05000269/LER-2004-003

EVALUATION:

BACKGROUND

This event is reportable per 10CFR 50.73 (a)(2)(v) D as a loss of safety function of a system needed to mitigate the consequences of an accident.

In the event of an accident, the Reactor Building Spray (RBS) [EIIS:BE] and Reactor Building Cooling (RBC) [EIIS:BK] Systems provide containment atmosphere cooling. RBS also provides iodine removal capability. The limiting design basis accidents for these systems are the loss of coolant accident (LOCA) and the steam line break (SLB) inside containment.

The RBS System consists of two separate trains, each of which shares a suction source with a corresponding train of the Low Pressure Injection (LPI) [EIIS:BP] system. The RBS System is an Engineered Safeguards (ES) [EIIS:JE] System. RBS Train 'A' is actuated by ES Digital Channel 7 and RBS Train 'B' is actuated by ES Digital Channel 8. ES actuation of a RBS Train can occur either automatically due to containment pressure exceeding 10 psig, or manually by operator action.

Oconee work control processes use a version of the ORAM-Sentinel software to perform assessments on scheduled work activities for Maintenance Rule purposes. As such, ORAM-Sentinel is a risk management tool, not a Technical Specifications (TS) compliance tool. However, ORAM-Sentinel is modeled to detect certain conditions that are unacceptable by rule rather than by risk.

Having both trains of RBS out of service simultaneously is one of these rule based conditions. For recurring activities, the computerized schedule contains codes which indicate the Maintenance Rule availability of affected components. The ORAM-Sentinel software also allows manual entries to document unscheduled equipment failures. This allows look-ahead schedule reviews to evaluate the risk impact of a discovered failure or an unscheduled activity on previously scheduled activities.

PT/1/A/0152/012, LPI Valve Stroke Test, is a periodic test which strokes valves in the LPI System to verify their operability.

Among the valves stroked in the test are 1LP-21 and 1LP-22. 1LP-21 isolates the pump suction path from the Borated Water Storage Tank (BWST) to the 1 1A1 LPI and I1A' RBS trains, and 1LP-22 isolates suction on the I1B' LPI and '113' RBS Trains. Therefore, stroke testing each valve will render the associated trains Inoperable per TS while the valve is not open. Because the time required to stroke each valve full cycle is short, the trains have been considered available for Maintenance Rule purposes while performing this portion of the test. Therefore, this procedure was coded as available during ORAM-Sentinel risk assessment evaluations.

TS Limiting Condition for Operation (LCO) 3.6.5 contains the requirements for RBS and RBC System Operability. In Modes 1 and 2, the LCO requires two RBS trains to be Operable. If one train of RBS becomes Inoperable in Modes 1 or 2, the Required Action is restoration within 7 days.� If both trains of RBS become Inoperable in Modes 1 or 2, then LCO 3.0.3 must be entered immediately, which requires unit shutdown to Mode 3 within 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />, to Mode 4 within 18 hours2.083333e-4 days <br />0.005 hours <br />2.97619e-5 weeks <br />6.849e-6 months <br />, and to Mode 5 within 37 hours4.282407e-4 days <br />0.0103 hours <br />6.117725e-5 weeks <br />1.40785e-5 months <br />.

Operations personnel officially track entry into TS conditions using a Technical Specifications Tracking Log. This is a paper system using a notebook with a log sheet to document each entry into a TS condition. In addition, a computerized program, Technical Specification Action Item Log (TSAIL), is under development and is available for general use. Some shift personnel use TSAIL to generate entries in the computerized Reactor Operators' log. Currently site processes and management expectations do not require TSAIL to be used in "real time" (i.e.

before the actual removal from service of the equipment). One advantage of TSAIL is that it automatically checks against items already logged as out of service, and identifies all applicable TS conditions.

Each shift crew includes several licensed Senior Reactor Operators (SROs), several licensed Reactor Operators (R0s) and several non­ licensed Nuclear Equipment Operators (NE0s). SRO positions include the Operations Shift Manager (OSM), a Work Control Center SRO (WCC SRO), and, on each unit, a Control Room SRO (CRSRO). Each unit also has an RO "at the controls" (OATC) and a Balance of Plant (BOP) RO.

Prior to this event Unit 1 was operating at 100% power with no safety systems or components out of service that would have contributed to this event.

EVENT DESCRIPTION

On 9-11-04 Instrument and Electrical Maintenance (I&E) commenced IP/O/A/0310/012 D, "ES System Logic Subsystem 1 RB Spray Channel 7 Online Test."� Subsequently alarms indicated problems with a power supply associated with a logic module and the ES Odd Digital Channels were declared inoperable. This resulted in the associated components (for ES Channels 1,3, 5 and 7) being declared inoperable including 1A RBS Train.

During the shift turnover meeting, at approximately 19:15, Ul CRSRO and OSM discussed that PT/1/A/0152/012, "LPI System Valve Stroke Test," scheduled to be performed on nightshift, would not be able to be performed due to "outstanding ES issues" and "workload". The WCC SRO delayed performance of the PT to the next day or night.

During nightshift, an ORAM-Sentinel computerized schedule look­ ahead risk assessment was performed considering ES Channel 7 and RBS Train 1A out of service. Because the RBS train is considered available while the LPI System Valve Stroke Test is in progress, this risk look-ahead did not indicate an unacceptable condition.

After performing the schedule look-ahead, the nightshift Operations Nuclear Equipment Operator (NEO) Supervisor obtained a copy of PT/1/A/0152/012 and prepared a copy of the Pre-Job Brief for this evolution. This package was later turned over to the Dayshift NEO Supervisor.

Following troubleshooting and temporary repairs, ES Channels 1,3, and 5 were declared operable at 02:07 on 9-12-04. ES Channel 7 remained inoperable pending repair/replacement of a defective electronic module.

During turnover on 9-12-04, the nightshift Operators turned over to the dayshift Operators that PT/1/A/0152/012 was not performed yet due to "lack of resources". However, no tie was discussed between the ES Digital Channel 7 problem and the delayed PT. During a morning meeting for dayshift, there was no mention of any intent to perform of PT/1/A/0152/012 but it was noted that the 1A RBS Train was inoperable due to ES Digital Channel 7 being out of service.

Day shift personnel performed another Risk assessment look ahead, which again showed no unacceptable condition associated with PT/1/A/0152/012.

On 9-12-04 at 14:00 a Work Control Center (WCC) Senior Reactor Operator (SRO) dispatched a NEO with PT/1/A/0152/012 (LPI System Valve Stroke Test) to the Unit 1 Control Room. The NEO was instructed to work with

• the Ul CRSRO to complete the portion of the PT applicable to electrically operated valves.

At about 14:30 a Pre-Job Brief for PT/1/A/0152/012 was held in Unit 1 Control Room. Attendees: Ul CRSRO, Ul BOP, OTG NEO.

The LPI System Valve Stroke Test was begun. The 1A RBS Train was removed from service for this test while 1LP-21 was stroked, after which it was returned to service with respect to this test. The train remained out of service due to the problems with ES Channel 7.

At 15:55 1B RB Spray Train was declared removed from service to stroke 1LP-22.

According to data from the Operator Aid Computer, at 15:56:16 1LP­ 22 indication changed from Open to Not Open, indicating the start of the valve stroke. At 15:56:36 1LP-22 indicated CLOSED. At 15:57:06 1LP-22 indicated NOT CLOSED, showing that the valve had started to re-open and at 15:57:36 1LP-22 indication changed from Not Open to Open showing that the full stroke was complete. Thus the total time the valve did not indicate full open was 80 seconds.

The valve indicated full closed for only 30 seconds.

At 15:58 1B RB Spray Train was declared back in service following the stroke of 1LP-22.

At 16:10 an Operator began to make a TSAIL entry for 1B RBS Train being out of service. TSAIL indicated a potential loss of safety function condition. The Operator discovered that another TSAIL entry showed 1A RBS train out of service due to the ES Channel 7 problem. That operator recognized that both trains of RBS had been out of service during the stroke test on 1LP-22 and notified the OSM and STA.

This event placed the unit in TS 3.0.3 for the duration of the valve stroke. The Operators recognized that during this time the RBS could not perform its intended safety function. At 19:14 on 9­ 12-04 an 8-Hour Non-Emergency ENS notification per 10CFR 50.72 (b) (3) (v) (D) was completed. NRC Event Number 41037 was assigned.

Subsequently at 20:39 1A RBS Train was declared operable following repairs to a power supply associated with ES Digital Channel 7.

CAUSAL FACTORS

Two root causes were identified for this event.

The first root cause of the entry into TS LCO 3.0.3 was determined to be a procedure use and adherence error. One primary barrier to prevent inadvertent deviation from TS is operator awareness of the status of the systems on his/her unit. Due to the potential for memory lapse and/or mis-communication to affect that awareness, an administrative procedure exists which requires review of the TS Tracking Log for items already in effect prior to authorizing removal of TS components from service.

When the decision was made to perform the LPI Valve Stroke Test, Control Room SRO failed to recall that the 1A RBS Train was already out of service. However the inappropriate action which is the first Root Cause of the event is that the Unit 1 CRSRO also forgot to perform the administrative review the TS Tracking Log, as required by administrative procedure. This inappropriate action is a root cause since it was the last line of defense and should have prevented the event from occurring.

A second root cause is an inadequate failure modes and effects review.

Per an administrative directive on the Maintenance Rule, in order for an SSC to be considered available during online testing, any contingencies must be evaluated to consider the time necessary for restoration of the SSC function with respect to the time at which performance of the function would be needed. It states: "The SSC must be able to perform its intended function without degradation of its performance after its recovery (restoration).

The procedure for performing the valve stroke contains a limit and precaution directing the operator to restore the component to its required position upon ES actuation. Engineering concluded that the valve would be repositioned as soon as possible and used engineering judgment to conclude that the affected pumps would not be damaged by inadequate suction before flow was restored. On this basis Engiheering determined the affected valves and associated trains to be available during the LPI Valve Stroke Test. Therefore the work order for the LPI Valve Stroke Test was coded to indicate that the SSCs being tested were "Available" in accordance with the Maintenance Rule.

However, during further review after this event, Operations management determined that it is not "virtually certain" that an operator would immediately re-open 1LP-22 upon ES actuation. If an event occurred during online testing which required actuation of RBS with 1LP-22 closed, Operations management concluded it could take several minutes before the operator repositioned the valve to open. Engineering does not have vendor data to support operation of the RBS pumps for such a period of time with no suction source.

Therefore it must be assumed that the associated pump may be damaged before the realignment is complete. Therefore the affected train should not be considered "Available".

If the work order had been coded to indicate the associated RBS Train "not available", while the other RBS train was flagged as out of service due to the inoperable ES channel, the ORAM-Sentinel reviews that were performed would have identified the test as creating an unacceptable condition, and the PT would have been deferred until a more appropriate time.

Therefore the second root cause is that the PT was erroneously coded as available, due to inadequate analysis of the potential failure modes.

An additional barrier could have prevented the event but was not in use. The TSAIL program is a computerized version of the TS Tracking Log but is officially under development. Therefore, site processes and management expectations do not require its use in "real time" (i.e. before the actual removal from service of the equipment). Operators discovered this event by making an "after the fact" TSAIL entry. If the Operators had made a real time entry, this event would have been prevented. Therefore, TSAIL represents a "missing barrier" in this event.

CORRECTIVE ACTIONS

Immediate:

1. Per the test procedure, the Operators reopened 1LP-22, which restored the 1B train of RBS to operable status.

Subsequent:

1. While making a routine "after the fact" TSAIL entry, the Operators recognized the event and made appropriate declarations and notifications.

Planned:

1.Licensed Operators involved in this event will receive counseling or other disciplinary action as appropriate per established Duke Power policies.

2.Change Work Order Coding for PT/*/A/0152/012 LPI valve stroke procedures on all three units to make RBS and LPI pumps "Not Available" in ORAM-Sentinel during stroke tests on suction valves.

3.Perform an extent of condition review to identify any work order models for valve stroke PTs coded as "Available" during stroke tests. Review these valves to ensure they are properly evaluated for availability of the SSC. Give special attention to valves which require TS or Selected Licensee Commitment (SLC) entry during testing and valves on the suction side of pumps with automatic start signals. Based on this review, correct availability codes as applicable.

4.Revise administrative procedures to implement a Management expectation that Operators will make documentation entries in TSAIL prior to rendering equipment out of service which would result in entry into TS or SLC conditions.

There are no NRC Commitment items contained in this LER.

SAFETY ANALYSIS

As stated above, this event involved the fact that both trains of the Reactor Building Spray System (RBS) were declared inoperable concurrently. One train (1A) was out of service for maintenance and troubleshooting. The second train (1B) was logged as inoperable for a period of three minutes. A review of computer indication of the actual valve position indicates that the total time the valve did not indicate full open was 80 seconds. The valve indicated full closed for only 30 seconds.

With the valve closed, both the 1B RBS pump and 1B LPI pump suctions were isolated. If an event is postulated with an ES actuation during this short time, the affected B train LPI and RBS pumps might be damaged beyond use before the suction path could be restored.

If the 1B LPI pump experienced damage, the LPI safety function is assumed to be performed by ES Channel 3 and the 1A train of LPI, which were operable.

If the 1B RBS pump experienced damage, while the ES Channel 7 circuit was also out of service, the RBS safety function would not be performed automatically. Therefore this event has conservatively been considered a Safety System Functional Failure.

From a risk perspective, this short loss of the RBS safety function had negligible impact for four reasons:

1.The RBS has no impact on the calculated Core Damage Frequency (CDF) at Oconee and as such the RBS system is not included in the Level One PRA model.

2.The RBS system has no significant impact on the calculated Large Early Release Frequency (LERF). For a large dry containment such as Oconee has, the LERF is dominated by containment bypass sequences. Loss of both trains of the RBS system would have no impact on these types of sequences.

3.Additionally, while the RBS system can be used for containment pressure control with the LPI system, its main function is to scrub fission products from the containment atmosphere. The reactor building cooling units are the primary pressure controlling equipment.

4. The short duration (logged as 3 minutes, but actually only 80 seconds) ensures that the risk impact is negligible.

In addition, it was concluded that there was a high probability for restoring the RBS function. ES Channel 7 was inoperable for both automatic and manual actuation of the channel as a whole. However, the components remained manually operable from their individual ES control panels (RZ modules). The EOP contains steps that would direct the Operators to manually actuate the individual Channel 7 (Train A) RBS components. Operations Staff estimated this would not occur until about 15 to 20 minutes into the postulated event.

Therefore, an engineering analysis was performed to look at LOCA/SLB containment response with no credit for RBS flow for 20 minutes. For LOCA scenarios, the engineering analysis found that a 20 minute delay in RBS actuation has no impact on containment response to a LOCA.

For SLB scenarios inside containment, the engineering analysis found that this delay would allow the containment peak pressure and temperature to exceed the Environmental Qualification (EQ) envelope slightly for scenarios involving a range of small SLB sizes. This might be expected to slightly increase the possibility of an EQ related failure of EQ equipment within the RB. However, due to the overall low risk associated with this event, the potential for impact on EQ equipment within the RB was not evaluated further.

In conclusion, the risk impact of this event was very small due to the short duration of the period of vulnerability, the limited contribution of RBS to core damage or dose release scenarios, and the high expectation of manual initiation of the 1A train of RBS after only a short delay. Therefore, there was no impact on the health and safety of the public due to this event.

ADDITIONAL INFORMATION

There were no releases of radioactive materials, radiation exposures or personnel injuries associated with this event.

This event is not considered reportable under the Equipment Performance and Information Exchange (EPIX) program.

NM.�