05000440/LER-2002-003

LER-2002-003, Inadequate Emergency Closed Cooling Water Surveillance Instruction Results in the Loss of Safety Function
Perry Nuclear Power Plant
Event date: 11-14-2002
Report date: 01-13-2003
Reporting criterion: 10 CFR 50.73(a)(2)(vii)(D), Common Cause Inoperability

10 CFR 50.73(a)(2)(v)(B), Loss of Safety Function - Remove Residual Heat

10 CFR 50.73(a)(2)(v)(D), Loss of Safety Function - Mitigate the Consequences of an Accident

10 CFR 50.73(a)(2)(vii)(B), Common Cause Inoperability
4402002003R00 - NRC Website

I. Introduction

The Perry Nuclear Power Plant (PNPP) Emergency Closed Cooling Water (ECCW) [CC] system is a safety related system that provides a heat sink for the removal of process and operating heat from safety related components during a Design Basis Accident or transient. Cooling water is supplied for safety related systems including Residual Heat Removal (RHR) [BO], Low Pressure Core Spray (LPCS) [BM], Reactor Core Isolation Cooling (RCIC) [BN], Hydrogen Analyzers [IK] and Control Complex Chillers [KM].

During normal power operation, the ECCW system is maintained in a standby condition. The ECCW system is also required to operate when the plant is in a hot or cold shutdown condition to supply cooling water to the RHR pump seals and room coolers. The ECCW system serves as a barrier to the release of radioactive byproducts between potentially radioactive systems and the Emergency Service Water system, and thus to the environment.

The ECCW system consists of two independent and redundant subsystems that provide cooling water to safety related equipment.

Each ECCW subsystem consists of a pump, surge tank, heat exchanger, piping, valves, instrumentation, and controls. An open surge tank in each subsystem includes alarm functions to ensure sufficient net positive suction head is maintained for the ECCW pumps.

The surge tank also provides for monitoring and control of system fluid inventory. The pump in each subsystem is automatically started on receipt of an actuation signal due to a Loss of Coolant Accident (LOCA) or a Loss of Off-site Power (LOOP).

Additionally, the pump in the A subsystem will start on a RCIC initiation signal.

A non-safety related chemical addition tank is shared by both loops. The chemical addition tank is connected to each loop through three-fourths inch diameter piping that interconnects the two loops. The non-safety related, non-seismically qualified chemical addition piping is isolated from each safety related ECCW loop by a normally closed valve. Independence is to be maintained by allowing alignment of the chemical addition tank to only one loop at a time.

During testing of the pump discharge check valves for reverse flow, the surveillance instruction allowed both chemical addition system isolation valves to be opened simultaneously. Thus, the two independent loops were interconnected for a short period of time through the non-safety related chemical addition system piping. Technical Specification 3.7.10 requires that two ECCW subsystems shall be operable in Modes 1, 2 and 3. With two subsystems inoperable, the associated systems are to be immediately declared inoperable and the plant is to be placed in Mode 3 within 12 hours. Opening the isolation valves of the chemical addition system between each ECCW loop rendered both loops inoperable, a condition that was not identified during development of the test procedure Revision in 1998. A design basis accident, which includes a seismic event, during this time could have resulted in loss of system inventory required for the system to fulfill its safety functions. The interconnection of the two independent ECCW subsystems is considered a condition that could have prevented the fulfillment of a safety function of a system needed to remove residual heat in accordance with 10CFR50.73(a)(2)(v)(B) and to mitigate the consequences of an accident in accordance with 10CFR50.73(a)(2)(v)(D). This condition is also considered an event whereby a single condition caused two independent trains to become inoperable in a single system designed to remove residual heat in accordance with 10CFR50.73(a)(2)(vii)(B) and to mitigate the consequences of an event in accordance with 10CFR50.73(a)(2)(vii)(D).

II. Event Description

On November 14, 2002, with the Perry Nuclear Power Plant operating in Mode 1 at 100 percent power, a review of the "ECC Pump and Valve Operability Test" (SVI-P42-T2001), Revision 7, revealed that two independent loops of the ECCW system were being interconnected through non-safety related chemical addition system piping to facilitate performance of reverse flow testing of the ECCW system pump discharge check valves.

The quarterly surveillance instruction used to perform this testing was made effective on November 18, 1998. Revision 7 incorporated a test of the ECCW pump discharge check valve for reverse closure. This testing was incorporated during the 10-Year Update of the Pump and Valve Inservice Testing (IST) Program required by 10CFR50.55a(f), and has been performed on a quarterly basis since that time. This resulted in the ECCW system being in the interconnected lineup approximately 35 times. The condition report investigation operator interviews estimated that the time the interconnected lineup existed was less than 15 minutes per loop.

The test methodology involved starting an ECCW pump on minimum flow recirculation and then opening the chemical addition system isolation valve for each loop. Consequently, the discharge pressure of the operating pump was applied against the opposite loop non-operating pump discharge check valve to test for reverse closure. The isolation valves for the chemical addition system were open for a short period of time (approximately 15 minutes) in order to verify the closure of the ECCW pump discharge check valve.

If a design basis accident, which includes a seismic event, had occurred with the isolation valves for the chemical addition system open, loss of inventory required for the system to remain available to fulfill its safety functions could have resulted.

III. Cause of Event

The cause of this event was determined to be inadequate preparation, review and approval of the "ECC Pump and Valve Operability Test," Revision 7, made effective on November 18, 1998. Processing of the procedure change did not identify that both ECCW loop A and B were being made simultaneously inoperable, which requires specific Technical Specification actions. Furthermore, the potential loss of cooling capability of both loops during a design basis accident, which includes a seismic event, was not recognized.

IV. Safety Analysis

Interconnection of the two ECCW loops during ECCW pump discharge check valve testing could have resulted in leakage from both ECCW loops if the non-safety piping failed during a design basis accident, which includes a seismic event. The loss of system inventory could have resulted in the loss of cooling capability and consequently the loss of safety functions performed by the residual heat removal and accident mitigating components cooled by ECCW loops A and B.

Automatic makeup is normally provided to the ECCW surge tanks from the non-safety Two-Bed Water System. A manual safety-related surge tank fill connection is supplied from the safety related ESW system. It is expected that the field operator would notify the control room staff of the leak and be immediately available to isolate the leak. The ECCW surge tank level instrumentation has a computer alarm in the control room to alarm on low surge tank level. This is also the level at which the automatic makeup valve should open. There is also a surge tank low level alarm, which is annunciated in the control room. The alarm instruction directs the operators to manually add water to the ECCW surge tanks and to look for and isolate any system leaks. The ECCW system has low flow alarms and high heat exchanger temperature alarms should the low level alarms not be quickly corrected. The actions in the alarm procedures direct mitigation of the leakage and refilling the surge tanks to continue or restore operation of the ECCW system.

An Incremental Conditional Core Damage Probability (ICCDP) calculation was performed assuming the interconnected condition existed for 15 minutes for each loop for each performance of the surveillance, giving an interconnected time of 30 minutes for each surveillance performance. Assuming 8 performances per year, which includes an allowance for post-maintenance testing, this results in a total time period of ECCW vulnerability of 4 hours per year. The calculation assumed that both ECCW pumps A and B were failed during this interval. No credit was taken for operator action to isolate the interconnection or to refill the surge tanks. The calculated ICCDP was determined to be 6.54E-7 per year. Using Regulatory Guide 1.174, An Approach For Using Probabilistic Risk Assessment In Risk-Informed Decisions on Plant-Specific Changes To the Licensing Basis, as a reference, this event is considered to have very low safety significance.

V. Corrective Actions

The surveillance procedure "ECC Pump and Valve Operability Test" was revised to eliminate the steps that interconnect the two ECCW loops. It was determined that the pump discharge check valves being tested had no safety closure function in a design basis accident and are not required to be tested in this manner.

All ASME Section XI Inservice Pump and Valve Testing surveillance instructions were reviewed to ensure no similar conditions exist in these procedures.

VI. Previous Similar Events

No events that involved interconnection of safety related subsystems were identified in the past two years at the PNPP.

Energy Industry Identification System (EIIS) codes are identified in the text in the format [xx].