Two Trains of Auxiliary Feedwater Inoperable Due to Protection System Failure

ML092470085
Person / Time
Site:	Diablo Canyon
Issue date:	08/28/2009
From:	Becker J Pacific Gas & Electric Co
To:	Document Control Desk, Office of Nuclear Reactor Regulation
References
DCL-09-061, OL-DPR-80 LER 09-002-00
Download: ML092470085 (8)
v • d • e

text

Pacific Gas and Electric Company James R. Becker Site Vice President Diablo Canyon Power Plant Mail Code 104/5/601 P 0. Box 56 Avila Beach, CA 93424 805.545.3462 Internal: 691.3462 Fax: 805.545.6445 August 28, 2009 PG&E Letter DCL-09-061 U.S. Nuclear Regulatory Commission ATTN: Document Control Desk Washington, DC 20555-0001 Docket No. 50-275, OL-DPR-80 Diablo Canyon Unit 1 Licensee Event Report 1-2009-002-00 Two Trains of Auxiliary Feedwater Inoperable Due to Protection System Failure

Dear Commissioners and Staff:

In accordance with 10 CFR 50.73(a)(2)(vii) Pacific Gas and Electric Company is submitting the enclosed licensee event report regarding two trains of auxiliary feedwater inoperable due to an Eagle 21 protection system failure.

There are no new or revised regulatory commitments in this report.

This event did not adversely affect the health and safety of the public.

ddm/2246/50251823 Enclosure cc/enc:

Elmo E. Collins, NRC Region IV Michael S. Peck, NRC Senior Resident Inspector Alan B. Wang, NRR Project Manager INPO Diablo Distribution A member of the STARS (Strategic Teaming and Resource Sharing) Afliance Cattaway

• Comanche Peak

• Diabto Canyon

• PaLo Verde

• San Onofre

• South Texas Project

• WolfCreek

NRC FORM 366 U.S. NUCLEAR REGULATORY COMMISSION APPROVED BY OMB: NO, 3150-0104 EXPIRES: 08/31/2010 (9-2007)

, the NRC may not conduct or sponsor, and a person is not required to respond to, the digits/characters for each block) information collection.

13. PAGE Diablo Canyon Unit 1 05000275 1 OF 7

4. TITLE Two Trains of Auxiliary Feedwater Inoperable Due to Protection System Failure

5. EVENT DATE

6. LER NUMBER

7. REPORT DATE

8. OTHER FACILITIES INVOLVED MOT DY YRSEUENTIAL REV M

H D

Y FACILITY NAME DOCKET NUMBER MONTH DAY YEAR YEAR NUMBERN i

REV MONTH DAY YEAR I

FACILITY NAME DOCKET NUMBER 06 29 2009 2009

- 002 -

00 08 28 2009

9. OPERATING MODE

11. THIS REPORT IS SUBMITTED PURSUANT TO THE REQUIREMENTS OF 10 CFR§: (Check all that apply)

El 20.2201(b)

El 20.2203(a)(3)(i)

El 50.73(a)(2)(i)(C)

Z 50.73(a)(2)(vii)

El 20.2201(d)

El 20.2203(a)(3)(ii)

[] 50.73(a)(2)(ii)(A)

[E] 50.73(a)(2)(viii)(A)

El 20.2203(a)(1)

El 20.2203(a)(4)

El 50.73(a)(2)(ii)(B)

El 50.73(a)(2)(viii)(B)

E_ 20.2203(a)(2)(i)

El 50.36(c)(1)(i)(A)

El 50.73(a)(2)(iii)

[1 50.73(a)(2)(ix)(A)

10. POWER LEVEL

[] 20.2203(a)(2)(ii)

ED 50.36(c)(1)(ii)(A)

[I 50.73(a)(2)(iv)(A)

E] 50.73(a)(2)(x)

[I 20.2203(a)(2)(iii)

[I 50.36(c)(2)

El 50.73(a)(2)(v)(A)

[1 73.71(a)(4)

C3 20.2203(a)(2)(iv) 1l 50.46(a)(3)(ii) 1 50.73(a)(2)(v)(B)

El 73.71(a)(5) 100 [3 20.2203(a)(2)(v)

El] 50.73(a)(2)(i)(A)

El 50.73(a)(2)(v)(C)

[I OTHER E] 20.2203(a)(2)(vi)

Cl 50.73(a)(2)(i)(B)

C 50.73(a)(2)(v)(D)

Specify in Abstract below or in NRC Form 366A

12. LICENSEE CONTACT FOR THIS LER FACILITY NAME ITELEPHONE NUMBER (include Area Code)

Steven W. Hamilton - Senior Regulatory Services Engineer i

(805) 545-3449CAUSE SYSTEM COMPONENT MANU-REPORTABLE

CAUSE

SYSTEM COMPONENT MANU-REPORTABLE FACTURER TO EPIXO FACTUROER TO EPIX X

1A DCC W120 Yes A

14. SUPPLEMENTAL REPORT EXPECTED

15. EXPECTED MONTH DAY YEAR SUBMISSION E] YES (If yes, complete 15. EXPECTED SUBMISSION DATE)

El NO DATE ABSTRACT (Limit to 1400 spaces, i.e., approximately 15 single-spaced typewritten lines)

On June 29, 2009, at 06:47 PDT, with Unit 1 in Mode 1 (Power Operation) the Eagle 21 Protection Set II, Rack 8, alarmed in the control room due to a Loop Calculation Processor (LCP) card failure. Plant operators declared motor-driven auxiliary feedwater (AFW) Pumps 1-2 and 1-3 inoperable in accordance with TS 3.7.5 Limiting Condition for Operation (LCO).

Plant operators entered Operating Procedure (OP) Abnormal Procedure AP-5, "Malfunction of Eagle 21 Protection or Control Channel," and took manual control actions in the control room.

On June 29, 2009, at 07:14 PDT, Technical Specification (TS) 3.7.5, Condition C, was exited when the first level control valve (LCV) was placed in manual and a dedicated licensed plant operator was assigned to the AFW level controller. TS 3.7.5 LCO was exited when the second LCV was placed in manual at 07:17 PDT.

The cause of the TS 3.7.5 entry was determined to be the result of intended design response to an Eagle 21 LCP failure, i.e., to lockup the control output in a "fail-as-is" status to minimize a plant transient as a result of a single failure. On June 30, 2009, at 08:26 PDT, the failed Eagle 21 LCP card was replaced and the LCVs returned to automatic level control.

NRC FORM 366 (9-2007)

PRINTED ON RECYCLED PAPER

LICENSEE EVENT REPORT (LER) TEXT CONTINUATION FACILITY NAME (1)

DOCKET NUMBER (2)

LER NUMBER (6)

PAGE (3)

YEAR SEQUENTIAL NUMBER REVISION NUMBER DiabloCanyonUnitl 050 0

0 2

7 5 2009 0

0 2

0 1 0 2

oF 7

TEXT

1.

Plant Conditions

Unit'1 was in Mode 1 (Power Operation) at approximately 100 percent reactor power with normal operating reactor coolant temperature and pressure.

I1.

Description of Problem A.

Background

The Diablo Canyon Power Plants (DCPP) Units 1 and 2 are Pressurized Water Reactors (PWR) with four Reactor Coolant Loops (RCL)[AB] to circulate reactor coolant to each of the four steam generators (SG)[SG].

Each SG is a vertical U-tube design provided by the Nuclear Steam Supply System (NSSS) vendor, Westinghouse.

The auxiliary feedwater (AFW) system [BA] is a safety-related system that serves as a backup supply of feedwater to the secondary side of the SG.

It maintains the heat sink function of the SGs whenever the Main Feedwater (MFW) system is unavailable.

The AFW system is Design Class I and includes the feedwater process and the power supply portion of the system. The basis for the Class I designation is that the AFW system is considered an engineered safety feature system that is required for safe shutdown of the reactor. It is directly relied upon to prevent core damage and reactor coolant system (RCS) overpressurization in the event of transients, such as a Loss of Normal Feedwater (LONF) or a secondary system pipe rupture.

The AFW system consists of three feedwater supply trains with diverse drive-power sources. One train employs a full capacity, approximately 800 gpm steam turbine-driven pump, AFW Pump 1-1, aligned to all four SGs. The other two trains consist of half-capacity motor-driven AFW pumps, AFW Pump 1-2 and AFW Pump 1-3, each supplying approximately 400 gpm to two of the four SGs, with the capability to be manually aligned to any of the four generators.

The normal operation of the AFW system, which is during startup and shutdown, is to supply the SGs with a secondary heat sink while main feedwater is unavailable. This is done with two motor-driven AFW pumps providing the AFW flow with suction taken from the condensate storage tank (CST) [KA]. If the CST becomes unavailable for any reason, several additional sources of water can be aligned for AFW.

LICENSEE EVENT REPORT (LER) TEXT CONTINUATION FACILITY NAME (1)

DOCKET NUMBER (2)

LER NUMBER (6)

PAGE (3)

YEAR SEQUENTIAL NUMBER REVISION NUMBER DiabloCanyonUnitl 050 0102 7 15 2009 0 10 2

0 0

3 OF 7

TEXT The LONF analysis assumes that with the limiting single failure of one motor-driven AFW pump, the second motor-driven AFW pump provides the minimum required flow to two of four SGs.

The Feedwater Line Break (FLB) analysis assumes flow to two intact SGs.

No AFW injection is credited until the faulted SG is isolated at ten minutes.

Since the FLB is a limiting loss of secondary heat transfer event, the analysis assumes that only the faulted SG blows down to minimize primary heat removal.

The Main Steam Line Break (MSLB) event establishes the maximum AFW flow imbalance assumed with respect to maximizing the mass and energy release from the faulted SG.

Technical Specification (TS) 3.7.5, "Auxiliary Feedwater System," requires three AFW trains to be OPERABLE in Modes 1, 2, and 3. T.S.3.7.5 Condition B requires entry into a 72-hour Action Statement in Modes 1, 2 or 3, in which the one AFW train that is inoperable must be repaired.

TS.3.7.5 Condition C is entered when two AFW trains become inoperable in Modes 1, 2, or 3, at which time the action statement is entered to be in Mode 3 in six hours and Mode 4 in eighteen hours.

B.

Event Description

Prior to the event, auxiliary salt water (ASW) Pump 1-2 was declared inoperable and cleared for planned Maintenance.

On June 29, 2009, at 06:47 PDT, Protection Set 2, Rack 8, failed due to a Loop Calculation Processor (LCP) card failure. Plant operators declared both motor-driven AFW pumps inoperable based on Operating Procedure (OP) AP-5 guidance and training. They determined the operational risk assessment management (ORAM) risk indicator was red. A dedicated operator was stationed to control the affected level control valves (LCV-1 10 and LCV-1 13) in manual should the need arise, assuring their full flow capability, thus, allowing AFW pumps to be OPERABLE and exiting the red risk status.

On June 29, 2009, at 07:14 PDT, TS 3.7.5, Condition C, was exited when the first LCV was placed in manual and a dedicated licensed operator assigned to the controls.

On June 29, 2009, at 07:17 PDT, both motor-driven AFW Pumps 1-2 and 1-3 LCVs were taken to manual and plant operators exited TS 3.7.5.

LICENSEE EVENT REPORT (LER) TEXT CONTINUATION FACILITY NAME (1)

DOCKET NUMBER (2)

LER NUMBER (6)

PAGE (3)

YEAR SEQUENTIAL NUMBER REVISION NUMBER Diablo Canyon Unit1 0500 0

2 7 5 2009

- 10 0

2 0

4 OF 7

TEXT On June 29, 2009, at 12:00 PDT plant operators returned ASW 1-2 to service following completion of the planned maintenance outage window.

On June 30, 2009, at 08:26 PDT the Eagle 21 Protection Set II, Rack 8, was returned to service following completion of LCP replacement and satisfactory testing.

C.

Status of Inoperable Structures, Systems, or Components that Contributed to the Event The Eagle 21 Reactor Protection System (RPS)[JA] Protection Set II, Rack 8, LCP failure resulted in motor driven AFW Pumps 1-2 and 1-3 being declared inoperable.

D.

Other Systems or Secondary Functions Affected

No additional safety systems were adversely affected by this event.

E.

Method of Discovery

The condition was promptly known to the Utility Licensed Plant Operators at the controls due to alarms and indications received in the control room.

F.

Operator Actions

Utility licensed plant operators transitioned the motor-driven AFW Pumps 1-2 and 1-3 to manual level control mode in accordance with established plant procedures, returning the pumps to operable status.

G.

Safety System Responses Operation of the AFW circuit with Eagle-21 Rack Failed (Locked Up):

Eagle-21 is designed to be fail safe for all safety-related channels. If a rack were to lose power or otherwise fail, watchdog circuitry is provided that automatically sends a trip signal to the safety-related outputs to the Solid State Protection System (SSPS). However, the non-safety related outputs such as those used for indication and control are designed to fail "as-is" or freeze at the current value to prevent perturbating the plant.

LICENSEE EVENT REPORT (LER) TEXT CONTINUATION FACILITY NAME (1)

DOCKET NUMBER (2)

LER NUMBER (6)

PAGE (3)

YEAR SEQUENTIAL NUMBER REVISION NUMBER DiabloCanyonUnitl 050 0

0 2 7 5 2009 0

0 2

0 0

5 OF 7

TEXT A simplified sketch of the AFW control system is shown below:

1 Aux Feed Pp 2 Bkr Closed Power to LCV-111 During this event, the Eagle 21 Protection Set 11, Rack 8, experienced a "lockup" condition when the LCP failed. As designed, the safety-related outputs went to the "trip" condition and the non-safety outputs failed "as-is." This froze the outputs to the normal operating SG level at approximately 65 percent level. Based on the Scaling Calculations for the loop, this represents approximately 50 percent open on the valves. So if the hand controllers (HCs) on the control room Vertical Board were left in Auto during the time that Rack 8 was locked up and a SG Io-lo level trip occurred, the LCV-1 10 (SG Loop 1) valve would have been demanded to 50 percent open and the LCV-1 13 (Loop 4) would be demanded to 50 percent open when the motor driven AFW pumps were started. The other two valves (LCV-1 11 and LCV-1 15) would be at 100 percent open and then control on the actual active level control signal.

Ill.

Cause of the Problem A.

Immediate Cause The Eagle 21 LCP failure caused the SG level control output to lockup at the fail-as-is setpoint of approximately 65 percent in accordance with the design intent.

LICENSEE EVENT REPORT (LER) TEXT CONTINUATION FACILITY NAME (1)

DOCKET NUMBER (2)

LER NUMBER (6)

PAGE (3)

YEAR SEQUENTIAL NUMBER REVISION NUMBER DiabloCanyonUnit1 0 5 0 0 0 2 7 2009 1 -

0 0 12 0 10 6

OF 7

TEXT The inoperability of the motor-driven AFW valves LCV-1 10 and LCV-1 13 automatic level control function is a known condition resulting from the failed automatic level control input that requires licensed plant operator intervention in accordance with approved plant procedures.

B.

Cause

The Eagle 21 LCP failure is designed to result in the lockup of the AFW level control ouput signal, therefore, the system performed as designed and operator actions were taken in accordance with approved plant procedures. The cause of the Eagle 21 LCP single failure was entered into the plant problem resolution system for further investigation and resolution.

The motor-driven AFW LCVs are designed to have manual operator control override capability by manual intervention at the manual/auto controller provided to the licensed plant operators in the control room.

Therefore, the Eagle 21 and motor-driven AFW control systems responded in accordance with their design intent.

IV.

Assessment of Safety Consequences

There were no safety consequences as a result of this event.

Probabilistic risk assessment (PRA) analysis of conditional core damage probability of this event was found to be approximately 4E-8, based on the timeline provided and the assumed operability of motor-driven AFW pumps with the dedicated operator at the LCVS. The results are low due to the short time (30 minutes) used when both motor driven AFW pumps and one ASW pump were considered inoperable.

The Unit 1 reactor was maintained in Mode 1 at normal pressure and temperature during the event with TS-required equipment operable and the motor-driven AFW Pump 1-3 made available via manual licensed plant operator actions taken in accordance with the TS 3.7.5 Condition C and established plant procedures. Therefore, the consequences of any at-power accidents postulated in the Final Safety Analysis Report (FSAR) Update were precluded.

In the unlikely event of a postulated accident during the short time period of inoperability, the steam-turbine driven AFW Pump 1-1 was operable and capable

LICENSEE EVENT REPORT (LER) TEXT CONTINUATION FACILITY NAME (1)

DOCKET NUMBER (2)

LER NUMBER (6)

PAGE (3)

YEAR SEQUENTIAL NUMBER REVISION NUMBER DiabloCanyonUnitl 050 0

0 2

7 5 2009 0

0 2

0 0

7 OF 7

TEXT of providing adequate AFW flow to the four SGs via diverse flow pathways.

Therefore, the AFW system was capable of performing its safety function.

Therefore, the event is not considered risk significant and it did not adversely affect the health and safety of the public.

V.

Corrective Actions

A.

Immediate Corrective Actions

Plant operators entered TS 3.7.5 Condition C and maintained Unit 1 in Mode 1 at normal operating temperature and pressure. The failed Eagle 21 LCP card was replaced.

B.

Corrective Actions to Prevent Recurrence (CAPR)

None required as the systems involved performed as designed and licensed operator actions were taken in accordance with plant procedures.

VI.

Additional Information

A.

Failed Components Eagle 21 LCP provided by the NSSS Vendor, Westinghouse, board Part# 3D21654G01.

B.

Previous Similar Events

None.

C.

Industry Reports None.