06-06-2005 | ( NRC Event #41362) concerning a single failure vulnerability between essential buses. NMC staff determined the single point vulnerability was applicable between the 4.16 kV vital bus circuit breakers 152-610 and 152-511 for the Monticello Nuclear Generating Plant ( MNGP). MNGPs single point vulnerability issue was reported on February 4, 2005. The apparent cause of the single point vulnerability issue was a failure to recognize an original plant construction design, which was noncompliant to 10CFR50 Appendix A "General Design Criteria." Further evaluation of the issue revealed previously undiscovered 10CFR50 Appendix R non-compliance implications. This Appendix R non-compliance was reported on February 23, 2005, and both issues were documented under LER 2005-001 Revision 0 on April 4, 2005. The apparent cause of the Appendix R vulnerability is a failure to implement original Alternate Shutdown System (ASDS) design recommended by General Electric Safe Shutdown Analysis reports.
NMC performed a comprehensive review of the ASDS isolation adequacy as part of the extent of condition review.
On April 5, 2005 as a result of this review, NMC identified an additional related issue. Station personnel discovered that the Bus 16 source to Load Center #104 had a similar potential vulnerability with the ASDS isolation design that could result in Load Center #104 being locked out in the event of a Control Room or Cable Spreading Room fire. This extent of condition issue was reported on April 5, 2005 to the NRC in Event notification #41567. A contributing cause of the Appendix R vulnerabilities was a failure to recognize Appendix R circuit design noncompliances during the initial implementation of the Appendix R rule by MNGP staff. Plant modifications have been completed to remove the 10CFR50 Appendix R vulnerabilities. |
---|
Description On February 4, 2005, with the plant operating at 98% power in Run Mode, NMC reviewed an event at Crystal River (#41362) concerning a single failure between essential buses. NMC determined the single point vulnerability was applicable between the 4.16 kV [EA] vital bus circuit breakers 152-610 and 152-511 for MNGP. The 1AR transformer [XFMR] supply breaker [BKR] to Buses [BU] 15 and 16 are 152-511 and 152-610 respectively. The over current relays for these breakers share common circuitry between current transformers and other devices.
Activation of the over current relays [51] will initiate a respective Bus (15/16) lockout. The single failure vulnerability that could cause false activation of the over current relays is a hot short. This single point vulnerability issue was reported under event notification #41374. Technical Specification (TS) 3.9.B.3 was entered for Emergency Diesel Generators (EDGs) [EK] inoperability since these were the most limiting components affected, and an orderly shutdown was initiated. The 1AR transformer and its associated current transformer (CT) circuits were isolated by opening the respective breakers and opening knife switches [89] in the CT circuits thereby restoring operability to associated EDGs. This event was reported in accordance with 10 CFR 50.72 (b)(3)(v)(A, B, C, and D), "Event or Condition that could have Prevented Fulfillment of a Safety Function," and 10 CFR 50.72 (b)(3)(ii)(B), "Any Event or condition that resulted in the nuclear power plant being in an unanalyzed condition that significantly degraded plant safety." A plant modification has been completed to correct this 1AR relaying and metering vulnerability.
Further evaluation of the single point vulnerability issue revealed previously undiscovered 10 CFR 50 Appendix R non-compliance implications. The 1AR Auxiliary transformer source (breaker 152-610) to safeguards Bus 16 includes current transformers that are used for over-current protection and ammeter [MTR] indication on Control Room panel C-08. A postulated fire in the Control Room/Cable Spreading Room could cause a hot short of the ammeter circuit on the panel C-08. The hot short has the potential to trip breaker 152-610 and cause a Bus 16 lockout. A transfer to the ASDS [JC] panel control would not override the Bus 16 lockout. Therefore, the Control Room/Cable Spreading Room fire, along with the Bus 16 lockout, would prevent control of Division II equipment from both the Control Room and ASDS panel. This Appendix R non-compliance was reported under event notification #41436 on February 23, 2005. On February 23, 2005, the ASDS Panel was declared inoperable and a Limiting Condition of Operation (LCO) entered per TS 3.13.A.2. Breaker 152-610 (1AR to Bus 16) was racked out and a knife switch was opened removing the hot short potential from the ammeter circuit. The ASDS Panel was declared operable and the LCO was exited. An Engineering Change Notice (ECN) was completed to correct this Appendix R vulnerability.
On April 1, 2005 during an ASDS Functional Test, Operators in the Control Room observed indications of Bus 16 voltage, LC-104 current, #12 EDG frequency and #12 EDG voltage. The Operators questioned these instrument indications. Concurrently, MNGP Engineering personnel were performing a review of the ASDS as part of the corrective actions for Revision 0 of this LER. This ASDS review encompassed the Control Room observed instrument indications. On April 5, 2005 at 1600, with the plant at 0% power in Shutdown Mode, NMC confirmed a second breaker was affected by the same cause as Revision 0 of this LER, an unisolated ammeter circuit. The other indications of Bus 16 and #12 EDG were evaluated and determined to be acceptable. The Control Room Operators and the comprehensive ASDS review independently identified this deficiency with the LC-104 ammeter circuit.
The Bus 16 source (Breaker 152-609) to Load Center #104 had a similar potential vulnerability with the ASDS isolation design that could result in Load Center #104 being locked out in the event of a Control Room or Cable Spreading Room fire. The MNGP Appendix R Safe Shutdown Analysis for Control Room/Cable Spreading fire assumes a loss of control of Division I and II equipment from the Control Room, however safe shutdown is achieved remotely from the ASDS panel. The ASDS design would not impede the ability to safely shutdown and maintain the plant in a shutdown condition in the event of a Control Room/Cable Spreading Room fire using selected Division II equipment.
Contrary to the ASDS design, it was discovered that an unisolated metering circuit from the 152-609 circuit could result in Load Center #104 being locked out in the event of a Control Room/Cable Spreading Room fire. Load Center #104 supplies power to Appendix R credited Motor Operated Valves and other safe shutdown support equipment. The bus lockout was not isolated by the ASDS transfer switches, therefore, this condition could result in failure of Load Center #104 to re-energize during the implementation of the Shutdown Outside Control Room procedure resulting in the loss of credited ASDS shutdown equipment.
There were no equipment failure(s) associated with the identified single point vulnerability or ASDS circuit isolation conditions.
Event Analysis
The initial single failure design deficiency is a noncompliance with 10CFR50 Appendix A, "General Design Criteria for Nuclear Power Plants." The subsequent issues constitute a non-conformance to 10CFR50 Section II I.G.3 Appendix R Safe Shutdown Analysis ASDS design requirements.
In accordance with 10 CFR 50.72 (b)(3)(v)(A, B, C, and D), "Event or Condition that could have Prevented Fulfillment of a Safety Function," and 10 CFR 50.72 (b)(3)(ii)(B), "Any Event or condition that resulted in the nuclear power plant being in an unanalyzed condition that significantly degraded plant safety," an eight-hour event notification was made to the USNRC, due to the potential loss of the buses resulting in the potential loss of systems which are required to provide safety functions and due to placing the plant in an unanalyzed condition that could degrade plant safety. Per 10 CFR 50.73 (a)(2)(v)(A, B, C, and D) and 10 CFR 50.73 (a)(2)(ii)(B), a Licensee Event Report is required for this event.
The event is classified as a safety system functional failure.
Safety Significance
The following is an assessment of the safety significance associated with single failure and fire vulnerabilities at the MNGP.
At MNGP, a cable traversing fire zones 14A (TB 931 - Div II 4kV area), 19A & B (TB 931E), and 17 (TB 941 cable way) can cause a lockout of emergency electrical Buses 15 and 16, if a hot short occurs. In addition, a fire in the Control Room (fire zone 8) or Cable Spreading Room (fire zone 9) can also cause Buses 15 and 16 to lockout.
Safety Significance is assessed for fires that could cause these bus lockouts through hot shorts in any of these fire zones. The assessment used an analysis model that included fires and credits Reactor Core Isolation Cooling (RCIC) [BN] manual operation, improved reliability of alternate injection valves, charging division 11250 VDC batteries [EJ] through jumpers from non-emergency diesel generator DG-13, and a fire truck supply to the fire protection system [KP] which can be used as an alternate injection source.
If a propagating fire occurs in the cable spreading room, with an assumed loss of offsite power, a loss of power to High Pressure Coolant Injection [BJ], RCIC, and all Division I equipment is also assumed to occur. However, Division II Core Spray [BM], Residual Heat Removal (RHR) [BO], RHR Service Water [BI], Safety Relief Valves [RV], and the EDG & EDG-Essential Service Water [BI] will remain available. If the lockout of Buses 15 and 16 occurs and remains locked out long term, then the Division II equipment identified above is lost, but manual RCIC operation remains available, and depressurization is available (Division II 250V DC batteries are available and can be charged by the non-essential DG). Because depressurization is available, reliable makeup capability remains available from the diesel fire pump [P] and fire pump truck(s).
The station performed a risk model based on the issue and potential event. The most likely scenarios generated by the model involve a fire that causes a hot short in the turbine building and automatic transfer switch Y21 independently fails or transformer YO1 fails or EDG-11 fails. Therefore, this event results in a change to core damage frequency (CDF) of 9.9 E-8 per year.
Based on this information, the issue of single failure and fire vulnerability of redundant electrical safety buses has been determined to be of low safety significance at MNGP.
Cause
The apparent cause of the single point vulnerability issue was a failure to recognize an original plant construction design was not compliant to 10CFR50 Appendix A "General Design Criteria.
The apparent cause of the Appendix R vulnerabilities was a failure to completely implement the original ASDS design recommended by General Electric Safe Shutdown Analysis reports (1982-1984). The original design recommendation would have isolated these cables.
A contributing cause of the Appendix R vulnerabilities was a failure to recognize Appendix R circuit design noncompliances during the initial implementation of the Appendix R rule by MNGP staff.
Corrective Action An immediate action to isolate the 1AR transformer was performed until the plant could perform a required modification.
A plant modification was completed to remove the 1AR relaying and metering vulnerability.
A plant modification was completed to remove the metering circuit at Load center #104.
An Engineering Change Notice to the plant modification for the single point vulnerability was completed for the ASDS isolation issue by disconnecting cable (A610-008/3) at Bus 16.
An engineering review of the ASDS design has been performed to validate compliance with originally proposed General Electric design recommendation.
Failed Component Identification N/A
Previous Similar Events
A review of the Station Corrective Action Program identified one similar event, "ASDS design deficiency results in vulnerability to a single hot short during Control Room/Cable Spreading Room fire." This issue was identified during an engineering review performed in 2001, hot short vulnerabilities were discovered in the Alternate Shutdown System (ASDS) in the event of loss of offsite power. This condition was reportable, and LER 2001-06 was submitted by MNGP. This was a missed opportunity by the station to identify the issue with ASDS during the extent of condition review for LER 2001-06. As a result, the station has performed a review of the ASDS system to ensure the system complies with the General Electric design recommendation.
|
---|
|
|
| | Reporting criterion |
---|
05000328/LER-2005-001 | Unit 2 Reactor Trip Following Closure of Main Feedwater Upon Inadvertent Opening of Control Breakers | 10 CFR 50.73(a)(2)(iv)(A), System Actuation 10 CFR 50.73(a)(2)(v), Loss of Safety Function | 05000388/LER-2005-001 | DDegradation of Primary Coolant Pressure Boundary due to Recirculation Pump Discharge Valve Bonnet Vent Connection Weld Flaw | 10 CFR 50.73(a)(2)(ii)(A), Seriously Degraded | 05000423/LER-2005-001 | | 10 CFR 50.73(a)(2)(v)(D), Loss of Safety Function - Mitigate the Consequences of an Accident 10 CFR 50.73(a)(2)(i)(B), Prohibited by Technical Specifications | 05000455/LER-2005-001 | Unit 2 Automatic Reactor Trip Due to Low Steam Generator Level resulting from a Software Fault on the Turbine Control Power Runback Feature | | 05000370/LER-2005-001 | Automatic Actuation of Motor Driven Auxiliary Feedwater Pumps During Outage | | 05000244/LER-2005-001 | Failure of ADFCS Power Supplies Results in Plant Trip | | 05000247/LER-2005-001 | 0Technical Specification Prohibited Condition Due to Exceeding the Allowed Completion Time for One Inoperable Train of ECCS Caused by an Inoperable Auxiliary Component Cooling Water Check Valve | 10 CFR 50.73(a)(2)(i)(B), Prohibited by Technical Specifications | 05000529/LER-2005-001 | REACTOR HEAD VENT AXIAL INDICATIONS CAUSED BY DEGRADED ALLOY 600 COMPONENT | 10 CFR 50.73(a)(2)(v), Loss of Safety Function 10 CFR 50.73(a)(2)(ii)(A), Seriously Degraded | 05000336/LER-2005-001 | | | 05000266/LER-2005-001 | | 10 CFR 50.73(a)(2)(ii)(B), Unanalyzed Condition | 05000269/LER-2005-001 | | 10 CFR 50.73(a)(2)(i)(B), Prohibited by Technical Specifications | 05000289/LER-2005-001 | | | 05000293/LER-2005-001 | | 10 CFR 50.73(a)(2)(v)(D), Loss of Safety Function - Mitigate the Consequences of an Accident | 05000298/LER-2005-001 | Reactor Scram due to Reactor Level Transient and Inadvertent Rendering of High Pressure Coolant Injection Inoperable | 10 CFR 50.73(a)(2)(iv)(A), System Actuation 10 CFR 50.73(a)(2)(v)(D), Loss of Safety Function - Mitigate the Consequences of an Accident | 05000331/LER-2005-001 | | 10 CFR 50.73(a)(2)(ii)(B), Unanalyzed Condition | 05000315/LER-2005-001 | Reactor Trip Following Intermediate Range High Flux Signal | | 05000316/LER-2005-001 | Reactor Trip from RCP Bus Undervoltage Signal Complicated by Diesel Generator Output Breaker Failure | 10 CFR 50.73(a)(2)(iv)(A), System Actuation 10 CFR 50.73(a)(2)(v)(A), Loss of Safety Function - Shutdown the Reactor 10 CFR 50.73(a)(2)(i)(B), Prohibited by Technical Specifications | 05000317/LER-2005-001 | Main Feedwater Isolation Valve Inoperability Due to Handswitch Wiring | 10 CFR 50.73(a)(2)(i)(B), Prohibited by Technical Specifications | 05000323/LER-2005-001 | TS 3.4.10 Not Met During Pressurizer Safety Valve Surveillance Testing Due to Random Lift Spread | 10 CFR 50.73(a)(2)(i)(B), Prohibited by Technical Specifications | 05000333/LER-2005-001 | Inoperable Offsite Circuit In Excess of Technical Specifications Allowed Out of Service Time | 10 CFR 50.73(a)(2)(i)(B), Prohibited by Technical Specifications | 05000352/LER-2005-001 | Loss Of Licensed Material In The Form Of A Radiation Detector Calibration Source | | 05000353/LER-2005-001 | Core Alterations Performed With Source Range Monitor Alarm Horn Inoperable | 10 CFR 50.73(a)(2)(i)(B), Prohibited by Technical Specifications | 05000306/LER-2005-001 | | 10 CFR 50.73(a)(2)(v)(C), Loss of Safety Function - Release of Radioactive Material 10 CFR 50.73(a)(2)(i)(B), Prohibited by Technical Specifications | 05000361/LER-2005-001 | | 10 CFR 50.73(a)(2)(iv)(A), System Actuation | 05000362/LER-2005-001 | Emergency Diesel Generator (EDG) 3G003 Declared Inoperable Due to Loose Wiring Connection on Emergency Supply Fan | | 05000263/LER-2005-001 | | | 05000456/LER-2005-001 | Potential Technical Specification (TS) 3.9.4 Violation Due to Imprecise Original TS and TS Bases Wording | | 05000454/LER-2005-001 | Failed Technical Specification Ventilation Surveillance Requirements During Surveillance Requirement 3.0.3 Delay Period | | 05000282/LER-2005-001 | | 10 CFR 50.73(a)(2)(ii)(B), Unanalyzed Condition 10 CFR 50.73(a)(2)(v), Loss of Safety Function | 05000286/LER-2005-001 | Plant in a Condition Prohibited by Technical Specifications due to Error Making Control Room Ventilation System Inoperable | 10 CFR 50.73(a)(2)(i)(B), Prohibited by Technical Specifications | 05000400/LER-2005-001 | Reactor Auxiliary Building Emergency Exhaust System Single Failure Vulnerability | | 05000395/LER-2005-001 | Emergency Diesel Generator Start and Load Due To A Loss Of Vital Bus | 10 CFR 50.73(a)(2)(iv)(A), System Actuation | 05000382/LER-2005-001 | RCS Pressure Boundary Leakage Due to Primary Water Stress Corrosion Cracking of a Pressurizer Heater Sleeve | 10 CFR 50.73(a)(2)(ii)(A), Seriously Degraded | 05000305/LER-2005-001 | | 10 CFR 50.73(a)(2)(i)(B), Prohibited by Technical Specifications | 05000369/LER-2005-001 | Reactor Coolant System Leakage Detection Instrumentation Inoperable | 10 CFR 50.73(a)(2)(i)(B), Prohibited by Technical Specifications | 05000266/LER-2005-002 | | 10 CFR 50.73(a)(2)(ii)(B), Unanalyzed Condition | 05000255/LER-2005-002 | | 10 CFR 50.73(a)(2)(v)(D), Loss of Safety Function - Mitigate the Consequences of an Accident 10 CFR 50.73(a)(2)(i)(B), Prohibited by Technical Specifications | 05000361/LER-2005-002 | Missing Taper Pins on CCW Valve Cause Technical Specification Required Shutdown | 10 CFR 50.73(a)(2)(i)(A), Completion of TS Shutdown | 05000370/LER-2005-002 | Ice Condenser Lower Inlet Door Failed Surveillance Testing | | 05000353/LER-2005-002 | High Pressure Coolant Injection System Inoperable due to a Degraded Control Power Fuse Clip | 10 CFR 50.73(a)(2)(v)(D), Loss of Safety Function - Mitigate the Consequences of an Accident | 05000263/LER-2005-002 | | | 05000454/LER-2005-002 | One of Two Trains of Hydrogen Recombiners Inoperable Longer Than Allowed by Technical Specifications Due to Inadequate Procedure | | 05000244/LER-2005-002 | Emergency Diesel Generator Start Resulting From Loss of Off-Site Power Circuit 751 | | 05000362/LER-2005-002 | Emergency Containment Cooling Inoperable for Longer than Allowed by Technical Specifications | 10 CFR 50.73(a)(2)(v)(D), Loss of Safety Function - Mitigate the Consequences of an Accident 10 CFR 50.73(a)(2)(i)(B), Prohibited by Technical Specifications | 05000247/LER-2005-002 | DTechnical Specification Prohibited Condition Due to Exceeding the Allowed Completion Time for One Inoperable Train of ECCS Caused by Gas Intrusion from a Leaking Check Valve | 10 CFR 50.73(a)(2)(i)(B), Prohibited by Technical Specifications | 05000306/LER-2005-002 | | 10 CFR 50.73(a)(2)(v)(C), Loss of Safety Function - Release of Radioactive Material 10 CFR 50.73(a)(2)(i)(B), Prohibited by Technical Specifications 10 CFR 50.73(a)(2)(i)(A), Completion of TS Shutdown | 05000265/LER-2005-002 | Main Steam Relief Valve Actuator Degradation Due to Failure to Correct Vibration Levels Exceeding Equipment Design Capacities | 10 CFR 50.73(a)(2)(v)(D), Loss of Safety Function - Mitigate the Consequences of an Accident 10 CFR 50.73(a)(2)(vii), Common Cause Inoperability 10 CFR 50.73(a)(2)(i)(B), Prohibited by Technical Specifications 10 CFR 50.73(a)(2)(i)(A), Completion of TS Shutdown | 05000286/LER-2005-002 | • Entergy Nuclear Northeast Indian Point Energy Center 450 Broadway, GSB P.O. Box 249Entergy Buchanan. NY 10511-0249 Tel 914 734 6700 Fred Dacimo Site Vice President Administration July 5, 2005 Indian Point Unit No. 3 Docket Nos. 50-286 N L-05-078 Document Control Desk U.S. Nuclear Regulatory Commission Mail Stop O-P1-17 Washington, DC 20555-0001 Subject:L Licensee Event Report # 2005-002-00, "Automatic Reactor Trip Due to 32 Steam Generator Steam Flow/Feedwater Flow Mismatch Caused by Low Feedwater Flow Due to Inadvertent Condensate Polisher Post Filter Bypass Valve Closure." Dear Sir: The attached Licensee Event Report (LER) 2005-002-00 is the follow-up written report submitted in accordance with 10 CFR 50.73. This event is of the type defined in 10 CFR 50.73(a)(2)(iv)(A) for an event recorded in the Entergy corrective action process as Condition Report CR-IP3-2005-02478. There are no commitments contained in this letter. Should you or your staff have any questions regarding this matter, please contact Mr. Patric W. Conroy, Manager, Licensing, Indian Point Energy Center at (914) 734-6668. Sincerely, 4F-/t R. Dacimo Vice President Indian Point Energy Center Docket No. 50-286 NL-05-078 Page 2 of 2 Attachment: LER-2005-002-00 CC: Mr. Samuel J. Collins Regional Administrator — Region I U.S. Nuclear Regulatory Commission U.S. Nuclear Regulatory Commission Resident Inspector's Office Resident Inspector Indian Point Unit 3 Mr. Paul Eddy State of New York Public Service Commission INPO Record Center NRC FORM 3660 U.S. NUCLEAR REGULATORY COMMISSION APPROVED BY OMB NO. 3150-0104 EXPIRES: 06/30/2007 (6-2004) Estimated burden per response to comply with this mandatory collection request 50 hours.RReported lessons teamed are incorporated into the licensing process and fed back to Industry. Send comments regarding burden estimate to the Records and FOIA/Privacy Service Branch (T-5 F52), U.S. Nuclear Regulatory Commission, Washington, DC 29555-0001, or by InternetLICENSEE EVENT REPORT (LER) e-mail to Infocoilectsenrc.gov, and to the Desk Officer, Office of Information and Regulatory Affairs, NEOB-l0202, (3150-0104), Office of Management and Budget, Washington, DC 20503. If a means used to impose an information collection does not display a currently valid OMB control number, the NRC may not conduct or sponsor, and a person Is not required to respond to, the Information collection. 1. FACIUTY NAME 2. DOCKET NUMBER 3. PAGE INDIAN POINT 3 05000-286 10OF06 4. TITLE Automatic Reactor Trip Due to 32 Steam Generator Steam Flow/Feedwater Flow Mismatch Caused by Low Feedwater Flow Due to Inadvertent Condensate Polisher Post Filter Bypass Valve Closure | 10 CFR 50.73(a)(2)(iv)(A), System Actuation | 05000287/LER-2005-002 | Unit 3 trip with ES actuation due to CRD Modification Deficiencies | 10 CFR 50.73(a)(2)(iv)(A), System Actuation | 05000336/LER-2005-002 | | 10 CFR 50.73(a)(2)(i)(B), Prohibited by Technical Specifications |
|