05000266/LER-2001-005

From kanterella
(Redirected from ML030870834)
Jump to navigation Jump to search
LER-2001-005,
Docket Number
Event date: 2-9-2001
Report date: 01-28-2002
Reporting criterion: 10 CFR 50.73(a)(2)(v)(D), Loss of Safety Function - Mitigate the Consequences of an Accident
Initial Reporting
2662001005R00 - NRC Website
v  d  e

DOCKET NUMBER (2) LER NUMBER (6) _PAGE (3)

Event Description:

While conducting a self-initiated, voluntary review and revision of the Point Beach Nuclear Plant (PBNP) PRA model, including the auxiliary feedwater system (AFWS) (BA) portion of that model, Nuclear Management Company (the licensee for PBNP) engineers revealed a previously unidentified vulnerability. NMC observed that the air operated valves {V} in the minimum flow recirculation piping for the AFWS pumps (P) were not modeled within the PRA. The recirculation line provides a flow path back to the condensate storage tanks. This recirculation path is provided to ensure adequate flow through the AFWS pumps to prevent hydraulic instabilities and to dissipate pump heat during low AFWS flow conditions. The isolation valves in the recirculation line are operated with Instrument Air (IA) {LD} and are designed to fail close. Therefore, if the AFW pump discharge valves had been throttled or closed and the recirculation valves had closed (either before or after the discharge valves were closed) due to a hypothesized loss of IA, the AFW pumps could have been placed in a condition of reduced or insufficient pump flow. NMC further identified that a loss of offsite power (LOOP) could also initiate the event since the IA compressors are tripped on under-voltage and not automatically re-powered from a safeguards bus. Certain design basis accidents assume a LOOP. A loss of IA would also cause a loss of normal feedwater and would initiate a dual unit trip. During these transients, the AFWS pumps will start injecting into the steam generators {SG}. Early in the emergency operating procedures (EOPs), which would be entered as a result of the reactor trip transient, the plant operators are directed to control flow to the steam generators to maintain desired level and to prevent overcooling of the RCS (AB). This may include shutting off flow to one or both steam generators by either securing the pump(s) or shutting an AFW pump discharge valve. At the time of discovery, the EOPs did not contain information addressing the requirement to maintain a minimum amount of flow through the pump. If flow from any AFWS pump is reduced too low (as would occur if the AFWS discharge valves are closed) and the recirculation valves had closed (either before or after the discharge valves were closed) due to a hypothesized loss of IA and the operators fail to identify the lack of recirculation flow, then the associated pump could fail in a very short period of time. This failure mode (common loss of IA and similar operator response to high steam generator level or overcooling of the RCS) could potentially result in the failure of more than one or all of the AFW pumps.

On November 29, 2001, a corrective action report (CR 01-3595) was initiated to document this condition. During the internal screening of this report, the AFWS was determined to be operable and capable of performing its safety function to provide water to the steam generators for decay heat removal. However, since we had determined that the potential loss of IA, in conjunction with inappropriately directed operator action, could have affected multiple trains of a safety related system, we conservatively concluded that this condition should be reported. An ENS notification (EN#38525) was made at 1705 CST pursuant to 10 CFR 50.72(b) (3)(v)(D) for "a condition that could have prevented the fulfillment of the safety function of structures or systems that are needed to:...(D) Mitigate the consequences of an accident. This vulnerability appears to be applicable to this situation in that EOP-0, "Reactor Trip or Safety Injection" and EOP 0.1 "Reactor Trip Response" did not include explicit operator directions regarding the concern for maintaining adequate minimum AFWS pump flow. As a result, there was some probability that operator action could have prevented the AFWS from completing its safety function. At 1746 on November 30, 2001, the ENS event notification was supplemented to further clarify the discussion of the specific failures postulated and to reiterate that the loss of IA affects only the AFWS pump recirculation valves and not the air operated discharge valves. The discharge valves fail open on loss of instrument air and have nitrogen backup.

Cause:

The apparent cause of this condition was the failure to recognize that the lack of guidance within the EOPs, in conjunction with action directed by the EOPs, could exacerbate an event that included a loss of IA. The PBNP abnormal operating procedure, AOP-5B, "Loss Of Instrument Air," addresses the vulnerability of the AFWS system to the fail closed minimum recirculation air operated valves. That procedure includes specific directions to gag open the AFWS recirculation valves using the valve handwheels. However, the timing of that step in this procedure was such that action at that point may occur after the operator has already taken action to throttle back on the AFWS pump discharge flow. The significance of the timing of these actions was realized by the NMC in its self-initiated, voluntary review and update of the PRA. This condition had not been identified in the baseline PRA.

Operator training included lesson plans which identified the need and basis for maintaining minimum flows through the AFWS pumps and discussed the opening and closing logic for the recirculation valves. Operating crew simulator training included loss of instrument air scenarios. However, the specifics of the simulator program are such that failing closed the recirculation valves and shutting the AFWS discharge valves does not automatically fail the AFW pump.

Therefore, the crew simulator training may not have sensitized the operators to this vulnerability.

The PRA's capacity to integrate system performance with potential human actions to obtain a spectrum of plant responses allowed for identification of this vulnerability. The NMC has concluded that this vulnerability would not likely have been identified through normal surveillance or quality assurance activities. The root cause investigation of this condition identified that previous reviews in this area were generally focused on the necessity of providing adequate flow to the steam generators to remove decay heat. Because of the small margin in the capacity of the motor driven AFWS pumps in particular, it is essential in many scenarios that the recirculation valves are shut in order to assure adequate flow to the steam generators.

Corrective Actions:

  • A Root Cause Evaluation (RCE 01-069) Team was chartered to evaluate the vulnerability and why the risk significance of this condition was not recognized previously. The report of this team is scheduled to be provided for senior management review in late January 2002. The preliminary findings of this team with regard to root cause and contributing factors are included in the "Cause" section of this report.
  • Beginning at 1520 on November 30, 2001, the operating crews were briefed on the concerns identified with a loss of IA and AFWS pump requirements to maintain adequate minimum pump flow. Temporary information tags were placed adjacent to the Control Room controls for all four AFW pumps to provide a reminder of the minimum flow requirements for each AFW pump.
  • Temporary procedure changes were completed on November 30 to EOP-0, "Reactor Trip or Safety Injection" and EOP 0.1 "Reactor Trip Response," to reflect the guidance provided earlier to operators via the temporary information tags. On December 14, 2001, these changes were made permanent. The step was added as a foldout page item so that operators would stop the pumps any time the minimum flow requirements were not met.
  • Each operating crew received just in time training, briefings and simulator training concerning this event scenario to reinforce proper AFWS flow control.
  • On December 20, 2001, EOP 0 and EOP 0.1 were further revised to link problems with IA as indicated by the IA header pressure low alarm with the continuing need to closely monitor and maintain adequate AFWS pump flows.

This revision was also included in ECA 0.0, "Loss of All AC Power",

  • Plant modifications to enhance system reliability, including providing a backup air or nitrogen supply to the minimum recirculation valves, are being evaluated.
  • Simulator modifications to enhance modeling the potential failure of the AFWS pumps following loss of instrument air scenarios are being pursued.

FACILITY NAME (1) PAGE (3) LER NUMBER (6) DOCKET NUMBER (2) Point Beach Nuclear Plant, Unit 1 05000266 Component and System Description:

The following component and system description comes from Section 10.2 of the PBNP FSAR. A diagram of the major AFWS flowpaths is provided on the last page of this LER.

The auxiliary feedwater system consists of two electric motor-driven pumps, two steam turbine-driven pumps, pump suction and discharge piping, and the controls and instrumentation necessary for operation of the system. Redundancy is provided by utilizing two different pumping methods, two different sources of power for the pumps, and two sources of water supply to the pumps. The AFWS is categorized as seismic Class I and is designed to ensure that a single fault will not obstruct the system function.

One AFWS water source uses a steam turbine-driven pump for each unit with the steam capable of being supplied from either or both steam generators. Each turbine driven pump is capable of supplying 400 gpm of feedwater to its dedicated unit, or 200 gpm to each steam generator through normally throttled motor-operated discharge valves. The feedwater flowrate from the turbine-driven auxiliary feedwater pump depends on the throttle position of these motor operated valves (MOVs). Each pump has an AOV controlled recirculation line back to the condensate storage tanks to ensure minimum flow to dissipate pump heat. The pump drive is a single-stage turbine, capable of quick starts from cold standby and is directly connected to the pump. The turbine is started by opening either one or both of the isolation valves between the turbine supply steam header and the main steam lines upstream of the main steam isolation valves. The turbine and pump are normally cooled by service water with an alternate source of cooling water from the firewater system.

The other AFW source is common to both units and uses two similar motor-driven pumps each capable of obtaining its electrical power from the plant emergency diesel generators. Each pump has a capacity of 200 gpm with one pump capable of supplying the "A" steam generator in either or both units through an AOV back-pressure control valve and normally closed MOVs and with the other pump capable of supplying the "B" steam generator in either or both units through an AOV back-pressure control valve and normally closed MOVs.

Both back-pressure control valves fail open when instrument air to the valves is lost. The discharge valves are provided with a backup nitrogen supply to provide pneumatic pressure in the event of a loss of instrument air. This backup supply assures that the discharge valves do not move to the full open position which, combined with low steam generator pressures, may cause the pump motor to trip on over-current due to high flow conditions. Each pump has an AOV controlled recirculation line back to the condensate storage tanks to ensure minimum flow to prevent hydraulic instabilities and dissipate pump heat. The discharge headers also provide piping, valves, and tanks for chemical additions to any steam generator. The pump bearings are ring lubricated and bearing oil is cooled by service water.

The water supply source for the auxiliary feedwater system is redundant. The normal source is by gravity feed from two nominal capacity 45,000 gallon condensate storage tanks, while the safety-related supply is taken from the plant service water system whose pumps are powered from the diesel generators if station power is lost.

Safety Assessment:

Any complete loss of IA for a significant time is expected to result in a reactor trip and an AFW start signal due to a loss of normal feedwater (the normal feed water regulating valves fail close on loss of air). Under this postulated condition, all components of the AFWS are now and continue to be fully capable of performing their design functions supporting automatic starting and supplying sufficient flow to the steam generators to mitigate any transient or accident by removal of decay heat. It is the continued function of the AFWS, in response to directed operator actions to control AFWS flow and the lack of specific guidance contained within the original EOPs regarding a loss of IA, that is the issue identified in this event report.

FACILITY NAME (1) DOCKET NUMBER (2) LER NUMBER (6) Point Beach Nuclear Plant, Unit 1 05000266 A PRA assessment of the possible failure modes and effects associated with an IA failure identified a previously unrecognized vulnerability. This failure would have been caused by a combination of a design limitation, a specific sequence of postulated operator actions, and a lack of clear guidance within the EOPs. This combination could have resulted in failure of one or more of the AFW pumps due to aggressive AFW flow reduction (as may be expected in response to a steam generator overfill or RCS over-cooling) after automatic system start and flow had been established. The likelihood of success or failure in the postulated scenario is highly dependent upon plant transient response (which may vary with the nature of the initiating event, initial power levels, etc.) and operator response.

Operator response is highly dependent upon prior training, procedural usage, system knowledge and awareness, experience, and other human effectiveness (HE) factors. It should be noted that a control board alarm is provided (Instrument Air Header Pressure Low) to alert the operator to the existence of an initiating condition for this event and that established plant procedures direct the restoration of IA (both Emergency Operating Procedures and Abnormal Operating Procedures), and the manual gagging open of the minimum flow recirculation valves in the event that IA cannot be promptly restored (AOP 5B). PBNP has experienced partial losses of IA, including one event involving the loss of all off-site power and another involving a low IA header pressure alarm following a reactor trip. In each of these cases the operators demonstrated the ability to cope with the loss of IA casualty and recover IA header pressure before it had an adverse affect on plant equipment or response.

Preliminary PRA results show that the vulnerability described in this LER, prior to the procedural changes, was potentially risk significant. Although the initiating event frequencies are low to moderate, the unrecoverable IA scenario was risk significant due to the consequences of a total loss of all AFW pumps requiring feed and bleed without the pressurizer PORVs (AOVs which fail closed). The risk results are highly dependant upon human interactions. PBNP operators are trained on AFW system operations and have experience with degraded IA scenarios. Because of this training and experience, we believe it is reasonable to assume that the operators would have successfully handled this combination of conditions in the unlikely event that it would have occurred.

Although the AFWS met, and continues to meet all of its design and licensing requirements, the initiating event of a loss of IA, in conjunction with a misaligned procedure, had the potential to affect redundant trains of the AFWS, a safety-related system. Since it could be postulated that the same operator action could have impacted all the AFWS pumps, there is some probability that the result could have been the complete loss of the AFWS safety-related function.

Accordingly, we have also identified this event as a possible safety system functional failure.

Similar Occurrences:

A review of recent LERs (past two years) identified the following event which was also determined to involve the potential for a loss of safety function:

LER NUMBER Title 266/2001-002-00 Use of the Steam Generator Blowdown Isolation Interlock Defeat Switch Could Result in Loss of Safety Function

  • � .....f:=---::;..- �
  • --: �
  • '.-:.-
  • .
  • I �
  • � . � a P oint B e a ch N u cle a r Pla nt , U nit 1

FACILITY NAM

E (1) W IC

FORM

366A � U .S .

N

UCLEAR REGULATO

RY CO

M M

ISSIO

N (7 -2001) L IC E N SE E E V E N T R E P O R T {LER) O N T IN U

ATIO

N .

. � ..

  • 1.':.. o'"'. ctc,a,,,oti .., � .. ONLY � ....

..

  • FOR INFORMATION � g :-... �
  • � . �
  • � ' �
  • �(I) ' � ' � ' � ' ._ � .,
  • � 1 � 1------1..
  • � :.1 e — FEED. �
  • . � .

I.'

  • � "
  • WATER ..' � T.-411 �
  • � 420 . �
  • LO
  • . � . � .

Q a 0_ --,

  • 0 0 .0 I.

11401 - ..

  • i � '
  • '
  • � . � - �
  • � 1.,4NAlo
  • - , KA . -677.1,1— moo- ! ' �
  • 1P29 . � I �
  • � - �
  • 14. �
  • -I. � 4 � l-1 :'. � ' � :, ' SiVii iMIVE.N..

AUXILIARY FEED PLIMp , �

  • ,
  • .
  • � . � 1004003, _11 FC : _,'

' � i � I � . � 11.

  • 09
  • 1. 7 ' �
  • � TN
  • ‘,---4°-9?---.

.. 4 MOV

  • � .

2019 � -17;46 � . :. �

  • . � MAIN �
  • .
  • � , - � .,
  • � i MS
  • ,
  • 2062 , :.' , .
  • � i � l
  • , .1- � C..- 'i
  • � 1 � 1-44' �
  • 1004.
  • 4021 ohov.

' � .

/ 3te.mi‘N

GENERATOR

'IA

  • . � I ' �
  • � MAIN � - � .

� t- 1-l— FEED

  • : . �
  • � , � WATER �
  • ' �
  • � I � .

.. � ,...

  • � .. � .. �
  • � 4.„...1kcs
  • ' � %---*-,-(
  • . � ..
  • , Ile � .top :

.

  • f
  • ---41-- CT.T �
  • � .. IAOV-4002 �
  • 'I �
  • ,-
  • Fo �
  • .1-71 11-411*---1 /,.
  • . � STEAM �
  • ' 20 0V . � - 202 � :

640 -- isavIOa WATER ,. � . � 401a � . �

  • +7-, 7—I.,' 1-77-71.
  • -
  • j-----.--,-
  • � Seismic
  • Class 1.. �
  • '
  • 45. 000
  • ' ...,2*/21_0N.
S
...TAN I.

9, -n g, (,)

  • - ..,
  • , � cv
  • � Ito �
  • ..40.19 � ..

,i �

  • � . � . �
  • ..,/ . � - �
  • � . � .

(.1338P )7."."'- ‘L' - � / � ..",

  • -
  • � = � : �
  • 31i � 11..' - � - �
  • � . � .
  • . ELECTRIC
  • � XRIAy .r � FEED � I � . � .
  • � ' R0:40 1 .--
  • . 1
  • -i
  • -&1t :.-r " - .

.. �

  • � ' �
  • - 1 � 'I
  • -- -
  • - 1402 MOV 4029 mov 4022 --.

D OCKET NUM BER (2)

  • . �
  • � - ' $1-E.;GENERATORref " I.
  • 2 ..

� .:. --4 I �

  • MAIN 1-1— � FEED - �
  • � 1 � ' � WATER � . .., ,
  • -^.. � .., 2401 �
  • '
  • � pc.esiol RIO -i
  • � .. � ' 1.
  • � :

IZ■3 � -- ./F13. 4012 � ..

.

  • � CV � 100 iLI � "1-, .

Acv. 034 � oti . :_,..

  • ..:. � ,- � ---:' 6E7ViGE F. � 4.coo; � . WATER (P3aA
  • , � 1, . :1----4,-;.i..-p.---
  • ..',.

.

  • � . � .T , ■ ' - ' ELEcTRIC AUXIQAITY
  • FEED PUMP � 112 � . ' � 131)
  • '.,FC �
  • 417' ---r741-°C:8C.ST
  • . �
  • � - /3-1FAXIs
  • aE'■EM
  • r0A 1-r2i;j" � 2:1-07 �
  • 26.40:v . � [
  • 2-45 � 2-105
  • I � I' FEED' .

45,000 , 3ALLQN - , .

  • TANK ...S TANK ' .

N 0 0 1 (7) 0 LT1 e 0 .0 �

LER NUM

BER (6) �

  • - [ r
  • � .

_ l � 1-1- -

  • .2400
  • I , �
  • DC.-A "Aro . WATER.

1 , ,A0V-4007. � . �

  • 2 mov-,417.1-4.

,- SERVICE '

  • WATER ..tbos. �
  • 1— � '
  • /— . � I.

SEQ

UENTIAL

N UM

BER

L

  • L . � . � i , tle � ,s. too � 2 mov 1
  • I
  • .r1—I � .1=t124P.- . �
  • - � '-..- F. � :: � .-_,T1--- --- Salsa* � tot E
  • ASI IebnIo0 valves 2411 � 2444 �
  • � Class � ., AF-sv.lom v.6.e., LO � ,
  • DC.A': �
  • � i � , � ■noul m nGImrl _ , � _ ,._ � 2-32 �
  • � 2- 102
  • I UNIT i CONTAINMENT � Lo � :. �
  • .
  • . 2P29 .. MAIN STEAM � . � Icleienco M 217 SA. 1 0 2 DO .0 � 172 — � 4 � May
  • 2-108 FOR INFORMATION
  • ONLY STEAM DRIVEN � 2019 � .-0C-B . � AU9111.1.49tY FEED PUMP � z- , f C � . � " .1----L - � - � 2ao..tcos � .a m5 I- CST � .. � 2002 � -
  • )6-4111
  • - MAIN STEA

ISIO

N N UM

BER

0) 0

TI

PAGE (3) �I ������ �� ��

Retrieved from "https://kanterella.com/w/index.php?title=05000266/LER-2001-005&oldid=199844"