On April 23, 2006, while performing reviews of fire abnormal operating procedures to assure compliance with the Fire Hazards Analysis Report (FHAR), a control logic error was identified in the circuit elementary drawing for the isolation valves (DH-V-6A and DH-V-6B) between the Borated Water Storage Tank (BWST) and the Reactor Building ( RB) sump. The valve control circuit was verified to be wired as per the elementary drawing. The design was to prevent a hot short, due to a fire, from opening the valve, but the design change was made on the closing circuit. The identified control logic error could allow DH-V-6A or DH-V-6B to spuriously open due to a fire. The FHAR credits these valves as being protected from spuriously opening due to a fire in AB FZ-5 (Auxiliary Building 281' general area). If this protection is not provided, then spurious opening could result in draining the BWST inventory to the RB sump. This hot short condition would result in the depletion of the BWST inventory and loss of the High Pressure Injection ( HPI) makeup capability, resulting in an unanalyzed condition that significantly degrades plant safety.
The Root Cause of the problem is identified as "accountability needs improvement" in that the reviewers did not validate the design requirements for DH-V-6A/B in the original 1985 Appendix R package. Upon discovery, an hourly fire-watch was established in the affected fire zone in the 281' elevation Auxiliary Building. The fire watch was continued until June 2, 2006, when the control circuitry was modified to prevent the RB sump isolation valves, DH-V-6A and DH-V-6B, from spuriously opening due to a hot short. No additional corrective action is needed, as the current Fundamentals Tool Kit procedure (HU-AA-1081) emphasizes personal accountability, which addresses the root cause of this issue. Also, current procedures for Design Input and Configuration Change Impact Screening (CC-AA-102), Configuration Change Control (CC-AA-103), and Technical Risk/Rigor Assessment (HU-AA-1212) provide guidance for both initial scope definition and changes in scope, including the required reviews. These process controls did not exist at the time this error was made, and would have prevented this event.
This condition was determined to be an unanalyzed condition that significantly degraded plant safety (10 CFR 50.73 (a)(2)(ii)(B)).
i.
DOCKET 121 LER NUMBER (6 PAGE (3) 0 0010 00 |
EVENT DESCRIPTION
Plant Conditions before the event:
Babcock & Wilcox — Pressurized Water Reactor — 2568 MWth Core Power Date/Time: April 23, 2006/approximately 1500 hours0.0174 days <br />0.417 hours <br />0.00248 weeks <br />5.7075e-4 months <br /> Power Level: 100% steady state power prior to and during the event Mode: Power Operations On April 23, 2006, while performing reviews of fire abnormal operating procedures to assure compliance with the Fire Hazards Analysis Report (FHAR), a control logic error was identified in the circuit elementary drawing for the isolation valves (DH-V-6A and DH-V-6B) *[BP/INV] between the Borated Water Storage Tank (BWST) and the Reactor Building (RB) sump. The valve control circuit was verified to be wired as per the elementary drawing.
The design was to prevent a hot short, due to a fire, from opening the valve, but the design change was made on the closing circuit. The identified control logic error could allow DH-V-6A or DH-V-6B to spuriously open due to a fire. The FHAR credits these valves as being protected from spuriously opening due to a fire in AB-FZ-5 (Auxiliary Building 281' general area). If this protection is not provided, then spurious opening could result in draining the BWST inventory to the RB sump. This hot short condition would result in the depletion of the BWST inventory and loss of the High Pressure Injection (HPI) makeup capability, resulting in an unanalyzed condition that significantly degrades plant safety.
The spurious opening of DH-V-6A or DH-V-6B is not prevented by design as described in the FHAR. The FHAR specifies that operator response to a spurious opening of DH-V-6A or —6B is to close the upstream isolation valve (DH-V-5A or —5B). Closing of DH-V-5A or -5B for a fire in AB-FZ-5 cannot be credited since DH-V-5A and DH-V 5B are located in this zone.
When the technical basis for the FHAR was completed in 1985, the need to protect DH-V-6A and DH-V-6B from spurious operation due to a hot short from a fire in AB-FZ-5 was identified. The safe fire shutdown analysis determined that such an event could not be tolerated. A hot short in the control circuit for DH-V-6A or DH-V-6B could cause the valve to open and thereby drain the BWST to the RB sump. Analysis was performed to demonstrate that closure of DH-V-5A or DH-V-5B (BWST to LPI suction isolation valve) within 45 minutes would preserve sufficient BWST inventory to achieve cold shutdown. This strategy is not reliable for a fire in AB-FZ-5 because the fire could prevent remote or local operation of DH-V-5A or DH-V-5B. In 1986, the remote shutdown modifications were installed. DH-V-6A and DH-V-6B control circuits were modified. The limit switch wiring at the Motor Control Center (MCC) was moved to the grounded side of the CLOSING relay coil. This change effectively prevented hot short spurious valve CLOSURE for a fire in AB-FZ-5. The OPENING circuit was not modified.
As a result of this design flaw, the following sequence of events could occur if licensing basis failure assumptions are considered. A fire in AB-FZ-5 could cause spurious opening of DH-V-6A or DH-V-6B and the operators would be unable to close the associated DH-V-5A (B) before the BWST was completely drained to the RB sump. The fire could also cause loss of Reactor Coolant Pump (RCP) thermal barrier cooling and loss of RCP seal injection.
As a result, the RCP seals would heat up to Reactor Coolant System (RCS) temperature and the seal leakage rate would increase to — 21 GPM / pump. The fire could also cause loss of both trains of the Decay Heat Removal System. This would prevent use of the Decay Heat (DH) pumps to provide suction to HPI (i.e.
piggyback). The overall effect of these failures would be a loss of all RCS makeup capability. This could eventually cause a loss of core cooling (via Once Through Steam Generator (OTSG) cooling) when RCS inventory was insufficient to support natural circulation. Other methods (beyond the BWST or RB sump via piggyback) to provide inventory for HPI are possible but have not been analyzed for the effects of fire, and, therefore, are not reliable without further analysis.
The Root Cause of the problem is identified as "accountability needs improvement" in that the reviewers did not validate the design requirements for DH-V-6A/B in the original 1985 Appendix R package. The fire hazards analysis team originally specified a generic fix to deal with the spurious operation of several valves, not yet including DH-V-6A/B. The solution to modify the closing control circuit, was correct for all these valves, since they needed protection from spurious closure. However, when DH-V-6A and DH-V-6B were added to the scope, the detailed design requirement was different than those other valves. DH-V-6A and DH-V-6B design requirement was to prevent spurious opening, and was not verified by the design team. The design engineer apparently assumed that the fix, prevention of spurious closure, was appropriate for DH-V-6A and DH-V-6B and apparently did not perform a self-check. Also, the fire hazards analysis team apparently did not review the Design Input Record.
ANALYSIS / SAFETY SIGNIFICANCE
The design flaw in DH-V-6A and DH-V-6B control circuit wiring has the potential to prevent achieving safe shutdown in the event of a fire in AB-FZ-5. The risk of such an event before the valve design is modified is very low.
All of the following events (each of which is unlikely) would have to occur concurrently to prevent achieving safe shutdown.
1. A serious fire occurs in AB-FZ-5. (Note that the probability of this event in this interim period has been reduced by the performance of a fire watch in this area until the valve modifications have been performed.) 2. The fire causes the following equipment failures:
- Loss of ICCW flow to RCP thermal barrier coolers
- Loss of RCP seal injection
- Spurious opening of DH-V-6A or DH-V-6B
- Failure of remote operation of DH-V-5A or DH-V-5B 3.The fire blocks access to locally operate DH-V-5A or DH-V-5B for 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br />.
A quantitative risk assessment was performed to determine the increase in Core Damage Frequency (CDF) due to the condition of DH-V-6A & DH-V-6B.
Fire scenarios of concern in this area are all self initiated cable fires since the fixed ignition sources in this area are located well away from cable targets. The probability that a fire would occur in AB-FZ-5 and cause a spurious opening of DH-V-6A and disable remote operation of DH-V-5A (or a similar pair of events with DH-V-6B and DH- V-5B) was determined to 3.49E-06.
The probability of core damage was conservatively estimated at 3.49E-07. This is a bounding estimate of the probability of the additional failures that would have to occur to lead to core damage.
This bounding estimate of the probability for core damage is well below the threshold of a significant effect on overall CDF.
2. DH-V-6A and DH-V-6B were modified to correct the design error. The modification was completed and placed in service on June 2, 2006. The roving fire watch was terminated at this time.
Long Term Corrective Actions:
No additional corrective action is needed, as the current Fundamentals Tool Kit procedure (HU-AA-1081) emphasizes personal accountability, which addresses the root cause of this issue. Also, current procedures for Design Input and Configuration Change Impact Screening (CC-AA-102), Configuration Change Control (CC-AA 103), and Technical Risk/Rigor Assessment (HU-AA-1212) provide guidance for both initial scope definition and changes in scope, including the required reviews. These process controls did not exist at the time this error was made, and would have prevented this event.
PREVIOUS OCCURENCES
TMI-1 LER 2005-002 reported the discovery of a condition whereby a fire in Control Building Fire Area 1 (CB-FA 1) could cause loss of indication and control needed to maintain the plant in a safe shutdown condition. The DC Cable to Inverters 1B and 1D are not protected from damage due to fire. The AC source to the Inverters could be lost by trip of 1B Engineered Safeguards (ES) Motor Control Center (MCC) due to Multiple High Impedance Faults (MHIF) on unprotected cables fed from 1B ES MCC. TMI-1 made the decision not to protect the DC cables to Inverters B and D in 1988 and chose to use procedures to address the event. Unlike this condition, this was not the result of a modification process error, but was an inadequate analysis of the consequences of the MHIF event for a fire in CB-FA-1.
- * Energy Industry Identification System (EIIS), System Identification (SI) and Component Function Identification (CFI) Codes are included in brackets, [SI/CFI] where applicable, as required by 10 CFR 50.73 (b)(2)(ii)(F).
|
|---|
|
|
| | | Reporting criterion |
|---|
| 05000305/LER-2006-010 | | | | 05000456/LER-2006-001 | Unit 1 Reactor Coolant System Pressure Boundary Leakage Due To Inter-Granular Stress Corrosion Cracking of a Pressurizer Heater Sleeve | 10 CFR 50.73(a)(2)(i)(B), Prohibited by Technical Specifications
10 CFR 50.73(a)(2)(ii)(A), Seriously Degraded | | 05000454/LER-2006-001 | Technical Specification Required Action Completion Time Exceeded for Inoperable Containment Isolation Valves Due to Untimely Operability Determination | | | 05000423/LER-2006-001 | Loss Of Safety Function Of The Control Room Emergency Ventilation System | 10 CFR 50.73(a)(2)(v)(D), Loss of Safety Function - Mitigate the Consequences of an Accident | | 05000369/LER-2006-001 | Ice Condenser and Floor Cooling System Containment Isolation Valve inoperable longer than allowed by Technical Specification 3.6.3. | | | 05000353/LER-2006-001 | HPCI Ramp Generator Signal Converter Failure | 10 CFR 50.73(a)(2)(v)(D), Loss of Safety Function - Mitigate the Consequences of an Accident
10 CFR 50.73(a)(2)(v), Loss of Safety Function | | 05000352/LER-2006-001 | Loss Of One Offsite Circuit Due To Invalid Actuation Of Fire Suppression System | 10 CFR 50.73(a)(2)(iv)(A), System Actuation | | 05000336/LER-2006-001 | | 10 CFR 50.73(a)(2)(v)(A), Loss of Safety Function - Shutdown the Reactor | | 05000316/LER-2006-001 | Failure to Comply with Technical Specification 3.6.2, Containment Air Locks | 10 CFR 50.73(a)(2)(i)(B), Prohibited by Technical Specifications | | 05000315/LER-2006-001 | Plant Shutdown Required by Technical Specification Action 3.6.5.B.1 | | | 05000293/LER-2006-001 | | 10 CFR 50.73(a)(2)(iv), System Actuation | | 05000289/LER-2006-001 | | | | 05000287/LER-2006-001 | Actuation of Emergency Generator due to Spurious Transformer Lockout | 10 CFR 50.73(a)(2)(iv)(A), System Actuation | | 05000251/LER-2006-001 | Turkey Point Unit 4 05000251 1 OF 6 | 10 CFR 50.73(a)(2)(i)(B), Prohibited by Technical Specifications | | 05000247/LER-2006-001 | Manual Reactor Trip Due to Multiple Dropped Control Rods Caused by Loss of Control Rod Power Due to Personnel Error | 10 CFR 50.73(a)(2)(iv)(A), System Actuation | | 05000440/LER-2006-001 | Incorrect Wiring in the Remote Shutdown Panel Results in a Fire Protection Program Violation | | | 05000413/LER-2006-001 | | 10 CFR 50.73(a)(2)(iv)(A), System Actuation | | 05000368/LER-2006-001 | Completion of a Plant Shutdown Required by Technical Specifications Due to Loss of Motive Power to Certain Containment Isolation Valves as a Result of a Phase to Ground Short Circuit in a Motor Control Cubicle | 10 CFR 50.73(a)(2)(i)(A), Completion of TS Shutdown | | 05000306/LER-2006-001 | | 10 CFR 50.73(a)(2)(v), Loss of Safety Function
10 CFR 50.73(a)(2)(i)(A), Completion of TS Shutdown | | 05000298/LER-2006-001 | Cooper Nuclear Station 05000298 1 of 4 | 10 CFR 50.73(a)(2)(iv)(A), System Actuation | | 05000286/LER-2006-001 | I | 10 CFR 50.73(a)(2)(iv)(A), System Actuation | | 05000282/LER-2006-001 | | 10 CFR 50.73(a)(2)(iv)(A), System Actuation
10 CFR 50.73(a)(2)(v), Loss of Safety Function | | 05000266/LER-2006-001 | | 10 CFR 50.73(a)(2)(v), Loss of Safety Function | | 05000261/LER-2006-001 | Manual Reactor Trip Due to Failure of a Turbine Governor Valve Electro-Hydraulic Control Card | 10 CFR 50.73(a)(2)(iv)(A), System Actuation | | 05000255/LER-2006-001 | | 10 CFR 50.73(a)(2)(ii)(B), Unanalyzed Condition | | 05000461/LER-2006-002 | Turbine Bypass Function Lost Due to Circuit Card Maintenance Frequency | | | 05000458/LER-2006-002 | Loss of Safety Function of High Pressure Core Spray Due to Manual Deactivation | | | 05000456/LER-2006-002 | Units 1 and 2 Entry into Limiting Condition for Operation 3.0.3 due to Main Control Room Ventilation Envelope Low Pressure | | | 05000443/LER-2006-002 | Noncompliance with the Requirements of Technical Specification 6.8.1.2.a | | | 05000387/LER-2006-002 | DMissed Technical Specification surveillance requirement | 10 CFR 50.73(a)(2)(i)(B), Prohibited by Technical Specifications | | 05000362/LER-2006-002 | Unit 3 Shutdown to Inspect Safety Injection Tank Spiral Wound Gaskets | | | 05000336/LER-2006-002 | Manual Reactor Trip Due To Trip Of Both Feed Pumps Following A Loss Of Instrument Air | 10 CFR 50.73(a)(2)(iv)(A), System Actuation | | 05000316/LER-2006-002 | | 10 CFR 50.73(a)(2)(vii), Common Cause Inoperability
10 CFR 50.73(a)(2)(i)(B), Prohibited by Technical Specifications | | 05000315/LER-2006-002 | Failure to Comply with Technical Specification Requirement 3.6.13, Divider Barrier Integrity | 10 CFR 50.73(a)(2)(i)(B), Prohibited by Technical Specifications | | 05000293/LER-2006-002 | | | | 05000289/LER-2006-002 | | | | 05000251/LER-2006-002 | Intermediate Range High Flux Trip Setpoint Exceeded Technical Specification Allowable Value | 10 CFR 50.73(a)(2)(i)(B), Prohibited by Technical Specifications | | 05000440/LER-2006-002 | Scaffold Built in the Containment Pool Swell Region | 10 CFR 50.73(a)(2)(ii)(B), Unanalyzed Condition | | 05000413/LER-2006-002 | Safe Shutdown Potentially Challenged by an External Flooding Event and Inadequate Design and Configuration Control | 10 CFR 50.73(a)(2)(i)(B), Prohibited by Technical Specifications | | 05000388/LER-2006-002 | Missed Technical Specification LCO 3.8.1 Entry for Unit 2 During Unit 1 ESS Bus Testing | 10 CFR 50.73(a)(2)(i)(B), Prohibited by Technical Specifications | | 05000348/LER-2006-002 | Main Steam Isolation Valve Failure to Close | 10 CFR 50.73(a)(2)(i)(B), Prohibited by Technical Specifications | | 05000305/LER-2006-002 | | 10 CFR 50.73(a)(2)(v)(C), Loss of Safety Function - Release of Radioactive Material
10 CFR 50.73(a)(2)(i)(B), Prohibited by Technical Specifications | | 05000301/LER-2006-002 | | 10 CFR 50.73(a)(2)(i)(B), Prohibited by Technical Specifications | | 05000286/LER-2006-002 | 450 Broadway, GSB
P.O. Box 249
Buchanan, N.Y. 10511-0249Entergy Tel (914) 734-6700
Fred Dacimo
Site Vice President
Administration
September 13, 2006
Indian Point Unit No. 3
Docket No. 50-286
N L-06-084
Document Control Desk
U.S. Nuclear Regulatory Commission
Mail Stop O-P1-17
Washington, DC 20555-0001
Subject:L Licensee Event Report # 2006-002-00, "Manual Reactor Trip as a Result
of Arcing Under the Main Generator Between Scaffolding and Phase A&B
of the Isophase Bus Housing"
Dear Sir:
The attached Licensee Event Report (LER) 2006-002-00 is the follow-up written report
submitted in accordance with 10 CFR 50.73. This event is of the type defined in 10
CFR 50.73(a)(2)(iv)(A) for an event recorded in the Entergy corrective action process as
Condition Report CR-IP3-2006-02255.
There are no commitments contained in this letter. Should you or your staff have any
questions regarding this matter, please contact Mr. Patric W. Conroy, Manager,
Licensing, Indian Point Energy Center at (914) 734-6668.
Fred R. Dacimo
Site Vice President
Indian Point Energy Center
Docket No. 50-286
NL-06-084
Page 2 of 2
Attachment: LER-2006-002-00
CC:
Mr. Samuel J. Collins
Regional Administrator — Region I
U.S. Nuclear Regulatory Commission
U.S. Nuclear Regulatory Commission
Resident Inspector's Office
Resident Inspector Indian Point Unit 3
Mr. Paul Eddy
State of New York Public Service Commission
INPO Record Center
NRC FORM 366 U.S. NUCLEAR REGULATORY COMMISSION APPROVED BY OMB NO. 3150-0104 EXPIRES: 06/30/2007
(6-2004)
. Estimated burden per response to comply with this mandatory collection
request: 50 hours.DReported lessons learned are incorporated into the
licensing process and fed back to industry. Send comments regarding burden
estimate to the Records and FOIA/Privacy Service Branch (T-5 F52), U.S.
Nuclear Regulatory Commission, Washington, DC 20555-0001, or by internetLICENSEE EVENT REPORT (LER) e-mail to infocollects@nrc.gov, and to the Desk Officer, Office of Information
and Regulatory Affairs, NEOB-10202, (3150-0104), Office of Management and
Budget, Washington, DC 20503. If a means used to impose an information
collection does not display a currently valid OMB control number, the NRC
may not conduct or sponsor, and a person is not required to respond to, the
information collection.
■
1. FACILITY NAME 2. DOCKET NUMBER I 3. PAGE
INDIAN POINT 3 05000-286 1 OF 6
4.TITLE: Manual Reactor Trip as a Result of Arcing Under the Main Generator Between
Scaffolding and Phase A&B of the Iso-phase Bus Housing | 10 CFR 50.73(a)(2)(iv)(A), System Actuation | | 05000282/LER-2006-002 | | 10 CFR 50.73(a)(2)(v), Loss of Safety Function
10 CFR 50.73(a)(2)(i)(B), Prohibited by Technical Specifications | | 05000269/LER-2006-002 | High Energy Line Breaks Outside Licensing Basis May Result in Loss of Safety Function | | | 05000263/LER-2006-002 | | | | 05000255/LER-2006-002 | | 10 CFR 50.73(a)(2)(i)(B), Prohibited by Technical Specifications | | 05000254/LER-2006-002 | Quad Cities Nuclear Power Station Unit 1 05000254 1 of 3 | 10 CFR 50.73(a)(2)(iv)(A), System Actuation | | 05000483/LER-2006-003 | Unexpected Inoperability of the Emergency Exhaust System due to Inoperable Pressure Boundary | 10 CFR 50.73(a)(2)(v)(C), Loss of Safety Function - Release of Radioactive Material
10 CFR 50.73(a)(2)(vii), Common Cause Inoperability
10 CFR 50.73(a)(2)(i)(B), Prohibited by Technical Specifications |
|