05000483/LER-2010-002
| Callaway Plant Unit 1 | |
| Event date: | 02-19-2010 |
|---|---|
| Report date: | 04-20-2010 |
| Reporting criterion: | 10 CFR 50.73(a)(2)(i)(B), Prohibited by Technical Specifications 10 CFR 50.73(a)(2)(v), Loss of Safety Function 10 CFR 50.73(a)(2)(vii), Common Cause Inoperability |
| 4832010002R00 - NRC Website | |
1. DESCRIPTION OF STRUCTURE(S), SYSTEM(S) AND COMPONENT(S)
CONDENSATE AND FEEDWATER SYSTEMS
The function of the condensate and feedwater systems is to supply a sufficient quantity of feedwater to the steam generator secondary side inlet during normal operating conditions and to terminate feedwater flow to the steam generators when feedwater isolation is required. The condensate pumps take suction from the condenser hotwell and the two turbine-driven Main Feedwater Pumps (MFPs) deliver water to the steam generators at elevated temperatures and pressures.
AUXILIARY FEEDWATER SYSTEM
The Auxiliary Feedwater (AFW) system automatically supplies feedwater to the steam generators to remove decay heat from the reactor coolant system upon the loss of the Main Feedwater (MFW) supply.
The Motor-Driven AFW Pumps (MDAFPs) start automatically upon low-low steam generator water level in any steam generator, upon trip of both turbine-driven MFPs, upon actuation of Anticipated Transient Without Scram Mitigation System Actuation Circuitry (AMSAC), and upon actuation by the Loss of Coolant Accident (LOCA) sequencer or shutdown sequencer. The Turbine-Driven AFW Pump (TDAFP) is automatically started by steam generator water level low-low in any two steam generators, undervoltage on either of the 4160V safety-related busses, and upon actuation of AMSAC. All three AFW trains can also be manually actuated.
MAIN FEEDWATER PUMP TURBINE HYDRAULIC TRIP OIL
Hydraulic oil for operation of the MFP turbine stop and control valves is supplied from the MFP Lube Oil System at a pressure of approximately 200 psig. The supply oil is split into two headers. One header supplies Operating Oil and the other supplies Trip Oil. There is a constant flow of oil from the Trip Oil Header back to the oil reservoir.
The Trip Oil Header supplies oil to the operating pistons of the MFP turbine stop valves, opening the stop valves by overcoming valve spring pressure. The Trip Oil Header is vented back into the oil reservoir upon receipt of a MFP trip signal, closing the MFP turbine stop valves.
Each MFP is equipped with two pressure switches on the Trip Oil Header line. These pressure switches (FCPSL0025 and FCPSL0026 on MFP 'A', FCPSL0125 and FCPSL0126 on MFP '13') measure hydraulic Trip Oil Header pressure. Low pressure on a Trip Oil Header indicates loss/trip of the associated MFP for input into the Balance-of-Plant (BOP) Engineered Safety Feature Actuation System (ESFAS).
START OF THE MOTOR-DRIVEN AFW PUMPS UPON TRIP OF BOTH MFW PUMPS A trip of both MFPs at power is an indication of a Loss of MFW (LOMF) and a subsequent need for some method of decay heat and sensible heat removal in order to bring the reactor back to no-load temperature and pressure. As stated previously, a low pressure signal from either of the associated pressure switches indicates a MFP trip.
When the same separation group channel inputs associated with both MFPs are below the trip setpoint, BOP ESFAS will generate an AFW actuation signal (AFAS) to the motor-driven AFW pumps. This AFW actuation function is listed in Callaway Plant Technical Specifications (TS) Table 3.3.2-1 as Function 6.g.
As stated in the Callaway Plant Safety Evaluation Report (SER), NUREG-0830, the AFAS generated upon trip of both MFPs is considered to be an "anticipatory signal" only. No credit is taken for this signal to actuate AFW in the Final Safety Analysis Report (FSAR) accident analyses. The credited actuation of AFW occurs upon Steam Generator low-low water level, a Safety Injection Signal (SIS), or a loss of offsite power (LOOP).
ENERGY INDUSTRY IDENTIFICATION SYSTEM COMPONENT AND SYSTEM INFORMATION
The Energy Industry Identification System (EllS) component and system identifiers for the components described herein are as follows:
System: BA, Auxiliary Feedwater System Component: P, Pump System: JE, Engineering Safety Feature Actuation System System: SD, Condensate System Component: P, Pump System: SJ, Main Feedwater System Components: P, Pump; TRB, Turbine; V, Valve System: SL, Feedwater Pump Turbine Lube Oil System Component: 63, Pressure Switch
2. INITIAL PLANT CONDITIONS
This condition was discovered when the plant was in Mode 1, Power Operation, at 100% power.
As described in Section 3, however, this condition only exists when one MFP is operating and the second MFP in placed in 'Reset'. This was not the case at the time of discovery. Callaway Plant was last in this condition on June 7, 2009.
3. EVENT DESCRIPTION
On December 16, 2009, industry operating experience (OE) was published to inform the industry that a Technical Specification violation at Oconee Nuclear Station potentially had generic applicability to other plants.
This Technical Specification violation was discovered by Oconee on October 21, 2009 and was reported by Upon review of this OE, it was determined that the condition described was also applicable to Callaway Plant.
This condition, as it applies to Callaway Plant, is described as follows.
A trip of both MFPs at power is an indication of a loss of MFW and the subsequent need for some method of decay heat and sensible heat removal. Upon a loss of MFW, the AFW system actuates to supply feedwater to the steam generators. An anticipatory start of AFW upon trip of both MFPs is required by TS Table 3.3.2-1 Function 6.g.
Function 6.g is required to be Operable in Modes 1 and 2. This ensures that the intact steam generators are provided with water to serve as the heat sink to remove decay and sensible heat in the event of an accident.
Since the MFPs are normally shut down in other Modes, a MFP trip in those Modes is not indicative of a condition requiring automatic AFW initiation. Thus, Function 6.g is only required to be Operable in Modes 1 and 2.
In order to avoid inadvertent AFW Actuation Signals during normal startups and shutdowns, this trip function is blocked just before shutdown of the last operating MFP and restored just after the first MFP is put into service following its startup trip test.
During low-power plant startup operations or operation at reduced power levels, only one MFP is needed to supply feedwater to the steam generators, allowing the other MFP to be secured. In this condition, the turbine of the secured MFP is placed in a 'Reset' condition with its stop valves open prior to placing that pump into service. In this 'Reset' condition, the secured MFP stop valves are kept open using the hydraulic trip fluid. Use of the hydraulic Trip Oil in this manner provides the same indication to BOP ESFAS as an operating MFP, even though the pump would not be feeding water to the steam generators. If the operating MFP tripped in this configuration, all MFW flow would cease. Since the 'Reset' MFP would still be providing indication of an operating pump to BOP ESFAS, the AFW actuation logic for Function 6.g would not be satisfied. As a result, the anticipatory AFAS would not be initiated.
Low MFP turbine hydraulic oil pressure is a direct indication that the MFP turbine is tripped. However, MFP turbine hydraulic Trip Oil Header pressure provides a false indication of an MFP's capability to supply feedwater to the steam generators when the MFP turbine is 'Reset'.
Listed below are the instances within the past three years in which one MFP was operating in Mode 1 and the second MFP was secured and in 'Reset'.
Start Time End Time Total Time (hh:mm) 05/08/2007 10:10 05/11/2007 05:08 66:58 03/22/2008 20:38 03/23/2008 16:38 20:00 07/26/2008 07:38 07/26/2008 16:08 08:30 11/07/2008 05:08 11/07/2008 17:38 12:30 11/12/2008 15:56 11/13/2008 05:08 13:12 12/13/2008 01:13 12/13/2008 22:38 21:25 12/23/2008 02:00 12/23/2008 18:08 16:08 02/20/2009 10:52 02/21/2009 23:00 36:08 03/01/2009 22:18 03/04/2009 08:08 57:50 04/15/2009 16:08 04/15/2009 17:08 01:00 06/07/2009 02:16 06/07/2009 05:08 02:52 Cumulatively, this represented 10 days, 16 hours1.851852e-4 days <br />0.00444 hours <br />2.645503e-5 weeks <br />6.088e-6 months <br />, and 33 minutes that this condition has existed in the past three years.
Note that Function 6.g was not called upon to provide anticipatory AFW actuation while this condition existed.
In addition, no other systems, structures or components were inoperable and contributed to the condition other than those already discussed in this section.
4. ASSESSMENT OF SAFETY CONSEQUENCES
These events were evaluated with the Callaway Plant Probabilistic Risk Assessment (PRA) model. The evaluation determined the conditional core damage probability (CCDP) of these events was less than 1 E-6 and the conditional large early release probability (CLERP) of these events was less than 1E-7; therefore, these events were of very low risk significance. Use of the PRA model to evaluate the events provides for a comprehensive, quantitative assessment of the potential safety consequences and implications of the events, including consideration of alternative conditions beyond those analyzed in the FSAR. Section 5 contains additional information regarding the availability of MFW and AFW in this condition.
5. REPORTING REQUIREMENTS
This condition is reportable under 10 CFR 50.73(a)(2)(i)(B) as a condition prohibited by Technical Specifications. With one pressure channel per MFP inoperable, TS 3.3.2 Condition J must be entered.
However, placing one MFP turbine in 'Reset' in Modes 1 or 2 (outside the limited Mode 2 allowance given by Note (n) of TS Table 3.3.2-1) effectively renders two pressure channels on the same MFP inoperable. Since no Condition is provided within TS 3.3.2 for two inoperable channels on the same MFP for Function 6.g, this situation is beyond the governance of TS 3.3.2 and entry into Limiting Condition for Operation (LCO) 3.0.3 would be required. As shown in Section 3 of this LER, nine of the eleven instances during which Callaway Plant had two inoperable channels on the same MFP in this function exceeded seven hours, thus exceeding the LCO 3.0.3 Completion Time for Mode 3 entry.
In addition, this condition is reportable under 10 CFR 50.73(a)(2)(vii), Criterion B for common-cause inoperability of two independent channels in a single system. Placing one MFP turbine in 'Reset' caused two independent separation group channels to become inoperable in a system designed to remove residual heat.
This condition is NOT being reported under 10 CFR 50.73(a)(2)(v) for a condition that could have prevented the fulfillment of a safety system function.
Function 6.g provides an anticipatory actuation of AFW. The safety function most closely associated with AFW Actuation is 10 CFR 50.73(a)(2)(v) Criterion B, removal of residual heat. As previously stated, AFW is credited to actuate by an AFAS, generated upon Steam Generator low-low water level, an SIS, or a loss of offsite power. No credit is given for the anticipatory AFW start provided by Table 3.3.2-1 Function 6.g. In addition, manual AFW actuation circuitry was also available. Therefore, in a loss of heat sink event, the function to remove residual and sensible heat would be successfully performed by the three redundant, Operable AFW trains.
As stated in NUREG 1022, component failures need not be reported under 10 CFR 50.73(a)(2)(v) if redundant equipment in the same system was Operable and available to perform the required safety function. All three redundant AFW trains were Operable and available during the periods associated with this condition, and the overall function performed by BOP ESFAS to initiate AFW upon loss of MFW was not lost in this event. Thus, the required safety function was maintained throughout this event.
Similarly, Criterion D, associated with functions needed to mitigate the consequences of an accident, does not apply to Function 6.g. No credit is given to Function 6:g in the accident analysis for accident mitigation or radiological dose containment. Rather, the accident mitigation function is provided by and credited to the AFAS.
6. CAUSE OF THE EVENT
The root cause of this event has been attributed to the lack of sufficiently detailed design basis information regarding TS Table 3.3.2-1 Function 6.g. Specifically, the original and the existing Callaway Plant design basis information associated with pressure switches FCPSL0025, FCPSL0026, FCPSL0125 and FCPSL0126 lacks sufficient detail to ensure that administrative controls were established to maintain the MDAFAS on trip of both MFPs function operable in accordance with TS Table 3.3.2-1 Function 6.g.
A root cause analysis of this event did not find a clear description of the function of pressure switches FCPSL0025, FCPSL0026, FCPSL0125 and FCPSL0126, and of the plant conditions to which they were assumed to respond. This research included reviewing correspondence dating back to 1975, long before Callaway Plant received its full power operating license. Correspondence from this period states only that the MDAFPs were to start on receipt of a low-low level signal from any steam generator, station blackout, trip of both MFPs, or a Safety Injection Signal (SIS).
Section 7.3.9.1.1.a, Section 6.5.2.3.c, and Section 10.4.7.3 of the Callaway Plant Preliminary Safety Analysis Report (PSAR) simply stated that the motor driven pumps are started automatically by loss of both main feedwater pumps. This minimal information has been carried forward to the current FSAR as it pertains to the function of FCPSL0025, FCPSL0026, FCPSL0125 and FCPSL0126: these pressure switches are not mentioned by equipment ID number in the current FSAR. The current FSAR Sections for the ESFAS and AFW systems merely state that a trip of both MFP initiates a MDAFAS.
Section 7.3.2.7 of the Callaway Plant Safety Evaluation Report also states that the signal to initiate AFW when the MFPs are tripped is considered to be an anticipatory signal for which no credit is taken in the accident analysis. However, it discusses little else about the function beyond the permitted short-term blocking of the anticipatory signal during startup and shutdown. Likewise, no additional insight into this function has been found in any iteration or revision of Callaway Plant Technical Specifications.
As a result of this lack of information and understanding, Callaway Plant did not recognize the inoperability of Function 6.g with a MFP in 'Reset' until review of this operating experience.
7. CORRECTIVE ACTIONS
To ensure the Operability of Function 6.g is maintained, Callaway Plant TS 3.3.2 Condition J, and the associated TS Bases will be modified to permit placing both oil pressure channels associated with one MFP in 'Reset' in a tripped condition while the standby MFP is placed in service. As a result, the channels will provide a 'tripped' input to BOP ESFAS, and placing a MFP in 'Reset' would impose a partial AFW actuation status on the plant. A subsequent trip of the operating MFP would then complete the AFW actuation logic, initiating the anticipatory start of the MDAFPs as intended. This License Amendment Request (LAR) has been submitted for NRC review.
In addition, the necessary detail of operability requirements associated with pressure switches FCPSL0025, FCPSL0026, FCPSL0125 and FCPSL0126 will be added into the appropriate Technical Specification Bases, FSAR sections, and plant procedures. By adding the necessary detail regarding the licensing and design basis function for these pressure switches, the function and intent of the anticipatory AFW actuation upon Loss of Main Feedwater will be readily available to plant personnel.
8. PREVIOUS SIMILAR EVENTS
Although the root cause analysis of this event has identified missed opportunities for this condition to have been identified sooner, no similar events are known to have existed at Callaway Plant.
Similar events within the industry are documented in Watts Bar Nuclear Plant LER 05000390/2006-008, Oconee Nuclear Station LER 05000269/2009-002, and Wolf Creek Generation Station LER 05000482/2010- 001.