05000285/LER-2002-002

LER-2002-002, Inappropriate Use of Manual Operator Action Renders Multiple Safety Systems Inoperable
Fort Calhoun Nuclear Station Unit Number 1
Event date:
Report date:
Reporting criterion: 10 CFR 50.73(a)(2)(vii), Common Cause Inoperability
2852002002R00 - NRC Website

INTRODUCTION

In March of 2002, an NRC inspection team found that a quarterly full flow surveillance test on the Auxiliary Feedwater (AFW) system inappropriately took credit for manual operator action to isolate the full flow test line in the event that AFW flow was needed for an accident. Eliminating this credit rendered both trains of the AFW system inoperable for the length of the test. This test has been performed in this manner since about 1993. A review of procedures has found other testing procedures with problems caused by crediting manual operator actions in lieu of automatic actions. During part of a surveillance test of the Emergency Core Cooling System (ECCS), the pump recirculation line was isolated for a short period of time. During this time, had an accident signal started the ECCS pumps with plant pressure greater than injection pressure, the pumps would have run at shutoff head until the operator took action to restore the minimum flow path.

BACKGROUND

The crediting of manual operator actions in place of automatic action affected two safety related systems: AFW and ECCS.

AFW

There are two safety-related AFW pumps at the Fort Calhoun Station (FCS), FW-10 and FW-6. FW-10 is a steam turbine driven pump designed to be independent of Alternating Current (AC) power requirements.

FW-6 is driven by an electric motor supplied from one of the station's 4160 volt AC vital buses.

In 1990, a commercial grade, non-safety related, diesel driven AFW pump (FW-54) was added to the feedwater system. FW-54's normal injection path is through the main feedwater system, which is independent of the AFW system. FW-54's water supply is the condensate storage tank. The pump can be cross-connected with the AFW system injection header. FW-54 is used as the normal source of water to the Steam Generators (SG) during low power operation of the plant, i.e., during plant startups and shutdowns.

The AFW feedwater line may be cross-connected to the main feedwater system through a manually operated cross-connect line which is normally isolated by motor operated valve HCV-1384. HCV-1384 has no automatic functions. (See Figure 1)

The Auxiliary Feedwater Actuation Signal (AFAS) automatically initiates AFW flow to intact SGs on low SG level. AFAS channel A and channel B actuate AFW flow for either or both SGs. Redundant contacts from each sensor are arranged in two redundant, two out of four logic matrices that actuate each of the AFAS channels.

The FCS Technical Specification (TS) section related to operability of the safety related AFW pumps does not allow both FW-6 and FW-10 to be inoperable while in mode 1.

ECCS

The major components of the FCS ECCS include three High Pressure Safety Injection (HPSI) pumps (SI-2A/B/C), two Low Pressure Safety Injection (LPSI) pumps (SI-1A/B), three Containment Spray (CS) pumps (SI-3A/B/C), and the Safety Injection and Refueling Water Tank (SIRWT).

The normal suction for the HPSI, LPSI, and CS pumps is the SIRWT. The minimum flow recirculation path for the HPSI, LPSI, and CS pumps is through a single line with two isolation valves in series (HCV-385 and HCV-386). When the SIRWT low level signal is received during a Loss Of Coolant Accident (LOCA) and the suction for these pumps shifts to the containment sump, the recirculation valves (HCV-385 and HCV-386) receive a closed signal from their respective channel. (See Figure 2)

The FCS ECCS actuation system is composed of two redundant trains ('A' and 'B') of engineered safeguards controls and instrumentation. Each train includes a panel that houses the relays, valve and pump controls, two sequencer panels, and an Emergency Diesel Generator (EDG) panel. When a measured parameter reaches the setpoint for initiation of a safeguards signal on the required number of instrument channels (ordinarily two out of four), the initiating signal lockout relay trips, actuating the associated safeguards functions. For example, the Safety Injection Actuation Signal (SIAS) initiates Safety Injection (SI) and is generated by either a Pressurizer Pressure Low Signal (PPLS) or a Containment Pressure High Signal (CPHS).

Each engineered safeguards controls and instrumentation train includes prime initiation relays, prime actuation relays, derived initiation relays and derived actuation relays. Safeguards actuation signals are generated from logical combinations of initiation signals.

The FCS TS section related to operability of the ECCS pumps does not allow both trains of HPSI, LPSI, or CS to be inoperable while in modes 1 or 2.

History of Crediting Manual Operator Action in Place of Automatic Action

NRC Generic Letter (GL) 91-18 Revision 1 provided guidance on the operability of safety related systems.

Specifically, the letter stated that "it is not appropriate to take credit for manual action in place of automatic action for protection of safety limits to consider equipment operable. This does not preclude operator action to put the plant in a safe condition, but operator action cannot be a substitute for automatic safety limit protection. Although it is possible, it is not expected that many determinations of operability will be successful for manual action in place of automatic action. [Such changes] are expected to be a temporary condition until the automatic action can be promptly corrected in accordance with 10 CFR Part 50 Appendix B, Criterion XVI, 'Corrective Action.'" It is possible that FCS reviewers considered this to apply only to safety limit protection.

In January of 1994, FCS submitted LER 1993-019 because manual actions for maintaining FW-6 and FW-10 operable during a surveillance test were not outlined in the procedure. One of the causes of that event was "The lack of an established clear direction for declaring equipment inoperable during surveillance testing allowed for interpretations of what constitutes operability in a test configuration."

One of the corrective actions for LER 1993-019 was to create a new Standing Order, SO-G-100, "Operability Dispositions when Calibrating or Testing Safety Related Equipment," on equipment operability during testing. SO-G-100 was implemented on February 10, 1994, and established component/system operability guidelines to be adhered to when calibrating or testing safety related equipment where the equipment to be calibrated or tested is configured such that without manual operator action it would be unable to automatically perform its design function.

SO-G-100 was developed based on the guidance in NRC Generic Letter (GL) 91-18. On July 8, 1994, NRC routine Inspection Report 50-285/94-16 for the period May 8 to June 18, 1994, closed LER 93-019 based on, "the stated corrective actions being appropriate, the corrective actions being inspected during the review of an NRC open item, or the items having been inspected during previous NRC inspections." On the basis of this report, FCS personnel considered the newly developed dedicated operator program to be an acceptable practice for maintaining operability of components during testing.

NRC Information Notice (IN) 97-78, "Crediting of Operator Actions in Place of Automatic Actions and Modifications of Operator Actions, Including Response Times," states, in part, "The original design of nuclear power plant safety systems and their ability to respond to design-basis accidents were described in licensees' FSARs and were reviewed and approved by the NRC. Most safety systems were designed to rely on automatic system actuation to ensure that the safety systems were capable of carrying out their intended functions. In a few cases, limited operator actions, when appropriately justified, were approved.

Proposed changes that substitute manual action for automatic system actuation or modify existing operator actions, including operator response times, previously reviewed and approved during the original licensing review of the plant will, in all likelihood, raise the possibility of a USQ. Such changes must be evaluated under the criteria of 10 CFR 50.59 to determine whether a USQ is involved and whether NRC review and approval is required before implementation."

In response to IN 97-78, on January 29, 1998, FCS determined that the following actions would be taken:

1. SO-G-100 should be revised to provide more clear guidance or possibly remove the allowance for a dedicated operator.

2. A thorough search and review of other procedures containing the use of a dedicated operator be completed to ensure compliance with the intent of IN 97-78.

With respect to item 1, on November 20, 1998, the FCS review determined that:

"SO-G-100 currently contains very clear guidance on what is required when a dedicated operator is to be used. In particular, steps 5.1.1D 1-4 are very specific and require the dedicated operator to be able to carry out his/her duties immediately, if required. This requirement will address the issue identified by the NRC and ensure we are applying their guidance appropriately. No further action is required."

With respect to item 2, on November 20, 1998, the FCS review determined that:

"A search of operations procedures that allow the use of a dedicated operator was conducted. The application of a "dedicated operator" was appropriate and in keeping with the requirements of SO-G-100. Twenty procedures were affected, not all of which use a "dedicated operator" in the true sense of the word (e.g., the reactor startup procedure requires a "dedicated operator," but this is not the same as the "dedicated operator" discussed in this AR)." An AR is an Action Request, an FCS internal tracking document.

EVENT DESCRIPTION

In March of 2002, an NRC inspection team found that a full flow surveillance test on the AFW system (SE-ST-AFW-3006, "Auxiliary Feedwater Pump FW-10, Steam Isolation Valve, And Check Valve Tests") inappropriately took credit for manual operator action to isolate the full flow test line in the event that AFW flow was needed for an accident. Eliminating this credit rendered both trains of the safety related AFW system inoperable for the length of the test (about 4 hours). This test had been performed in this manner since the 1993 time frame. SE-ST-AFW-3006 is a quarterly test.

During the test the AFW system was lined up so that the output of FW-10 flowed through HCV-1384 to the emergency feedwater storage tank. To prevent flow from inadvertently being diverted to the main feedwater system, FW-170 was shut. OP-ST-AFW-3009, "Auxiliary Feedwater Pump FW-6, Recirculation Valve, And Check Valve Tests," performed the same test for FW-6 using a similar lineup. Design conditions for operation of the AFW pumps were simulated by throttling FW-1049 to maintain discharge header pressure at design operating pressure (about 1000 pounds per square inch gage (psig)). An operator was stationed at either FW-1049 or HCV-1384 during this evolution. The operator was to shut the designated valve (HCV-1384 or FW-1049) should a condition occur requiring AFW operation. (See Figure 1)

Following the identification of the inappropriate use of manual operator actions in place of automatic action, a comprehensive review of plant testing procedures was conducted to determine if any additional tests were being conducted that inappropriately used manual operator action to maintain equipment operable. The review determined that a second AFW test (IC-ST-AFW-0001, "Auto Initiation of Auxiliary Feedwater Functional Check of Initiation Circuits") used manual operator action in place of automatic action, and one other system was affected by this testing methodology.

IC-ST-AFW-0001 made the AFW system inoperable by overriding automatic initiation of the system while testing the AFAS circuitry. In this instance four override switches were placed in override to ensure that the safety related AFW pumps would not start and that the AFW SG isolation valves (HCV-1107A/B and HCV-1108A/B) would not open during the test.

The review also identified that surveillance tests OP-ST-ESF-0009, "Channel A Safety Injection, Containment Spray and Recirculation Actuation Signal Test," and OP-ST-ESF-0010, "Channel B Safety Injection, Containment Spray and Recirculation Actuation Signal Test," shut one of the ECCS minimum flow recirculation valves for a short period of time during the test. During this time, if an accident signal had started the ECCS pumps (HPSI and LPSI) without having plant pressure sufficiently low to allow injection, the pumps would have been running at shutoff head until the operator took action to restore the minimum flow path. The procedures did have appropriate steps to minimize the time that the pumps would be run in this condition.

NRC permission had not been obtained to allow the use of manual operator actions in place of automatic action for any of these procedures. On April 3, 2002, a review of the reportability of this event was completed. This is being reported pursuant to 10 CFR 50.73(a)(2)(vii).

SAFETY SIGNIFICANCE

The safety significance discussion of this issue will address the significance to each of the two systems involved. Surveillance tests such as these are not performed simultaneously and therefore the concurrent risk of failure of two systems at the same time need not be addressed.

AFW

The potential impact upon design basis transients/postulated accidents was evaluated. These accidents were grouped into two categories: Anticipated Operational Occurrences (AOOs) that cause loss of main feedwater, and postulated accidents consisting of main steam line/main feed line break initiating events. It was found that the AOOs caused the fastest Reactor Coolant System (RCS) pressurization to the Power-Operated Relief Valve (PORV) setpoint, and that the postulated accidents caused the fastest SG dryout (i.e., very quick for one steam generator and accelerated for the other).

Several options are available to prevent core damage due to one of the above design basis accidents. Operator action to restore Auxiliary Feedwater (AFW) before the initiation of core uncovery would prevent core damage. As an alternative, once-through-cooling could be started in accordance with the Emergency Operating Procedures. Although no credit is taken in the design bases, once-through-cooling uses safety grade components and would be successful in the event of a single failure.

AOO events, concurrent with loss of all feedwater, would result in initiation of core uncovery in approximately one hour. Design basis criteria would be met if once-through-cooling were started within 20 minutes of the initiating event as contained in the Emergency Operating Procedures (EOPs).

Main steam line break, concurrent with loss of all feedwater, would result in initiation of core uncovery in slightly greater than one hour. This includes boil-off time following SG dryout. Once-through-cooling would be successful if it were started within approximately 30 minutes of the initiating event. The available time for main feed line break would be shorter, since some of the feedwater inventory would be dumped out the break.

The net impact of the conservatism in the design basis analysis is such that the dose to the public as a result of delay of auxiliary feedwater concurrent with Design Basis Accident (DBA) would be considerably less than the bounding design basis regulatory dose limits. Crediting condenser partitioning and lower TS primary to secondary leakage alone would offset the delayed loss of crediting SG partitioning. Hence, the delay of auxiliary feedwater from the perspective of the radiological consequences of design basis events would not be of safety significance.

The risk significant events of concern involve a Main Steam Line/Main Feed Line Break or Loss of Main Feedwater initiating event simultaneous with the performance of SE-ST-AFW-3006. The likelihood of this simultaneous occurrence is very small. During this test, the success of the dedicated operator action to isolate the recirculation flow path would be very high, given that the task is simple and unambiguous. This action restores the availability of the electric driven AFW pump. The resulting increase in core damage probability is very small.

In conclusion, sufficient time would be available during the surveillance test for restoration of AFW to be highly probable. An assumption of 15 minutes as the earliest time for operator action would still be sufficient for restoration of AFW. Even if restoration of AFW were delayed, once-through-cooling would be expected to ensure that, when implemented within the prescribed time frame of the EOPs, design basis success criteria were met.

ECCS

SI-1A/B and SI-2A/B/C were simultaneously inoperable during testing per OP-ST-ESF-0009 and -0010 while HCV-385 or HCV-386 was closed. With HCV-385 or -386 closed, the pumps could have been operated at a shutoff-head condition, resulting in overheating and damage to the pumps.

An evaluation of the risk associated with performing OP-ST-ESF-0009 and OP-ST-ESF-0010 found the severe accident risk to be low. The actions of resetting the relays and opening the valve are simple. All indications and controls are grouped together in the same area that the test is being performed. During one simulation, the time from a HPSI pump starting until the time the recirculation isolation valve was open, was 15 seconds.

Therefore this issue had a negligible impact on the health and safety of the public.

CONCLUSION

Because the review of IN 97-78 was performed over four years ago, the individuals involved in the review cannot recall their entire thought processes. However, discussions with those personnel revealed that much of the reasoning for accepting the philosophy of SO-G-100 was that it had been in place for several years.

Certain surveillances were performed with dedicated operators to avoid entering shutdown TS Limiting Conditions for Operation (LCOs). Generic Letter 91-18 contained explicit guidance on entry into LCOs for surveillances. It also had a note that it was not the intent for surveillances to cause unnecessary plant shutdowns and that the surveillances should be redefined or receive prior NRC approval.

FCS response to redefining was to institute the dedicated operator program. With the tacit approval (as previously explained) of that philosophy in NRC Inspection Report 50-285/94-16, and absent subsequent questions, the use of dedicated operators was proceduralized to enable testing required by Technical Specifications.

Root Cause

Individuals who performed the review of IN 97-78 incorrectly concluded that the NRC had approved the SO-G-100 philosophy because of NRC Inspection Report 50-285/94-16. With that mindset, FCS rationalized that IN 97-78 requirements were being met by our control of dedicated operators. This resulted in a review that was less than adequate. A proper review should have recommended that each instance of the use of dedicated operators either be eliminated or approved by the NRC in writing via the 10 CFR 50.59 process.

CORRECTIVE ACTIONS

As a result of identifying the inappropriate crediting of manual operator actions in place of automatic action, procedure SO-G-100 was revised to clarify that the crediting of manual actions in place of automatic actions generally requires prior NRC approval and that a 10 CFR 50.59 review of the activity to credit manual actions must be completed prior to crediting manual actions in place of automatic actions.

This issue was reviewed with personnel qualified to perform 10 CFR 50.59 reviews to ensure they understand that crediting of manual actions in place of automatic actions generally requires prior NRC approval.

Other corrective actions related to this issue are being completed in accordance with the FCS corrective action program.

SAFETY SYSTEM FUNCTIONAL FAILURE

This event did not result in a safety system functional failure in accordance with NEI 99-02.

PREVIOUS SIMILAR EVENTS

[Figure 1: AFW system simplified drawing]

[Figure 2: ECCS simplified drawing]