05000482/LER-2010-001
| Wolf Creek Generating Station | |
| Event date: | 01-21-2010 |
|---|---|
| Report date: | 03-22-2010 |
| Reporting criterion: | 10 CFR 50.73(a)(2)(i)(B), Prohibited by Technical Specifications 10 CFR 50.73(a)(2)(vi) 10 CFR 50.73(a)(2)(v), Loss of Safety Function 10 CFR 50.73(a)(2)(vii), Common Cause Inoperability |
| 4822010001R00 - NRC Website | |
PLANT CONDITIONS PRIOR TO EVENT:
MODE - 1 Power - 100
EVENT DESCRIPTION:
On January 21, 2010, the operating experience (0E30255) was placed into the corrective action program. On February 4, 2010, a review of the operating experience determined that the design and normal operation of the MFW pumps at Wolf Creek Generating Station (WCGS) could result in a condition that does not conform to the WCGS Technical Specification (TS) Table 3.3.2-1, Function 6.g., Trip of All Main Feedwater Pumps. During plant startups, the non-operating main feedwater (MFW) pump [EllS Code: SJ-P] in the reset condition results in two inoperable motor driven auxiliary feedwater (AFW) pump [EllS Code: BA-P] auto-start channels. There is no TS Condition for two MFW pump trip channels inoperable. Limiting Condition for Operation (LCO) 3.0.3 specifies that when an associated Action is not provided, action shall be initiated within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> to place the plant in Mode 3 in 7 hours8.101852e-5 days <br />0.00194 hours <br />1.157407e-5 weeks <br />2.6635e-6 months <br />. Action had not previously been taken as required by the TSs.
Industry operating experience, 0E30255 dated December 16, 2009 identified that a design feature of each main feedwater (MFW) pump can provide a status indication that the MFW pump is in service when the MFW pump may not actually be supplying water to the steam generator. In this condition, if the MFW pump in service tripped, the motor driven AFW pumps would not receive an auto-start signal from the trip of both MFW pumps as required by the WCGS Technical Specifications. A MFW pump is in service when the pump's stop valves are open, the governor control valves are either in manual or automatic control and feedwater is being supplied to the steam generators.
The operating experience provided reference to Watts Bar Nuclear Plant licensee event reports for a similar event.
Further research identified on August 7, 2008, the Nuclear Regulatory Commission (NRC) issued Watts Bar Nuclear Plant — NRC Integrated Inspection Report 05000390/2008003. In that report, the NRC informed Tennessee Valley Authority (TVA) that plant operation did not conform to TS 3.3.2 Function 6.e., Trip of All Turbine Driven Main Feedwater Pumps, when a non-operating MFW pump is reset within the Limiting Condition for Operation (LCO) Applicability. TVA had considered the associated AFW auto-start channel (the Watts Bar design has one Function 6.e. channel per MFW pump) operable; however, NRC informed WA that a non-operating MFW pump in the reset condition impacts operability of the AFW auto-start channel due to the false (i.e., invalid) indication of the MFW pump status.
Dates of Major WCGS Occurrences Since Refueling Outage 15 (approximately 3 years) Date Event October 6, 2006 MFW pump removed from service while shutting down for Refueling Outage 15 November 11, 2006 Reset MFW pump for placing into service while restarting from Refueling Outage 15 January 11, 2008 MFW pump removed from service while shutting down for forced outage for gas voiding in suction piping of Emergency Core Cooling System January 17, 2008 Reset MFW pump for placing into service while restarting from a forced outage for gas voiding in suction piping of Emergency Core Cooling System May 15, 2008 Reset MFW pump for placing into service while restarting from Refueling Outage 16 A trip of both MFW pumps is an indication of a loss of MFW and the subsequent need for some method of decay heat and sensible heat removal to bring the reactor back to no load temperature and pressure. Each turbine driven MFW pump is equipped with two pressure switches (that provide one actuation signal in separation group 1 and one in separation group 4) on the oil line for the speed control system. These pressure switches (FCPSL0025, FCPSL0026, FCPSL0125, and FCPSL0126) measure hydraulic trip header pressure for the MFW pump turbine stop valve control fluid. When a feedwater pump turbine trip signal is received by the turbine, the hydraulic trip fluid pressure is vented and the pressure switches detect the low pressure condition. A low pressure signal from either of these pressure switches indicates a trip of that pump's turbine. Two operable channels per MFW pump satisfy redundancy requirements with one-out-of-two logic in the same separation group on both pumps required for signal actuation. A trip of both MFW pumps starts the motor driven AFW pumps. This actuation function is item 6.g. in TS Table 3.3.2-1.
Function 6.g. must be operable in Mode 1. This anticipatory trip results in the intact steam generators being provided with water to serve as the heat sink to remove reactor decay heat and sensible heat in the event of an accident. In Mode 2, AFW actuation due to a trip of all MFW pumps is normally blocked. Blocking of this trip function is permitted just before shutdown of the last operating MFW pump and the restoration of this trip function just after the first MFW pump is put into service following SR 3.3.2.8. In Modes 3, 4, and 5, the MFW pumps are normally shut down, and thus pump trip is not indicative of a condition requiring automatic AFW initiation.
During low-power plant startup operations or during operation with one MFW pump secured at reduced power levels (typically less than 65% rated thermal power), only one MFW pump is feeding flow to the steam generators.
Typically, the other MFW pump turbine is placed in a "Reset" condition with its stop valves open just prior to placing the MFW pump in service. This condition utilizes hydraulic trip fluid to keep the stop valves open, which appears to reflect an operating MFW pump to the hydraulic pressure switches. In the event that the operating MFW pump turbine receives a trip signal, all main feedwater flow would cease, but since the off-line MFW pump turbine is in the "Reset" condition, the Function 6.g. actuation logic would not be satisfied, and an auto-start signal to the motor driven AFW pumps would not be initiated.
A low MFW pump hydraulic oil pressure is a "direct" indication that the MFW turbine is tripped but an "indirect" indication of the MFW pump capability to supply feedwater to the steam denerators. The MFW pump turbine hydraulic oil pressure provides a false indication of an MFW pump's capability to supply feedwater to the steam generators when the MFW pump turbine is "Reset" in Mode 1 but the pump is not actively supplying flow to the steam generators. This situation is routinely created during normal plant startup when one MFW pump is in operation but the other MFW pump turbine has been "Reset" for various maintenance and operational activities.
When the MFW pump turbine has been "Reset" but is not providing flow to the -steam generators, both pressure channels for that pump should be considered inoperable. With both channels inoperable, LCO 3.0.3 would be required to be entered since there is no Condition for two channels inoperable on the same MFW pump (separate Condition entry for Condition J would allow separate entries for one inoperable channel per MFW pump).
During the process of removing a MFW pump from service in Mode 1 and prior to placing a MFW pump into service in Modes 1 and 2, its turbine control circuitry is placed in a "Reset" condition (FCHIS0018 on MFW pump 'A', FCHIS0118 on MFW pump 'B') such that the two oil pressure switch channels (FCPSL0025 and FCPSL0026 on MFW pump� FCPSL0125 and FCPSL0126 on MFW pump 'B') on that pump continue to experience oil pressures indicative of an operating pump and, therefore, would not satisfy the AFW start function actuation logic (one tripped channel on each MFW pump in the same separation group will initiate an auxiliary feedwater actuation signal to start the motor driven AFW pumps). This ESFAS function (TS Table 3.3.2-1, Function 6.g.) is an anticipatory start signal for which no credit is taken in any safety analysis. The safety analyses credit actuation of the motor driven AFW pumps upon a low-low steam generator water level signal in any steam generator and after a safety injection signal.
BASIS FOR REPORTABILITY:
TS 3.3.2, Engineered Safety Feature Actuation System (ESFAS) Instrumentation, Table 3.3.2-1, Function 6.g., Auxiliary Feedwater — Trip of all Main Feedwater Pumps, requires 2 channels per pump operable in Mode 1. With one pressure channel inoperable, TS 3.3.2 Condition J must be entered, the inoperable channel must be tripped in 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> per Required Action J.1 or the plant must be in Mode 3 in 7 hours8.101852e-5 days <br />0.00194 hours <br />1.157407e-5 weeks <br />2.6635e-6 months <br /> per Required Action J.2.
With one MFW pump turbine in "Reset" in MODE 1 and not supplying flow to the steam generators, two channels are inoperable. Since no Condition is provided within LCO 3.3.2 for two inoperable channels for Function 6.g., that situation is beyond the governance of LCO 3.3.2, and therefore an entry into LCO 3.0.3 would be required. The latter requires preparation for a plant shutdown in 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> and the plant to be in Mode 3 within 7 hours8.101852e-5 days <br />0.00194 hours <br />1.157407e-5 weeks <br />2.6635e-6 months <br />.
WCGS had two inoperable channels in this function on multiple occasions during the previous three years that exceeded a duration of 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />. Per NUREG-1022 Section 3.2.2, any entry into LCO 3.0.3 that lasts (or would have lasted) greater than 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> such that shutdown actions were (or would have been) required to be initiated is reportable. This situation is, therefore, reportable under 10 CFR 50.73(a)(2)(i)(B).
Since a single condition (starting one MFW pump with its turbine "Reset" or the process of securing one MFW pump and no flow is being provided to the steam generators) would have caused two independent, separation group 1 and group 4 channels in the TS 3.3.2 actuation Function 6.g to be inoperable in a system designed to remove residual heat such that the auto-start signal from Function 6.g would not have functioned, this event is reportable under 10 CFR 50.73(a)(2)(vii).
Updated Safety Analysis Report (USAR) Section 7.4, Systems Required for Safe Shutdown, provides a discussion of those systems necessary to achieve a safe shutdown under normal plant conditions, post-accident (DBA) conditions, and post-fire conditions. ESFAS Instrumentation is not listed in USAR Table 7.4.5 as a system necessary to achieve safe shutdown. The AFW System is listed in USAR Table 7.4.5. All three redundant AFW trains were operable and met LCO 3.7.5.
The AFW trains are the equipment that satisfies the criterion for systems needed to shutdown the reactor and maintain it in a safe condition. If a loss of heat sink event had occurred, the safety function (removal of sensible and residual decay heat from the Reactor Coolant System) would have been successfully performed by three redundant, operable AFW trains and accident mitigation would have been achieved via an automatic AFW actuation signal (AFAS) on a steam generator (SG) low-low water level condition.
The safety function is item (B) of 10 CFR 50.73(a)(2)(v), remove residual heat. Item (D) does not apply since the TS Table 3.3.2-1 Function 6.g. does not mitigate the consequences of any accident. Consequences are defined in regulatory space (such as 10 CFR 50.59) as radiological doses (NUREG-1022 discusses item (D) only with respect to containment isolation and emergency filtration which mitigate doses). If a loss of heat sink event had occurred, the safety function (removal of sensible and residual decay heat from the RCS) would have been successfully performed by three redundant, operable AFW trains and accident mitigation would have been achieved via an automatic AFW actuation signal (AFAS) on a SG low-low water level condition. This is the signal credited in the primary side cooldown accident analyses of USAR Section 15.1 and the primary side heatup accident analyses of USAR Section 15.2. For other accidents, safety injection or loss of offsite power (which would have started the turbine driven AFW pump) signals would have provided an AFAS. The manual AFW start circuitry was also available. These are functions 6.a. through 6.f. of TS Table 3.3.2-1. Per Section 3.2.7 of NUREG-1022 and 10 CFR 50.73(a)(2)(vi), component failures need not be reported under 10 CFR 50.73(a)(2)(v) if redundant equipment in the same system was operable and available to perform the required safety function. All three redundant AFW trains were operable and met LCO 3.7.5. The AFW trains are the equipment that satisfies the safety function, not the auto-start circuitry. An analogy can be drawn from the application of the pertinent Technical Specifications. An instrumentation problem does not direct a cascade to the LCO for the actuated equipment. The actuated end devices (AFW pumps, valves, flow paths) are not rendered inoperable by an instrumentation issue involving one non-credited actuation signal. While there was no redundancy for TS Table 3.3.2-1 Function 6.g., that instrumentation function is not what removes decay heat. Therefore, WCNOC does not believe this condition to be reportable under 50.73(a)(2)(v). However, recent reporting precedence has shown that functions have been interpreted to be broader than those relied on in the USAR Chapter 15 accident analyses.
USAR Section 7.3.8 identfies the specific functions which rely on the ESFAS for initiation. Included in this list are the motor driven auxiliary feedwater pumps. This section does not specifically indicate whether the function is required to mitigate any transient or accident that is not describe in USAR Chapter 15. Discussions with the NRC Senior Resident Inspector on March 15, 2010 indicated that a 50.72(b)(3)(v) notification should have been made for the
- March 2, 2010 reset of the "A" MFW pump (10 seconds) based on the system (instrumentation) required by TSs and the function being required during any plant mode or accident situation as described or relied on in the plant safety analysis report or required by the regulations. Therefore, based on this discussion, industry precedence, and corrective actions from a severity level IV non cited violation from NRC Integrated Inspection Report 2009005, this event is also being reported under 50.73(a)(2)(v)(D).
CAUSE:
The cause of this event was a continuing and evolving understanding of the TSs that existed, which led to not meeting what was originally believed to have been the intent of TS 3.3.2, Table 3.3.2-1, Function 6.g. and the licensing basis associated with the Auxiliary Feedwater Actuation Signal Motor (AFASM) function upon a loss of main feedwater flow.
A contributing cause was the original plant design did not allow for compliance with TS 3.3.2, Table 3.3.2-1, Function 6.g. and Condition J during plant startups and shutdowns.
On March 2, 2010, WCGS experienced a reactor trip caused by the loss of the "A" MEW pump. A license amendment request was submitted to the NRC on March 3, 2010 requesting changes to TS 3.3.2, Condition J, to provide a Condition that addresses more than one inoperable MEW pump trip channel. WCNOC requested that the amendment request be approved on an emergency basis in accordance with 10 CFR 50.91(a)(5). Amendment No.
187 for the requested change was approved on March 5, 2010.
Procedures SYS AE-121, "Turbine Driven Main Feedwater Pump Startup," and SYS AE-320, "Turbine Driven Main Feedwater Pump Shutdown," were revised to provide guidance for placing motor driven auxiliary feedwater (AFW) pump auto-start channels for the second MEW pump being placed into service or for the first MEW pump being removed from service (if removal could take longer than 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />) while in Mode 1 into a tripped condition. In Mode 1 with one MEW pump in service and the second MEW pump in the process of being placed into service or for the first MEW pump being removed from service (if removal could take longer than 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />), a start of the motor driven AFW pumps would occur if the in service MEW pump were to fail.
SAFETY SIGNIFICANCE:
The design basis events which impose initiation of the AFW System requirements are loss of normal main feedwater, main feed line or main steam line break, loss of offsite power, and small break loss of coolant accident.
These design bases event evaluations assume actuation of the AFW System due to loss of offsite power signal, steam generator water level - low-low or a safety injection signal. The anticipatory motor driven AFW pump auto start signals from the MEW pumps are not credited in any design basis accidents and are, therefore, not part of the primary success path for postulated accident mitigation.
OPERATING EXPERIENCE/PREVIOUS EVENTS:
None.