10 CFR 50.72(b)(3)(iv)(A), System Actuation

From kanterella
Revision as of 21:43, 18 November 2017 by StriderTol (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

ECCS Actuation

System Actuation Reporting Summary

Valid Invalid
Moved ENS + LER LER (as 60 day ENS)
Not moved ENS + LER None

4-hour (ENS)

While Critical or RPS (ie Scram)

8-hour (ENS)

60-day (LER)

60-day (ENS)

Allowance for invalid signals which actuated a system

System actuation list

System Actuation Reporting contains a list of applicable systems

Both list include:

(1) Reactor protection system (RPS) including: Reactor scram and reactor trip.
(2) General containment isolation signals affecting containment isolation valves in more than one system or multiple main steam isolation valves (MSIVs).
(3) Emergency core cooling systems (ECCS) for pressurized water reactors (PWRs) including: High-head, intermediate-head, and low-head injection systems and the low pressure injection function of residual (decay) heat removal systems.
(4) ECCS for boiling water reactors (BWRs) including: High-pressure and low-pressure core spray systems; high-pressure coolant injection system; low pressure injection function of the residual heat removal system.
(5) BWR reactor core isolation cooling system; isolation condenser system; and feedwater coolant injection system.
(6) PWR feedwater system or emergency feedwater system.
(7) Containment heat removal and depressurization systems, including containment spray and fan cooler systems.
(8) Emergency ac electrical power systems, including: Emergency diesel generators (EDGs); hydroelectric facilities used in lieu of EDGs at the Oconee Station; and BWR dedicated Division 3 EDGs.

Only 50.73: (9) Emergency service water systems that do not normally run and that serve as ultimate heat sinks.

Discussion

An event that results or should have resulted in a discharge of the ECCS into the RCS as a result of a valid signal, or an event involving a critical scram, is reportable under 10 CFR 50.72(b)(2)(iv) (a 4-hour report) unless the actuation resulted from and was part of a preplanned sequence.

A valid actuation of any of the systems named in 10 CFR 50.72(b)(3)(iv)(B) is reportable under 10 CFR 50.72(b)(3)(iv)(A) (an 8-hour report) unless the actuation resulted from and was part of a preplanned sequence during testing or reactor operation.

A system actuation should be apparent at the time of occurrence. Therefore, if all events are reported properly, it is expected that all reports under 10 CFR 50.72 are as a result of an ongoing condition. An actuation of any of the systems named in 10 CFR 50.73(a)(2)(iv)(B) is reportable under 10 CFR 50.73(a)(2)(iv)(A) (a 60-day report) unless the actuation resulted from and was part of a preplanned sequence during testing or reactor operation or the actuation was invalid and occurred while the system was properly removed from service or occurred after the safety function had been already completed. As indicated in 10 CFR 50.73(a)(1), in the case of an invalid actuation reported under 10 CFR 50.73(a)(2)(iv)(A) other than actuation of the RPS when the reactor is critical, the licensee may, at its option, provide a telephone notification to the NRC Operations Center within 60 days after discovery of the event instead of submitting a written LER. In these cases, the telephone report—

(1) Is not considered an LER.
(2) Should identify that the report is being made under 10 CFR 50.73(a)(2)(iv)(A).
(3) Should provide the following information:
(a) the specific train(s) and system(s) that were actuated
(b) whether each train actuation was complete or partial
(c) whether or not the system started and functioned successfully

These paragraphs require events to be reported whenever one of the specified systems actuates either manually or automatically. They are based on the premise that these systems are provided to mitigate the consequences of a significant event and, therefore, (1) they should work properly when called upon, and (2) they should not be challenged frequently or unnecessarily. The Commission is interested in both events in which a system was needed to mitigate the consequences of an event (whether or not the equipment performed properly) and events in which a system actuated unnecessarily.

Events involving ECCS discharge to the vessel are generally more serious than actuations without discharge to the vessel. Therefore, this reporting criterion is a 4-hour report. Valid signals that should have resulted in a discharge of the ECCS into the RCS but did not due to some component that had failed or an operator action that was taken are reportable under 10 CFR 50.72(b)(2)(iv). For example, if a valid ECCS signal was generated by plant conditions and the operator put all ECCS pumps in pull-to-lock position, although no ECCS discharge occurred, the event is reportable under 10 CFR 50.72(b)(2)(iv).

Actuations that need not be reported are those initiated for reasons other than to mitigate the consequences of an event (e.g., at the discretion of the licensee as part of a preplanned procedure).

The intent is to require reporting of the actuation of systems that mitigate the consequences of significant events. Usually, the staff would not consider this to include single-component actuations because single components of complex systems, by themselves, usually do not mitigate the consequences of significant events. However, in some cases a component would be sufficient to mitigate the event (i.e., perform the safety function) and its actuation would, therefore, be reportable. This position is consistent with the statement that the reporting requirement is based on the premise that these systems are provided to mitigate the consequences of a significant event.

Single trains do mitigate the consequences of events, and, thus, train level actuations are reportable.

In this regard, the staff considers actuation of an EDG to be actuation of a train—not actuation of a single component—because an EDG mitigates the event (performs the safety function). (See Example 3 below.) The staff also considers intentional manual actions, in which one or more system components are actuated in response to actual plant conditions resulting from equipment failure or human error, to be reportable because such actions would usually mitigate the consequences of a significant event. This position is consistent with the statement that the Commission is interested in events in which a system was needed to mitigate the consequences of the event.

For example, starting a safety injection (SI) pump in response to a rapidly decreasing pressurizer level or starting high-pressure coolant injection (HPCI) in response to a loss of feedwater would be reportable. However, shifting alignment of makeup pumps or closing a containment isolation valve for normal operational purposes would not be reportable.

Actuation of multichannel actuation systems is defined as actuation of enough channels to complete the minimum actuation logic. Therefore, single-channel actuations, whether caused by failures or otherwise, are not reportable if they do not complete the minimum actuation logic.

Note, however, that if only a single logic channel actuates when, in fact, the system should have actuated in response to plant parameters, this would be reportable under these paragraphs as well as under 10 CFR 50.72(b)(3)(v) and 10 CFR 50.73(a)(2)(v) (“event or condition that could have prevented the fulfillment of the safety function of....”).

With regard to preplanned actuations, operation of a system as part of a planned test or operational evolution need not be reported. Preplanned actuations are those that are expected to actually occur due to preplanned activities covered by procedures. Such actuations are those for which a procedural step or other appropriate documentation indicates that the specific actuation is actually expected to occur. Control room personnel are aware of the specific signal generation before its occurrence or indication in the control room. However, if, during the test or evolution, the system actuates in a way that is not part of the planned evolution, that actuation should be reported. For example, if the normal reactor shutdown procedure requires that the control rods be inserted by a manual reactor scram, the reactor scram need not be reported.

However, if unanticipated conditions develop during the shutdown that cause an automatic reactor scram, such a reactor scram should be reported. The fact that the safety analysis assumes that a system will actuate automatically during an event does not eliminate the need to report that actuation. Actuations that need not be reported are those initiated for reasons other than to mitigate the consequences of an event (e.g., at the discretion of the licensee as part of a planned evolution).

Note that, if an operator were to manually scram the reactor in anticipation of receiving an automatic reactor scram, this would be reportable just as the automatic scram would be reportable.

Valid actuations are those actuations that result from valid signals or from intentional manual initiation, unless it is part of a preplanned test. Valid signals are those signals that are initiated in response to actual plant conditions or parameters satisfying the requirements for initiation of the system. They do not include those that are the result of other signals. Invalid actuations are, by definition, those that do not meet the criteria for being valid. Thus, invalid actuations include actuations that are not the result of valid signals and are not intentional manual actuations.

Except for critical scrams, invalid actuations are not reportable by telephone under 10 CFR 50.72. In addition, invalid actuations are not reportable under 10 CFR 50.73 in any of the following circumstances:

(1) The invalid actuation occurred when the system was already properly removed from service. This means that all requirements of plant procedures for removing equipment from service have been met. It includes required clearance documentation, equipment and control board tagging, and properly positioned valves and power supply breakers.
(2) The invalid actuation occurred after the safety function had already been completed. An example would be RPS actuation after the control rods have already been inserted into the core.

If an invalid actuation reveals a defect in the system so that the system failed or would fail to perform its intended function, the event continues to be reportable under other requirements of 10 CFR 50.72 and 50.73. When invalid actuations excluded by the conditions described above occur as part of a reportable event, they should be described as part of the reportable event in order to provide a complete, accurate, and thorough description of the event.

Examples

(1) Reactor Protection System Actuation

  • The licensee was placing the RHR system in its shutdown cooling mode while the plant was in hot shutdown. The BWR vessel level decreased for unknown reasons, causing RPS scram and Group III primary containment isolation signals, as designed. All control rods had been previously inserted and all Group III isolation valves had been manually isolated. The licensee isolated RHR to stop the decrease in reactor vessel level.

An ENS notification and an LER are both required because, although the systems’ safety functions had already been completed, the RPS scram and primary containment isolation signals were valid and the actuations were not part of the planned procedure. The automatic signals were valid because they were generated from the sensor by measurement of an actual physical system parameter that was at its setpoint.

With the BWR defueled, an invalid signal actuated the RPS. There was no component operation because the control rod drive system had been properly removed from service. This event is not reportable because (1) the RPS signal was invalid, and (2) the system had been properly removed from service.

  • At a BWR, both recirculation pumps tripped as a result of a breaker problem.

This placed the plant in a condition in which BWRs are typically scrammed to avoid potential power/flow oscillations. At this plant, for this condition, a written off-normal procedure required the plant operations staff to scram the reactor. The plant staff performed a reactor scram, which was uncomplicated.

This event is reportable as a manual RPS actuation. Even though the reactor scram was in response to an existing written procedure, this event does not involve a preplanned sequence because the loss of recirculation pumps and the resultant off-normal procedure entry were event driven, not preplanned. Both an ENS notification and an LER are required. In this case, the licensee initially retracted the ENS notification, believing that the event was not reportable. After staff review and further discussion, it was agreed that the event is reportable for the reasons discussed above.

(2) Boiling Water Reactor Control Rod Block Monitor Actuation

A rod block that was part of the planned startup procedure occurred from the rod block monitor, which, at this plant, is classified as a portion of the RPS.

This event is not reportable because it occurred as a part of a preplanned startup procedure that specified that certain rod blocks were expected to occur.

(3) Emergency Diesel Generator Starts

  • An EDG automatically started when a technician inadvertently caused a short circuit that de-energized an essential bus during a calibration. The actuation was valid because an essential bus was de-energized. The event is reportable because the EDG autostart was not identified at the step in the calibration procedure being used.
  • After an automatic EDG start, and for unknown reasons, the emergency bus feeder breaker from the EDG did not close when power was lost on the bus. The event is reportable because the actuation logic for the EDG start was completed, even though the EDG did not power the safety buses.

(4) Preplanned Manual Scram

During a normal reactor shutdown, the reactor shutdown procedure required that reactor power be reduced to a low power, at which point the control rods were to be inserted by a manual reactor scram. The rods were manually scrammed.

This event is not reportable because the manual scram resulted from and was, by procedure, part of a preplanned sequence of reactor operation. However, if conditions develop during the process of shutting down that require an unplanned reactor scram, the RPS actuation (whether manually or automatically produced) is reportable.

(5) Actuation of Wrong Component during Testing

During surveillance testing of the MSIVs, an operator incorrectly closed MSIV D when the procedure specified closing MSIV C.

This event is not reportable because the event is an inadvertent actuation of a single component rather than a train-level actuation (and the purpose of the actuation was not to mitigate the consequences of an event).

(6) Reactor Water Cleanup Isolation

A Reactor Water Cleanup (RWCU) primary containment isolation occurred on pressurization between the RWCU suction containment isolation valves, as designed to isolate a pipe break. It is a valid signal because this is the safety function of the containment isolation system. Regardless, the event is not reportable because the signal did not affect containment isolation valves in multiple systems.

(7) Manual Actuation of Component in Response to Actual Plant Condition

At a PWR, maintenance personnel inadvertently pulled an instrument line out of a compression fitting connection at a pressure transmitter. The resultant RCS leak was estimated at between 70 and 80 gallons per minute. Charging flow increased due to automatic control system action. The operations staff recognized the symptoms of an RCS leak and entered the appropriate off-normal procedure. The procedure directed the operations staff to start a second charging pump, and flow was manually increased to raise pressurizer level. Based on the response of the pressurizer level, the operations staff determined that a reactor scram and SI were not necessary. Maintenance personnel still at the transmitter closed the instrument block and root valves, terminating the event.

The staff considers the manual start of the charging pump (which also serves as an ECCS pump, but with a different valve lineup) in response to dropping pressurizer level to be an intentional manual actuation in response to equipment failure or human error and reportable because it constitutes deliberate manual actuation of a single component, in response to plant conditions, to mitigate the consequences of an event. As discussed previously in this section, actuations that need not be reported are those that are initiated for reasons other than to mitigate the consequences of an event (e.g., at the discretion of the licensee as part of a planned procedure or evolution).

(8) Actuation during Maintenance Activity

At a BWR, a maintenance activity was underway involving placement of a jumper to avoid unintended actuations. The maintenance staff recognized that there was a high potential for a loss of contact with the jumper and consequent actuation. This potential was explicitly stated in the maintenance work request and on a risk evaluation sheet.

The operating staff was briefed on the potential actuations prior to start of work. During the event, a loss of continuity did occur and the actuations occurred, involving isolation, standby gas treatment start, closing of some valves in the primary containment isolation system (recirculation pump seal mini purge valve, nitrogen supply to drywell valve, and containment atmospheric monitoring valve).

The event is not reportable under 10 CFR 50.72(b)(2)(iv) or (b)(3)(iv) because the actuations were not valid. It is reportable under 10 CFR 50.73(a)(2)(iv) because the actuations were not listed as (and were not) definitely expected to occur.


Retrieved from "https://kanterella.com/w/index.php?title=10_CFR_50.72(b)(3)(iv)(A),_System_Actuation&oldid=195623"