05000346/LER-2011-004

LER-2011-004, Direct Current System Design Issues
Davis-Besse Nuclear Power Station
Event date: 07-26-2011
Report date: 03-06-2012
Reporting criterion: 10 CFR 50.73(a)(2)(i)(B), Prohibited by Technical Specifications

10 CFR 50.73(a)(2)(v), Loss of Safety Function

10 CFR 50.73(a)(2)(ii)(B), Unanalyzed Condition
Initial Reporting
ENS 47096 10 CFR 50.72(b)(3)(v)(A), Loss of Safety Function - Shutdown the Reactor, 10 CFR 50.72(b)(3)(v)(B), Loss of Safety Function - Remove Residual Heat, 10 CFR 50.72(b)(3)(v)(D), Loss of Safety Function - Mitigate the Consequences of an Accident, 10 CFR 50.72(b)(3)(ii)(B), Unanalyzed Condition
3462011004R01 - NRC Website

Energy Industry Identification System (EIIS) codes are identified in the text as [XX].

System Description:

The Davis-Besse Nuclear Power Station (DBNPS) Direct Current (DC) electrical power system [EJ] provides the Alternating Current (AC) emergency power system [EK] with control power. It also provides both motive and control power to selected safety related equipment and preferred AC vital bus power (via inverters). As required by 10 CFR 50, Appendix A, General Design Criteria 17, the DC electrical power system is designed to have sufficient independence and redundancy to perform its safety functions, assuming a single failure.

The 125/250 Volt DC (VDC) electrical power system [EJ] consists of two independent and redundant safety related Class 1E DC electrical power sources. Each consists of two 125 VDC batteries [EJ-BTRY], one battery charger [EJ-BYC] for each battery, and all associated control equipment and interconnecting cabling. The 250 VDC source is obtained by connecting the two 125 VDC batteries in series. Additionally, there is one spare battery charger per train, which provides backup service in the event that one of the two preferred battery chargers is out of service. During normal operation, the 125/250 VDC loads are powered from the battery chargers with the batteries floating on the system. On loss of normal power to the battery charger, the DC loads are automatically powered from the station battery. Two redundant 250/125 VDC motor control centers are provided, each of which supplies two 125 VDC essential distribution panels, one 250 VDC / 120 VAC nonessential inverter, two 250/125 VDC emergency lighting feeders, and various 250 VDC oil pump motors.

The station 120 Volt Alternating Current (VAC) electrical power system [EE] consists of four essential instrument distribution panels [EF-PL] each supplied from a 125 VDC/120 VAC inverter [EF-INVT] along with two non-essential uninterruptible instrument distribution panels each supplied from a 250 VDC/120 VAC inverter [EE-INVT] and two non-essential regulated instrument distribution panels [EE-PL] each supplied from a 480/120 VAC static voltage regulator [EE-RG]. The essential instrument distribution panels provide power to components and systems that are essential to plant safety, including the Reactor Protection System (RPS) [JC], the Safety Features Actuation System (SFAS) [JE], and the Anticipatory Reactor Trip System (ARTS). The non-essential 120 VAC instrumentation system provides power to loads necessary for plant operation, but not loads required for safe shutdown or accident mitigation.

Technical Specification(s):

Technical Specification (TS) Limiting Condition for Operation (LCO) 3.8.4 requires two DC electrical power sources be operable while the plant is operating in Modes 1, 2, 3, and 4. With one DC electrical power source inoperable for reasons other than an inoperable battery charger in Modes 1 to 4, TS LCO 3.8.4 Condition B requires the DC electrical power source be restored to Operable status in 2 hours. If this action and associated completion time cannot be met, then TS LCO 3.8.4 Condition C requires the plant be placed in Mode 3 in 6 hours and in Mode 5 in 36 hours. With two DC electrical power sources inoperable, TS LCO 3.0.3 requires action be initiated within 1 hour to place the unit in Mode 3 within 7 hours; in Mode 4 within 13 hours; and Mode 5 within 37 hours.

DESCRIPTION OF EVENT:

During a Component Design Basis Inspection, NRC inspectors raised concerns regarding the safety-related battery design basis. One aspect of this concern was that non-safety related DC loads, which are powered from the safety-related DC system, could become grounded and impose added loads on the DC buses from which they are powered. In particular, some non-safety related loads such as the reactor coolant pump back-up oil lift pumps [AB-P] and the emergency feed for containment lighting [FH] could be subjected to High Energy Line Break (HELB) and Loss of Coolant Accident (LOCA) environments.

A second aspect of this concern was that automatic transfer switches [EE-ASU] were installed to transfer their non-safety related loads between the two non-safety related inverters. These loads include the station annunciator [IB], the plant computer [ID], non-nuclear instrumentation [JG] and the integrated control system [JA]. Because the inverters are powered by the safety related station batteries, faults on the automatic transfer switches could be transferred from one DC power source to its redundant DC power source, potentially impacting the ability of both safety related battery divisions to perform their safety function. These two concerns were captured as NRC Unresolved Item (URI) 2007-007-05.

As part of the resolution to this URI, NRC Region III personnel requested information from the NRC Office of Nuclear Reactor Regulation (NRR) regarding the electrical separation design and licensing basis of the safety-related batteries. On July 26, 2011, the NRR staff completed their assessment of the issue and provided a copy of their evaluation to the DBNPS staff via the NRC Senior Resident Inspector. Based upon this evaluation from NRR to Region III, the following issues were identified:

1. The Updated Final Safety Analysis Report (UFSAR) states that non-safety related electrical equipment, whose failure under postulated environmental conditions could prevent satisfactory accomplishment of the specified safety-related electrical equipment required safety functions, or mislead an operator, is qualified as required. However, the Reactor Coolant Pump (RCP) backup oil lift pump motors and Containment Emergency Lighting Panel L49E1 are located inside containment and are not environmentally qualified. This could challenge the adequacy of electrical separation between the potentially grounded non-safety related equipment and the safety related batteries, and is inconsistent with the UFSAR.

2. Six automatic transfer switches are installed to automatically transfer non-safety related loads such as Non-Nuclear Instrumentation channels X and Y, the Station Annunciators, the Plant Computer, and the Integrated Control System between Uninterruptible Distribution Panels YAU and YBU.

These panels normally receive power from inverters YVA and YVB, which receive power from the safety related DC power system. If a ground fault existed on one of these loads, the fault could be transferred from one power source to the redundant source, potentially impacting the ability of both safety related DC power sources to perform their required functions. This type of transfer is not permitted by Safety Guide 6, which is referenced by the UFSAR.

Based on this information from the NRC, on July 26, 2011, with the plant operating in Mode 1 at approximately 100 percent power, the breakers for the four RCP backup oil lift pump motors and for the emergency power supply to the Containment Lighting Panel were opened, and one train of instrumentation power was placed on its alternate power source from the AC system, eliminating the potential to impact both trains of the DC power system.
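The following Python model is an added illustration, not part of the LER or the licensee's analysis. It applies a single-failure check to the instrument-power arrangement described in item 2: a load that an automatic transfer switch can connect to either panel YAU or YBU gives a ground fault on that load a path to both inverters and hence both safety-related DC trains, whereas the post-outage arrangement (alternate supply from a regulated AC instrument panel) confines a fault to one train. Panel, inverter and load names follow the report; the node names "DC Train 1/2", "480 VAC", "Regulated Panel", and which panel is each load's normal supply, are assumptions made here.

```python
from collections import defaultdict

# Non-safety loads the report names as fed through the automatic transfer switches.
ATS_LOADS = ["Station Annunciator", "Plant Computer", "NNI Channel X",
             "NNI Channel Y", "Integrated Control System"]


def build_before():
    """As-found arrangement: feeds[node] = set of sources able to supply node."""
    feeds = defaultdict(set)
    feeds["Inverter YVA"].add("DC Train 1")   # assumed train labels
    feeds["Inverter YVB"].add("DC Train 2")
    feeds["Panel YAU"].add("Inverter YVA")
    feeds["Panel YBU"].add("Inverter YVB")
    for load in ATS_LOADS:
        feeds[load] |= {"Panel YAU", "Panel YBU"}  # ATS may select either panel
    return feeds


def build_after():
    """Post-outage arrangement: the ATS alternate supply is a regulated
    instrument panel on the 480 VAC system rather than the other DC train."""
    feeds = build_before()
    feeds["Regulated Panel"].add("480 VAC")     # assumed AC-side node names
    for i, load in enumerate(ATS_LOADS):
        normal = "Panel YAU" if i % 2 == 0 else "Panel YBU"  # assumed split
        feeds[load] = {normal, "Regulated Panel"}
    return feeds


def upstream_of_fault(feeds, faulted):
    """Worst case: a ground on `faulted` is seen by every source that can feed
    it, and from there by everything further upstream."""
    seen, stack = set(), [faulted]
    while stack:
        node = stack.pop()
        for src in feeds.get(node, ()):
            if src not in seen:
                seen.add(src)
                stack.append(src)
    return seen


def dc_trains_hit(feeds, faulted):
    """Safety-related DC trains reachable from a single fault on `faulted`."""
    return {n for n in upstream_of_fault(feeds, faulted) if n.startswith("DC Train")}


def single_failure_violations(feeds):
    """Loads whose single ground fault could affect more than one DC train."""
    return sorted(load for load in ATS_LOADS if len(dc_trains_hit(feeds, load)) > 1)
```

Running `single_failure_violations` on the as-found graph flags every ATS-fed load; on the post-outage graph it flags none, which is the separation property the modification restores.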

CAUSE OF EVENT:

The plant's design basis is that non-safety related electrical equipment, whose failure under postulated environmental conditions could prevent satisfactory accomplishment of the specified safety-related electrical equipment required safety functions, is qualified as required. However, as stated previously, the RCP backup oil lift pump motors and an emergency supply to a Containment Lighting Panel are located inside containment and are not environmentally qualified. This condition has existed since the original design of the DBNPS DC System in the 1970s. The apparent cause for the inadequate design of the DC System with respect to electrical separation is a lack of analysis and/or documentation addressing multiple high impedance faults induced by harsh environments and their impact on safety-related components.

The automatic transfer switches were installed in the early 1980s in response to NRC Bulletin 79-27, "Loss of Non-Class-1-E Instrumentation and Control Power System Bus During Operation." The intent of Bulletin 79-27 was to ensure that the loss of power to any bus in the plant electric distribution system would not result in control system actions that would cause a plant upset or transient condition requiring operator action concurrent with the loss of control room information upon which these actions would be based. The apparent cause of this issue is also inadequate design analysis in that the requirements of Safety Guide 6 were not addressed during the modification process that installed these switches, and may have been overlooked altogether during the design reviews.

ANALYSIS OF EVENT:

The required mission time for the essential batteries is short for most analyzed events because the Emergency Diesel Generators are designed to start and provide AC power to the battery chargers within 10 seconds. Industry operating experience, research, and testing indicate that the potential for multiple high impedance faults on low voltage AC and DC circuits is not a credible failure mechanism.

Furthermore, if multiple faults were to occur, they would be limited in number, small in magnitude, and short in duration. The essential batteries have sufficient margin to accommodate the unaccounted load if multiple high impedance faults were to occur that are not cleared by protective devices. The battery chargers, which carry the DC and low voltage instrument AC loads once AC power is restored within the short mission time, also have significant margin to accommodate the unaccounted load.

An analysis was performed to determine the incremental conditional core damage probability due to the specified non-safety related loads in containment failing in a harsh environment in a way that would adversely affect all trains of the safety related DC system. This analysis also determined the incremental conditional core damage probability due to one or more automatic transfer switches failing in a manner that would also adversely affect all trains of the safety related DC system. The analysis concluded that the combined issues were of very low safety significance.

Reportability Discussion:

These issues with the design of the safety related DC System resulted in potential challenges to the electrical separation between non-safety related equipment and the safety-related batteries/DC System, and to the separation between the two trains of the DC System. Based on these potential challenges, the DC System may not have been able to meet the single failure criterion. Therefore, per the guidance of NUREG-1022, this condition represents an unanalyzed condition that significantly degraded plant safety, and is being reported per 10 CFR 50.73(a)(2)(ii)(B). Similarly, because this condition potentially affected both trains of the DC System, this condition is being reported per 10 CFR 50.73(a)(2)(v) as a condition that could have prevented the fulfillment of the safety function of a system needed to: (A) shut down the reactor and maintain it in a safe shutdown condition; (B) remove residual heat; (C) control the release of radioactive material; and (D) mitigate the consequences of an accident. Also, because the DC System did not meet the plant licensing basis for operability, and since the plant operated with the subject equipment in this condition, this issue represents operation of the plant in a condition prohibited by the Technical Specifications, and is being reported per 10 CFR 50.73(a)(2)(i)(B). Verbal reporting of these issues as required by 10 CFR 50.72(b)(3)(ii)(B) and 10 CFR 50.72(b)(3)(v)(A-D) was completed on July 26, 2011, via Event Number 47096.

CORRECTIVE ACTIONS:

On July 26, 2011, the breakers for the four RCP backup oil lift pump motors and for the emergency power supply to the Containment Lighting Panel were opened to eliminate the possibility of a fault occurring on this equipment because of a harsh environment inside Containment.

Also on July 26, 2011, one train of instrumentation power was placed on its alternate power source from the AC system, eliminating the potential to impact both trains of the DC power system.

On August 3, 2011, the alternate power supply to each of the six automatic transfer switches was isolated, and both trains of instrumentation power were placed on their normal power source from the DC system. This was done to improve the reliability and power quality for the loads by powering them all from the station inverters instead of powering some of the loads from their alternate power supply from the AC power system. It was determined the risk of an event that would result in a reactor trip was higher with one train of instrumentation power on its alternate power source than having the alternate power supply to the automatic transfer switches isolated.

Further modifications were implemented during the October to December 2011 plant mid-cycle outage, providing the alternate power supply from a regulated instrumentation distribution panel. These modifications restored compliance with NRC Bulletin 79-27 for the six loads powered by the automatic transfer switches while maintaining separation of the DC power system trains.

A failure analysis will be developed to ensure that multiple faults from a single harsh environment design basis event will not impact the safety-related DC System.

The cause of these issues was determined to be the result of latent errors. Initiatives have been taken since the time of these errors at the DBNPS to improve performance with regard to engineering rigor, standards and human performance. Therefore, no preventive type actions are needed.

PREVIOUS SIMILAR EVENTS

DBNPS Licensee Event Report 2010-003 documented the inoperability of an Auxiliary Feedwater discharge control solenoid valve due to a ground in the non-essential DC System. The ground of 0.38 milliamps, which induced a voltage greater than the design capacity of the position controller board for the valve, had no adverse impact on the DC System. Therefore, the corrective actions taken for this 2010 event could not have been expected to address the design issues with the DC System described above. There have been no other Licensee Event Reports submitted for the DBNPS in the past three years regarding the DC System.