05000250/LER-2011-002
| Turkey Point | |
| Event date: | 8-11-2011 |
|---|---|
| Report date: | 10-10-2011 |
| Reporting criterion: | 10 CFR 50.73(a)(2)(v)(B), Loss of Safety Function - Remove Residual Heat |
| Initial Reporting | |
| ENS 47147 | 10 CFR 50.72(b)(3)(v)(B), Loss of Safety Function - Remove Residual Heat, 10 CFR 50.72(b)(3)(v)(D), Loss of Safety Function - Mitigate the Consequences of an Accident |
| 2502011002R00 - NRC Website | |
DESCRIPTION OF THE EVENT
On August 11, 2011, with Unit 3 at 100% power, at approximately 1625 hours0.0188 days <br />0.451 hours <br />0.00269 weeks <br />6.183125e-4 months <br /> inspection personnel were performing eddy current testing on the 3B Component Cooling Water (CCW) heat exchanger (HX) [CC, HX].
The 3B CCW HX had been isolated, leaving the 3A and 3C CCW HXs in service. Personnel performing the Reactor Control Operator noted an increase in CCW head tank [CC, TK] level and a rise in CCW outlet temperature. At approximately 1635, a Senior Nuclear Plant Operator (SNPO) arrived in the CCW HX room.
The SNPO noted that the differential pressure indicators [BI, PDI] for both Intake Cooling Water (ICW) [BI]/CCW basket strainers [BI, BSKT, STR] indicated zero psid, and zero gpm flow was indicated through the tube side of the 3A and 3C CCW FIXs. The SNPO reviewed indications with control room Senior Reactor Operator personnel and concluded that valve 3-50-406 (CCW/ICW Outlet CV-3-2202 Bypass Valve [BI, V]) was closed. The SNPO was directed to open valve 3-50-407 (CCW/ICW outlet Spool Piece Downstream Isolation Valve [BI, ISV]). At approximately 1646, valve 3-50-407 was opened and ICW flow was restored.
Subsequent investigation identified that valve 3-50-406 (manually operated butterfly valve) had failed in the closed position. Failure of this valve isolated the discharge flow path from the CCW FIXs. Unit 3 ICW flow was lost for approximately 28 minutes when valve 3-50-406 failed in the closed position.
The event was reported (Event Notification 47147) to the NRC in accordance with 10 CFR 50.72(b)(3)(v)(B) and 10 CFR 50.72(b)(3)(v)(D). Condition Report 1677185 was initiated to determine causes and corrective actions. This report is submitted in accordance with 10 CFR 50.73(a)(2)(v)(B) and (D).
CAUSE OF THE EVENT
The root cause of the event was identified as follows:
Inadequate evaluation of a configuration change in 2005 resulted in the creation of a single failure vulnerability.
A contributing cause was identified as follows:
Station personnel failed to adequately risk rank a known condition resulting in low corrective maintenance prioritization.
ANALYSIS
Background
The ICW System provides cooling water to the safety-related CCW HXs and the Turbine Plant Cooling Water (TPCW) HXs [KB, HX]. A separate ICW System is provided for each nuclear unit. The TPCW System is intended to serve non-safety-related functions only.
The ICW System includes three ICW pumps [BI, P], tie headers, two independent supply headers, piping, valves, basket strainers, and those components required to take ICW from the plant cooling canals [BS] via the intake structure and supply the CCW and TPCW Systems and return the ICW to the plant cooling canal system.
The ICW System safety function is to remove the heat load from the CCW System during accident conditions to support both reactor [AC] heat removal and containment [NH] heat removal requirements.
The ICW quality related functions are to remove the heat load from the CCW System to support spent fuel cooling [DA] requirements, remove the heat load from the CCW System to achieve and maintain safe (cold) shutdown during plant fires that require control room [NA] evacuation, with or without concurrent loss of offsite power, to remove the heat load from the CCW System to achieve and maintain safe (hot) standby during plant fires not requiring control room evacuation with or without concurrent loss of offsite power, and to remove the heat load from the CCW System during refueling operation (Mode 6) to support the core decay heat removal requirements.
The non-nuclear safety functions of the ICW System are to remove the turbine plant heat load from the TPCW System to support turbine plant operation during normal, shutdown and refueling operations, and to remove the CCW System heat loads during normal and shutdown conditions to support normal containment heat removal and reactor power operation, including radwaste system operation.
The ICW System is required to be capable of performing its safety functions assuming a single active failure. To accommodate single active failures, the ICW supply headers to the CCW heat exchangers are cross-connected in an "open-system" configuration during normal plant operation. This requirement is necessary because at least one pump, one header, and two CCW heat exchangers are required for 100% post-accident heat removal capability. The ICW headers may be cross-connected via either, or both, of the cross-connects located between the pump discharge and the CCW heat exchangers.
Analysis of Design Change As originally licensed, the ICW System included redundant pumps and supply piping, cross-tie valves, and isolation valves to maintain system operation while a portion of the system was removed from service for maintenance. The original design relied on a single discharge valve downstream of the CCW HXs to control flow and then a single pipe to the discharge canal. Flow control was provided by fail-as-is pneumatic control valve CV-*-2202 [BI, FCV] (* is a unit designator and is either 3 or 4 depending on unit) which was located in the 30 inch branch line containing valves *-50-405 and *-50-407. A normally closed bypass valve (*-50-406) was also included in the system to allow the control valve to be removed from service for maintenance. In this original configuration, ICW flow blockage would occur if valve *-50-405, *-50-407, or CV-*-2202 failed closed, or piping downstream of the valves were blocked. The configuration of the ICW System downstream of the CCW HXs was not described in the Updated Final Safety Analysis Report.
During a design review of the system in the mid-1980s, it was discovered that the ICW System could not accommodate the single active failure of CV-*-2202 to provide the flow control function during a design basis accident. Valve CV-*-2202 normally operated in a throttled position during normal plant operation and would be required to move further open during design basis accidents in response to increasing heat transfer to the CCW System. The design review focused on the ability of the system to accommodate single active failures consistent with the design basis of the ICW System.
To resolve the single active failure concern with CV-*-2202, FPL assessed the impact on plant operation associated with opening *-50-406 (the CV-*-2202 bypass valve). The design change opened the bypass valve and left CV-*-2202 in service to control flow and maintain CCW temperature within limits during design basis accident conditions. With valve *-50-406 now open, the temperature control loop maintained CV-*-2202 closed during normal plant operation. This configuration was consistent with the original design in that a single valve (albeit a non-regulating valve) controlled ICW discharge flow to the canal. The design basis requirement that the system be capable of performing its design basis function with a single active failure was upheld with this change.
In 1996, design change packages were approved to permanently remove valve CV-*-2202 from the ICW System piping on each unit replacing the control valve on each unit with a piping spool piece [BI, PSP].
The design changes did not modify the existing normally open position of the CV-*-2202 inlet and outlet isolation valves, *-50-405 and *-50-407. The as-left configuration maintained *-50-406, *-50-405, and *- 50-407 open even though adequate system performance had been maintained by the flow through valve *- 50-406 alone. There was no design requirement established in the modification to leave valves *-50-405 and *-50-407 open as a parallel flow path converging with flow from *-50-406 to the common discharge pipe. The design basis requirement that the system be capable of performing its design basis function with a single active failure would be upheld with or without the additional branch flow path in service.
In 2005, the configuration of the ICW System was changed to require *-50-407 to be normally closed. This was desired to improve the flow split between CCW and TPCW. This change returned the system to its original configuration in that a single valve was used to control ICW discharge flow to the canal. This change was an improvement over the originally licensed design in that the system could perform its design basis function and comply with the established single failure criterion. There was no design requirement to leave a second branch flow path in service in the licensing basis or the design of record (1996 modification).
As such, the 2005 change to isolate the *-50-405/407 branch line and balance ICW System flows was done as a procedure change and not considered to be a design change or licensing basis change for the ICW System. A Change Request Notice (CRN) was made to show *-50-407 as normally closed. Neither the procedure change nor CRN evaluated the changed flow condition through *-50-406 (discussed below) or the vulnerability to a single passive failure. The CRN process used for the change was used (prior to 2010) to make changes that were administrative in nature. This process has been rendered obsolete.
The current engineering change process would require that an Engineering Change — Design Change Package (EC-DCP) be prepared to change the normal position of valve *-50-406 or for a similar configuration change. The process contains requirements for consideration of hydraulic conditions and single point vulnerabilities during the development of the EC-DCP. The only other vehicle available for changing a plant drawing is the Engineering Change — Document Change Request (EC-DCR). The EC- DCR is controlled by procedure EN-AA-204-1100, Document Change Request. The scope of this procedure is strictly limited to document changes that are administrative or have been evaluated via controlled processes such as an Item Equivalency Evaluation or EC-DCP. Section 4.3 further states that no physical change may be directed or justified by a DCR. Based on the above, no changes are proposed within the design change process to prevent a similar event.
Analysis of Valve Failure Valve Actuator Design Valve 3-50-406, is a 24 inch Henry Pratt Model 2FII flanged butterfly valve. It is operated by a Model MDT-4 manual operator. This is a "traveling nut" type actuator with link-lever that provides characterized closure, which means the disc travel slows down in relation to the rotation of the handwheel as it approaches the closed position. This is accomplished by a linkage mechanism consisting of a handwheel, which rotates a shaft (screw rod) that transmits the torque to a slider nut (Figure 1). The nut, guided by a "slide tube" on both the top and the bottom, in turn converts its linear motion into rotational motion of a lever that is joined to the nut by a link assembly (one on top and one on the bottom) connected by eccentric bearings. The lever is joined to the valve stem by a parallel key that slides through a keyway in the lever's bore and the end of the stem. The linear path of the nut is limited by stops that restrain the lever's motion to a 90 degree rotation of the valve disc.
Section A - A Figure 1: MDT-4 Actuator, Valve Closed Position Valve Closure Upon Failure When the actuator cover was removed for inspection, the lever was found severed along the outer edges of the two keyways, as seen in Figure 2. With the lever broken in this manner, the stem, disengaged, was free to rotate in a counter-clockwise direction to the closed position while the actuator sub-components remained in the open position.
Figure 2: Severed Lever Upon a break of an actuator component that disengages the valve stem from the actuator, a normally open butterfly valve (for most designs) is expected to go to the closed position as a result of the hydrodynamic forces acting on the disc.
The total dynamic torque acting on a butterfly valve disc consists of the bearing torque, the packing torque, and the hydrodynamic torque. Only the bearing torque and packing torque act against the valve closing direction. The disc of the Pratt 2FII design is symmetric (lens type). Flow around a butterfly valve produces both lift and drag forces similar to the forces acting on an airplane wing. The non-uniform pressure distribution on the upstream and downstream faces of the disc have a resultant force that does not pass through the stem axis, as shown in Figure 3.
Figure 3: Hydrodynamic torque illustration For valves that have an offset with the shaft downstream, the hydrodynamic forces tend to open the valve up to about 80 degrees, beyond which the valve will tend to go closed. For symmetrical discs with no offset, the hydrodynamic torque is theoretically zero in the full open position and a maximum at about 70 degrees.
However, for a valve with a fluttering condition, a small angle is all it takes for the disc of an unrestrained valve to proceed to the closed position.
Valve Flutter A valve flutter condition existed since at least 2001. For a butterfly valve symmetric disc to flutter, two conditions have to be present: 1) worn valve/actuator components with excessive clearances allow slop and 2) process flow does not have a uniform velocity profile (upstream and downstream flow disturbances are present). The first condition is met by the measurement of actuator components indicating wear.
Analysis indicates that the flow conditions — upstream and downstream flow disturbances and high flow rates due to closing 3-50-407 — favor an altering and increased hydrodynamic torque component on 3-50- 406. The combination of these conditions and the actuator wear were the cause of the flutter. A doubling in fluid velocity (torque component) is the cause of added stress that the valve was not designed to handle for a sustained period of time. For the original flow path configuration (through 3-50-405 and 3-50-407), flow velocity was within the intended design of the inline butterfly valves.
Valve Failure Analysis A failure analysis of the severed actuator lever was conducted by a vendor. Visual examination of the actuator's internal components revealed fracture of the lever as shown in Figure 2 above. Plant information indicates that the lever is constructed of Ductile Iron per ASTM A 536, Grade (65-45-12). The fracture path intersected two 90° corners of the lever's two keyways. Only one of these keyways had been loaded with a key.
Based on the appearance of the fracture surface, the presence of flash rust on the opposite end of the fracture initiation site, and the observed wear patterns, the lever failed by progressive crack growth typical of fatigue. Additionally, the lever was identified as gray cast iron instead of ductile iron. Cast iron exhibits lower strength and toughness than ductile iron, making it more susceptible to brittle failure. The weaker material is but a small contributor, as a ductile iron lever would only have delayed the valve's ultimate failure.
Reportability For the approximately 28 minutes that flow was lost through the CCW HXs, there was a loss of function of the ICW System. As the ICW System is used to remove residual heat and mitigate the consequence of accidents, the event is reportable in accordance with 10 CFR 50.73(a)(2)(v)(B) and (D):
Any event or condition that could have prevented the fulfillment of the safety function of structures or systems that are needed to:
(A) Shut down the reactor and maintain it in a safe shutdown condition; (B) Remove residual heat; (C) Control the release of radioactive material; or (D) Mitigate the consequences of an accident.
ANALYSIS OF SAFETY SIGNIFICANCE
This event resulted in a loss of Unit 3 ICW cooling to the Unit 3 CCW HXs. The conditional core damage probability (CCDP) for this event is 4E-05, assuming no recovery of ICW. This CCDP value was generated using the NRC's Turkey Point PRA model (SPAR model). A procedure review showed that good procedural guidance exists to respond to this event, and simulator exercises revealed that there is ample time to perform the recovery. Further, in the actual event, ICW was successfully recovered in 28 minutes. A preliminary analysis of the event using EPRI HRA (Human Reliability Analysis) methodology, gives a probability of 1.4E-03 for the operator failing to restore ICW. If this HRA probability is used in conjunction with the SPAR CCDP for the loss of ICW event with no credit for ICW recovery, the total CCDP is (4E-05)*(1.4E-03) = 5.6E-08, well below the NRC threshold for additional inspections of 1E-06.
CORRECTIVE ACTIONS
Corrective actions are in accordance with Condition Report 1677185 and currently include the following:
1. The alternate discharge flow path through *-50-407 was opened on both units and retained in service via a temporary configuration change.
2. The actuator of valve 3-50-406 was repaired.
3. Revise the procedure for procedure control to require Engineering review of procedure revisions that change plant configuration. The revision will further provide guidance for Engineering to identify and evaluate any configuration change that could create a single point vulnerability.
4. Issue and implement Engineering Change to support an open ICW discharge flow path through both *-50- 406 and *-50-407.
5. Revise the system and program health reporting procedure to require validation of risk ranking for work orders.
6. Review open green and white work orders to validate current risk ranking.
7. Revise and implement Engineering and Operations initial and continuing training programs regarding butterfly valve failure modes and effects of these valves failing closed.
FAILED COMPONENTS IDENTIFIED: Lever from Henry Pratt MDT4 Valve Actuator PREVIOUS SIMILAR EVENTS None