05000266/LER-2005-003

FACIUTY NAME (1) DOCKET NUMBER (2) LER NUMBER (6 PAGE (3)

Event Description:

On July 15, 2005, at 2245 CDT, with Point Beach Unit 1 at normal full power operation, an evaluation of design data for the Unit 1 Train "A" (1P-15A) Safety Injection [BQ] Pump [P] Motor [MO] indicated that during a design basis accident with degraded safeguards bus [BU] voltage, the motor could trip and lockout on overcurrent prior to the associated safeguards bus stripping on undervoltage. The Safety Injection Pump lockout could then prevent an auto start of the safety injection pump during emergency diesel generator [DG] load sequencing. Based on the results of this evaluation, 1P-15A Safety Injection Pump was declared out of service.

This data, which was provided by an external vendor (Westinghouse), had been obtained as part of an ongoing calculation review project regarding safety related motors (Bolted Fault Project). No other safety related motors were affected by the data provided.

The 1P-15A Safety Injection Pump Motor time overcurrent [51] setpoint was subsequently adjusted based on the revised motor data and 1P-15A was returned tc service on July 17 at 2230 CDT. The Unit 2 Train "A" (2P-15A) Safety Injection Pump Motor time overcurrent setpoint was also reset as a conservative measure.

Subsequent to NMC's evaluation of the Unit 1 Train "A" SI pump motor design data, Westinghouse provided design data for the remaining SI pump motors. On August 1, 2005, at 2000 CDT, an evaluation of the motor design data and the time overcurrent setpoint for both units' Train "B" (1P-15B and 2P-15B) Safety Injection Pump Motors identified a similar condition. During a design basis accident with degraded safeguards bus voltage, 1P-15B or 2P-15B Safety Injection Pump Motors could trip and lockout on overcurrent prior to the respective safeguards bus stripping on undervoltage. The safety injection pump lockout would then prevent an auto start of the associated safety injection pump during emergency diesel generator load sequencing.

1P-15B and 2P-15B Safety Injection Pumps were consequently declared out of service as a result of this new data. The new data also applied to the Unit 2 "A" SI pump motor. However, the overcurrent setpoint on the Unit 2 "A" SI pump motor had been previously reset; and therefore remained operable following evaluation of the new data.

Based on the combined effect of all received design motor data, a condition existed prior to July 15, 2005, which could have impacted the design function of Unit 1 or Unit 2 Safety Injection Pumps during a design basis accident with degraded safeguards bus voltage. Both units' safety injection pumps had the potential to not auto start on the emergency diesel generator loading sequence per design. Therefore, this condition is being reported under 10 CFR 50.73(a)(2)(v)(D) due to the potential to prevent fulfillment of a safety function to mitigate the consequences of an accident. This condition was previously reported via the emergency notification system (Event Number 41885) in accordance with 10 CFR 50.72(b)(3)(v)(D) on August 2, 2005.

The earlier corrective action for Unit 1 and Unit 2 P-15A Safety Injection motors had been completed prior to discovery of the similar condition on the "B" train pumps; therefore, both units' "A" train pumps were operable and capable of fulfilling their design safety function upon discovery of the second condition.

Component and System Description:

The safety injection (SI) pumps are part of the emergency core cooling system (ECCS). The function of the ECCS system is to provide core cooling and negative reactivity to ensure that the reactor core is protected H� FACILITY NAME (1)� DOCKET NUMBER (2)� LER NUMBER (6� PAGE (3) POINT BEACH NUCLEAR PLANT UNIT 1� 05000266 2005 — 003 � 00 after a design basis accident. The ECCS consists of two separate subsystems: SI (high head), and residual heat removal (RHR) (low head) [BP]. Each subsystem consists of two redundant, 100% capacity trains.

The ECCS flow paths consist of piping, valves, heat exchangers, and pumps necessary to provide water from the RWST [TK] into the RCS [AB] during the injection phase and from the containment sump into the RCS during the recirculation phase following the accidents described in this LCO. The major components of each subsystem are the RHR pumps, heat exchangers, and the SI pumps. Each of the two subsystems consists of two 100% capacity trains that are interconnected and redundant such that either train is capable of supplying 100% of the flow required to mitigate the accident consequences.

The ECCS subsystems are actuated upon receipt of an SI signal. If offsite power is available, the safeguard loads start immediately. If offsite power is not available, the Engineered Safety Feature (ESF) buses shed normal operating loads and are connected to the emergency diesel generators (EDGs). Safeguard loads are then actuated in the programmed time sequence. The time delay associated with diesel starting, sequenced loading, upper plenum injection line valve stroke, and pump starting determines the time required before pumped flow is available to the core following a loss of coolant accident (LOCA).

The "A" train time overcurrent relays are Westinghouse type COM-5 relays and the "B" train relays are ABB type 51L relays. The purpose of the relays is to trip the SI pump motor feeder breakers for heavy overloads, while providing a time delay to allow the motor to accelerate and start.

Safety Significance:

The SI subsystem helps to ensure that core cooling acceptance criteria for the ECCS, established by 10 CFR 50.46, will be met following a LOCA. The SI subsystem also limits the potential for a post trip return to power following a main steam line break (MSLB) event and ensures that containment temperature limits are met.

The SI subsystem is credited during a large break LOCA event at full power. This event establishes the requirement for runout flow for the SI pumps. The SI pumps are credited in a small break LOCA event. This event establishes the flow and discharge head at the design point for the SI pumps, as well as the maximum response time for their actuation. The steam generator tube rupture (SGTR) and MSLB events also credit the SI pumps. The small break LOCA and MSLB events establish the maximum response time for the SI pumps.

Due to the redundancy of trains and the diversity of subsystems, the inoperability of one component in a train does not render the SI subsystem incapable of performing its function. Neither does the inoperability of multiple components in the same train. With more than one component inoperable such that both SI trains are not available, the facility would be in a condition outside design and licensing basis.

The newly received motor design characteristics data for the SI motor impacted the starting profile and the motor protection scheme. A comparison of the new motor starting profile against the previously existing protection scheme and the as-left relay settings identified that, during a degraded grid condition coincident with a safety injection, the SI motor breaker could trip on overcurrent and lockout prior to the bus being stripped by the degraded grid relays. Thus, the pump would not automatically restart when voltage was restored to the bus. However, the pump could still be restarted from the control room. The motor would have FACILITY NAME (1) i DOCKET NUMBER (2) LER NUMBER (6 PAGE (3) to be reset at its control switch in the control room before it could automatically restart upon restoration of the bus.

This condition is believed to have existed for all of the SI pump motors since installation of the degraded voltage relays in the mid 1980's.

Resetting the pump control switch requires no diagnosis, is procedurally directed in the PBNP Emergency Operating Procedures (EOPs), is considered "skill of the craft" for plant operators, and is addressed in operator training. Therefore, since the train was properly aligned, no fault is considered to have occurred.

The procedure steps contained within the EOPs would have ensured that the SI trains were started.

However, time validation studies showed that this would not have been accomplished within the times assumed in the accident analyses. Although analyses show that the affect of delaying the onset of SI flow for an additional five seconds is negligible, the manual actions required to be performed would have taken longer than five seconds to accomplish. Even though the delay would have been longer, the time delay for restoring system function in this situation is comparable to the time delay involved with restoring system function during surveillance testing.

The potential for failure existed only under degraded voltage conditions. Under such conditions, the pump would not automatically restart when voltage was restored to the bus; however, it could be restarted from the control room. Plant procedures require the Transmission System Operator to notify the plant whenever degraded voltage conditions are present. Thus, the potential for failure would be known to the operator.

The risk of core damage was evaluated as being less than 1E-7. Therefore, the system could reasonably have been expected to perform its function.

The subsystem was thus considered available for maintenance rule purposes both prior to discovery, and for the time between discovery and start of repairs.

NMC further concludes that the potential SI pump motor failure did not constitute a loss of any safety function; therefore, this condition did not constitute a safety system functional failure.

Cause:

The electrical calculations for PBNP were being completely redone as part of the Bolted Fault project and the Calculation Upgrade project. As part of this effort, plant equipment nameplate and design data was obtained to form master input calculations. The safety-related motor design data contained in plant files was obtained in 1997. However, the data only existed for one train for one PBNP unit. Additionally, discrepancies and inconsistencies were discovered in this 1997 data. Thus, a decision was made to obtain a complete set of data for both units from the original manufacturer.

The safety injection motors consisted of the four original motors manufactured under a Westinghouse production batch 67 series shop order and a spare which was installed on 1P-15A under a production batch 77 series shop order. In early July 2005, draft safety injection motor data was received. This data was significantly different from the 1997 data, and was only for shop order 77 motors. The transmittal stated that the data was conservative for the four motors manufactured under shop order 67. On July 15, 2005, a conference call was held with the vendor, who stated that the shop order 77 data was accurate and that FACILITY NAME (1) i DOCKET NUMBER (2) LER NUMBER (6 PAGE (3) further work would be required to determine the shop order 67 design data. During the conference call, PBNP staff questioned the significant difference in data. The vendor explained that several motor designs were kept under a single shop order and surmised that the 1997 data was provided for the wrong motor.

The data obtained in 1997 was from the same vendor but a different group. The vendor further explained that the data currently being provided was verified against original PBNP construction records to ensure the correct motor data was calculated.

The apparent cause of this event was failure, in 1997, to validate the design information against actual construction records.

Corrective Action:

Actions to correct the condition include calculations to be created as part of the Bolted Fault Project. These activities were entered into the plant's corrective action system (CAP 033426, CAP 065765, CAP 066104, and corrective action CA 031027).

As stated in the "Event Description" above, motor design data was purchased for all safety-related motors except the service water pump motors, for which newer motor data was already available. The resultant analysis of the purchased data is expected to identify whether any similar conditions exist with other safety-related motors. Motor design data for the service water pump motors is planned for review during development of the electrical system model calculation.

Upon discovery of this condition, the affected SI pumps were declared out of service and the associated 72 hour8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> technical specification action condition was entered to restore the ECCS train to service.

• An engineering calculation and setpoint changes were subsequently completed for the SI pump motor breakers. The time-delay settings addressed by the setpoint changes were implemented on the pump motor breakers. A five minute post maintenance run of the SI pumps was performed to confirm operability.

The time delay relay setting for the breakers was changed, thus providing proper coordination during a degraded voltage event coincident with safety injection actuation. The pump breaker will no longer trip during under the postulated scenario and remains fully capable of performing its safety related function.

An engineering evaluation was completed to evaluate the new data on the SI pump motors (longer motor acceleration time, etc). The evaluation concluded that all accident analysis capabilities would be maintained based on the new motor data and that diesel generator transient response loading remains within diesel capabilities.

Following completion of these activities, all SI pumps were restored to operable status.

Previous Similar Events:

A review of recent LERs (past three years) identified no previous similar events.