05000482/LER-2005-004
| Docket Numbersequential Revmonth Day Year Year Month Day Yearnumber No. N/A 05000 | |
| Event date: | 05-10-2005 |
|---|---|
| Report date: | 07-08-2005 |
| Reporting criterion: | 10 CFR 50.73(a)(2)(i)(B), Prohibited by Technical Specifications 10 CFR 50.73(a)(2)(ii)(B), Unanalyzed Condition 10 CFR 50.73(a)(2)(V) 10 CFR 50.73(a)(2)(v)(C), Loss of Safety Function - Release of Radioactive Material |
| 4822005004R00 - NRC Website | |
Background:
The emergency exhaust system (EES) [EIIS: VF] exhausts from the auxiliary building following a loss of coolant accident (LOCA) and processes the air through a charcoal adsorber train prior to releasing it to the atmosphere through the unit vent. The EES also exhausts a limited amount of air from the fuel building following a LOCA to prevent excessive negative pressure in the auxiliary building.
The EES serves the auxiliary building only following a LOCA to assure that all emergency core cooling system (ECCS) leakage to the auxiliary building atmosphere and the containment air purged via the hydrogen purge system are processed. All ductwork which is not required for operation of the emergency exhaust system and penetrates the auxiliary building boundary is automatically isolated. These nonessential systems are provided with two motor-operated dampers [EIIS: DMP] in a series arrangement at the boundary penetrations. These dampers will close automatically following receipt of a safety injection signal (SIS). The emergency exhaust system maintains a negative pressure in the auxiliary building to assure that all leakage is into the building.
Two auxiliary building boundary penetrations are part of the main condenser air removal filtration system [EIIS: SH].
Ductwork directs non-condensable gasses from the main condenser [EIIS: COND] to the auxiliary building penetration. Two motor-operated dampers in each penetration, one powered from safety train A and one powered from safety train B, close on a SIS to isolate the auxiliary building boundary as described above.
An integrated system test demonstrates the operation of the valves, pump circuit breakers and the automatic loading of emergency core cooling system (ECCS) components on the emergency diesel generators by introducing a SIS and simultaneously simulating a loss of offsite power to the vital electrical busses. The electrical bus supplying power to the damper motor operators would be shed by the load shedder emergency load sequencer (LSELS) and then re-loaded, if the safety injection SIS is still present, with power supplied by the emergency diesel generator.
Plant Conditions Prior to the Event:
Mode — 6 Power — 0% RCS temperature was approximately 90 degrees F at atmospheric pressure.
Event Description:
On May 10, 2005, during Wolf Creek Generating Station (WCGS) refueling outage number 14, technical specifications surveillance testing simulating a LOCA coincident with a lose of off-site power was being conducted. It was noted that the four dampers required to close to isolate the auxiliary building from the main condenser air removal filtration system had not fully closed, but were in mid-position. A review of the test sequence revealed that the loss of off-site power portion of the test was initiated while the damper was stroking to the closed position.
Event Description Continued:
If power is lost to the electrical bus during the stroking operation, the motor operator would stop.and the damper would remain in its current position until the power to the bus was restored by the LSELS. Then the motor should restart and move the damper to its required closed position. The damper motor operator electrical circuitry design was investigated and it was determined that the current design did not allow the motor to receive power following the restoration of power to the electrical bus. The failure of the dampers to fully close, and not reach a fully closed condition once power is restored, would occur only when electrical power is lost while the damper is in mid-position.
If the loss of off-site power would occur either prior to or coincident with a SIS signal, or if the damper has reached its fully closed position prior to the loss of off-site power, then the damper will close or remain closed and the auxiliary building boundary will be isolated as required.
The original design indicates the dampers would have closed on a SIS, and if power would have failed during any intermediate position of the stroke, the damper would have closed upon restoration of power. In 1981, a design change was issued which interlocked the condenser vacuum pumps and the condenser air removal filtration fans with the system discharge dampers that close on a SIS. This design change created the problem resulting in the dampers not fully closing once power is restored, if the damper motors lost power in mid-position.
Basis for Reportability:
This condition is being reported pursuant to 10 CFR 50.73 (a)(2)(i)(B), "Any operation or condition prohibited by the plant's Technical Specifications" and 10 CFR 50.36 (c)(2), limiting condition for operation of a nuclear reactor not met. Technical Specification (TS) Limiting Condition for Operation (LCO) 3.7.13, Emergency Exhaust System, requires two trains to be operable while in MODES 1 through 4. An EES train is considered operable when, in addition to other components, its associated dampers are operable. Condition B of TS 3.7.13 requires that if two EES trains are inoperable due to an inoperable auxiliary building boundary in MODE 1 through 4, then the boundary must be restored to OPERABLE status within 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />. Since this design inadequacy occurred in 1981, WCGS operated in a condition prohibited by Technical Specifications.
This event is also being reported pursuant to 10 CFR 50.73(a)(ii)(B), "Any event or condition that resulted in the nuclear power plant being in an unanalyzed condition that significantly degraded plant safety." Since the design inadequacy involved dampers in both safety trains, this portion of the auxiliary building boundary isolation system, which is required to meet the single failure criterion does not do so. The additional radioactive release path allowed by open dampers has not been previously evaluated in the radiological analysis of engineered safety features component leakage following a LOCA.
This event is also being reported pursuant to 10 CFR 50.73(a)(2)(V), "Any event or condition that could have prevented the fulfillment of the safety function of structures or systems that are needed to ... control the release of radioactive material." The intended safety function (isolation of the auxiliary building boundary following a LOCA) could not be fulfilled since dampers in both trains were incapable of closing if power was lost while the valve was in mid-position.
Root Cause:
The root cause of this condition is design inadequacy. Since the relevant design change occurred in 1981, the circumstances surrounding the design change process and the specific reason for the error could not be determined.
Corrective Actions:
A design change was prepared to correct the design inadequacy. This design change was installed and tested to ensure proper operation on May 13, 2005.
Safety Significance:
The safety significance of this condition is considered to be low. The specific sequence of events that revealed this condition during testing is unlikely to occur during an accident situation. The design issue resulting in the damper failing to close occurs only when the loss of off-site power occurs while the damper is in mid-stroke. It does not occur if the loss of off-site power occurs prior to or coincident with the SIS when the damper is full open, or after the damper has completed stroking and is closed. The stroke time for these dampers is observed to be very shirt, estimated to be approximately two to five seconds. Therefore, for the dampers to fail to close due to this design issue, a loss of off-site power would have to occur after two seconds, but not later than five seconds after the initiation of a SIS.
Previous Occurrences:
A search of internal operating experience identified three previous occurrences of design inadequacies resulting in either unanalyzed conditions or conditions that could have prevented the fulfillment of a required safety function. In the 10 CFR 50, Appendix R minimum cable separation criteria. In LER 2001-01-00, use of incorrect values in calculations resulted in several safety related instruments being mounted below the projected post accident flood level. In LER 2002-004-01, failure to consider cable-to-cable interactions in the original plant design resulted in the inability to satisfy post-fire safe shutdown requirements.