05000440/LER-2006-003
| Perry Nuclear Power Plant | |
| Event date: | 05-04-2006 |
|---|---|
| Report date: | 07-03-2006 |
| 4402006003R00 - NRC Website | |
I. INTRODUCTION
On May 2, 2006, while performing research for a calculation revision, it was discovered that one circuit of the Division 1 Emergency Diesel Generator (EDG) [DG] Control Room Pull-To-Lock (PTL) control switch [HS] was not designed to isolate the Control Room from the local Division 1 EDG controls in the event of a Control Room fire. On May 4, 2006 at 1430 hours0.0166 days <br />0.397 hours <br />0.00236 weeks <br />5.44115e-4 months <br /> it was determined that this condition violated the Perry Nuclear Power Plant (PNPP) Fire Protection Program and could adversely affect plant shutdown in the case of a Control Room fire. This condition has existed since 1989. A telephone notification (ENS number 42552) was made on May 4, 2006 at 1719 hours0.0199 days <br />0.478 hours <br />0.00284 weeks <br />6.540795e-4 months <br /> for this condition as specified in the PNPP Operating License, paragraph 2.F as a violation of 2.C.6, "Fire Protection". This LER is being written as specified in the PNPP Operating License, paragraph 2.F and Technical Specification 5.6.6.a.
II. EVENT DESCRIPTION
On May 2, 2006, it was discovered that a specific set of Division 1 Emergency Diesel Generator (EDG) Control Room PTL control switch contacts were not designed to isolate the Control Room from the local Division 1 EDG controls in the event of a Control Room fire. The Division 1 EDG Control Room isolation issue associated with the PTL control switch position was identified as a result of performing a design verification of a calculation revision for the Safe Shutdown Capability Report. During the verification process, drawings for the PTL control switch were reviewed. It was then determined that this PTL control switch was not isolated from the Control Room as required by the Fire Protection Program.
On May 4, 2006 at 1430 hours0.0166 days <br />0.397 hours <br />0.00236 weeks <br />5.44115e-4 months <br />, with the plant in Mode 1 at 100% power, it was determined that this condition was a violation of the PNPP Fire Protection Program that could adversely affect plant shutdown in the case of a Control Room fire. A fire induced hot short in the diesel generator logic circuit could result in a failure to start or a spurious trip of the EDG even if control is transferred to local control. In the event of a Control Room fire, a hot short to this lockout circuit could prevent local operation of the Division 1 EDG. This Control Room circuit is not isolated from the EDG local controls. Since 10CFR50 Appendix R Control Room Isolation is only required for the Division 1 EDG, this deficiency is not applicable to the Division 2 and 3 EDGs.
Operating instruction ONI-SPI-A5, "Division 1 EDG Restoration," was revised on May 4, 2006 to lift leads and to verify local control breakers are not tripped in the event of a Control Room evacuation.
III. CAUSE OF EVENT
The root cause of this event is that the design change process in effect during the development and installation of the 1987-1989 design change, DCP 87-276A, allowed a single error to exist throughout the review process and subsequently be installed in the plant. This was due to the following deficiencies:
- Reliance on a single engineer's analysis of Appendix R requirements.
- Not utilizing a design report to detail design features and the changes to the system or component functions.
- Not utilizing project team meetings to provide assurance that all design features were maintained or included into a design change by communicating needs to various team members.
A contributing cause is that the Engineering staffs knowledge of Appendix R requirements for Control Room Isolation was deficient at the time of the modification development and implementation.
IV. EVENT ANALYSIS
The safety significance of this event was determined to be very low.
Appendix R Section III (G)(2) requires that if cables or equipment that could prevent operation or cause improper operation of redundant trains of systems necessary to achieve and maintain hot shutdown conditions due to hot shorts, open circuits, or shorts to ground are located in the same fire area, one train must be protected in accordance with the conditions of this Section (G)(2) or an alternative means of shutdown, independent of the area under consideration, be provided (G)(3). The design must ensure that the safe shutdown capability will not be adversely affected by a fire induced spurious component actuation or signal resulting from the fire. A spurious actuation is a fire-induced fault that causes a component to function in an undesired manner.
Generic Letter 86-10 Section 3.8.4 "Control Room Fire Considerations" states that the damage to the system in the Control Room for a fire that causes evacuation of the Control Room cannot be predicted. A bounding analysis should be made to assure that safe conditions could be maintained from outside the Control Room.
The PNPP design for a fire in the Control Room provides an alternate means of control for the components required for the designated shutdown train. The power and control was designed to electrically isolate the required equipment from the effects of the Control Room fire at the Division 1 Remote Shutdown Panel.
After the equipment is isolated from the Control Room, any fire-induced faults on the circuits in the Control Room should have no impact on the equipment. The design should allow for operation of the required equipment from the Division 1 Remote Shutdown Panel (RSP) or other alternative shutdown location.
Although repairs and operator actions could have been taken to restore the Division 1 EDG if the Control Room fire caused a failure to start or a spurious trip of the Diesel Generator, these activities were not identified in the Fire Protection safe shutdown analysis or associated operating procedures. Therefore, for this issue PNPP did not comply with the Perry Fire Protection Program, and the ability to achieve and maintain safe shutdown in the event of a fire in the Unit 1 Control Room could have been adversely affected.
The assumption for a risk analysis is a fire occurs in the Control Room that could affect the circuitry of the EDGs such that they cannot be operated simultaneously with a loss of offsite power. The significance determination assessment does address issues associated with fire protection programs. However, the process in NRC Inspection Manual Chapter 0609 Appendix F does not currently include explicit treatment of fires in the Control Room, or for fires leading to the abandonment of the Control Room.
A large Appendix R fire in the Control Room is not likely due to limited combustibles and a comprehensive suppression system. To evaluate the impact of the discovered configuration the more likely scenario of an individual Control Room cabinet fire was evaluated. The likelihood of a fire in a control cabinet is 6.0E-5/yr.
The Incremental Conditional Core Damage Probability (ICCDP) for the analyzed configuration is estimated at about 5E-10. With respect to the Incremental Conditional Large Early Release Probability (ICLERP), even if containment failure was guaranteed, ICLERP is bounded at 5E-10.
The safety significance of events with an ICCDP less than 1.0E-6 and an ICLERP less than 1.0E-7 is characterized as having very low safety significance. The worst case scenario for the condition described is several orders of magnitude lower than these values.
Based on the above discussion, the described event has a very low safety significance.
V. CORRECTIVE ACTIONS
Operating instruction ONI-SPI-A5, "Division 1 EDG Restoration," was revised on May 4, 2006 to lift leads and verify local control breakers are not tripped in the event of a Control Room evacuation. These measures provide the interim disposition of the nonconforming condition. Design change documentation to implement Appendix R Control Room isolation features to the EDG PTL control switch circuit will be developed and issued by November 14, 2006. A final resolution to this issue will be a design change to incorporate Appendix R Control Room isolation features to the EDG PTL control switch circuit. The design change is currently scheduled to be implemented by the end of the next refueling outage.
Based on the improvements to the design change processes over the years it is very likely that the design error described in this LER would be prevented today. Secondary reviews, as well as the amount of information and documentation required by the Engineering Change Process, has provided additional barriers that were not in place in the 1987 to 1988 timeframe. Improvements in the Design Change Process made shortly after the implementation of the 1987 —1989 design change provided:
- Additional peer reviews for all design interface reviews. (1990)
- Increased detail in the Design Interface Checklist to assure that the appropriate design interfaces are provided. The Fire Protection Checklist is highly detailed to assure the Fire Protection design features are reviewed. (1990)
- The use of Design Reports to detail out the design functions of the systems. (1995)
- The use of Design Teams to communicate the requirements of each discipline involved with a change.
(1995) A review of systems required for Control Room Isolation was performed to assure that these systems meet Appendix R requirements. No other issues were found as a result of this review.
Additional corrective actions are:
1. Develop an Appendix "R" Control Room Isolation review guide to assist the design reviewer on the various fault concepts such as, hot shorts, open circuits, or shorts to ground, that must be analyzed to assure that the Control Room isolation feature is properly designed or maintained.
2. Incorporate this Appendix R requirement Control Room isolation design feature into the PNPP Design Basis Database for applicable systems.
3. Provide awareness training to the Engineering Staff via an Engineering Support Program continuing training presentation of the Appendix "R" design feature and the methods needed to adequately test to assure that Control Room Isolation feature is fully functional.
4. Revise NOBP-CC-1005, "FENOC Latent Issues Process," to provide improved guidance for performing a Latent Issues Review. This will help identify necessary design features to be reviewed or verified. It is suggested that a guide, similar to the Design Interface Review checklist used at PNPP, provide a guide to establishing the design features that should be considered for a Latent Issues Review. This would help to assure that the less apparent design features, such as, Appendix "R" Control Room Isolation, as well as the more obvious system functions are assessed.
VI. PREVIOUS SIMILAR EVENTS
A search of LERs and the corrective action program over the past 3 years at PNPP found one similar LER had been reported. LER 2006-001 reported a condition of an intemal wiring jumper on a switch in the RSP that was found to be installed incorrectly. The jumper was identified as a result of surveillance testing. The switch contact has the function of isolating Control Room circuitry from the RSP circuitry for the Reactor Core Isolation Cooling (RCIC) turbine exhaust valve. Complete isolation of the Control Room circuitry for the RCIC valve would not have beer, established by transferring control switches to the emergency position.
The cause of the condition was determined to be a wiring drawing error made during manufacture of the panel that resulted in the switch being incorrectly wired. The cause of the wiring error was determined to be a less than adequate vendor drawing review that failed to discover a drawing error on a wiring diagram and less than adequate testing.
Initial corrective actions consisted of correcting the mis-wired jumper in the RSP and contacting the vendor's Engineering Manager, and informing him of the drawing error and the wiring error in the vendor supplied RSP. Further corrective actions included revising RSP surveillances to include testing to verify correct isolation and transfer functions of the Normal/Emergency switches on the RSP to ensure the circuits meet the unique testing requirements for double isolation of the Fire Protection Program, and revising the Updated Safety Analysis Report to clarify information for the RSP that was difficult to locate and information that conflicted with the Supplement to the Safety Evaluation Report (SSER). Corrective actions from LER 2006 001 could not reasonably be expected to have prevented the condition documented in LER 2006-003.
VII. COMMITMENTS
There are no regulatory commitments contained in this letter.
Energy Industry Identification System Codes are identified in the text as [XX].