ML12006A192

From kanterella
Jump to navigation Jump to search
LER 11-03-001 for Oconee, Units 1, 2, and 3 Regarding Inoperability of the Standby Shutdown Facility Diesel Generator
ML12006A192
Person / Time
Site: Oconee  Duke energy icon.png
Issue date: 12/19/2011
From: Gillespie T
Duke Energy Carolinas
To:
Document Control Desk, Office of Nuclear Reactor Regulation
References
O-10-03882 LER 11-03-01
Download: ML12006A192 (6)
v  d  e


Text

Duke T. PRESTON Vice PresidentGILLESPIE, JR.

  • knergy, Oconee Nuclear Station Duke Energy ON01 VP / 7800 Rochester Hwy.

Seneca, SC 29672 864-873-4478 864-873-4208 fax T.Gillespie@duke-energy.com December 19, 2011 U.S. Nuclear Regulatory Commission Document Control Desk Washington, DC 20555

Subject:

Duke Energy Carolinas LLC (Duke Energy)

Oconee Nuclear Station Units 1, 2, and 3 Docket Nos.: 50-269, 50-270, and 50-287 Licensee Event Report 269/2011-03, Revision 1 Problem Investigation Process No: 0-10-03882 Ladies and Gentlemen:

Pursuant to 10 CFR 50.73 Sections (a)(1) and (d), attached is Licensee Event Report 269/2011-03, Revision 1, regarding the inoperability of the Standby Shutdown Facility (SSF) due to a design oversight that resulted in a condition which exceeded the seven (7) days allowed by Technical Specification (TS) 3.10.1 Action Statement D. Consequently, this report is being submitted in accordance with 10 CFR 50.73(a)(2)(i)(b), as an operation prohibited by the station's TSs. This report has been revised to add the cause and corrective actions for this event which were not available in Revision 0 of the report.

This event is considered to be of no significance with respect to the health and safety of the public.

There are no regulatory commitments contained in this report.

Any questions regarding the content of this report should be directed to Steven Newman at 864-873-4388.

Sincerely, T. Preston Gillespie, Jr.

Vice President Oconee Nuclear Station Attachment www. duke-energy. com

Document Control Desk Date: December 19, 2011 Page 2 cc: Mr. Victor McCree Administrator, Region II U.S. Nuclear Regulatory Commission Marquis One Tower 245 Peachtree Center Ave., NE, Suite 1200 Atlanta, GA 30303-1257 Mr. John Stang Project Manager U.S. Nuclear Regulatory Commission Office of Nuclear Reactor Regulation Washington, DC 20555 Mr. Andrew Sabisch NRC Senior Resident Inspector Oconee Nuclear Station INPO (Word File via E-mail)

NRC FORM 366 U.S. NUCLEAR REGULATORY COMMISSION APPROVED BY OMB: NO. 3150-0104 EXPIRES: 10/31/2013 (10-2010) Estimated burden per response to comply with this mandatory collection request: 80 hours9.259259e-4 days <br />0.0222 hours <br />1.322751e-4 weeks <br />3.044e-5 months <br />.

Reported lessons learned are incorporated into the licensing process and fed back to industry. Send comments regarding burden estimate to the FOIA/Privacy Section (T-5 F53),

U.S. Nuclear Regulatory Commission, Washington, DC 20555-0001, or by internet e-mail to infocollects Resource@nrc.gov, and to the Desk Officer, Office of Information and Regulatory Affairs, NEOB-10202, (3150-0104), Office of Management and Budget, (See reverse for required number of Washington, DC 20503. If a means used to impose an information collection does not digits/characters for each block) display a currently valid OMB control number, the NRC may not conduct or sponsor, and a doperson is not required to respond to, the information collection.

1. FACILITY NAME 2. DOCKET NUMBER 3. PAGE Oconee Nuclear Station (ONS), Units 1, 2, and 3 105000- 269 I 1 OF 4
4. TITLE Inoperability of the Standby Shutdown Facility Diesel Generator
5. EVENT DATE 6. LER NUMBER 7. REPORT DATE 8. OTHER FACILITIES INVOLVED REV FACILITY NAME DOCKET NUMBER Y SEQUENTIAL MO DAY YEAR YEAR NUMBER NO MO DAY YEAR ONS, Unit 2 05000 270 FACILITY NAME DOCKET NUMBER 02 24 2011 2011 03 1 12 19 2011 ONS, Unit3 05000 287
9. OPERATING MODE 11. THIS REPORT IS SUBMITTED PURSUANT TO THE REQUIREMENTS OF 10 CFR §: (Check all that apply)

Unit 1 - 1 El 20.2201(b) El 20.2203(a)(3)(i) C] 50.73(a)(2)(i)(C) [I 50.73(a)(2)(vii)

Unit 2 - 1 El 20.2201(d) [I 20.2203(a)(3)(ii) El 50.73(a)(2)(ii)(A) El 50.73(a)(2)(viii)(A)

Unit 3 - 1 [1 20.2203(a)(1) El 20.2203(a)(4) El 50.73(a)(2)(ii)(B) El 50.73(a)(2)(viii)(B)

El 20.2203(a)(2)(i) El 50.36(c)(1)(i)(A) El 50.73(a)(2)(iii) El 50.73(a)(2)(ix)(A)

10. POWER LEVEL [I 20.2203(a)(2)(ii) [I 50.36(c)(1)(ii)(A) El 50.73(a)(2)(iv)(A) El 50.73(a)(2)(x)

El 20.2203(a)(2)(iii) El 50.36(c)(2) [1 50.73(a)(2)(v)(A) El 73.71(a)(4)

Unit 1 - 100 El 20.2203(a)(2)(iv) [I 50.46(a)(3)(ii) C] 50.73(a)(2)(v)(B) El 73.71 (a)(5)

Unit 2 - 100 El 20.2203(a)(2)(v) [E 50.73(a)(2)(i)(A) El 50.73(a)(2)(v)(C) El OTHER Unit 3 - 100 El 20.2203(a)(2)(vi) Z 50.73(a)(2)(i)(B) El 50.73(a)(2)(v)(D) El Specify in Abstract below Unit__3_-_100 _or in NRC Form 366A

12. LICENSEE CONTACT FOR THIS LER FACILITY NAME TELEPHONE NUMBER (Include Area Code)

S. C. Newman, ONS Regulatory Compliance Group 864-873-4388

13. COMPLETE ONE LINE FOR EACH COMPONENT FAILURE DESCRIBED IN THIS REPORT MANU- REPORTABLE MANU- REPORTABLE CAUSE SYSTEM COMPONENT FACTURER TO EPIX CAUSE SYSTEM COMPONENT FA CTURER TO EPIX B NB 86 P076 Y
14. SUPPLEMENTAL REPORT EXPECTED 15. EXPECTED MONTH DAY YEAR SUBMISSION YES (If yes, complete EXPECTED SUBMISSION DATE) I X INO DATE
16. ABSTRACT (Limit to 1400 spaces, i.e., approximately 15 single-spaced typewritten lines)

On May 13, 2010, an unanticipated Standby Shutdown Facility (SSF) differential lockout relay (86D) actuation occurred while performing an emergency power switching logic function test (i.e., J-test).

This lockout rendered the SSF Diesel Generator (D/G) incapable of starting in any mode.

The root cause was inadequate consideration of all failure modes and effects due to personnel not fully understanding the impact of a design change on the SSF D/G. The design change modified the output contacts of new chart recorders from normally open to normally closed, changing the design function. But, the design inputs were not re-validated. During the J-test, the chart recorders were load shed and repowered (as expected); however, until the recorder completes its "reboot," the output contact is maintained in its shelf state. As a result, the SSF D/G Control Logic received a "false" diesel engine high bearing temperature trip signal for approximately 25 seconds that resulted in actuation of the 86D relay.

The design issue with the SSF chart recorders existed since design change implementation in November 2008. Since this time span exceeded the seven days allowed by Technical Specification 3.10.1, the event is reportable. Immediate corrective action involved resetting the 86D lockout relay to clear alarms and to restore Diesel Emergency Start-Ready to Start light indication. The high bearing temperature trip interlocks were removed from the chart recorders and the circuit functionally tested.

NRC FORM 366A U.S. NUCLEAR REGULATORY COMMISSION (10-2010)

LICENSEE EVENT REPORT (LER)

1. FACILITY NAME. 2. DOCKET 6. LER NUMBER 3. PAGE SEQUENTIAL REVISION YEAR NUMBER NUMBER Oconee Nuclear Station, Units 1, 2, and 3 05000 269 2011 - 03 - 01 2 OF 4
17. NARRATIVE BACKGROUND The Standby Shutdown Facility (SSF)[NB] is designed as a standby system for use under emergency conditions.

The system provides additional "defense in-depth" protection for the health and safety of the public by serving as a backup to existing safety systems. The SSF is provided as an alternate means to achieve and maintain MODE 3 with an average Reactor Coolant [AB] temperature > 525 degrees F following postulated fire, sabotage, or flooding events, and is designed in accordance with criteria associated with these events. Loss of all other station power does not impact the SSF's capability to mitigate each event.

In 2005, it was determined that the SSF Diesel Generator (D/G)[EK] Bearing Temperature Monitoring Panel [PL]

needed to be replaced due to aging and obsolescence concerns. An Engineering Change Request was initiated to replace the existing obsolete monitor with a new monitor [MON] that would deliver the same functions as the existing one.

A minor design change was issued in 2007 to replace the existing Chromolax bearing temperature monitor panel with a Chessell 6100A chart recorder [TR] and to reinstall the High Bearing Temperature Trips. As is typical, the normally open contact was open in the shelf or de-energized state and closed on high bearing temperature to provide the trip signal. Subsequently, a revision to the design change was issued to change the normally open contact on the Chessell recorder output relay to normally closed when it was discovered the normally open contact would not provide the desired response. This function is non-safety related and is bypassed during emergency start of the SSF D/G. The design change was implemented in November 2008.

EVENT DESCRIPTION On May 13, 2010, at approximately 2245 hours0.026 days <br />0.624 hours <br />0.00371 weeks <br />8.542225e-4 months <br />, an unanticipated SSF differential lockout relay (86D)[86]

actuation occurred while performing an emergency power switching logic function test (i.e., J-test). The 86D lockout relay is actuated by various safety and non-safety trip signals. The non-safety trip signals are disabled during emergency operation of the SSF D/G. However, once the lockout relay is actuated, the lockout relay must be manually reset in order for the SSF diesel to start in any mode. This adverse condition rendered the SSF D/G inoperable.

A reportability review of the above described condition, completed on February 24, 2011, determined that the period of SSF inoperability existed since November 2008, exceeding the seven days allowed by Technical Specification 3.10.1 Action Statement D. Thus, the event is reportable.

CAUSAL FACTORS The Root Cause was inadequate consideration of all failure modes and effects due to personnel not fully understanding the impact of the design change on the SSF D/G.

This Root Cause of SSF D/G 86D Lockout relay actuation was the result of the design change which replaced a Chromolax monitoring panel with a Chessell Recorder and then changed the output contacts of the Chessell recorder used for the high bearing temperature trip function from normally open (NO) to normally closed (NC).

Reversal of the output contacts changed the design function and the design inputs were not re-validated. During the original design development it was not understood how the contacts functioned on the Chessell recorder.

During the development of the design change revision, it was not realized that a time delay on reboot would take place, leaving the contacts in a trip actuation state.

NRIC FORA 366A U.S. NUCLEAR REGULATORY COMMISSION (10-2010)

LICENSEE EVENT REPORT (LER)

1. FACILITY NAME 2. DOCKET 6. LER NUMBER 3. PAGE SEQUENTIAL REVISION YEAR NUMBER NUMBER Oconee Nuclear Station, Units 1, 2, and 3 05000 269 2011 03 - 01 3 OF 4
17. NARRATIVE Per Duke Energy guidance, one design input for a design change is to "Describe any design features(s) incorporated in this portion of the modification to specifically account for the failure mode of the system/equipment affected by this modification." This design input requirement was not applied correctly based on the lack of understanding of how the recorder contacts worked. Individuals performing this design change didn't recognize the potential impact of this change because the trip function from the Chessell recorder was a non-safety input, was by-passed in emergency mode, and was previously installed.

CORRECTIVE ACTIONS Immediate Action(s):

The 86D lockout relay was reset to clear alarms and restore SSF Diesel Emergency Start-Ready to Start light indication. This action rendered the SSF DIG available.

Corrective Action(s) to Prevent Recurrence:

1. On May 16, 2010, Engineering issued a design change to remove the high bearing temperature trip interlocks from the .Chessell recorders. This design change was implemented on the same day and functionally tested with proper results.
2. On October 13, 2011, a review of all design changes awaiting implementation in Work Control that involve digital equipment for the effects of loss/return of power was completed and a disposition justification for the adequacy of the post modification test (PMT) plans associated with the design changes was provided.
3. On November 30, 2011, EDM 601, "Engineering Change Manual," Appendix K.2 was revised (Rev. 15) by adding a new question asking if a proposed engineering change adds, removes, or modifies a digital component used to support a control function. If the question is answered "Yes," the appendix will require the user ensure the effects of loss of power and return of power are evaluated (i.e., reboot time, default status, etc.).

EXTENT OF CONDITION A review of all Chessell recorders was performed to determine if the output contacts of any other recorder are used for trip functions. A list of Chessell recorders was retrieved from the ONS electronic database and drawings were reviewed to determine if the recorder had any wires on their output contacts. The recorders that had wires on their output contacts were reviewed to determine if they were used as alarm functions or as trip functions. This application is the only instance that a Chessell recorder output was used to perform a trip function.

A review of trips associated with the SSF D/G 86D lockout relay was performed. The non-safety trips which initiate the 86D lockout are disabled during emergency operation of the SSF D/G. The safety trips which initiate the 86D lockout relay remain enabled during emergency operation. The 86D relay seals in upon actuation; therefore, if a non-safety trip occurs with the diesel shutdown, the lockout will seal in and prevent the diesel from starting in any mode until the lockout is reset. A review of the non-safety trip initiating devices was performed, to determine if failure modes exist which could cause an 86D lockout while the diesel is shutdown. The review determined that none of the non-safety trips exhibit a failure mode which will cause an 86D lockout with the diesel shutdown. All the trip inputs are either blocked or open (non-trip state). Additionally, total loss of AC power has been performed on the SSF per the PMT plan that removed the high bearing temperature trip and no actuation of the 86D relay occurred. This PMT proved no additional equipment in the SSF has this failure mode.

NRC FORM 366A U.S. NUCLEAR REGULATORY COMMISSION (10-2010)

LICENSEE EVENT REPORT (LER)

1. FACILITY NAME 2. DOCKET 6. LER NUMBER 3. PAGE SEQUENTIAL REVISION YEAR NUMBER NUMBER Oconee Nuclear Station, Units 1, 2, and 3 05000 269 2011 - 03 - 01 4 OF 4
17. NARRATIVE SAFETY ANALYSIS The SSF provides an alternate means of achieving and maintaining hot shutdown conditions for all three Oconee Nuclear Station (ONS) units in the event of loss of normal and emergency shutdown systems in the plant. The independence and physical separation of the SSF make it an important accident mitigation system in the ONS Probabilistic Risk Assessment (PRA). Failures of the SSF contribute to the dominate ONS PRA accident sequences such as fire, tornado, high energy line breaks (HELBs), and turbine building floods.

The exposure time for the 86D relay issue is long (> 1 year) based on when the new chart recorder was installed and when the design error was identified and fixed. No credit is given for operator action to recover the SSF D/G since outside technical support would be required to diagnose and resolve the problem. On the other hand, the conditions of applicability are very specific and do not apply to the most important SSF-related accident sequences (i.e., in order for the lockout relay to actuate due to the design error, the chart recorder and the D/G control system must lose normal AC power and then have it restored prior to the need to activate the SSF).

Normal power to the SSF is supplied from the Unit 2 Main Feeder Bus #2 (2MFB2) via a breaker located in switchgear B2T in the blockhouse. The following conditions affect the applicability of the 86D design error.

1. Many of the dominant SSF scenarios involve loss of all AC power with the MFBs damaged/unavailable, or involve a loss of off-site power and the Keowee Overhead Path (KOH). In these cases, a 2MFB2 lockout or a loadshed signal will prevent normal power from being restored to the SSF and prevent the 86D lockout.

Seismic events and external flood sequence are also expected to fail the KOH at the same time and prevent restoration of normal power to the SSF.

2. Turbine Building Flood and other transient events are not expected to cause a loss of AC power in which case the SSF will not lose normal power and the 86D relay will not trip.
3. Only a limited number of fire scenarios are applicable to the 86D relay issue. These involve a spurious actuation of degraded grid protection circuitry (LOOP) due to a hot short and a Keowee run failure after the overhead path is successfully aligned to the Startup Buses.

These conditions limit the applicable scenarios for the 86D relay issue to a narrow set of events involving either a grid-centered LOOP event with Keowee run failures, or a small set of internal fire scenarios that spuriously actuate the grid-protection circuitry but still allow the KOH to initially restore power. Thus it is concluded that the SSF 86D relay design error had a very low risk impact based on this very narrow set of low probability events that can create the necessary conditions to actuate the lockout relay.

ADDITIONAL INFORMATION To determine if a recurring or similar event exists, a search of the site corrective action program database was conducted for a time period covering five years prior to the date of this event. Based on this search, no other events that are similar to the subject event were discovered. Therefore it is concluded that this event is not recurring.

Energy Industry Identification System (EIIS) codes are identified in the text within brackets []. This event is considered reportable under the EPIX program as noted in Failure Report No. 1055.

There were no releases of radioactive materials, radiation exposures or personnel injuries associated with this event.

Retrieved from "https://kanterella.com/w/index.php?title=ML12006A192&oldid=2107934"