Part 21 Report - 1998-311
ACCESSION #: 9804230185
LICENSEE EVENT REPORT (LER)
FACILITY NAME: Clinton Power Station PAGE: 1 OF 6
DOCKET NUMBER: 05000461
TITLE: Remote Shutdown Panel Operation of Reactor Core Isolation
Cooling System May be Prevented Following Main Control
Room Fire Due To Supplier Design Lacking Circuit
Isolation
EVENT DATE: 09/29/86 LER #: 98-013-00 REPORT DATE: 04/20/98
OTHER FACILITIES INVOLVED: None DOCKET NO: 05000
OPERATING MODE: 5 POWER LEVEL: 000
THIS REPORT IS SUBMITTED PURSUANT TO THE REQUIREMENTS OF 10 CFR
SECTION:
50.73(a)(2)(ii)
OTHER
LICENSEE CONTACT FOR THIS LER:
NAME: D. L. McMillan, Corrective Action Team Lead Engineer
TELEPHONE: (217) 935-8881, Extension 3920
COMPONENT FAILURE DESCRIPTION:
CAUSE: SYSTEM: COMPONENT: MANUFACTURER:
REPORTABLE NPRDS:
SUPPLEMENTAL REPORT EXPECTED: NO
ABSTRACT:
With the plant in COLD SHUTDOWN, engineers identified that electrical
short circuits caused by fire-related cable damage following a fire in
the Main Control Room (MCR) may prevent the Reactor Core Isolation
Cooling (RCIC) System from being operated from the Remote-Shutdown Panel
(RSP) as designed. The engineers identified that two cables interfacing
with the control circuit for the RCIC turbine cannot be isolated from the
MCR by operation of the remote transfer switch. The cause of this event
is attributed to an error in a supplier design change. Additionally,
corrective actions for previously identified design errors were
ineffective in identifying the potential extent of the issue. Corrective
action for this event includes revising the engineering review standard
for fire protection/safe shutdown, performing a comprehensive review of
safe shutdown required equipment circuits for operation from the RSP, and
modifying the RSP interface with the two RCIC cables to provide adequate
isolation. This event is also reportable under 10CFR21.
END OF ABSTRACT
TEXT PAGE 2 OF 6
DESCRIPTION OF EVENT
On March 25, 1998, the plant was in mode 4 (COLD SHUTDOWN) during the
sixth refueling outage, and reactor [RCT] coolant temperature was being
maintained within a band of 95 to 115 degrees Fahrenheit and pressure was
zero pounds per square inch. Engineers were conducting circuit analysis
reviews in response to recommendations in an engineering evaluation
prepared to address an audit finding. At about 1730 hours, the engineers
identified that operation of the Reactor Core Isolation Cooling (RCIC)
System [BN] may not be available from the Remote Shutdown Panel [PL]
(RSP) as designed as a result of electrical short circuits caused by
fire-related cable [CBL] damage (hot shorts) following a fire in the Main
Control Room (MCR). Condition Report (CR) 1-98-03-499 was initiated to
track further investigation and resolution of this issue. Operations was
notified of this condition and placed a restraint against entering Modes
1 (POWER OPERATION), 2 (STARTUP), and 3 (HOT SHUTDOWN). Per Technical
Specification 3.5.3, "RCIC System," the RCIC system is required to be
operable in Modes 1, 2, and 3 with reactor steam dome pressure greater
than 1150 pounds per square inch gage; therefore, there was no immediate
impact on plant operation.
10CFR50, Appendix R, Section III.G.3, requires that remote shutdown
capability be provided for areas which do not meet the physical and
electrical separation requirements of Section III.G.2 of Appendix R. The
remote shutdown capability must be physically and electrically
independent of the area of concern such that one safe shutdown method
remains available from locations outside the area of concern. This
electrical independence criteria includes postulation of the circuit
failure modes described in NRC Generic Letter 86-10, Section 5.3.1. To
mitigate the potential adverse effects of the postulated circuit failure
modes on the selected safe shutdown method, remote transfer contacts are
installed in the control circuits for selected safe shutdown equipment to
isolate the portion of the equipment control circuit from the area of
concern.
Clinton Power Station provides remote transfer capability for the RCIC
system to provide reactor pressure vessel level control for the remote
shutdown method. The engineering reviews discussed above identified that
two cables in the control circuit for the RCIC turbine [TRB] cannot be
isolated from the area of concern (Main Control Room) by operation of the
respective remote transfer switch [HS]. The cables are 1RI85B and 1RI85C,
which are routed from the RSP, 1C61-P001, to Main Control Room Panel
1H13-P706E.
In August 1985, prior to initial plant fuel load, the final revision of
General Electric (GE) Field Deviation Disposition Request (FDDR) LH1-1308
was issued to install interface connections to the RCIC system to provide
inputs for the GE Transient Analysis Recording System (GETARS) [IQ]
equipment. The GE design of this FDDR included connection of signal
monitoring interfaces with the RCIC control and indication circuits
between the MCR multiplexers [MPX] and the RSP. The design did not
provide adequate isolation from some MCR circuits and connecting cables
via transfer switch contacts to address the potential for fire-induced
circuit failure modes. The design lacked isolation for cable 1RI85C
connected to the flow control input at the signal converter [CNV],
1E51-N590, and cable 1RI85B connected to the RCIC turbine EG-M Control
Box, 1E51-N591, speed output to the turbine tachometer [TAC]. The FDDR
included specifications for connecting other MCR GETARS inputs to RCIC
signals, but those specifications did include interface modules at the
RSP that provided adequate isolation features.
On July 9, 1997, an engineering review of Updated Safety Analysis Report
(USAR) Appendix F, "Fire Protection Safe Shutdown Analysis," identified
that operation of the Division 1 Essential Switchgear Heat Removal System
supply air fan [FAN] discharge damper [DMP], 1VX03YA, may not be
available from the RSP following a fire in the MCR due to electric shorts
resulting from fire-related cable damage. On July 16, 1997, CR
1-97-07-164 was initiated to document further evaluation of this issue.
A review to determine the extent of this issue included other heating,
ventilating and air conditioning (HVAC) systems required for safe
shutdown; however, no similar control circuit errors were identified.
The cause of this event was attributed to oversight in the original
design of either the Essential Switchgear Heat Removal System, or the
Remote Shutdown System. This issue was reported in LER 97-019.
On July 31, 1997, engineers were performing a vertical slice review of
selected safe shutdown components in response to audit finding CR
3-97-06-310. During the review, the engineers determined that operation
of the Division 1 Diesel Generator Feed Breaker, 252-DG1KA, may not be
available from the RSP following a fire in the MCR due to electrical
shorts resulting from fire-related cable damage. CR 1-97-07-350 was
initiated to track the investigation and resolution of this issue. This
issue was reported in LER 97-021 and 10CFR21 Report 21-97-040. All
circuits routed through the RSP were reviewed to ensure that a MCR fire
would not prevent operation of those circuits from the RSP, because of
the similarities of LERs 97-019 and 97-021. The review did not identify
any additional circuit design errors that would prevent operation of
components from the RSP.
On September 10, 1997, an engineering evaluation was issued in response
to a corrective action step for audit finding CR 3-97-06-310. The
specific corrective action step required a sample review of safe shutdown
circuit analyses completed by Sargent & Lundy prior to initial plant
operation. The evaluation concluded that the previous review of all
circuits routed through the RSP was not adequate to ensure there was no
potential impact to Remote Shutdown capability, because the review was
inappropriately performed on a schematic level and needed to be continued
at the cable level.
In December 1997, NSED engineers began a more comprehensive review of the
Remote Shutdown System circuits in response to the engineering evaluation
issued on September 10, 1997. During this review on March 25, 1998,
engineers discovered the lack of isolation capability for RCIC cables
1RI85B and 1RI85C as discussed above.
RCIC cables 1RI85B and 1RI85C have lacked proper isolation capability
from MCR circuits since initial plant operation on September 29, 1986,
when the plant was in Mode 5 (REFUELING) for initial plant fuel loading.
At that time reactor coolant temperature was ambient and pressure was
atmospheric.
No automatic or manually initiated safety system responses were necessary
to place the plant in a safe and stable condition. This event was not
directly affected by other inoperable equipment or components.
CAUSE OF EVENT
The cause of this event is attributed to an error in the design of FDDR
LH1-1308 that was likely the result of inadequate design change controls,
and supplier and Illinois Power design engineers' unfamiliarity, prior to
initial plant operation, with the potential failure mechanisms associated
with fire-induced circuit damage.
Factors that may have contributed to the cause of this event include: the
complex circuit design and interface requirements may have contributed to
the possibility of errors; time pressure at the time immediately prior to
plant start-up may have reduced the level of detail of engineering
reviews; and communications between three different engineering
organizations (Illinois Power, Sargent & Lundy, GE) may not have been
rigorous.
Corrective actions for previous LERs 97-019 and 97-021 were ineffective
in identifying the potential extent of this issue for remote shutdown
circuits because the reviews were inappropriately performed on a
schematic level rather than at the cable level.
CORRECTIVE ACTION
Illinois Power will modify the interface of GETARS cables 1RI85B and
1RI85C with the RSP to provide adequate isolation.
Illinois Power will perform a comprehensive review of safe shutdown
required control circuits to ensure that the potential for fire damage in
the Main Control Room is properly evaluated for impact on Safe Shutdown
operation from the RSP.
Engineering standard GD(RS)-01.00, "Fire Protection/Safe Shutdown
Engineering Review Standard," has been revised to provide appropriate
review criteria for changes to the safe shutdown analyzed equipment
specified in USAR, Appendix F. The revision strengthens barriers to
prevent design changes that create a potential for adversely affecting
the post-fire Safe Shutdown Analysis with respect to fire-induced circuit
failures.
Engineering standard EE-01.00, "Safe Shutdown Cable Selection," was
issued to outline rigorous methods for safe shutdown circuit analysis.
Changes to the hardware change program in administrative procedure CPS
1003.01, "CPS Hardware Change Program," require Illinois Power
engineering personnel to perform a review of all supplier design
products. These procedural controls provide significant changes from the
conditions that existed when the error discussed in this report occurred.
ANALYSIS OF EVENT
This event is reportable under the provisions of 10CFR50.73(a)(2)(ii)(B)
because the lack of proper isolation for cables 1RI85B and 1RI85C is
not in accordance with the design basis of the plant.
An assessment of the safety consequences and implications associated with
this event identified that this issue has potential safety significance.
In the event of a control room evacuation, the Remote Shutdown System
(RSS) provides the capability for direct manual control of certain
components of the RCIC system. To assure a controlled safe shutdown of
the reactor from outside the MCR, the RSS overrides the usual control
room signals for these components when the appropriate transfer switches
are actuated at the RSP. The RCIC pump, turbine and controls are the
only equipment operated at the RSP capable of ensuring adequate reactor
water inventory is maintained during HOT SHUTDOWN.
This event should have no impact on normal plant operation since normal
operations are not conducted from the RSP. However, during abnormal
operations such as a fire in the MCR, operation from the RSP may be
required to achieve safe shutdown of the reactor. At this time, fire
damage to cable 1RI85C causing a short circuit could disable control of
the RCIC pump turbine resulting in a loss of function, or could result in
aberrant flow control with component damage likely. Short circuit damage
to cable 1RI85C could disable the RCIC turbine speed indication on the
Remote Shutdown Panel. Loss of RCIC turbine speed indication would
affect the operators' ability to monitor performance of the RCIC turbine.
ADDITIONAL INFORMATION
No equipment failed during this event.
Similar previous events are discussed within this report.
For further information regarding this event, contact D. L. McMillan,
Corrective Action Team Lead Engineer, at (217) 935-8881, extension 3920.
10CFR, PART 21 REPORT 21-98-026
IP has completed the evaluation of this issue and concludes that this
issue should be reported under the provisions of 10CFR21. The following
information is provided in accordance with 10CFR21.21(d)(4). Initial
notification of this matter will be provided via facsimile of this report
to the NRC operations center in accordance with 10CFR21.21(d)(3) within
two days of the responsible officer approval of this report.
(i) Walter G. MacFarland, Senior Vice President and Chief Nuclear
Officer of IP, Clinton Power Station, Highway 54, 6 Miles East, Clinton,
Illinois, 61727, is informing the Nuclear Regulatory Commission of a
condition reportable under the provisions of 10CFR, Part 21.
(ii) The basic component involved in this condition is the interface of
cables 1RI85B and 1RI85C in the Remote Shutdown System in accordance
with FDDR LH1-1308 as discussed in the LER DESCRIPTION OF EVENT section
of this report.
(iii) The design of cables 1RI85B and 1RI85C in the Remote Shutdown
System discussed in this report was supplied to Clinton Power Station by
General Electric.
(iv) Cables 1RI85B and 1RI85C in the control circuit for the RCIC turbine
cannot be isolated from the Main Control Room by operation of the remote
transfer switch as designed and required by 10CFR50, Appendix R, Section
III.G.3. The cables are routed from the Remote Shutdown Panel,
1C61-P001, to Main Control Room Panel 1H13-P706E in the Remote Shutdown
System and do not have appropriate isolation from Main Control Room
Circuits.
IP concludes that if this issue had gone uncorrected it could have caused
a loss of the RCIC turbine control following a fire in the Main Control
Room and subsequent use of the RSP. This condition could have resulted
in the inability to control reactor coolant inventory during HOT
SHUTDOWN.
(v) The deficiency in the Remote Shutdown System design was identified
on March 25, 1998, as discussed in the LER DESCRIPTION OF EVENT section
of this report. IP determined that this issue was potentially reportable
under the provisions of 10CFR21 at that time. Condition Report
1-98-03-499 was initiated to track an investigation and resolution of
this issue.
(vi) As discussed in the LER DESCRIPTION OF EVENT section of this report,
LER 97-019 and LER 97-021 (10CFR21 Report No. 21-97-040) discuss similar
events. Corrective action for this issue includes performing a
comprehensive review of safe shutdown control circuits to ensure that the
potential for fire damage in the Main Control Room is properly evaluated
for impact on Safe Shutdown from the Remote Shutdown System. This review
will identify any other similar issues.
IP is not aware of other facilities that could be affected by this
issue.
(vii) Corrective action for this issue is discussed in the LER
CORRECTIVE ACTION section of this report.
(viii) IP has no advice for other purchasers or licensees regarding this
issue.
*** END OF DOCUMENT ***