United States Nuclear Regulatory Commission - Protecting People and the Environment

Information Notice No. 99-17: Problems Associated With Post-Fire Safe-Shutdown Circuit Analyses

UNITED STATES
NUCLEAR REGULATORY COMMISSION
OFFICE OF NUCLEAR REACTOR REGULATION
WASHINGTON, D.C. 20555-0001

June 3, 1999

NRC INFORMATION NOTICE 99-17: PROBLEMS ASSOCIATED WITH POST-FIRE SAFE-SHUTDOWN CIRCUIT ANALYSES


Addressees

All holders of operating licenses for nuclear power reactors, except those who have permanently ceased operations and have certified that fuel has been permanently removed from the reactor.

Purpose

The U.S. Nuclear Regulatory Commission (NRC) is issuing this information notice (IN) to alert addressees to potential problems associated with post-fire safe-shutdown circuit analysis. These potential problems could result in a vulnerability to fire-induced circuit failures that could prevent the operation or lead to malfunction of equipment necessary to achieve and maintain post-fire safe shutdown. It is expected that recipients will review the information for applicability to their facilities and consider actions, as appropriate, to avoid similar problems. However, suggestions contained in this information notice are not NRC requirements; therefore, no specific action or written response is required.

Description of Circumstances

The Office of Nuclear Reactor Regulation (NRR), the NRC regional offices, and licensees have found plant-specific problems related to potential fire-induced electrical circuit failures that could prevent operation or cause malfunction of equipment needed to achieve and maintain post-fire safe shutdown. Examples of problems reported by the licensees follow.

Associated Circuits

In Licensee Event Report (LER) 50-382/97-020-01 of March 16, 1998, Entergy Operations, Inc., the licensee for Waterford Steam Electric Station, Unit 3, reported that a fire in the switchgear room could potentially result in the momentary loss of both trains of safety-related static uninterruptible power supplies (UPS). The licensee attributed this condition to a combination of the inherent design of the UPS units and unprotected UPS associated circuits that were not separated in accordance with the regulatory requirements of Appendix R to 10 CFR Part 50. The licensee concluded that this condition would not necessarily have prevented safe shutdown of the plant in the event of a fire, but could have resulted in recurring instances of the load breakers isolating the faults and the UPS units momentarily shutting down to clear the faults, which could have continued after control was transferred to the remote shutdown panel. The licensee's corrective measures included replacing a UPS, rerouting cables, and enhancing operator response procedures.

Cable Routing and Separation and Wiring Errors

In LER 50-266/99-002 of April 14, 1999, Wisconsin Electric, the licensee for Point Beach Nuclear Plant, reported that it had discovered that a cable necessary to provide a plant parameter to support post-fire safe shutdown was not routed independent of the appropriate fire zone. According to the licensee, this condition occurred because a previous modification failed to provide for the cable routing necessary to meet the safe shutdown evaluation. The licensee is considering either rerouting the cable or protecting the cable with a 3-hour fire-rated barrier.

In LER 50-454/97-023-01 of March 4, 1998, Commonwealth Edison Company, the licensee for Byron Nuclear Power Station, Unit 1, reported that, because of a wiring error that occurred during the installation of a design change, the 1B emergency diesel generator (EDG) may not have continued to operate in the event of a fire in certain fire zones. Specifically, a normally connected wire was mistakenly removed and the intended wire, which remained, cross-tied both EDG DC control power supplies. Therefore, certain fires could have resulted in the loss of both control power circuits for the EDG, leaving the EDG without any control power and unable to respond as designed. The licensee revised its procedures for verifying design changes, rewired the affected diesel controls, performed a wiring verification, and walked down all EDG local panels.

Fire-Induced Hot Shorts

In LER 50-341/98-003-01, of July 31, 1998, Detroit Edison, the licensee for Enrico Fermi 2, reported that during an investigation of a previous LER, it discovered that a combination of multiple fire-induced hot shorts could open a drain path and cause a loss of condensate storage tank (CST) inventory required for dedicated shutdown. During a later review of its corrective actions for this previous condition, the licensee determined that the corrective actions were not adequately incorporated into the dedicated shutdown procedure. Specifically, under the revised procedure, the valve that was susceptible to spurious opening would be closed before electrical power was disconnected. Therefore, a fire-induced hot short could cause the valve to reopen until it was de-energized. According to the licensee, it also previously failed to identify the normal supply to the high pressure coolant injection (HPCI) system and the reactor core isolation cooling (RCIC) system as potential CST drain paths because it assumed that when the HPCI pump was shutdown, flow through the pump would stop. Finally, the licensee previously failed to recognize that a RCIC gravity drain path could be opened to the suppression pool by a hot short. The licensees corrective actions included adding new manual actions to the abnormal operating procedures, designating access routes and installing emergency lighting, reviewing other valves for susceptibility to fire-induced spurious operation, and other Appendix R reassessment activities.

Evaluations of Spurious Operations

In LER 50-255/97-008 of October 10, 1997, Consumers Power Company (CPC), the licensee for Palisades Nuclear Power Plant, reported that it had failed to properly evaluate the potential for spurious opening of certain service water (SW) cross-tie valves as a result of fire-induced hot shorts. According to the licensee, had a spurious opening of the SW cross-tie valves occurred due to the effects of a fire, loss of component cooling water inventory to the lower pressure SW system could occur in as little as 25 seconds without any approved Appendix R coping scenarios in place to mitigate the condition. The licensee implemented a number of corrective actions including isolating the air supply to the SW cross-tie valves to remove the possibility of spurious operations of the valves.

As another example, in LER 50-255/97-10 of October 30, 1997, CPC reported that its Appendix R analysis was in error in that it accounted for the fire-induced spurious opening of only two of the four main atmospheric steam dump valves (ASDVs) in the event of a control room or cable spreading room fire. According to the licensee, it should have accounted for all four main ASDVs and the turbine bypass valve spuriously opening as a result of fire-induced hot shorts. The cause of this condition was a cable that was not identified as a field run on the circuit diagram. According to the licensee, fire scenarios involving this condition could have lead to fuel clad damage. As a result of a new evaluation, the licensee revised its procedures to cope with all four ASDVs opening in the event of a fire.

Motor Operated Valve Evaluations

In LER 50-293/97-029 of January 19, 1998, Boston Edison Company, the licensee for Pilgrim Nuclear Power Station, reported that it had determined that the shutdown cooling (SDC) suction isolation valves were vulnerable to mechanical damage from a potential failure mode involving hot shorts. According to the licensee, this condition could have caused spurious operation of these SDC motor operated valves (MOVs) during a control room or cable spreading room fire, resulting in damage to either valve such that the operators could not change the position of the valves. As a result, the SDC mode of the residual heat removal system would not be available to support the safe cooldown of the plant. As a temporary corrective action, the licensee opened breakers to de-energize the valves, placing them in a fail-safe, isolated condition, and maintaining containment integrity. As a permanent corrective action, the licensee is considering converting the temporary modification to a permanent plant modification, or modifying the control circuits to eliminate the postulated failure mode.

Transfer and Isolation Capability

In LER 50-461/97-021 of August 25, 1997, Illinois Power, the licensee for Clinton Power Station, reported that a control circuit fed from the 125 volt direct current (DC) control power fuse for the Division 1 EDG feed breaker was routed through the main control room (MCR) but did not include isolation contacts at the remote shutdown panel (RSP) transfer switch to allow isolation of the MCR wiring/controls while operating from the RSP. According to the licensee, in the event of a MCR fire, concurrent with the loss of offsite power, the fire could damage the circuit, causing multiple DC ground faults, the loss of control power for the Division 1 EDG feed breaker, and a loss of power to Division 1 equipment. To resolve this condition, the licensee rewired the control circuit at the RSP so that it included isolation contacts from the transfer switch.

As another example, in LER 50-461/98-013 of April 20, 1998, Illinois Power reported that fire-induced electrical short circuits during a MCR fire could prevent the operation of the RCIC system from the remote shutdown panel. According to the licensee, two cables interfacing with the control circuit for the RCIC turbine would not isolate from the control room when the remote transfer switch was operated. As a corrective action, the licensee will modify the interface of two General Electric (GE) transient analysis recording system cables with the remote shutdown panel. In a letter dated July 9, 1998, GE informed the staff that it had reviewed the Clinton LER and conducted a sample review of GE design documents and was not able to confirm or refute the existence of similar problems at other plants.

Fuse/Breaker Coordination

As reported in LER 50-353/99-001, on January 19, 1999, during an engineering review at the Limerick Generating Station, Unit 2, PECO Nuclear, the licensee, determined that a fire in the reactor enclosure cooling water (RECW) equipment area could cause fire-induced damage to an auto-start pressure switch in the control circuit for a RECW pump. According to the licensee, the damage could create a hot short that would cause the pump to auto-start if the pump control switch was in the "run" or "auto" position. In addition, the licensee determined that the same fire could induce a fault in the 480 VAC power cable to the pump motor which could open the load center beaker to its associated motor control center (MCC). The licensee concluded that the fire could result in the loss of equipment required for post-fire safe shutdown. The licensee attributed this condition to inadequate circuit breaker coordination. In response to this condition, the licensee reset the MCC breaker settings and revised the appropriate design calculations. The licensee will also review and upgrade, as necessary, all safety-related breaker coordination calculations.

High Impedance Faults

In LER 50-397/98-006-01 of July 23, 1998, Washington Public Power Supply System, the licensee for Washington Nuclear Plant, Unit 2, reported that it had found discrepancies in low voltage bus calculations during a review of Appendix R calculations for high impedance faults. According to the licensee, the calculation errors could have resulted in overloading of certain buses due to fire-induced faults and the loss of safe shutdown capability. The licensee conducted a review of its documentation and calculations, and revised its safe shutdown procedures to prevent low voltage buses from becoming overloaded due to fire induced faults.

High-Pressure/Low-Pressure Interfaces

On February 27, 1997, Commonwealth Edison Company reported that during a review of the Quad Cities Appendix R Conformance Safe-Shutdown Analysis, plant personnel discovered that the reactor water cleanup (RWCU) system had been identified as a high-pressure/low-pressure interface requiring isolation during certain design-basis fires (LER 50-265/97-006). The licensee stated that a postulated design-basis fire could have caused multiple spurious operations of certain RWCU system valves, potentially allowing a loss of reactor coolant inventory in excess of design basis limits. Specifically, failure to properly isolate the RWCU system could have prevented station operators from attaining safe-shutdown before the reactor water level reached the top of the active fuel. The resolution of the potential RWCU blowdown path was to ensure that the system would be manually isolated during design basis fires. The licensee revised the appropriate safe shutdown-related documents and procedures.

Discussion

The regulatory requirements, the regulatory guidance, and the NRC staff's positions on post-fire safe shutdown are contained in various NRC documents; including General Design Criterion (GDC) 3, "Fire protection" of Appendix A to Part 50 of Title 10 of the Code of Federal Regulations (10 CFR Part 50); 10 CFR 50.48, "Fire protection"; 10 CFR Part 50, Appendix R, "Fire Protection Program for Nuclear Power Facilities Operating Prior to January 1, 1979"; Branch Technical Position APCSB 9.5-1, Appendix A, "Guidelines for Fire Protection for Nuclear Power Plants Docketed Prior to July 1, 1976"; and NUREG-0800, "Standard Review Plan." The extent to which these requirements or guidelines are applicable to a specific nuclear power plant depends on plant age, commitments established by the licensee in developing the fire protection plan, and the license conditions pertaining to fire protection. One of the objectives of these requirements and guidelines is to provide reasonable assurance that fire-induced circuit failures (e.g., hot shorts, open circuits, and shorts to ground) that could adversely affect the ability to achieve and maintain post-fire safe shutdown will not occur.

The risk and safety significance of circuit analysis problems is dependent on a number of factors including, for example, the importance of the circuit to the post-fire safe shutdown capability, the type and configuration of the circuit, and the potential circuit failure modes. The NRC staff did not conduct detailed risk assessments of the events and inspection findings discussed in this information notice. However, in view of these reports of circuit analysis problems, and a number of similar reports, the NRC staff is treating this issue generically. The staff is interacting with the reactor industry and other interested stakeholders to develop effective, realistic, deterministic and risk-informed solutions to the circuit analysis issues. On July 23, 1998, the staff conducted a public workshop to discuss with the public and the nuclear reactor industry a variety of safety, technical, and regulatory matters associated with post-fire safe shutdown circuit analyses. The underlying objectives of the workshop were to bound any issues, to achieve an understanding of the industry positions on the issues, and to impart the staff's understanding of the issues. The discussions focused on safety, technical and regulatory issues; the assumptions that go into circuit analyses; and the terminology used to discuss circuit analyses. To help resolve issues associated with post-fire safe shutdown circuit analyses, the Boiling Water Reactor Owners' Group (BWROG) established an Appendix R Committee and the Nuclear Energy Institute (NEI) formed a Circuit Analysis Issue Task Force. NEI is developing a risk-based methodology for addressing fire-induced circuit failures. This effort involves identifying potential circuit failure modes for specific conditions and arrangements, developing risk-informed methods for assessing the likelihood of fires in plant-specific locations and their potential to cause multiple circuit failures, and developing deterministic circuit failure analysis methods that could be applied to plant-specific configurations that are not screened by the assessment of circuit failure modes or the risk assessment. The BWROG is developing generic definitions, assumptions, and positions related to a deterministic fire-induced circuit failure analysis methodology.

This information notice establishes no new NRC requirements; therefore, no specific action or written response is required by this notice. However, recipients are reminded that they are required by 10 CFR 50.65 to take industry-wide operating experience (including information presented in NRC information notices) into consideration when setting goals and performing periodic evaluations. If you have any questions about the information in this notice, please contact one of the technical contacts listed below or the appropriate NRR project manager.

  signed by

David B. Matthews, Director
Division of Regulatory Improvement Programs
Office of Nuclear Reactor Regulation

Technical contacts: Patrick M. Madden, NRR
301-415-2854
E-mail: pmm@nrc.gov
  Leon E. Whitney, NRR
301-415-3081
E-mail: lew1@nrc.gov

Attachment: List of Recently Issued NRC Information Notices

Page Last Reviewed/Updated Tuesday, February 11, 2014