05000247/LER-2013-002

From kanterella
Revision as of 11:12, 27 November 2017 by StriderTol (talk | contribs) (Created page by program invented by StriderTol)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search
LER-2013-002, Safety System Functional Failure of the Onsite Emergency Diesel Generators Due to Maintenance on the Emergency Fuel Oil Supply Line During Tagout of the Normal Line
Indian Point 2
Event date: 04-16-2013
Report date: 06-13-2013
Reporting criterion: 10 CFR 50.73(a)(2)(i)(B), Prohibited by Technical Specifications
10 CFR 50.73(a)(2)(vii), Common Cause Inoperability
10 CFR 50.73(a)(2)(v), Loss of Safety Function
10 CFR 50.73(a)(2)(ii)(B), Unanalyzed Condition
2472013002R00 - NRC Website
v  d  e

Note: The Energy Industry Identification System Codes are identified within the brackets 0.

DESCRIPTION OF EVENT

On April 16, 2013, while at 100% steady state reactor power, Operations personnel discovered that internal inspection work on the 23 Emergency Diesel Generator (EDG) {EK} Day Tank (TK) fuel oil (FO) fill stop valve DF-17-4 had been performed on April 15, 2013 without tag out protection by Maintenance. Valve DF-17-4 is in the emergency FO supply line and was intrusively inspected concurrently with the normal FO supply line header tagged out for approved work on valve DF-17-5. The condition could potentially allow EDG makup FO to escape out of the disassembled valve DF-17-4 bonnet and result in inadequate FO flow to EDG 21 and 22 FO day tanks. No injuries occurred but an auto start of EDG 21 or 22 while valve DF-17-4 was disassembled could have resulted in personnel injury or a fire hazard due to uncontrolled release of FO. The condition was recorded in the Indian Point Energy Center (IPEC) Corrective Action Program (CAP) as Condition Report CR-IP2-2013-01366.

The work package did not include any specific details on the valve sequence or that the work on valve DF-17-4 could not be performed at the same time as work on valve DF-17-5.

Information regarding the sequence of work and cautions not to work valve DF-17-4 and DF-17-5 concurrently were known by the WWM and Maintenance Coordinator. However, this information was not made available to the job supervisor or any of the work crew. The schedule showed both valves to be worked at the same time.

On April 14, 2013, at 22:05 hours, Technical Specification (TS) 3.8.1 (AC Sources- Operating) Condition B was entered for an inoperable 23 EDG due to scheduled maintenance and TS 3.8.3 (Diesel Fuel Oil and Starting Air) Condition A and G entered for Limiting Condition for Operation (LCO) not met due to protective tag out (PTO) of the 23 EDG FO transfer pump (P} and starting air compressor {CMP}.

On April 15, 2013, the CRS received a call from the first line supervisor (FLS) to unlock the PTO for valve DF-17-5. The CRS verified that the PTO for valve DF-17-5 was applied and that the PTO for valve DF-17-4 was not hanging according to the tagout instructions and the PTO was unlocked. After the CRS unlocked the PTO, the FLS signed onto the clearance electronically as the tag holder and the two assigned workers signed on electronically as WO holders. The WO holders did not use the Electronic Shift Operations Management System (ESOMS) kiosk barcode process when signing onto the tagout. The tagout holder did not use the procedure EN-OP-102-01 tagout checklists as required and did not ensure that the tagout walkdown was performed. On April 15, 2013, from 13:00 to 14:30 hours, workers completed the required asbestos abatement and OTI work on FO valves DF-17-4, DF-17-5, DF-3-2 and DF-10-2. On April 16, 2013, at 10:34 hours, the post work test (PWT) was satisfactorily performed on valve DF-17-4 following valve reassembly on April 15, 2013 and the FO storage system restored to operable.

Three Emergency Diesel Generators (EDGs) provide onsite emergency AC power to the 480 volt AC safeguards busses (ED). Fuel oil (FO) for the three EDGs is stored in three 7,700 gallon FO storage tanks (FOST) (one associated with each engine) and a common FO reserve tank(s). Each FO storage tank is equipped with a single vertical FO transfer pump that discharges to the day tanks supporting each EDG via either a normal or emergency header according to the manual valve arrangement selected. Each EDG is equipped with a 175 gallon day tank that feeds the FO pump on the engine. Each header independently supplies the day tank for each diesel. A decrease in level in any one of the three day tanks to the 65% level automatically starts its associated FO transfer pump.

Cause of Event

The root causes (RC) were as follows:

RC1: Maintenance personnel did not follow procedure EN-OP-102 (Protective and Caution Tagging) and related work package requirements. RC2: Inadequate implementation of maintenance from a work readiness standpoint.

Corrective Actions

The following corrective actions have been or will be performed under Entergy's Corrective Action Program to address the cause and prevent recurrence:

  • A standdown was performed with maintenance personnel to reinforce tagout standards and expectations.
  • The performance management process was implemented for the tagout holder and WO holders involved with the event.
  • Established and communicated the following interim measures during maintenance work activities involving PT0s; 1) Each maintenance craft worker will obtain a peer check to ensure they have signed onto the appropriate tagout prior to work in the field, 2) Supervisors will ensure that the tagout holder/WO holder checklists are used and validate that the craft along with themselves are signed onto each tagout prior to the craft going to the field, 3) The Maintenance Superintendent will validate that the FLSs are using required tagout checklists and the assigned craft are signed onto the appropriate tagout by checking at least one tagout for each FLS per day.
  • Each Maintenance Supervisor and above will conduct at least two pre-job briefings or field observations of tagout holders per quarter until the end of the year or later as determined by the Maintenance Manager.
  • A review of the protective tagging program will be presented to each maintenance shop that covers the following information: 1) Safety message about tagging, 2) Program performance, 3) Gaps in the tagging process, 4) WO and tagout holder expectations, and 5) IPEC tagging program vision.
  • Issue and communicate a Maintenance Department policy or WILL sheet that reinforces specific expectations for conducting quality walkdowns and readiness for online maintenance activities based on procedure EN-WM-101 (Online Work Management Process) requirements. The policy or equivalent document will consolidate standards and expectations for protective tagging excellence and cover requirements for using ESOMS kiosk as the primary method for signing onto tagouts.

Event Analysis

The event is reportable under 10CFR50.73(a)(2)(v)(A,B, C, D) as a safety system functional failure as the condition could have prevented the fulfillment of the safety function of systems needed (A) to shut down the reactor and maintain it in a safe shutdown condition (B) remove residual heat, (C) control the release of radioactive material, and (D) mitigate the consequences of an accident. The initial conditions of a design basis accident (DBA) and transient in the UFSAR assume Engineered Safety Features (ESF) are operable. The AC electrical power sources are designed to provide sufficient capacity, capability, redundancy and reliability to ensure the availability of necessary power to ESF systems so that design limits are not exceeded. Operability Specification (TS) 3.8.3 (AC Sources-Operating) requires three EDGs to be operable in Modes 1, 2, 3 and 4. The minimum volume of FO is to provide for operation of the EDGs at the maximum load profile for a period of at least 168 hours0.00194 days <br />0.0467 hours <br />2.777778e-4 weeks <br />6.3924e-5 months <br />. This requirement supports the availability of the EDGs required to shutdown the reactor and to maintain it in a safe condition for an anticipated operational occurrence or a postulated design basis accident (DBA) with an assumed loss of offsite power and a worst case single failure. The minimum volume of FO did not consider the loss of FO via an open FO supply line. EDG 23 was declared inoperable after tag out for scheduled maintenance.

The 21 and 22 EDG FO transfer pumps were aligned to the emergency fill line header to support the inspection of valve DF-17-5. When valve DF-17-4 was opened internally for inspection the emergency fill line was breached which rendered the 21 and 22 EDG FO transfer pumps inoperable and thereby the 21 and 22 EDGs were also inoperable due to the loss of the dedicated FO volume.

The condition is also reportable under 10CFR50.73(a)(2)(vii) (common cause inoperability of independent trains or channels) as the condition caused at least one independent train or channel to become inoperable in multiple systems or two independent trains or channels to become inoperable in a single system designed to (D) mitigate the consequences of an accident.

The condition was not reportable as a TS prohibited condition under 10CFR50.73(a)(2)(i)(B) as valve DF-17-4 was open less than TS 3.8.1, Condition E (two or more EDGs inoperable) allowed Completion Time of two hours. Operations determined that on April 15, 2013, from 13:00 hours to 14:30 hours, TS 3.8.3 LCO Condition A was not met due to the 23 EDG FO emergency supply valve DF-17-4 being disassembled coincident with the normal FO supply header being tagged out for approved work on DF-17-5.

The condition was not reportable as an unanalyzed condition that significantly affects plant safety under 10CFR50.73(a)(2)(ii)(B). Plant electrical power sources and systems have been evaluated as meeting the requirements of 10 CFR 50.63 (the Station Blackout Rule, i.e., loss of offsite power and unavailability of the onsite emergency AC power system). A SBO/Appendix R diesel generator and associated switchgear is installed in the Unit 1 Turbine Building and used to supply power for Appendix R fires and a SBO.

The SBO/Appendix R power system provides the necessary power to achieve and maintain cold shutdown conditions independent of the normal safeguards and instrumentation power supplies and to function as the alternate ac power supply operated from outside the Control Room.

Past Similar Events

A review was performed of the past three years of Licensee Event Reports (LERs) for events that involved a SSFF and/or common cause inoperability of an Engineered Safety Feature System. The review included any LERs reporting failure to follow PTO requirements. No LERS were identified.

Safety Significance

This event had no significant effect on the health and safety of the public. There were no actual safety consequences for the event because there were no accidents or transients during the time of the event.

The maintenance activity on the emergency FO header was less than TS 3.8.1 (AC Sources- Operating) Condition E (Two or more diesel generators inoperable) Allowed Completion Time of two hours. Operations determined the condition existed for approximately 1-1/2 hours. As the condition existed for 1-1/2 hours, it was within the TS allowed time (AOT) of 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br />. The basis of the AOT is the low probability of a Design Basis Accident (DBA) with an assumed loss of offsite power occurring during the AOT period.

During the time of the condition, required offsite power sources were available. The following mitigating conditions would have limited the significance of the event. The need for FO after start of the EDGs would not be immediate but after EDG operation caused FO consumption to drain the day tank to the low level limit for FO transfer pump start (approximately 65% of nominal full). The tank capacity is sufficient for 53 minutes of full load operation with the tank at 65% full. Valve DF-17-4 is a manual valve on a bypass line for LCV-1209B on the emergency fill line and could have been reassembled from its intrusive inspection condition. The dedicated FO volume for the 21 and 22 EDGs would not be available due to the condition.

Operators would be made aware of the condition via the following equipment. A FO storage tank level switch provides a low tank level alarm on the Control Room alarm panel and the Engine Auxiliaries Control Panel. The low level alarm alerts operators of a pending Technical Specification limit. Each day tank level is monitored on a local level indicator. A low day tank FO level will alarm on the EDG Alarm Panel. The diesel generator trouble alarms are also an input to the PICS computer. The local alarm response procedure for the diesels provides the operator actions for a local alarm.

For potential fire concerns, the EDG building has a fire detection system, a CO2 fire protection system and automatic water spray systems and fire walls to limit the impact of any fire.

The plant is designed to withstand a station blackout (SBO scenarios use an alternate AC power system). An independent SBO/Appendix R diesel generator is provided in the unlikely event of loss of offsite power and unavailability of the on-site emergency AC SBO/Appendix R diesel generator to Unit 3 alternate shutdown loads. A dedicated minimum quantity of fuel oil for the SBO/Appendix R Diesel to operate 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> is available at all times the SBO/Appendix R Diesel is credited as being functional.

Retrieved from "https://kanterella.com/w/index.php?title=05000247/LER-2013-002&oldid=200358"