05000413/LER-2016-001
| Catawba Nuclear Station, Unit 1 | |
| Event date: | 12-13-2015 |
|---|---|
| Report date: | 06-23-2016 |
| Reporting criterion: | 10 CFR 50.73(a)(2)(i)(B), Prohibited by Technical Specifications 10 CFR 50.73(a)(2)(v), Loss of Safety Function 10 CFR 50.73(a)(2)(v)(A), Loss of Safety Function - Shutdown the Reactor |
| 4132016001R00 - NRC Website | |
| ML16179A207 | |
| Person / Time | |
|---|---|
| Site: | Catawba  |
| Issue date: | 06/23/2016 |
| From: | Henderson K Duke Energy Corp |
| To: | Document Control Desk, Office of Nuclear Reactor Regulation |
| References | |
| CNS-16-048 LER 16-001-00 | |
| Download: ML16179A207 (8) | |
comments regarding burden estimate to th'e FOIA, Privacy and Information Collections. Branch '.(T-5 F53), U.S. Nuclear Regulatory Commission, Washington, DC 20555-0001, or by intemet e-mail to used to impose an information collection does not display a currently valid OMB control number, the NRC may not conduct or sponsor, and a person is not required to respond to, the information collection. '-
BACKGROUND
The following information is provided to assist readers in understanding the event described in this LER.
Applicable Energy Industry Identification system [EIIS] and component codes are enclosed within brackets.
Catawba's unique system and component identifiers are contained within parentheses.
The function of the Emergency Core Cooling System (ECCS) is to provide core cooling and negative reactivity to ensure that the reactor core is protected after any of the following accidents:
a. Loss of Coolant Accident (COCA), coolant leakage greater than the capability of the normal charging system; b. Rod ejection accident; c. Loss of secondary coolant accident, including uncontrolled steam or feedwater release; and d. Steam Generator Tube Rupture (SGTR).
There are three phases of ECCS operation: injection, cold leg recirculation, and hot leg recirculation. In the injection phase, water is taken from the Refueling Water Storage Tank (RWST) and injected into the Reactor Coolant System (RCS) [EIIS: AB] through the cold legs. When sufficient water is removed from the RWST to ensure that enough boron has been added to maintain the reactor subcritical and that the containment emergency sump contains enough water to supply the required net positive suction head to the ECCS pumps, suction is switched to the sump for cold leg recirculation. During the recirculation phase of LOCA recovery, Residual Heat Removal (RHR) [EIIS: BP] pump suction is transferred to the sump. The RHR pumps then supply the other ECCS pumps. Initially, recirculation is through the same paths as the injection phase. Subsequently, for large LOCAs, the recirculation phase includes injection into both the hot and cold legs.
The operability requirements for the ECCS are based on the following LOCA analysis assumptions:
a. A large break LOCA event, with loss of offsite power and a single failure disabling one ECCS train; and b. A small break LOCA event, with a loss of offsite power and a single failure disabling one ECCS train.
In MODES 1, 2, and 3, two independent (and redundant) ECCS trains are required to ensure that sufficient ECCS flow is available, assuming a single failure affecting either train. Additionally, individual components within the ECCS trains may be called upon to mitigate the consequences of other transients and accidents.
TS Limiting Condition of Operation (LCO) 3.5.2 governs ECCS - Operating for Modes 1, 2, and 3. LCO 3.5.2, Required Action A states with one or more trains inoperable, and at least 100% of the ECCS flow equivalent to a single operable ECCS train available, the inoperable components must be returned to operable status within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />.
The unit Essential Auxiliary Power Distribution System AC sources consist of the offsite power sources, and the onsite standby power sources. The design of the AC electrical power system provides independence and redundancy to ensure an available source of power to the Engineered Safety Feature (ESF) systems.
The onsite standby power source for each 4.16 kV ESF bus [EIIS: BU] is a dedicated emergency Diesel Generator (DG) [EIIS: EK]. DGs A and B are dedicated to ESF buses ETA and ETB, respectively. A DG starts automatically on a Safety Injection (SI) signal (i.e., low pressurizer pressure or high containment pressure signals) or on an ESF bus degraded voltage or undervoltage signal. After the DG has started, it will automatically tie to its respective bus after offsite power is tripped as a consequence of ESF bus undervoltage or degraded voltage, independent of or coincident with an SI signal. With no SI signal, there is a 10 minute delay between the degraded voltage signal and the DG start signal. The DGs will also start and operate in the standby mode without tying to the ESF bus on an SI signal alone. Following the trip of offsite power, a sequencer [EIIS: EK] strips loads from the ESF bus. When the DG is tied to the ESF bus, loads are then sequentially connected to its respective ESF bus by the automatic load sequencer. The sequencing logic controls the permissive and starting signals to motor breakers to prevent overloading the DG by automatic load application.
In the event of a loss of preferred power, the ESF electrical loads are automatically connected to the DGs in sufficient time to provide for safe reactor shutdown and to mitigate the consequences of a Design Basis Accident (DBA) such as a LOCA.
TS 3.8.1 governs the DGs. LCO 3.8.1 requires two operable DGs for each unit that is in Modes 1, 2, 3, and 4. Required Action B.2, states with one DG inoperable, required feature(s) supported by the inoperable DG are to be declared inoperable within 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />. This action is intended to provide assurance that a loss of offsite power, during the period that a DG is inoperable, does not result in a complete loss of safety function of critical systems. In this Required Action, the Completion Time only begins on discovery that both an inoperable DG exists, and a required feature on the opposite train is inoperable.
Valve 1ND-36B is a motor operated gate valve located on the inlet to the RHR System (ND) from RCS Loop C. This valve, along with valve 1ND-37A, is closed during normal unit operation to provide isolation between the RCS and the RHR pump B suction line and thus protect the RHR System from overpressurization. This valve is opened when the RHR System is placed into operation during cooldown. During Modes 1 through 4, power is not removed from valve 1ND-36B in order to prevent the loss of the interlock between this valve and other valves in the Intermediate Head Safety Injection System [EIIS: BQ] and the Containment Spray System [EIIS: BE]. This interlock is provided by relay contacts. The relay is powered by the same breaker as the valve.
Therefore, removing power to valve 1ND-36B also deenergizes the relay and will not give a permissive to open these other valves during cold leg recirculation following a LOCA. During Modes 5 (depending on RCS level) and 6, power is removed from all suction isolation valves, (including 1ND-36B) in the open position to prevent inadvertent closure during cooldown and refueling operations and subsequent loss of RHR.
The breaker for the Unit 1 RHR pump suction valve (1ND-36B) was found in the incorrect position. The last manipulation of this breaker was determined to have been during the unit's previous outage. For the period of time between the outage and when the breaker was found open, this event is being reported under 10 CFR 50.73(a)(2)(i)(B), any operation or condition which was prohibited by the plant's TS. During this period of time, when the other train (1A) DG was unavailable for greater than 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />, this event is also being reported under 10 CFR 50.73(a)(2)(v), any event or condition that could have prevented the fulfillment of the safety function of structures or systems that are needed to shutdown the reactor and maintain it in a safe shutdown condition, or mitigate the consequences of an accident. At the time this condition was identified, Catawba Unit 1 was operating in Mode 1 at approximately 100 percent power. No structures, systems, or components were out of service at the time of this condition that contributed to this event.
On March 28, 2016, while attempting to perform the 1B train ECCS cold leg recirculation interlock test, Operations did not receive the expected condition from a relay in the test procedure. The investigation found the breaker (1EMXD-F02A) for the 1B RHR pump loop suction valve (1ND-36B) was open. The required position for 1EMXD-F02A, in Mode 1, is closed to provide the interlock with other required ECCS valves. 1B train ECCS was declared inoperable. After the shift determined 1EMXD-F02A was not tripped, the breaker was closed and 1B train ECCS was declared operable. The investigation determined that the last operation of 1EMXD-F02A was during the previous refueling outage (1E0C22) on December 13, 2015.
The issue was determined to be LER reportable on April 26, 2016. Unit 1 was operating in Mode 1 at approximately 100% power at the time the breaker was discovered open and 1A DG was operable.
Due to the coordination of performing two separate procedures concurrently during 1E0C22, the breaker was inadvertently left open for valve 1ND-36B, although the valve itself was found in the correct position (closed). Both the pressure boundary valve test procedure and the standby readiness operating procedure operate the RHR loop suction valve breakers. The pressure boundary valve test procedure was the last procedure to manipulate 1EMXD-F02A during 1E0C22 on December 13, 2015.
Timeline:
12/12/15 nightshift - Main control room began coordination for 1B train RHR standby readiness. During this procedure, the breaker for 1ND-36B is closed in, and the valve is closed.
12/12/15 nightshift - Primary outage execution group began coordination for RHR pressure boundary valve testing. During this procedure, the breaker for 1ND-36B is turned off (opened). Later in the procedure, a suction source is verified for the RHR 1B train pump. With the valve already closed in the correct position, the breaker was not verified closed.
12/15/15 13:52 - Unit 1 entered Mode 3. TS 3.5.2 should have been entered for ECCS 1B train at this time.
12/18/15 13:52 - 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> after entering Mode 3. TS 3.5.2 would have expired for ECCS 1B train.
1/19/16 04:00 - 1A train DG declared inoperable for 19hr 0 min. TS 3.8.1 Required Action B.2 should have been performed after 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />.
2/16/16 06:10 - 1A train DG declared inoperable for 14 hr 18 min. TS 3.8.1 Required Action B.2 should have been performed after 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />.
2/17/16 07:45 - 1A train DG declared inoperable for 10 hr 18 min. TS 3.8.1 Required Action B.2 should have been performed after 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />.
2/18/16 04:45 - 1A train DG declared inoperable for 7 hr 24 min. TS 3.8.1 Required Action B.2 should have been performed after 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />.
3/22/16 04:18 - 1A train DG declared inoperable for 18 hr 40 min. TS 3.8.1 Required Action B.2 should have been performed after 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />.
3/28/16 0928 - 1B train ECCS cold leg recirculation interlock test started.
3/28/16 0951 - 1EMXD-F02A (1ND-36B) breaker position found open during 1B train ECCS cold leg recirculation interlock test.
3/28/16 1100 - 1B train ECCS was declared inoperable.
3/28/16 1201 - 1EMXD-F02A was closed and 1B train ECCS was declared operable.
I The direct cause of this event is that the test procedure for pressure boundary valve testing did not contain specific procedural guidance for establishing a suction source for the 1B train RHR pump, and therefore coordination is required with the standby readiness alignment procedure. The lack of specific procedural guidance allowed the breaker for 1ND-36B to remain open.
Contributing to the event was ineffective procedural coordination by licensed personnel for the performance of both procedures. Also contributing was the fact that no indication exists in the control room that would indicate the breaker is out of its normal position, nor is there a method to check the RHR pump loop suction valve breaker position.
CORRECTIVE ACTIONS
Immediate 1. Operators closed 1EMXD-F02A and declared ECCS 1B operable.
Planned 1. Revise the Reactor Coolant System Pressure Boundary Valve Leak Rate Test procedure to add steps on how to align a suction source prior to racking in the RHR pump breaker.
2. Revise RHR System procedure to add a verification step for ensuring EMXD-F02A is closed when aligning RHR for standby readiness.
3. Establish a method to check the position of safety related breakers for those that can't be monitored from the control room.
SAFETY ANALYSIS
During the course of this event, Unit 1 operated for a period of time (from December 18, 2015, to March 28, 2016) outside the TS Required Action Completion Time for 1B train ECCS inoperable. During the period of 1B train ECCS inoperability, A train DG was inoperable for greater than four hours on five different occasions, resulting in a loss of safety function for the Unit 1 ECCS. The loss of safety function would have applied following the injection phase of ECCS of a LOCA, during the time in which the interlock between 1ND-36B and other valves in the Intermediate Head Safety Injection System and Containment Spray System would have been required during cold leg recirculation.
During the time the breaker was left open during the previous refueling outage, and the time the breaker was discovered to be open, no events or conditions occurred which would have required the actuation of the ECCS or other safety related systems. Had a LOCA occurred, Operations would have taken action to close the breaker for valve 1ND-36B, or would have used the guidance provided in an emergency procedure to manually position the valve.
The nuclear safety significance of this event was evaluated qualitatively using a risk-informed approach and found to be of very low risk significance. The mispositioned power breaker did not result in a plant transient or abnormal plant condition that impacted public health and safety.
During the period of time that breaker 1EMXD-F02A was open, one of the two parallel interlocks that allows a valve in the Intermediate Head Safety Injection System to open could not have been met; however, the parallel interlock from valve 1ND-37A was available to satisfy the interlock if it were demanded to open.
Thus, ECCS 1B could still provide its accident mitigation function as long as power is available to valve 1ND-37A to satisfy the parallel interlock circuit. Apart from a loss of power to 1ND-37A, the loss of the single interlock has an insignificant impact on ECCS train reliability and a negligible risk impact.
However, a potential risk impact of this event is from an event involving a LOCA with coincident loss of offsite power (LOOP) and a 1A DG failure which causes both the demand for ECCS actuation and a loss of power to 1ND-37A. Based on information from the Catawba PRA model, the frequency of a LOCA event during the period of ECCS 1B inoperability is low. The likelihood of a coincident LOOP and LOCA is also a low probability event. And given a LOOP event, the probability of a failure of the 1A DG is also low.
Based on the combined probabilities of these factors taken together, it is concluded that the mispositioned breaker event was of very low risk significance and not significant to the health and safety of the public.
ADDITIONAL INFORMATION
A review of the Catawba corrective action program was conducted to determine whether this was a recurring event (i.e. similar event with the same cause). No other similar events have been documented in the past three years. Therefore, this is not considered a recurring event.
The issue described in this LER is considered to constitute a Safety System Functional Failure. There was no release of radioactive material, radiation overexposure, or personnel injury associated with the issue described in this LER. A decision was made to post this event to the INPO Consolidated Event System (ICES).