05000413/LER-2011-001
| Catawba Nuclear Station, Unit 1 | |
| Event date: | |
|---|---|
| Report date: | |
| Reporting criterion: | 10 CFR 50.73(a)(2)(i)(B), Prohibited by Technical Specifications |
| 4132011001R00 - NRC Website | |
BACKGROUND
This event is being reported under the following criterion:
10 CFR 50.73(a)(2)(i)(B), any operation or condition which was prohibited by the plant's Technical Specifications (TS).
Catawba Nuclear Station Unit 1 is a Westinghouse four-loop Pressurized Water Reactor (PWR) [EllS: RCT].
The onsite standby power source for each 4160 volt Engineered Safety Features (ESF) bus [El IS: BU] at Catawba is a dedicated Diesel Generator (DG) [EllS: EK]. For each unit, DGs A and B are dedicated to ESF buses ETA and ETB, respectively. A DG starts automatically on a Safety Injection (SI) signal (i.e., low pressurizer pressure or high containment pressure) or on an ESF bus degraded voltage or undervoltage signal. After the DG has started, it will automatically tie to its respective bus after offsite power is tripped as a consequence of ESF bus undervoltage or degraded voltage, independent of or coincident with an SI signal. With no SI signal, there is a ten-minute delay between the degraded voltage signal and the DG start signal. The DGs will also start and operate in the standby mode without tying to the ESF bus on an SI signal alone. Following the trip of offsite power, a sequencer [EllS: EK] strips loads from the ESF bus. When the DG is tied to the ESF bus, loads are then sequentially connected to its respective ESF bus by the automatic load sequencer. The sequencing logic controls the permissive and starting signals to motor breakers to prevent overloading the DG by automatic load application.
In the event of a loss of preferred power, the ESF electrical loads are automatically connected to the DGs in sufficient time to provide for safe reactor shutdown and to mitigate the consequences of a Design Basis Accident (DBA) such as a Loss of Coolant Accident (LOCA).
Certain required unit loads are returned to service in a predetermined sequence in order to prevent overloading the DG in the process. Approximately one minute after the initiating signal is received, all loads needed to recover the unit or to maintain it in a safe condition are returned to service.
TS 3.8.1 governs the DGs. Limiting Condition for Operation (LCO) 3.8.1 requires two operable DGs for each unit that is in Modes 1, 2, 3, and 4. With one DG inoperable, the inoperable DG must be restored to operable status within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> per Required Action B.4. If this is not accomplished, the unit must be placed in Mode 3 within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and in Mode 5 within 36 hours4.166667e-4 days <br />0.01 hours <br />5.952381e-5 weeks <br />1.3698e-5 months <br /> per Required Actions G.1 and G.2.
The Nuclear Service Water System (NSWS) [EllS: BI] provides a heat sink for the removal of process and operating heat from safety related components during a DBA or transient. During normal operation, and a normal shutdown, the NSWS also provides this function for various safety related and non-safety related components.
The NSWS consists of two independent loops (A and B) of essential equipment, each of which is shared between the two Catawba units. Each loop contains two NSWS pumps [EllS: P], each of which is supplied from a separate DG. Each set of two pumps supplies two trains (1A and 2A, or 1B and 2B) of essential equipment through common discharge piping [EllS: None]. While the pumps are unit designated (i.e., 1A, 1B, 2A, 2B), all train-related pumps receive automatic start signals from a corresponding train-related SI or blackout signal from either unit. Therefore, a pump designated to one unit will supply post-accident cooling to equipment in that loop on both units. For example, the 1A NSWS pump, whose emergency power is supplied by DG 1A, will supply post-accident cooling to NSWS trains 1A and 2A.
One NSWS loop containing two operable NSWS pumps has sufficient capacity to supply post-LOCA loads on one unit and shutdown and cooldown loads on the other unit. Thus, the operability of two NSWS loops assures that no single failure will keep the system from performing the required safety function. Additionally, one NSWS loop containing one operable NSWS pump has sufficient capacity to maintain one unit indefinitely in Mode 5 (commencing 36 hours4.166667e-4 days <br />0.01 hours <br />5.952381e-5 weeks <br />1.3698e-5 months <br /> following a trip from full power) while supplying the post-LOCA loads of the other unit.
Thus, after a unit has been placed in Mode 5, only one NSWS pump and its associated DG are required to be operable on each loop, in order for the system to be capable of performing its required safety function, including single failure considerations.
TS 3.7.8 governs the NSWS. LCO 3.7.8 requires two operable NSWS trains for each unit that is in Modes 1, 2, 3, and 4. With one NSWS train inoperable, the inoperable NSWS train must be restored to operable status within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> per Required Action A.1. If this is not accomplished, the unit must be placed in Mode 3 within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and in Mode 5 within 36 hours4.166667e-4 days <br />0.01 hours <br />5.952381e-5 weeks <br />1.3698e-5 months <br /> per Required Actions C.1 and C.2.
The NSWS also supports the Auxiliary Feedwater (AFW) [EllS: BA] and Containment Spray [El IS: BE] Systems since it serves as the assured water source for these systems. TS 3.7.5 governs the AFW System. LCO 3.7.5 requires three AFW trains to be operable in Modes 1, 2, and 3. In Mode 4 when the steam generators are relied upon for heat removal, one motor-driven AFW train is required to be operable. With one AFW train inoperable in Mode 1, 2, or 3 for reasons other than an inoperable steam supply to the turbine-driven AFW pump, the inoperable AFW train must be restored to operable status within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> per Required Action B.1. If this is not accomplished, the unit must be placed in Mode 3 within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and in Mode 4 within 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> per Required Actions C.1 and C.2. TS 3.6.6 governs the Containment Spray System. LCO 3.6.6 requires two containment spray trains to be operable in Modes 1, 2, 3, and 4. With one containment spray train inoperable, the inoperable containment spray train must be restored to operable status within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> per Required Action A.1. If this is not accomplished, the unit must be placed in Mode 3 within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and in Mode 5 within 84 hours9.722222e-4 days <br />0.0233 hours <br />1.388889e-4 weeks <br />3.1962e-5 months <br /> per Required Actions B.1 and B.2.
On February 26, 2011, when this event occurred, Unit 1 was in Mode 1 at 100% power operation.
EVENT DESCRIPTION
(Some event times are approximate.) Date/Time Event 02/22/2011/1206 DG 1B was started for its 24-hour run. The 24-hour run is performed every 18 months in accordance with TS Surveillance Requirement (SR) 3.8.1.14.
02/22/2011/1240 The DG achieved full load.
02/23/2011/- 0430 DG voltage, power factor, and load were noted to be swinging outside of the normal control band (load was noted to be changing by approximately 800 kW).
02/23/2011/0432 DG 1B was declared inoperable.
02/23/2011/0509 Problem Investigation Report (PIP) C-11-01407 was written to document the issue.
02/23/2011/---- Troubleshooting subsequently determined that the problem with DG 1B was in the mechanical governor. The governor's speed setting could not be adjusted to the desired value.
02/24/2011/0326 As required by TS, a common mode failure evaluation was completed within 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> in order to determine if the problem was transportable to the other DGs (1A, 2A, and 2B).
This evaluation determined that no common mode failure mechanism existed. The decision was made to replace the mechanical governor.
02/25/2011/1500 Catawba held a telephone conference call with the NRC to request enforcement discretion from the applicable TS requirements.
02/25/2011/1655 The NRC verbally granted the requested enforcement discretion.
02/25-27/2011 The replacement of the mechanical governor was completed and the DG 1B 24-hour run was re-performed with successful results.
02/27/2011/1454 DG 1B was declared operable.
03/01/2011 Catawba formally submitted the written request for enforcement discretion.
03/03/2011 The NRC formally documented their approval of the request for enforcement discretion.
CAUSAL FACTORS
The following Most Probable Cause and Root Causes were determined in conjunction with this event:
Most Probable Cause:
The mechanical governor speed setting drifted within the operating range of the primary electronic governor.
Basis:
Approximately 15 hours1.736111e-4 days <br />0.00417 hours <br />2.480159e-5 weeks <br />5.7075e-6 months <br /> into the 24-hour operability run for DG 1B, the load began to swing. During troubleshooting activities and subsequent failure investigation, it was determined that the speed setting for the mechanical governor was 451 rpm versus the desired 460 rpm. A separation between the mechanical governor speed setting and the electronic governor speed setting (450 rpm) is desired to prevent the two governors from competing with one another for control of the DG engine. If the electronic and mechanical portions of the governor actuator compete, the governor output (fuel rack position) can vary and cause load oscillations. A small amount of mechanical droop (inherent to the design of the governor actuator) would likely have caused the problem to appear only when the engine was tied to the grid and loaded above a certain value. A friction clutch is used to provide resistance against the speed setting knob to keep it from changing due to vibration. During disassembly at the governor vendor shop, the breakaway torque of this clutch was found to be 3.5 inch-pounds, versus the manufacturer design specification of 4.5 to 5.5 inch-pounds. The lower clutch torque value likely allowed the speed setting to begin to drift down at some point over the nine years this governor actuator had been installed. Recommended owner's group preventive maintenance includes verifying speed knob position and routinely testing the mechanical governor speed setting. Had Catawba followed industry guidance and implemented recommended preventive maintenance, this concern would likely have been identified prior to this event.
Root Cause 1:
Catawba failed to fully comply with or sufficiently justify deviation from the recommendations of the Cooper- Enterprise Preventive Maintenance Program (PMP).
Basis:
The Cooper-Enterprise PMP, which was an outgrowth of the Transamerica Delaval Design Review/Quality Revalidation (DR/QR) document, contained a requirement to check the mechanical governor setting knob position. The Cooper-Enterprise PMP is a living program leveraged by the Owner's Group to foster the reliability of DGs. Catawba maintains this document along with site-specific modifications to it. The Catawba document of record still contains the recommendation for the mechanical governor setting knob check without justification for not completing this action.
The requirement for the mechanical governor setting knob check extends back to the original DR/QR. The original DR/QR was previously incorporated into Catawba's licensing basis via license conditions. Therefore, Catawba was obligated to perform this check until the license conditions were approved by the NRC for deletion in 1994. Subsequent to the deletion of the license conditions, the requirement to perform this check was removed via the Preventive Maintenance Optimization (PMO) project. Catawba had several opportunities during the transition from the DR/QR to the current PMP to recognize that this preventive maintenance action had been removed and to take action to rectify.
Root Cause 2:
Operating experience insights were not adequately applied to the DG PMP.
Basis:
Catawba performs periodic maintenance and testing of the mechanical governor. However, other nuclear stations perform additional activities that Catawba does not. These include the following:
1) Regularly observe the position of the mechanical governor speed setting dial.
2) Routinely test the mechanical governor speed setting to ensure the correct setting is maintained.
Had Catawba been regularly observing the speed knob setting and routinely testing the mechanical governor speed setting, this event could have been averted. Catawba had opportunities to question its DG PMP from various operating experience documents.
CORRECTIVE ACTIONS
Immediate:
1. A Unit Threat Team was formed due to entry into the applicable TS Conditions. A maintenance plan was developed to replace the mechanical governor.
2. Based on available information during the event, Catawba performed a common mode failure analysis as required by TS.
Subsequent:
1. Enforcement discretion was requested and obtained from the NRC to allow an additional 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> prior to having to place Unit 1 in Mode 3.
2. Following replacement of the mechanical governor, DG 1B was tested via re-performance of the 24- hour run and returned to operable status. All applicable TS Conditions were subsequently exited.
3. The failed mechanical governor was sent to the vendor for failure analysis and refurbishment.
Planned:
1. Catawba will implement changes to the DG PMP to regularly observe the position of the mechanical governor speed setting knob and to routinely test the mechanical governor speed setting to ensure the correct setting is maintained.
2. In order to enhance the use of operating experience, Duke Energy will implement a fleet DG Working Group. This Working Group will be responsible for maintaining design expertise regarding all aspects for the various DGs at all Duke Energy nuclear sites. The Working Group will also be responsible for providing a lead role for owners' group interface and for coordination of preventive maintenance activities.
There are no NRC commitments contained in this LER.
SAFETY ANALYSIS
Catawba subsequently determined that even with the problem experienced by the mechanical governor, DG 1B would have been available and would have been able to perform its function had an actual demand occurred (up until the point that DG 1B underwent corrective maintenance to replace the mechanical governor). During the time period that DG 1B was unavailable due to maintenance, the opposite train DG (DG 1A) was operable and would have functioned as designed in the event of a loss of normal power to its essential bus. Therefore, plant response to a DBA, had one occurred, would have been within analysis limits.
Catawba reviewed past test history for the full load rejection test. This test is performed every 18 months as required by TS SR 3.8.1.10. During this test, engine speed control defaults to the mechanical governor. This SR requires DG speed to be maintained
NO
the mechanical governor. For the most recent performances of this test for DGs 1A, 2A, and 2B, the following speed settings were noted (above the desired value of 460 rpm and below the TS limit of 500 rpm):
DG Test Date Mechanical Governor Speed Setting (rpm) 1A 01/08/2011 463.5 2A 04/02/2011 468.0 2B 09/25/2009 463.5 The probabilistic risk analysis and other technical information contained in the enforcement discretion request fully supported the 48-hour extension of the applicable TS Completion Times. The details of the enforcement discretion request can be found in the letter from Duke Energy to the NRC dated March 1, 2011 (ADAMS Accession Number ML110630276). The NRC letter granting the enforcement discretion request was issued on March 3, 2011 (ADAMS Accession Number ML110620718).
This event did not affect the health and safety of the public.
ADDITIONAL INFORMATION
Within the previous three years, there has been one other LER event involving a request for enforcement discretion due to a failed DG component. This event was documented in LER 413/2010-004, "Technical Specification Violation Involving Notice of Enforcement Discretion Due to Failure of Diesel Generator Engine- Mounted Thermocouple". There have also been other LER events involving TS violations. However, the specific circumstances surrounding these events and the corrective actions taken in response to these events could not have prevented this event from occurring. This event is therefore considered to be non-recurring.
However, Catawba is an outlier in the industry with respect to having a 72-hour Completion Time for DGs.
During the late 1990s, other utilities pursued and obtained extended DG Completion Times. Catawba did not pursue a Completion Time extension at that time; however, Catawba did pursue a DG Completion Time extension previously via a Westinghouse Owners' Group program. The extension attempt was unsuccessful due to concerns over its analytical basis. Catawba therefore has limited flexibility due to its 72-hour Completion Time. Catawba is pursuing a design study to support a TS change extending the Completion Time for one inoperable DG.
Energy Industry Identification System (El IS) codes are identified in the text as [EllS: XX]. This event is considered reportable to the Equipment Performance and Information Exchange (EPIX) program.
This event is not considered to constitute a Safety System Functional Failure. This event only affected the operability of DG 1B. DG 1A remained operable throughout this event. It was determined that the condition described in this LER did not extend to the other DGs. There was no release of radioactive material, radiation overexposure, or personnel injury associated with the event described in this LER.