:on 960327,noted That Apr Sys May Not Be Single Failure Proof.Caused by Misinterpretation of Design Basis Requirements.Will Revise SBLOCA Long Term Cooling Analysis to Include FWCI as ECCS Sys

ML20148R338
Person / Time
Site:	Millstone
Issue date:	06/30/1997
From:	Robert Walpole NORTHEAST NUCLEAR ENERGY CO.
To:
Shared Package
ML20148R309	List: 05000245/LER-1996-037, :on 960327,noted That Apr Sys May Not Be Single Failure Proof.Caused by Misinterpretation of Design Basis Requirements.Will Revise SBLOCA Long Term Cooling Analysis to Include FWCI as ECCS Sys
References
LER-96-037, LER-96-37, NUDOCS 9707070363
Download: ML20148R338 (4)
v • d • e

text

-

._m..

.__._.m NRC FORM 366 U.S. NUCLEAR REGULATORY COMMISSION d.PPROVED BY OMB NO. 3150-0104 (4-95)

EXPtRES 04/30/98 fN O TO C LECTION REQUEST So o HR5 E O TfD nM"'?o^",'41# "^;aso 70,MUs".f"faS5 ^~ea

~0 LICENSEE EVENT REPORT (LER)

IS!%^VP '0!ffa"#fA1&"W,J "s'o"~^o'a*L*#N" fc

^

EIEe7sts"fcOES?ln'le" ?ET%'lES?r"oE"offo'sE**

l" (See reverse for required number of digits / characters for each block)

FACIUTY NAME (1)

DOCKET NUMBEM (2)

PAGE (3)

Millstone Nuclear Power Station Unit 1 05000245 1 of 4 l

TrrLE t43 Automatic Pressure Relief System May Not Be Single Failure Proof EVENT DATE (5)

LER NUMBER (6)

REPORT DATE (7)

OTHER FACILITIES INVOLVED (8)

MONTH DAY YEAR YEAR SEQUENTIAL REVISION MONTH DAY YEAR FACluTY NAME DOCKET NUMBER NUMBER

"' " "^"'

03 27 96 96 037 03 06 30 97 l

OPERATING THIS REPORT IS SUBMITTED PURSUANT TO THE REQUIREMENTS OF 1o CFR 5: (Check one or more) (11)

MODE (9)

N 20.2201(b) 20.2203(a)(2)(v>

X 50.73(a)(2)(i) 50.73(a)(2)(viii>

l LEVEL (10) 000 20.2203(a)(3)(i)

X 50.73(a)(2)(ii) 50.73(aH2)(x)

POWER 20.2203(a)(1) 20.2203(a)(2)(i) 20.2203(aH3)(ii) 50.73(aH2Hiii) 73.71 20.2203(a)(2)(ii) 20.2203(a)(4) 50.73(a)(2)(iv)

OTHER 20.2203(a)(2)(iii) 50.36(cH1) 50.73(a)(2)(v) specify in Abf. tract below y-

~

20.2203(a)(2)(iv) 50.36(c)(2) 50.73(a)(2)(vii)

LICENSEE CONTACT FOR THIS LER (12)

NAME TELEPHONE NUMBER Unclude A,sa Codel l

Robert W. Walpole, MP1 Nuclear Licensing Manager (860)440-2191 COMPLETE ONE LINE FOR EACH COMPONENT FAILURE DESCRIBED IN THIS REPORT (13)

CAUSE

SYSTEM COMPONENT MANUFACTURER REPORTABLE

CAUSE

SYSTEM COMPONENT MANUFACTURER RuPORTABLE l

To NPROS TO NPROs SUPPLEMENTAL REPORT EXPECTED (14)

EXPECTED MOMTH DAY YEAR SUBMISSION f

YES NO (If yes, complete EXPECTED SUBMISSION DATE).

ABSTRACT (Limit to 1400 spaces, i.e., approximately 15 single-spaced typewritten lines) (16)

On March 27,1996, with the plant shutdown and the reactor in the COLD SHUTDOWN condition, it was postulated that the automatic pressure relief (APR) system [SBl may be vulnerable to a single failure which could prevent more thin one safety / relief valve (SRV) from opening. The APR system rapidly depressurizes the reactor pressure vessel following a small break loss of coolant accident (SBLOCA), to allow coolant injection from low pressure ECCS pumps in the event that the high pressure injection system (i.e., Feedwater Coolant injection (FWCl)) IBJ] fails, and to l

facilitate long-term cooling of the core. The single failure vulnerability of APR invalidated assumptions of the l

op: rating cycle 15 SBLOCA analysis and an operability determination performed for FWCl in 1993. These analyses l

wtre based on the assumption that APR would remain available for accident mitigation and long-term cooling l

coincident with a single failure. Since the APR was not single failure proof and the plant continued to operate without a qualified FWCl system and an ECCS under postulated accident conditions, these events were promptly reported pursuant to 10CFR50.72.

Tha safety significance of these events is considered moderate based on the low probability of a SBLOCA concurrent with the type of failure of APR which would disable more than the required number of SRVs. Corrective actions will include the revision to the SBLOCA analysis, implementation of modifications to the APR system, and preparation of drsign basis summaries for FWCl and APR systems.

9707070363 970630 PDR ADOCK 05000245 S

PDR w

i NRC FORM 36CA U.S. NUCLEAR REGULATORY COMMISSION (4 95) l LICENSEE EVENT REPORT (LER) 1 TEXT CONTINUATION FACILITY NAME (1)

DOCKET NUMBER (2)

LER NUMBER (6)

PAGE (3) i YEAR SEQUENTIAL REVISION Millstone Nuclear Power Station Unit 1 05000245 NUMBER NUMBER 2 of 4 96 037 03 TEXT (If more space is required, use additional copies of NRC Form 366A) (il) j I

j j

l.

Description of Event

1 On March 27,1996,'with the plant shutdown and the reactor in the COLD SHUTDOWN condition, it was postulated that the APR system may be vulnerable to a single failure which could prevent more than one SRV from opening. The APR is an ECCS designed to mitigate the consequences of a SBLOCA. The APR performs this function by rapidly depressurizing the reactor pressure vessel (RPV) following a SBLOCA, to allow coolant injection from the low pressure ECCS pumps (i.e., Low Pressure Coolant injection (LPCI) [BO]

and Core Spray (CS) [BM] pumps) in the event that the high pressure system (i.e., FWCl) fails. The operating cycle 15 SBLOCA analysis did not credit FWCl and assumed that there is no single failure in the APR design which will disable more dan one SRV.

On May 17,1996, during the preparation of an engineering evaluation, it was determined that the APR may not be single failure proof (i.e., a single failure could disable more than one SRV). Since the design basis of Millstone Unit No.1 credits the APR for SBLOCA mitigation, and a single failure may invalidate that assumption, this event was determined to be reportable pursuant to 10CFR50.73(a)(2)(ii) as an unanalyzed condition that significantly compromises plant safety, and was promptly reported pursuant to 10CFR50.72(b)(2)(i).

1 On February 5,1997, with the plant in COLD SHUTDOWN, durinp the on-going engineering review of the APR system, it was determined that the same single failure vulnerability of the APR would not satisfy the long term cooling requirement of the core following SBLOCA. This was immediately reported on February 5, 1997, as a condition that is outside the design basis of the plant.

During the preparation of single failure position / topical papers as part of the 50.54(f) effort, investigation of a sequence of events involving the FWCl and APR systems potentially permitted plant operation outswide of the design basis dependent upon an incomplete operability determination. The operability determination performed during 1993 concluded that safe shutdown could be achieved by the isolation Condenser and the low pressure ECCS systems which are redundant and single failure tolerant. Operation of the low pressure ECCS systems under these conditions requires the APR system to be single failure proof and function to depressurize the reactor prior to initiating low pressure injection. Since it was determined that the APR system is not single failure proof, this operability determination was based on an invalid assumption. The combination of the APR system not being single failure proof, with the conditions allowed by the operability j

I determination, created a condition in which the unit operated without a qualified ECCS injection system for a SBLOCA for operating cycle 15.

11. Cause of Event

The cause of this event was misinterpretation of the design basis requirements for the APR system during a SBLOCA. This resulted in an incorrect assumption during development of the operability determination for the FWCl system.

General Electric (GE) report NEDO-10139, " Compliance of Protection Systems to Industry Criteria: General Electric BWR Nuclear Steam Supply System," dated June 1970, documents the GE analysis of the conformance of various Nuclear Steam Supply Systems to the Requirements of IEEE Standard 279(it should be noted that this is a generic document which is not specific to any one BWR). This report was misinterpreted at Millstone Unit No.1 as being directly applicable to the existing station design and it was j

believed that the APR system, as installed at Millstone Unit 1 conformed to tne system described in the GE PRC FORM 366A (4 95)

.~.

.U.S. NUCLEAR REGut ATORY COMMISSION (4-95)

LICENSEE EVENT REPORT (LER)

TEXT CONTINUATION FACILITY NAME (1)

DOCKET NUMBER (2)

LER NUMBER (6)

PAGE (3)

YEAR SEQUENTIAL REVISION Millstone Nuclear Power Station Unit 1 05000245 NUMBER NUMBER 3 of 4 96 037 03 TEXT (11more space is required, use additional copies of NRC form 366A) (11) report. Given this misinterpretation, it was believed that the Millstone Unit No.1 design was as reliable and as resistant to a single failure as the system described in the GE NEDO-10139 report. Also, this same misinterpretation allowed an incorrect analysis to demonstrate compliance with 10CFR50.46(b)(5), "Long-term cooling," and 10CFR50, Appendix K, "ECCS Evaluation Models."

l11. Analysis of Event The original design basis for the APR did not require APR to be redundant or to meet the single failure criteria by itself. Section VI-2.6.1 of the Millstone Unit No.1 Final Safety Analysis Report (FSAR) from 1968 states the design bases of the APR system as follows: "The automatic pressure relief sub-system is provided for backup to the FWCl discussed in Sub-Section VI-2.5 and performs the function of reactor vessel depressurization for all small area breaks." Section 7.3.1.1.2 of the current Millstone Unit No.1 Updated Final Safety Analysis Report also states, "The automatic pressure relief (APR) system, in combination with the core spray system and/or the low pressure coolant injection system, provides a redundant function to l

that of the feedwater coolant injection system."

Following a SBLOCA, the APR rapidly depressurizes the reactor vessel so that low pressure emergency core

)

cooling systems (e.g., LPCI and CS) can accomplish their safety functions, in the event the APR system j

fails to operate completely or partially (i.e., more than one valve fails to open), the reactor will not depressurize rapidly enough to allow injection from the LPCI and CS pumps for a range of small breaks.

Such injection is necessary for core cooling in the event the FWCl fails to continue to operate. If the SRVs are not capable of depressurizing the RPV following an accident, core cooling pursuant to 10CFR50.46 and 10CFR50, Appendix K is jeopardized. Millstone Unit No.1 has credited the CS system with providing long-term cooling of the reactor core following a LOCA, however, successful and sustained operation of the CS system is contingent upon successful initial depressurization of the RPV and maintaining the RPV in a depressurized state.

The APR and FWCl are not required under the current operating condition.

This event has safety implications since, for a SBLOCA, a failure of the APR concurrent with the unavailability of the feedwater/FWCl system would jeopardize initial and long-term core cooling. However, there were no safety consequences as a result of this event.

IV. Corrective Action

This issue is programmatic. NNECO has previously committed to establish the design basis for safety systems es part of the 50.54(f) review process. Additionally, engineering guidance delineating the detailed requirements for application of the single failure criterion will be prepared and training on the proper application of the single frilure criterion will be conducted for personnel identified by the Manager, Design Engineering. The following j

corrective actions will be implemented prior to startup for operating Cycle 16.

1.

Revise the SBLOCA and long-term cooling analysis to include FWCl as an ECCS system.

2.

Imp!ement modifications to the design of the APR system such that a single active failure will not diseble more than two APR valves.

3. Prepare design basis summaries for FWCl and APR systems.

1 NRG FDRM 366A U.S. NUCLEAR REGULATORY COMMISSION (4 95)

LICENSEE EVENT REPORT (LER)

TEXT CONTINUATION FACILITY NAME (1)

DOCKET NUMBER (2)

LER NUMBER (6)

PAGE (3)

YEAR SEQUENTIAL REVISION Millstone Nuclear Power Station Unit 1 05000245 NUMBER NUMBER 4 of 4 96 037 03 TEXT (If more space is required, use additional copies of NRC Form 366A) (17)

V.

Additional Information

Similar Events

. LER 97-028-00, identification Of Unacceptable Failure Modes Of Safety Related Components Or Systems Resulting From Postulated Failures Of Non-Safety Related Components Manufacturer Data None.

Energy in' ustry identification System (Ells) codes are identified in the text as [XX].

d i

J i

. NRC FORM 366A (4-95)