05000285/LER-2006-002

LER-2006-002, Inadequate Design Control Results in Potentially Insufficient Auxiliary Feedwater Flow
Event date: 07-07-2006
Report date: 04-30-2008
Reporting criterion: 10 CFR 50.73(a)(2)(v)(B), Loss of Safety Function - Remove Residual Heat
2852006002R01 - NRC Website

BACKGROUND

The Auxiliary Feedwater (AFW) system is provided for storage, pumping and delivery of makeup water to the steam generators in order to remove decay heat if the Main Feedwater (MFW) System is not available. The AFW system consists of one emergency feedwater storage tank; one motor-driven (FW-6) and one turbine-driven (FW-10) AFW pump; one non-safety-related, diesel-driven AFW pump (FW-54); one non-safety-related diesel fuel oil transfer pump and day tank; non-safety-related fuel oil piping and valves; remotely operated flow control valves; interconnecting piping to the MFW system and piping to the auxiliary feedwater nozzles in the steam generators. FW-6 and 10 are the safety related AFW pumps.

The minimum flow recirculation valve for FW-6 is FCV-1368. The minimum flow recirculation valve for FW-10 is FCV-1369.

FW-54 is the startup auxiliary feedwater pump. FW-54 takes a suction from the condensate storage tank and discharges to the normal feedwater header. FW-54 and its associated equipment are not safety related.

The AFW system provides a redundant means of supplying one or both Steam Generators (SGs) with feedwater. Operation of the safety related portion of the AFW system is automatically initiated on a low steam generator water level or manually initiated as follows:

  • Automatic start signals to the safety-related pumps (FW-6 and FW-10).
  • Manual initiation from the Control Room.
  • Manual initiation from alternate shutdown panel for FW-10 and the AFW injection valves.
  • Locally at each pump.

The system is designed to add feedwater to either or both steam generators under any condition, including the loss of all electrical power along with the loss of the MFW system and the loss of the main steam piping downstream of the main steam isolation valves. The AFW system fulfills both safety-related and non-safety-related functions. See Figure 1.

EVENT DESCRIPTION

From original construction until 1998, the Updated Final Safety Analysis Report (USAR) Section 9 (Auxiliary Systems) Part 4 (Auxiliary Feedwater System) was unclear about the function of the safety related AFW pump recirculation valves (FCV-1368/1369). The text had stated, "The system can be operated without the recirculation valves." It was unclear if this meant without recirculation available, i.e., with the recirculation valves closed, or if it meant without the recirculation valves available, i.e., failed open and unable to close on demand. The context of the USAR implied that the availability of the recirculation valves is irrelevant to the system performing its design function, so long as the fail position of the recirculation valves protects the pumps from damage. The valves (FCV-1368/1369) themselves have always been safety related from a pressure boundary and pump protection perspective; however, the ability of FCV-1368 to close on demand was not a recognized safety function.

Maximum SG pressure was given as 1000 psig in the original USAR, and the pump was considered to have ample discharge head to provide adequate accident mitigating flow regardless of flow diverted through the recirculation path. The valve and its actuating logic circuitry were designed to be normally open, with no instrument air or power to the solenoid or its associated flow transmitter loop required. The valve was designed to fail open upon loss of air or power from the time of original construction. Until 1989 no analyses had been conducted to conclude that the recirculation valves should be required to close following an AFAS. The air supply and associated actuation circuitry were appropriately classified as non-safety related.

Stone and Webster Company (SWEC) prepared calculation 17321.01-PM-5 (FCS calculation number FC05365) in April, 1989. This assumed both AFW recirculation valves (FCV-1368/1369) are open and 200 gpm AFW flow required with SG pressure equal to 1015 pounds per square inch absolute (psia). In December of 1989 calculation FC05361 replaced FC05465. It also assumed that FCV-1368 and FCV-1369 were failed open and 200 gallons per minute (gpm) was available as required at 1015 psia in the SG.

In March of 1990, MR-FC-85-128 was installed, which included an update to FIC-1368 (the controller for FCV-1368) and its associated power supply components. To maintain system reliability, these were procured to safety related quality standards, though the need for the recirculation valve control loop to remain operable post-accident had not yet been identified.

In 1992, safety related air accumulators and check valves were added to the air supplies to each AFW recirculation valve. This work was part of modification MR-FC-88-017, which installed FW-54. This modification increased the overall reliability of the AFW system. The modification repeated the conclusion of the calculation of record, FC05361. FC05361 concluded that the AFW pumps could still fulfill their safety function with their recirculation valves open. However, the margin of safety would be increased if the recirculation valves were available assuming a loss of instrument air. Therefore, accumulators and check valves were added to the recirculation valve air supply. This enhanced their reliability. The parts were installed as safety related components.

Condition Report (CR) 199700457 written in April, 1997 questioned the bases of calculation FC05361 regarding SG pressure and required AFW flow. The calculation did not account for the Main Steam Safety Valve (MSSV) three percent setpoint tolerance or the additional three percent MSSV back pressure accumulation which made the maximum SG pressure higher than accounted for by the calculation.

Calculation FC05361 revision 4 was issued in May, 1997. This revision to FC05361 corrected errors in the previous revision and concluded that FCV-1368 needed to be closed to supply sufficient flow to the SGs during certain AFW demand scenarios. Revision 4 used the corrected value of 1056 psia maximum SG pressure, versus 1015 psia used in the original calculation. At this time, the ability to close FCV-1368 was recognized as a safety-related function. In 1998 the USAR was changed to explicitly state that the recirculation valve for FW-6 had to be closed to provide design flow at design pressure. Design engineering mechanical personnel preparing and reviewing the calculation consulted with design engineering electrical personnel as to the safety classification of the components controlling the FCV-1368 closing function. This consultation was brief, informal, and not documented. No formal multidisciplinary review of the calculation was conducted to comprehensively evaluate the safety classification of the control circuitry. It was concluded that FCV-1368's closing function was safety related based on the safety related air accumulators and safety related power supply to the solenoid controlling the FCV-1368 air supply.

During equipment train reviews by the Equipment Reliability Optimization Project (EROP) in July, 2006, it was noted that flow transmitter FT-1368 was supplied from non-safety related Instrument Bus 1 (AI-42A). CR 200602855 was issued.

On July 7, 2006, at 1700 CDT FW-6 was declared inoperable. At 1856 CDT on July 7, 2006, an eight (8) hour notification was made to the NRC Headquarters Operation Office (HOO) per 10 CFR 50.72 (b)(3)(v)(B). This report is being made per 10 CFR 50.73(a)(2)(v)(B).

CONCLUSION

Revision 4 to calculation FC05361, issued in May 1997, concluded that the FCV-1368 closure function was safety-related. However, engineering department procedures and processes did not provide clear direction as to the appropriate process to employ when a change to a credited design function and/or safety classification was discovered.

Further, had clear procedural direction existed at the time of discovery it is possible that such a review by appropriate engineering disciplines would have identified that the original analysis in calculation FC05365 did not incorporate the appropriate maximum SG pressure then existing in the USAR.

Therefore, the lack of appropriate engineering processes is identified as the Root Cause of this condition.

CORRECTIVE ACTIONS

FW-6 was determined to be operable on July 8, 2006, following further engineering evaluation. A safety-related power supply was provided to FCV-1368 during the 2006 refueling outage.

Procedure PED QP-3, "Calculation, Review and Approval," was issued on March 4, 2008, to ensure that appropriate engineering processes are used when a design function/safety classification change is discovered.

Procedure changes to prevent recurrence of this type of event have been implemented.

SAFETY SIGNIFICANCE

While the failure of instrument bus number 1 during an auxiliary feedwater demand could result in inadequate performance of FW-6 for the purpose of decay heat removal, the likelihood of such failure is very small. Electrical components designated as safety related are qualified in accordance with IEEE (Institute of Electrical and Electronics Engineers) 344-1975 (Seismic Qualification of Class 1E Equipment) and IEEE 323-1983 (Standard for Qualifying 1E Equipment for Mild and Harsh Environment). Additional research for the non-safety related control loop components for FCV-1368 has indicated that there is documentation to demonstrate that the non-safety related control loop components for FCV-1368 were purchased as safety related devices. Further, review of seismic documentation for the control loop components identified seismic qualification reports or equivalent documentation for all of the control devices. All of these devices are seismically mounted and are located in a mild environment. It has been concluded that the control loop devices were purchased and mounted as safety related devices and will perform in an acceptable manner, without failure, in the event of an auxiliary feedwater demand scenario.

Non-safety related instrument bus AI-42A and associated components including inverter #1, bypass transformer EE-4S, associated power and control cables and distribution circuit breakers are all designated as non-safety related. However, they are expected to perform reliably in a manner consistent with safety related counterparts for the following reasons:

  1) All components are virtually identical to corresponding components in safety related instrument buses. Inverter #1 was designed and built to the same level of quality as the safety related inverters and is seismically mounted.
  2) Inverter #1 is located such that separation is maintained from instrument power of the opposite train.
  3) Non-safety related Instrument Bus #1 is mounted in a panel which is identical to safety related instrument bus panels.
  4) Cables for Instrument Bus #1 are identical in quality to those used for safety related bus applications.
  5) Inverters and breakers are maintained and tested to the same level of rigor as safety related devices.
  6) Non-safety related bus components have historically performed at a high level since their installation in the mid 1980s.
  7) The power source for Inverter #1 is DC Bus #1, a highly reliable source of power, backed up by a safety related battery, which also supplies the safety related inverters.

In addition, the non-safety related components discussed above are tested and maintained in a manner similar to that of safety related components of the same function.

These arguments support the conclusion that continued high reliability of the non-safety related instrument bus is expected. In addition, for the period of time that this condition continues to exist, the likelihood of failure of the instrument bus during an auxiliary feedwater demand scenario is not significantly different from the safety related instrument buses; therefore, this condition did not have an impact on the health and safety of the public.

SAFETY SYSTEM FUNCTIONAL FAILURE

This event does result in a safety system functional failure in accordance with Nuclear Energy Institute (NEI) 99-02, "Regulatory Assessment Performance Indicator Guideline".

PREVIOUS SIMILAR EVENTS

AUXILIARY FEEDWATER DIAGRAM

Figure 1: Auxiliary feedwater system diagram. Notes on the diagram:

  • Condensate fill: normally isolated because the addition of condensate to the EFWST will alter the chemistry of the AFW System.
  • Demin water fill: normally isolated because LCV-1189 won't maintain EFWST > 55,000 gallons.