowns performed on these normal shutdown cables determined that there are several hundred feet of cable in the Turbine Building in areas that are not protected by fire suppression or detection systems. There are locations along the cable routing that contain only one Unit's cables, two Unit's cables, and all three Unit's cables. Therefore Engineer A realized that the potential existed for fire damage to occur prior to transfer of control. Depending on the postulated location of the fire, one, two, or all three Oconee Units could be affected.
These cables provide the normal shutdown control path for several valves normally controlled from the control room but which have control transferred to the SSF during an Appendix R event. These valves are:
- 1, 2, and 3 RC-5 and 6 (pressurizer sample valves),
- 1, 2, and 3 RC-4 (pressurizer power operated relief valve isolation valve), 12
- 1, 2, and 3 HP-3 and 4 (RCS letdown cooler outlet isolation valves), and
- 1, 2, and 3 HP-20 (Reactor Coolant Pump seal return line isolation valve).
Due to the design of the control circuits, two conductors in different valve circuits making contact will not result in spurious operation unless additional shorts are postulated.
However, if the right two conductors on the same valve short together, it is possible to result in a spurious operation. This raised the possibility that a fire induced "hot short" could occur in a portion of the normal shutdown control circuit that would bypass the torque and limit switches in the open direction, resulting in either a stall condition for the valve actuating motor (typically resulting in a burnt out motor) or an over thrust of the valve/actuator combination. Either condition could render the valve incapable of operating when necessary after the SSF is placed in service.
The SSF related function of these valves is to close in order to limit flow from the RCS so that RCS losses are within the capacity of the SSF RCMU Pump. The failure of one or more of these valves to close could potentially cause RCS leakage to exceed the capability of the RCMU Pump. This could possibly result in the RCMU Pump being unable to maintain RCS inventory and could eventually result in loss of decay heat removal.
Therefore, fire induced damage of these cables could potentially affect the ability of the SSF to achieve and maintain safe shutdown in accordance with 10CFR50 Appendix R. Operations shift personnel were notified and the SSF RCMU Pump for each Oconee Unit was declared inoperable at 1115 am on 6/4/03.
The cables are non-conforming with respect to 10CFR 50, Appendix R requirements for the separation of control circuits for motor operated valves powered from the SSF. This condition is similar to an example given in NUREG 1022, Section 3.2.4 (fire barrier missing such that the required degree of separation for redundant safe shutdown trains is lacking). Therefore it was reported under 50.72(b)(3)(ii)(B) UNANALYZED CONDITION via the Emergency Notification System at 1903 hours0.022 days <br />0.529 hours <br />0.00315 weeks <br />7.240915e-4 months <br /> on 6/4/03, and was documented as event # 39903.
Engineering performed an operability evaluation which concluded that a fire watch patrol performed once every 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> in the area that the control cables run was an adequate compensatory measure to reduce the likelihood and severity of a fire. This will ensure that transient combustibles are kept to a minimum and that no unauthorized hot work is performed in the vicinity that could cause a fire.
Following the acceptance of this operability evaluation by Operations and implementation of the fire watch, the SSF RCMU Pump was declared operable but non-conforming at 2047 on 6/5/03 and the TS condition was exited.
CAUSAL FACTORS
The apparent cause of this condition is a historic design deficiency existing since the SSF was declared operational in October 1986.
The original SSF design considered it not credible that a hot short could occur inside a multi-conductor armored cable that bypassed the actuator torque and limit switches resulting in permanent damage to either the actuator or the valve as a result of a fire- induced hot short. When the Appendix R Safe Shutdown Analysis team performed the safe shutdown analysis in the mid 1980s, this was also the case. When the industry was informed that this phenomenon could fail safe shutdown valves in inappropriate positions through NRC Information Notice 92-18, the Duke response stated that armored cable would not be susceptible to this problem.
Because the normal shutdown cables would be separated from the control circuits when the SSF transfer process was completed, and because "smart hot shorts" were not considered credible during the SSF design, the SSF designers were of the opinion that fire damage to these cables could not cause damage to the motor operated valves. The decision process to locate the normal shutdown cables in the Turbine Building did not properly consider the timing of a fire, the ability to detect a fire, or the potential to cause damage to either the valve motor actuator or the valve as a result of a fire-induced spurious actuation as a result of a hot short.
Additionally, the routing of these normal shutdown cables in the turbine building was not well documented at the time the original Appendix R Safe Shutdown Analysis was performed. As a result, the analysis team believed that these cables were routed through another fire zone and therefore did not recognize the exposure of these cables to damage during a Turbine Building fire. Had this been realized, it is expected that fire detection and fire suppression for the area would have been addressed.
A search of prior events which have occurred at Oconee within the previous 24 months revealed two similar events. LERs 269/2002-01, submitted on May 6, 2002, and 269/2002-02, Revision 1, submitted June 12, 2002, both addressed design analysis oversights which also impacted the ability of the SSF to function properly during certain scenarios. The design oversights involved in these two events and the current event were all historical, such that corrective actions from these events could not have prevented the other events. The current event was discovered as an indirect result of the Oconee Appendix R Reconstitution Program. This project should satisfactorily identify and address any remaining issues with the SSF design for Appendix R events.
CORRECTIVE ACTIONS
Immediate:
A fire watch patrol was established on a once per six hour frequency. These fire watch patrols will remain in effect until appropriate permanent corrective actions are in place to mitigate this condition.
Subsequent:
Circuit analysis and walkdowns of the normal shutdown cables determined those portions of the normal shutdown cable circuits that are routed through the Equipment Rooms and Cable Rooms are protected from fire damage by operable fire detection and suppression systems installed in these rooms. Those portions of the normal shutdown cables routed through the Unit Control Rooms 12 are protected by fire detection systems. Duke had previously received an NRC approved exemption from Appendix R requirements for the installation of an operable suppression system' in the Oconee Control Rooms. In addition, the Control Rooms are continuously staffed by experienced and trained operators. Based upon this information, no compensatory actions are required to protect the normal shutdown cables routed to the Equipment Rooms, Cable Rooms and Control Rooms.
The potential for the initiation of a fire in the areas of the Turbine Building through which these cables are routed was conducted by the Oconee Fire Protection Engineer. The assessment included consideration of various fire ignition sources; flammable and combustible material loading; and the effectiveness of available fire detection, suppression, and extinguishment equipment in the area. The assessment concluded that the risk of fire in these areas of the Turbine Building is small due to the limited number of fire ignition sources and low flammable/combustible material loading. The assessment further notes that the probability for early detection of a fire is greatly increased because these areas are routinely and heavily traveled by station personnel who have been trained to immediately notify the Control Room via the emergency phone number upon the detection of any fire.
These areas of the Turbine Building are readily accessible to fire hose streams from several hose reel stations. Once a fire has been detected, it can be suppressed and extinguished using available manual suppression means.
Planned:
1. Continue completion of the Oconee Appendix R Reconstitution Program. This project should satisfactorily identify and address any remaining issues with the SSF design for Appendix R events.
2. Oconee will implement an appropriate permanent resolution to this issue. Options to be considered include, but are not limited to, installing fire detection/suppression in the area, and/or rerouting the affected cables.
1 Letter from H. R. Denton (NRC) to W. 0. Parker (Duke), dated 2/2/82, Exemption Granted From Requirements of 10CFR50, Appendix R, Item III.G.3, Fixed Suppression System for Oconee Control Rooms 12 Corrective action 2 is considered a NRC Commitment item. There are no other NRC Commitment items contained in this LER.
SAFETY ANALYSIS
This event did not include an actual Safety System Functional Failure. However, it did address a low probability vulnerability to fire damage that potentially might have resulted in a Safety System Functional Failure.
The original analyses for Oconee Appendix R fires included consideration of the effects of one worst case spurious actuation.
Engineering analyses concluded that cable and conductor failures were not credible for Oconee due to armor sheathed cable construction. Subsequent to the initial Appendix R analyses, NRC Generic Letter 86-10, addressing "hot shorts," was issued. Duke's evaluation of Generic Letter 86-10 reaffirmed that the construction of the metallic armor jacketed control cables, used for motor operated valves, precluded cable to cable shorts. This evaluation concluded that the most likely failure mode was conductor short to the grounded armor during a fire, thus causing the failure of the associated control power fuse, failing the valve "as is.
The cable construction of the control circuitry wiring for each of the Unit 1, 2, 3 HP-3, HP-4, HP-20, and RC-4 valve circuits has 37 conductors surrounded by metallic armor sheathing. The control circuitry wiring for each of the Unit 1, 2, and 3 RC-5 and RC-6 valve circuits is similarly constructed with 19 conductors surrounded by metallic armor sheathing. These cables are manufactured such that any two conductors along the length of the cable are not in the same orientation of the cross sectional area nor are any two conductors paired to be along side each other. The likelihood of an actual spurious actuation occurring by two specific conductors shorting together by being spatially in the same orientation of the cable at the exposure to the fire and not initially shorting to ground has a very low probability (0.075 spurious valve actuations per damaged circuit2).
2 EPRI TR-1006961, "Spurious Actuation of Electrical Circuits Due to Cable Fires," Final Report, dated May 2002 These physical attributes of the cable construction would indicate that a fire exposure at any random location along the length of the cable would cause the most outer conductor, closest to the armor sheathing, to have its insulation heated first such that it would make contact. Once the conductor voltage can overcome the decreased resistance of the decomposing insulating material an electrical short to ground will occur and cause the control power circuitry fuse to fail. A fuse failure prior to an intra-conductor short would prevent any spurious actuation of the valve's motor contactor.
The predominant cable type for motor operated valve controls at Oconee is PVC insulated, galvanized metallic armor surrounding individual conductors. PVC insulation has an ignition temperature of 735 degrees Fahrenheit3. EPR Hyperlon insulated control circuit cables are used for valves 1, 2, 3 HP-3, HP-4, HP-20, RC-4, RC-5 and RC-6. Insulating material made of EPR Hyperlon has a higher ignition temperature than PVC.
A series of experimental fire tests4 were conducted involving energized electrical circuits using Oconee motor operated valve control circuit cable and circuit design (which include control power transformers that limit available fault current and voltage).
Based upon the test results, demonstrating the robust fire resistance characteristics of the cable, fire induced spurious valve actuations are not expected to occur. One of these experimental tests demonstrated that under conditions of extreme physical abuse (e.g., a right angle bend of the cable in the tray, without limiting current circuit design, conducted under severe exposure to fire) fire induced spurious valve actuation could occur. Thus, while the probability of fire induced spurious actuation cannot be ruled out, it is not expected to occur under plant conditions.
Based upon the conservatisms in test methodologies, it has been estimated that a period in excess of 30 minutes is required to cause a fault in the Unit 1, 2, 3 HP-3, HP-4, HP-20, RC-4, RC-5 and RC-6 valve control circuit cables.
3 R. J. Budnitz, "Spurious Actuation of Electrical Circuits Due to Cable Fires:
Technical Investigator's Report," Future Resources Associates, study managed by EPRI in coordination with NEI 4 Budnitz 12 Fire brigade drills have been practiced in the areas of the Turbine Building in which these normal shutdown cables are subject to fire damage with response times of less than 20 minutes. The brief response time allows the fire brigade to get positioned and initiate mitigating actions prior to fires becoming fully developed; therefore it is not expected that these cables will be exposed to the temperature at which cable degradation occurs (threshold temperatures greater than 700 degrees Fahrenheit) for any significant duration.
The Oconee SSF license basis is based upon the fact that Oconee is designed to be able to mitigate the effects of one single spurious actuation following the 10 minutes allowed for SSF activation.
Analysis5 of the risk significance of various sequences involving the routing of normal shutdown cables in the Turbine Building was conducted. Although a fire without detection could fail a normal shutdown cable in the Turbine Building, analysis determined that each of the scenarios analyzed had the following multiple defense- in-depth features:
- the fire would have to be large enough to damage multiple cables,
- spurious operation of the motor operated valves controlled by these cables would have to occur prior to fire detection and manning of the SSF, and
- each of the sequences analyzed had multiple recovery paths to prevent core damage.
For the excess letdown scenario, recovery of Emergency Feed Water [EIIS:BA], or the automatic or manual closure of valve HP-5 will prevent core damage. For the pressurizer power operated relief valve (PORV) isolation valve scenario, the PORV could reclose or HPI can be recovered to prevent core damage. These defense-in- depth features result in a low overall risk for this condition.
Considering the low probability of a fire located in the applicable area of the turbine building, the potential for discovery and extinguishment of the fire before cable damage occurs, the relative low probability of a "smart short" damaging a valve rather than causing the control power fuse to fail, and the potential for 5 Calculation: SAAG 774, "Fire PRA for SSF Cable Issue in ONS Turbine Building" 12 either automatic or manual isolation using a redundant valve, the risk assessment found the overall impact on core damage frequency to be 1.9E-07/year and large early release frequency to be 3.6E- 09/year6 .
Therefore, this event is considered to have minimal safety significance with respect to the public health and safety.
ADDITIONAL INFORMATION
There were no releases of radioactive materials, radiation exposures or personnel injuries associated with this event.
This event is not considered reportable under the Equipment Performance and Information Exchange (EPIX) program.
Energy Industry Identification System (EIIS) codes are identified in the text within brackets [1.
12 6 SAAG 774