05000390/LER-2017-009
| Watts Bar Nuclear Plant, Unit 1 | |
| Event date: | |
|---|---|
| Report date: | |
| Reporting criterion: | 10 CFR 50.73(a)(2)(ii) 10 CFR 50.73(a)(2)(v)(B), Loss of Safety Function - Remove Residual Heat 10 CFR 50.73(a)(2)(v)(D), Loss of Safety Function - Mitigate the Consequences of an Accident 10 CFR 50.73(a)(2)(ii)(B), Unanalyzed Condition |
| 3902017009R00 - NRC Website | |
comments regarding burden estimate to the Information Services Branch (T-2 F43), U.S. Nuclear Regulatory Commission, Washington, DC 20555-0001, or by e-mail to used to impose an information collection does not display a currently valid OMB control number, the NRC may not conduct or sponsor, and a person is not required to respond to, the information collection.
3. LER NUMBER
2017 - 00 009
I. PLANT OPERATING CONDITIONS BEFORE THE EVENT
Watts Bar Nuclear Plant (WBN) Unit 1 was at 100 percent rated thermal power (RTP) . WBN Unit 2 was in Mode 5.
II. DESCRIPTION OF EVENT
A. Event Summary On July 12, 2017, at 1238 Eastern Daylight Time (EDT), Watts Bar Nuclear Plant (WBN) determined that a preliminary analysis shows adequate Essential Raw Cooling Water (ERCW) {EIIS:BI} flow may not be available during dual unit limiting design basis conditions of one unit in Hot Shutdown on Residual Heat Removal (RHR) cooling when the other unit experiences a Loss of Coolant Accident (LOCA). Based on preliminary analysis, during a Unit 1 LOCA, Unit 1 receives adequate flow when following existing procedural guidance. However, Unit 2 may not receive adequate flow to meet cool-down requirements with design basis maximum temperatures. During a Unit 2 LOCA, however, current procedural guidance was found not adequate to ensure the proper system alignment to establish correct ERCW Component Cooling Water (CCS) {EIIS:CC} Heat Exchanger {EIIS:HX} A and B flow rates for either units cool down requirements.
This event is being reported to the Nuclear Regulatory Commission (NRC) under 10 CFR 50.73(a)(2)(ii)(B) as an unanalyzed condition that significantly degraded plant safety and under 10 CFR 50.73 (a)(2)(v)(B) and (D) as an event or condition that could have prevented fulfillment of a safety function.
B. Inoperable Structures, Components, or Systems that Contributed to the Event No inoperable equipment contributed to this event.
C. Dates and Approximate Times of Occurrences Date Event 10/20/15 WBN Unit 1 receives license Amendment 104 to revise the Technical Specifications (TS) for CCS and ERCW to support Dual Unit Operation.
10/22/15 WBN Unit 2 receives operating license 11/19/15 Post Issuance Change (PIC) 65699 revises Design Change Notice (DCN) 62151 to address ERCW alignment for Dual Unit Operation. Emergency procedure impacts not properly addressed.
5/23/16 WBN Unit 2 is critical for the first time 7/12/17 Condition Report (CR) 1316395 is generated to document ERCW design issue.
7/14/17 Procedures 1-E-0 and 2-E-0, Reactor Trip or Safety Injection, are revised to address proper position of ERCW outlet valves from the CCS heat exchangers.
D. Manufacturer and Model Number of Components that Failed During the Event There were no failed components that contributed to this event.
comments regarding burden estimate to the Information Services Branch (T-2 F43), U.S. Nuclear Regulatory Commission, Washington, DC 20555-0001, or by e-mail to used to impose an information collection does not display a currently valid OMB control number, the NRC may not conduct or sponsor, and a person is not required to respond to, the information collection.
E. Other Systems or Secondary Functions Affected
No other systems or secondary functions were affected .
F. Method of discovery of each Component or System Failure or Procedural Error The issues described in this LER were discovered during the development of a revised ERCW flow model.
G. Failure Mode and Effect of Each Failed Component No actual equipment failures occurred during this event.
H. Operator Actions
No actual event was ongoing related to this report.
I. Automatically and Manually Initiated Safety System Responses Not applicable.
III. CAUSE OF THE EVENT
A. The cause of each component or system failure or personnel error, if known.
The ERCW and CCS systems were designed originally for maximum flexibility, not complete train separation and independence. Once train independence was established as a standard for the Nuclear Industry, a decision was made to preserve the physical configuration of the system and still maintain a design that provided safe reliable operation. This design contained an error that was not discovered until recently when the condition documented in CR 1316395 was brought to light.
The decision to preserve the ERCW original cross tied design was made under the assumption that the design basis was met with existing structures, systems, and components (SSCs). However, the design basis was not met due to a single failure in another system, and therefore, an HU knowledge based error caused the ERCW system to not be in conformance with the design basis.
B. The cause(s) and circumstances for each human performance related root cause.
Station procedure preparers assumed the emergency procedures affected by the design change for dual unit ERCW operation would be captured by a separate license amendment request for dual unit operation and did not list them on the DCN impact sheet. As a result, emergency procedures were not properly revised.
comments regarding burden estimate to the Information Services Branch (T-2 F43), U.S. Nuclear Regulatory Commission, Washington, DC 20555-0001, or by e-mail to NEOB-10202, (3150-0104). Office of Management and Budget, Washington, DC 20503. If a means used to impose an information collection does not display a currently valid OMB control number, the NRC may not conduct or sponsor, and a person is not required to respond to, the information collection.
IV. ANALYSIS OF THE EVENT
The WBN plant is provided with a common ERCW system serving both units. Eight ERCW pumps are provided, with two pumps aligned to each 6.9 kV Shutdown Board (SDBD) and aligned to two ERCW trains A and B. The ERCW system supplies cooling water to the Component Cooling Water System (CCS) heat exchangers, the containment spray heat exchangers, the emergency diesel generators, containment coolers, and various other system loads.
The CCS is an intermediate cooling loop cooled by the ERCW system. Three CCS heat exchangers serve both units aligned into two trains. CCS heat exchangers A and B serve Train A for Units 1 and 2, respectively, and CCS heat exchanger C serves Train B for both units. The CCS heat exchangers provide heat removal for the Residual Heat Removal (RHR) heat exchangers, the Spent Fuel Pool heat exchanger, the Chemical and Volume Control System (CVCS), various pump coolers, and various other loads. ERCW flow to the CCS heat exchangers is controlled using the discharge flow control valves, which can be either set to operating conditions or can be positioned to one of two preset opening positions.
The limiting design for both the ERCW and CCS systems is a normal shutdown on one unit with a design basis Loss of Coolant Accident (LOCA) on the other unit. The operation of the RHR system on the unit in shutdown and the transition to cold leg recirculation heat load on the RHR heat exchanger(s) for the LOCA unit represent the maximum heat load that is applied to the CCS system.
During normal operation, ERCW flow is modulated to the CCS heat exchangers to allow the CCS temperature to be maintained in an optimal operating band. Because heat loads during normal operation are low, ERCW flow would be maintained at flows lower than during an accident to allow for optimal CCS system operation. Two separate, but related issues are identified in this event.
The design of the ERCW/CCS heat exchanger interface is shown in the Figure below. While the supply side of ERCW to the CCS heat exchanger is in a classic Train A and Train B configuration, the discharge of the CCS heat exchangers has a cross train alignment. CCS heat exchanger B (Train A for Unit 2) is aligned to the ERCW Train A discharge. The ERCW discharge for CCS heat exchanger A (Train A for Unit 1) and the ERCW discharge for CCS heat exchanger C (Train B for both units) discharge to ERCW Train B. This results in Train B CCS Heat exchanger C and Train A CCS heat exchanger A discharging to Train B. The design concern identified is if a non-limiting failure, such as failure of CCS flow to CCS heat exchanger C were to occur, Train B for CCS would be non-functional. With ERCW flow still being provided to CCS heat exchanger C, the back pressure would be high enough to prevent sufficient ERCW flow through CCS heat exchanger A. The discharge isolation valves for the CCS heat exchanger A were not set sufficiently open to account for this backpressure concern.
A closely related issue identified during the ERCW model review was that for an accident on Unit 2, no provisions existed in the Emergency Operating Instructions (EOIs) for adjusting ERCW flows to the Train A CCS heat exchangers by opening the ERCW to the CCS heat exchanger discharge control valves to one of the desired pre-set opening positions to support accident operation (minimum analysis required ERCW flow of 3500 gpm). These valve position adjustments should have been performed in procedure 2-E-0, Reactor Trip of Safety Injection. Without repositioning these valves in advance of switchover to recirculation, unacceptably high temperature in the CCS system may occur following transfer to recirculation post LOCA. The required valve repositioning steps were also incorrect in 1-E-0 for Unit 1, but supported an alignment yielding adequate flow for Unit 1. The failure to properly revise the emergency comments regarding burden estimate to the Information Services Branch (T-2 F43), U.S. Nuclear Regulatory Commission, Washington, DC 20555-0001, or by e-mail to used to impose an information collection does not display a currently valid OMB control number, the NRC may not conduct or sponsor, and a person is not required to respond to, the information collection.
procedures for Unit 2 is related to a failure to properly document impacts in the design change associated with configuring WBN to dual unit operation.
A detailed engineering review of the positions of the ERCW discharge valves from the CCS heat exchangers was performed from the time period that Unit 2 initially went critical on May 23, 2016 until correction of this issue via E01 revisions. This review documented in a past operability evaluation determined that in all cases, ERCW flow through Train B (CCS heat exchanger C) would have been adequate for accident conditions on either Unit 1 or Unit 2.
This same review for Train A (CCS heat exchangers A and B) was also performed. This review determined that inadequate ERCW flow would have been present without operator diagnosis for approximately 0.252 years for a large break LOCA on Unit 2.
A secondary issue is that for this event, the non-accident unit would be assumed to be operating on RHR shortly after a plant shutdown. Operations personnel on the non accident unit would see rising RCS Temperature. The normal action for this observation would be to raise the RCS flow through the RHR heat exchanger and lower the flow that is bypassing the heat exchanger. This would continue until the RHR heat exchanger outlet is full open and the bypass is full closed. At this point, there would be maximum RCS flow through the RHR heat exchanger. With maximum heat input from the RCS through the RHR heat exchanger and inadequate ERCW cooling to the A CCS heat exchanger, CCS temperature will begin to rise. Alarms would be received on CCS heat exchanger outlet temperature and would be expected to result in ERCW realignment to provide higher flow. Therefore, alarms would result in operator action to manage system temperatures by procedure.
V. ASSESSMENT OF SAFETY CONSEQUENCES
As described in the previous section, the ERCW system Train A was not able to perform its safety function for a design basis accident on Unit 2 for about 0.252 years. A probabilistic risk assessment (PRA) performed determined that the increase in core damage frequency (CDF) for a large break LOCA over the period of interest for Unit 2 with Train A out of service for 0.252 years and Train B out of service for maintenance only to be less than 1E-7, which is low.
A. Availability of systems or components that could have performed the same function as the components and systems that failed during the event Train A ERCW was not able to perform its safety function for a design basis accident on Unit 2 for about 0.252 years. During this time, Train B ERCW remained able to perform its safety function for a design basis accident except for a period of less than 14 hours1.62037e-4 days <br />0.00389 hours <br />2.314815e-5 weeks <br />5.327e-6 months <br /> based on operator logs.
B. For events that occurred when the reactor was shut down, availability of systems or components needed to shutdown the reactor and maintain safe shutdown conditions, remove residual heat, control the release of radioactive material, or mitigate the consequences of an accident At the time this issue was identified, Unit 2 was in Mode 5. Unit 1 remained capable of safe shutdown at the time of identification.
C. For failure that rendered a train of a safety system inoperable, an estimate of the elapsed time from the discovery of the failure until the train was returned to service comments regarding burden estimate to the Information Services Branch (T-2 F43), U.S. Nuclear Regulatory Commission, Washington, DC 20555-0001, or by e-mail to used to impose an information collection does not display a currently valid OMB control number, the NRC may not conduct or sponsor, and a person is not required to respond to, the information collection.
3. LER NUMBER
2017 - 00 009 From the time of issue identification until corrective actions were in place was less than three days.
VI. CORRECTIVE ACTIONS
This event was entered into the Tennessee Valley Authority (WA) Corrective Action Program and is being tracked under Condition Reports (CRs) 1316395 and 1319469.
A. Immediate Corrective Actions
Upon identification of the issue, plant emergency operating instructions were promptly revised to require proper positioning of the ERCW discharge control valves from the CCS heat exchangers in the event of an accident. These actions addressed both the design issue and the procedural error issue.
B. Corrective Actions to Prevent Recurrence or to Reduce Probability of Similar Events Occurring in the Future Plant design standards will be revised to specify any new design for safety related systems shall not be cross trained (cross tied).
VII. PREVIOUS SIMILAR EVENTS AT THE SAME SITE
analysis for 10 CFR 50, Appendix R contained a non-conservative time for isolation of the Volume Control Tank (VCT) following a postulated fire in room 737.0-A1A. Multiple fire-induced failures were postulated to result in a loss of suction to the Centrifugal Charging Pumps (CCPs), which could cause RCP seal damage and loss of RCS inventory. Fire modeling subsequently determined that for any credible combination of failures or equipment spurious operation that the CCPs would remain operable. This issue was determined to be the result of a latent engineering error associated with the original Appendix R analysis performed for Unit 1.
VIII. ADDITIONAL INFORMATION
None.
IX. COMMITMENTS
None.
comments regarding burden estimate to the Information Services Branch (T-2 F43), U.S. Nuclear Regulatory Commission, Washington, DC 20555-0001, or by e-mail to NEOB-10202. (3150-0104), Office of Management and Budget, Washington, DC 20503. If a means used to impose an information collection does not display a currently valid OMB control number, the NRC may not conduct or sponsor, and a person is not required to respond to, the information collection.
Figure