05000259/LER-2010-001

From kanterella
Revision as of 10:11, 27 November 2017 by StriderTol (talk | contribs) (Created page by program invented by StriderTol)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search
LER-2010-001, Units 1, 2, and 3 Appendix R Safe Shutdown Instruction Procedures Contain Incorrect Operator Manual I Actions
Docket Numbersequential Revyear Month Day Yearnumber No. Bfn Unit 2 05000260 I
Event date:
Report date:
Reporting criterion: 10 CFR 50.73(a)(2)(ii)(B), Unanalyzed Condition
2592010001R01 - NRC Website

1.� PLANT CONDITION(S) Browns Ferry Nuclear Plant (BFN) Units 1, 2, and 3 were operating in Mode 1 at approximately 50 percent thermal power.

II.� DESCRIPTION OF EVENT

A. Event

On August 9, 2010, during a review of design input calculations in support of the NFPA 805 transition from the 10CFR 50 Appendix R licensing basis, it was discovered that two 4kV breakers [BKR] that should be tripped and/or tripped and isolated during an Appendix R fire were not identified in the calculation summary. Specifically, for a postulated fire in Fire Zone 01-03, Breaker 14 on 4kV Shutdown Board B [EB] should be tripped. Also, for a postulated fire in Fire Zone 02-03, Breaker 19 on 4kV Shutdown Board A should be isolated and tripped in lieu of Breaker 10. Therefore, the Safe Shutdown Instructions (SSIs) for certain Appendix R fires do not contain two required operator manual actions (OMAs) to trip and/or trip and isolate these breakers. These OMAs are necessary to prevent spurious load additions on the credited Emergency Diesel Generator (EDG) [EK] during certain Appendix R fires. Without operator action to trip these breakers, spurious actuations could add loads on the credited EDG beyond what has been analyzed.

Operations personnel instituted compensatory actions by initiating interim operator actions to trip and/or trip and isolate the appropriate breakers during performance of the affected SSIs.

Following permanent SSI procedure revisions, these compensatory actions were terminated.

The Tennessee Valley Authority (TVA) is submitting this report in accordance with 10 CFR 50.73(a)(2)(ii)(B), any event or condition that results in the nuclear power plant being in an unanalyzed condition that significantly degraded plant safety.

B. Inoperable Structures, Components, or Systems that Contributed to the Event None C. Dates and Approximate Times of Major Occurrences August 22, 2003 Calculation "Units 1, :2, and 3 Appendix R - Auxiliary Power System Alignments and Diesel Generator Loading" issued with Breaker 14 and Breaker 19 transposition errors.

August 9, 2010, at 0835 hours0.00966 days <br />0.232 hours <br />0.00138 weeks <br />3.177175e-4 months <br /> CDT � Engineering personnel notified Operations personnel that SSI procedures do not contain two required actions.

August 9, 2010, at 1616 hours0.0187 days <br />0.449 hours <br />0.00267 weeks <br />6.14888e-4 months <br /> CDT� Operations personnel completed an 8-hour Non-Emergency Notification System report to the NRC.

August 9, 2010, at 1654 hours0.0191 days <br />0.459 hours <br />0.00273 weeks <br />6.29347e-4 months <br /> CDT � Operations personnel initiated compensatory interim operator actions.

D. Other Systems or Secondary Functions Affected

None

E. Method of Discovery

During a review of design input calculations in support of the NFPA 805 transition from the 10 CFR 50 Appendix R licensing basis, it was discovered that two 4kV breakers that should be tripped and/or tripped and isolated during an Appendix R fire were not captured in the calculation summary, and therefore not appropriately incorporated into the SSIs.

F. Operator Actions

None

G. Safety System Responses

None

III. CAUSE OF THE EVENT

A. Immediate Cause

None

B. Root Cause

The cause of the SSI issues is that certain 4kV electrical loads identified in the appendices and attachments of the calculation were not carried through to the main body of the calculation and subsequently were not identified in successor calculations and instructions. This was determined to be a transposition error in the calculation due to human error. This transposition error was not found by the independent reviewer.

C. Contributing Factors

None

IV. ANALYSIS OF THE EVENT

The engineering calculation transposition error occurred in August 2003. As a result of this past design-related problem if certain Appendix R fires were to occur, under the guidance and alignments provided in the SSIs with the incorrect steps to trip and/or trip and isolate the two breakers, there existed the potential for an EDG to be overloaded and the ability to power the equipment necessary to achieve and maintain safe shutdown could be jeopardized.

For a postulated fire in Fire Zone 01-03, Breaker 14 on 4kV Shutdown Board B (0-BKR-211-000B/014, Normal Feeder to Transformers TS1E and TDE) is required to be tripped.

There is normally no appreciable load on this breaker. However, if a specific fire induced failure of the control circuits to 480V [ED] transfer switches occurred, then loading of transformers TS1E and TDE could occur, and therefore loading on the credited EDG could increase to above analyzed limits.

For a postulated fire in Fire Zone 02-03, Breaker 19 on 4kV Shutdown Board A (2-BKR-074-0005, Residual Heat Removal (RHR) [BO] Pump 2A) should be isolated and tripped in lieu of Breaker 10 (0-BKR-023-0001, Residual Heat Removal Service Water (RHRSW) [BI] Pump Al). If the non-credited large load (i.e., 2000 hp RHR Pump 2A) is not isolated from the fire induced spurious start (i.e., Breaker 19 on 4kV Shutdown Board A isolated and tripped), then the postulated loading on the credited EDG could exceed the generator rating beyond what has been analyzed. Note that the incorrect tripping of the RHRSW Pump Al breaker (Breaker 10) has no effect on the emergency core cooling system because it is not credited for an Appendix R fire.

If the operators do not take prompt action to remedy the EDG overload for certain Appendix R fires in Fire Zone 01-03 or 02-03, and the EDG fails, then the credited power source would not be available to power the credited RHR pumps. With rapid depressurization and no injection, the core could be uncovered for longer than what has been analyzed. Therefore, there is a potential for fuel damage as a result of this condition.

V. ASSESSMENT OF SAFETY CONSEQUENCES

The Low Pressure Coolant Injection (LPCI) mode of the RHR system is the minimum safe shutdown system to maintain reactor inventory. The RHR system in its LPCI mode is designed to provide a high capacity low pressure source of makeup water to the reactor vessel to assure adequate core cooling for a spectrum of conditions which can depressurize the reactor vessel. Following reactor depressurization, the RHR system may be manually operated to inject flow from the suppression pool to the reactor vessel through the recirculation line. In addition to providing makeup inventory, the LPCI mode is also used for decay heat removal. This function is accomplished by continuously pumping suppression pool water through the RHR heat exchanger to allow the RHRSW to remove the pool heat to the ultimate heat sink. This function is normally provided by the Suppression Pool Cooling mode of the RHR system. However, for minimum safe shutdown systems, the LPCI mode combined with the main steam relief valves relieving pressure will be adequate for decay heat removal.

There are three levels of defense in depth related to Fire Protection.

1) Prevent fires from starting with administrative controls. Administrative controls are in place to control and track combustibles at BFN.

2) Identify and extinguish those fires that do start. At a minimum all fire areas have detection and the majority of areas have suppression systems. In addition, BFN has a full-time Fire Department that has an average response time of 10 minutes.

3) Ensure that a train of safe shutdown equipment is free of fire damage in the event of an Appendix R fire. The Appendix R Safe Shutdown Instructions have been walked down to verify their feasibility and reliability. Training is provided on a regular basis.

Once the fire is extinguished the possibility of fire induced overloading of the electrical boards ceases.

The SSIs are based on a minimum set of equipment to keep the reactor core covered and cooled; they do not list or credit all potentially available equipment. In both of the postulated fire events impacted by the discovered SSI issues, offsite power, other electrical boards, and other pumps other than the minimum specified in the SSIs may be available.

Additionally, the Condensate System [SD] may be available as an alternate water source to restore the reactor inventory which would provide additional time for recovery.

A risk evaluation was performed to determine the impact of failure to protect the EDG from potential overload conditions associated with a fire in fire zones 01-03 and 02-03. The fire frequency, which would result in an SSI entry, is approximately 1.6E-5/yr and 1.75E-5/yr, respectively. Since the calculation of the core damage frequency (CDF) is the multiplication of the ignition frequency by numbers less than one, the CDF cannot exceed the ignition frequency. Conservatively assuming that the core damage probability is 1.0 for simplification of this analysis, the delta-CDF would be no greater than 1.6E-5/yr and 1.75E-5/yr. Either taken separately or summed, these conditions do not result in a delta-CDF greater than 1 E-4/year. Therefore, this condition is not considered to be risk significant.

Therefore, TVA concludes that there was no significant reduction in the protection of the public by this deficiency.

VI. CORRECTIVE ACTIONS

A. Immediate Corrective Actions

Interim operator action requirements were issued to trip and/or trip and isolate the appropriate breakers during applicable SSI entry conditions. These interim actions have been replaced by permanent incorporation into the appropriate SSI steps.

B. Corrective Actions to Prevent Recurrence

re-start effort. The current Engineering Department at BFN is actively involved in the use of Human Performance Tools, such as self-checking and peer-checking and Technical Pre-Job Briefs. Technical Pre-Job Briefs are routinely performed for engineering tasks, and during these Pre-Job Briefs there is typically discussion of which Human Performance Tools should be used for the activity being performed. These Human Performance Tools are used on a daily basis and there are no adverse trends associated with calculation errors. The issue identified in this LER is a legacy issue. A review of the Corrective Action Program did not reveal any current trends related to calculation related human performance errors.

An additional review was made of the credited and non-credited 4kV loads and 480V loads associated with the calculation and no other deficiencies were found.

Therefore no additional corrective actions to prevent recurrence are necessary.

VII. ADDITIONAL INFORMATION

A. Failed Components

None

B. Previous Similar Events

There were no previous LERs on similar events identified.

C. Additional Information

Corrective action document for this report is Problem Evaluation Report PER 243955.

D. Safety System Functional Failure Consideration

This condition is not considered to be a safety system functional failure in accordance with NEI 99-02.

E. Scram With Complications Consideration

This event did not involve a scram.

VIII. COMMITMENTS

None