05000346/LER-2010-001

LER-2010-001, Steam and Feedwater Rupture Control System Re-Energizes in a Blocked Condition On Loss of Offsite Power
Event date: 03-02-2010
Report date: 05-10-2010
Reporting criterion: 10 CFR 50.73(a)(2)(i)(B), Prohibited by Technical Specifications

10 CFR 50.73(a)(2)(v), Loss of Safety Function

10 CFR 50.73(a)(2)(ii)(B), Unanalyzed Condition
3462010001R00 - NRC Website

Energy Industry Identification System (EIIS) codes are identified in the text as [XX].

DESCRIPTION OF EVENT:

Initial Plant Conditions:

On March 2, 2010, the Davis-Besse Nuclear Power Station (DBNPS) was shut down for a refueling outage in Mode 5.

Steam and Feedwater Rupture Control System Description:

The Steam and Feedwater Rupture Control System (SFRCS) [JB] is a nuclear power plant protection system required to actuate Auxiliary Feedwater (AFW) [BA] to feed the Steam Generator (SG) [AB-HX] to remove reactor decay heat during periods when normal heat removal has been lost. The SFRCS isolates the affected SG and automatically starts AFW in the event of a main steam [SB] line or main feedwater [SJ] line break. Also, SFRCS automatically starts AFW on low SG level or the loss of power to all four Reactor Coolant Pump Motors [AB-MO]. Lastly, SFRCS prevents SG overfill and subsequent spillover into the main steam lines. The SFRCS also provides a trip signal to the Anticipatory Reactor Trip System (ARTS).

The SFRCS consists of two independent redundant protection channels (Actuation Channels 1 and 2).

Each protection channel consists of two electrically independent complementary logic channels (Logic Channel 1 through 4). Actuation Channel 1 is comprised of Logic Channels 1 and 3, and Actuation Channel 2 is comprised of Logic Channels 2 and 4. The essential instrumentation power distribution system [EF] supplies four separate sources of 120 VAC to the SFRCS logic channels, two of which are from battery backed inverters [EF-INVT] (Logic Channels 1 and 2), the other two are emergency diesel generator [EK-DG] backed (Logic Channels 3 and 4). In the case of Loss of Off-site Power (LOOP), Logic Channels 1 and 2 will be transferred without interruption to the battery backed inverters, while Logic Channels 3 and 4 will be without power for approximately ten (10) seconds until the emergency diesel generators are providing power. Until the emergency diesel generators provide power, the SFRCS logic channels 3 and 4 will be de-energized (tripped). There is a Power On Reset circuit which is intended to restore the SFRCS to a known (Unblocked) state when it is re-energized. After the return of power, the SFRCS is expected to automatically reset to its normal mode of operation.

The trip output of each complementary logic channel is combined in each channel in a two-out-of-two logic, such that the SFRCS will initiate an Actuation Channel trip if both of the complementary logic channels trip. The SFRCS functions as a "de-energize to trip system," by de-energizing the SFRCS output relays in each of the logic channels upon a trip command. Similarly, the removal of power, or loss of power, or test of one complementary logic channel de-energizes the associated relays, without causing an SFRCS initiation (since two-out-of-two logic is not met). The SFRCS provides a manual shutdown block feature to allow blocking the SG High Level and Low Pressure Trips during normal plant startups or shutdowns.

Event Description:

On March 2, 2010 ("event date"), with the plant in Mode 5, following the performance of the integrated Safety Features Actuation System (SFAS) test, SFRCS Logic Channel 4 unexpectedly re-energized in a low steam line pressure blocked condition.

On March 5, 2010, while performing troubleshooting, it was determined that when power was interrupted to the SFRCS cabinet by opening the input breaker, the 28 VDC cabinet power supply voltage began to decay. However, it took approximately 4 seconds before the power supply was at half its normal voltage and additional time to decay to 0 volts. The long decay time was most likely due to the 3 internal capacitors in the power supply. The SFRCS circuit boards use 15 VDC, which is supplied by the 28 VDC supply. When power was interrupted to the cabinet, the 15 VDC voltage remained steady for approximately 3 seconds before it began to decrease. The 15 VDC logic voltage took approximately 7 seconds to decay to half its normal value. Since power is still being supplied to the logic circuits, the system would not recognize a short duration loss of power and would not initiate a Power On Reset.

On March 10, 2010 ("discovery date"), during further investigation of these conditions, it was discovered that the SFRCS could re-energize in a blocked condition following a main steam line break and a LOOP scenario. A design deficiency was discovered, in that if an SFRCS actuation were to occur due to a main steam line break followed by a LOOP, there was the potential that upon restoration of power, Logic Channels 3 and 4 could have re-energized with the low steam line pressure block initiated on the affected SG. This condition could have allowed feedwater to be supplied to the affected/faulted SG due to the SFRCS module re-energizing in the blocked state with the response of the SFRCS to the loss of all Reactor Coolant Pumps, as a result of the LOOP.

The SFRCS design requires that it perform in the event of a LOOP. The SFRCS Logic Channels 1 and 2 are not affected because they are battery backed and not expected to lose power and then re-energize during a LOOP.

This condition has existed in the SFRCS since 1988 when the current SFRCS system was installed. The original design requirements for SFRCS included auctioneered (shared) power supplies which would have prevented logic channels 3 and 4 from losing power during a LOOP.

TECHNICAL SPECIFICATION(s):

Technical Specification (TS) 3.3.13, "Steam and Feedwater Rupture Control System (SFRCS) Actuation," requires the Channels 1 and 2 of each Logic Function (AFW initiation, AFW and Main Steam Valve Control, Main Steam Line Isolation, and Main Feedwater Isolation) to be operable in Modes 1, 2, and 3.

CAUSE OF EVENT:

Following the DBNPS June 9, 1985, Loss of Feedwater Event (Reference LER 85-013), the SFRCS was re-designed, which included a complete replacement of the SFRCS cabinets in 1998. The condition identified above was introduced as part of the design and implemented with the replacement of the SFRCS cabinets during that 1988 time period.

The root cause of the event is less than adequate time allowed for development of the modification that re-designed the SFRCS, in that the schedule for implementing the modification was accelerated. The original design specification issued for the SFRCS included a requirement for auctioneered power supplies.

It was determined by Management personnel to accelerate the outage schedule in order to return the Unit to service. As a result of the accelerated schedule, the original design of the SFRCS system was not installed. Specifically, the requirement for auctioneered power supplies was removed without adequately addressing the impact on the system after it was determined that including power supply auctioneering would not support the schedule for restart of the plant.

This design became inadequate when the original design was changed from battery-backed auctioneered power supplies for the four individual logic channels to powering logic channels 3 and 4 from interruptible power sources backed by EDGs. Auctioneered power supplies were viewed as an enhancement, not a requirement. Since auctioneered power supplies were not a licensing requirement, they could be removed when auctioneered power supplies would not support the implementation schedule.

ANALYSIS OF EVENT:

If an SFRCS actuation were to occur due to a main steam line break followed by a LOOP, the potential exists where upon the restoration of power, Logic Channels 3 or 4 could re-energize in a blocked configuration. The design basis event affected is a rupture on an SG with the respective Logic Channel re-energizing in the blocked configuration. If this occurred, the respective AFW pump would continue to feed the faulted SG.

During a main steam line break, the SFRCS system will initiate a reactor trip signal, isolate the affected SG, and initiate AFW, aligning the associated motor-operated valves so that both AFW pumps are aligned to feed the non-faulted SG. The analysis of this condition assumes the reactor trip leads to a consequential LOOP, which de-energizes SFRCS Logic Channels 3 and 4. Due to the identified design deficiency within the SFRCS power supply logic, when power is restored to these channels by the EDGs, these logic channels could re-energize with the Shutdown Bypass (Block) initiated. This block prevents SFRCS from acting on the low steam pressure or high SG level signal. In the absence of a low steam pressure signal (blocked), and with the loss of all four (4) reactor coolant pumps (due to the LOOP), SFRCS will now realign the motor-operated valves so that each AFW pump will supply its respective SG. Thus, one (1) AFW pump will be supplying the faulted SG and the other AFW pump will be supplying the non-faulted SG.

The identified condition results in continuing to feed the faulted SG and represents a diversion of flow that was going to the non-faulted SG (i.e., only one (1) AFW pump is supplying the non-faulted SG rather than both AFW pumps). Thus, AFW cooling (secondary side cooling via the motor-driven feedwater pump or start-up feedwater pump) would still be available.
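The sequence analyzed above, as an added simplified model (not plant logic and not code from the licensee or the NRC). Assumptions: Actuation Channel N drives AFW pump N, whose own SG is SG N; the block latch comes up asserted whenever no Power On Reset forces it (adverse case); all class and function names are hypothetical.

```python
from dataclasses import dataclass

@dataclass
class LogicChannel:
    por_on_any_power_loss: bool      # False: as-found behaviour; True: after the ECP
    blocked: bool = False            # low steam line pressure block latch

    def power_interruption(self, rail_collapsed, latch_wakes_blocked=True):
        """Input power is lost and restored. rail_collapsed says whether the
        logic supply fell far enough for the circuit to register the loss."""
        if self.por_on_any_power_loss or rail_collapsed:
            self.blocked = False                 # Power On Reset -> Unblocked
        else:
            self.blocked = latch_wakes_blocked   # no reset: latch state not forced

def afw_alignment(actuation, faulted_sg, all_rcps_lost):
    """Return {pump: SG fed}, with low steam pressure present on faulted_sg.
    actuation maps each pump to its two complementary logic channels."""
    non_faulted = 2 if faulted_sg == 1 else 1
    result = {}
    for pump, channels in actuation.items():
        # Two-out-of-two: both complementary channels must trip on low
        # pressure, and a blocked channel does not trip.
        lp_trip = all(not ch.blocked for ch in channels)
        if lp_trip:
            result[pump] = non_faulted           # faulted SG stays isolated
        elif all_rcps_lost:
            result[pump] = pump                  # each pump feeds its own SG
        else:
            result[pump] = None                  # no AFW demand from this channel
    return result

def break_then_loop(por_on_any_power_loss, faulted_sg=1):
    """Main steam line break, then a LOOP. Returns (before, after) alignment."""
    ch = {n: LogicChannel(por_on_any_power_loss) for n in (1, 2, 3, 4)}
    actuation = {1: (ch[1], ch[3]), 2: (ch[2], ch[4])}
    before = afw_alignment(actuation, faulted_sg, all_rcps_lost=False)
    # Channels 1 and 2 ride through on inverters; 3 and 4 lose input power,
    # but the supply holdup keeps the logic rail from collapsing.
    for n in (3, 4):
        ch[n].power_interruption(rail_collapsed=False)
    after = afw_alignment(actuation, faulted_sg, all_rcps_lost=True)
    return before, after

if __name__ == "__main__":
    print("as found:", break_then_loop(False))
    print("with ECP:", break_then_loop(True))
```

In the as-found case the pump paired with the faulted SG ends up feeding it after power returns; with a reset on every power loss, both pumps stay aligned to the non-faulted SG.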

This design deficiency is of very low safety significance. The resultant Delta Core Damage Frequency (CDF) determination of less than 1.0E-09/year is much less than the Regulatory Guide 1.174 threshold value of 1.0E-06 events/year. Since the Delta CDF is less than 1.0E-07/year, even for the bounding sensitivity study, this deficiency is not significant from a Large Early Release Frequency (LERF) perspective and no further LERF evaluation is necessary, per NRC Inspection Manual 0609, Appendix A.

REPORTABILITY DISCUSSION:

With the condition described above present, the SFRCS does not meet the single failure criterion. Therefore, in accordance with the guidance of Section 3.2.4 of NUREG-1022, "Event Reporting Guidelines, 10 CFR 50.72 and 50.73," this event is reportable as an unanalyzed condition that significantly degraded plant safety in accordance with 10 CFR 50.73(a)(2)(ii)(B). The condition also represents an operation or condition prohibited by the Technical Specifications and is reportable in accordance with 10 CFR 50.73(a)(2)(i)(B).

This condition has been reviewed and determined to not be reportable in accordance with 10 CFR 50.73(a)(2)(v) as an event or condition that could have prevented fulfillment of a safety function. The safety function of the SFRCS, stated above, is to actuate AFW to feed the SG to remove reactor decay heat during periods when normal feedwater supply has been lost and/or the loss of power to the four RCP motors. Because the AFW/SG System is designed to meet the single failure criteria, the second train will supply sufficient residual heat removal (using the guidance in NUREG-1022, it is not necessary to assume an additional random single failure in that system).

CORRECTIVE ACTIONS:

An Engineering Change Package (ECP) was developed to change the SFRCS logic to ensure a Power On Reset occurs anytime power is lost. The required changes will be implemented under the work management process work orders and will be tracked to completion in the DBNPS Corrective Action Program. The work orders will be completed during the current refueling outage (16RFO) to change the SFRCS logic to ensure a Power On Reset occurs anytime power is lost.

PREVIOUS SIMILAR EVENTS

DBNPS LER 2003-014 describes a condition that if an SFRCS actuation were to occur due to a steam line break followed by a LOOP, there is the potential that upon the restoration of power, Logic Channels 3 and 4 could re-energize with the low steam line pressure block initiated. This condition could cause an inappropriate SFRCS actuation. This condition was the result of the 1988 modification to the SFRCS system. A modification was implemented during 13RFO (2003) to correct the identified condition.

The 2003 condition, as reported in LER 2003-014, was different than the event currently identified. The specific condition that was observed in 2003 was that sometimes the logic would re-energize in a blocked condition and sometimes it would not. The flaw identified affected SFRCS Channels 1, 2, 3 and 4; in the current condition, identified in 2010, only Channels 3 and 4 are affected. There is nothing in the design of SFRCS to indicate that the SFRCS cabinets would react differently to a short duration loss of power versus a long duration loss of power. There is no previous history of this occurring. No industry experience of similar events was identified. The expectation is that both power supplies in the cabinet would de-energize at the same time. Having one power supply essentially remain on after power is lost is not typical, nor would it be an expected condition for a power supply that is not battery backed.