05000413/LER-2003-002
| Catawba Nuclear Station, Unit 1 | |
| Event date: | |
|---|---|
| Report date: | |
| Reporting criterion: | 10 CFR 50.73(a)(2)(v), Loss of Safety Function |
| 4132003002R00 - NRC Website | |
BACKGROUND
Catawba Nuclear Station Units 1 and 2 are Westinghouse Pressurized Water Reactors [EIIS: RCT]. Unit 2 has two emergency diesel generators (DGs) 2A and 2B [EIIS: EK]. Each DG is utilized as the standby emergency power source for each 4160-volt emergency bus.
DGs 2A and 2B are dedicated to busses ZETA and 2ETB [EIIS: EB], respectively. Each DG has its own Emergency Ventilation System [EIIS: VJ] for each diesel enclosure which consists of two 50 percent capacity fans [EIIS: FAN], ductwork [EIIS: DUCT], and modulating return air and outside air dampers [EIIS: DMP], arranged to maintain space temperature between 60°F and 120°F when the diesel is operating. Each DG has a separate and complete fuel oil storage and transfer system [EIIS: DC]. The fuel system consists of two 45,000 gallon fuel oil storage tanks [EIIS: TK]. The storage tanks gravity feed the fuel oil day tank through an air operated DG fuel oil tank fill valve [EIIS: FSV]. The fuel oil day tank is sized to allow the DG to run at full load for 60 minutes with additional margin added. The fill valve cycles on day tank level to ensure proper level. The fill valve has a manual bypass valve [EIIS: V], that can be opened to provide fuel oil to the DG.
The design of the 120 VAC Vital Instrumentation and Control Power System [EIIS: EF], has four normally independent and physically separate channels of power for reactor control and instrumentation for Unit 2. Together, the four channels comprise two redundant safety trains. Channels A and C are associated with Train A, and Channels B and D are associated with Train B. Each channel consists of a static inverter [EIIS: INVT], a manual bypass switch [EIIS: JS], and a power panel board [EIIS: BD]. Each inverter can be powered from its respective 125 VDC battery charger [EIIS: BYC], or from its respective 125 VDC vital battery [EIIS: BT]. In the event a static inverter is not available, the associated manual bypass switch is used to transfer the affected power panel board to the non-essential alternate Regulated Power Distribution Center [EIIS: BU], 2VRD. 2VRD is capable of supplying power to one channel at a time.
The inverters are the preferred source of power for the AC vital busses at Catawba. Their function is to provide an uninterruptible source of AC electrical power to the vital busses. When a required inverter becomes inoperable, its associated AC vital bus also becomes inoperable until it can be manually re-energized from its respective voltage regulated transformer. When the AC vital bus is powered from its voltage regulated transformer, it is relying on interruptible AC electrical power.
The Nuclear Service Water System (RN) [EIIS: BI] provides a heat sink for the removal of process and operating heat from safety related components during a design basis accident. During normal operation and during normal plant shutdowns, the RN system also provides this function for various safety related and non-safety related components.
The RN system consists of two independent loops (designated A and B) of essential equipment, each of which is shared between the two units.
Each loop contains two RN pumps [EIIS: P], each of which is provided backup emergency power from a separate DG. Each set of two pumps supplies two trains (1A and 2A, or 1B and 2B) of essential equipment through common discharge piping. While the pumps are unit designated (i.e., 1A, 1B, 2A, 2B), all pumps receive automatic start signals from a safety injection or blackout signal from either unit. Therefore, a pump designated to one unit will supply post-accident cooling to equipment in that loop on both units, provided its associated DG is available.
Technical Specification (TS) Limiting Condition for Operation (LCO) 3.8.1 governs AC Sources - Operating for Modes 1, 2, 3, and 4. LCO 3.8.1 requires in part that two DGs be operable. The inoperability of a DG results in the inoperability of the associated RN Pump [EIIS: BI].
LCO 3.7.8 requires that in Modes 1, 2, 3, and 4 two RN trains be operable. Condition A for this LCO states that with one RN train inoperable, the RN train must be restored to operable status within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />. Condition B states that with the Required Action and associated Completion Time of Condition A not met, the unit must be in Mode 3 within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and in Mode 5 within 36 hours4.166667e-4 days <br />0.01 hours <br />5.952381e-5 weeks <br />1.3698e-5 months <br />. Because of the shared nature of the RN system, Required Action A.1 is required to be entered independently for each unit in the event of an inoperable RN train on either unit. In addition, the Bases for TS 3.7.8 states that if a shared RN system component becomes inoperable, or normal or emergency power to shared components becomes inoperable, then the required actions of LCO 3.7.8 must be entered independently for each unit that is in the modes of applicability, unless certain RN system flow restrictions are made as described in the Bases.
At 0945 on February 12, 2003 Unit 2 experienced a loss of vital inverter 2EID resulting in a loss of power to channel IV 120 VAC panel board 2ERPD. 2ERPD provides power to support equipment for the 2B DG. The 2B DG components affected were valve 2FD-62 (DG engine fuel oil day tank fill) which fails closed and dampers 2DSF- D-7 (Diesel Building outside air damper 2B2) and 2DSF-D-9 (Diesel Building outside air damper 2B1) which fail closed. This resulted in declaring the 2B DG inoperable. The 2A DG had been previously taken out of service for routine maintenance. This resulted in both DGs on Unit 2 being declared inoperable. As discussed above, this also resulted in both the 2A and 2B RN pumps being inoperable.
TS 3.7.8 does not provide any actions for two RN pumps being inoperable. RN is a shared system between Unit 2 and Unit 1 so, both units entered TS 3.0.3. Power was restored to 2ERPD at 1028 when the alternate source, 2VRD, was manually aligned to provide power to 2ERPD. At this time both units exited TS 3.0.3.
This event is being reported under 10 CFR 50.73(a)(2)(v)(A & D), "Any event or condition that could have prevented the fulfillment of the safety function of structures or systems that are needed to:
(A) Shut down the reactor and maintain it in a safe shutdown condition; (B) Remove residual heat; (C) Control the release of radioactive material (D) Mitigate the consequences of an accident.
were operating in Mode 1, Power Operation.
EVENT DESCRIPTION
(Dates and times are approximate) Date/Time 02/11/03-0300 02/12/03-0945
Event Description
The 2A DG was removed from service for routine maintenance activities.
Vital inverter 2EID choke fails which deenergizes 120 VAC panel board 2ERPD.
Operations entered abnormal procedure (AP) AP/2/A/5500/029, Loss of Vital or Aux Control Power. Unit 2 entered TS 3.8.9 with 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> to restore power to 2ERPD. Unit 2 also enters TS 3.8.7 with 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> to restore 2EID to operable status.
02/12/03-0954 02/12/03-1028 02/12/03 Operations opens valve 2FD-63 (2B DG engine fuel oil day tank 2B fill valve bypass). At this time, Operations thought they had exited TS 3.0.3 due to wording in AP/2/A/5500/029.
However, the DG building ventilation outside air dampers (2DSF-D-7 & 2DSF-D-9) were failed closed due to loss of power from 2ERPD.
120 VAC panel board 2ERPD is energized from regulated power source 2VRD. This restores power to the DG building ventilation outside air dampers (2DSF-D-7 & 2DSF-D-9) which restores operability to the 2B DG. This is when Unit 1 and Unit 2 actually exited TS 3.0.3, but this was not known by Operations at the time.
Maintenance replaces the failed choke and an associated transformer on vital inverter 2EID.
The inverter was energized and monitored for proper operation.
02/13/03-0015 � Vital inverter 2EID was aligned to 2ERPD and Unit 2 exited TS 3.8.7.
CAUSAL FACTORS
A review of 2EID's work history and factory analysis of returned components indicated that the cause of the 2EID failure on February 12, 2003 is a fabrication deficiency in choke CH804 which was installed in the inverter on September 11, 2002. Examination of the choke found that during the winding operation in the manufacturing process, the last turn of the second layer winding had not been anchored in place allowing it to slip off of the layer paper and contact the first turn winding of the first layer. When placed in service, this caused the wire's insulation rating to be exceeded. The insulation breakdown allowed electrical shorting to develop between the first and second layer windings. Once the shorting occurred, generated heat led quickly to broader winding failure and loss of the choke's functional ability. The nature of this deficiency would appear to allow the choke to be initially tested with satisfactory results.
According to the manufacturer, the failed choke appears to have been fabricated in the early 1980's based on the type of resin used although the exact date of manufacture could not be determined.
Since the 1980's, material improvements and standards have evolved for items such as the varnishes, wiring, and insulation.
Currently, all tolerances are specified and controlled during the fabrication process. A final quality control inspection process is in place, in addition to the electrical testing previously done.
Revision B of the manufacturer's Quality Control Manual describes the methods by which the program complies with ANSI/ISO/ASQ Q9001:2000, Quality Management Systems-Requirements, ANSI/ASME N45.2-1977, Quality Program Requirements For Nuclear Facilities, 10CFR50-Appendix B, Quality Assurance Criteria For Nuclear Power Plants, and other related quality standards.
CORRECTIVE ACTIONS
Immediate:
1. Power was restored to 2ERPD in accordance with AP/2/A/5500/029.
2. The failed choke from this event and a choke that had been previously replaced were sent to the manufacturer for failure analysis.
Subsequent:
1. Choke CH804 and transformer TX803 were replaced in 2EID. TX803 shares a series winding with CH804, and replacement of TX803 was suggested by the manufacturer since the exact cause of circuit failure could not be immediately determined.
2. The operating temperature of the new CH804 was recorded twice per shift for 7 days. The temperatures did not rise above those recorded after about 2 initial hours of service.
3. The regularly scheduled thermography inspection of 2EID was performed on February 26, 2003. The operating temperature was comparable to those values obtained during the first 7 days of operation.
Planned:
1. Monthly thermography inspections will be performed until all existing vital inverters are replaced on both units.
2. Replacement of the Vital Inverters will be performed under Nuclear Station Modifications (NSMs) CN-11412 and CN-21412. The new inverters have a 40 year qualified life, and should provide reliable service through the life of Catawba Nuclear Station.
3. AP/1(2)/A/5500/029 will be reviewed and revised to ensure that any issues affecting DG operability are identified with appropriate actions for Operations.
The planned corrective actions as well as any future corrective actions will be addressed via the Catawba Corrective Action Program. There are no NRC commitments contained in this LER.
SAFETY ANALYSIS
During this event both Unit 1 DGs (1A & 1B) remained operable along with RN pumps 1A and 1B. The 2B DG was declared inoperable, however, nothing was done to the 2B DG that would have prevented it from receiving its start signal and starting. The fuel oil supply available would have allowed the 2B DG to start and run for 60 minutes before any action would be required by Operations.
Operations opened the manual bypass valve to supply fuel oil to the DG day tank in approximately 9 minutes. The fuel oil supply valve failure would not by itself prevent the 2B DG from performing its intended function since manual operator actions easily restored the fuel supply in the necessary time frame. The DG building ventilation system loss of the outside air dampers would not have prevented the 2B DG from starting and loading its respective safety related 4160 volt bus. The inability of the outside air dampers to open would have caused the DG room temperature to increase to temperatures that would affect electrical equipment in the room.
Some of the critical electrical equipment located in the DG room includes components which have temperature ratings less than the temperatures that could have been reached. This would have 9 affected the ability of the 2B DG to operate for the time period that 2ERPD was deenergized without any operator action. The vital instrument bus, 2ERPD was reenergized in less than an hour.
Therefore, the impact of this event on the ability of the 2B DG to perform its intended function was minimized.
The CDF and LERF significance of this event has been evaluated in a conservative manner and found to result in insignificant increases in the CDF and LERF for the short time period where the 2A DG was inoperable and the 2B DG was technically inoperable. The conditional change in CDF is estimated to be less than 2E-07 and the conditional change in LERF is estimated to be less than 4E-08.
This evaluation does consider the expected reduction in CDF that has been achieved as a result of the RCP seals being upgraded to the high temperature o-ring material.
The primary conservatism in the above evaluation was that the 2B DG was modeled as a start failure of the diesel. The 2B DG was assumed to be unavailable for one hour. This is conservative since the DG would have started and run with power from ERPD unavailable.
Following opening of the fill bypass valve, the DG would continue to run, for awhile, with the outside air ventilation dampers closed.
In conclusion, the overall safety significance of this event was determined to be minimal and there was no actual impact on the health and safety of the public.
ADDITIONAL INFORMATION
A review of LERs from the last three (3) years found no LERs written for failure of a vital inverter. A review of the corrective action program database did yield several instances where choke failures had occurred. With respect to the failures of vital inverter CH804 chokes, this condition is considered a recurring event. However, no known failures of replacement parts supplied by the manufacturer have occurred.
The inverters used at Catawba were manufactured by Solidstate Control, Inc., model number SV12150, Ferroresonant Transformer Based, 15KVA. This type inverter design uses a ferroresonant transformer in the output filter, which is also known as a Constant Voltage Transformer (CVT). The CVT provides harmonic filtering, voltage regulation, and current limiting. The output is controlled without any feedback circuitry to the semiconductor bridge. The voltage regulation provided by the CVT is totally magnetic and requires no electronics. The filter components in the CVT are designated as choke CH804 and transformer TX803.
The Unit 2 vital inverters were manufactured in the late 1970's, and have been installed in the plant and energized since about 1984. Studies performed by EPRI/NMAC have concluded that the failure rate of inverters rises rapidly after 15 years of age. For this reason, a decision was made to replace the existing inverters.
There are no more choke CH804's in stock at Catawba under stock code 54002, which is the stock code of the CH804 installed on September 11, 2002. This is the stock code for part number SCI-T- 851B, which is the original part number for CH804 in a 15 KVA inverter. A stock code 54002 choke would have a manufacture date in the 1980's. Replacement CH804's are now ordered under part number 80-310851-90, also for a 15 KVA inverter only. These carry stock code 54008. There is not a potential to install the old part number choke manufactured in the 1980's again.
Several vital inverters have original CH804's installed, or have a replacement CH804 which is also from the 1980's manufacture period.
Since these CH804's have been in service for quite a while, it does not appear that a fabrication defect exists in these. Ongoing monthly thermography surveys and visual observations of vital inverters will aid in identifying a degrading device, unless the failure is fairly rapid.
Energy Industry Identification System (EIIS) codes are identified in the text as [EIIS: XX]. This event did involve an equipment failure and is reportable to the Equipment Performance and Information Exchange (EPIX) program.
Although the safety impact of this event was minimal, this condition met the reporting criteria of 10 CFR 50.73(a)(2)(v) and therefore will be recorded under the NRC Performance Indicators for Unit 1 and Unit 2 as a Safety System Functional Failure.
There were no releases of radioactive materials, radiation exposures or personnel injuries associated with this event