05000413/LER-2012-002
| Docket Number | |
| Event date: | |
|---|---|
| Report date: | |
| Reporting criterion: | 10 CFR 50.73(a)(2)(i)(B), Prohibited by Technical Specifications 10 CFR 50.73(a)(2)(vii), Common Cause Inoperability |
| 4132012002R00 - NRC Website | |
Event Description:
It was discovered that the existing Solid State Protection System (SSPS) (semi-automatic test) logic test and Westinghouse "7300" series channel operational test (COT) surveillance procedures for the "Safety Injection on 2/4 Low Pressurizer Pressure" function do not provide sufficient overlap to functionally test some of the SSPS wiring used for channel combination logic. The inadequate surveillance testing constitutes a failure to meet the Limiting Condition for Operation, resulting in past operation prohibited by Technical Specifications, and common cause inoperability of an independent train or channel.
Event Cause:
The apparent cause was a functional design deficiency by the vendor in the specific test circuitry used to verify the SSPS logic.
Corrective Actions:
Testing was conducted to verify the function of the affected SSPS wiring.
BACKGROUND
The following information is provided to assist readers in understanding the condition described in this Licensee Event Report (LER). Applicable Energy Industry Identification System [EIIS] and component codes are enclosed within brackets. Catawba unique system and component identifiers are contained within parentheses.
Solid State Protection System [JC](SSPS):
The SSPS equipment is used for the decision logic processing of outputs from the signal processing equipment bistables. To meet the redundancy requirements, two trains of SSPS, each performing the same functions, are provided.
The SSPS performs the decision logic for most Engineered Safety Features (ESF) equipment actuation; generates the electrical output signals that initiate the required actuation; and provides the status, permissive, and annunciator output signals to the main control room of the unit.
The bistable outputs from the signal processing equipment are sensed by the SSPS equipment and combined into logic matrices that represent combinations indicative of various transients. If a required logic matrix combination is completed, the system will send actuation signals via master and slave relays to those components whose aggregate function best serves to alleviate the condition and restore the unit to a safe condition.
Each SSPS train has a built in testing device that can test the decision logic matrix functions and the actuation devices while the unit is at power.
When any one train is taken out of service for testing, the other train is capable of providing unit monitoring and protection until the testing has been completed. The testing device is semiautomatic to minimize testing time.
Safety Injection - Pressurizer Pressure-Low is one of the SSPS input signals. This signal provides protection against the following accidents: inadvertent opening of a steam generator (SG) relief or safety valve; steam line break (SLB); spectrum of rod cluster control assembly ejection accidents (rod ejection); inadvertent opening of a pressurizer relief or safety valve; loss of coolant accidents (LOCAs); and SG tube rupture.
EVENT DESCRIPTION
On September 26, 2012, site Engineering personnel determined that the existing SSPS logic test (semi-automatic test) and 7300 channel operational test (COT) surveillance procedures for "Safety Injection on 2/4 Low Pressurizer Pressure" function may not provide sufficient overlap to confirm function for some of the SSPS wiring used for channel combinational logic. This condition was subsequently confirmed by site Engineering personnel in consultation with the vendor (Westinghouse) SSPS Engineer.
The condition was determined to impact both SSPS trains of both Units for the specific function. The SSPS design uses a combination of two 2/3 and one 2/2 SSPS logic circuits on two separate logic cards to develop the 2/4 logic for Safety Injection on Low Pressurizer Pressure.
The arrangement uses external wires on the back planes of the cards to distribute some of the four input signals to the appropriate logic cards. For this specific function and current design, positive verification of annunciator and/or .status indications during the 7300 Pressurizer Pressure-Low Channel COT's does not functionally test some of the logic input wiring paths to the logic cards. Current SSPS logic testing, using the built in semi-automatic tester, verifies the correct logic from the logic input to the appropriate logic outputs, but also does not functionally test the external wiring.
Subsequent to the discovery of the condition, it was recognized that applicable surveillance requirements for LCO 3.3.1, "Reactor Trip System (RTS) Instrumentation and LCO 3.3.2, "Engineered Safety Features Actuation System Instrumentation," were not met for both Unit 1 and Unit 2 SSPS trains, resulting in entry into LCO 3.0.3 at 1515 hours0.0175 days <br />0.421 hours <br />0.0025 weeks <br />5.764575e-4 months <br /> on 9/26/12 for both units. Following successful verification of the exited LCO 3.0.3 at 2132 hours0.0247 days <br />0.592 hours <br />0.00353 weeks <br />8.11226e-4 months <br /> on 9/26/12, prior to a power reduction being required. Unit 1 exited LCO 3.0.3 at 2203 hours0.0255 days <br />0.612 hours <br />0.00364 weeks <br />8.382415e-4 months <br /> on 9/26/12, prior to a power reduction being required. Train 1A and train 2A SSPS testing was completed on 9/27/12 and LCO 3.3.1 and LCO 3.3.2 were exited.
The condition was discovered on 9/26/12. Site level Reportability discussions began immediately. Fleet level discussions to ensure consistency were initiated and the Reportability determination was completed on 10/18/12 concluding testing had not been performed and represented a condition prohibited by Technical Specifications.
RNRC FORM 366A U.S. NUCLEAR REGULATORY COMMISSION In that the condition existed on both units prior to discovery, the inadequate surveillance testing constitutes a failure to meet Limiting Condition for Operation (LCO) 3.3.1 and 3.3.2, and resulted in past operation prohibited by Technical. Specifications, satisfying reporting criterion 10 CFR 50.73(a)(2)(i)(B). The condition is also reportable as a result of common cause inoperability of an independent train or channel (reporting criterion 10 CFR 50.73(a)(2)(vii)).
CAUSAL FACTORS
It was determined that the external wiring of the "Safety Injection on 2/4 Low Pressurizer Pressure" function and the associated selector switch wiring inside the SSPS was an original design provided by Westinghouse during the construction of the plant. Surveillance testing procedures failed to account for this unique design and failed to test accordingly.
Duke Energy performed an extensive review of logic schematics and surveillance procedures as required by Generic Letter (GL) 96-01, "Testing of Safety-Related Circuits," however, the wiring issue for the Safety Injection Low Pressurizer Pressure function was not identified.
The apparent cause is a functional design deficiency by the vendor in the specific test circuitry used to verify the Safety Injection Pressurizer Pressure Low Pressure logic. The Semi-Automatic Tester was designed by Westinghouse and is considered as an integral function in the overall SSPS design. The failure of Duke Energy personnel to discover the condition during the original test procedure preparation/review and the later GL 96-01 review are considered to be contributors.
CORRECTIVE ACTIONS
Immediate Corrective Actions:
1.R Conduct a functional test utilizing simulated inputs to verify affected SSPS wiring. (Train 1B and 2B was completed on 9/26/12; Train lA and 2A was completed on 9/27/12) Subsequent Corrective Actions:
satisfy Technical Specification Surveillance Requirements for Safety Injection on Low Pressurizer Pressure. (Complete) 2. The Catawba Nuclear Station SSPS design was reviewed for other cases where a similar issue exists, and none were found. The extent of condition review was limited to the SSPS circuits because these circuits are specific only to SSPS design in the use of combination logic cards to achieve protection; and therefore not applicable to other RPS/ESF circuits.
3. Implement design changes and hardware (cards) and surveillance procedures to modify the testing method eliminating the semi automatic testing function. (Complete for Unit 1)
SAFETY ANALYSIS
The SSPS remained capable of performing its safety function, as demonstrated by subsequent functional testing of the affected SSPS wiring. Therefore, this condition had no impact on nuclear safety.
ADDITIONAL INFORMATION
To determine if this condition is recurring, a search of the Catawba Nuclear Station Problem Identification Process (PIP) database was conducted for a time period covering five years prior to the condition.
The PIP searches do not show any previous history or identification of inadequate testing pertaining to the specific issue identified at the Catawba Nuclear Station for Safety Injection Low Pressurizer Pressure logic testing. Therefore, this condition is not considered recurring.
This condition did not constitute a Safety System Functional Failure.
There were no releases of radioactive materials, radiation overexposure, or personnel injuries associated with this condition.