05000529/LER-2003-001
| Docket Number | |
| Event date: | 07-29-2003 |
|---|---|
| Report date: | 04-25-2006 |
| Reporting criterion: | 10 CFR 50.73(a)(2)(iv)(A), System Actuation 10 CFR 50.73(a)(2)(v), Loss of Safety Function |
| Initial Reporting | |
| 5292003001R01 - NRC Website | |
1. REPORTING REQUIREMENT(S):
Arizona Public Service Company (APS) is reporting this condition pursuant to 10 CFR 50.73(a)(2)(iv)(A) due to a manual actuation of the reactor protection system [EIIS: JC] on July 29, 2003. Similarly, notification was made to the NRC headquarters operation officer on July :29, 2003 (reference ENS # 40033) pursuant to 10 CFR 50.72(b)(2)(iv)( B).
2. DESCRIPTION OF STRUCTURE(S), SYSTEM(S) AND COMPONENT(S):
Pressurizer Spray Control Valves (RCE-100E/F) [EIIS: AB, FCV] During normal operation, with reactor coolant pumps operating, pressurizer spray flowrate is controlled by two modulating (regulating), diaphragm operated spray control valves (Fisher valve model number 67-70 and the positioner model number is 3582G).
When in the automatic mode, these valves start to open at 2275 psia and are fully open at 2300 psia. The spray control valves can also be controlled manually in the control room.
Pressurizer spray water is normally supplied from the cold leg reactor coolant pump (RCP) discharge of loops 1A and 1B. Having spray lines from both RCP discharge loops permits spray flow with less than four reactor coolant pumps operating. Differential pressure created by coolant flow through the reactor vessel normally provides the motive force necessary for spray flow.
Reactor Protection System (RPS) The RPS provides for the rapid and reliable shutdown of the reactor to protect the core and the reactor coolant system pressure boundary from potentially hazardous operating conditions. Shutdown is accomplished by the generation of reactor trip signals. The trip signals open the reactor trip switchgear (RTSG) breakers [EIIS: AA], BRK), de-energizing the control elernent drive mechanism (CEDM) coils [EllS: AA], allowing control element assemblies (CEAs) to drop into the core by the force of gravity.
Engineered Safety Features Actuation System (ESFAS)[EIIS: JE] The ESFAS initiates necessary safety systems, based upon the values of selected unit parameters, to protect against violating core design limits and the Reactor Coolant System (RCS) pressure boundary during anticipated operational occurrences and ensures acceptable consequences during accidents.
The ESFAS contains devices and circuitry that generate Safety Injection Actuation Signals (SIAS) and Containment Isolation Actuation Signals (CIAS) (among others) when monitored variables reach levels that are indicative of conditions requiring protective action. A SIAS actuation will also start the emergency Diesel Generators (DG)[EIIS: EK].
If, during testing, a SIAS, containment spray actuation signal or auxiliary feedwater actuation signal occurs while the diesel generator is paralleled to the preferred power supply with its control switch in the REMOTE or LOCAL position, the diesel generator breaker will be automatically tripped by a momentary tripping pulse.
3. INITIAL PLANT CONDITIONS:
On July 29, 2003, at approximately 1500 Mountain Standard Time (MST), Palo Verde Unit 2 was in Mode 1 (POWER OPERATION), operating at approximately 98 percent power. There were no major structures, systems, or components that were inoperable at the start of the event that contributed to the event. There were no failures that rendered a train of a safety system inoperable and no failures of components with multiple functions.
Prior to the event, DG "A" was running in the "test" mode during a scheduled surveillance test (ST). Following the SIAS initiation, DG "B" started as required in the "emergency" mode and the DG "A" output breaker [EDS: BRK] opened, as designed, upon receipt of the SIAS. Both DGs remained OPERABLE, running unloaded in the emergency mode as expected.
4. RELEVANT EVENTS CHRONOLOGY:
On July 29, 2003, at approximately 1425 MST, control room personnel (utility-licensed operators) returned RCE-100F to service upon completion of repairs to the valve's control system and applicable testing.
At 1500 MST, control room personnel received an alarm indicating that pressurizer pressure was c ecreasing due to pressurizer spray valve RCE-100F being full open.
Control room personnel performed the first priority actions of the applicable alarm response procedure which included isolating the instrument air (1A)[EllS: LF] to containment. RCS letdown was lost due to isolation of IA.
At 1515 MST, control room personnel, noting that the isolation of IA had not caused RCE-100F to close and that pressurizer pressure was continuing to decrease, initiated a manual reactor trip in accordance with the alarm response procedure. All CEAs inserted fully into the reactor core. Safety related buses remained energized during and following the reactor trip. All four RCPs were secured and control room personnel commenced applicable standard post trip actions (SPTAs). SIAS/CIAS automatically actuated. DG "A" output breaker tripped due to the SIAS/CIAS actuation.
At 1517 MST, control room personnel entered Limiting Condition for Operation (LCO) 3.4.5 RCS Loops—MODE 3, conditions A and C due to all four RCPs being secured.
At 1525 MST, control room personnel completed applicable SPTAs and the control room supervisor (CRS, utility-licensed operator) determined that plant conditions met a Loss of Forced Circulalion (LOFC) event. SPTAs were exited and the LOFC emergency operating procedure (EOP) was entered.
At 1529 MST, control room personnel reviewed Emergency Plan procedure EPIP-01 and determined that no emergency action level event classifications were required for the event. Control room personnel entered LCO 3.4.9 Pressurizer, condition A due to pressurizer level exceeding 56%.
At 1542 MST, control room personnel exited LCO 3.4.9 condition A when pressurizer level was reduced below 56%.
At 1610 MST, control room personnel restored RCS letdown after the SIAS/CIAS.
By 1616 MST, other utility personnel entered containment and manually isolated RCE-100F by closing both its inlet and outlet valves.
At 1725 MST, control room personnel started RCP "1A" per applicable procedures and LCO 3.4.5 condition C was exited.
At 1746 MST, control room personnel started RCP "2A" per applicable procedures and LCO 3.4.5 condition "A" was exited.
At 1749 MST, control room personnel placed DG "A" in standby following the reset of SIAS/CIAS.
By 1808 MST, control room personnel had started both RCP 1B and 2B and EDG "B" had been placed in standby following the reset of SIAS/CIAS.
5. ASSESSMENT OF SAFETY CONSEQUENCES:
The minimum RCS pressure reached during the event was approximately 1792 pounds per square inch absolute (psia) (SIAS/CIAS setpoint is 1837 psia). RCS pressure reached a maximum of approximately 2264 psia after establishment of natural circulation.
The minimum pressurizer level reached was approximately 30%. The decrease in RCS pressure and level is attributed to cooling caused by the opening of steam bypass control system (SBCSAEIIS: JI] valves following the turbine trip. Letdown was lost during the event due to isolation of IA to containment and pressurizer level increased to approximately 59%. Control room personnel initiated a cool-down in accordance with the applicable emergency operating procedure to control pressurizer level.
Subsequent to the reactor trip the plant responded as designed. The reactor trip was uncomplicated, no safety limits were exceeded, and the event was bounded by current safety analyses. Primary and secondary pressure boundary limits were not exceeded as a result of the reactor trip. The transient did not cause any violation of the safety limits.
Therefore, there were no adverse safety consequences or implications as a result of this event. This event did not adversely affect the safe operation of the plant or health and safety of the public.
The condition (RCE-100F full open) did not prevent the fulfillment of any safety function and did not result in a safety system functional failure as defined by 10CFR50.73(a)(2)(v).
6. CAUSE OF THE EVENT:
The direct cause of the event was RCE-100F's positioner balance beam was found disengaged from its pivot point and came to rest in a position that obstructed the positioner air vent. This obstruction prevented the venting of the positioner air relay, which then caused the maximum amount of air to be delivered to open the spray valve, overriding the close demand signal from the control room.
The root cause of the event was Air Operated Valve Services maintenance group work processes and procedures did not ensure worn and loose parts were detected and replaced prior to valve positioner failure. The combination of these worn and loose parts resulted in the valve positioner failing open in a manner that had not been seen at PVNGS or described in previously available operating experience and therefore was not anticipated.
No unusual characteristics of the work location (e.g., noise, heat, poor lighting) directly contributed to his event.
7. CORRECTIVE ACTIONS:
Control room personnel took immediate action to place the reactor in a stable condition in accordance with the applicable procedures.
Unit 1, 2 and 3 Fisher air operated valve positioners for the RCE-100 E and F main pressurizer spray valves were replaced with new positioners.
Applicable procedures were revised to require the monitoring of the main pressurizer spray valve operation prior to fully aligning these valves for RCS pressure control.
A checklist of specific attributes was added to the Air Operated Valve (AOV) Preventive Maintenance (PM) instructions for critical components and alignments in valve positioners and other control components to ensure valve control remains reliable.
8. PREVIOUS SIMILAR EVENTS:
In the past three years there have been no similar events where a Palo Verde Generating Unit experienced a reactor trip with Loss of Forced Circulation (LOFC) due to a failed pressurizer main spray valve.
9. ADDITIONAL INFORMATION:
Subsequent to the event, the shift technical advisor (STA) group did not promptly notify the System Engineering department that a safety injection had occurred as a result of the reactor trip (this delay was also noted by the resident NRC inspector).
During the post-trip plant performance evaluation, the initiation of the SIAS signal and RCS pressures were reviewed and it was noted that RCS pressure had lowered to 1792 psia (below the 1837 psia SIAS/CIAS setpoint). The STA group was initially not certain that an actual injection had occurred due to the lack of confirmatory flow indication and unknown piping head losses present at the time of the event. The subsequent review confirmed a safety injection had occurred and the initial NRC event notification was supplemented 10 reflect this finding.
Procedural enchantments were made to ensure that the total number of High Pressure Safety Injection (HPSI) nozzle thermal cycles does not exceed the Update Final Safety HPSI thermal cycle count was seven, with a procedural limit of 112 (70% of the UFSAR allowable cycles) before an Engineering evaluation is necessary. The HPSI cycle (injection) that occurred during this event has been taken into account by the System Engineering department through the corrective action program.