05000285/LER-2007-004

LER-2007-004, Inadvertent Isolation of All Containment Spray Due to an Inadequate Test Procedure
Event date: 04-12-2007
Report date: 06-11-2007
Reporting criterion: 10 CFR 50.73(a)(2)(v)(D), Loss of Safety Function - Mitigate the Consequences of an Accident

10 CFR 50.73(a)(2)(vii), Common Cause Inoperability
2852007004R00 - NRC Website

BACKGROUND

The containment spray (CS) system is designed to limit containment pressure increase and reduce leakage of airborne radioactivity from containment by providing a means for cooling the containment during design basis accidents (DBAs). This system reduces the leakage of airborne radioactivity by effectively removing radioactive particulates from the containment atmosphere following a loss-of-coolant accident (LOCA). Removal of radioactive particulates is accomplished by spraying water into the containment atmosphere. The particulates become attached to the water droplets which fall to the floor and are washed into the containment sump. Either train of CS is capable of fulfilling the system's design function.

Pressure reduction is accomplished by spraying cool, borated water into the containment atmosphere which provides a means for cooling the containment atmosphere. Heat removal is accomplished by recirculating and cooling the water through the shutdown heat exchangers. In addition, the containment air cooling and filtering system is also designed for containment heat removal. The CS system is a two header system. Each CS header is normally isolated by a CS header isolation valve, HCV-344 or HCV-345. Either CS header is fully capable of mitigating the consequences of the analyzed DBAs. The CS headers are supplied from two of the three CS pumps via a common header.

EVENT DESCRIPTION

On April 12, 2007, during preparations for performing OP-ST-ESF-0010, "Channel B Safety Injection, Containment Spray and Recirculation Actuation Signal Test," the operating crew identified a condition that would render both trains of the CS system inoperable during the performance of the surveillance test. The crew also identified that the same condition would exist during the performance of OP-ST-ESF-0009, "Channel A Safety Injection, Containment Spray and Recirculation Actuation Signal Test."

The control logic of the CS system was modified during the 2006 refueling outage, resulting in the CS header isolation valves being interlocked with the pump on the opposite train. The 'A' pump circuit breaker has to be closed and a containment spray actuation signal (CSAS) present for CS header isolation valve, HCV-345, to open, and the 'B' pump circuit breaker has to be closed and a CSAS present for CS header isolation valve, HCV-344, to open.

During the performance of the subject surveillance tests a CSAS is generated; therefore, the diesel generator (DG) associated with the train being tested needs to be taken out of the automatic mode to prevent inadvertent starting of the DG during the test. The CS header isolation valve being tested is placed in the closed override position. The logic was designed to prevent one CS pump from supplying both CS headers, resulting in a potential runout condition.

This logic and the design of the surveillance tests resulted in both trains of the CS system being inoperable for a period of time (about 2.5 hours) during the test. Therefore during the conduct of these tests the CS system would have failed to provide spray flow during a design basis accident (DBA) with coincident loss of offsite power until actions were taken by the operators to restore the system to operation. This event is reportable per 10 CFR 50.73(a)(2)(v)(D) and 10 CFR 50.73(a)(2)(vii).

The condition with HCV-344 was introduced by a plant modification installed in 1990 (MR-FC-90-053 "Containment Spray Header Valve HCV-344 Interlock") which was extended to HCV-345 by a second modification in 2006 (EC27582).

Figure 1 shows the configuration of the ESF logic as originally designed and installed. Figure 2 shows the ESF logic following the 1990 modification (MR-FC-90-053). Figure 3 shows the ESF logic following the 2006 modification.

Figure 1: Original Design (Containment Spray System Interlocks)

SI-3A: Power DG-1
SI-3B: Power DG-2
SI-3C: Power DG-2
HCV-344 to open: 86A/CSAS
HCV-345 to open: 86B/CSAS
Other labels in the figure: AC-4A, AC-4B

Figure 2: Post 1990 Modification (Containment Spray System Interlocks)

SI-3A: Power DG-1
SI-3B: Power DG-2
SI-3C: Power DG-2
HCV-344 to open: (86A/CSAS or 86B1/CSAS) and SI-3B & SI-3C circuit breakers
HCV-345 to open: 86B/CSAS or 86A1/CSAS

During OP-ST-ESF-0010:

1. HCV-345 is placed in OVERRIDE, which prevents opening on CSAS (step 7.1.10).

2. DG-2 control is placed in LOCAL, therefore SI-3B & 3C will not start if needed (step 7.1.14).

3. In this configuration HCV-344 will not open with a CSAS demand due to SI-3B & 3C being out of service.

This configuration applies to OP-ST-ESF-0010 only.

Figure 3: Post 2006 Modification (Containment Spray System Interlocks)

SI-3A: Power DG-1
SI-3B: Power DG-2
SI-3C: Power DG-2, removed from automatic actuation in EC 27582
HCV-344 to open: (86A/CSAS or 86B1/CSAS) and SI-3B circuit breaker closed
HCV-345 to open: (86B/CSAS or 86A1/CSAS) and SI-3A circuit breaker closed
Other labels in the figure: AC-4A, AC-4B

During OP-ST-ESF-0010:

1. HCV-345 is placed in OVERRIDE, which prevents opening on CSAS (step 7.1.10).

2. DG-2 control is placed in LOCAL, therefore SI-3B is not powered.

3. In this configuration HCV-344 will not open with a CSAS demand due to SI-3B being out of service.

The same applies for the opposite train tested in OP-ST-ESF-0009.

The 2006 modification removed the breaker contact for CS pump SI-3C from the CS header isolation valve HCV-344 control circuit and added the circuit breaker contact for CS pump SI-3A to the CS header isolation valve HCV-345 control circuit. This affected procedures OP-ST-ESF-0009 and OP-ST-ESF-0010 as follows:

During the performance of procedure OP-ST-ESF-0009, the diesel generator, DG-1, control is placed in LOCAL, therefore SI-3A would not start if a DBA were to occur coincident with a loss of off-site power. The HCV-344 control switch is then placed in override, maintaining the valve closed and eliminating its ability to open during an accident when a CSAS is received. Since SI-3B is the only CS pump that is operable during the performance of the test, HCV-345 will not open since SI-3A will not start. Therefore, both valves will remain closed even if SI-3B has been started.

Before the 2006 modification this condition was not present because HCV-345 would have opened on CSAS, since the SI-3A interlock was not in the valve control circuit.

During the performance of procedure OP-ST-ESF-0010, the diesel generator, DG-2, control is placed in LOCAL, therefore SI-3B will not start if a DBA were to occur coincident with a loss of off-site power. The HCV-345 control switch is then placed in override, maintaining the valve closed and eliminating its ability to open during an accident when a CSAS is received. Since SI-3A is the only CS pump that is operable during the performance of the test, HCV-344 will not open since SI-3B will not start. Therefore, both valves will remain closed even if SI-3A has been started.

This condition has existed since modification MR-FC-90-053 was installed in 1990.
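The interaction between the three interlock designs and the two test lineups described above can be checked mechanically. The following Python model is an added example, not part of the LER or the licensee's analysis; its function and table names are hypothetical, it assumes a pump breaker closes on demand only if offsite power is available or the pump's diesel generator is in automatic, and it treats the post-1990 HCV-344 interlock as satisfied by either the SI-3B or the SI-3C breaker.

```python
# Added example: boolean model of the CS header valve interlocks in Figures 1-3.
PUMP_DG = {"SI-3A": "DG-1", "SI-3B": "DG-2", "SI-3C": "DG-2"}

# Pump breakers that permit each valve to open; an empty tuple means no pump interlock.
# Assumption: where two breakers are listed, either one closed satisfies the interlock.
DESIGNS = {
    "original":  {"HCV-344": (), "HCV-345": ()},
    "post-1990": {"HCV-344": ("SI-3B", "SI-3C"), "HCV-345": ()},
    "post-2006": {"HCV-344": ("SI-3B",), "HCV-345": ("SI-3A",)},
}

# Test lineups from the event description: one DG in LOCAL, one valve in closed override.
LINEUPS = {
    "OP-ST-ESF-0009": {"dg_local": "DG-1", "override": "HCV-344"},
    "OP-ST-ESF-0010": {"dg_local": "DG-2", "override": "HCV-345"},
}

def breaker_closed(pump, lineup, offsite_power):
    """A pump breaker closes if offsite power is available or its DG is in automatic."""
    return offsite_power or PUMP_DG[pump] != lineup["dg_local"]

def valves_open(design, test, offsite_power=False, csas=True):
    """Return the set of header isolation valves that open on a CSAS demand."""
    lineup = LINEUPS[test]
    opened = set()
    for valve, interlock in DESIGNS[design].items():
        if not csas or valve == lineup["override"]:
            continue  # closed override blocks opening on CSAS
        if not interlock or any(breaker_closed(p, lineup, offsite_power) for p in interlock):
            opened.add(valve)
    return opened

def spray_lost(design, test, offsite_power=False):
    """True when no header valve opens, i.e. both CS headers stay isolated."""
    return not valves_open(design, test, offsite_power)

def audit():
    """Every (design, test) pair that isolates all spray under loss of offsite power."""
    return sorted((d, t) for d in DESIGNS for t in LINEUPS if spray_lost(d, t))

if __name__ == "__main__":
    for design, test in audit():
        print(f"{design:10s} {test}: both CS header valves stay closed")
```

The audit reproduces the report's timeline: OP-ST-ESF-0010 has isolated both headers since the 1990 modification, and OP-ST-ESF-0009 only since the 2006 modification added the SI-3A breaker contact to HCV-345.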

CONCLUSION / ROOT CAUSE

An interaction table created in the modification package (MR-FC-90-053) specifically to address operability of components during surveillance test lineups was based on the assumption that availability of off-site power is sufficient to ensure pump operability during testing and that the DGs do not have to be operable. Therefore, the root cause for this event was an oversight error in evaluating the operability of components during performance of surveillance tests for modification MR-FC-90-053. Although the proper techniques were used to identify the components that would be operable during testing, an incorrect assumption for operability was used.

A contributing cause for this event was time pressure on the original modification (MR-FC-90-053), with the plant unable to return to power operation without completion of this modification. The procedures affected by this modification were not included with the modification. This prevented review by the station modification acceptance and review team which bypassed a potential barrier to catch this problem. When the affected procedures were listed in the acceptance for operability for the modification, OP-ST-ESF-0010 was not identified as an affected procedure, which bypassed a potential for the onsite plant review committee to catch this procedural problem in a review.

A contributing cause for this error was system complexity and uniqueness. The cross train component of the design of the pump runout protection system creates the complicating factors of bus assignment for the surveillance test, when one train is taken out of service for testing. This alignment is unique in the safeguards system and presents difficulties for both operations and design in addressing testing lineups and changes to the system.

A contributing cause was reliance on adequacy of existing design. EC27582 was duplicating an existing interlock from MR-FC-90-053. Because of this, it appears that less scrutiny (questioning of design) than normal was applied during the design phase of the modification.

CORRECTIVE ACTIONS

As immediate corrective action, OP-ST-ESF-0009 and 0010 were revised to eliminate the problem.

In addition, the following corrective actions will be taken:

1. Revise appropriate design procedures to specifically prompt design engineers of configuration changes affecting complex systems, or systems with more than one train, (e.g. engineered safeguards system) to consider the system response to a DBA occurring during surveillance testing and ensure the system remains operable. This will be completed by August 31, 2007.

2. Identify other safeguards systems that may have cross-train interlocks and review surveillance tests on the CS and the systems identified to verify that the minimum requirements for operability are maintained during surveillance testing. This will be completed by September 30, 2007.

Other actions related to this issue will be controlled by the station's corrective action system.

SAFETY SIGNIFICANCE

The CS system would not have been capable of automatically responding to a CSAS only if a DBA occurred concurrent with either a loss of offsite power or failure of the containment spray pump breaker to close during the surveillance testing. Plant operators, in accordance with their training, would have terminated surveillance testing and entered the standard post-trip actions Emergency Operating Procedure, EOP-00, and manually returned the closed valve and the emergency diesel generator to normal mode which would have enabled CS flow. Potentially adverse consequences would be minimized by the EOPs and associated operator training in place. The containment heat removal capability of the containment air recirculation and cooling system, which is an independent safeguards system available for a loss of coolant accident (LOCA), further reduces the safety significance of the temporarily disabled spray flow condition.

The surveillance tests are performed at a quarterly frequency. The CS system was unavailable for about 2.5 hours during the performance of each test. The likelihood of an accident with either a loss of offsite power or failure of the containment spray pump breaker to close during the surveillance test is very low. Therefore, the effect to the public would have been minimal.

SAFETY SYSTEM FUNCTIONAL FAILURE

This event does result in a safety system functional failure in accordance with NEI-99-02.

PREVIOUS SIMILAR EVENTS

There have not been any events in the last three years resulting from inadequate design affecting system operability during surveillance testing.