05000528/LER-2012-005
| Palo Verde Nuclear Generating Station (Pvngs) Unit 1 | |
| Event date: | |
|---|---|
| Report date: | |
| Reporting criterion: | 10 CFR 50.73(a)(2)(i)(B), Prohibited by Technical Specifications |
| 5282012005R01 - NRC Website | |
All times are Mountain Standard Time and approximate unless otherwise indicated.
1. REPORTING REQUIREMENT(S):
This Licensee Event Report (LER) is being submitted pursuant to 10 CFR 50.73(a)(2)(i)(B) for a condition prohibited by Technical Specification Limited Condition for Operation (LCO) 3.3.11, Remote Shutdown System (RSS). Because each of the deficient RSS control circuits identified in this LER existed since original plant design, the LCO Required Actions were not completed within the allowed completion times.
On December 14, 2012, Palo Verde Nuclear Generating Station (PVNGS) determined that the train B pressurizer (PZR) backup heater control circuit isolation features may not properly isolate the circuit during a control room (CR) fire event. In response, each PVNGS unit entered LCO 3.3.11, Condition B, at 1530 on December 14, 2012. On December 17, 2012, at 2247, each unit exited LCO 3.3.11, Condition B, when procedure changes were issued that provided alternate methods for operation of the train B PZR backup heaters during a CR fire event.
On January 29, 2013, during ongoing reviews of RSS control circuit design, two additional conditions were identified where control circuit isolation features may not properly isolate the circuit during a CR fire event. Specifically, the control circuits for letdown isolation valve CHB-UV-515 and reactor coolant pump seal bleed-off CIV CHB-UV-505 were found to have similar deficiencies with the circuit isolation features. In response, each PVNGS unit entered LCO 3.3.11, Condition B, at 1805 on January 29, 2013. On February 1, 2013, at 1742, each unit exited LCO 3.3.11, Condition B, when procedure changes were issued that provided alternate methods of control circuit isolation for the two chemical and volume control system (CVCS) isolation valves during a CR fire event.
I Subsequently, on August 7, 2013, five additional RSS control circuits were identified in which control circuit isolation features may not properly isolate the circuit during a CR fire event. The five additional RSS control circuits described in this LER supplement were identified during comprehensive extent of condition reviews prescribed by the root cause investigation to confirm circuit isolation design features are adequate to isolate the specified control circuits during a CR fire event. The three units entered LCO 3.3.11 Condition B for the five circuits on August 8, 2013, and exited the LCO on August 24, 2013, after procedure changes were implemented which prescribed alternative methods of isolation or control.
LCO 3.3.11 requires that the remote shutdown system (RSS) instrumentation functions in Table 3.3.11-1 and each RSS disconnect switch and control circuit shall be operable.
Condition B of LCO 3.3.11 requires that, if one or more RSS disconnect switches or control circuits are inoperable, either restore the required switch(s)/circuit(s) to operable status within 30 days or issue procedure changes that identify alternate disconnect methods or I control circuits within 30 days. If neither action is completed within 30 days, Condition C then requires the unit be in Mode 3 within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and be in Mode 4 within 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />.
2. DESCRIPTION OF STRUCTURE(S), SYSTEM(S) AND COMPONENT(S):
The RSS provides the CR operator with sufficient instrumentation and controls to place and maintain the unit in a safe shutdown condition from a location other than the CR. In the event that the CR becomes inaccessible, the operators can establish control at the remote shutdown panel and place and maintain the unit in Mode 3. Disconnect switches are provided for specified train B components to isolate the local portion of each control circuit from the CR portion of the control circuit. The disconnect switches prevent spurious operation of components during a CR fire event and ensure credited components will function to provide for safe shutdown from the remote shutdown panel. The disconnect switches have two positions: the Remote/Local (R/L) position which enables operation from both CR and local controls and the Local position which isolates the control circuit from potential CR fire induced circuit faults and allows local operation only. Not all controls and control circuit disconnect switches are located at the remote shutdown panel. Some controls and disconnect switches are operated locally at the electrical switchgear, motor control centers, and other local stations.
The CR fire abnormal operating procedure, 40A0-9ZZ19, provides directions upon discovery of a control room fire to achieve a safe shutdown of the reactor which includes tripping the reactor, isolation of RSS control circuits, evacuation of the control room, and operation of the shutdown plant from the remote shutdown panel.
The operability of the RSS control and instrumentation functions ensures there is sufficient information available and sufficient equipment control available to bring the plant to, and maintain it in, Mode 3 should the CR become inaccessible. The required controls, instrumentation, and disconnect switches are those necessary for reactivity control (initial and long term), reactor coolant system (RCS) (EIIS: AB) pressure control, decay heat removal, RCS inventory control and support systems for the above functions which include the essential spray pond system, essential cooling water system, and onsite electrical power system including the diesel generators.
The RCS pressure control remote shutdown function is facilitated by RCS pressure and PZR (EIIS: AB) level instrumentation at the remote shutdown panels and local controls for the train B PZR backup heaters and train B PZR auxiliary spray valve. Key PZR functions include maintaining required RCS pressure during steady state operation and limiting the pressure changes caused by reactor coolant thermal expansion and contraction that may occur while shutting down and cooling down the plant. Two groups of PZR backup heaters are designated as the class 1 E heaters. The class 1 E PZR backup heaters are normally de- energized but can be manually energized or automatically energized by a low PZR pressure signal or a high PZR level error signal. The train B PZR backup heaters are the designated safe shutdown heaters for a CR fire event.
The RCS inventory control remote shutdown function is supported by a number of CVCS (EIIS: CA) components which limit losses of RCS coolant and provide makeup capability during remote shutdown operations. The CVCS controls the purity, volume and boric acid content of the reactor coolant. Reactor coolant is removed from the RCS loop 2B cold leg via the letdown portion of the CVCS system. After leaving the RCS, letdown process flow passes through the regenerative heat exchanger in containment where heat is transferred from letdown to the charging flow and then through letdown isolation valve CHB-UV-515 and containment isolation valves (CIVs) CHA-UV-516 and CHB-UV-523 to the letdown heat exchanger in the auxiliary building where letdown process temperature is further reduced prior to filtering and deionization and collection in the volume control tank (VCT) (EIIS: CB).
The coolant charging pumps take suction on the VCT and pump coolant back to the RCS loop 2A cold leg. The charging system also provides flow to the PZR auxiliary spray and reactor coolant pump (RCP) (EIIS: AB) seal injection systems. The RCP seal injection process flow is regulated to the pump seals to flush the seals with low temperature, filtered coolant. During normal operations, a portion of the seal injection flow from each RCP is returned to the VCT as RCP seal bleed-off via CIVs CHB-UV-505 and CHA-UV-506. When the seal bleed-off CIVs are closed, RCP seal bleed-off flow is directed to the reactor drain tank in containment or can be isolated by the operator.
The following is a discussion of the systems related to the five additional RSS control circuits included in the scope of this LER supplement that were identified in the extent of condition reviews:
- CR normal heating, ventilation, and air conditioning (HVAC) system (EIIS: VI)
- Containment spray (CS) system (EIIS: BE)
- Control building essential HVAC (EllS: VI) involving Class '1E batteries (EllS: EJ) and Class 1 E engineered safety features (ESF) (EIIS: JE) switchgear RCS hot leg sample (EIIS: KN) line CIVs.
The CR normal HVAC system consists of a normal air handling unit (AHU) and fan, duct work, and dampers which replenish and condition CR air during normal operations. A separate CR essential filtration system (CREFS) provides two redundant trains for filtration and cooling when conditions require their actuation. The normal CR HVAC AHU shares duct work with the Train B CREFs. Upon receipt of a safety injection actuation signal (SIAS), CR ventilation isolation actuation signal (CRVIAS), control room essential filtration actuation signal (CREFAS), or a loss of power (LOP) signal, a redundant pair of safety- related electro-pneumatic supply dampers and a redundant pair of safety-related electro- pneumatic return dampers isolate the CR normal AHU from the Train B CREFS. The train B supply and return CR normal AHU isolation dampers, HJB-M01 and HJB-M55 respectively, have a RSS isolation function in the CR fire safe shutdown analysis to ensure the dampers close to prevent the spread of smoke.
The CS system sprays borated water into the containment atmosphere in the event of a Loss of Coolant Accident (LOCA) or a Steam Line Break Accident (SLBA) within the containment to reduce containment pressure and temperature and limit the leakage of airborne activity from the containment. Additionally, CS removes heat from containment following a LOCA by circulation of coolant from the recirculation sumps to the shutdown cooling heat exchangers (SDHXs) and back to the containment spray nozzles. The CS pumps and SDHXs are also used to support the shutdown cooling function to cooldown the RCS to achieve safe shutdown for normal operations, analyzed accidents, or abnormal occurrences, such as a CR fire. A SDHX bypass valve can be used to direct CS pump discharge flow to bypass the SDHX to control RCS cooldown. The functions of the train B CS pump and SDHX support cooldown of the plant in the CR fire safe shutdown analysis and includes the RSS isolation function for the train B SDHX bypass valve, SIB-HV-693, to ensure the ability to close the valve during a CR fire to prevent inventory loss via a CS spurious actuation through the train B CS header.
Four Class 1 E batteries provide instrumentation and control power required for analyzed accidents. Each is housed in its respective battery room located in the 100 foot elevation of the control building. An essential battery room exhaust fan is provided for each battery room to prevent accumulation of hydrogen during Class 1 E battery operation and starts automatically upon receipt of a LOP or SIAS. The channel B and D essential battery room exhaust fans, HJB-J01B and HJB-J01A respectively, have an RSS isolation function in the CR fire safe shutdown analysis to ensure fan availability during a CR fire.
Redundant ESF Class 1E 4160 volts alternating current (VAC) (EIIS: EB) switchgear and 480 VAC electrical (EIIS: ED) switchgear are located in the 100 foot elevation of the control building in corresponding ESF switchgear rooms. The Class 1 E switchgear distribute power for operation of ESF equipment required to mitigate the consequences of analyzed accidents. The control building ESF switchgear room AHUs, cooled by respective redundant trains of essential chilled water (EIIS: KM), provide required cooling to the ESF switchgear rooms to support the safety function of the Class 1 E switchgear. The train B control building ESF switchgear room AHU fan, HJB-Z03, has an RSS isolation function in the safe shutdown CR fire analysis to ensure fan availability during a CR fire.
The RCS hot leg sample line contains two solenoid actuated CIVs, one inside containment, SSA-UV-203, and one outside containment, SSB-UV-200, which close automatically upon a receipt of a Containment Isolation Actuation Signal (EIIS: BD). The RCS hot leg sample line CIVs have an RSS isolation function in the CR fire safe shutdown analysis to ensure they can be operated during a CR fire to obtain an RCS sample for boron concentration analysis beginning two hours into the CR. fire event.
3. INITIAL PLANT CONDITIONS:
On December 14, 2012, January 29, 2013, and August 7, 2013, PVNGS Units 1, 2, and 3 were in Mode 1 (Power Operation), at 100 percent power and normal operating temperature and pressure. There were no structures, systems, or components inoperable that contributed to the event.
4. EVENT DESCRIPTION:
On December 14, 2012, during reviews of control circuit drawings for a pending procedure change, a licensed shift manager (SM) determined that the train B PZR backup heater control circuit design did not meet isolation capability requirements because the associated RSS disconnect switch RCB-HS-100-5-2 does not adequately separate a part of the CR circuits from the local circuits. The SM entered the condition into the PVNGS corrective action program and informed CR personnel of the condition. In response, each PVNGS unit declared the affected RSS control circuit inoperable and entered LCO 3.3.11, Condition B, at 1530 on December 14, 2012.
To comply with LCO 3.3.11 Condition B.2, the CR Fire abnormal operating procedure, 40A0-9ZZ19, was revised to provide an alternate method for operation of PZR backup heaters during a CR fire event and then, on December 17, 2012, at 2247, each unit exited LCO 3.3.11, Condition B.
1 On January 29, 2013, during ongoing reviews of RSS control circuit design, the SM discovered two additional RSS control circuits associated with a CVCS letdown isolation valve and a CVCS CIV that do not completely isolate the CR circuits from the local circuits.
Specifically, disconnect switch CHB-HS-515-2 for letdown isolation valve CHB-UV-515 and disconnect switch CHB-HS-505-2 for RCP seal bleed-off CIV CHB-UV-505 do not meet isolation capability requirements because the disconnect switch does not adequately separate a part of the CR circuits from the local circuits. The SM entered the condition into the PVNGS corrective action program and informed CR personnel of the condition. In response, each PVNGS unit declared the affected RSS control circuits inoperable and entered LCO 3.3.11, Condition B, at 1805 on January 29, 2013.
1 To comply with LCO 3.3.11 Condition B.2, procedure 40A0-9ZZ19 was revised to provide an alternate method to isolate the control circuits for the two affected CVCS isolation valves, CHB-UV-515 and CHB-UV-505, and then, on February 1, 2013, at 1742, each unit exited LCO 3.3.11, Condition B.
On August 7, 2013, at 2144, comprehensive extent of condition reviews were completed to confirm circuit isolation design features are adequate to isolate the specified control circuits during a CR fire event, as prescribed by the root cause investigation for this issue. The reviews identified five additional RSS control circuits in which control circuit isolation features may not properly isolate the circuit during a CR fire event in which faulted conditions could occur prior to isolation of the circuits from the CR. The five addition RSS control circuits included the following:
The train B CR normal AHU isolation dampers (HJB-M01 and HJB-M55) The train B SDHX bypass valve SIB-HV-693 The channel B and D battery room essential exhaust fans HJB-J01B and HJB-J01A The train B control building ESF switchgear room AHU fan HJB-Z03 The RCS hot leg sample line CIVs SSB-UV-200 and SSA-UV-203 In response, each PVNGS unit declared the affected RSS control circuit inoperable and entered LCO 3.3.11, Condition B, on August 8, 2013, at 0215 for four of the circuits. The LCO was not entered until 1300 on August 8 for the train B SDHX bypass valve circuit until further review was completed that concluded that circuit was also inoperable.
Each unit exited LCO 3.3.11, Condition B on August 24, 2013, at 1705 after procedure 40A0-9ZZ19 was revised to provide alternate methods of isolating or controlling the affected circuits as described below:
Alternative instructions were provided to open the power supply disconnect switches for control power to the train B supply and return CR normal AHU isolation dampers to ensure spurious operations do not occur.
Alternative instructions were provided to open the breaker for the train B CS system spray header isolation valve to prevent its opening to ensure the credited function of the CR fire analysis for the train B SDHX bypass valve is performed.
Alternative contingency instructions were provided to replace the fuses that may have blown on affected RSS control circuits as a result of the CR fire prior to operation of the associated RSS disconnect switches. The alternative contingency instructions for fuse replacement are provided for the RSS control circuits for the B and D battery room essential exhaust fans, the ESF switchgear room AHU fan, and RCS hot leg sample line CIVs. If needed, the fuse replacements would successfully restore the functions of the components following operation of the RSS disconnect switches.
5. ASSESSMENT OF SAFETY CONSEQUENCES:
The events did not result in a challenge to the fission product barriers or result in the release of radioactive materials; and the events did not adversely affect the safe operation of the plant or health and safety of the public.
The events did not result in a potential for a transient more severe than those analyzed in the Updated Final Safety Evaluation Report chapters 6 and 15. The analysis of record for the limiting 10 CFR 50 Appendix R event (fire in the CR with stuck open atmospheric dump valve) met the acceptance criteria for the limiting fire scenario without the use of the PZR heaters for a four hour duration. A four hour duration would allow sufficient time for Operations personnel to determine the loss of local PZR heater breaker control and then manually close the breaker in the switchgear room adjacent to the remote shutdown panel area.
For the two affected CVCS valves, the postulated fire induced control circuit fault will result in the valve control circuits being de-energized and the valves failing in the closed position.
The failed closed position of these valves is consistent with the direction in the procedure, 40A0-9ZZ19 which provides guidance to isolate each of the two flow paths, CVCS letdown and RCP seal bleed-off.
Similarly, the loss of the five additional RSS control circuits were evaluated and would not have a significant impact on the ability to implement the CR fire safe shutdown analysis:
The train B supply and return CR normal AHU isolation dampers would have failed to the required closed position stated in the CR safe shutdown analysis and therefore, the credited function to isolate the CR normal AHU would have been met.
The procedure 40A0-9ZZ19 already contained guidance to take positive control of the train B CS system spray header isolation valve to prevent its opening, which would ensure the credited function of the CR fire analysis for the train B SDHX bypass valve to prevent an inventory loss.
The shortest duration to reach a 2 percent (%) hydrogen concentration accumulation in the battery rooms is 234 hours0.00271 days <br />0.065 hours <br />3.869048e-4 weeks <br />8.9037e-5 months <br /> with no battery room fan running with the battery on an equalizing charge. This duration permits adequate time to diagnose and restore the battery room essential exhaust fans' supporting functions while maintaining hot shutdown and achieving cold shutdown conditions within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />.
The loss of the train B ESF switchgear room AHU due to a CR fire would not result in the ESF switchgear rooms exceeding their design temperature.
The effect on RCS sampling capability would not directly impact the reactivity safety function. RCS sampling capability is a monitoring function and would be expected to be restored following discovery and diagnosis of the blown RSS control circuit fuses.
Adequate shutdown margin would have been maintained during a CR fire event with existing steps in procedure 40A0-9ZZ19. CR operators immediately trip the reactor and verify full strength control element assemblies are fully inserted prior to evacuating the CR. Procedure steps also ensure borated water sources are used for RCS make-up and boron dilution sources are isolated to preclude an RCS boron dilution event.
Therefore, the RSS control circuit deficiencies addressed in this LER would not have contributed to a measurable amount of increased risk for core damage or a large early release event.
I The design deficiencies for the affected RSS control circuits did not impact the performance of any other component functions and no other safety functions were impacted as a result of this event. The conditions would not have prevented the fulfillment of a safety function (no safety system functional failure) as defined by 10 CFR 50.73 (a)(2)(v).
6. CAUSE OF THE EVENT:
The cause of the event was an original latent design deficiency that did not meet the 10 CFR 50 Appendix R isolation design criteria. Additionally, the extent of condition reviews of control circuits performed during the 2007 root cause evaluation for a similar event, reported in LER 50-528/2007-002-00, were conducted without adequate comprehensive review and independent verification.
7. CORRECTIVE ACTIONS:
Corrective actions revised the procedure 40A0-9ZZ19 to add alternative instructions to restore RSS control circuit functions, as described above. These procedure changes allowed the units to exit LCO 3.3.11, Condition B, for each circumstance within 30 days.
Comprehensive extent of condition reviews have been completed to confirm circuit isolation design features are adequate to isolate the specified RSS control circuits during a CR fire event as required by TS 3.3.11. These circuit evaluations included analysis of 192 control circuit drawings and independent verifications using enhanced circuit analysis methods to ensure comprehensive review of the design. The evaluations identified the five additional RSS control circuits in which control circuit isolation features may not properly isolate the circuit during a CR fire event discussed above.
Design modifications are planned to correct the latent design deficiencies for the non- conforming pressurizer back-up heater, CHB-UV-505, and CHB-UV-515 RSS control circuits. Final corrective actions for the five additional non-conforming RSS control circuits will be based on evaluations to determine whether to implement design modifications or other appropriate alternatives. The alternatives may include licensing bases or procedure changes.
8. PREVIOUS SIMILAR EVENTS:
In the past three years, PVNGS reported an event which affected the remote shutdown system function of the unit 3 train B PZR auxiliary spray valve, CHB-HV-203. That event was caused by inadequate post maintenance testing (LER 50-530/2010-001-00). The corrective actions from the previous event would not have prevented this event.
In 2007, LER 50-528/2007-002-00 was submitted to report a condition with the RSS control circuit isolation capability which is similar to the conditions reported in this LER. The extent condition reviews from the 2007 event did not prevent this event because the reviews were conducted without adequate comprehensive review and independent verification. I