05000382/LER-2013-003
| Waterford 3 Steam Electric Station | |
| Event date: | 11-16-2012 |
|---|---|
| Report date: | 7-22-2013 |
| Reporting criterion: | 10 CFR 50.73(a)(2)(vii), Common Cause Inoperability 10 CFR 50.73(a)(2)(ii)(b) 10 CFR 50.73(a)(2)(v)(D), Loss of Safety Function - Mitigate the Consequences of an Accident 10 CFR 50.73(a)(2)(ix) 10 CFR 50.73(a)(2)(i)(B), Prohibited by Technical Specifications 10 CFR 50.73(a)(2)(v)(B), Loss of Safety Function - Remove Residual Heat 10 CFR 50.73(a)(2)(i)(C), 50.54(x) TS Deviation 10 CFR 50.73(a)(2)(v), Loss of Safety Function |
| 3822013003R00 - NRC Website | |
BACKGROUND — SYSTEM DESIGN Emergency Feedwater (EFW) System [BA, Auxiliary/Emergency Feedwater System (PWR)] The EFW System provides a sufficient supply of cooling water to the Steam Generators [AB, Reactor Coolant System] for the removal of decay heat from the reactor during emergency situations when the Main Feedwater System [SJ, Feedwater System] is not available. The system can also be used during emergency situations to cooldown the Reactor Coolant System (RCS) [AB, Reactor Coolant System (PWR)] to the temperature and pressure required for Shutdown Cooling System (SDC) [BP, Residual Heat Removal/Low Pressure Safety Injection System (PWR)] operation.
The EFW system supplies this demand via three EFW pumps through two supply paths. Both supply paths are supplied with redundant flow control valves and isolation valves, all of which fail open on loss of air. There are backup accumulators that provide a ten-hour nitrogen supply. For certain postulated events, these valves are required to change position for many hours after the safety related nitrogen accumulator is exhausted. Therefore, manual hand wheel operation of these valves may be necessary after a loss of Instrument Air and exhaustion of the 10 hour1.157407e-4 days <br />0.00278 hours <br />1.653439e-5 weeks <br />3.805e-6 months <br /> backup nitrogen supply. The control and isolation valves are arranged such that, in the event of a single failure, water can be controlled to either one or both Steam Generators by operable valves. This includes prevention of overfilling the Steam Generators when the valves fail.
Component Cooling Water System [CC, Closed Component Cooling Water System] The Component Cooling Water (CCW) Cross-Connect valves, CC-114A(B), CC-115A(B), CC-126A(B), and CC-127A(B), isolate to split the CCW trains in the event of a design basis accident. The actuators are supplied by the IA system with a nitrogen gas backup accumulator. These valve actuators fail open on a loss of air and nitrogen; however, the CCW trains may need to be split for the entire accident mission time. If AB CCW pump was being used in place of A or B pump, the valves necessary for AB pump to supply water to its respective train would remain open. This system is an integral part of the Ultimate Heat Sink (UHS) [BS, Ultimate Heat Sink System].
Essential Chillers [KM, Chilled Water System] The Essential Chillers are supplied with cooling water via the CCW system or the Auxiliary Component Cooling Water (ACCW) system [CC, Closed Component Cooling Water System]. The chiller coolant select valves CC-301 A(B), CC-322A(B), ACC-112A(B), and ACC-139A(B) are the supply and return valves which allow either CCW or ACCW to supply cooling water to the Essential Chillers. The valve actuators fail as-is on a loss of air and nitrogen; however, these valves are required to change position several days post-accident to prevent exhausting Wet Cooling Tower basin inventory, which would cause the associated train of the UHS to become inoperable.
The chiller coolant select valves have interlocking limit switches so that the ACCW and CCW cannot supply water at the same time. Additional features are installed to prevent voiding and/or air intrusion.
This is accomplished by (1) an interlock which prevents the operation of the ACCW Chiller Supply and Return Valves without the ACCW pump running, (2) larger tubing on the return valve to ensure it closes prior to the supply valve closure, and (3) an open limit switch which will prevent the ACCW Chiller return valve from opening prior to the opening of the ACCW Chiller supply valve.
Ultimate Heat Sink (UHS) The major, interdependent systems of the UHS are the Auxiliary Component Cooling Water (ACCW) and Component Cooling Water (CCW) systems. The ACCW system is divided into two separate trains, each serving one of the redundant CCW trains. ACCW is pumped by the ACCW pumps through the shell side of the CCW heat exchangers to the Wet Cooling Towers (WCT). The ACCW pumps take suction from the basin of their respective WCT to complete the path to the CCW heat exchanger.
During a Large Break Loss of Coolant Accident (LBLOCA), the volume of water in one WCT basin is sufficient to provide UHS operation for essential loads without makeup based on meeting operability requirements for influencing components and systems. Issues affecting CCW, ACCW, and WCT basin inventory may affect the operability of the UHS based on the circumstances.
INITIAL CONDITIONS
At the time of discovery on November 16, 2012, Waterford 3 was performing refueling outage RF-18 and had defueled the reactor. There were no Technical Specification Limiting Conditions of Operation specific to this condition in effect. There were no components or systems inoperable at the time of discovery that contributed to this event.
EVENT DESCRIPTION
On November 16, 2012 at 03:29 CST, it was identified that the M4 manual override on Auxiliary Component Cooling Water (ACCW) air operated valve ACC-112B did not function. This was discovered while troubleshooting problems with the stroke time of its air operator following actuator rebuild. The M4 manual override is a compact hydraulic control system designed for use with the double acting actuator on ACC-112B. The system uses a bi-directional rotary pump operated by a hand crank (hereafter considered a handwheel) to reposition the valve manually. The malfunction of the M4 manual override was entered into the site corrective action program in Condition Report CR-WF3-2012- 6703. The condition report also identified that periodic testing had not been established on the local manual handwheel function on several safety related Air Operated Valves (A0Vs) that are required to operate after their associated safety related air supply accumulator is exhausted.
UFSAR Table 9.2-4, Failure Modes and Effects Analysis for the CCWS and ACCWS Post LOCA states that loss of instrument air has no effect because the active valves are provided with accumulators and/or springs to ensure proper alignment of the system. Engineering calculations assume leakage depletes the accumulators after a 10 hour1.157407e-4 days <br />0.00278 hours <br />1.653439e-5 weeks <br />3.805e-6 months <br /> mission time and indicate that there are air operated valves with mission times longer than the accumulator capacity. Additionally, the Safety Related Air Operated Valves Design Basis Document states that manual handwheel positioning or refilling nitrogen or air accumulators is required after 10 hours1.157407e-4 days <br />0.00278 hours <br />1.653439e-5 weeks <br />3.805e-6 months <br />.
For most of the valves, the license basis documents have not been updated to reflect an accumulator mission time and there was an inadequate review of the substitution of manual operator action outside the control room for automatic action by the AOV. Operating the systems in this manner had not been previously reviewed by the NRC.
Procedure OP-901-511(Instrument Air Malfunction) provides general instructions for recharging the accumulators that is not explicitly intended to be implemented post-accident.
Site testing determined that three of the AOVs would not operate using the manual handwheel because they were mechanically bound. The AOV manual handwheel for EFW-229A was inoperable in Train A.
The AOV manual handwheel for EFW-223B was inoperable in Train B. Since there was one inoperable AOV manual handwheel in each train's flow path from the Turbine Driven Emergency Feedwater Pumps to the Steam Generators, both EFW trains were inoperable.
The M4 manual override was found not functioning on Auxiliary Component Cooling Water (ACCW) air operated valve ACC-112B, which made the Train B Ultimate Heat Sink (UHS) inoperable. The Train A of the UHS had been electively taken out of service as recently as October 10, 2012. It is reasonable to conclude that both trains of the UHS were inoperable during that period.
As noted earlier under system design, the Essential Chillers coolant select valves are required to change position several days post-accident to prevent exhausting Wet Cooling Tower basin inventory.
The valves are high above the floor and it is uncertain that the Essential Chiller coolant select valves could actually be manipulated in the proper sequence and timing using the M4 manual overrides.
Therefore, the viability of the M4 manual override function of the chiller coolant select valves is uncertain. To compensate, a backup air supply system was added to ensure the remote control function will be available when required post-accident.
Since testing of the EFW and ACC valve handwheels had not been previously performed, it cannot be determined how long the condition existed; however, it is reasonable to conclude that the condition existed during recent operating modes where both trains of EFW and UHS were required to be OPERABLE.
Corrective actions were completed to restore operability of the manual handwheels and overrides on the EFW and UHS systems during the on-going refueling outage RF-18, which ended on January 18, 2013 at 05:47. These actions were performed over a period of time and were completed prior to entering operating modes where the systems were required.
REPORTABLE OCCURRENCE
The following information provides the reporting criteria associated with this LER and includes an explanation for the reporting applicability.
10 CFR 50.73(a)(2)(i)(B), Operation or Condition Prohibited by Technical Specifications.
Technical Specification (TS) 3.7.1.2 requires three emergency feedwater (EFW) pumps and two flow paths shall be OPERABLE.
APPLICABILITY: MODES 1, 2, and 3.
ACTION
d. With the EFW system inoperable for reasons other than those described in ACTION (a), (b), or (c), and able to deliver at least 100% flow to either steam generator, restore the EFW system to OPERABLE status within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> or be in at least HOT STANDBY within the next 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and in HOT SHUTDOWN within the following 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />.
TS 3.7.4 requires two Independent trains of ultimate heat sink (UHS) cooling towers shall be OPERABLE with each train consisting of a dry cooling tower (DCT) and a wet mechanical draft cooling tower (WCT) and its associated water basin with:
a. A minimum water level in each wet tower basin of 97% (-9.86 feet MSL).
b. An average basin water temperature of less than or equal to 89°F.
c. Fans as required by Table 3.7-3.
APPLICABILITY: MODES 1, 2, 3, and 4.
ACTION:
a. With 1 UHS train inoperable, restore the inoperable train to OPERABLE status within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> or be in HOT STANDBY within the next 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and in COLD SHUTDOWN within the following 30 hours3.472222e-4 days <br />0.00833 hours <br />4.960317e-5 weeks <br />1.1415e-5 months <br />.
b. With both UHS trains inoperable, restore at least one UHS train to OPERABLE status within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> or be in at least HOT STANDBY within the next 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and COLD SHUTDOWN within the following 30 hours3.472222e-4 days <br />0.00833 hours <br />4.960317e-5 weeks <br />1.1415e-5 months <br />.
With the EFW and UHS systems inoperable in excess of their Allowed Outage Times (AOT) and failing to take the stipulated ACTION statements, a condition prohibited by Technical Specifications existed.
When tested, two of the EFW valves' (EFW-223B and EFW-229A) manual handwheels were not capable of performing their specified safety function until lubricated because they were mechanically bound. The M4 manual overrides on the Essential Chiller swap valves have not been tested to evaluate their operational readiness and are considered inoperable prior to discovery. Since testing of the EFW and ACCW valve handwheels had not been previously performed, it cannot be determined how long the condition existed; however, it is reasonable to conclude that the condition existed during recent operating modes where both trains of EFW and UHS were required to be OPERABLE.
Also reportable under this criterion is that the M4 manual override was found not functioning on ACCW air operated valve ACC-112B, which made the Train B Ultimate Heat Sink (UHS) inoperable due to its impact on WCT basin inventory during accident conditions. The A train of the UHS had been electively taken out of service for greater than one hour as recently as October 10, 2012. Both trains of the UHS were inoperable based on that condition.
10 CFR 50.73(a)(2)(ii)(b), A condition that results in the nuclear power plant being in an unanalyzed condition that significantly degraded plant safety.
Previous information submitted to the NRC in the Waterford 3 UFSAR states that a loss of instrument air has no effect for the CCW and ACC systems post LOCA because the active valves are provided with accumulators and/or springs to ensure proper alignment of the system. However, calculations provide leakage criteria based on a 10 hour1.157407e-4 days <br />0.00278 hours <br />1.653439e-5 weeks <br />3.805e-6 months <br /> accumulator mission time and the associated Design Basis Document (DBD) states that manual handwheel positioning or refilling of the nitrogen or air accumulators is required after 10 hours1.157407e-4 days <br />0.00278 hours <br />1.653439e-5 weeks <br />3.805e-6 months <br /> because the mission time of the associated valves is longer than 10 hours1.157407e-4 days <br />0.00278 hours <br />1.653439e-5 weeks <br />3.805e-6 months <br />. An inadequate application of the 50.59 process occurred in that the current Waterford 3 license basis documents have not been updated to reflect the effect of a loss of instrument air on the CCW and ACC systems, nor was there an adequate review of the substitution of manual operator action outside the control room for automatic action by the AOVs. Operating the systems in this manner was not reviewed by the NRC.
Additionally applicable under this reporting criterion is the inability of the EFW and UHS systems to meet single failure criterion, and that the error in not performing the surveillance tests produced a situation in which two or more safety-grade, functionally related components (UHS and EFW) were inoperable.
10 CFR 50.73(a)(2)(v), A condition that could have prevented the fulfillment of a safety function of a system that is needed to:
(B) Remove residual heat, and (D) Mitigate the consequences of an accident.
Auxiliary Component Cooling Water (ACCW) air operated valve ACC-112B was declared inoperable when its M4 manual override was found not functioning. This also made the Train B Ultimate Heat Sink (UHS) inoperable due its impact on WCT basin inventory during accident conditions. Train A of the UHS had been electively taken out of service as recently as October 10, 2012. Both trains of the UHS were inoperable based on that condition. Additionally, both trains of the UHS were inoperable during plant operation based on not having been tested as required to meet operability requirements.
In addition, the handwheel function of the Essential Chiller Coolant Select valves was too complex to expect successful operation with the current operating procedure after an event. Procedural inadequacy for recharging the valve accumulators prior to accumulator depletion during an emergency could have also prevented an UHS from fulfilling its Safety Function due to the loss of water inventory in the WCT basin during accident conditions.
The above conditions could have prevented the fulfillment of a safety function of the UHS which is needed to remove residual heat and mitigate the consequences of an accident.
10 CFR 50.73(a)(2)(vii), A single cause caused at least one independent train to become inoperable in multiple systems or two independent trains to become inoperable in a single system.
This condition meets both reporting criteria. The failure to test and maintain the capability of the AOV manual operators led to both independent trains in the EFW system to be inoperable and the Train B of the EFW and UHS systems to be inoperable.
As found, the AOV manual handwheels were not known to be able to perform their specified function as designed, tested, and maintained and "could have" not met their required mission times. Nonetheless, when the manual handwheels on the EFW valves were tested, both flow paths to the Steam Generators were found to have been inoperable.
Additionally, the M4 manual overrides on the Essential Chiller Coolant Select valves were not tested to determine the as found condition and thus could have been in a failed condition as well.
In conjunction with this, there had been no action to develop specific procedures, training, or testing for using handwheel overrides in cases where the valve position change is required after the accumulator duration expires. The interlocks and timing features of those valves to address water hammer in the ACCW System may not have been achievable using the M4 manual overrides. There were procedural inadequacies for recharging the accumulators as well. Without a reliable method to reposition the valves, water inventory in the Wet Cooling Tower Basins cannot be sufficiently assured to maintain the UHS system operable.
This reporting criterion is also applicable due the common failure to test and maintain the capability of the AOV manual operators in the Train B of the EFW and UHS systems. This occurred due to the discovered failure on ACC-112B and test failure on EFW-223B.
10 CFR 50.73(a)(2)(ix), A condition that as a result of a single cause could have prevented fulfillment of safety function for two or more trains in different systems.
Procedural inadequacies associated with testing the operability of the manual operator and for re- charging accumulators during an emergency could have prevented fulfillment of Safety Function of multiple systems. These systems include Auxiliary Component Cooling Water, Component Cooling Water, and Emergency Feedwater.
There are no specific procedures, training, or testing for using handwheel overrides in cases where the valve position change is required after the accumulator duration expires. The interlocks and timing features of those valves that were implemented to address water hammer in the ACCW System may not have been achievable using the M4 manual overrides. There were procedural inadequacies for recharging the accumulators as well. Without a reliable method to reposition the valves, water inventory in the Wet Cooling Tower Basins cannot be sufficiently assured to maintain the UHS system operable. Systems that are dependent on the UHS would not have been able to complete the mission time for their safety function.
CAUSAL FACTORS
The apparent cause analysis of CR-WF3-2012-6703 determined that the cause was insufficient rigor during the incorporation of vendor information into plant documentation. In August 1989, EBASCO memorandum PEG-89-433 was prepared as a draft to Safety Analysis Design Basis Document (SADBD), which is a plant document chronicling the safety related functions of Air Operated Valves in the plant. The memorandum represents the earliest example of crediting manual actuation of the subject Air Operated Valves during a Design Basis Accident. Design control measures failed to implement necessary process and design basis document changes associated with use of the Nitrogen Accumulators and reliance on the AOV manual handwheels and overrides to meet design accident requirements. All Affected Documents for incorporation of the EBASCO memorandum into plant documentation had not been identified; allowing UFSAR Table 9.2-4, Failure Modes and Effects Analysis for the CCWS and ACCWS Post LOCA to remain as is without incorporation of these changes. Inservice Testing Requirements were never established for the subject Safety Related Air Operated Valves' handwheel functions. (Due to the historical nature of this issue, no responsible parties were available for interview. As such, this analysis is based solely on available documentation and records available at the time of the analysis.) The cause of the inoperable manual handwheels on EFW-223B and EFW-229A was due to mechanical binding from lack of lubrication.
The cause of the inoperable M4 manual override on ACC-112B was due to an internal component failure within the compact, modular hydraulic control system.
EXTENT OF CONDITION
The extent of condition is limited to the population of valves with mission times greater than their accumulator capacity where the manual handwheels and overrides were not being periodically tested.
The applicable valves are listed below.
ACC-112A (ACCW Header A to Essential Chillers Isolation) ACC-112B (ACCW Header B to Essential Chillers Isolation) CC-301A (CCW Header A Supply to Essential) CC-301B (CCW Header B Supply to Essential) CC-322A (CCW Header A Return from Essential Chillers Isolation) CC-322B (CCW Header B Return from Essential Chillers Isolation) ACC-139A (ACC Header A Return from Essential Chillers Isolation) ACC-139B (ACC Header B Return from Essential Chillers Isolation) CC-114A (CCW Pump A to CCW Pump AB Suction Cross-Connect) CC-114B (CCW Pump B to CCW Pump AB Suction Cross-Connect) CC-115A (CCW Pump AB to CCW Pump A Suction Cross-Connect) CC-115B (CCW Pump AB to CCW Pump B Suction Cross-Connect) CC-126A (CCW Pump A to CCW Pump AB Discharge Cross-Connect) CC-126B (CCW Pump B to CCW Pump AB Discharge Cross-Connect) CC-127A (CCW Pump AB to CCW A Pump Discharge Cross-Connect) CC-127B (CCW Pump AB to CCW B Pump Discharge Cross-Connect) EFW-223A (EFW Header A to SG1 Backup Flow Control) EFW-223B (EFW Header B to SG1 Backup Flow Control) EFW-224A (EFW Header A to SG2 Primary Flow Control) EFW-224B (EFW Header B to SG2 Primary Flow Control) EFW-228A (EFW to SG1 Primary Isolation) EFW-228B (EFW to SG2 Primary Isolation) EFW-229A (EFW to SG1 Backup Isolation) EFW-229B (EFW to SG2 Backup Isolation) The top eight valves listed above are the Essential Chiller Cooler Select Valves. The originating failure was the M4 manual override on ACC-112B. The other seven valves' handwheels were not tested because action was taken to install a backup air supply on the associated Nitrogen accumulators. This eliminated the need to use the M4 manual overrides.
The manual handwheels were tested on the remaining valves listed above to determine their functionality. As noted within this event report, two of the manual handwheels associated with EFW were found inoperable (EFW-223B and EFW-229A). The remaining manual handwheels were successfully operated.
The above conditions and the associated reporting requirements have been factored into this event report.
No other failure to test accumulator dependent AOVs has been identified.
CORRECTIVE ACTIONS
Corrective Actions Taken As previously indicated above, corrective actions were completed to restore operability of the manual handwheels and overrides on the EFW and UHS systems.
It is notable that many of the processes that contributed to this condition no longer exist and, with the creation of new processes that would be used to issue similar documents, it is evident that implemented changes and improvements since the event have helped to resolve this issue. These process changes are credited as the primary corrective action to address the insufficient rigor that was previously applied.
Installed a backup air supply on the Nitrogen accumulators for the Essential Chiller Coolant Select Valves (completed on December 30, 2012). This eliminates the need to use the M4 manual overrides.
This maintains the interlocks and timing features of those valves that were implemented to address water hammer in the ACCW System.
With the exception of the Essential Chiller Select Valves, the Air Operated Valves listed in the Extent of Condition above were stroked using the Manual Override/Handwheel to evaluate for functionality. Two valves that failed to successfully stroke by manual handwheel (EFW-223B and EFW-229A) were repaired.
Procedure OP-901-511(Instrument Air Malfunction) was revised to provide more detailed instructions for use of the local manual handwheel overrides.
Completed corrective action that reviewed information associated with Safety Related AOVs to identify any valves which may require long term repositioning for which insufficient accumulator gas pressure/volume may occur prior to completing their mission. The review determined that information provides an adequate basis for concluding that all air operated valves either have sufficient motive gas for the entire mission time or have handwheel overrides that are accessible and appropriately tested to verify their function.
The design and licensing basis documents have been updated to credit the handwheel override function on each of the valves except for the Chiller Coolant select valves. This included updating the UFSAR to incorporate manual valve operation into the Failure Modes and Effects Analysis for the CCWS and ACCWS Post LOCA table.
A 10CFR50.59 Safety Evaluation was completed to evaluate substitution of manual operator action outside the control room post-accident for the automatic air operator function currently credited in the FSAR.
Planned Corrective Actions
Actions are in place to establish Preventative Maintenance tasks for periodic lubrication and testing of the manual handwheels and overrides associated with this event report.
Action has been assigned to determine the Inservice Testing Requirements of the manual override for the affected valves and to incorporate those requirements into the Inservice Testing Program.
Action has been assigned to update the affected Operations inservice testing procedures.
SAFETY SIGNIFICANCE
Industrial Safety There was no industrial safety significance associated with this issue.
Radiological Safety There was no radiological safety significance associated with this issue.
Nuclear Safety From a risk perspective, problematic scenarios include only those that result in a loss of instrument air (including losses of offsite power and loss of instrument air events). Most design basis accidents that include combinations of a loss of offsite power as well other initiating events are so improbable in risk space that they are not considered further.
The fact that the accumulators would allow continued air operated valve operation for ten or more hours helps to reduce the risk. However, the design basis requirements must still be met. The analyses below address the valves in related groups.
Valves CC-114A, CC-114B, CC-115A, CC-115B, CC-126A, CC-126B, CC-127A, CC-127B:
These CCW train separation valves are normally open and fail open upon a loss of instrument air. Their safety function is to close in response to a safety injection actuation signal to ensure train separation (a design basis requirement). However, the failure to provide train separation should not affect the ability of each train to perform its probabilistic risk assessment function, unless one train suffered a simultaneous rupture such that both trains would be drained and rendered nonfunctional. The frequency of a design basis event coincident with a CCW train piping rupture is so low that it need not be considered further. Therefore there was no quantifiable change to the core damage frequency associated with these valves.
Valves CC-301A, CC-301B, CC-322A, CC-322B, ACC-112A, ACC-112B, ACC-139A, and ACC-139B:
ACCW may be needed during the initial days of a design basis accident to ensure adequate cooling of the safety related chillers. Once major heat loads are reduced, the CCW system, alone, can provide adequate cooling to the chillers. The noted valves are associated with changing the cooling alignment between the ACCW and CCW systems. The accident valve alignment has the chillers aligned to the ACCW system. Since in most instances, in the first 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> of the accident, the cooling water to the chillers will be aligned to the ACCW system (and the valves fail as-is), there would be no quantifiable change to the core damage frequency because of this deficiency. In addition, since heat loads tend to reduce over time, if the swap over to the CCW system had already occurred, there would be little risk to the chillers upon a loss of instrument air. In the very unlikely event that this swap over had occurred, and heat loads increased, the cooling water to the chillers would still be adequate to maintain the chillers in a functional state. Therefore, while there could be some unquantifiable increase to the core damage frequency, it is qualitatively determined that that increase would be very small and much less than E-7/yr.
Valves EFW-223A, EFW223-B, EFW-224A, EFW-224B, EFW-228A, EFW-228B, EFW-229A, and EFW-229B:
These valves are normally open and fail open upon a loss of air supply. Operators use these valves to control EFW flow to the two steam generators and must locally throttle or close the valves with the handwheels when motive air is unavailable. Failure to throttle these valves could result in overfilling the steam generators. Furthermore, from a risk perspective, it is assumed that the overfilling of a single steam generator could cause the EFW AB pump turbine to fail due to water intrusion. Operators could, nonetheless, control steam generator level using alternate means, such as turning on and off the motor driven pumps or adjusting the speed of the turbine driven EFW pump.
In the Waterford PRA model, the only local manipulation of air operated valves using the valve handwheels that is credited is for the EFW flow control valves during loss of motive air or loss of DC power (including Station Blackout (SBO) scenarios). Because SBO scenarios account for almost half of the total plant CDF, the overall result should be the most sensitive to changes made in this part of the model.
The original model included the two local manual actions to control EFW flow—QHFEFWFLOP and QHFEFWSBOR. The latter is specific to SBO sequences while the former is related to loss of control of EFW. For this evaluation, the handwheel failures need to be modeled separately from the human failure event. In the cases with the QHFEFWSBOR event, the logic for the handwheel failures was modeled with an OR gate relating it to the Human Failure Event (HFE). Because the HFE included the manipulation of the steam supply valve to the EFW pump turbine as well as the EFW flow control valves, a hardware failure for the steam supply valve was added with the handwheel logic using a generic failure rate.
For the case involving the other local manual action, QHFEFWFLOP, an additional operator action QHFEFWTOSP had to be added to the fault tree logic to account for manual control of the EFW AB turbine steam supply valve and would only be applicable for Transient initiators (non-LOCA). Hardware failure for the EFW AB turbine steam supply valve was also taken into account.
The baseline CDF for this case was computed to be 3.68E-06/ year when using a truncation in EOOS of E-11. The resulting CDF from having the manual hand-wheels inoperative (as described above) is 3.78E-06/ year giving a delta CDF of 1.0E-07/ year. Applying the Average Weather factor of 1.33 to this delta renders a final delta CDF of 1.33E-07/year. Multiplying this result by the exposure time of one year gives and Incremental Core Damage Probability (ICDP) of 1.33E-07 (ICDP = deltaCDF * exposure time). To account for the contribution from Fire and External Events, this number is assumed to be doubled. This gives a total ICDP of 2.7E-07 which is low safety significance.
Therefore, the risk significance associated with this reported condition is considered low.
SIMILAR EVENTS
A search was performed using the NRC's ADAMS search engine for other similar reported events at Waterford 3. No similar events were identified.
ADDITIONAL INFORMATION
Energy industry identification system (El IS) codes and component function identifiers are identified in the text with brackets [ ].
Reporting Date Discussion The difference between the event date and report date exceeds 60 days because this condition was not recognized as a reportable condition until another review was performed of the available information.
This condition was determined to be reportable on May 23, 2013. Failure to submit LER 2013-003-00 within 60 days has been entered into the corrective action program in CR-WF3-2013-2564.