05000414/LER-2012-001

BACKGROUND

This event is being reported under the following criteria:

10 CFR 50.73(a)(2)(i)(B), any operation or condition which was prohibited by the plant's Technical Specifications (TS).

10 CFR 50.73(a)(2)(ii), any event or condition that resulted in: (B) The nuclear power plant being in an unanalyzed condition that significantly degraded plant safety.

10 CFR 50.73(a)(2)(v), any event or condition that could have prevented the fulfillment of the safety function of structures or systems that are needed to: (A) Shut down the reactor and maintain it in a safe shutdown condition; (B) Remove residual heat; (C) Control the release of radioactive material; or (D) Mitigate the consequences of an accident.

Catawba Nuclear Station Units 1 and 2 are Westinghouse four-loop Pressurized Water Reactors (PWRs) [EllS:

RCT].

The onsite standby power source for each 4160 volt Engineered Safety Features (ESF) bus [El IS: BU] at Catawba is a dedicated Diesel Generator (DG) [EMS: EK]. For each unit, DGs A and B are dedicated to ESF buses ETA and ETB, respectively. A DG starts automatically on a Safety Injection (SI) signal (i.e., low pressurizer pressure or high containment pressure) or on an ESF bus degraded voltage or undervoltage signal. After the DG has started, it will automatically tie to its respective bus after offsite power is tripped as a consequence of ESF bus undervoltage or degraded voltage, independent of or coincident with an SI signal. With no SI signal, there is a ten-minute delay between the degraded voltage signal and the DG start signal. The DGs will also start and operate in the standby mode without tying to the ESF bus on an SI signal alone. Following the trip of offsite power, a sequencer [EllS: EK] strips loads from the ESF bus. When the DG is tied to the ESF bus, loads are then sequentially connected to its respective ESF bus by the automatic load sequencer. The sequencing logic controls the permissive and starting signals to motor breakers to prevent overloading the DG by automatic load application.

In the event of a loss of preferred power, the ESF electrical loads are automatically connected to the DGs in sufficient time to provide for safe reactor shutdown and to mitigate the consequences of a Design Basis Accident (DBA) such as a Loss of Coolant Accident (LOCA).

Certain required unit loads are returned to service in a predetermined sequence in order to prevent overloading the DG in the process. Approximately one minute after the initiating signal is received, all loads needed to recover the unit or to maintain it in a safe condition are returned to service.

Each DG must therefore be capable of starting, accelerating to rated speed and voltage, and connecting to its respective ESF bus on detection of bus undervoltage. This must be accomplished within 11 seconds. Each DG must also be capable of accepting required loads within the assumed loading sequence intervals, and continue to operate until offsite power can be restored to the ESF buses.

TS 3.8.1, "AC Sources - Operating" delineates requirements for the DGs. Two DGs are required to be operable in Modes 1, 2, 3, and 4. With one DG inoperable (Condition B), the inoperable DG must be restored to operable status within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> (Required Action B.4). With two DGs inoperable (Condition E), one DG must be restored to operable status within 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> (Required Action E.1). If this is not accomplished (Condition G), the affected unit must be placed in Mode 3 within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> (Required Action G.1) and in Mode 5 within 36 hours4.166667e-4 days <br />0.01 hours <br />5.952381e-5 weeks <br />1.3698e-5 months <br /> (Required Action G.2). In addition, because the DGs provide emergency AC power to certain TS required systems that are shared between the Catawba units, the cascading effects on these shared systems' TS and their supported systems' TS must also be considered when one or more DGs become inoperable.

On 09/28/12 when the tachometer relay power supply failure occurred and on 10/23/12 when this event was determined to be reportable, both units were in Mode 1 at 100% power. Except as indicated in the Safety Analysis section of this report, no other structures, systems, or components were out of service that had any effect on the event.

EVENT DESCRIPTION

Date/TimePEvent (Some event times are approximate.) 08/29/12/0022-0225 DG 2B was started and run successfully during its monthly test. (Time indicates DG 2B start/shutdown.) 09/28/12/1919-2128 During the monthly test of DG 2B, an engine tachometer malfunction was noted. A work request/work order was generated to inspect and repair the tachometer during the next DG 2B work window on 10/23/12. At the time, the tachometer malfunction was determined to not affect DG 2B operability. (Time indicates DG 2B start/shutdown.) 09/29/12/1930PProblem Investigation Process (PIP) report C-12-08248 was written to document the issue.

10/02/12/--PPIP C-12-08248 was updated to document the fact that the tachometer had read 0 rpm during the test.

10/23/12/0418PDG 2B was declared inoperable for planned maintenance.

1645PDuring the planned maintenance on DG 2B, Engineering determined that the lack of rpm indication was caused by a failed tachometer relay power supply. A 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> clock per TS 3.8.1 Required Action B.3.1 was started for performing a common mode failure evaluation for DGs 2A, 1A, and 1B.

1731PPIP C-12-08991 was written to document the common mode failure evaluation. At the time, it was believed that the failed tachometer relay power supply would have prevented DG 2B from automatically starting in response to a DBA.

It was subsequently determined that the failed tachometer relay power supply would not have prevented DG 2B from automatically starting; however, it would have prevented the DG's output breaker from automatically closing in response to a DBA.

10/24/12/0322�The common mode failure evaluation was completed. No common mode failure mechanisms were identified.

1534-1850 The failed tachometer relay power supply was replaced. Required testing was completed on DG 2B. (Time indicates DG 2B start/shutdown.) 10/24/12/2221�DG 2B was declared operable.

CAUSAL FACTORS

The root cause of this event was determined to be an inadequate technical evaluation following the DG 2B engine tachometer malfunction on 09/28/12. This was attributed to an inadequate understanding of the relationship between the tachometer dial, the tachometer relay, the tachometer relay power supply, and the interlocks associated with the DG's output breaker (breaker 2ETB-18). Engineering DG subject matter experts and Operations licensed personnel did not recognize that the anomalous engine speed indication affected the automatic operation of the DG's output breaker. The impact of the tachometer malfunction on the ability of the DG's output breaker to automatically close was not recognized until 10/23/12 when the tachometer relay power supply failure was being investigated.

CORRECTIVE ACTIONS

Immediate:

1. Station Management initiated a Unit Threat Team in response to the failed tachometer relay power supply. A maintenance plan was developed to replace the failed component.

Based on available information during the event, Catawba performed a common mode failure evaluation as required by TS.

Subsequent:

Following replacement of the tachometer relay power supply, DG 2B was tested and returned to operable status. All applicable TS Conditions were subsequently exited.

2. The failed tachometer relay power supply was sent to the vendor for failure analysis.

Planned:

Operations will add steps to the DG operating and test procedures to verify the DG running status light is lit and Operator Aid Computer (OAC) on and speed indications are present when the DG is started. This will ensure that the tachometer relay is energized.

2. Engineering will revise the DG Design Basis Document (DBD) to describe the relationship between the tachometer, the tachometer relay, the tachometer relay power supply, and the interlocks associated with the DG's output breaker.

3. Engineering will develop a visible and/or an audible indication for verification of the status of the tachometer relay power supply (local indicating light or priority OAC alarm).

There are no NRC commitments contained in this LER.

SAFETY ANALYSIS

During the time period that DG 2B was inoperable from 09/28/12 to 10/24/12, there was one instance where DG 2A was also inoperable for planned maintenance. This instance began on 10/09/12 at 0400 hours0.00463 days <br />0.111 hours <br />6.613757e-4 weeks <br />1.522e-4 months <br /> and ended on 10/10/12 at 0546 hours0.00632 days <br />0.152 hours <br />9.027778e-4 weeks <br />2.07753e-4 months <br />. Therefore, during this interval, both Unit 2 DGs were simultaneously inoperable. In addition, various Unit 2 and Unit 2/Unit 1 shared Train A TS required equipment was inoperable during the time period that DG 2B was inoperable. This resulted in various Unit 2 and Unit 1 supported system TS requirements being violated during this time period.

Duke Energy used a risk-informed approach to determine the risk significance associated with the vulnerability of the DG 2B output breaker failing to automatically close.

The Incremental Conditional Core Damage Probability (ICCDP) and the Incremental Conditional Large Early Release Probability (ICLERP) associated with this event were evaluated by considering the following:

• The duration of the period of vulnerability of the DG 2B output breaker

• The use of the average maintenance Probabilistic Risk Analysis (PRA) model to represent plant configuration, equipment unavailability, and maintenance activities during this violation The ICCDP associated with this event was determined to be less than 1.0E-06 with the use of the model of record. The ICLERP associated with this event was determined to be less than 1.0E-07.

During the time period that DG 2B was inoperable, the Standby Shutdown System (SSS) remained functional.

The SSS is designed to mitigate the consequences of certain postulated fire, security, and station blackout incidents by providing the capability to maintain Mode 3 conditions and by controlling and monitoring vital systems from locations external to the main control room.

Therefore, this event is considered to have a small risk impact and is of no significance with respect to the health and safety of the public.

ADDITIONAL INFORMATION

Within the previous three years, there have been two other LER events involving DG inoperability due to a failed subcomponent. These events were documented in LER 413/2010-004, "Technical Specification Violation Involving Notice of Enforcement Discretion Due to Failure of Diesel Generator Engine-Mounted Thermocouple", and LER 413/2011-001, "Technical Specification Violation Involving Notice of Enforcement Discretion Due to Failure of Diesel Generator Mechanical Governor". However, those events did not involve the same root cause as this event. This event is therefore considered to be non-recurring.

Energy Industry Identification System (EIIS) codes are identified in the text as [EllS: XX]. This event is considered reportable to the INPO Consolidated Event System (ICES) (formerly called the Equipment Performance and Information Exchange (EPIX) program).

This event is considered to constitute a Safety System Functional Failure during the time period when both DGs were simultaneously inoperable. There was no release of radioactive material, radiation overexposure, or personnel injury associated with the event described in this LER.