05000382/LER-2017-001

From kanterella
Revision as of 00:55, 3 March 2018 by StriderTol (talk | contribs) (Created page by program invented by StriderTol)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search
LER-2017-001, 1 of 5
Waterford 3 Steam Electric Station
Event date: 03-08-2017
Report date: 05-04-2017
Reporting criterion: 10 CFR 50.73(a)(2)(v)(D), Loss of Safety Function - Mitigate the Consequences of an Accident
3822017001R00 - NRC Website
v  d  e
LER 17-001-00 for Waterford, Unit 3 Regarding Both Trains of Emergency Core Cooling System Inoperable due to Inadvertently Performing Maintenance on Train 'B' Resulting in Event or Condition that Could Have Prevented Fulfillment of a Safety Function
ML17128A085
Person / Time
Site: Waterford Entergy icon.png
Issue date: 05/04/2017
From: Jarrell J P
Entergy Operations
To:
Document Control Desk, Office of Nuclear Reactor Regulation
References
W3F1-2017-0041 LER 17-001-00
Download: ML17128A085 (8)
v  d  e


comments regarding burden estimate to the Information Services Branch (T-2 F43), U.S. Nuclear Regulatory Commission, Washington, DC 20555-0001, or by e-mail to used to impose an information collection does not display a currently valid OMB control number, the NRC may not conduct or sponsor, and a person is not required to respond to, the information collection.

Waterford 3 was in Mode 1 at approximately 100% power. Low Pressure Safety Injection (LPSI) train ‘A' had previously been declared inoperable for scheduled maintenance and the station was in compliance with Technical Specification (TS) 3.5.2 action ‘a'. There were no other structures, components, or systems inoperable at the start of this event that contributed to this event.

The Emergency Core Cooling System (ECCS) or Safety Injection System (SIS) is designed to provide core cooling in the unlikely event of a Loss of Coolant Accident (LOCA). The cooling must suffice to prevent significant alteration of core geometry, preclude fuel melting, limit the cladding metal-water reaction, and remove the energy generated in the core for an extended period of time following a LOCA. The SIS fluid must contain sufficient neutron absorbers to maintain the core subcritical for the duration of a LOCA. In addition, the ECCS functions to inject borated water into the Reactor Coolant System (RCS) to add negative reactivity to the core in the unlikely event of a steam line rupture.

Safety injection is also initiated in the event of a steam generator [SG] tube rupture or a control element assembly [ROD] ejection incident.

SYSTEM DESCRIPTION

To assure system availability, redundant components are provided. The major components of this system are three High Pressure Safety Injection (HPSI) pumps [P], two LPSI pumps [P], four safety injection tanks [TK], high pressure injection valves [INV], and low-pressure injection valves [INV]. The functions of the LPSI pumps are to inject large quantities of borated water into the RCS in the event of a large pipe rupture and to provide shutdown cooling flow through the reactor core and shutdown cooling heat exchanger [HX] for normal plant shutdown cooling operation or as required for long-term core cooling.

On March 8, 2017, at 1608, maintenance personnel commenced work to inspect the stem threads and obtain measurements on SI-135A. At 1627, a Shift Technical Advisor located in the control room identified that SI-135B was open, which was not the required position for this component per the system alignment performed to demonstrate operability [TS Surveillance Requirement (SR) 4.5.2.b.1]. At the time of discovery, LPSI train ‘A' was inoperable for maintenance and the station was in compliance with Technical Specification (TS) 3.5.2 action ‘a' which requires that an inoperable LPSI train be restored within 7 days. LPSI train ‘B' was declared inoperable and TS 3.5.2 action ‘c' was entered. Action ‘c' requires that with both LPSI trains inoperable, at least one train must be restored within one hour.

An operator sent to the field determined that the maintenance personnel had inadvertently opened SI-135B instead of SI-135A. SI-135B was closed and operability was verified by performing stroke time testing in accordance with the surveillance procedure. LPSI train ‘B' was declared operable at 1705 and TS 3.5.2 action ‘c' was exited. The station remained in compliance with TS 3.5.2 action ‘a'.

SI-135A is the Reactor Coolant Loop 2 Shutdown Cooling Warmup Valve [V] for LPSI train ‘A' and SI-135B is the Reactor Coolant Loop 1 Shutdown Cooling Warmup Valve [V] for LPSI train ‘B'. Both are normally closed valves and are opened when placing the Shutdown Cooling System in service. SI-135A and SI-135B are located in an area that contains SIS piping and components for trains ‘A' and ‘B'. Remote indication of SI-135A and SI-135B valve position is provided in the control room.

INITIAL CONDITIONS

EVENT DESCRIPTION

- 00 2017 - 001 comments regarding burden estimate to the Information Services Branch (T-2 F43), U.S. Nuclear Regulatory Commission, Washington, DC 20555-0001, or by e-mail to used to impose an information collection does not display a currently valid OMB control number, the NRC may not conduct or sponsor, and a person is not required to respond to, the information collection.

TS 3.5.2 requires that two independent ECCS subsystems shall be OPERABLE in Modes 1, 2, and 3 (with pressurizer [PZR] pressure greater than or equal to 1750 psia and RCS average temperature greater than or equal to 500 degrees F) with each subsystem comprised of: a. One OPERABLE high-pressure safety injection train, b. One OPERABLE low-pressure safety injection train, and c. An independent OPERABLE flow path capable of taking suction from the refueling water storage pool on a safety injection actuation signal [JE] and automatically transferring suction to the safety injection system sump [SUMP] on a recirculation actuation signal. Action a. requires that with one ECCS subsystem inoperable due to one low pressure safety injection train inoperable, restore the inoperable train to OPERABLE status within 7 days or be in at least HOT STANDBY within the next 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and reduce pressurizer pressure to less than 1750 psia and RCS average temperature to less than 500 degrees F within the following 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />.

Action c. requires that with both LPSI trains inoperable due to less than 100% of ECCS flow equivalent to a single OPERABLE ECCS subsystem, restore at least one LPSI train to OPERABLE status within one hour or be in at least HOT STANDBY within the next 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and reduce pressurizer pressure to less than 1750 psia and RCS average temperature to less than 500 degrees F within the following 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />.

Each ECCS subsystem is required by SR 4.5.2 to be demonstrated OPERABLE. To ensure that the ECCS subsystem can deliver the design flow to the RCS, SR 4.5.2.b.1. requires that each valve (manual, power-operated, or automatic) in the flow path that is not locked, sealed, or otherwise secured in position, is in its correct position. Operability is demonstrated by satisfactory performance of a system alignment in accordance with station procedure. Valve SI-135B is required to be in the closed position by the system alignment; therefore, when it was inadvertently opened, LPSI train ‘B' was rendered inoperable. This misalignment coincided with LPSI train ‘A' being inoperable due to the planned maintenance. The amount of time that both trains were inoperable was 38 minutes.

This condition is reportable pursuant to 10 CFR 50.73(a)(2)(v)(D), “Event or Condition that Could Have Prevented Fulfillment of a Safety Function of Structures or Systems that are Needed to (D) Mitigate the Consequences of an Accident" due to both ECCS subsystems being inoperable.

Searches of the Entergy Condition Reporting System were performed for the past 5 years for conditions with a keyword of “component misposition” or trend code of “component mispositioning.” Those identified as similar to this event are provided below.

CR-GGN-2014-1345: On February 16, 2014, nuclear oversight personnel identified that technicians performing scheduled work for valve 1N23-F502A were incorrectly working on 1N35-F502A.

CR-PNP-2014-1431: On April 1, 2014, an operator inadvertently depressed the RCIC INITIATION SIGNAL reset push button on panel C904, instead of the RCIC SYS INJECTION MODE push button on panel C904 as directed by procedure. The incident resulted in unexpected test results and some steps of the surveillance being reperformed.

CR-IP2-2016-504: On January 29, 2016, during performance of calibration on RCS Wide Range Temperature Instruments, instrument technicians opened the terminal block protective cover for the incorrect instrument causing unexpected alarms and a plant perturbation.

REPORTABLE OCCURRENCE

PREVIOUS OCCURRENCES

- 00 2017 - 001 comments regarding burden estimate to the Information Services Branch (T-2 F43), U.S. Nuclear Regulatory Commission, Washington, DC 20555-0001, or by e-mail to used to impose an information collection does not display a currently valid OMB control number, the NRC may not conduct or sponsor, and a person is not required to respond to, the information collection.

CR-ANO-C-2016-4258: On October 7, 2016, an operator incorrectly closed the makeup isolation damper for the running control room ventilation fan. This caused the running fan to be inoperable and placed Unit 2 into a 7-day LCO time clock.

CR-WF3-2017-0977: On February 16, 2017, while hanging tagout CW-115, operations department hung a danger tag on a component not within the scope of their tagout. This resulted in a level 3 misposition and potential for equipment damage and personnel injury.

CR-ANO-C-2016-3841: On October 16, 2016, two FIN mechanics inadvertently uncoupled 2P-39A boric acid makeup pump resulting in no boric acid makeup pumps being available, risk of injury from working on an unisolated pump that was positioned in “Auto,” and a site clock reset.

CAUSAL FACTORS

(1) Maintenance personnel did not adequately perform component verification to validate that they were on the correct component and opened SI-135B instead of SI-135A.

(2) The protected equipment posting process did not provide an adequate barrier to protect the opposite train components that are located in the same area. Workers were allowed to approach protected train component SI-135B because it had no protected equipment posting.

(3) The work order to perform the maintenance on SI-135A was not planned in accordance with the station procedure that establishes standards and expectations for the use of specific human performance tools. This procedure states that concurrent verification should be used for actions that have a high potential to lead to irreversible consequences (loss of safety function). This allowed the condition by not requiring concurrent verification for component identification steps to be included in the work package.

(4) Supervisory engagement during the pre-job brief was inadequate. This allowed mitigating factors (proper component verification) to not be established when the potential to work on the wrong component had been identified as the worst thing that could happen.

CORRECTIVE ACTIONS

(1) A maintenance department stand down was performed to discuss the event and reinforce expectations for component verification (complete).

(2) SI-135B was added to the protected equipment postings database and the valve was posted as protected train equipment to support the maintenance on SI-135A (complete).

(3) Concurrent verification will be added to the component identification steps for future planned work on SI-135A (planned).

(4) Implement a process where if the determined risk mitigation actions for medium and high integrated risk activities call for “protect redundant/mitigating equipment,” then ensure that the opposite train redundant components located in mixed system train areas are positively protected (planned).

- 00 2017 - 001 comments regarding burden estimate to the Information Services Branch (T-2 F43), U.S. Nuclear Regulatory Commission, Washington, DC 20555-0001, or by e-mail to used to impose an information collection does not display a currently valid OMB control number, the NRC may not conduct or sponsor, and a person is not required to respond to, the information collection.

A safety system functional failure analysis was performed for this event. The assumptions used in the analysis were as follows:

  • LPSI train ‘A' was not available;
  • LPSI train ‘B' was available but in the unplanned configuration with valve SI-135B open;
  • HPSI trains ‘A' and ‘B' were both available;
  • All containment cooling systems were available.

The unplanned configuration of LPSI train ‘B' combined with LPSI train ‘A' not available resulted in reducing the credited flow to the RCS to 2330 gpm. Analysis of this configuration concluded that no loss of the safety function occurred. This is based on the following results:

  • Peak clad temperature, peak local oxidation, and core-wide oxidation results documented in the ECCS performance analysis of record (AOR) remain bounding at this lower LPSI system flow.
  • The mass and energy releases during the blowdown, reflood, and long-term cooling phase of a LOCA at this lower LPSI system flow are bounded by the mass and energy releases documented in the AOR from the perspective of maximizing the containment pressure calculations.
  • The mass and energy releases from a main steam line break at this lower LPSI system flow do not affect the AOR for this event.

SAFETY SIGNIFICANCE

ADDITIONAL INFORMATION

The actual consequence was that with LPSI train ‘A' inoperable, and with SI-135B open, LPSI train ‘B' would be able to deliver the reduced flow of 2330 gpm to the RCS during a design basis event. SI-135B was opened and LPSI train ‘B' operability was restored in 38 min. There were no other actual consequences to the general safety of the public, nuclear safety, industrial safety, and radiological safety for this event. As described above, although LPSI train ‘A' was inoperable and SI-135B was open, LPSI train ‘B' would be able to perform the required safety function of the ECCS during all required accident conditions. Therefore, it has been determined that the ECCS was capable of performing its safety function. The safety significance of this event is considered low.

The potential consequence to the general safety of the public, nuclear safety, industrial safety, and radiological safety of this event if response actions were delayed is that ECCS performance acceptance criteria would have been exceeded.

(5) Each maintenance shop superintendent will perform a series of targeted observations that focus on component verification practices during the job site review process with the intent to improve component verification practices (planned).

Energy industry identification system (EIIS) codes and component function identifiers are identified in the text with brackets [ ].

- 00 2017 - 001

Retrieved from "https://kanterella.com/w/index.php?title=05000382/LER-2017-001&oldid=454552"