05000334/LER-2007-001
| Beaver Valley Power Station | |
| Event date: | 07-13-2007 |
|---|---|
| Report date: | 09-11-2007 |
| Reporting criterion: | 10 CFR 50.73(a)(2)(vii)(D), Common Cause Inoperability 10 CFR 50.73(a)(2)(i)(B), Prohibited by Technical Specifications 10 CFR 50.73(a)(2)(v)(D), Loss of Safety Function - Mitigate the Consequences of an Accident 10 CFR 50.73(a)(2)(ii)(B), Unanalyzed Condition |
| 3342007001R00 - NRC Website | |
PLANT AND SYSTEM IDENTIFICATION
Westinghouse-Pressurized Water Reactor {PWR} Emergency Core Cooling System — Low Head Safety Injection System {BP}
CONDITIONS PRIOR TO OCCURRENCE
Unit 1: Mode 1 at 100 percent power.
There were no systems, structures, or components that were inoperable at the start of the event that contributed to the event.
DESCRIPTION OF EVENT
During a review on July 13, 2007 to develop a clearance boundary in preparation to perform a routine quarterly valve stroke surveillance procedure at Beaver Valley Power Station (BVPS) Unit No. 1, a licensed operator questioned whether stroking valve MOV-1S1-890B per the planned surveillance procedure in the Low Head Safety Injection (LHSI) System piping was appropriate with the plant in Mode 1. The planned surveillance was then delayed based on this question, and the issue was entered into the corrective action program for resolution.
BVPS Unit 1 Technical Specification Surveillance Requirement 3.5.2.1 requires that valve MOV-1SI-890B be verified closed with power to the valve operator control circuit removed every 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />. If MOV-1S1-890B were opened, then the discharge from both LHSI pumps would be aligned to simultaneously inject into the Reactor Coolant System (RCS) Hot Legs and the Cold Legs. [See simplified piping diagram on last page.] Subsequent review confirmed that simultaneously injecting through both the RCS Hot Legs and Cold Legs immediately following a design basis accident Loss of Coolant Accident (LOCA) was not analyzed. It also could not be confirmed that while in this abnormal arrangement (i.e., MOV-1S1-890B energized/open), all design basis accident safety analyses conclusions described in the BVPS Unit 1 Updated Final Safety Analysis Report (UFSAR) could be maintained valid if a LOCA were postulated to occur, resulting in an indeterminate safety analysis conclusion for operation in this abnormal configuration. This concern also applied to the other train for MOV-1SI-890A.
Prior to May 2006, MOV-1SI-890A & B were not credited to open in the BVPS Unit No. 1 LOCA safety analyses, and were valve stroke tested every 18 months during shutdown conditions. The applicable valve stroke surveillance that included MOV-1SI-890A & B had previously contained no special restriction since these two valves were only stroked during a refueling outage where Technical Specification 3.5.2 criteria was not applicable.
Following the extended power uprate implemented during the Spring 2006 refueling outage at BVPS Unit 1, MOV-1SI-890A & B were credited in safety analyses to open approximately 6.5 hours5.787037e-5 days <br />0.00139 hours <br />8.267196e-6 weeks <br />1.9025e-6 months <br /> after a LOCA, with LHSI flow going into the RCS Hot Legs. The periodicity for valve stroke surveillance testing of MOV-ISI-890A & B was changed from 18 months to quarterly in May, 2006 since these valves were now being credited for active post-accident operation and were being added to the ASME Inservice Testing (1ST) program. This IST surveillance procedure change in 2006 did not recognize all of the safety analysis nor the Technical Specification implications of stroking these two valves with the plant in Modes 1-4 (which was previously performed during plant shutdown).
Starting in May, 2006, MOV-ISI-890A & B had both been stroked quarterly with the plant in Mode 1 until July, 2007 (890A five times and 890B four times).
It is noted that BVPS implemented new Improved Standard Technical Specifications (ITS) on June 23, 2007. Although the current ITS Surveillance Requirement 3.5.2.1 criterion for having MOV-1SI-890A & B closed and de-energized is the same criterion as was also contained in the prior LHSI Technical Specification for many years, the recent implementation of ITS and the expanded ITS Bases was a factor in heightening Operations personnel awareness of Technical Specification considerations. This heightened awareness resulted in additional questioning on performing this apparent routine surveillance procedure.
REPORTABILITY
Since simultaneous LHSI injection into both the RCS Hot and Cold Legs immediately following a postulated design basis accident LOCA was not analyzed and current safety analyses conclusions could not be verified for this abnormal system arrangement, it was determined that safety analyses conclusions could not be maintained, and plant operation in this configuration was not acceptable. Thus, each quarterly surveillance that stroke tested either MOV-1SI-890A or B in Modes 1-4 was a potentially unanalyzed condition that significantly degraded plant safety when the valve was out of its normal de-energized/closed position. This condition is reportable pursuant to 10 CFR 50.73(a)(2)(ii)(B).
Although flow from both trains of LHSI would have been available during the prior subject surveillance testing, engineering analysis could not conclude that the available flow could meet safety analyses conclusions. Thus, the design LHSI safety function was not met when either MOV-1S1-890A or B was open/energized. This is a loss of a safety function of a system needed to mitigate the consequences of an accident pursuant to 10 CFR 50.73(a)(2)(v)(D). Similarly, this was also an event where a single cause or condition caused two independent trains to become inoperable in a single system designed to mitigate the consequences of an accident pursuant to 10 CFR 50.73(a)(2)(vii)(D).
Technical Specification 3.5.2 Action Condition A allows one or more Emergency Core Cooling Systems (ECCS) trains to be inoperable for up to 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> provided (per Action Condition C) that at least 100% of the ECCS flow equivalent to a single operable ECCS train remains available. Action C requires verification of 100% of ECCS flow equivalent to a single operable ECCS trains available. Since the value of ECCS flowrate necessary to perform this ECCS safety function in this unanalyzed configuration was indeterminate, the plant would have entered Technical Specification 3.5.2 Action C to enter LCO 3.0.3 immediately. However, each occurrence of the subject valve being out of its normal alignment never lasted more than 30 minutes. Per NUREG-1022, Rev. 2, entry into Technical Specification 3.0.3 is reportable per 10 CFR 50.73(a)(2)(i)(B) if the condition is not corrected within one hour. Thus, the time span where MOV-1SI-890A or B was not in its proper alignment during each quarterly surveillance test between May, 2006 and prior to July, 2007 was not a condition prohibited by plant Technical Specifications since each valve stroke performance took less than 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />, and is not reportable pursuant to 10 CFR 50.73(a)(2)(i)(B).
CAUSE OF EVENT
The root cause was process weakness of the procedure change, review, and approval process. This process should have triggered further investigation. The current process provides for any additional cross functional reviews deemed necessary by the writer or Independent Qualified Reviewer (IQR). The requirements for cross functional reviews are described in general but do not contain sufficient detail to trigger the necessary reviews.
A contributing cause was determined to be workmanship due to narrow focus. Technical Specification 3.5.2, Emergency Core Cooling Systems, was not reviewed for the procedure revisions that changed Surveillance Test 1OST-47.3F(K). This was a change in frequency of performance, Refueling frequency to Quarterly frequency, that was viewed as an IST change affecting Technical Specification 4.0.5 (ASME surveillance testing). This narrow focus failed to identify Technical Specification 3.5.2 was now applicable when the surveillance was changed to be performed in Modes 1-4. Therefore, the change process focused on the IST Program requirements and Updated Final Safety Analysis Report (UFSAR) and excluded Technical Specification 3.5.2, ECCS. The development and review of the procedure change were narrowly focused and did not identify all applicable Technical Specifications.
SAFETY IMPLICATIONS
A review of the past subject quarterly valve stroke tests showed that the time to energize, stroke test, and de-energize MOV-ISI-890A or B (returning the valve to its normal system arrangement of closed and de-energized) was approximately 15-20 minutes during each quarterly surveillance. Thus, the time that the plant was placed into a condition where safety analyses conclusions were indeterminate was less than one half hour each quarter per valve test.
The plant risk associated with BVPS Unit No. 1 performing the quarterly surveillance that stroke tested either MOV-1SI-890A or B between May 2006 and July 2007, thereby placing the unit in an unanalyzed condition, is considered very low as a result of the relatively short configuration duration of a total of 4.5 hours5.787037e-5 days <br />0.00139 hours <br />8.267196e-6 weeks <br />1.9025e-6 months <br /> for these surveillances (nine surveillances times approximately 0.5 hours5.787037e-5 days <br />0.00139 hours <br />8.267196e-6 weeks <br />1.9025e-6 months <br /> per surveillance). In addition, control room personnel were aware of the subject valve being stroked and would have promptly recognized the abnormal position of the tested valve during the subsequent performance of emergency operating procedures if a design basis accident had occurred. [It is noted that the MOV-1SI-890A/B design does not contain any automatic opening or closing capability.] Based upon the above, the safety significance of the events was very low.
CORRECTIVE ACTIONS
1. The subject valve stroke surveillance was revised and MOV-1S1-890B was subsequently properly valve stroke tested with the plant in Mode 1 on July 16, 2007. The procedure was revised to declare Train B of LHSI System inoperable and closed MOV-1SI-864B prior to energizing and opening MOV-1SI-890B. This ensures that the remaining train (A) of LHSI flow will inject only into the RCS Cold Legs immediately following a postulated design basis accident, as credited in the safety analyses. Similar changes were made to the surveillance procedures addressing the opposite train (which included MOV-1SI-890A) to address this issue.
2. Training will be developed for Licensed Operators personnel. The intent of this material is to review the condition described here and related conditions recognizing that transient configuration can affect both Technical Specification and design basis.
3. Training will be developed for Independent Qualified Reviewers (IQR) personnel on the lessons learned from this event, including causes and corrective actions.
3. Extent of condition reviews were conducted to evaluate if discrepancies have been made involving entry into Technical Specification Limiting Conditions for Operation (LC0s) when performing IST program changes, valve strokes or for changes moving surveillance from outage conditions to on-line testing. Identified issues were entered into the BVPS corrective action program for resolution.
4. The IQR procedure will be revised to provide detailed guidance to users of the procedure revision process to ensure necessary cross functional reviews occur by the potentially affected disciplines.
Completion of the above and other corrective actions are being tracked through the BVPS corrective action program.
PREVIOUS SIMILAR EVENTS
A review found two prior BVPS Unit 1 and one prior BVPS Unit 2 Licensee Event Reports within the last five years for an event involving inadequate procedure review process.
- BVPS Unit 1 LER 2005-001, "Protection System Channel Delta Temperature Time Constant Switch Found Out of Position." This LER event was a result of inadequate procedure preparation and review process regarding restoration.
- BVPS Unit 1 LER 2003-005, "Non-Conservative Reactor Coolant System Low Flow Reactor Trip Setpoint." This LER event was a result of inadequate process existed to verify RCS flow setpoints.
- BVPS Unit 2 LER 2002-003, "Calibration Discrepancies in Delta Temperature Tau Time Constant Values Used in the Reactor Protection System. The cause of this LER event was non-existent/inadequate process to translate, verify, and review that design requirements are correctly implemented in calibration procedures.
Simplified BVPS Unit 1 Low Head Safety Injection System Piping Arrangement (Normal System Arrangement Shown) RCS Hot Leg Injection MOV-890A * SI-P-1A MOV-864A RCS Cold Leg Injection MOV-864B V�MOV-890C ** RCS Hot Leg Injection MOV-890B * SI-P-1B * Valves 890A and 890B normally closed and de-energized, per Tech Spec SR 3.5.2.1.
- Valve 890C normally open and de-energized, per Tech Spec SR 3.5.2.1.