05000341/LER-2018-006, Emergency Diesel Generator Load Sequencer Inhibits Automatic Start of Residual Heat Removal Pumps Under Certain Scenarios Due to Unrecognized Original Design Defect
| ML18348B118 | |
| Person / Time | |
|---|---|
| Site: | Fermi |
| Issue date: | 12/14/2018 |
| From: | Polson K DTE Energy |
| To: | Document Control Desk, Office of Nuclear Reactor Regulation |
| References | |
| NRC-18-0055 LER 2018-006-00 | |
| Event date: | |
|---|---|
| Report date: | |
| Reporting criterion: | 10 CFR 50.73(a)(2)(i)(B), Prohibited by Technical Specifications 10 CFR 50.73(a)(2)(ii)(B), Unanalyzed Condition 10 CFR 50.73(a)(2)(v)(B), Loss of Safety Function - Remove Residual Heat 10 CFR 50.73(a)(2)(vii), Common Cause Inoperability 10 CFR 50.73(a)(2)(ix)(A) 10 CFR 50.73(a)(2)(ii)(A), Seriously Degraded 10 CFR 50.73(a)(2)(viii)(A) 10 CFR 50.73(a)(2)(viii)(B) 10 CFR 50.73(a)(2)(iii) 10 CFR 50.73(a)(2)(iv)(A), System Actuation 10 CFR 50.73(a)(2)(x) 10 CFR 50.73(a)(2)(v)(A), Loss of Safety Function - Shutdown the Reactor 10 CFR 50.73(a)(2)(v), Loss of Safety Function 10 CFR 50.73(a)(2)(i)(A), Completion of TS Shutdown 10 CFR 50.73(a)(2)(i) |
Keith J. Polson
Senior Vice President and Chief Nuclear Officer
DTE Energy Company
6400 N. Dixie Highway, Newport, MI 48166
Tel: 734.586.6515 Fax: 734.586.1431
Email: keith.polson@dteenergy.com
10 CFR 50.73
December 14, 2018
NRC-18-0055
U. S. Nuclear Regulatory Commission
Attention: Document Control Desk
Washington, DC 20555-0001
Reference:
Fermi 2 NRC Docket No. 50-341 NRC License No. NPF-43
Subject:
Licensee Event Report (LER) No. 2018-006
Pursuant to 10 CFR 50.73(a)(2)(i)(B), 10 CFR 50.73(a)(2)(ii)(B), 10 CFR 50.73(a)(2)(v)(B), (C), (D), 10 CFR 50.73(a)(2)(vii) and 10 CFR 50.73(a)(2)(ix)(A), DTE Electric Company (DTE) is submitting LER No. 2018-006, Emergency Diesel Generator Load Sequencer Inhibits Automatic Start of Residual Heat Removal Pumps Under Certain Scenarios Due to Unrecognized Original Design Defect.
No new commitments are being made in this LER.
Should you have any questions or require additional information, please contact Mr. Scott A. Maglio, Manager - Nuclear Licensing, at (734) 586-5076.
Sincerely, Keith J. Polson Senior Vice President and CNO
Enclosure:
Licensee Event Report No. 2018-006, Emergency Diesel Generator Load Sequencer Inhibits Automatic Start of Residual Heat Removal Pumps Under Certain Scenarios Due to Unrecognized Original Design Defect
cc: NRC Project Manager; NRC Resident Office; Reactor Projects Chief, Branch 5, Region III; Regional Administrator, Region III; Michigan Public Service Commission, Regulated Energy Division (kindschl@michigan.gov)
Enclosure to NRC-18-0055 Fermi 2 NRC Docket No. 50-341 Operating License No. NPF-43 Licensee Event Report (LER) No. 2018-006 Emergency Diesel Generator Load Sequencer Inhibits Automatic Start of Residual Heat Removal Pumps Under Certain Scenarios Due to Unrecognized Original Design Defect
NRC FORM 366 (04-2018) U.S. NUCLEAR REGULATORY COMMISSION APPROVED BY OMB: NO. 3150-0104 EXPIRES: 03/31/2020
LICENSEE EVENT REPORT (LER)
(See Page 2 for required number of digits/characters for each block)
(See NUREG-1022, R.3 for instruction and guidance for completing this form http://www.nrc.gov/reading-rm/doc-collections/nuregs/staff/sr1022/r3/)
Estimated burden per response to comply with this mandatory collection request: 80 hours. Reported lessons learned are incorporated into the licensing process and fed back to industry. Send comments regarding burden estimate to the Information Services Branch (T-2 F43), U.S. Nuclear Regulatory Commission, Washington, DC 20555-0001, or by e-mail to Infocollects.Resource@nrc.gov, and to the Desk Officer, Office of Information and Regulatory Affairs, NEOB-10202, (3150-0104), Office of Management and Budget, Washington, DC 20503. If a means used to impose an information collection does not display a currently valid OMB control number, the NRC may not conduct or sponsor, and a person is not required to respond to, the information collection.
- 1. Facility Name: Fermi 2
- 2. Docket Number: 05000 341
- 3. Page: 1 OF 5
- 4. Title: Emergency Diesel Generator Load Sequencer Inhibits Automatic Start of Residual Heat Removal Pumps Under Certain Scenarios Due to Unrecognized Original Design Defect
- 5. Event Date (Month Day Year): 10 19 2018
- 6. LER Number (Year, Sequential Number, Rev No.): 2018 006 00
- 7. Report Date (Month Day Year): 12 14 2018
- 8. Other Facilities Involved (Facility Name, Docket Number): N/A
- 9. Operating Mode
- 10. Power Level: 000
- 11. This Report is Submitted Pursuant to the Requirements of 10 CFR §: (Check all that apply)
  - Checked: 50.73(a)(2)(i)(B), 50.73(a)(2)(ii)(B), 50.73(a)(2)(v)(B), 50.73(a)(2)(v)(C), 50.73(a)(2)(v)(D), 50.73(a)(2)(vii), 50.73(a)(2)(ix)(A)
  - Not checked: 20.2201(b), 20.2201(d), 20.2203(a)(1), 20.2203(a)(2)(i), 20.2203(a)(2)(ii), 20.2203(a)(2)(iii), 20.2203(a)(2)(iv), 20.2203(a)(2)(v), 20.2203(a)(2)(vi), 20.2203(a)(3)(i), 20.2203(a)(3)(ii), 20.2203(a)(4), 50.36(c)(1)(i)(A), 50.36(c)(1)(ii)(A), 50.36(c)(2), 50.46(a)(3)(ii), 50.73(a)(2)(i)(A), 50.73(a)(2)(i)(C), 50.73(a)(2)(ii)(A), 50.73(a)(2)(iii), 50.73(a)(2)(iv)(A), 50.73(a)(2)(v)(A), 50.73(a)(2)(viii)(A), 50.73(a)(2)(viii)(B), 50.73(a)(2)(x), 73.71(a)(4), 73.71(a)(5), 73.77(a)(1), 73.77(a)(2)(i), 73.77(a)(2)(ii)
  - Other (Specify in Abstract below or in

of the following: (1) high pressure coolant injection system (HPCI) ((BJ)), (2) automatic depressurization system (ADS) ((JE)), (3) CS, and (4) LPCI. The ECCS is designed to limit fuel cladding temperature over the complete spectrum of possible break sizes in the nuclear system process barrier, including a complete and sudden circumferential rupture of the largest pipe connected to the reactor vessel.
The safety-related function of the EDG System is to provide an onsite standby source of AC electrical power to shut down and maintain the reactor in a safe condition under all conditions, including LOCA coincident with LOP. An EDG must be capable of accepting required loads within the assumed loading sequence intervals and must continue to operate until offsite power can be restored. Proper sequencing of loads, including tripping of nonessential loads, is a required function for EDG operability.
The condition identified on 10/19/18 rendered LPCI incapable of meeting its functional requirement of automatic startup and operation when powered by the EDGs under certain non-simultaneous LOP/LOCA scenarios. Updated Final Safety Analysis Report (UFSAR) Section 6.3.1.4 requires ECCS to be automatically initiated in order to provide cooling to the reactor core under all accident conditions. Technical Specification (TS) Surveillance Requirement (SR) 3.8.1.17.c.2 validates that the EDGs auto-start and energize the auto-connected emergency loads through the load sequencer. Due to the degraded voltage relay load shed signal being present concurrently with the RHR pump start signal, the RHR pump trips, thus all four EDGs and both Divisions of RHR were incapable of performing their required functions for Modes 1, 2 and 3. At the time of discovery, Fermi 2 was in Mode 4, where automatic initiation of LPCI is not required. It was recognized that this condition was present in the past when Fermi 2 was in Modes 1, 2, or 3, where automatic initiation of LPCI was required. For this reason, a past operability review was performed for the last 3 years.
The past operability review concluded that under certain scenarios of a LOP/LOCA event sequence, such as a LOP followed shortly thereafter by a LOCA as in the case of the failed surveillances, the RHR pumps would have started, but then immediately tripped and LPCI would not have been automatically actuated. The UFSAR accident analysis in Chapters 6 and 15 explicitly analyzes a simultaneous LOP/LOCA, but the description of the electrical system in UFSAR Chapter 8 describes other possible event sequences. Therefore, the EDG degraded grid relaying scheme and RHR pumps would not have performed their intended design function under all UFSAR described scenarios during the past operability review period. The condition was determined to be applicable to all four EDGs and all four RHR pumps, thus the inoperability of all four EDGs and all four RHR pumps is reportable under 10CFR50.73(a)(2)(vii) as an event where a single cause or condition caused at least one independent train or channel to become inoperable in multiple systems or two independent trains or channels to become inoperable in a single system designed to mitigate the consequences of an accident. In addition, the condition was determined to be reportable under 10 CFR 50.73(a)(2)(ix)(A) as an event or condition that as a result of a single cause could have prevented the fulfillment of a safety function for two or more trains or channels in different systems.
Technical Specification (TS) 3.3.8.1 requires that the LOP instrumentation shall be operable for a degraded voltage situation with a LOCA while in Modes 1, 2 and 3. According to Limiting Condition for Operation (LCO) 3.3.8.1 Condition A, an inoperable channel shall be restored in 72 hours, and if this timing is not met, then the associated EDG shall be declared inoperable per Condition B. As determined in the past operability review, the EDG degraded grid relaying scheme for all 4 EDGs would not have allowed the RHR pumps to start in certain LOP/LOCA scenarios and thus were inoperable for longer than the times allowed by TS.
TS 3.8.1 requires two EDGs per division to be operable while in Modes 1, 2, and 3. According to LCO 3.5.1 Condition A, if one EDG is inoperable, then correct breaker alignment and indicated power availability for each offsite circuit shall be verified within an hour and every 8 hours thereafter. If this timing is not met, Condition G requires the unit to be in Mode 3 within 12 hours. As determined in the past operability review, the EDG degraded grid relaying scheme for all 4 EDGs would not have allowed the RHR pumps to start in certain LOP/LOCA scenarios and thus were inoperable for longer than the times allowed by TS.
TS 3.5.1 requires each of the ECCS injection/spray subsystems be Operable while in Modes 1, 2, and 3. According to LCO 3.5.1 Conditions C and K, if two or more low pressure ECCS injection/spray subsystems become inoperable, one ECCS system must be restored to Operable within 72 hours, or LCO 3.0.3 shall be immediately entered, requiring the unit to be in Mode 4 within 37 hours. As determined in the past operability review, two or more low pressure ECCS injection/spray subsystems were inoperable for longer than the times allowed.
The failure to complete the required LCO actions for TS 3.3.8.1, 3.8.1 and 3.5.1, as described above, within their completion time is reportable under 10CFR50.73(a)(2)(i)(B) as a condition which was prohibited by Technical Specifications.
The inoperability of all LPCI pumps and all EDGs during the past three years when Fermi 2 was in Modes 1, 2, or 3 as described above is also reportable under 10 CFR 50.73(a)(2)(v)(B), (C) and (D) as an event or condition that could have prevented the fulfillment of the safety function of structures or systems that are needed to remove residual heat, control the release of radioactive material, and mitigate the consequences of an accident, respectively. The losses of safety function discussed above were not reported as an 8-hour Event Notification under 10 CFR 50.72(b)(3)(v)(B), (C), or (D) since a LOCA is not a credible event in Mode 4, which was the plant status at the time of discovery, and therefore automatic initiation of LPCI is not required.
Based on the UFSAR, during a LPCI failure, the following are relied on to mitigate a LOCA: 4 ADS valves, 2 divisions of CS, and HPCI. For those times during the past three years where HPCI and both divisions of CS were operable (with 4 ADS valves available), Fermi 2 was within the accident analysis basis even with LPCI being unable to automatically start.
However, for those periods when either division of CS or HPCI was inoperable, Fermi 2 was in an unanalyzed condition.
Within the last 3 years, several instances were identified where Division 1 CS, Division 2 CS, or HPCI were unavailable.
Each of these instances represented an unanalyzed condition and is reportable under 10 CFR 50.73(a)(2)(ii)(B). Event Notification 53674 was previously made at 1000 EDT on October 19, 2018 for the corresponding requirement in 10 CFR 50.72 (b)(3)(ii)(B).
SIGNIFICANT SAFETY CONSEQUENCES AND IMPLICATIONS
Engineering evaluation determined that in only certain scenarios, listed below, would the EDG degraded voltage load shed relay scheme trip the RHR pumps, preventing automatic initiation of LPCI:
- LOCA followed by a LOP when the EDG is at rated speed and voltage

Also, the RHR pumps remained available and could have been manually started from the main control room by Operators during any of the scenarios where the RHR pumps did not automatically start. Manual start of RHR pumps is accomplished utilizing site procedures MOP01 and 23.205. The EDGs remained fully capable to supply all remaining LOP/LOCA loads throughout all LOP/LOCA scenarios.
Within the last 3 years, several instances were identified where Division 1 CS, Division 2 CS, or HPCI were unavailable.
The instances of multiple ECCS system outages were infrequent and, as stated above, RHR was still available for manual start, therefore any required actuation of the RHR pumps would have been available to mitigate an accident. A risk evaluation was performed to assess the on-line Probabilistic Risk Assessment (PRA) impacts of the degraded condition where automatic start of the RHR pumps would be inhibited. The result of this analysis was a change in Core Damage Frequency (CDF) of approximately 5E-07 per year, and a change in Large Early Release Frequency (LERF) of approximately 7E-08 per year. Changes in CDF below 1.0E-06 per year and changes in LERF below 1.0E-07 per year are considered to be of very low safety significance.
There were no radiological releases associated with this event.
CAUSE OF THE EVENT
The direct cause of the RHR pump trips during surveillance testing was that degraded grid relaying was not blocked during a simulated LOP/LOCA event and generated a load shed signal during load sequencer operation. The load shed signal caused a trip of the RHR pump breaker when attempting to automatically close after EDG output breaker closure, but did not impact other automatic sequenced loads. Further review identified the root cause as being that the original plant design contained an unrecognized latent design defect in the undervoltage protective relaying circuits for the ESF buses. In addition, a design modification performed in 2010 to add a degraded voltage/LOCA relay scheme did not identify the legacy design defect and in fact increased the plant's vulnerability to the original design defect by increasing the overlap between various time delay relays. For this reason, a contributing cause was identified: technical rigor was lacking, in that design engineers did not perform a comprehensive and objective review for unintended consequences of the modification under all applicable operating scenarios during performance of the 2010 modification.
There were no component failures during this event.
CORRECTIVE ACTIONS
A design modification to correct the undervoltage protective relaying circuit design defect was implemented on all four degraded voltage circuits between October 22 and October 24, 2018. Following implementation of the design modification, post-maintenance and LOP/LOCA surveillance testing on all EDGs verified that all RHR pumps successfully started automatically. Analysis included with the design modification also demonstrated that RHR pumps would successfully start automatically under all applicable scenarios. These actions were all completed prior to the end of the refueling outage.
Additional future actions include documentation of how the degraded voltage circuits operate during all operating sequences of LOP and LOCA described, or implied, in the UFSAR into Fermi 2 Base Configuration Design Documents (BCDD) and development of a case study of this event to include with training for all personnel who prepare design modifications.
PREVIOUS OCCURRENCES
No previous site occurrences of reportable conditions were identified where all four RHR pumps were unavailable to start automatically due to a problem with the EDG load sequencer.