05000220/LER-2003-004

From kanterella
Jump to navigation Jump to search
LER-2003-004,
Event date:
Report date:
Reporting criterion: 10 CFR 50.73(a)(2)(i)(B), Prohibited by Technical Specifications
10 CFR 50.73(a)(2)(vii), Common Cause Inoperability
2202003004R00 - NRC Website
v  d  e

I. Description of Event

Introduction On August 13, 2003, at approximately 0430 hours0.00498 days <br />0.119 hours <br />7.109788e-4 weeks <br />1.63615e-4 months <br /> with the plant operating at 100 percent power, fuses F20, F21, F24, and F25 were pulled In accordance with Clearance NO3-13-004 to support the replacement of Emergency Cooling (EC) system initiation logic time delay dropout (TDDO) relay 11K62A under Work Order 02-04949-00.

Removal of these fuses de-energized 125 VDC Battery #11 power to EC solenoid valves39-056 and 39-06G. The clearance identified the plant impact to be the insertion of a half EC system initiation signal. The clearance did not address its effect on the EC Isolation function.

EC System Description The EC system is a standby system for the removal of fission product decay heat without the loss of reactor water inventory following a reactor scram, when the main condenser is not available as a heat sink or In the event of a loss of reactor feedwater. In addition, the EC system aids the Core Spray and Automatic Depressurization systems by providing core cooling following a loss-of-coolant accident (LOCA). The EC system consists of two independent systems (loops), and included in each loop are two emergency condensers, two motor-operated steam supply Isolation valves, an air-operated condensate return Isolation valve, and a condensate return check valve. Note that, for clarity, the two independent EC systems will hereinafter be referred to as EC loops. In the standby condition.

each loop's steam supply isolation valves are maintained open (to keep the condenser tubes flooded) and the condensate return isolation valve is maintained closed. The EC system operates by natural circulation and is automatically initiated on either a high reactor pressure or a low-low reactor water level signal from the Reactor Protection System (RPS). Redundant principal and confirmatory automatic initiation logics are provided to ensure EC initiation capability in the event of a control room fire. Full initiation of the EC system is accomplished by opening the air-operated condensate return isolation valve in both EC loops. The automatic initiation function (i.e., the automatic opening of both EC condensate return isolation valves) uses a one-out-of-two taken twice logic, with either the principal or confirmatory logic being capable of performing the function independently.

Automatic isolation of the EC system occurs on a high steam flow signal from the RPS as sensed by the elbow flow meters and AP transmitters connected to each steam supply line. For a sensed high steam flow condition in a steam line, which would be indicative of an EC system line break, only the affected loop will isolate. Automatic isolation of an EC loop involves closure of both steam supply isolation valves (normally open) and the condensate return isolation valve (open for EC operation only) in the affected loop. The EC condensate return check valve in each EC loop, located inside the containment drywell in-series with the condensate return isolation valve (located outside the drywell), provides redundant isolation protection for the condensate return lines. Redundant principal and confirmatory high steam flow isolation logics are provided to prevent an Inadvertent EC system Isolation due to hot shorts caused by a control room fire. Both the principal and confirmatory logics for the affected EC loop are required to actuate to initiate automatic closure of the associated steam supply and condensate return isolation valves.

The RPS consists of two independent logic channels, and within each logic channel there are two essentially identical subchannels. For the EC system initiation function, the logic channels for both the high reactor pressure and low-low reactor water level parameters are referred to as trip systems and the associated subchannels are referred to as instrument channels in TS Table 3.6.2c. For the EC high steam flow isolation function, each RPS logic channel provides isolation signals to each of the two trip systems In each EC loop referred to in TS Table 3.6.2c, and the RPS subchannels are the instrument channels referred to in TS Table 3.6.2c.

The RPS high steam flow Isolation signals for the EC loops are Initiated from four � transmitters connected to the steam supply lines, with two transmitters (one from each RPS logic channel) connected to each EC loop steam supply line. Each AP transmitter provides the sensor inputs to its respective electronic trip unit and instrument I. Description of Event (ContIc11 channel. As indicated in TS Table 3.6.2c, the high steam flow isolation function has two trip systems per EC loop, with each trip system receiving inputs from both associated instrument channels arranged In a one-out-of-two logic configuration. The trip of either trip system will initiate an Isolation of the associated EC loop.

Component Information Each EC loop contains a normally closed condensate return isolation valve (Loop 11 valve 39-05; Loop 12 valve 39-06) that receives both RPS Initiation and RPS Isolation signals. Each air-operated condensate return Isolation valve is equipped with four solenoid valves installed in series to control the air supply to the air-operator (spring to open/air to close). Two of the solenoid valves are DC operated and two are AC operated. The two AC solenoid valves are normally de-energized to maintain the associated condensate return isolation valve closed. The AC solenoid valves allow each condensate return isolation valve to be operated from its respective remote shutdown panel. Energizing either of the two AC solenoid valves will open the associated condensate return Isolation valve. The DC solenoid valves (Loop 11 solenoid valves39-05G and 39-05H; Loop 12 solenoid valves39-06G and 39-06H) are normally energized to maintain the associated condensate return isolation valve closed.

The RPS initiation logic must de-energize both DC solenoid valves to open the associated condensate return isolation valve, and thereby Initiate the EC loop. TODD auxiliary relays (principal logic relays: 11K61, 11K62, 12K61, and 12K62; confirmatory logic relays: 11K61A, 11K62A, 12101A, and 12K62A) provide a twelve second time delay before de-energizing the DC solenoid valves to prevent unnecessary initiations of the EC system (i.e., the EC system is not needed during anticipated transients when the main condenser remains available for decay heat removal). For compliance with TS Table 3.6.2c, a trip system for the EC initiation function has been determined to be the arrangement of instrument channel trip signals and auxiliary equipment required to initiate the protective action of de-energizing one of the two DC solenoid valves for the condensate return isolation valve in both EC loops.

Each trip system receives inputs from its two associated instrument channels, arranged in a one-out-of-two logic configuration. The actuation of both trip systems is required to initiate a full EC system initiation (i.e., the opening of both condensate return isolation valves). Thus, the EC Initiation function for both the high reactor pressure and low- low reactor water level parameters uses a one-out-of-two taken twice logic. TS Table 3.6.2c requires a minimum of two tripped or operable trip systems with two operable Instrument channels per operable trip system for operability of each parameter of the EC initiation function.

Provided that both associated AC solenoid valves are de-energized, a condensate return isolation valve will close automatically when at least one of the two associated DC solenoid valves energize in response to a high steam flow isolation signal. For compliance with TS Table 3.6.2c, a trip system for the EC high steam flow isolation function, as it applies to closure of a condensate return isolation valve, has been determined to be the arrangement of instrument channel trip signals and auxiliary equipment required to initiate the protective action of energizing one of the two DC solenoid valves. Each trip system receives inputs from its two associated instrument channels (one from each RPS logic channel), arranged in a one-out-of-two logic configuration. Fora given EC loop, the actuation of either trip system will initiate closure of the associated condensate return isolation valve. Thus, the EC high steam flow isolation function for each EC loop uses a one-out-of-two logic. For each of the two EC loops, TS Table 3.6.2c requires a minimum of two tripped or operable trip systems with two operable instrument channels per operable trip system for operability of the EC high steam flow isolation function.

Event

Clearance NO3-13-004 pulled fuses F20, F21, F24, and F25 for the replacement of EC Initiation system (confirmatory) logic TDDO relay 11K62A, which de-energized Battery #11 125 VDC power to DC solenoid valves 39- 05G and 39-06G. DC solenoid valve 39-05G is one of the two DC solenoid valves supplying the Loop 11 EC condensate return isolation valve (39-05) and DC solenoid valve 39-06G Is one of the two DC solenoid valves I. Description of Event (Corgis:11 supplying the Loop 12 EC condensate return isolation valve (39-06). A trip system for the EC initiation function is defined as providing the protective action of de-energizing one of the two DC solenoid valves for the condensate return isolation valve In poll1 EC loops. Thus, in terms of TS 3.6.2c compliance, the impact of pulling the indicated fuses and de-energizing DC solenoid valves39-05G and 39-06G effectively placed one of the two EC initiation trip systems in the tripped condition. Therefore, the clearance correctly identified the plant impact to be the Insertion of a half EC system initiation signal. In accordance with TS Table 3.6.2c, when a trip system is placed in the tripped condition, no further TS actions are required.

Although Clearance NO3-13-004 correctly assessed the Impact of pulling fuses F20, F21, F24, and F25 on the TS 3.6.2c EC initiation function, no similar assessment was performed for the TS 3.6.2c EC high steam flow isolation function, which was also impacted. The clearance reviewers did not recognize that pulling these fuses inhibited the capability of DC solenoid valves39-05G and 39-06G to actuate (energize) to close their respective Loop 11 and Loop 12 EC condensate return isolation valves in response to an EC system high steam flow Isolation signal. A trip system for the EC high steam flow isolation function, as it applies to closure of a condensate return isolation valve, is defined as providing the protective action of energizing one of the two DC solenoid valves. Therefore, during the period the fuses were removed, one trip system in each EC loop for the high steam flow Isolation function was inoperable since the associated Instrument channels and auxiliary equipment were incapable of energizing their respective DC solenoid valve.

Fuses F20, F21, F24, and F25 were pulled at approximately 0430 hours0.00498 days <br />0.119 hours <br />7.109788e-4 weeks <br />1.63615e-4 months <br /> on August 13, 2003 under Clearance NO3- 13-004. Shortly after placement of the clearance, the on-shift Operations crew questioned the validity of the stated plant impact as being limited to a half EC system initiation signal. After contacting an off-shift Senior Reactor Operator for input regarding previous experience with a similar clearance, it was determined that the EC high steam flow isolation logic was also affected. The fuses were re-installed and the clearance was removed at approximately 0538 hours0.00623 days <br />0.149 hours <br />8.895503e-4 weeks <br />2.04709e-4 months <br /> by direction of the Operations Station Shift Supervisor pending investigation and resolution of concerns raised regarding the clearance. Placement of the clearance resulted in one trip system in each EC loop for the high steam flow isolation function in TS Table 3.6.2c being inoperable for approximately one hour and eight minutes. The action statements in TS Table 3.6.2c Note (f) do not apply to this condition, as they only address inoperable instrument channels, not trip systems. Placing the inoperable trip systems in the tripped condition would not be an acceptable option in this situation since this action would isolate both EC loops and inhibit automatic EC initiation.

Consequently, the one-hour shutdown action statement of TS 3.1.3.e should have been entered Immediately in accordance with TSs 3.0.1 and 3.6.2.a(3). Removal of the clearance restored both EC loops to operable status and thereby restored compliance with TS 3.1.3.e since the action statement no longer applied. Because the on-shift Operations personnel did not understand the full scope and impact of the clearance, they did not realize that entry into the one-hour shutdown action statement of TS 3.1.3.e was required.

On November 26, 2003, plant management concluded that both EC loops had been inoperable on August 13, 2003 for a period of approximately one hour and eight minutes. It was determined that one of the two trip systems in each EC loop for the high steam now isolation function was inoperable during this period without having initiated a reactor shutdown within one hour as required by TS 3.1.3.e. The event was determined to be reportable pursuant to 10 CFR 50.73(a)(2)(0(B) and 10 CFR 50.73(a)(2)(vii) based on a detailed review of the design and licensing bases for Notes (a) and (0 to TS Table 3.6.2c. 111s important to note that, with only one of the two high steam flow isolation trip systems inoperable in each EC loop, there was no loss of isolation function as each EC loop remained capable of isolating on a high steam flow isolation signal via the operable trip system. Moreover, the event had no Impact on the capability of the EC condensate return check valve In each EC loop to perform its redundant (single failure) isolation protective function.

NRC FORM MA (14001)

II. Cause of Event

The cause of this event is inadequate performance of the plant and TS impact reviews for the clearance supporting the replacement of the EC system Initiation logic TDDO relay. The reviewers of the clearance did not apply the appropriate rigor to recognize that pulling fuses F20, F21, F24, and F25 Inhibited the capability of DC solenoid valves39-05G and 39-06G to actuate (energize) to close their respective Loop 11 and Loop 12 EC condensate return isolation valves in response to an EC system high steam flow isolation signal. Placement of the clearance resulted in one trip system In each EC loop for the high steam flow isolation function in TS Table 3.6.2c being inoperable for approximately one hour and eight minutes. Because the on-shift Operations personnel did not understand the full scope and impact of the clearance, they did not realize that entry into the one-hour shutdown action statement of TS 3.1.3.e was required.

A contributing cause is inadequate corrective actions for a non-reportable similar previous event, in that the corrective actions were a missed opportunity to avert this event. In 2001, following the replacement of EC system initiation (principal) logic TODD relay 111{62, it was identified that the requirements of TS Table 3.6.2c are confusing and may not properly consider the design of the EC system Isolation logic. As a result, two Deviation/Event Reports (DERs) were initiated to request an evaluation to determine whether additional training/guidance Is needed in the use of TS Table 3.6.2c as It applies to the EC system isolation instrumentation, or whether the TS requirements should be revised. Based on the results of the evaluation, a Licensing Document Change Request (LDCR) was initiated to revise TS Table 3.6.2c and/or the associated TS Bases to clarify the minimum requirements and required actions associated with the instrumentation control logic for the EC initiation and isolation functions. However, no interim training/guidance was provided. The LDCR is currently in process for completion.

Ill. Analysis of Event The event is reportable in accordance with 10 CFR 50.73(a)(2)(i)(B) as "Any operation or condition which was prohibited by the plant's Technical Specifications...." The event occurred because the plant operators did not recognize that pulling fuses F20, F21, F24, and F25, as specified in Clearance NO3-13-004, would result in both EC loops being inoperable and require entry into the TS 3.1.3.e action statement. The event is reportable under this criterion because the allowed one- hour completion time for initiation of a reactor shutdown as specified in the action statement was exceeded by approximately eight minutes.

The event is also reportable in amen:lance with 10 CFR 50.73(a)(2)(vii) as "Any event where a single cause or condition caused at least one independent train or channel to become inoperable in multiple systems or two independent trains or channels to become inoperable in a single system designed to: ...(C) Control the release of radioactive material; or (D) Mitigate the consequences of an accident." The event is reportable under this criterion because pulling fuses F20, F21, F24, and F25 de-energized 125 VDC battery power to EC solenoid valves39-05G and 39-06G. This condition inhibited the capability of the solenoid valves to actuate (energize) to close their respective EC condensate return isolation valves in response to an EC system high steam flow isolation signal. As such, the event resulted in one of the two required instrumentation trip systems (and associated channels) of the EC high steam flow isolation function to be inoperable in both EC loops without having entered the appropriate TS action statement.

The inoperability condition was limited to the loss of the capability to actuate (energize) one of the two DC solenoid valves associated with each condensate return isolation valve. In terms of compliance with TS Table 3.6.2c, this condition resulted in one trip system In each EC loop for the high steam flow isolation function being inoperable. Since only one of the two DC solenoid valves for each condensate return Isolation valve was affected, one solenoid valve remained operable and available to energize to close its respective condensate return Isolation valve on an EC high steam flow isolation signal. Accordingly, the condensate return isolation valves in both EC loops remained capable of closing automatically on a high steam flow isolation signal. Moreover, the condensate return Isolation valves also remained capable of opening automatically on an EC system initiation signal. Given the increased potential for an inadvertent EC initiation, the only Impact on the EC Initiation function of having one de-energized DC solenoid valve in !MC FORM 36BA (1.2001) DOCKET (2) each EC loop was the insertion of a half EC system initiation signal. Therefore, although both EC loops were considered inoperable for one hour and eight minutes, there was no loss of either the EC Initiation or the EC high steam flow isolation functions during this period. In addition, in the unlikely event that a condensate return isolation valve were to fail to close to Isolate an EC system line break, single failure protection is provided by the In-series condensate return check valve that is designed to fulfill the isolation safety function.

A probabilistic risk assessment of this event concluded that the risk of either one or both EC loops failing to isolate Is not risk-significant. Note that the EC condensate return isolation valves are normally closed when the EC system Is in the normal standby condition. As such, automatic closure of a condensate return Isolation valve on a high steam flow isolation signal would only be needed following an event when the EC system is required to operate (i.e., when the main condenser is not available or in the event of a loss of reactor feedwater) coincident with an EC system line break. For the event being reported, both EC loops were determined to be Inoperable for a period of one hour and eight minutes. The probability of a LOCA occurring during this period coincident with the EC system being required and an EC system line break occurring is extremely low, such that the occurrence of the event during the short time period Involved is not considered credible.

Based on the information presented above, the event did not pose a significant threat to the health and safety of plant personnel of the public.

IV. Corrective Actions

1. Clearance NO3-13-003 was removed, which restored both EC loops to operable status, thereby restoring compliance with TS 3.1.3.e since the action statement no longer applied.

2. A written briefing was issued for Operations personnel describing the event and the resolution. This action was an interim preventive measure until the subsequent corrective actions, as described below, are completed.

3. Appropriate Operations personnel have had the proper attributes for performing clearance reviews reinforced with them.

4. A briefing is being provided to Operations Department personnel to clarify the EC system instrumentation initiation and isolation functional requirements and actions for inoperable trip system(s) and instrument channel(s). In addition, the provided information will be incorporated into the Unit 1 operator initial license and continuing training programs.

5. The EC operating procedure will be revised to include a precaution indicating that work on the initiation logic TDDO relays can affect both the EC system initiation and isolation logic circuits.

V. Additional Information

A. Failed Components:

None

B. Previous similar events:

No reportable previous similar events were identified. However, two DERs were Initiated in 2001 identifying a concern that the requirements of TS Table 3.6.2c are confusing and may not properly consider the design of the EC system isolation logic. Based on the results of an evaluation, an LDCR was Initiated to revise TS Table 3.6.2c and/or the associated TS Bases to clarify the minimum requirements and required actions associated with the instrumentation control logic for the EC initiation and isolation functions. However, no interim training/guidance was provided. The corrective actions associated with the two DERs have been determined to be inadequate, In that the corrective actions were a missed opportunity to avert the event described in this LER.

IV. Additional Information (Conttr.1.1 C. � Identification of components referred to in this Licensee Event Report:

Components � IEEE 805 System ID IEEE 803A Function Emergency Cooling System BL N/A 125 VDC Battery EJ BTRY Solenoid Valve BL FSV Fuse BL FU Time Delay Dropout Relay JC RLY, 62 Reactor AC, AD RCT Isolation Valve BL ISV, 20 Main Condenser SG COND Reactor Feedwater SJ N/A Core Spray System BM N/A Automatic Depressurization System BM RV Emergency Condenser BL COND Reactor Protection System JC N/A Control Room NA N/A Containment Drywell NH N/A Flow Meter JC FE AP Transmitter JC PDT Channel JC CHA Nine Mile Point. Unit 1 � 1 05000220 YEAR SEQUENTIAL tin FORM 366A (14001)

Retrieved from "https://kanterella.com/w/index.php?title=05000220/LER-2003-004&oldid=200562"