IR 05000219/2009009

From kanterella
Jump to navigation Jump to search
IR 05000219-09-009, on 07/16/2009 - 08/14/2009, Exelon Generation Company, LLC, Oyster Creek Nuclear Generating Station, Special Inspection for July 12, 2009, Reactor Scram, Inspection Procedure 93812, Special Inspection
ML092710122
Person / Time
Site: Oyster Creek
Issue date: 09/26/2009
From: Clifford J
Division Reactor Projects I
To: Pardee C
Exelon Generation Co, Exelon Nuclear
BELLAMY RR
References
IR-09-009
Download: ML092710122 (38)
v  d  e


Text

UNITED STATES ber 26, 2009

SUBJECT:

OYSTER CREEK GENERATING STATION - NRC SPECIAL INSPECTION REPORT 05000219/2009009

Dear Mr. Pardee:

On August 13, 2009, the U. S. Nuclear Regulatory Commission (NRC) completed a Special Inspection of the July 12, 2009, reactor scram with a loss of offsite power at your Oyster Creek Generating Station. The Special Inspection Team (SIT) Charter (Attachment 1 of the enclosed report) provides the basis and additional details concerning the scope of the inspection. The enclosed report documents the inspection teams activities conducted in accordance with the SIT Charter and the inspection findings, which were discussed on August 13, 2009, with Mr. M. Massaro, Site Vice President, and other members of your staff.

The inspection examined activities conducted under your license as they relate to safety and compliance with Commission rules and regulations and with conditions of your license. The team reviewed selected procedures and records, observed activities, and interviewed personnel. In particular, the inspection team reviewed event evaluations (including technical analyses), causal investigations, relevant performance history, and extent-of-condition to assess the significance and potential consequences of issues related to the July 12, 2009, reactor scram with a loss of offsite power. The team also reviewed the circumstances leading to the August 3, 2009, #1 emergency diesel generator surveillance test failure.

The team concluded that, overall, Exelon personnel maintained plant safety in response to the reactor scram with a loss of offsite power. Nonetheless, the team identified several issues related to equipment performance which complicated the event. The enclosed chronology (Attachment 2 of the enclosed report) provides additional details on the sequence of events and event complications that the team developed during the inspection.

The report documents one NRC-identified finding and one self-revealing finding, both of very low safety significance (Green). These findings were determined to involve violations of NRC requirements. However, because of the very low safety significance and because they were entered into your corrective action program, the NRC is treating these findings as non-cited violations (NCVs) consistent with Section VI.A.1 of the NRC Enforcement Policy. If you contest any NCV, you should provide a response within 30 days of the date of this inspection report, with the basis for your denial, to the Nuclear Regulatory Commission, ATTN.: Document Control Desk, Washington DC 20555-0001; with copies to the Regional Administrator, Region I; the Director, Office of Enforcement, United States Nuclear Regulatory Commission, Washington, DC 20555-0001; and the NRC Senior Resident Inspector at Oyster Creek Generating Station.

In addition, if you disagree with the characterization of any finding in this report, you should provide a response within 30 days of the date of this inspection report, with the basis for your disagreement, to the Regional Administrator, Region I, and the NRC Senior Resident Inspector at Oyster Creek Generating Station. The information you provide will be considered in accordance with Inspection Manual Chapter 0305.

In accordance with 10 CFR 2.390 of the NRC's "Rules of Practice," a copy of this letter, its enclosure, and your response (if any) will be available electronically for public inspection in the NRC Public Document Room or from the Publicly Available Records (PARS) component of NRCs document system (ADAMS). ADAMS is accessible from the NRC Website at http://www.nrc.gov/reading-rm/adams.html (the Public Electronic Reading Room).

We appreciate your cooperation. Please contact me at (610) 337-5080 if you have any questions regarding this letter.

Sincerely,

/RA/

James W. Clifford, Acting Director Division of Reactor Projects Docket No. 50-219 License No. DPR-16 Enclosure: Inspection Report 05000219/2009009 w/Attachments cc w/encl:

C. Crane, President and Chief Operating Officer, Exelon Corporation M. Pacilio, Chief Operating Officer, Exelon Nuclear M. Massaro, Site Vice President, Oyster Creek Nuclear Generating Station P. Orphanos, Plant Manager, Oyster Creek Generating Station J. Barstow, Regulatory Assurance Manager, Oyster Creek J. Grimes, Senior Vice President, Mid-Atlantic Operations K. Jury, Vice President, Licensing and Regulatory Affairs P. Cowan, Director, Licensing B. Fewell, Associate General Counsel, Exelon Correspondence Control Desk, Exelon Nuclear Mayor of Lacey Township P. Mulligan, Chief, NJ Dept of Environmental Protection R. Shadis, New England Coalition Staff E. Gbur, Chairwoman - Jersey Shore Nuclear Watch E. Zobian, Coordinator - Jersey Shore Anti Nuclear Alliance P. Baldauf, Assistant Director, NJ Radiation Protection Programs Honorable Christopher J. Connors, New Jersey State Senator Honorable Brian E. Rumpf, New Jersey State Assemblyman

SUMMARY OF FINDINGS

IR 05000219/2009009; 07/16/2009 - 08/14/2009; Exelon Generation Company, LLC, Oyster

Creek Nuclear Generating Station; Special Inspection for July 12, 2009, Reactor Scram;

Inspection Procedure 93812, Special Inspection.

A seven-person NRC team, comprised of resident inspectors, regional inspectors, and a regional senior reactor analyst conducted this Special Inspection. The team was accompanied by an engineer from the State of New Jersey Department of Environmental Protection. The inspection team identified two Green non-cited violations (NCVs). The significance of most findings is indicated by their color (Green, White, Yellow, or Red) using Inspection Manual Chapter (IMC)0609, "Significance Determination Process" (SDP); the cross-cutting aspect was determined using IMC 0305, Operating Reactor Assessment Program; and findings for which the SDP does not apply may be Green or be assigned a severity level after NRC management review. The NRCs program for overseeing the safe operation of commercial nuclear power reactors is described in NUREG-1649, "Reactor Oversight Process," Revision 4, dated December 2006.

Cornerstone: Mitigating Systems

  • (GREEN) The NRC identified a finding of very low safety significance (Green) that involved a non-cited violation (NCV) of 10 CFR50, Appendix B, Criterion XVI, Corrective Action, because Exelon did not identify and correct a degraded condition which resulted in subsequent inoperablility that would have prevented the #1 emergency diesel generator (EDG) from automatically performing its safety function. Specifically, the troubleshooting activity following the July 12, 2009, event, conducted prior to restart on July 15, 2009, did not identify the degraded operation of Generator Breaker Close (GBC) relay contacts.

Continued degradation of these relay contacts subsequently resulted in the #1 EDG output breaker not closing during surveillance testing on August 3, 2009. The team found that Exelon replaced the GBC relay and its base and conducted an adequate post-maintenance test, returning the #1 EDG to an operable condition on August 5, 2009.

Exelon entered this issue into the corrective action program.

The finding was more than minor because it was associated with the equipment reliability attribute of the Mitigating Cornerstone and it adversely affected the associated cornerstone objective of ensuring the availability, reliability, and capability of systems that respond to initiating events to prevent undesirable consequences (i.e., core damage). A Phase 3 SDP analysis determined that the finding was of very low safety significance (Green),

during the 16 day exposure period, in that there was a reasonable probability that operators would have successfully locally closed the output breaker. This finding had a cross-cutting aspect in the area of human performance, decision making [IMC 0305,

Aspect H.1(a), because the safety-significant and risk-significant decisions concerning the #1 EDG were not completed in a systematic process to ensure safety is maintained.

(Section 2.2)

(GREEN) The NRC identified a self-revealing finding of very low safety significance (Green) that involved an NCV of Oyster Creek Technical Specification 6.8.1, Procedures and Programs, because Exelon did not adequately implement a safety- related maintenance activity. Specifically, foreign material exclusion (FME) control requirements during maintenance in November 2008 were not properly implemented which allowed foreign material to enter the B Isolation Condenser (IC) level instrumentation piping. This resulted in the unavailability of the IC due to erratic water level indication during the July 12, 2009 event. The team found that Exelon took adequate corrective actions to restore the B IC to an operable condition including back-flushing the instrumentation piping, calibrating the instrument, and revising the surveillance procedure to incorporate back-flushing of the instrument piping during surveillances. Exelon entered this issue into their corrective action program.

The finding was more than minor because it was associated with the human performance attribute of the Mitigating Systems Cornerstone and it adversely affected the associated cornerstone objective of ensuring the availability, reliability, and capability of systems that respond to initiating events to prevent undesirable consequences (i.e., core damage). A Phase 3 SDP analysis determined that this finding was of very low safety significance (Green), during the 233 day exposure period, in that there was a reasonable probability that the operators could have successfully used the B IC. The finding was identified to have a cross-cutting aspect in the area of human performance, work practices [IMC 0305,

Aspect H.4(c), because Exelon did not ensure supervisory and management oversight of work activities, including contractors, such that nuclear safety is supported. (Section 2.3)

REPORT DETAILS

1. Description of Events

In accordance with the Special Inspection Team (SIT) charter (Attachment 1), team members (the team) conducted a detailed review of the events leading up to and equipment and operator response following the July 12, 2009, reactor scram with a loss of offsite power (the July 2009 event) at Exelons Oyster Creek Generating Station (OC). The team gathered information from the plant process computer (PPC) alarm printouts, conducted interviews with plant operators, and interviewed engineering staff to develop a detailed timeline of the event (Attachment 2). The following represents an abbreviated summary of the significant automatic plant and operator responses which began at 1:31 am and ended with the unit reaching cold shutdown at 6:30 pm on July 12, 2009:

  • A lightning strike on the 34.5 kilovolt (kV) Whiting Line near the OC switchyard1, caused the pilot (guard) wire to break and fall across the suspended wire conductors.

This caused both a phase to phase and a phase to ground short circuit. Primary and secondary fault protection relays actuated, as designed. The primary relays demanded an immediate isolation of the Whiting Line to clear the short circuit from the 34.5 kV system. The circuit breaker in the Whiting switchyard opened, but the Q121 breaker in the OC switchyard failed to open to isolate the fault. (See Section 2.1 for additional details)

  • The OC generator responded to the fault on the Whiting line as an additional load and the generator automatic voltage regulator increased excitation to the generator field to match the load.
  • When the Q121 breaker failed to open, after a designed 3.5 second time delay the secondary fault protection relays demanded the opening of all the circuit breakers in the 34.5 kV ring bus, including Bank 5, Bank 6, Bank 7, and Bank 8 circuit breakers.

This resulted in successful isolation of the Q121 fault.

  • Opening of Bank 5 and Bank 6 circuit breakers de-energized the two startup transformers2.
  • Opening of the Bank 7 and Bank 8 circuit breakers, which cross connect the 220 kV and the 34.5 kV section of the OC switchyard, suddenly removed the increased load from the OC generator. The OC generator protection relays sensed a valid over-excitation condition, and after an appropriate time delay, caused the OC generator output breakers to open (generator trip). This initiated a signal to remove steam from the OC turbine (turbine trip), which resulted in a fast closure of the turbine control valves.
  • The fast closure of the turbine control valves initiated the reactor scram, as designed.

This reactor scram signal anticipates a subsequent high reactor pressure scram.

The OC switchyard is adjacent to the plant and is owned and maintained by First Energy/Jersey Central Power and Light (JCP&L)). Equipment in the switchyard is jointly controlled by Exelon and JCP&L under an interface agreement.

During plant operation, the OC generator supplies the safety-related busses through the station auxiliary transformer.

By design each of the two safety-related 4 kV busses (1C and 1D) automatically switch their power supply to their respective startup transformer following an OC generator trip. If power is not available to the startup transformer or if the circuit breakers do not transfer properly, the safety-related bus is de-energized. The de-energization of the bus is sensed by an under-voltage relay which starts the emergency diesel generator, repowering the bus.

  • Following the generator trip and reactor scram, with the prior opening of the Bank 5 and Bank 6 circuit breakers, the safety-related 4 kV busses were de-energized (a reactor scram with a loss of offsite power (LOOP)).
  • The maximum reactor coolant system (RCS) pressure during the transient was 1066 psig, which caused the A and D electromatic relief valves (EMRVs) to open, as designed, to limit the pressure increase. Both Isolation Condensers (ICs)initiated at an RCS pressure of 1051 psig, as designed. To limit the RCS cooldown and depressurization the operators secured both ICs by closing their condensate return valves.
  • The main feed pumps, powered from non-safety-related busses, tripped on loss of power and could not be restarted until offsite power was restored.
  • Both emergency diesel generators (EDGs) started on their respective bus under-voltage (UV) relay signals. The design basis time for EDG start and circuit breaker closure is 7+/- 3 seconds. The #2 EDG breaker closed within the required design basis time period; while the #1 EDG output breaker did not close within the design basis time period. The #1 EDG output breaker closed in about 91 seconds. (See Section 2.2 for additional details and Attachment 3 EDG Design Basis and EDG Safety Function)
  • In the time that the 4 kV safety busses were de-energized, the reactor protection system (RPS) motor generator (MG) sets lost power until the EDGs started and repowered the busses and MG sets. The electrical protection assemblies located downstream of the RPS MG sets tripped open, as designed, on under frequency to protect the RPS system. This loss of RPS power caused primary and secondary containment isolations due to a loss of power, including closure of the main steam isolation valves (MSIVs). This loss of power also caused the reactor water cleanup system (RWCU) isolation valves to close, because the high energy line break (HELB) isolation logic circuit was de-energized.
  • The lowest RPV water level was 106 inches above Top of Active Fuel (TAF) based on indication from the instrumentation used for RPS and emergency core cooling actuations. The Low water level setpoint of 138 inches TAF3 was reached, as expected.
  • The operators opened and closed (cycled) the IC condensate return valves, as needed, to control RCS pressure and temperature (cooldown rate).4
  • After the initial operation, the third time that the B IC was initiated its shell side water level indication decreased to zero. Operators noted the decrease and removed the B IC from further service. (See Section 2.3 for additional detail)
  • The operators took actions as directed by procedures to minimize the CRD flow to the RCS, attempting to maintain RPV water level less than 160 inches TAF.5 The With respect to reactor vessel water level, the terms High (175 inches TAF), Low (138 inches TAF), Low-Low (91 inches TAF) and Low-Low-Low (65 inches TAF) are used to relate water level and designed safety function that should occur or operator actions that should be taken, if level reaches that point. The normal water level is approximately 160 inches TAF.

Following the initial automatic operation, the A IC operated 67 times and the B IC operated 3 times until shutdown cooling was placed in service.

With RPV level above 160 inches TAF, initiation of the ICs is prohibited due to concerns with entrainment of water into the IC steam piping.

operators had difficulty closing the CRD cooling flow control valve (FCV) as water level approached 160 inches TAF. (See Section 2.4 below)

  • The highest indicated RPV water level was 173 inches TAF, below the 180 inches TAF where the steam side of the ICs must be isolated.
  • The operators manually opened EMRVs three times to lower RCS pressure and RPV level when RPV level was above 160 inches TAF.
  • Operators unsuccessfully attempted to restore offsite power to the 1C safety-related bus at 3:08 am. The #1 EDG would not automatically synchronize6 with offsite power and operators could not complete the manual synchronization given the procedures in place at the time. Although offsite power was available to the bus, the #1 EDG continued to power the bus until July 13, 2009.
  • Offsite power was restored to the 1D safety-related bus at 3:14 am and the #2 EDG was secured and placed in a standby status.
  • The operators restored the RPS MG sets at 3:35 am, then reset the RWCU isolation, allowing for a water drain path from the RCS and then reset the reactor scram.
  • After a main feed pump was restarted on offsite power, the operators commenced a cooldown using the A IC at 10:47 am, placing shutdown cooling (SDC) in service at 4:21 pm, and reaching cold shutdown at 6:30 pm, on July 12, 2009.

Clarification of SIT Charter Event Discussion The SIT charter stated that A primary containment isolation (including MSIV closure)occurred due to reaching Low-Low reactor water level due to the loss of feedwater. The team determined that this preliminary understanding for the containment isolation was incorrect. The Low-Low RPV water level of 91 inches TAF was not reached, as determined from PPC data, because the event started from a normal water level of 160 inches TAF and there were no significant flow paths out of the RCS. As noted above, the MSIVs and other primary containment isolation valves went closed, as designed, due to loss of power to the RPS.

2. Equipment Performance Issues

2.1 Q121 Breaker

a. Inspection Scope

The team reviewed design requirements, drawings, and maintenance history of the Q121 breaker, because the failure of the breaker to open resulted in the turbine trip and automatic reactor scram with a LOOP. The team reviewed the design and functioning of the 34.5 kV switchyard primary and secondary fault protection relaying scheme to ensure proper equipment protection during transient and steady state conditions. The team also reviewed the history of the Q121 breaker testing and maintenance, performed by First Energy/Jersey Central Power and Light (JCP&L) to verify that the applicable test acceptance criteria and testing frequency requirements were met. The team also reviewed the status of the offsite power equipment relative to 10CFR 50.56 Maintenance Rule.

OC has an installed feature that automatically synchronizes the EDG with the safety bus during testing and allows automatic synchronizing of the EDG and safety bus to offsite power, after offsite power is restored. (See Attachment 3)

b. Findings

/Observations No findings of significance were identified. The team determined that if the Q121 circuit breaker had opened on the primary protection signal the reactor scram with a LOOP would have been avoided.

The team identified an Unresolved Item pending review of Exelons root cause analysis of the failure of the Q121 circuit breaker to open and Maintenance Rule performance monitoring of this breaker. At the end of the inspection period, the Q121 breaker remained open and the root cause for the breaker failing to open had not been completed.

The OC maintenance rule program included the capability of the offsite power system to conduct 34.5 kV power to the Startup Transformers and the capability of the protective relays and controls to operate the breakers on demand to perform their protective functions. As such, the failure of the breaker to open during the July 2009 event, appeared to be a functional failure.

In discussions with the transmission system operator JCP&L, following the end of the inspection, Exelon discovered that there had been a previous instance in June 2009, where the Q121 breaker had failed to open when demanded by protective relaying.

Apparently in that instance the fault current was sufficiently low such that the OC generator was not impacted. At the close of the inspection period Exelon had not completed the root cause analysis for the failure and was reviewing the impact of the newly identified failure in June 2009 and the July 2009 failure for applicability to the OC Maintenance Rule Program.

URI 05000219/2009009-01, Review Exelons Root Cause Analysis for the Q121 Circuit Breaker Failure to Open on July 12, 2009 2.2 #1 Emergency Diesel Generator

a. Inspection Scope

The team reviewed the #1 EDG performance, given that it started, but its output breaker did not close within the designed time, and because the operators had difficulty paralleling the #1 EDG with offsite power when restoring normal power to the bus. The team assessed the EDGs ability to perform its safety function relative to its design basis and the licensees troubleshooting effort to identify the cause of the failure and corrective action to prevent recurrence. The team reviewed the EDG surveillance test (ST) and maintenance history to ensure the adequacy of design requirements and test acceptance criteria. The team also reviewed a subsequent August 3, 2009, failure of the #1 EDG output breaker to close during a normal ST and its relevance to the July 2009, event including the previous corrective actions taken by Exelon. The team also reviewed the results of an Exelon Power Labs analysis of the generator breaker close (GBC) relay that was removed and tested following the ST failure on August 3, 2009

b. Findings

/Observations A detailed discussion of the #1 EDG design basis, safety function, operation and STs, sequence of events and operability and safety functionality is provided in Attachment 3.

The team determined that the #1 EDG performed its safety function, with the delayed closure of its output circuit breaker during the July 2009 event because the loads supplied by the #1 EDG were automatically powered in sufficient time to perform their safety function. Based on the failure of the #1 EDG output breaker to close during the August 3, 2009, ST and on subsequent troubleshooting and testing, the team determined that Exelon had taken inadequate corrective actions, as discussed in the finding below.

The failure analysis of the GBC relay indicated that one of the two contacts off this relay, one used in the EDG circuit breaker closing circuit, failed to close with the relay energized.

Another contact, not used in any circuit, also did not fully close. Exelon attributed the contacts failure to close to mispositioning of an internal spring, potentially due to a manufacturing defect. Exelon was pursuing the issue with this Tyco/Agastat, (Model#:

EGPI004) in accordance with 10 CFR Part 21, Reporting of Defects and Noncompliance.

Introduction:

The team identified a finding of very low safety significance (Green) that involved a non-cited violation (NCV) of 10 CFR 50, Appendix B, Criterion XVI, Corrective Action, because Exelon did not identify and correct a degraded condition which resulted in a subsequent inoperablility that would have prevented the #1 EDG from automatically performing its safety function. Specifically, the troubleshooting activity following the July 12, 2009, event conducted prior to restart on July 15, 2009 did not identify the degraded operation of Generator Breaker Close (GBC) relay contacts. Continued degradation of these relay contacts resulted in the #1 EDG output breaker not closing during surveillance testing on August 3, 2009. The team found that Exelon replaced the GBC relay and its base and conducted an adequate post-maintenance test, returning the #1 EDG to an operable condition on August 5, 2009. Exelon entered this issue into the corrective action program as Action Request (AR) 00950494.

Description:

The team reviewed the degraded performance of the #1 EDG output breaker during the July 2009 event and the failure of the #1 EDG output breaker to close on August 3, 2009. Specifically, the team evaluated Exelons troubleshooting attempts to identify the cause of the output breaker closure delay prior to restart from the reactor scram and the subsequent actions following the August 3, 2009, ST failure.

As detailed in Attachment 3, following identification that the #1 EDG output breaker had not closed within its required time of 7+/- 3 seconds from the EDG start signal during the July 2009 event, Exelon developed a detailed trouble shooting plan to identify and correct the cause prior to plant restart on July 15, 2009. This plan systematically identified the potential causes for the slow breaker closure, and included specific actions to verify that the cause had been identified and corrected. Troubleshooting data gathered by Exelon included EDG Dranetz event and Astro-Med recorder data during test runs, which recorded the relay actuation, voltage and current profiles across the EDG start and output breaker closure circuitry.

Exelons troubleshooting efforts concluded that the Woodward SPM-A Synchronizer (SPM-A) was the cause of the EDG output breaker closure delay, and concluded that the noise observed (regular voltage spikes) in the Astro-Med data was coming from the SPM-A.

Exelon replaced the SPM-A and performed successful post-maintenance and operability testing prior to restart on July 15, 2009. On July 20, 2009, operators satisfactorily completed the #1 EDG normal biweekly slow speed start load test.

The team determined the Exelon review of troubleshooting data did not conclusively prove that the SPM-A caused the slow breaker closure and Exelon incorrectly ruled out the GBC relay contacts. The team focused on the relays and associated contacts that needed to function to signal the EDG output circuit breaker to close, specifically the GBC relay. This relay needs to energize and close two contacts in the EDG output breaker control circuit to close the output circuit breaker. In review of the troubleshooting information, the team noted that the Dranetz recorder showed that the GBC relay energized as designed, as indicated by the closure of a spare relay contact. However, the Astro-Med data indicated that the circuit breaker control logic was not receiving a signal to close the circuit breaker.

The Astro-Med data showed regular voltage spikes across the two GBC relay contacts without any indication of GBC contact closure. The team determined the data did not show that the contacts actually closed, as required, when the relay was energized.

Therefore Exelons conclusion that the GBC relay was functioning properly was not supported by the results of their troubleshooting activities and was subsequently demonstrated to be incorrect, as discussed below.

During a subsequent ST, performed on August 3, 2009, the #1 EDG output breaker failed to close. Exelon performed additional troubleshooting and concluded that the GBC relay was the cause. Exelon replaced the GBC relay and its base and conducted an adequate post-maintenance test, returning the #1 EDG to an operable condition on August 5, 2009.

In review of slow speed start load test data, the team found indications that the GBC relay contacts had not functioned properly during the July 20, 2009, and other earlier STs.

The Dranetz recorder data showed several examples where the GBC relay was energized multiple times by the SPM-A prior to circuit breaker closure, indicating a problem with the GBC relay contacts. (See Team Conclusion on #1 EDG TS Operability and Safety Function in Attachment 3)

Analysis:

The performance deficiency associated with this finding involved Exelon not identifying and correcting a degraded condition on the #1 EDG during troubleshooting of the output breaker slow closure following the July 2009 event. As such, operating problems with a relay in the breaker closure circuit were not identified and corrected, resulting in a period between July 20 and August 5, 2009, when the #1 EDG output circuit breaker would not have automatically closed in response to a LOOP (SDP Phase 2)or a LOOP and any other initiating event that could consequentially result in a loss of power to the 1C safety bus (SDP Phase 3). (See EDG Safety Function in Attachment 3)

The finding was more than minor, in accordance with NRC Inspection Manual Chapter (IMC) 0612, Appendix B, Issue Screening, (IMC 0612B) because, while it was not similar to any examples in IMC 0612, Appendix E, Examples of Minor Issues (IMC 0612E), it was associated with the equipment reliability attribute of the Mitigating Cornerstone and it adversely affected the associated cornerstone objective of ensuring the availability, reliability, and capability of systems that respond to initiating events to prevent undesirable consequences (i.e., core damage).

The finding was determined to be of very low safety significance in accordance with IMC 0609, Appendix A, Determining the Significance of Reactor Inspection Findings for At-Power Situations (IMC 0609A) using significance determination process (SDP) Phases 1, 2 and 3. The Phase 1 screening, in accordance with NRC IMC 0609, Attachment 4, determined that the finding required a Phase 2 analysis because it represented an actual loss of the #1 EDG safety function (a single train), for longer than its 7 day technical specification (TS) limiting condition for operation (LCO). A Region I Senior Reactor Analyst (SRA) conducted a Phase 3 analysis because the Phase 2 analysis, conducted by the team using the OC Pre-solved Risk-Informed Inspection Notebook, indicated that the finding could be more than very low significance.

The SRA used the OC Standardized Plant Analysis Risk (SPAR) model, Revision 3.45, with the following assumptions in the Phase 3

Analysis:
  • The #1 EDG output circuit breaker would not have automatically closed, as designed in response to a LOOP.
  • An exposure period of 16 days.
  • Operators could take recovery actions to close the circuit breaker locally, by either follow existing procedures to shutdown the EDG and locally restart it and close the circuit breaker or by getting advice and direction from engineering. The analysis used conservative screening values for non-recovery probability of 0.5 and 0.1.
  • The #1 EDG operator recovery probabilities were not applied to the large loss of coolant initiating events, with a consequential loss of power to the 1C safety bus because even if the #1 EDG started the operators would not have been able to respond in sufficient time to ensure that 10 CFR 50 Appendix K requirements could be met.

The Phase 3 analysis determined that for internal and external initiating events the issue was of very low safety significance, with the increase in core damage frequency (CDF)and the increase in large early release frequency (LERF) below the 1E-6 per year and 1E-7 per year thresholds, respectively:

  • The CDF for internal initiating events in the range of 1 core damage accident in 2,000,000 to 10,000,000 years of reactor operation, in the range of mid E-7 to low E-7 per year, depending on the non-recovery values of 0.5 and 0.1, respectively.

The dominate core damage sequences involved a LOOP initiating event, with the failure of the #2 EDG to run or start and the failure of the operator to recover the

  1. 1 EDG, leading to a station blackout, with failure of the combustion gas turbines (CGTs) and failure to recover offsite power or an EDG within 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />.
  • In accordance with IMC 0609A, for a finding with an internal events CDF above 1E-7 per year, the SRA assessed the impact of the finding on: 1) External events such as fire, seismic and flooding, based on review of the OC Individual Plant Examination for External Events (IPEEE) and on licensee fire probabilistic risk assessment (PRA) information, determining that the total CDF (internal plus external) would not exceed the 1 E-6 per year threshold; and 2) the increase in large early release frequency (LERF), determining that given the operators ability, following core damage, to depressurize and inject water to the reactor from low pressure sources and to flood the containment, that the LERF was in the range of mid to low E-8 per year.

The team determined that this finding had a cross-cutting aspect in the area of human performance, decision making [IMC 0305, Aspect H.1(a) because the safety-significant and risk-significant decisions concerning the #1 EDG were not completed in a systematic process to ensure safety is maintained. Exelon did not thoroughly complete the troubleshooting plan following the July 12, 2009, #1 EDG slow circuit breaker closure and as such did not identify the degradation of the GBC relay, prior to its failure.

Enforcement:

10 CFR 50 Appendix B, Criterion XVI, Corrective Action, requires, in part, that measures shall be established to assure that conditions adverse to quality are promptly identified and corrected. Contrary to the above, Exelon did not conduct adequate troubleshooting to promptly identity and correct degradation of the GBC relay, which affected #1 EDG operability between July 20 and August 5, 2009. Because the finding was of very low safety significance and has been entered into Exelons corrective action program (AR 00950494), this violation is being treated as a non-cited violation (NCV),consistent with Section VI.A of the NRC Enforcement Policy: NCV 05000219/2009009-02, Failure to Identity and Correct a Degraded Condition Leading to #1 EDG Inability to Perform Its Safety Function.

2.3 B Isolation Condenser

a. Inspection Scope

The team reviewed and assessed the B IC response to the event, and evaluated if its performance was consistent with its design basis. The inspectors reviewed Exelons investigation (AR 940999) into the cause for the B IC level instrumentation malfunction to determine the adequacy of the evaluation and the appropriateness of the extent-of-condition review. Independent reviews of the supporting design documentation, drawings, and plant computer data as well as field walk-downs were performed to validate the cause of the level instrumentation malfunction. Additionally, operations and instrumentation and controls (I&C) staff were interviewed to confirm the observations and causes cited in Exelons evaluation of this issue. The inspectors reviewed the adequacy of associated preventative maintenance, corrective actions, and post maintenance testing performed on the B IC.

b. Findings

The team determined that, during the July 2009 event, the B IC did not perform as designed, given the erroneous shell side low level indication, due to the presence of foreign material (FM) in the level instrument, as discussed in the finding below.

Introduction:

The team identified a self-revealing finding of very low safety significance (Green) that involved an NCV of TS 6.8.1, Procedures and Programs, because Exelon did not adequately implement a safety-related maintenance activity. Specifically, foreign material exclusion (FME) control requirements during maintenance in November 2008 were not properly implemented which allowed FM to enter the B IC level instrumentation piping. This resulted in the unavailability of the IC due to erratic water level indication during the July 2009 event. The team found that Exelon took adequate corrective actions to restore the B IC to an operable condition including back-flushing the instrumentation piping, calibrating the instrument, and revising the surveillance procedure to incorporate back-flushing of the instrument piping during surveillances. Exelon entered this issue into their corrective action program as AR 00940999.

Description:

During the July 2009 event the ICs initiated, as designed, in response to a high pressure condition in the RCS. During the event, the operators cycled the ICs to control pressure and cool-down rate of the RCS. Upon manually initiating the B IC, operators identified that the shell level indication dropped below the minimum required operating level of 4.2 feet. The B IC was subsequently secured and the shift manager declared it inoperable. The A IC remained operable and was used for the duration of the event.

OC has two ICs which control RCS pressure, by removing decay heat when the main condenser is unavailable as a heat sink. The system operates with steam from the reactor pressure vessel (RPV) being condensed in the IC tubes, with condensate returning by gravity to the RPV, forming a closed loop. The IC tubes are surrounded by water in the shell side. The shell side is vented and the water in the shell side acts as a heat sink (i.e.,

boils). Normal shell side water level is 4.2 to 7.7 feet. Operators refill the system as the inventory is boiled off to the atmosphere.

The team found that Exelon took adequate corrective actions to restore operability of the B IC prior to plant restart. Exelons investigation (AR 940999) into the cause of this event identified that FM had blocked the variable leg input for the B IC level instrument. On July 12, I&C personnel flushed the variable leg and captured the FM for analysis. Exelon identified the FM as primarily sand blast grit, identical to the compound used to clean the B IC during the previous plant refueling outage, in the fall of 2008. I&C personnel calibrated the level instrument and the B IC was declared operable on July 14.

During the Fall 2008 refueling outage, Exelon performed preventative maintenance on the B IC. The work performed included draining the shell, cleaning and sand blasting the internals, and recoating the shell. FME requirements in accordance with Exelon procedure MA-AA-716-08, Foreign Material Exclusion Program, were incorporated into the work instruction (WO C2017561) to appropriately control any FM in the B IC shell. Specifically, the FME requirements were to isolate the IC shell from all communicating systems, thoroughly clean the IC shell and perform a closeout FM inspection. The inspectors noted that Exelon did not adequately implement the FME requirements in the work instruction, which resulted in the unavailability of the B IC due to FM discovered in the variable leg of the level transmitter and local level instrument.

Analysis:

The performance deficiency associated with this finding involved Exelon not adequately implementing FME requirements as stated in the maintenance instructions for the work performed on the B IC. This resulted in the unavailability of the IC due to erratic shell side level indications during the July 2009 event.

The finding was more than minor, in accordance with IMC 0612B, because, while it was not similar to any examples in IMC 0612E, it was associated with the human performance attribute of the Mitigating Systems Cornerstone and it adversely affected the associated cornerstone objective of ensuring the availability, reliability, and capability of systems that respond to initiating events to prevent undesirable consequences (i.e., core damage).

The finding was determined to be of very low safety significance in accordance with IMC 0609A, using SDP Phases 1, 2 and 3. The Phase 1 screening, in accordance with NRC IMC 0609, Attachment 4, determined that the finding required a Phase 2 analysis because it represented an actual loss of the B IC safety function (a single train), for longer than its 7 day TS LCO. A Region I SRA conducted a Phase 3 analysis because the Phase 2 analysis, conducted by the inspectors using the OC Pre-solved Risk-Informed Inspection Notebook, indicated that the finding could be more than very low significance.

The SRA used the OC SPAR model, Revision 3.45, with the following assumptions:

  • The B IC was not operable, because its shell side level would be lower than the procedurally allowed level when operated for more than a short period of time.
  • An exposure period of 233 days.
  • Operators could take recovery actions to restore the level instrument to operation or operate the B IC given an understanding of the initially available water supply and no apparent leakage from the shell side. Operators would get engineering advice on operation of the B IC or would use it and monitor the time in service and refill it as needed. The analysis used conservative screening values for non-recovery probability of 0.5 and 0.1.

The Phase 3 analysis determined that for internal and external initiating events the issue was of very low safety significance, with the CDF and the LERF) below the 1E-6 per year and 1E-7 per year thresholds, respectively:

  • The CDF for internal initiating events in the range of 1 core damage accident in 2,000,000 to 10,000,000 years of reactor operation, in the range of mid E-7 to low E-7 per year, respectively. The dominant core damage sequences involved a transient initiating event, with the failure of the A IC to operate and the failure of the operator to recover the B IC leading to an emergency depressurization of the plant, with subsequent failure to remove decay heat from the containment, resulting in containment failure, and failure to inject water to the RPV.
  • In accordance with IMC 0609A, for a finding with an internal events CDF above 1E-7 per year, the SRA assessed the impact of the finding on: 1) External events such as fire, seismic and flooding, based on review of the OC IPEEE and on licensee fire PRA information, determining that the total CDF (internal plus external) would not exceed the 1 E-6 per year threshold; and 2) the LERF, determining that given the operators ability, following core damage, to depressurize and inject water to the reactor from low pressure sources and to flood the containment that the LERF was in the range of mid to low E-8 per year.

The finding had a cross cutting aspect in the area of human performance, work practices

[IMC 0305, Aspect H.4(c), because Exelon did not ensure supervisory and management oversight of work activities, including contractors, such that nuclear safety is supported.

Specifically, Exelon did not appropriately oversee that work was being performed adequately during the cleaning and recoating of the B IC.

Enforcement:

TS 6.8.1, Procedures and Programs, states, in part, that written procedures shall be established, implemented, and maintained covering the items in applicable procedures recommended in Appendix A of Regulatory Guide 1.33, Quality Assurance Program Requirements (Operations). Appendix A of Regulatory Guide 1.33 states, in part, that maintenance that can affect the performance of safety-related equipment shall be properly preplanned and performed in accordance with documented instructions appropriate to the circumstance. Contrary to the above, on November 4, 2008, Exelon did not adequately implement FME requirements during cleaning and recoating activities on the B IC shell per the written maintenance instructions which resulted in the entrainment of debris in the variable leg of the level instrument and erratic level indication on the B IC on July 12, 2009. However, because the finding was of very low safety significance (Green) and has been entered into their corrective action program in AR 00940999, this violation is being treated as an NCV, consistent with section IV.A of the NRC Enforcement Policy: NCV 05000219/2009009-03, Failure to Control Foreign Material in the Shell Side of the B Isolation Condenser.

2.4 Control Rod Drive Flow Control Valve

a. Inspection Scope

During interviews, reactor operators commented and the team verified through plant process computer information that the CRD FCV did not close, which led to the inability to maintain RPV water level below 160 inches. The team reviewed the corrective actions taken to repair the air operated FCV and the prior history of issues with this valve.

b. Findings

No findings of significance were identified.

3. Human Performance

3.1 Event Diagnosis and Crew Performance

a. Inspection Scope

To determine whether the operators performed in accordance with procedures and training the team interviewed the operations crew that was involved with the July 2009 event response, including the three senior reactor operators (SRO), the shift manager (SM), the unit supervisor (US), the shift technical advisor (STA), the two reactor operators (ROs),and three equipment operators (EOs). The team also reviewed narrative logs, post-transient reports, condition reports, PPC trend data and procedures implemented by the crew.

b. Findings

/Observations No findings of significance were identified.

Control room operators responded to the event in accordance with approved procedures and station management expectations. The SM properly declared and exited the Unusual Event (UE) in accordance with the OC Emergency Action Levels (EALs). Operators maintained core cooling and proper control of RPV level and pressure throughout the event, despite numerous distractions associated with the equipment challenges related to the #1 EDG response, the B IC shell level indication and CRD FCV. Activities in the field were addressed in order of priority by the EOs as directed by the control room. It was apparent that procedure changes, initiated by Exelon after the loss of reactor feed pump reactor scram on July 17, 2007, enhanced operator control of this event by directing a reduction in CRD flow during RPV water level recovery.

Exelon properly identified numerous plant complications in their post-event self critique.

However, the team found that Exelon had done no further follow-up on an indicated shutdown cooling (SDC) room high temperature condition that led to entry into the EOP for Secondary Containment Control during the event. Exelon generated an AR in response to teams questions, which led to the identification and replacement of a faulty room temperature sensor.

The post-transient review was sufficient to ensure that there were no significant operator performance issues and to identify the equipment performance issues. However, the team noted several minor areas for improvement concerning the rigor of Exelons post-transient review. Specifically, the final version (approved by plant management prior to restart) of the facilitys post-transient review:

  • Contained multiple factual errors, including misstatements about the event (incorrect cause of the reactor scram, high temperature reported in the wrong room, incorrect reporting that Low-Low RPV water level isolation signal actuated, incorrect reporting that RPV water level dropped to 77 inches TAF when lowest level was 106 inches TAF)
  • Did not contain pertinent PPC alarm data (there was apparent confusion on the site about the availability of this data, days after the event). The team received this data several days after the event.
  • Contained invalid RPV water level trend data from non-functioning level transmitters,
  • Did not contain plant data beyond 2:30 am, which was prior to recovery of offsite power and prior to restoration of RCS drain capability.

4. Emergency Communications

a. Inspection Scope

The team reviewed the communications made by the control room staff as a result of the scram. This included review of the plant logs, State of New Jersey reporting sheets, and the emergency notification system (ENS) sheets used during the event.

b. Findings

/Observations No findings of significance were identified.

Early in the response to the reactor scram, shortly after declaring the UE, the SM notified the NRC about the event on the ENS. At that time, the SM had not assessed the delayed closure of the #1 EDG output breaker and was not yet aware of the B IC shell level control problems. Prior to the resident inspectors arriving on-site, the NRC was not informed during the event of the equipment challenges presented by #1 EDG and the 'B' IC. The station identified this communication weakness during their post-event assessment and included the issue as a self-improvement item for the station.

5. Risk Significance of the Event

a. Initial Assessment The initial risk assessment for this event is documented in the enclosed SIT charter.

b.

Final Assessment Based upon best available information developed by the team, a Region I SRA conducted a risk estimate of conditional core damage probability (CCDP) 7 for the July 12, 2009, reactor scram with a LOOP. The following assumptions, were consistent with the initial assessment, and were used as input to this final assessment:

  • Offsite power was not recovered in the first hour (the probability of operator non-recovery of offsite power for the first hour was set to 1.0) - the rest of the non-recoveries were established at the Switchyard Centered LOOP values by the Graphical Evaluation Module (GEM) software.
  • The model assumed that if both CGTs were running at the time of a LOOP, they would be unavailable for response. For this case the basic event EPS-CGT-OP-BOTH was set to FALSE (i.e., the CGTs were not running at the time of the event).
  • The cutsets with Test and Maintenance basic events were screened out (i.e., zero test and maintenance).

The following final assumptions were different or in addition to the initial assessment assumptions:

  • B IC (as stated in the finding above) would have been able to be used with a failure probability of 0.5.
  • The A IC motor operated valve was cycled 67 times during the event until cold shut down was reached, as such the probability of failure of this valve to open was adjusted for the 67 demands vice the initially assumed single demand, using a binomial expansion. The failure probability was calculated to be 0.065 given 67 demands, vice 0.001 per one demand.
  • The chance of having a single EMRV stick open was increased, given the three EMRV openings when the RPV water level was above 160 inches. Using a binomial expansion, the failure probability was calculated at 2.4E-3 given 3 demands vice 8E-4 per one demand.
  • Procedures directed that the CRD scram charging header isolation valve be shut to limit the amount of water being injected into the RPV to control it below 160 inches.

As such the failure probability of this injection pathway was taken to 1.0, which limited the CRD flow to the normal cooling flow control valves.

Using the GEM initiating event quantification tool and the OC 3.45 SPAR model, the CCDP was estimated to be in the low to mid E-5 range (approx 3 E-5) given the above assumptions. The dominate core damage sequence was a LOOP with the failure of the A IC, the failure of the B IC, and the failure of operators to depressurize the plant.

6. Exit Meetings

On August 13, 2009, the team presented their overall findings to members of Exelons management led by Mr. M. Massaro, Site Vice President, and other members of his staff who acknowledged the findings. The inspectors confirmed that proprietary information reviewed during the inspection period was returned to Exelon.

CCDP is an estimate of the chance that core damage could have occurred given the associate specific initiating event and the noted equipment problems.

Attachment 1 SPECIAL INSPECTION TEAM CHARTER July 15, 2009 MEMORANDUM TO: Ronald Bellamy, Manager Special Inspection Team Wayne Schmidt, Leader Special Inspection Team FROM: David C. Lew, Director Division of Reactor Projects Darrell J. Roberts, Director Division of Reactor Safety SUBJECT: SPECIAL INSPECTION TEAM CHARTER -

OYSTER CREEK REACTOR SCRAM AND LOSS OF OFFSITE POWER ON JULY 12, 2009 In accordance with Inspection Manual Chapter (IMC) 0309, Reactive Inspection Decision Basis for Reactors, a Special Inspection Team (SIT) is being chartered to evaluate an Oyster Creek reactor scram and Unusual Event that occurred due to a loss of offsite power (LOOP)on July 12, 2009. The decision to conduct this special inspection was based on deterministic criteria (multiple failures in equipment needed to mitigate an actual plant event) in enclosure 1 in IMC 0309 and a preliminary conditional core damage probability for this event is in the mid E-6 low E-5 range.

The SIT will expand on the inspection activities started by the resident inspectors immediately after the event and will review Exelons actions to determine if any equipment issues, design deficiencies, and/or operating practices complicated the event. The team will also collect data, as necessary, to refine the existing risk analysis.

The inspection will be conducted in accordance with the guidance contained in NRC Inspection Procedure 93812, Special Inspection, and the inspection report will be issued within 45 days following the final exit meeting for the inspection.

1-The special inspection will commence on July 16, 2009. The following personnel have been assigned to this effort:

Manager: Ronald Bellamy, Branch Chief, Projects Branch 6, Division of Reactor Projects (DRP), Region I Team Leader: Wayne Schmidt, Senior Reactor Analyst Division of Reactor Safety (DRS), Region I Full Time Members: Peter Presby, Operations Inspector DRS, Region I Manan Patel, Electrical Inspector DRS, Region I Justin Heinly, Reactor Engineer DRP, Region I Part Time Member: Marc Ferdas, Senior Resident Inspector DRP, Region I Jeff Kulp, Resident Inspector DRP, Region I

Special Inspection Charter 1-Special Inspection Team Charter Oyster Creek Nuclear Power Plant Reactor Scram and Loss of Offsite Power on July 15, 2009 Background:

On July 12, at 1:35 a.m., a lightning strike on the Whiting (Q121) line, a portion of the 34.5 kV offsite distribution system, caused a fault which resulted in a loss of offsite power (LOOP) at Oyster Creek. All control rods inserted during the scram. Both isolation condensers (ICs)actuated, two electro-magnetic relief valves (EMRVs) opened, and the reactor recirculation pumps tripped as designed in response to a high-pressure condition. In addition, the #2 EDG fast-started and loaded its emergency bus, while the #1 EDG started and loaded its bus 80 seconds later. A primary containment isolation (including MSIV closure) occurred due to reaching low-low reactor water level due to the loss of feedwater. Plant operators used the Isolation Condenser System, EMRVs, and control rod drive flow to control reactor pressure and level. An Unusual Event was declared at 1:48 a.m. because the LOOP exceeded 15 minutes in duration. Offsite power was subsequently restored at 3:05 a.m. and the UE was terminated at 4:05 a.m. Oyster Creek achieved cold shutdown at 6:30 p.m. using the Isolation Condenser and Shutdown Cooling systems.

Significant equipment anomalies observed during the transient included: 1) the Q121 breaker, which isolates the Whiting Line, failed to open to clear the fault which resulted in the LOOP and the reactor scram; 2) the B IC level indication for the shell side exhibited anomalous readings; 3) the #1 EDG required longer to start and load its respective emergency bus than expected. In addition, there were a number of other control and non-safety systems that were affected by the loss of power.

At the time of the event, the resident inspectors responded to the site and monitored licensee actions to stabilize the plant and restore offsite power. NRC regional and the resident inspector staff followed the licensees actions to address equipment issues before plant restart.

Basis for the Formation of the SIT:

The IMC 0309 review concluded that the deterministic criteria for multiple failures of plant equipment in systems used to mitigate an event was met because the loss of offsite power (LOOP) in conjunction with the significant equipment anomalies observed challenged the plants ability to respond to the event. These significant equipment anomalies included the inability to clear the fault which resulted in the LOOP and the reactor scram, delays in starting and loading of the #1 EDG which complicated plant and operator response, and early isolation of the B IC level due to erroneous level readings which disabled a single train of an important safety system. Additionally, these significant equipment anomalies and a number of non-safety systems problems complicated overall operator response during the transient.

Because the IMC 0309 review concluded that at least one deterministic criteria was met, the event was also evaluated for risk significance. Based upon best available information, the Region I Senior Reactor Analyst (SRA) conducted a preliminary risk estimate of the July 12 scram due to a loss of offsite power. Using the GEM initiating event quantification tool and the 1-Oyster Creek 3.45 SPAR model, the CCDP was estimated to be in the mid E-6 range (approx 5 E-6) given the following assumptions:

  • Offsite power was not recovered in the first hour (OEP for one hour set to 1.0) - the Rest of the non-recoveries were established at the Switchyard Centered LOOP values by GEM.
  • B Isolation Condenser (IC) declared inoperable due to shell side water level discrepancies (MOV14-35 condensate return valve failure to open set to 1.0).
  • The model assumed that if both CGTs were running at the time of a LOOP they would be unavailable for response. For this case the basic event EPS-CGT-OP-BOTH was set to FALSE (i.e., the CGTs were not running at the time of the event).
  • The Cutsets with Test and Maintenance basic events were screened out (i.e., zero test and maintenance).

This assessment did not include the inability to use the A isolation condenser for the relatively short period that reactor water level was above 160 inches (IC operation precluded by procedure) nor did it include the increased chance of an electro-magnetic relief valve sticking open due to cycling three EMRVs open to control pressure and reduce reactor water level when it was above 160 inches.

Based upon the preliminary conditional core damage probability estimate of mid E-6 range, in accordance with IMC 0309, this event falls within the overlap range for No Additional Inspection or a Special Inspection Team. After consultation with NRC headquarters personnel, a special inspection team was recommended.

Objectives of the Special Inspection:

The objectives of the special inspection are to review and assess:

(1) the plants response to the scram and LOOP including any responses which may have challenged the design basis; (2)equipment issues related to the event;
(3) operator performance related to the event; and
(4) Exelons organizational response to this event.

To accomplish these objectives, the team will:

1. Develop a complete sequence of events including follow-up actions taken by Exelon.

This review should consider any licensee-developed timelines, logs, strip chart recording, computer points and trends, sequence of events printouts, or other data used by Exelon to analyze and/or reconstruct the event; 2. Review and assess the equipment response to the event and verify that it was consistent with plant design. In addition, review and assess the adequacy of any operability assessments, corrective and preventive maintenance, and post maintenance testing. Evaluate the safety significance of any equipment issues identified as well as their impact on the plants license, technical specification, or regulatory requirements; 3. Review and assess operator performance including procedures, logs, communications (internal and external), and appropriateness of NRC reporting during the event. Consider use of the plant specific simulator to verify plant 1-response was consistent with the design including any operator actions taken. Also, consider Exelons implementation of the emergency plan during the event; 4. Review and assess the effectiveness of Exelons response to this event. This should include internal and external communications, directions of actions from the outage control center, and short term actions taken to address the identified equipment issues.

5. Review relevant operating experience to assess Exelons effectiveness at identifying and correcting any similar equipment issues or the prevention of any previous similar events; and 6. Collect any data necessary to refine the existing risk analysis and document the final risk analysis in the SIT report.

Additionally, the team leader will review lessons learned identified during this Special Inspection and, if appropriate, prepare a feedback form on recommendations for revising the reactor oversight process (ROP) baseline inspection procedures.

Guidance:

Inspection Procedure 93812, Special Inspection, provides additional guidance to be used by the Special Inspection Team. Team duties will be as described in Inspection Procedure 93812.

The inspection should emphasize fact-finding in its review of the circumstances surrounding the event. It is not the responsibility of the team to examine the regulatory process. Safety concerns identified that are not directly related to the event should be reported to the Region I office for appropriate action.

The Team will conduct an entrance meeting and begin the inspection on July 16, 2009. While on site, the Team Leader will provide daily briefings to Region I management, who will coordinate with the Office of Nuclear Reactor Regulation, to ensure that all other parties are kept informed. A report documenting the results of the inspection should be issued within 45 days of the completion of the inspection.

This Charter may be modified should the team develop significant new information that warrants review.

1-DETAILED SEQUENCE OF EVENTS July 12, 2009 Reactor Scram with LOOP 1:31 - 18:30 The sequence of events was constructed by the team from review of Control Room Narrative Logs, corrective action program condition reports, post transient review report, process plant computer (PPC) data (alarm message file and plant parameter graphs) and plant personnel interviews.

1:31 A lightning strike on the 34.5 kilovolt (kV) Whiting Line near the OC switchyard, caused the pilot (guard) wire to break and fall across the suspended wire conductors. This caused a phase to phase and phase to ground short circuit.

Primary and secondary fault protection relays actuated, as designed. The primary relays demanded an immediate isolation of the Whiting Line to clear the short circuit from the 34.5 kV system. The circuit breaker in the Whiting switchyard opened, but the Q121 breaker in the OC switchyard failed to open to isolate the fault.

The OC generator responded to the fault on the Whiting line as an additional load and the generator automatic voltage regulator increased excitation to the generator field to match the load.

When the Q121 breaker failed to open, after a designed 3.5 second time delay the secondary fault protection relays demanded the opening of all the circuit breakers in the 34.5 kV ring bus, including Bank 5, Bank 6, Bank 7 and Bank 8 circuit breakers. This resulted in successful isolation of the Q121 fault.

Opening of Bank 5 and Bank 6 circuit breakers resulted in the de-energization of the two startup transformers.

Opening of the Bank 7 and Bank 8 circuit breakers, which cross connects the 220 kV and the 34.5 kV section of the OC switchyard, suddenly removed the increased load from the OC generator. The OC generator protection relays sensed a valid over-excitation condition and after an appropriate time delay caused the OC generator output breakers to open (generator trip), this caused a signal to remove steam from the OC turbine (turbine trip), which resulted in a fast closure of the turbine control valves.

1:31:50 The fast closure of the turbine control valves initiated the reactor scram, as designed. This reactor scram signal anticipates a subsequent high reactor pressure scram. A & D EMRVs opened and closed within 20 seconds; inboard and outboard MSIVs closed; RWCU isolation.

Operators entered the EOPs for RPV Control-No ATWS (anticipated transient without scram) due to RPV water level dropping below 138 inches TAF. The US issued an RPV water level band of 138 to 160 inches TAF and RCS pressure band of 800 - 1000 psig.

2-1:32 #2 EDG Output Breaker closed, repowering the 1D safety bus.

1:33 RO secured the A IC secured followed by B IC. The RO started the second CRD pump, the maximum indicated CRD flow was104 gpm: The RO verified all control rods fully inserted.

1:33 #1 EDG output breaker closed, but it did not close within the designed time of 7+/-

3 seconds after the EDG received a start signal. The EDG required 90 seconds for the output breaker to close. (Attachment 3 for detailed EDG chronology)1:35-1:37 RO initiated the B IC initiated followed by A IC; and then secured the A IC followed by B IC.

1:40 -1:42 RO initiated and secured B IC.

1:40 RO communicated with system dispatcher to determine the condition of offsite power. The dispatcher identified that the fault was contained in the 34.5 kV system.

The STA and the EO/Communicator reported to the control room.

1:45 RO directed the reactor building (RB) EO to isolate CRD flow to the hydraulic control unit accumulator header (charging flow), per abnormal operating procedures (ABN). Maximum recorded CRD flow was less than 110 gpm. RO and RB EO coordinated to control CRD flow with FCV bypass valve to restore RPV level to 138 -160 inches.

1:48 SM declared a UE in accordance with MU1, of the EAls, due to a LOOP to startup transformers for greater than 15 minutes.

1:46 - 1:49 RO initiated and secured A IC.

1:54 - 1:56 RO initiated and secured A IC.

2:02 Notification made to the State of New Jersey.

2:03 - 2:05 RO initiated and secured B IC.

ROs noted that B IC shell water level indicated low during the three times that it was initiated manually from the control room. Operators secured the B IC and the shell level gradually returned to expected level.

2:10 US directed RO to only use the A IC for decay heat removal and declared the B IC inoperable due to level indication problem (local and main control room).

2:11 SM completed the ENS phone call made to Headquarters Operations Officers to report the declaration of the UE for LOOP for greater than 15 minutes.

2:19 JCP&L reported lines down on the Whiting Line (Q-121).

2-2:27 RO restored RPV water level to greater than 138 inches.

2:32 US entered EOP for secondary containment control due to an indicated SDC room temperature of 180F (Alarm set point is180F).

No other abnormal temperatures were reported and the alarm subsequently cleared upon restoration of RB ventilation.

2:46 RPV water level nearing 150 inches TAF and the RO tried to stop CRD flow to RPV. RO notes that FCV30B reopened to allow 35 to 65 gpm to the RPV.

3:00 RPV water level approached 160 inches.

3:04 RO opened A EMRV for 58 seconds to control pressure. IC A not used because RPV water level was above 160 inches.

3:05 Offsite power is restored to the 34.5 kV system and startup transformers Bank 5 and Bank 6 are repowered. The startup transformers supplied power to the 4 kV non-safety-related busses (1A & 1B).

3:08 RO unable to auto-synchronize #1 EDG across the 1C breaker. The RO then attempted to manually synchronize the #1 EDG and experienced no control in generator voltage. Power for 1C 4 kV bus remained from #1 EDG.

3:14 RO successfully auto-synchronized #2 EDG across the 1D breaker, 1D 4 kV bus repowered from offsite power and #2 EDG placed in a standby status.

3:24 RO opened D EMRV for 52 seconds to control pressure. A IC not used because level was above 160 inches.

3:38 RO notes that CRD flow jumps to greater than 70 gpm from approx 36 gpm.

(FCV 30B hunts between 50 and 60 gpm for remainder of event response)3:44 EO reset the RPS electrical protection assemblies and restored power to RPS via the RPS MG sets.

3:58 RO opened B EMRV for 1 minute 32 seconds to control pressure. A IC not used because level was above 160 inches.

4:05 SM terminated the UE due to restoration of offsite power.

4:10 State of New Jersey notified of UE termination.

RWCU system returned to service and let-down placed in service.

4:52 RO reset the reactor scram, after switching to the A CRD flow control valve.

5:20 RO returned the C condensate pump to service in preparation for placing the reactor in cold shutdown.

2-6:30 US exited ABN-36 (Loss of Offsite Power).

6:38 SM performed ENS phone call to NRC Headquarters Operations Officers to report the declaration of the UE (Event Report Notification 45197).

7:18 US exited EOPs RPV Control-No ATWS & Secondary Containment Control.

9:53 RO returned C feedwater pump to service.

10:47 Operators commenced a reactor cooldown to cold shutdown with A IC.

11:43 Chemistry reported that tritium levels in the water exhausted to atmosphere, were below minimum detectable activity (<2000 pCi/L).

15:12-16:21 Operators commenced placing SDC in service.

18:30 Cold shutdown achieved.

2-

  1. 1 EDG Information and Issues between July 12 - August 5, 2009 EDG Design Basis: Provide emergency AC power to one train of the core spray system in the event of a large loss of coolant accident (LLOCA) with a coincident LOOP (LLOCA/LOOP) and a single failure, to ensure that core cooling requirements of 10 CFR 50, Appendix K Emergency Core Cooling Evaluation Models are met.

From a review of UFSAR Sections 8.3 Onsite Power Systems and Section 15.6 Decrease in Reactor Coolant Inventory, the team determined that the design requirement for the EDG starting time was based on a LLOCA/LOOP and a single failure, such that one EDG shall respond to the LLOCA/LOOP and repower a safety bus in 20 seconds (which includes the UV sensor pick-up time, emergency bus logic to isolate and start the EDG and close its output breaker and the period to bring the Emergency Buses to normal voltage level). This was based on the overall requirement that one train of the core spray system is injecting at 35 seconds following a LLOCA/LOOP to meet 10 CFR 50, Appendix K requirements. The EDG design basis documents indicated a 7+/-3 seconds start to breaker close time.

EDG Safety Function: Provide emergency AC power to the 1C or 1D 4 KV buses to allow the powering of associated loads in the event of a loss of power to its respective safety bus.

The SDP Phase 2 OC Risk-Informed Inspection Notebook does not include the design basis LLOCA/LOOP with a single failure, because of the extremely low probability of having both occur at the same time. The only safety function for EDG in the SDP Phase 2 is included in the overall Emergency AC (EAC) power function in response to a LOOP.

The SDP Phase 3 SPAR model for OC also does not include the design basis LLOCA/LOOP with a single failure. However, because the OC safety busses are normally powered from the generator and need to switch to offsite power following any initiating event (reactor scram), the model includes consequential losses of offsite power to the safety busses (i.e., the chance that a safety bus does not automatically transfer correctly to the offsite power source, resulting in the deenergization of the safety bus and the need for the EDG to start and repower the bus and the associated loads). As such there is some chance that both safety-related busses do not receive offsite power following any initiating event. This was dominated by the chance that both offsite power supply breakers dont close in the mid E-6 range, given any initiator. The model does include LLOCA initiating events and the consequential chance that offsite power is not transferred correctly to both emergency busses. The LLOCA frequency is assumed to be 1 E-5 per year combined with the probability that both output breakers dont close put this event frequency in the range of E-11 to E-12 per year.

EDG Operation Given a Loss of Power to a Safety Bus:

When the UV relay senses the loss of power, the EDG fast start relay energizes and the EDG starts and increases speed to the proper speed. The field is flashed to allow generation of voltage. Once sufficient voltage is developed the GBC relay is energized. Two contacts in the GBC relay close, sending a signal to the EDG output circuit breaker to close.

If the breaker does not close, additional relays cause the EDG to slow back to the idle speed and then, as long as the UV signal is still present, re-increase in speed, flash the field and once sufficient voltage is developed, the GBC is energized and once again the two contacts in the GBC relay close, sending a signal to the circuit breaker to close.

3-Testing of this logic is done, during refueling outages, as part of the LOOP/loss of coolant accident TS required ST.

With the 4 kV bus powered from offsite power or the generator, this test cannot be conducted without placing the EDG circuit breaker into the test position.

Exelon has the ability to conduct a simulated fast start test with the circuit breaker racked out.

This testing is controlled by a maintenance procedure (MA-OC-741-102/103). During this test the EDG starts and the output breaker closes as if it was responding to a UV signal.

Designed EDG Operation Given a Load Test (Slow Start And Fast Start):

The slow speed start load test is performed by pushing the start button in the control room.

The EDG starts, comes to idle speed to warm-up, then increases in speed to normal speed, the field is flashed, and the SPM-A gauges and adjusts EDG speed relative to the frequency of the bus. The SPM-A then sends out a one second duration signal at the point that the two power supplies are in phase to the GBC relay, and the breaker closes. If the breaker does not close, the SPM-A will continue to send signals for breaker closure when the correct phase to phase relationship is met. This test is performed as the routine, biweekly, EDG operability ST as required by TS.

The fast speed start load test is performed by pushing the emergency start button in the control room. The test is essentially the same as the slow speed test except that the EDG comes up to rated speed, without first idling. This test is not required by TS, and is performed approximately every six months.

Chronology of #1 EDG Issue Resolution July 13 Exelon installed an Astro-Med multi channel recorder instrument to monitor voltages at several points in the closing circuit including the GBC contacts and breaker closing coil.

During a simulated fast start test #1 EDG successfully started, but the breaker closed in 91 seconds, outside design basis of 7 +/- 3 seconds.

The Dranetz event recorder showed that the GBC relay energized, however the Astro-Med recorder showed regular voltage spikes on the GBC relay contacts and the breaker closure relay, with no signal from the GBC contacts. Exelon observed that the field flash relay was chattering and replaced the relay.

July 14 Exelon conducted a simulated fast start test with an output breaker closure time of approximately 32 seconds. Exelon suspected a problem with the circuit breaker closing coil and replaced the circuit breaker.

July 15 3-Exelon conducted a simulated fast start test with the output breaker closing in approximately the same time as on July 14. Astro-Med recorder showed regular voltage spikes on the GBC relay contacts and the breaker closure relay, with no signal from the GBC contacts. Exelon suspected a problem with the SPM-A. Exelon lifted the leads to the synchronizer and reperformed the simulated fast start test. The breaker closed in approximately 6 seconds.

Exelon replaced the SPM-A and ran the EDG to calibrate the new synchronizer. Exelon performed the fast speed start load test of the EDG and observed the output breaker closed in 6 seconds. The licensee performed a slow speed load test run for one hour and declared the EDG operable.

July 20 Exelon completed a TS required slow speed start load test, noting no issues.

July 31 Testing by the manufacture of the SPM-A showed no significant problems when operated in a test setup.

August 3 Exelon conducted a TS required slow speed start load test and the output circuit breaker did not close. Exelon installed additional test instrumentation and retested, but again the breaker did not close. Data indicated that when the GBC relay was energized, one or both of the two contacts in the output breaker closing circuit did not close.

Exelon replaced the GBC relay and its base.

August 4 Exelon conducted a slow speed start load test and the output circuit breaker closed within its required time. However, Exelon noted swings in generator VARS. Exelon reviewed the voltage regulator circuit and fixed loose fuse holders and other conditions.

August 5 Exelon conducted a slow speed start load test, the breaker closed within its required time and the #1 EDG was declared operable.

Team Conclusion on #1 EDG TS Operability and Safety Function:

During the July 2009 event, the #1 EDG performed its safety function (given the #1 EDG output breaker closure time of 80-90 seconds) because there was no impact on the loads off the 1C bus such that the safety function of the EDG and the associated loads was maintained. This would have the same effect as the operator restoring offsite power to the 1C bus within 30 minutes, which leads to a success path on the LOOP event tree.

Exelon properly declared the #1 EDG inoperable in accordance with TS, when the output circuit breaker did not close within the required 7+/- 3 seconds, as required by the Design Basis. The STs completed on July 15, adequately demonstrated EDG operability.

3-From plant restart on July 15 until July 20, the #1 EDG was in a degraded condition due to the erratic behavior of the GBC relay contacts. The team determined that the GBC relay contacts would have functioned, but given the degradation of the relay the specific time at which the output breaker would have automatically closed was not clear. It could have closed within the design basis time period or it may have operated as it did during the July 12 event. If the #1 EDG behaved as it did during the July 12 event it would have performed its safety function for all initiating events except, for the very low probability LLOCA with a consequential loss of power to the 1C safety bus, where the design basis closure time may not have been achieved.

As discussed above, the LLOCA with a consequential LOOP was very unlikely and the resulting increase in core damage probability, if the #1 EDG was assumed to not function, was extremely small, in the E-13 range over those 5 days.

Following the July 20 ST until August 3 when the #1 EDG output breaker did not close during an ST, the team found that the #1 EDG was inoperable with respect to TS, and would not have automatically performed its safety function for any initiating event. The EDG would have started but the output breaker would not have automatically closed. Specifically, after the GBC relay operated on July 20, any additional operation would have failed, as it did during the next operation on August 3.

Following the failure of the output breaker to close on August 3, 2009, Exelon properly declared the EDG inoperable in accordance with TS. The troubleshooting, maintenance and STs completed between August 3 and August 5 supported Exelons determination the #1 EDG was operable on August 5.

3-

SUPPLEMENTAL INFORMATION

KEY POINTS OF CONTACT

Licensee Personnel

M. Massaro, Site Vice-President
P. Orphanos, Plant Manager
J. Dostal, Director, Operations
R. Peak, Director, Engineering
J. Barstow, Manager, Regulatory Assurance
T. Keenan, Manager, Security
R. Wiebenga, Senior Manager, System Engineering
H. Ray, Senior Manager, Design Engineering
S. Dupont, Regulatory Assurance Specialist
D. Barns, Design Engineering
R. Skelskey, Senior Manager, System Engineering

Others

R. Pinney, State of New Jersey Bureau of Nuclear Engineering

LIST OF ITEMS OPENED, CLOSED, AND DISCUSSED

Opened

05000219/2009009-01 URI Review Excelons Root Cause Analysis for the Q121 Circuit Breaker Failure to Open on July 12, 2009 (Section 2.1)

Opened/Closed

05000219/2009009-02 NCV Failure to Identity and Correct a Degraded Condition Leading to #1 EDG Inability to Perform Its Safety Function (Section 2.2)
05000219/2009009-03 NCV Failure to Control Foreign Material in the Shell Side of the B Isolation Condenser (Section 2.3)

4-1

LIST OF DOCUMENTS REVIEWED

Retrieved from "https://kanterella.com/w/index.php?title=IR_05000219/2009009&oldid=2141239"