05000275/LER-2011-002
| Diablo Canyon Power Plant Unit 1 | |
| Event date: | 01-10-2011 |
|---|---|
| Report date: | 12-16-2011 |
| Reporting criterion: | 10 CFR 50.73(a)(2)(v)(C), Loss of Safety Function - Release of Radioactive Material 10 CFR 50.73(a)(2)(ii)(B), Unanalyzed Condition |
| Initial Reporting | |
| ENS 46531 | 10 CFR 50.72(b)(3)(v)(D), Loss of Safety Function - Mitigate the Consequences of an Accident, 10 CFR 50.72(b)(3)(ii)(B), Unanalyzed Condition |
| 2752011002R02 - NRC Website | |
I. Plant Conditions
At the time of the event, Units 1 and 2 were in Mode 1 (Power Operation) at approximately 100 percent reactor power with normal operating reactor coolant temperature and pressure.
H. Description of Problem
A. Background
The function of the ABVS is to filter air from the area of the active emergency core cooling system (ECCS) components during the recirculation phase of a loss of coolant accident (LOCA). The ABVS also provides environmental control of temperature and humidity in the ECCS pump room areas as well as the general auxiliary building areas. The ABVS is designed, built, and installed as Design Class I and is required to meet single failure criteria. All dampers fail in the positions required for emergency conditions. If a damper failure position is normally open, two dampers are mounted in parallel. Conversely, if the damper failure position is normally closed, two dampers are mounted in series. The specific flowpaths established by the ABVS are dependent on the ventilation system's operating mode, which are defined as Building Only, Building and Safeguards, and Safeguards Only.
Building Only Mode: In this mode, supply air is provided by one of the two full capacity supply fans (whichever is selected to operate). Supply ventilation is routed to selected areas of the auxiliary building via the supply ducts. Exhaust air is collected by the nonsafeguards exhaust ducts and routed through Dampers M-4A and M-4B to the suction of one of the two full capacity exhaust fans.
Building and Safeguards Mode: With the ABVS System in the Building Only Mode, it will automatically shift to the Building and Safeguards Mode in the event that the system's control logic receives either a safety injection signal or an ECCS motor start signal. This mode may also be manually selected using a control switch on the main control board. In this mode, supply air is provided by both supply fans and is distributed to both general building areas and to the ECCS pump room areas. The general building area exhaust air is then collected by the nonsafeguards exhaust ducts and routed through Dampers M-4A and M-4B to the suction of both Exhaust Fans E-1 and E-2. The ECCS pump room areas exhaust air is collected by the safeguards ducts and routed through the engineered safety feature (ESF) filtration train containing charcoal adsorber (with "s" signal) or through the non-ESF filtration train (without "s" signal) to the suction of both full capacity exhaust fans.
Safeguards Only Mode: With the ABVS in the Building and Safeguards Mode, it will automatically shift to the Safeguards Only Mode in the event that a supply or exhaust fan has failed. In this mode, supply ventilation is provided by the operable supply fan. Supply ventilation is distributed to the ECCS pump room areas only. Exhaust ventilation is collected by the safeguards ducts and routed through the ESF filtration train containing charcoal adsorber (with "s" signal) or through the non-ESF filtration train (without "s" signal) to the suction of the operable exhaust fan.
Dampers M-4A and M-4B Function: Dampers M-4A and M-4B are series dampers in the nonsafeguards ducting that provide the exhaust flowpath from the general building areas. They are open in Building Only or Building and Safeguards Modes and closed in Safeguards Only Mode. The dampers are redundant to ensure that when safeguards system operation requires them to close, at least one will close. The control circuits for two dampers are redundant and separate to further ensure reliability.
B. Event Description
On the morning of January 10, 2011, the Unit 2 ABVS was in Building Only Mode with Exhaust Fan E-1 in service. Both Supply Fans S-33 and S-34 were out of service for regularly scheduled maintenance. Removal of both ABVS supply fans is permitted by DCPP TS LCO 3.7.12 Bases. At 1140 PST, Operations Services commenced a routine quarterly pump test on Containment Spray Pump (CSP) 2-1. When CSP 2-1 was started, the ABVS automatically attempted to transition to Building and Safeguards Mode. However, sensing that both supply fans were out of service, the ABVS control system immediately aligned to Safeguards Only Mode as designed. During this transition, Dampers M-4A and M-4B closed to isolate the nonsafeguards flowpath. At approximately 1320 PST, Operations Services completed the pump test and secured CSP 2-1. Because the ABVS mode selector switch was still in Building Only Mode, the system automatically realigned to this mode upon securing CSP 2-1. At 1321 PST, the control room received an ABVS system alarm, indicating that Damper M-4A was not open as required for Building Only Mode. Approximately 35 seconds later, the control room received another alarm indicating that Exhaust Fan E-1 had shutdown, initiating entry into TS LCO 3.0.3 at 1321 PST. Sensing the loss of an exhaust fan, the ABVS control system attempted to autostart the standby Exhaust Fan E-2. At 1323 PST, the control room received a third alarm indicating that Fan E-2 had also shutdown. At that time, all Unit 2 ABVS supply and exhaust fans were not in service. The operators entered the annunciator response procedure, performed a status reset of the control logic in the control room, and selected ABVS Exhaust Fan E-2, resulting in the restart of ABVS Exhaust Fan E-2. TS LCO 3.0.3 was subsequently exited at 1342 PST. This event affected only the Unit 2 ABVS.
Following the event, PG&E investigated the cause of the failure and reviewed the design of the ABVS. The investigation revealed that the design of the ABVS control logic allowed the event that occurred on January 10, 2011, by tripping the operating exhaust fan when a suction damper is not fully opened. Sensing the loss of an exhaust fan, the ABVS control system attempts to autostart the standby exhaust fan but will block the standby exhaust fan when an M-4 suction damper is not fully opened. At this point, the control logic will be faulted and prevent both exhaust fans from starting and will not respond to an ESF pump start or safety injection signal until operators reset the control logic. Investigation also revealed that the single failure vulnerability existed only with the ABVS selected to the Building Only Mode.
The single failure vulnerability was determined to be part of the original plant design for both DCPP Units 1 and 2.
Replacement of the control system, which was issued in 2009 for Unit 1 and 2008 for Unit 2, focused on maintaining identical control logic and consequently failed to identify and correct the single failure vulnerability. The Unit 2 ABVS Damper M-4A failure to fully open was determined to be due to leakage past the piston seal of the damper actuator.
C. Status of Inoperable Structures, Systems, or Components that Contributed to the Event Unit 2 ABVS Damper M-4A Actuator Piston Seal leaked.
D. Other Systems or Secondary Functions Affected
No additional safety systems were adversely effected by this event.
E. Method of Discovery
Control room alarms alerted operators to the loss of ABVS on Unit 2.
F. Operator Actions
Selected the ABVS Safeguards Only Mode, reset the ABVS control logic, and selected ABVS Exhaust Fan E-2, restarting Fan E-2.
G. Safety System Responses
None.
III. Cause of the Problem
A. Immediate Cause
The Unit 2 ABVS failure occurred due to ABVS Damper M-4A failing to fully open upon a control system demand signal concurrent with the existence of a previously unrecognized single failure design vulnerability.
B. Cause
1. The apparent cause of the loss of both trains of ABVS was a nonconforming condition in the plant ABVS design. This portion of the ABVS system did not meet the single failure criteria.
2. DCPP's licensing basis allowing ABVS manual actions, when automatic action was not available, was not clear.
3. The apparent cause for the failure to identify and correct the single failure vulnerability when preparing the design of the replacement ABVS control system was that the DCPP design change process was limited to the modification and did not search for legacy issues while performing failure modes and effects analyses.
4. The apparent cause of the Unit 2 ABVS Damper M-4A leakage past the damper actuator piston seal is presumed to be use of the seal beyond its defined service life, contrary to requirements of the DCPP preventative maintenance program for this seal. PG&E left the seal in service beyond its defined service life due to a 2007 personnel error which incorrectly closed the maintenance order to replace the seal.
IV. Assessment of Safety Consequences
Based on a review of the event, the Unit 2 ABVS Exhaust Fans, E-1 and E-2, were not operable and available to automatically perform the required safety function. This event could have occurred on either unit due to the single failure vulnerability. The ABVS controls the release of radioactivity, mitigates the consequences of an accident by maintaining the ABVS exhaust fans were not operating for a very brief period of time, the ESF features for this system were capable of performing their design safety functions via manual operator initiation. ABVS control room alarms alert operators to problems with the ABVS. Operating procedures direct operators to reset the control logic and reestablish the ABVS operation at control panels located within the control room. Consequently, this brief loss of ABVS is not considered risk significant and would not have adversely effected the health and safety of the public.
3. RADE — ow lin
V. Corrective Actions
Plant operators selected the ABVS to Safeguards Only Mode, reset the ABVS control logic, and restarted ABVS Exhaust Fan E-2. A shift order was issued directing that the Units 1 and 2 ABVS be kept in either the Building and Safeguards Mode or the Safeguards Only Mode. By keeping the ABVS in the Building and Safeguards Mode or the Safeguards Only Mode, the single failure vulnerarbility is precluded. In addition, the actuator for damper M-4A was replaced.
B. Corrective Actions to Prevent Recurrence (CAPR) 1. Modified the ABVS system design such that it meets the single failure design requirements.
2. Revise.licensing basis by clearly describing the ABVS and requirements to allow crediting manual operation if automatic actuation is unavailable.
3. Revise the design change process to include a design evaluation of new and old failure modes based on the current licensing and design bases.
4. The employee that incorrectly closed the order in 2007 was remediated on the maintenance order closure procedural requirements.
VI. Additional Information
A. Failed Components
Unit 2 ABVS Damper M-4A Actuator Piston Seal
B. Previous Similar Events
None
C. Industry Reports
None