05000346/LER-2003-014

| Docket Number | |
|---|---|
| Event date: | 10-17-2003 |
| Report date: | 12-16-2003 |
| Reporting criterion: | 10 CFR 50.73(a)(2)(i)(B), Prohibited by Technical Specifications; 10 CFR 50.73(a)(2)(v), Loss of Safety Function; 10 CFR 50.73(a)(2)(ii)(B), Unanalyzed Condition |
| 3462003004R00 - NRC Website | |

DESCRIPTION OF OCCURRENCE:
On October 15, 2003, with the plant in Mode 5, when Steam and Feedwater Rupture Control System (SFRCS) [JB] Actuation Channel 1 was re-energized following de-energization for maintenance, Logic Channel 1 unexpectedly re-energized in a blocked condition. This unexpected block was then entered into the Corrective Action Program (CR 2003-08887) for further investigation. On October 17, 2003, while performing the initial investigation, it was discovered that depending on the different operating configuration conditions, any of the four logic channels could be re-energized in a blocked condition. The SFRCS design requires that the SFRCS perform its functions in the event of a Loss Of Offsite-Power (LOOP). If an SFRCS actuation were to occur due to a steam line rupture followed by a LOOP, upon the restoration of power, Logic Channel 3 and 4 could re-energize with the low steam line pressure block initiated (Logic Channels 1 and 2 are battery backed and not expected to lose power and then re-energize during a LOOP). Subsequent investigation determined that the effects on plant operation are limited to a rupture on Once Through Steam Generator 2 (OTSG) [AB-HX] with Logic Channel 4 re-energizing in a blocked configuration.
Accordingly, this condition was reported to the Nuclear Regulatory Commission (NRC) per 10 CFR 50.72(b)(3)(ii)(B) on October 17, 2003, Notification Number 40256.
The SFRCS is a nuclear power plant protection system required to actuate Auxiliary Feedwater (AFW) [BA] to feed the OTSG to remove reactor decay heat during periods when normal feedwater supply has been lost and/or upon loss of power to the four reactor coolant pump (RCP) motors [AB-MO]. One AFW supply is normally aligned to each OTSG, and crossover piping may be used to direct feedwater from either source to either OTSG. The SFRCS is intended to isolate steam and main feedwater lines to mitigate overcooling events caused by steam depressurization.
The SFRCS consists of two independent redundant protection channels (Actuation Channels 1 and 2). Each protection channel consists of two electrically independent complementary logic channels (Logic Channels 1 through 4).
Actuation Channel 1 is comprised of Logic Channels 1 and 3 and Actuation Channel 2 is comprised of Logic Channels 2 and 4. Each of the four Logic Channels is powered by four separate essential sources [EF]. Two are from battery-backed inverters [EF-INVT] (Logic Channels 1 and 2) and the other two are Emergency Diesel Generator (EDG) [EK-DG] backed (Logic Channels 3 and 4).
In the case of LOOP, Logic Channels 1 and 2 will be transferred without interruption to the battery backed inverters, while Logic Channels 3 and 4 will be without power for approximately ten seconds until the EDGs are generating power. After the return of power, the SFRCS is expected to automatically reset to its normal mode of operation. The SFRCS system contains a Power-On-Reset (POR) circuit whose purpose is to restore the SFRCS to a "Normal" (Unblocked) state.
The trip output of each complementary logic channel is combined in each channel in a two-out-of-two logic (AND Gate), such that the SFRCS will initiate an Actuation Channel trip if both of the complementary logic channels trip. The SFRCS functions as a "de-energize to trip system," by de-energizing the SFRCS output relays in each of the logic channels upon a trip command. Similarly, the removal of power, or loss of power, or test of one complementary logic channel de-energizes the associated relays, without causing an SFRCS initiation (since two-out-of-two logic is not met).
The SFRCS provides a shutdown block feature to allow blocking the OTSG High Level and Low Pressure Trips during normal plant startups or shutdowns. No change in Steam or Main Feedwater valve positioning will occur with the 'blocking' of the SFRCS trip signal.
A design deficiency was discovered, in that if an SFRCS actuation were to occur due to a steam line rupture followed by a LOOP, there is the potential that upon restoration of power, Logic Channel 3 or 4 could re-energize with the low steam line pressure block initiated on the affected OTSG. (Only one Logic Channel could re-energize in the blocked condition at a time since Logic Channel 3 receives permission to block from OTSG 1 pressure and Logic Channel 4 receives permission to block from OTSG 2. Both OTSGs are not assumed to have line ruptures at the same time.) This condition could cause an inappropriate SFRCS response due to the SFRCS module re-energizing in the blocked state and the response of the SFRCS caused by the loss of all RCPs, resulting from the LOOP. There is a Power On Reset (POR) circuit which is intended to restore the SFRCS to a known state when it is re-energized. However, with the design deficiency there was the potential that each of the SFRCS Logic Channels could be re-energized in the block condition.
Following the Davis-Besse Nuclear Power Station (DBNPS) June 9, 1985, Loss of Feedwater Event (Reference DBNPS LER 85-013), the SFRCS was re-designed in accordance with a modification (87-1107) which included a complete replacement of the SFRCS cabinets. The condition identified above was introduced as part of the new design and implemented with the replacement of the SFRCS Cabinets.
As stated above, on October 17, 2003, SFRCS Actuation Channels 1 and 2 were declared inoperable and the NRC was conservatively notified within 8 hours in accordance with 10 CFR 50.72(b)(3)(ii)(B), an unanalyzed condition that significantly degrades plant safety.
After further evaluation it has been determined that the repowering of the subject SFRCS trips in the blocked condition mimics a condition described in the Updated Safety Analysis Report (USAR) that has been previously analyzed in the analysis of single failure criteria with a failure of EDG 2. However, because the SFRCS no longer meets its single failure criterion, this condition represents an unanalyzed condition (per the guidance of NUREG-1022, "Event Reporting Guidelines 10CFR 50.72 and 50.73"), and therefore, is being conservatively reported in accordance with 10 CFR 50.73(a)(2)(ii)(B).
Technical Specification 3.3.2.2, Steam and Feedwater Rupture Control System Instrumentation, requires the selected channels to be operable with their trip setpoints within the allowable values identified in the specification. These requirements are applicable while the plant is in Modes 1, 2 and 3. Due to this condition existing in the SFRCS since the cabinets were installed in accordance with Modification 87-1107, this condition represents an operation or condition prohibited by the Technical Specifications and is also reportable in accordance with 10 CFR 50.73(a)(2)(i)(B).
This condition has been reviewed and determined to not be reportable in accordance with 10 CFR 50.73(a)(2)(v) as an event or condition that could have prevented fulfillment of a safety function. The safety function of the SFRCS, stated above, is to actuate AFW to feed the OTSG to remove reactor decay heat during periods when normal feedwater supply has been lost and/or the loss of power to the four RCP motors. Because the AFW/OTSG System is designed to meet the single failure criteria, the second train will supply sufficient residual heat removal (using the guidance in NUREG-1022, "Event Reporting Guidelines 10 CFR 50.72 and 50.73," it is not necessary to assume an additional random single failure in that system). As later discussed in this LER, the scenario associated with Actuation Channel 2 has been evaluated and is in the DBNPS USAR (with the exception that the failure of EDG 2 provides the scenario instead of the SFRCS re-energizing in the blocked configuration). Flow to the affected OTSG by AFW was assumed to continue until terminated by operator action at 10 minutes after the break initiation.
APPARENT CAUSE OF OCCURRENCE:
The primary cause of the design deficiency was less than adequate original design consideration in that the designers failed to consider the timing issues associated with the SFRCS logic gates and complete re-energization of the SFRCS 28 VDC and 48 VDC power supplies and removal of the battery-backed power supplies. This lack of consideration resulted in a condition in which the power supply energization time allowed the logic gates to energize in different configurations.
This design became inadequate when the original design was changed from battery-backed auctioneered power supplies for the four individual logic channels to powering channels 3 and 4 from interruptible power sources backed by EDGs. Previously, the loss of power to a logic channel would have required multiple failures of safety-related components whereas currently the loss of power to channels 3 and 4 during LOOP is a design attribute. This design inadequacy was introduced with implementation of the modification to replace the SFRCS cabinets in 1988.
In addition to the primary cause, two contributing causes were identified: less than adequate post modification testing in design consideration, and work practices - inattention to detail.
A review of the modification (87-1107) to replace the SFRCS cabinets did not identify appropriate post modification testing for the re-energization issues initiated by the modification. However, it should be noted that due to the inconsistency with which the logic channels assume the blocked condition after re-energization, a post modification test may not have identified a problem with re-energization of the logic channels in a blocked condition.
The ultimate responsibility for ensuring that components are properly designed for their application lies with Engineering. However, during procedure development and performance, opportunities were presented in which Maintenance and Operations personnel could and should have questioned steps with procedures which allowed the logic channels to be re-energized in a "Blocked" or "Unblocked" configuration.
ANALYSIS OF OCCURRENCE:
The SFRCS is a protection system required to actuate AFW to the OTSGs to remove reactor decay heat during periods when normal feedwater supply has been lost and/or upon loss of power to the RCP motors. Crossover piping exists that may be used to direct feedwater from either AFW source to either OTSG. The SFRCS also functions to isolate steam and main feedwater lines to mitigate overcooling events caused by steam depressurization.
If an SFRCS actuation were to occur due to a Main Steam [SB] Line or Main Feedwater [SJ] Line rupture followed by a LOOP, the potential exists where upon the restoration of power, Logic Channels 3 or 4 could re-energize in a blocked configuration. However, after further investigation, the only design basis event affected is a rupture on OTSG 2 with Logic Channel 4 re-energizing in the blocked configuration. If this occurred, Auxiliary Feedwater Pump 2 would continue to feed the faulted OTSG. A similar condition does not occur on Actuation Channel 1 because the valves are DC powered and will continue to actuate after the LOOP occurs.
The failure can be assumed to occur on one Actuation Channel at a time. For Actuation Channel 1, even though it will respond to a low pressure on both OTSG 1 and OTSG 2, the permission to block capability is based on OTSG 1 pressure.
For Actuation Channel 2, the block permit is from OTSG 2 pressure. Therefore, a low pressure on OTSG 1 can only impact Actuation Channel 1. A low pressure on both OTSGs can occur if there is a break at the turbine, which will allow blowdown of both OTSGs. However, this is an isolable break and both steam generators will re-pressurize after Main Steam Isolation Valve [SB-ISV] closure. This will reset the block as pressure reaches the switch reset value.
The scenario associated with Actuation Channel 2 is evaluated in the DBNPS USAR with the exception that the failure of EDG 2 provides the scenario instead of the SFRCS re-energizing in the blocked configuration. In the USAR description, flow to the affected OTSG by AFW was assumed to continue until terminated by operator action at 10 minutes after the break initiation. The continued feeding was added to previous blowdown by maintaining steam flow out of the break at the maximum AFW flow rate for the 10 minute transient duration. This represented a depressurized steam generator but does not take credit for any subsequent Reactor Coolant System [AB] cooldown which would be caused by the continued feed flow.
The risk significance of this event can be estimated using the frequency of a steam line break inside containment, the probability of a loss of offsite power following a trip, and an estimate of the probability the operator fails to terminate feeding. Combining the initiating frequency and the probabilities, a frequency of approximately 5 E-9 per year is estimated for this event, which is a very small increase in core damage frequency. This frequency conservatively neglects the probability that the seal-in circuit could re-energize in the unblocked condition.
CORRECTIVE ACTIONS:
Following discovery of the condition with the SFRCS System, testing on the spare Logic Module was implemented, and logic gate changes during several simulated block and trip conditions were recorded. During the testing it was identified that the seal-in circuit associated with the block could re-energize in the blocked condition. Based on that testing, Corrective Action to fix the SFRCS logic to prevent the Actuation Channel from re-energizing in a blocked configuration was performed in accordance with the Engineering Change process.
The change simulates the block permit inputs not giving a block permissive until the Power On Reset has timed out, which allows the logic gates to stabilize in the unblocked condition. The change will also prevent the block from being initiated without operator action.
Following the modification, the four SFRCS logic channels were energized using the SFRCS Operating Procedure to verify that SFRCS logic channels did not assume the blocked condition upon restoration of power. The testing successfully demonstrated the re-energizing of each of the four channels in the unblocked condition with the block permissive inputs enabled.
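The effect of the corrective change can be seen in a small model, added here as an illustration and not taken from the LER or the plant's logic drawings. The latch equation, the `reset_wins` race flag and the tick counts are assumptions; the model enumerates every indeterminate power-up case for one logic channel's block seal-in and feeds the result into the two-out-of-two trip of Actuation Channel 2.

```python
from itertools import product

def settle(q0, reset_wins, permit, request, gated, por_ticks=3, total=8):
    """Step one logic channel's block seal-in latch through re-energization.

    q0         -- indeterminate latch state as the supplies come up
    reset_wins -- whether the POR clear beats the seal-in feedback (the race)
    gated      -- True models the corrective change: no block permissive
                  reaches the latch until the POR has timed out
    All names and tick counts are assumptions of this model.
    """
    q = q0
    for t in range(total):
        in_por = t < por_ticks
        permit_eff = permit and not (gated and in_por)
        if in_por and reset_wins:
            q = False
        else:
            # Seal-in: set only by operator request, holds while permitted.
            q = permit_eff and (request or q)
    return q

def powerup_outcomes(gated, permit=True, request=False):
    """Every final latch state reachable over the indeterminate power-up cases."""
    return {settle(q0, rw, permit, request, gated)
            for q0, rw in product([False, True], repeat=2)}

def actuation_trips(low_pressure, blocked_a, blocked_b):
    """Two-out-of-two: both complementary logic channels must trip."""
    def trips(blocked):
        return low_pressure and not blocked
    return trips(blocked_a) and trips(blocked_b)

def channel2_can_fail_to_trip(gated):
    """Actuation Channel 2 = Logic Channels 2 and 4. Channel 2 is battery
    backed and stays unblocked; Channel 4 re-energizes after the LOOP with
    OTSG 2 depressurized, so its block permit is present."""
    return any(not actuation_trips(True, False, ch4_blocked)
               for ch4_blocked in powerup_outcomes(gated))

if __name__ == "__main__":
    for gated in (False, True):
        print("gated" if gated else "original",
              sorted(powerup_outcomes(gated)), channel2_can_fail_to_trip(gated))
```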
Recent issues with regard to the plant modification program (which includes post maintenance testing), "engineering rigor" and "attention to detail", not just limited to engineering, have been discussed in several condition reports (including the root cause report written to address the significant degradation of the reactor pressure vessel head). Also recent emphasis and training with regard to "attention to detail", "engineering rigor" and "a questioning attitude" have been a focus of Davis-Besse Management. Overall Davis-Besse personnel have assumed ownership of these issues.
FAILURE DATA:
There have been no Licensee Event Reports submitted by Davis-Besse Nuclear Power Station in the last three years, reporting an event due to the SFRCS Logic Channels re-energizing in a "Blocked" condition. Searches conducted on the Corrective Action Program database and records management did not identify other previous similar events in the last three years for which corrective action could have been expected to prevent this occurrence.
Energy Industry Identification System (EIIS) codes are identified in the text as [XX].
NP-33-03-014-00; CRs 03-08917 and 03-08887