IR 05000335/2016012

From kanterella
Revision as of 19:18, 7 July 2018 by StriderTol (talk | contribs) (Created page by program invented by StriderTol)
Jump to navigation Jump to search
St. Lucie, NRC Inspection Report 05000335/2016012 and 05000389/2016012, and Preliminary White Finding - Reissued
ML17179A461
Person / Time
Site: Saint Lucie  NextEra Energy icon.png
Issue date: 06/28/2017
From: Munday J T
Division Reactor Projects II
To: Nazar M
Florida Power & Light Co
References
EA-17-013 IR 2016012
Download: ML17179A461 (12)


Text

UNITED STATES NUCLEAR REGULATORY COMMISSION REGION II 245 PEACHTREE CENTER AVENUE NE, SUITE 1200 ATLANTA, GEORGIA 30303-1257 June 28, 2017

EA-17-013

Mr. Mano Nazar President and Chief Nuclear Officer Nuclear Division

Florida Power & Light Co.

Mail Stop: NT3/JW 15430 Endeavor Drive Jupiter, FL 33478

SUBJECT: RE-ISSUED INSPECTION REPORT - ST. LUCIE PLANT - NRC INSPECTION REPORT 05000335/2016012 AND 05000389/2016012 AND PRELIMINARY

WHITE FINDING

Dear Mr. Nazar:

On February 2, 2017, the U.S. Nuclear Regulatory Commission (NRC) issued Inspection Report (IR) 050000335/2016012 in both "Official Use Only - Security Related Information" and

"Publically Available" versions. The Official Use Only - Security Related Information report was categorized in the Agencywide Documents Access and Management System (ADAMS) under Accession Number ML17034A050 and is not available to the public for review. The publicly available version of this report was categorized under ADAMS Accession Number ML17033B599.

After the inspection report was issued, the NRC identified that the inspection report number was incorrect due to an administrative error. Specifically the NRC determined that although a small number of inspection hours were charged to the Unit 2 docket during extent of condition reviews, the report number did not reflect both Unit 1 (05000335/2016012) and Unit 2 (05000389/2016012) dockets. This change does not affect any previously billed hours associated with this inspection. This error is being corrected by reissuing the affected reports and correcting the cover letter subject title to correct the inspection record. This reissued cover letter and attached report does not amend any information in the attached report or change any NRC position that has been communicated in the previously issued report.

Sincerely,/RA/ Joel T. Munday, Director Division of Reactor Projects

Docket No.: 50-335, 50-389 License No.: DPR-67, NPF-16

Enclosure:

NRC IR 05000335/2016012 and 05000389/2016012

w/Attachments:

Supplemental Information Detailed Risk Assessment (OUO-SRI)

cc Distribution via ListServ

(Cover letter and Report w/o Detailed Risk Assessment attachment)

ML17179A461 ADAMS PACKAGE NUMBER: ML17179A497 SUNSI REVIEW COMPLETE SENSITIVE NON-SENSITIVE NON-PUBLICLY AVAILABLE PUBLICLY AVAILABLE Keyword: SUNSI REVIEW COMPLETE OFFICE RII:DRP RII:DRP RII:DRP RII:DRP NAME AWilson LPressley LSuggs /RA LFP1/ JMunday DATE 6/28/2017 6/27/2017 6/27/2017 6/28/2017 Enclosure U.S. NUCLEAR REGULATORY COMMISSION REGION II

Docket Nos: 50-335, 50-389

License Nos: DPR-67, NPF-16

Report Nos: 05000335/2016012, 05000389/2016012

Licensee: Florida Power & Light Company (FP&L)

Facility: St. Lucie Plant, Units 1 & 2

Location: 6501 South Ocean Drive Jensen Beach, FL 34957 Dates: August 21, 2016 - December 19, 2016

Inspectors: T. Morrissey, Senior Resident Inspector S. Roberts, Resident Inspector J. Hanna, Senior Reactor Analyst

Approved by: Joel T. Munday, Director Division of Reactor Projects

SUMMARY

IR 05000335/2016012; August 21, 2016 - December 19, 2016; St. Lucie Nuclear Plant, Unit 1,

Follow-up of Events and Notices of Enforcement Discretion

This report covers approximately a four-month period of inspection by resident inspectors. One finding with preliminary significance was identified by the inspectors. The significance of inspection findings are indicated by their color (Green, White, Yellow, Red) using Inspection Manual Chapter (IMC) 0609, issued April 29, 2015, "Significance Determination Process." The cross-cutting aspect was determined using IMC 0310, "Components Within the Cross-Cutting Areas," dated December 4, 2014. The NRC's program for overseeing the safe operations of commercial nuclear power reactors is described in NUREG-1649, "Reactor Oversight Process," Revision 6.

Cornerstone: Initiating Events

  • To Be Determined (TBD). A self-revealing finding was identified for the licensee's failure to maintain configuration control of the inadvertent energization lockout relay manual synchronization circuitry as required by licensee procedures MA-AA-100 and ADM-08.12, during the October 2013 modification to the Unit 1 automatic main generator synchronization circuit.

The performance deficiency was more than minor because it was associated with the human performance attribute of the Initiating Events Cornerstone and it adversely affected the associated cornerstone objective of limiting the likelihood of events that upset plant stability and challenge critical safety functions because it resulted in an actual plant trip.

The inspectors screened the finding under the initiating events cornerstone using Attachment 4 (October 7, 2016) and Appendix A (June 19, 2012) of Inspection Manual Chapter 0609, "Significance Determination Process" (April 29, 2015). The inspectors determined the finding required a detailed risk evaluation because the finding caused a reactor trip and the loss of mitigation equipment relied upon to transition the plant from the onset of the trip to a stable shutdown condition (e.g. loss of condenser and loss of feedwater). A preliminary significance characterization of White has been assigned. The preliminary finding involved the cross-cutting area of human performance associated with the cross-cutting aspect of avoiding complacency because the individuals involved failed to recognize and plan for the possibility of mistakes, latent issues, and inherent risk and failed to implement human error reduction tools associated with configuration control. (H.12) (Section 4OA3).

REPORT DETAILS

OTHER ACTIVITIES

Cornerstones: Initiating Events, Mitigating Systems, and Barrier Integrity

4OA3 Followup of Events and Notices of Enforcement Discretion

.1 (Closed) Licensee Event Report (LER) 05000335/2016-003-00, Generator Lockout Relay Actuation During Power Ascension Results in Reactor Trip

a. Inspection Scope

On August 21, 2016, during a Unit 1 restart following a maintenance outage, the main generator inadvertent energization lockout relay unexpectedly actuated which caused the main generator to trip resulting in an automatic reactor trip. The relay actuation prevented the automatic transfer of station auxiliaries to the startup transformers and resulted in a LOOP, although offsite power remained available at the switchyard. The inspectors reviewed the LER and associated root cause evaluation (action request (AR)2151217) to verify the accuracy and completeness of the LER and the appropriateness of the corrective actions. The LER was also reviewed to identify any licensee performance deficiencies (PDs) associated with the event. Documents reviewed are listed in the Attachment. This LER is closed.

b. Findings

Introduction:

A self-revealing finding was identified for the licensee's failure to maintain configuration control of an electrical wire during the October 2013 installation of a digital upgrade to the Unit 1 automatic main generator synchronization circuit.

Description:

On August 21, 2016, during a normal power ascension for Unit 1, the reactor tripped, from approximately 38 percent reactor power, when the inadvertent energization generator lockout relay actuated. The relay actuation prevented the automatic transfer of station auxiliaries to the startup transformers which resulted in a complicated trip (i.e. loss of main feedwater, main condenser, offsite power to the safety related buses and all reactor coolant pumps.) Offsite power remained available at the switchyard during this event. Both emergency diesel generators started and powered the safety related buses. Operators manually restored power to the buses after verifying availability.

The main generator inadvertent energization lockout relay was a protective relay that was designed to be armed when the main generator was offline and had a set point of 8000 amps. This protective feature was designed to prevent damage to the main generator, which could be incurred through motoring in the event the output breakers were closed unintentionally with the main generator offline. The synchronization circuit was designed to automatically bypass the inadvertent energization lockout relay when the main generator was synchronized to the grid, using either manual or automatic synchronization methods.

The licensee's investigation found that the inadvertent energization lockout relay remained armed following manual synchronization of the main generator to the electrical grid on August 21, 2016, due to a missing wire in the manual synchronization circuit.

The missing wire prevented the relay from performing its disarming function as required 3 during main generator synchronization. The licensee replaced the missing wire and an appropriate post maintenance test was completed. The licensee performed a root cause evaluation (AR 2151217) and identified one root cause, which was; incorrect removal of a wire during an October 2013 modification to restore the automatic synchronization capabilities of the generator breakers. Corrective actions included: replacement of the missing wire, and implementing procedure guidance for both units to verify the inadvertent energization lockout relay was reset prior to exceeding 8000 amps.

The manual synchronization performed on August 21, 2016, was the first manual synchronization utilized since the digital modification was installed in October 2013. The missing wire did not impact the disarming function of the inadvertent energization lockout relay following automatic synchronization. From June 2010, until automatic synchronization was restored in October 2013, manual synchronization to the grid had been utilized successfully, therefore the wire in question had been properly installed prior to the modification in October 2013.

Licensee procedure MA-AA-100, "Conduct of Maintenance", Revision 15 (2013), Section 5.11, "Configuration Control," stated in part, that each site shall have a configuration control procedure that provided step by step instructions for conducting configuration changes in the plant. The procedure stated that configuration changes included the lifting of leads, and installing and removing electrical jumpers. A "wire" is considered the same as an electrical "lead" or "conductor." Licensee administrative procedure ADM-08.12, "Maintenance Configuration Control", Revision 2 (2013), Section 1.2, "Scope",

included configuration changes such as lifting leads, and installing and removing electrical jumpers. Section 4.1, "Configuration Control', stated in part, to perform all component manipulations and changes per the following: detailed procedure or written instructions.

The digital automatic synchronization modification performed in October 2013 was installed under written instructions as work order (WO) 40038386, which implemented engineering change (EC) 274642, "SYNC/888: Auto Sync Not Working." The instructions directed the de-termination and removal of conductors in the main generator synchronization circuit, however the wire/conductor that was erroneously removed was not within the scope of the WO. The licensee concluded that the wire was removed erroneously. Therefore the removal was not performed in accordance with procedures

MA-AA-100, "Conduct of Maintenance" and ADM-08.12, "Maintenance Configuration Control" which resulted in a loss of configuration control.

In the period between October 2013, and August 21, 2016, the licensee had only utilized the functional automatic synchronization circuit. Therefore when using this method for synchronization the licensee fully met Technical Specification (TS) 3.8.1.1, which required a minimum of two physically independent alternating current (AC) circuits between the offsite transmission network and the onsite Class 1E distribution system in addition to TS 3.8.1.2, for shutdown, that requires one circuit between the offsite and onsite distribution system. Therefore during this period the electrical power systems were capable of performing their specified safety functions as detailed in the Updated Final Safety Analysis Report (UFSAR), Chapter 8, Electric Power.

On August 21, 2016, when the licensee utilized the non-conforming manual synchronization circuit they unknowingly introduced the susceptibility of a LOOP. The manual synchronization was performed at approximately 1202 hours0.0139 days <br />0.334 hours <br />0.00199 weeks <br />4.57361e-4 months <br />. The LOOP occurred at approximately 1926 hours0.0223 days <br />0.535 hours <br />0.00318 weeks <br />7.32843e-4 months <br /> with restoration of offsite power from one electrical bus at approximately 2012 hours0.0233 days <br />0.559 hours <br />0.00333 weeks <br />7.65566e-4 months <br /> and two electrical buses at approximately 4 2036 hours0.0236 days <br />0.566 hours <br />0.00337 weeks <br />7.74698e-4 months <br />. However, up until the actual moment that the inadvertent relay actuation occurred the electrical system could have performed its specified safety function.

TS 3.8.1.1 Limiting Condition of Operation (LCO) condition d, stated that with two of the

required offsite AC circuits inoperable restore within 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> or be in Hot Standby with 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />. The licensee was in Hot Standby immediately following the reactor trip and restored the operability of two offsite AC circuits in approximately 8 hour9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> and 34 minutes, from initial susceptibility until full restoration, and therefore, did not violate the TS and LCO requirements.

Analysis:

The failure to maintain configuration control of the inadvertent energization lockout relay manual synchronization circuitry wire as required by licensee procedures MA-AA-100 and ADM-08.12 was a performance deficiency (PD). Specifically, this failure to maintain configuration control resulted in an erroneously removed wire from the manual synchronization circuitry which resulted in a reactor trip. The PD was more than minor because it was associated with the human performance attribute of the Initiating Events Cornerstone. The PD adversely affected the cornerstone objective of limiting the likelihood of events that upset plant stability and challenge critical safety functions because the PD resulted in an actual reactor trip with complications.

The inspectors screened the finding using Inspection Manual Chapter (IMC) 0609, "Initial Characterization of Findings," Attachment 4, (October 7, 2016), under the initiating events cornerstone because the event resulted in a transient with a reactor trip, loss of offsite power and loss of feedwater. Attachment 4 of IMC 0609, then routed the screening to IMC 0609, Appendix A, "The Significance Determination Process (SDP) for Findings At-Power," (June 19, 2012). Using IMC 0609, Appendix A, "Exhibit 1 -

Initiating Events Screening Questions," under B. "Transient Initiators" the inspectors determined the finding required a detailed risk evaluation because the finding caused both a reactor trip and the loss of mitigation equipment relied upon to transition the plant from the onset of the trip to a stable shutdown condition (e.g. loss of condenser and loss

of feedwater).

A preliminary significance characterization has been assigned, however the characterization is not yet finalized. The finding does not represent an immediate safety concern because the main generator synchronization circuit has been restored to allow automatic bypassing of the inadvertent energization lockout relay during manual as well as automatic synchronizations.

A Regional SRA performed the detailed risk assessment by using the NRC's Standardized Plant Analysis Risk (SPAR) model for St. Lucie Unit 1 and setting the Plant Centered LOOP frequency equal to 1.0 because the event actually occurred. The initial result was approximately 2E-5 (Yellow). The dominant risk sequence was a Plant Centered LOOP 02-11 where CST depletion occurs and long term heat removal fails.

This type of sequence contributed 80 percent (1.4E-5 / 1.73E-5) of the total internal events CDF. Through a visit to the St. Lucie site involving simulator observations, plant walkdowns, procedure reviews and interaction with NextEra risk staff, the analyst further refined the analysis and gave additional credit for operator actions for:

  • Condensate Storage Tank refill from one of a number of potential sources, including crosstie capability from Unit 2, depressurization of the steam generators and using tools and apparatus as described in 10 CFR 50.54(hh)(2), commonly known as B.5.(b) equipment, or Mitigating Strategies-FLEX equipment. A comprehensive Human Error Probability representing any/all of 5 those three potential sources was created using the SPAR-H methodology and assigned a value of 1E-2.
  • Propping open doors and installing temporary ventilation for the Reactor Auxiliary Building electrical equipment rooms. Certain accident sequences in the risk results had failures of the 5A and 5B exhaust fans which would ultimately cause failure of electrical equipment and consequently the mitigating system equipment which is powered by it. A Human Error Probability which would limit room heat up < 120F was created using the SPAR-H methodology and assigned a value of

1E-1.

When applied to the cutset results, these two additional factors reduced the calculated CDF to 2E-6. The detailed risk evaluation was completed on December 5, 2016, and was peer reviewed by another SRA on December 14, 2016. Please refer to the Detailed Risk Assessment in the Attachment accompanying this inspection report for the complete analysis.

Subsequently the licensee performed additional analyses that appeared to show the risk was less than 1E-6 (Green). The SRA continued to engage the licensee in discussions and perform sensitivity analyses based on the licensee's input to verify the initial result continued to be valid, i.e., White. The factors that the licensee asserted should be given additional credit for in the risk model (and which the NRC agreed with) were:

  • Condensate Storage Tank unavailability was changed from 1.6E-1 to 8E-3, based on historical data provided by the licensee from the last 3 years.
  • Recovery factor for Loss of Offsite Power Sequences was set equal to 1E-1. (Historically the SPAR models have included recovery credit for Station Blackout sequences, but not for LOOP sequences.)
  • Basic event representing the operators failing to initiate "feed and bleed" primary injection cooling was changed from 2E-2 to 1E-2. This change was made based on the lower decay heat level in the reactor core at 40 percent reactor power (when the performance deficiency would cause a LOOP), thus providing the operators approximately 50 percent more time to complete the action.

When applying these additional recovery credits, and when applying additional credit to the CST and emergency ventilation recovery actions mentioned above (one order of magnitude decrease in each case) the risk result remained greater than 1E-6 (White).

The preliminary finding involved the cross-cutting area of human performance and was associated with the cross-cutting aspect of avoiding complacency because the individuals involved failed to recognize and plan for the possibility of mistakes, latent issues, and inherent risk and failed to implement appropriate error reduction tools. Specifically the licensee failed to plan for the inherent risk of errors during the removal of unnecessary conductors in the circuit and failed to implement human error reduction tools associated with configuration control. [H.12].

Enforcement:

The inspectors did not identify a violation of regulatory requirements associated with this finding. Because the finding did not involve a violation of regulatory requirements and the significance has not been determined, it is identified as FIN 05000335/2016012-01, "Failure to Maintain Component Configuration Control Resulted in a Complicated Reactor Trip." 6

4OA6 Meetings, Including Exit

On December 19, 2016, the resident inspectors discussed the inspection results with Mr. Chris Costanzo, Site Vice President, and other members of the licensee's staff. On January 27, 2017, the resident inspectors presented the preliminary safety significance to Mr. Dan Deboer, Site Director, and other members of the licensee's staff. The inspectors verified that no proprietary information was retained by the inspectors or documented in this report.

ATTACHMENTS:

SUPPLEMENTAL INFORMATION

KEY POINTS OF CONTACT

Licensee Personnel

T. Summers, Regional Vice President
D. Deboer, Site Director
C. Costanzo, Site Vice President
D. Cecchett, Licensing Engineer
K. Frehafer, Licensing Engineer
M. Jones, Engineering Director
W. Parks, Operations Director
D. Pitts, Maintenance Director
R. Sciscente, Licensing Engineer
M. Snyder, Licensing Manager
R. Wright, Plant General Manager

NRC Personnel

L. Pressley, Senior Project Engineer
J. Hanna, Senior Reactor Analyst

LIST OF ITEMS OPENED, CLOSED, AND DISCUSSED

Opened

05000335/2016012-01

FIN

Failure to Maintain Component Configuration Control

Resulted in a Complicated Reactor Trip

(Section 4OA3)

Closed

05000335/2016-003-00
LER
Generator Lockout Relay Actuation During Power Ascension Results in Reactor Trip (Section 4OA3)

LIST OF DOCUMENTS REVIEWED

Section 4OA3: Follow-up of Events and Notice of Enforcement Discretion

Miscellaneous:
LER 05000335, 2016-003-00, Generator Lockout Relay Actuation during Power Ascension Results in Reactor Trip "PRA Analysis of St. Lucie Unit 1 August 21, 2016 Generator Lockout Event," dated January 13, 2017
Procedures:
MA-AA-100, Conduct of Maintenance, Revision 15
ADM-08.12, Maintenance Configuration Control, Revision 2 1-ARP-01-G00, "Control Room Panel G RTGB 102," Revision 42 1-AOP-25.02, "Ventilation Systems," Revision 6
2-EOP-01, "Standard Post Trip Actions SPTA," Revision 35
2-EOP-09, "Loss of Offsite Power/Loss of Forced Circulation," Revision 20
2-EOP-10, "Station Blackout," Revision 25 1-FSG-02, "Alternate AFW Suction Source," Revision 2
1-FSG-03, "Alternate Low Pressure Feedwater," Revision 2
1-FSG-06, "Alternate CST Makeup," Revision 2
Drawings: 8770-B-327, sheet 1790, Inadvertent Energization Generator Protection 8770-B-327, sheet 886, Generator Breakers 1E & 1M 8770-B-327, sheet 888, Gen. Auto & MAN. Synchronization
Miscellaneous:
WO 40038386,
EC 274642, SYNC/888: Auto Sync Not Working Job Performance Measure
0121245, "Supply Demineralized Water from the Treated Water Storage Tank to the Unit 1(2) Condensate Storage Tank," Revision 0 Job Performance Measure
0321227, "Align Unit 2 CST to Supply 1C AFW Pump," Revision 6Job Performance Measure
0521517, "Restoration of Electrical Equipment Room Ventilation-Unit 1," Revision 3 Operations Training Document, "Align the Unit 1A and 1B AFW Pumps to the Unit 2 CST, " Revision 4 Root Cause Analysis, "Lockout Relay Automatic Reactor Trip (Complicated)" Licensee Decay Heat Calculations Assuming 38% Power, dated November 30, 2016
Enercon Calculation, "Plant St. Lucie Unit 1 Electrical Equipment Room Loss of
HVS-5A/B Heatup Evaluation," Revision 0