05000275/LER-2009-002

LER-2009-002, Two Trains of Auxiliary Feedwater Inoperable Due to Protection System Failure
Diablo Canyon
Event date: 06-29-2009
Report date: 08-28-2009
Reporting criterion: 10 CFR 50.73(a)(2)(vii), Common Cause Inoperability
2752009002R00 - NRC Website

I. Plant Conditions

Unit 1 was in Mode 1 (Power Operation) at approximately 100 percent reactor power with normal operating reactor coolant temperature and pressure.

II. Description of Problem

A. Background

The Diablo Canyon Power Plants (DCPP) Units 1 and 2 are Pressurized Water Reactors (PWR) with four Reactor Coolant Loops (RCL)[AB] to circulate reactor coolant to each of the four steam generators (SG)[SG].

Each SG is a vertical U-tube design provided by the Nuclear Steam Supply System (NSSS) vendor, Westinghouse.

The auxiliary feedwater (AFW) system [BA] is a safety-related system that serves as a backup supply of feedwater to the secondary side of the SG.

It maintains the heat sink function of the SGs whenever the Main Feedwater (MFW) system is unavailable.

The AFW system is Design Class I and includes the feedwater process and the power supply portion of the system. The basis for the Class I designation is that the AFW system is considered an engineered safety feature system that is required for safe shutdown of the reactor. It is directly relied upon to prevent core damage and reactor coolant system (RCS) overpressurization in the event of transients, such as a Loss of Normal Feedwater (LONF) or a secondary system pipe rupture.

The AFW system consists of three feedwater supply trains with diverse drive-power sources. One train employs a full capacity, approximately 800 gpm steam turbine-driven pump, AFW Pump 1-1, aligned to all four SGs. The other two trains consist of half-capacity motor-driven AFW pumps, AFW Pump 1-2 and AFW Pump 1-3, each supplying approximately 400 gpm to two of the four SGs, with the capability to be manually aligned to any of the four generators.

The normal operation of the AFW system, which is during startup and shutdown, is to supply the SGs with a secondary heat sink while main feedwater is unavailable. This is done with two motor-driven AFW pumps providing the AFW flow with suction taken from the condensate storage tank (CST) [KA]. If the CST becomes unavailable for any reason, several additional sources of water can be aligned for AFW.

LICENSEE EVENT REPORT (LER) TEXT CONTINUATION FACILITY NAME (1) DOCKET NUMBER (2) LER NUMBER (6)

The LONF analysis assumes that with the limiting single failure of one motor-driven AFW pump, the second motor-driven AFW pump provides the minimum required flow to two of four SGs.

The Feedwater Line Break (FLB) analysis assumes flow to two intact SGs.

No AFW injection is credited until the faulted SG is isolated at ten minutes.

Since the FLB is a limiting loss of secondary heat transfer event, the analysis assumes that only the faulted SG blows down to minimize primary heat removal.

The Main Steam Line Break (MSLB) event establishes the maximum AFW flow imbalance assumed with respect to maximizing the mass and energy release from the faulted SG.

Technical Specification (TS) 3.7.5, "Auxiliary Feedwater System," requires three AFW trains to be OPERABLE in Modes 1, 2, and 3. TS 3.7.5 Condition B requires entry into a 72-hour Action Statement in Modes 1, 2, or 3, in which the one AFW train that is inoperable must be repaired.

TS 3.7.5 Condition C is entered when two AFW trains become inoperable in Modes 1, 2, or 3, at which time the action statement is entered to be in Mode 3 in six hours and Mode 4 in eighteen hours.

B. Event Description

Prior to the event, auxiliary salt water (ASW) Pump 1-2 was declared inoperable and cleared for planned maintenance.

On June 29, 2009, at 06:47 PDT, Protection Set 2, Rack 8, failed due to a Loop Calculation Processor (LCP) card failure. Plant operators declared both motor-driven AFW pumps inoperable based on Operating Procedure (OP) AP-5 guidance and training. They determined the operational risk assessment management (ORAM) risk indicator was red. A dedicated operator was stationed to control the affected level control valves (LCV-110 and LCV-113) in manual should the need arise, assuring their full flow capability, thus, allowing AFW pumps to be OPERABLE and exiting the red risk status.

On June 29, 2009, at 07:14 PDT, TS 3.7.5, Condition C, was exited when the first LCV was placed in manual and a dedicated licensed operator assigned to the controls.

On June 29, 2009, at 07:17 PDT, both motor-driven AFW Pumps 1-2 and 1-3 LCVs were taken to manual and plant operators exited TS 3.7.5.

On June 29, 2009, at 12:00 PDT plant operators returned ASW 1-2 to service following completion of the planned maintenance outage window.

On June 30, 2009, at 08:26 PDT the Eagle 21 Protection Set II, Rack 8, was returned to service following completion of LCP replacement and satisfactory testing.

C. Status of Inoperable Structures, Systems, or Components that Contributed to the Event

The Eagle 21 Reactor Protection System (RPS)[JA] Protection Set II, Rack 8, LCP failure resulted in motor driven AFW Pumps 1-2 and 1-3 being declared inoperable.

D. Other Systems or Secondary Functions Affected

No additional safety systems were adversely affected by this event.

E. Method of Discovery

The condition was promptly known to the Utility Licensed Plant Operators at the controls due to alarms and indications received in the control room.

F. Operator Actions

Utility licensed plant operators transitioned the motor-driven AFW Pumps 1-2 and 1-3 to manual level control mode in accordance with established plant procedures, returning the pumps to operable status.

G. Safety System Responses

Operation of the AFW circuit with Eagle-21 Rack Failed (Locked Up):

Eagle-21 is designed to be fail safe for all safety-related channels. If a rack were to lose power or otherwise fail, watchdog circuitry is provided that automatically sends a trip signal to the safety-related outputs to the Solid State Protection System (SSPS). However, the non-safety related outputs, such as those used for indication and control, are designed to fail "as-is" or freeze at the current value to prevent perturbing the plant.

A simplified sketch of the AFW control system is shown below:

[Figure: simplified sketch of the AFW control system; the diagram is not recoverable from the extracted text.]

During this event, the Eagle 21 Protection Set II, Rack 8, experienced a "lockup" condition when the LCP failed. As designed, the safety-related outputs went to the "trip" condition and the non-safety outputs failed "as-is." This froze the outputs to the normal operating SG level at approximately 65 percent level. Based on the Scaling Calculations for the loop, this represents approximately 50 percent open on the valves. So if the hand controllers (HCs) on the control room Vertical Board were left in Auto during the time that Rack 8 was locked up and a SG lo-lo level trip occurred, the LCV-110 (SG Loop 1) valve would have been demanded to 50 percent open and the LCV-113 (Loop 4) would be demanded to 50 percent open when the motor driven AFW pumps were started. The other two valves (LCV-111 and LCV-115) would be at 100 percent open and then control on the actual active level control signal.
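An added sketch of the failure behavior described above, not plant or Westinghouse logic: a rack whose safety output trips on lockup while its non-safety level output freezes, feeding a valve controller that can be taken to manual. The `Rack` class, the lo-lo setpoint and the linear scaling are constructed assumptions, chosen only so that a frozen 65 percent level gives 50 percent valve demand as the report states.

```python
from dataclasses import dataclass

TRIP, NORMAL = "TRIP", "NORMAL"
LOLO_SETPOINT = 20.0    # constructed lo-lo level setpoint, percent (not from the report)
LREF, GAIN = 65.0, 2.0  # constructed scaling chosen so 65 % level -> 50 % valve demand


@dataclass
class Rack:
    """One safety-related bistable output and one non-safety analog output."""
    locked_up: bool = False
    safety_out: str = NORMAL
    control_out: float = LREF   # SG level signal passed to the level controller

    def scan(self, measured_level: float) -> None:
        if self.locked_up:
            # Watchdog action: the safety output is driven to trip, while the
            # non-safety output is left untouched ("as-is").
            self.safety_out = TRIP
            return
        self.safety_out = TRIP if measured_level <= LOLO_SETPOINT else NORMAL
        self.control_out = measured_level


def lcv_demand(rack: Rack, hc_mode: str, manual_demand: float = 100.0) -> float:
    """Valve demand in percent open; a hand controller in MANUAL bypasses the rack."""
    if hc_mode == "MANUAL":
        return manual_demand
    auto = 50.0 + GAIN * (LREF - rack.control_out)
    return max(0.0, min(100.0, auto))


def run_scenario(lockup: bool, hc_mode: str) -> tuple[str, float]:
    """Rack tracks 65 % level, optionally locks up, then real level falls to 10 %."""
    rack = Rack()
    rack.scan(65.0)
    rack.locked_up = lockup
    rack.scan(10.0)
    return rack.safety_out, lcv_demand(rack, hc_mode)


if __name__ == "__main__":
    for lockup, mode in [(False, "AUTO"), (True, "AUTO"), (True, "MANUAL")]:
        print(lockup, mode, run_scenario(lockup, mode))
```

In the locked-up AUTO case the trip is still delivered, but the valve demand stays at the stale 50 percent while the real level is far lower, which is the gap the dedicated operator in manual closes.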

III. Cause of the Problem

A. Immediate Cause

The Eagle 21 LCP failure caused the SG level control output to lock up at the fail-as-is setpoint of approximately 65 percent in accordance with the design intent.

The inoperability of the motor-driven AFW valves LCV-110 and LCV-113 automatic level control function is a known condition resulting from the failed automatic level control input that requires licensed plant operator intervention in accordance with approved plant procedures.

B. Cause

The Eagle 21 LCP failure is designed to result in the lockup of the AFW level control output signal; therefore, the system performed as designed and operator actions were taken in accordance with approved plant procedures. The cause of the Eagle 21 LCP single failure was entered into the plant problem resolution system for further investigation and resolution.

The motor-driven AFW LCVs are designed to have manual operator control override capability by manual intervention at the manual/auto controller provided to the licensed plant operators in the control room.

Therefore, the Eagle 21 and motor-driven AFW control systems responded in accordance with their design intent.

IV. Assessment of Safety Consequences

There were no safety consequences as a result of this event.

Probabilistic risk assessment (PRA) analysis of conditional core damage probability of this event was found to be approximately 4E-8, based on the timeline provided and the assumed operability of motor-driven AFW pumps with the dedicated operator at the LCVs. The results are low due to the short time (30 minutes) used when both motor driven AFW pumps and one ASW pump were considered inoperable.

The Unit 1 reactor was maintained in Mode 1 at normal pressure and temperature during the event with TS-required equipment operable and the motor-driven AFW Pump 1-3 made available via manual licensed plant operator actions taken in accordance with the TS 3.7.5 Condition C and established plant procedures. Therefore, the consequences of any at-power accidents postulated in the Final Safety Analysis Report (FSAR) Update were precluded.

In the unlikely event of a postulated accident during the short time period of inoperability, the steam-turbine driven AFW Pump 1-1 was operable and capable of providing adequate AFW flow to the four SGs via diverse flow pathways.

Therefore, the AFW system was capable of performing its safety function.

Therefore, the event is not considered risk significant and it did not adversely affect the health and safety of the public.

V. Corrective Actions

A. Immediate Corrective Actions

Plant operators entered TS 3.7.5 Condition C and maintained Unit 1 in Mode 1 at normal operating temperature and pressure. The failed Eagle 21 LCP card was replaced.

B. Corrective Actions to Prevent Recurrence (CAPR)

None required as the systems involved performed as designed and licensed operator actions were taken in accordance with plant procedures.

VI. Additional Information

A. Failed Components

Eagle 21 LCP provided by the NSSS Vendor, Westinghouse, board Part# 3D21654G01.

B. Previous Similar Events

None.

C. Industry Reports

None.