On April 27, 2005, a previously unidentified error associated with an Appendix R fire scenario involving multiple high impedance faults (MHIF), in the 306' elevation of the Control Building, was identified. An engineering evaluation has determined that the operations procedure for recovery of vital power for instrumentation and control, following a postulated fire/MHIF scenario in this area, would not be successful. The original evaluation of this fire/MHIF concern (in the 1987 timeframe) considered this event to be very improbable and incorrectly assumed that the recovery of vital power following a bus trip would be successful. The historical procedure incorrectly assumed that DC power (which is assumed lost in the fire) was not required to restart the necessary electrical recovery equipment.
The root cause is determined to be insufficient technical rigor applied in the technical analysis of the MHIF strategy and in the older procedure review process. The corrective action to address the root cause is addressed by IR 213719, which included establishing Exelon technical human factors procedure, HU-AA-1212.
This condition was determined to meet the following reporting criterion: the nuclear power plant being in an unanalyzed condition that significantly degraded plant safety (10 CFR 50.73 (a)(2)(ii)(B)).
- DOCKET LER NUMBER (6 PAGE (3)
|
EVENT DESCRIPTION
Plant Conditions before the event:
Babcock & Wilcox — Pressurized Water Reactor — 2568 MWth Core Power Date/Time: April 27, 2005/approximately 1300 hours0.015 days <br />0.361 hours <br />0.00215 weeks <br />4.9465e-4 months <br /> Power Level: 100% steady state power prior to and during the event Mode: Power Operations On April 27, 2005, a previously unidentified error associated with an Appendix R fire scenario involving multiple high impedance faults (MHIF), in the 306' elevation of the Control Building, was identified. An engineering evaluation has determined that the operations procedure for recovery of vital power for instrumentation and control, following a postulated fire/MHIF scenario in this area, would not be successful. The original evaluation of this fire/MHIF concern (in the 1987 timeframe) considered this event to be very improbable and incorrectly assumed that the recovery of vital power following a bus trip would be successful. The historical procedure incorrectly assumed that DC power (which is assumed lost in the fire) was not required to restart the necessary electrical recovery equipment.
Safe shutdown analysis of fire in the 306' elevation of the Control Building (CB-FA-1) assumes all A train Engineered Safeguards (ES) power (AC, DC, and 125 Volt Vital AC) is lost, since these power supplies have unprotected cables in this fire zone. This area contains both Train A and Train B ES power for control and indication. Train B power must be protected from the effects of a fire in this area to the extent that safe shutdown components depend on B Train electrical power. The cables for the DC and AC to Inverters IEK/INVTI B and D (both in Train B) go through this area. The AC cables to Inverters B and D are protected from fire, but the DC cables are not protected from fire.
A fire in CB-FA-1 could cause loss of indication and control needed to maintain the plant in a safe shutdown condition. The AC source to the Inverters could be lost by trip of 1B ES Motor Control Center (MCC) IEK/MCC] due to Multiple High Impedance Faults (MHIF) on unprotected cables fed from 1B ES MCC.
The safe shutdown analysis didn't identify that a loss of all four vital buses could -occur until B and D vital buses are recovered. The loss of control and indication was not addressed in the 1987 timeframe. There is no documentation acknowledging the condition.
In addition, procedure 1104-45P, "Fire Mitigation (Supplement to 1202-31[Fire])," actions for recovering the vital instrument buses were found deficient. The procedure directed the operator to re-energize 1B ES MCC with the inverters connected to the MCC. Restarting the inverters on the AC source may blow fuses or damage the inverters.
This potential loss of safe shutdown functions was reported to the NRC on 5/3/05. The report was made under 10 CFR 50.72(b)(3)(ii)(B) as an unanalyzed, condition which could cause loss of safe shutdown functions from the control room and the remote shutdown panel.
1104-45P instructs shutting down the reactor, loading B Train ES buses on the Diesel Generator IEK/DG] then opening the breakers of unprotected DC circuits to protect the B battery, which include the B and D inverter feeds. The inverters continue to operate on AC unless AC is lost. If 1B ES MCC is lost due to MHIF, the Inverters B and D trip and control and indication are lost in the Control Room and at the Remote Shutdown Panel.
Interruption in the 480 VAC feed to the Inverters must be assumed since 1B ES Motor Control Center could trip due to Multiple High Impedance Faults (MHIF). The inverters would trip because the switches providing DC feed to the inverters have been opened. Trip of 1B ES MCC would cause loss of 1B and 1D inverters. 1A and 1C Inverters are not available because A Train power is not protected. Loss of all four inverters would leave the The procedure that opens the DC feed to Inverter 1B and 1D was implemented on December 23, 1988. The procedure was implemented instead of a modification to protect the DC Cables in CB-FA-1.
CAUSE OF EVENT
The decision to implement a procedure solution to resolve the Appendix R MHIF trip of the 1B ES MCC feeder breaker and DC fault concerns for a fire in area CB-FA-1 was flawed because it did not address the consequences of the loss of Control Room and Remote Shutdown indication and controls resulting from the MHIF trip of 1B ES MCC feeder breaker.
Root Cause:
Insufficient technical rigor applied in the technical analysis of the MHIF strategy and in the procedure review process.
ANALYSIS / SAFETY SIGNIFICANCE
The consequence of the deficiency, if the event were to occur, is that the procedures previously in effect were not adequate for reaching safe shutdown. Required instrumentation and control would be lost due to 1B ES MCC trip.
Overall plant risk is low due to the low probability of a MHIF event, and due to the existence of fire detection and sprinkler systems, and low fire loading in the affected area. The risk has been addressed by the addition of a fire watch that reduces the probability of damage due to fire and the interim procedure that takes post-fire preemptive action to isolate unprotected circuits.
The assessment of low overall risk of MHIF events is consistent with the risk informed approach in NRC Regulatory Issue Summary (RIS) 2004-03. In RIS 2004-03, the NRC states "Multiple high-impedance faults are considered of very low likelihood.
Although overall risk is low, the requirement to address MHIF remains in effect and the corrective actions are directed to achieving compliance.
CORRECTIVE ACTIONS
Immediate and Short Term Actions:
1.Established 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> roving fire watch 2. Implemented an interim change to procedure 1104-45P, IC 18035, that takes post-fire preemptive action to isolate unprotected circuits.
Long Term Corrective Actions:
1. The corrective action to prevent recurrence has been addressed previously within our corrective action process via IR 213719. The Exelon technical human factors procedure, HU-AA-1212, has been established.
2. Install a modification to provide continuous power to vital bus B and D during an Appendix R fire scenario in area CB-FA-1.
3. Re-evaluate MHIF events in all fire zones for similar problems and resolve by a combination of procedure changes, design changes, and/or design analysis.
PREVIOUS OCCURENCES
There were no previous events reported at TMI related to the plant being in an unanalyzed condition related to Appendix R fire protection issues.
ADDITIONAL INFORMATION
A preliminary review was conducted of those fire mitigation procedures, which describe the action to recover a bus that has failed due to a MHIF event. This preliminary review did not identify any additional MHIF problems. A more comprehensive evaluation, described in the "Long Term Corrective Actions" above, is in progress.
- Energy Industry Identification System (EIIS), System Identification (SI) and Component Function Identification (CFI) Codes are included in brackets, [Sl/CFI] where applicable, as required by 10 CFR 50.73 (b)(2)(ii)(F).
|
|---|
|
|
| | | Reporting criterion |
|---|
| 05000328/LER-2005-001 | Unit 2 Reactor Trip Following Closure of Main Feedwater Upon Inadvertent Opening of Control Breakers | 10 CFR 50.73(a)(2)(iv)(A), System Actuation
10 CFR 50.73(a)(2)(v), Loss of Safety Function | | 05000388/LER-2005-001 | DDegradation of Primary Coolant Pressure Boundary due to Recirculation Pump Discharge Valve Bonnet Vent Connection Weld Flaw | 10 CFR 50.73(a)(2)(ii)(A), Seriously Degraded | | 05000423/LER-2005-001 | | 10 CFR 50.73(a)(2)(v)(D), Loss of Safety Function - Mitigate the Consequences of an Accident
10 CFR 50.73(a)(2)(i)(B), Prohibited by Technical Specifications | | 05000455/LER-2005-001 | Unit 2 Automatic Reactor Trip Due to Low Steam Generator Level resulting from a Software Fault on the Turbine Control Power Runback Feature | | | 05000370/LER-2005-001 | Automatic Actuation of Motor Driven Auxiliary Feedwater Pumps During Outage | | | 05000244/LER-2005-001 | Failure of ADFCS Power Supplies Results in Plant Trip | | | 05000247/LER-2005-001 | 0Technical Specification Prohibited Condition Due to Exceeding the Allowed Completion Time for One Inoperable Train of ECCS Caused by an Inoperable Auxiliary Component Cooling Water Check Valve | 10 CFR 50.73(a)(2)(i)(B), Prohibited by Technical Specifications | | 05000529/LER-2005-001 | REACTOR HEAD VENT AXIAL INDICATIONS CAUSED BY DEGRADED ALLOY 600 COMPONENT | 10 CFR 50.73(a)(2)(v), Loss of Safety Function
10 CFR 50.73(a)(2)(ii)(A), Seriously Degraded | | 05000336/LER-2005-001 | | | | 05000266/LER-2005-001 | | 10 CFR 50.73(a)(2)(ii)(B), Unanalyzed Condition | | 05000269/LER-2005-001 | | 10 CFR 50.73(a)(2)(i)(B), Prohibited by Technical Specifications | | 05000289/LER-2005-001 | | | | 05000293/LER-2005-001 | | 10 CFR 50.73(a)(2)(v)(D), Loss of Safety Function - Mitigate the Consequences of an Accident | | 05000298/LER-2005-001 | Reactor Scram due to Reactor Level Transient and Inadvertent Rendering of High Pressure Coolant Injection Inoperable | 10 CFR 50.73(a)(2)(iv)(A), System Actuation
10 CFR 50.73(a)(2)(v)(D), Loss of Safety Function - Mitigate the Consequences of an Accident | | 05000331/LER-2005-001 | | 10 CFR 50.73(a)(2)(ii)(B), Unanalyzed Condition | | 05000315/LER-2005-001 | Reactor Trip Following Intermediate Range High Flux Signal | | | 05000316/LER-2005-001 | Reactor Trip from RCP Bus Undervoltage Signal Complicated by Diesel Generator Output Breaker Failure | 10 CFR 50.73(a)(2)(iv)(A), System Actuation
10 CFR 50.73(a)(2)(v)(A), Loss of Safety Function - Shutdown the Reactor
10 CFR 50.73(a)(2)(i)(B), Prohibited by Technical Specifications | | 05000317/LER-2005-001 | Main Feedwater Isolation Valve Inoperability Due to Handswitch Wiring | 10 CFR 50.73(a)(2)(i)(B), Prohibited by Technical Specifications | | 05000323/LER-2005-001 | TS 3.4.10 Not Met During Pressurizer Safety Valve Surveillance Testing Due to Random Lift Spread | 10 CFR 50.73(a)(2)(i)(B), Prohibited by Technical Specifications | | 05000333/LER-2005-001 | Inoperable Offsite Circuit In Excess of Technical Specifications Allowed Out of Service Time | 10 CFR 50.73(a)(2)(i)(B), Prohibited by Technical Specifications | | 05000352/LER-2005-001 | Loss Of Licensed Material In The Form Of A Radiation Detector Calibration Source | | | 05000353/LER-2005-001 | Core Alterations Performed With Source Range Monitor Alarm Horn Inoperable | 10 CFR 50.73(a)(2)(i)(B), Prohibited by Technical Specifications | | 05000306/LER-2005-001 | | 10 CFR 50.73(a)(2)(v)(C), Loss of Safety Function - Release of Radioactive Material
10 CFR 50.73(a)(2)(i)(B), Prohibited by Technical Specifications | | 05000361/LER-2005-001 | | 10 CFR 50.73(a)(2)(iv)(A), System Actuation | | 05000362/LER-2005-001 | Emergency Diesel Generator (EDG) 3G003 Declared Inoperable Due to Loose Wiring Connection on Emergency Supply Fan | | | 05000263/LER-2005-001 | | | | 05000456/LER-2005-001 | Potential Technical Specification (TS) 3.9.4 Violation Due to Imprecise Original TS and TS Bases Wording | | | 05000454/LER-2005-001 | Failed Technical Specification Ventilation Surveillance Requirements During Surveillance Requirement 3.0.3 Delay Period | | | 05000282/LER-2005-001 | | 10 CFR 50.73(a)(2)(ii)(B), Unanalyzed Condition
10 CFR 50.73(a)(2)(v), Loss of Safety Function | | 05000286/LER-2005-001 | Plant in a Condition Prohibited by Technical Specifications due to Error Making Control Room Ventilation System Inoperable | 10 CFR 50.73(a)(2)(i)(B), Prohibited by Technical Specifications | | 05000400/LER-2005-001 | Reactor Auxiliary Building Emergency Exhaust System Single Failure Vulnerability | | | 05000395/LER-2005-001 | Emergency Diesel Generator Start and Load Due To A Loss Of Vital Bus | 10 CFR 50.73(a)(2)(iv)(A), System Actuation | | 05000382/LER-2005-001 | RCS Pressure Boundary Leakage Due to Primary Water Stress Corrosion Cracking of a Pressurizer Heater Sleeve | 10 CFR 50.73(a)(2)(ii)(A), Seriously Degraded | | 05000305/LER-2005-001 | | 10 CFR 50.73(a)(2)(i)(B), Prohibited by Technical Specifications | | 05000369/LER-2005-001 | Reactor Coolant System Leakage Detection Instrumentation Inoperable | 10 CFR 50.73(a)(2)(i)(B), Prohibited by Technical Specifications | | 05000266/LER-2005-002 | | 10 CFR 50.73(a)(2)(ii)(B), Unanalyzed Condition | | 05000255/LER-2005-002 | | 10 CFR 50.73(a)(2)(v)(D), Loss of Safety Function - Mitigate the Consequences of an Accident
10 CFR 50.73(a)(2)(i)(B), Prohibited by Technical Specifications | | 05000361/LER-2005-002 | Missing Taper Pins on CCW Valve Cause Technical Specification Required Shutdown | 10 CFR 50.73(a)(2)(i)(A), Completion of TS Shutdown | | 05000370/LER-2005-002 | Ice Condenser Lower Inlet Door Failed Surveillance Testing | | | 05000353/LER-2005-002 | High Pressure Coolant Injection System Inoperable due to a Degraded Control Power Fuse Clip | 10 CFR 50.73(a)(2)(v)(D), Loss of Safety Function - Mitigate the Consequences of an Accident | | 05000263/LER-2005-002 | | | | 05000454/LER-2005-002 | One of Two Trains of Hydrogen Recombiners Inoperable Longer Than Allowed by Technical Specifications Due to Inadequate Procedure | | | 05000244/LER-2005-002 | Emergency Diesel Generator Start Resulting From Loss of Off-Site Power Circuit 751 | | | 05000362/LER-2005-002 | Emergency Containment Cooling Inoperable for Longer than Allowed by Technical Specifications | 10 CFR 50.73(a)(2)(v)(D), Loss of Safety Function - Mitigate the Consequences of an Accident
10 CFR 50.73(a)(2)(i)(B), Prohibited by Technical Specifications | | 05000247/LER-2005-002 | DTechnical Specification Prohibited Condition Due to Exceeding the Allowed Completion Time for One Inoperable Train of ECCS Caused by Gas Intrusion from a Leaking Check Valve | 10 CFR 50.73(a)(2)(i)(B), Prohibited by Technical Specifications | | 05000306/LER-2005-002 | | 10 CFR 50.73(a)(2)(v)(C), Loss of Safety Function - Release of Radioactive Material
10 CFR 50.73(a)(2)(i)(B), Prohibited by Technical Specifications
10 CFR 50.73(a)(2)(i)(A), Completion of TS Shutdown | | 05000265/LER-2005-002 | Main Steam Relief Valve Actuator Degradation Due to Failure to Correct Vibration Levels Exceeding Equipment Design Capacities | 10 CFR 50.73(a)(2)(v)(D), Loss of Safety Function - Mitigate the Consequences of an Accident
10 CFR 50.73(a)(2)(vii), Common Cause Inoperability
10 CFR 50.73(a)(2)(i)(B), Prohibited by Technical Specifications
10 CFR 50.73(a)(2)(i)(A), Completion of TS Shutdown | | 05000286/LER-2005-002 |
•
Entergy Nuclear Northeast
Indian Point Energy Center
450 Broadway, GSB
P.O. Box 249Entergy Buchanan. NY 10511-0249
Tel 914 734 6700
Fred Dacimo
Site Vice President
Administration
July 5, 2005
Indian Point Unit No. 3
Docket Nos. 50-286
N L-05-078
Document Control Desk
U.S. Nuclear Regulatory Commission
Mail Stop O-P1-17
Washington, DC 20555-0001
Subject:L Licensee Event Report # 2005-002-00, "Automatic Reactor Trip Due to 32 Steam
Generator Steam Flow/Feedwater Flow Mismatch Caused by Low Feedwater
Flow Due to Inadvertent Condensate Polisher Post Filter Bypass Valve Closure."
Dear Sir:
The attached Licensee Event Report (LER) 2005-002-00 is the follow-up written report
submitted in accordance with 10 CFR 50.73. This event is of the type defined in 10 CFR
50.73(a)(2)(iv)(A) for an event recorded in the Entergy corrective action process as Condition
Report CR-IP3-2005-02478.
There are no commitments contained in this letter. Should you or your staff have any questions
regarding this matter, please contact Mr. Patric W. Conroy, Manager, Licensing, Indian Point
Energy Center at (914) 734-6668.
Sincerely,
4F-/t
R. Dacimo
Vice President
Indian Point Energy Center
Docket No. 50-286
NL-05-078
Page 2 of 2
Attachment: LER-2005-002-00
CC:
Mr. Samuel J. Collins
Regional Administrator — Region I
U.S. Nuclear Regulatory Commission
U.S. Nuclear Regulatory Commission
Resident Inspector's Office
Resident Inspector Indian Point Unit 3
Mr. Paul Eddy
State of New York Public Service Commission
INPO Record Center
NRC FORM 3660 U.S. NUCLEAR REGULATORY COMMISSION APPROVED BY OMB NO. 3150-0104 EXPIRES: 06/30/2007
(6-2004)
Estimated burden per response to comply with this mandatory collection
request 50 hours.RReported lessons teamed are incorporated into the
licensing process and fed back to Industry. Send comments regarding burden
estimate to the Records and FOIA/Privacy Service Branch (T-5 F52), U.S.
Nuclear Regulatory Commission, Washington, DC 29555-0001, or by InternetLICENSEE EVENT REPORT (LER) e-mail to Infocoilectsenrc.gov, and to the Desk Officer, Office of Information
and Regulatory Affairs, NEOB-l0202, (3150-0104), Office of Management and
Budget, Washington, DC 20503. If a means used to impose an information
collection does not display a currently valid OMB control number, the NRC
may not conduct or sponsor, and a person Is not required to respond to, the
Information collection.
1. FACIUTY NAME 2. DOCKET NUMBER 3. PAGE
INDIAN POINT 3 05000-286 10OF06
4. TITLE Automatic Reactor Trip Due to 32 Steam Generator Steam Flow/Feedwater Flow Mismatch Caused
by Low Feedwater Flow Due to Inadvertent Condensate Polisher Post Filter Bypass Valve Closure | 10 CFR 50.73(a)(2)(iv)(A), System Actuation | | 05000287/LER-2005-002 | Unit 3 trip with ES actuation due to CRD Modification Deficiencies | 10 CFR 50.73(a)(2)(iv)(A), System Actuation | | 05000336/LER-2005-002 | | 10 CFR 50.73(a)(2)(i)(B), Prohibited by Technical Specifications |
|