05000413/LER-2013-001

LER-2013-001, Each Diesel Generator (DG) Was Determined to Be Unknowingly Inoperable During Its Monthly Surveillance Test Due to Technical Specification (TS) Surveillance Requirement (SR) 3.8.1.17 Not Being Met
Catawba Nuclear Station, Unit 1
Event date: 08-13-2013
Report date: 10-10-2013
Reporting criterion: 10 CFR 50.73(a)(2)(i)(B), Prohibited by Technical Specifications

10 CFR 50.73(a)(2)(v), Loss of Safety Function

10 CFR 50.73(a)(2)(v)(A), Loss of Safety Function - Shutdown the Reactor
4132013001R00 - NRC Website

BACKGROUND

This event is being reported under the following criteria:

10 CFR 50.73(a)(2)(i)(B), any operation or condition which was prohibited by the plant's Technical Specifications (TS).

10 CFR 50.73(a)(2)(v), any event or condition that could have prevented the fulfillment of the safety function of structures or systems that are needed to: (A) Shut down the reactor and maintain it in a safe shutdown condition; (B) Remove residual heat; (C) Control the release of radioactive material; or (D) Mitigate the consequences of an accident.

Catawba Nuclear Station Units 1 and 2 are Westinghouse four-loop Pressurized Water Reactors (PWRs) [EIIS: RCT].

The onsite standby power source for each 4160 volt Engineered Safety Features (ESF) bus [EIIS: BU] at Catawba is a dedicated Diesel Generator (DG) [EIIS: EK]. For each unit, DGs A and B are dedicated to ESF buses ETA and ETB, respectively. A DG starts automatically on a Safety Injection (SI) signal (i.e., low pressurizer pressure or high containment pressure) or on an ESF bus degraded voltage or undervoltage signal. After the DG has started, it will automatically tie to its respective bus after offsite power is tripped as a consequence of ESF bus undervoltage or degraded voltage, independent of or coincident with an SI signal. With no SI signal, there is a ten-minute delay between the degraded voltage signal and the DG start signal. The DGs will also start and operate in the standby mode without tying to the ESF bus on an SI signal alone. Following the trip of offsite power, a sequencer [EIIS: EK] strips loads from the ESF bus. When the DG is tied to the ESF bus, loads are then sequentially connected to its respective ESF bus by the automatic load sequencer. The sequencing logic controls the permissive and starting signals to motor breakers to prevent overloading the DG by automatic load application.

In the event of a loss of preferred power, the ESF electrical loads are automatically connected to the DGs in sufficient time to provide for safe reactor shutdown and to mitigate the consequences of a Design Basis Accident (DBA) such as a Loss of Coolant Accident (LOCA).

Certain required unit loads are returned to service in a predetermined sequence in order to prevent overloading the DG in the process. Approximately one minute after the initiating signal is received, all loads needed to recover the unit or to maintain it in a safe condition are returned to service.

Each DG must therefore be capable of starting, accelerating to rated speed and voltage, and connecting to its respective ESF bus on detection of bus undervoltage. This must be accomplished within 11 seconds. Each DG must also be capable of accepting required loads within the assumed loading sequence intervals, and continue to operate until offsite power can be restored to the ESF buses.

TS 3.8.1, "AC Sources - Operating" delineates requirements for the DGs. Two DGs are required to be operable in Modes 1, 2, 3, and 4. With one DG inoperable (Condition B), the inoperable DG must be restored to operable status within 72 hours (Required Action B.4). In addition, when a DG is inoperable, Surveillance Requirement (SR) 3.8.1.1 (verify correct breaker alignment and indicated power availability for each offsite circuit) must be performed for the offsite circuit(s) within 1 hour and once per 8 hours thereafter (Required Action B.1). With two DGs inoperable (Condition E), one DG must be restored to operable status within 2 hours (Required Action E.1).

If any of these Required Actions are not accomplished within their specified Completion Times (Condition G), the affected unit must be placed in Mode 3 within 6 hours (Required Action G.1) and in Mode 5 within 36 hours (Required Action G.2). In addition, because the DGs provide emergency AC power to certain TS required systems that are shared between the Catawba units, the cascading effects on these shared systems' TS and their supported systems' TS must also be considered when one or more DGs become inoperable.

SR 3.8.1.2 verifies that each DG starts from standby conditions and achieves steady state voltage >/= 3950 V and loaded and operates for >/= 60 minutes at a load >/= 5600 kW and every 31 days in accordance with the Surveillance Frequency Control Program.

SR 3.8.1.17 verifies that with the DG operating in the test mode and connected to its bus, an actual or simulated ESF actuation signal overrides the test mode by returning the DG to standby operation and automatically energizing the emergency load from offsite power. This SR is performed every 18 months in accordance with the Surveillance Frequency Control Program. The TS Bases for SR 3.8.1.17 defines standby operation as "the DG running at rated speed and voltage with the DG output breaker open". Rated speed and voltage are 450 rpm (corresponding to 60 Hz) and 4160 V, respectively. NRC Regulatory Guide 1.9, "Application and Testing of Safety-Related Diesel Generators in Nuclear Power Plants" specifies an acceptable range of frequency and voltage of +/- 2% and +/- 10%, respectively, of nominal values during loading and transients.

On August 13, 2013 when this issue was determined to be reportable, both units were in Mode 1 at 100% power.

No other structures, systems, or components were out of service that had any effect on the event.

EVENT DESCRIPTION

Date/Time: Event (Some event times are approximate.)

06/18/13, 1738: Problem Investigation Process (PIP) C-13-05044 was generated. This PIP was written to document an Engineering evaluation that was conducted in response to a question raised by Maintenance during training. A review of the DG control circuitry identified a discrepancy between the electrical drawing configuration and published vendor literature.

The vendor documentation stated that the DG will return to pre-position voltage and frequency if an emergency signal is received while the DG is being tested. However, it was determined that frequency will not return to its pre-position setting if the DG is operating at full load and paralleled to offsite power. Frequency will be outside of the required range for standby conditions. Operating outside of the TS required frequency range renders the DG inoperable.

2240: An Immediate Determination of Operability (IDO) was performed. The conclusion of the IDO was that the DGs were Operable but Degraded/Non-Conforming (OBDN) based on the fact that the DGs can meet SR 3.8.1.17 as long as DG load is maintained below a threshold value when paralleled to offsite power during testing. The threshold load value varies with each DG as determined by DG setup.

Operations revised the procedures for DG monthly surveillance testing to require declaring the affected DG inoperable during the test.

06/18/13 — 08/13/13 Engineering and Regulatory Affairs continued to review this issue and determined that it was LER reportable. For the previous three-year period, the occasions where each DG was operated during testing at greater than the threshold load value were reviewed. One instance was found on Unit 2 where a DG was unknowingly inoperable during testing and the opposite train DG was simultaneously inoperable. It was as follows:

10/10/12 — DG 2A was run for testing from 0247 to 0454. From 09/28/12 at 1919 to 10/24/12 at 2221, DG 2B was inoperable due to a failed tachometer relay power supply.

(The failed tachometer relay power supply and its effect on DG 2B operability was previously reported in LER 414/2012-001 (ADAMS accession number ML12363A018).) In addition, because SR 3.8.1.1 was not performed within 1 hour when the DGs were unknowingly inoperable during testing, this constituted a violation of TS 3.8.1 for both units.

CAUSAL FACTORS

The cause of this issue is an inadequate original design. The original vendor design drawing, which dates back to 1979, shows the pre-position initiation circuitry that provides a signal to the voltage regulator and governor controls. The basic design work on the DG controls was performed by the vendor. Duke Energy then completed the control system design. The design flaw apparently was passed on from the vendor to Duke Energy and was not recognized by either during the design of the system. Once the design was obtained from the vendor and completed by Duke Energy, review of the control system apparently was inadequate to identify the design flaw. Furthermore, validation of the written vendor description of the controls against the actual electrical schematics did not occur, or if it did occur, it was inadequate. As a result, the pre-position circuit was never energized to return the DG to the required TS frequency. Contributing to this issue is the fact that the LOCA-only portion of ESF testing is performed with the DG only loaded to 2000 kW. This does not place the controls in their expected configuration during worst case surveillance testing. Thus, the DG controls were not adequately challenged to verify that they return the DG to standby operation as required by SR 3.8.1.17.

CORRECTIVE ACTIONS

Immediate:

1. An IDO was performed and it was concluded that the DGs were OBDN.

Subsequent:

1. The procedures for DG monthly surveillance testing were revised to require declaring the affected DG inoperable during the test.

Planned:

1. The Unit 1 DG controls will be revised per the station work control process (Unit 2 is being completed during the current refueling outage) such that if the DG is running paralleled to offsite power at full load, the pre-position control circuit will energize to reset the controls to their required settings upon actuation of the DG load sequencer.

2. The Unit 1 procedure for ESF testing will be revised per the station procedure control process (Unit 2 was completed during the current refueling outage) to load the affected DG to full load before initiating the LOCA-only portion of the test.

There are no NRC commitments contained in this LER.

SAFETY ANALYSIS

There was minimal safety significance to this event. The DGs were operable except for those time periods when they were being tested while operating paralleled to offsite power at greater than the threshold load value. During these time periods, the duration of inoperability was much less than the 72 hours allowed by TS 3.8.1, Condition B. Safety related components supplied by the DGs were evaluated for impact due to the potential overfrequency condition that could have occurred following a DBA. These components included motor-operated valves, certain air-operated valves (the impact on these air-operated valves is due to the increase in upstream air pressure as a result of the overfrequency condition on the instrument air compressors), electric motors, pumps, inverters, battery chargers, and batteries. In all cases, sufficient margin was associated with the operation of these components such that their design functions would not have been impeded as a result of the potential overfrequency condition. The batteries themselves are immune to AC frequency variations. In addition, during these time periods, the Standby Shutdown System (SSS) remained functional. The SSS is designed to mitigate the consequences of certain postulated fire, security, and station blackout incidents by providing the capability to maintain Mode 3 conditions and by controlling and monitoring vital systems from locations external to the main control room.

At Catawba, each DG is the assured source of emergency power to its associated unit and train related Nuclear Service Water System (NSWS) pump. An inoperable DG renders its associated NSWS pump inoperable.

Because the NSWS pumps are shared between the Catawba units, both units must initially enter the appropriate NSWS TS Condition when a pump becomes inoperable. Therefore, situations can occur where cross-train and cross-unit inoperabilities can result in a loss of safety function due to the shared nature of the NSWS and its effect on supported systems. Three such instances were discovered during the previous three-year period. They occurred on 03/01/11, 04/12/11, and 10/17/12. All three instances were of short duration (approximately 2.5 hours or less). These durations were within the allowance of LCO 3.0.3 for plant shutdown.

Therefore, this event is considered to have no significance with respect to the health and safety of the public.

ADDITIONAL INFORMATION

Within the previous three years, there were LER events involving DG inoperability due to failed subcomponents. However, these events did not involve legacy design issues dating back to the original design. Therefore, corrective actions taken as a result of those events could not have prevented this event from occurring. This event is therefore considered to be non-recurring.

Energy Industry Identification System (EIIS) codes are identified in the text as [EIIS: XX]. This event is considered reportable to the INPO Consolidated Event System (ICES) (formerly called the Equipment Performance and Information Exchange (EPIX) program).

This event is considered to constitute a Safety System Functional Failure. There was no release of radioactive material, radiation overexposure, or personnel injury associated with the event described in this LER.