05000259/LER-2011-003
| Event date: | |
|---|---|
| Report date: | |
| Reporting criterion: | 10 CFR 50.73(a)(2)(i)(B), Prohibited by Technical Specifications 10 CFR 50.73(a)(2)(v)(B), Loss of Safety Function - Remove Residual Heat 10 CFR 50.73(a)(2)(iv)(B), System Actuation 10 CFR 50.73(a)(2)(iv)(A), System Actuation |
| 2592011003R02 - NRC Website | |
On April 27, 2011, severe weather in the Tennessee Valley service area caused grid instability and a loss of all 500-kV offsite power sources that resulted in scrams on all three Browns Ferry Nuclear Plant (BFN) units.
At the time of the event being reported (May 2, 2011, at 0626 hours0.00725 days <br />0.174 hours <br />0.00104 weeks <br />2.38193e-4 months <br /> Central Daylight Time [CDT]), BFN Units 1, 2, and 3 were in Mode 4 (Cold Shutdown) with all control rods inserted generators (EDG) [EK] and a 161-kV [FK] offsite power source.
II. DESCRIPTION OF EVENT
A. Event:
source were in use to provide alternating current (AC) power for core cooling loads, the output breaker of the Unit 1/2 A EDG tripped.
I The Unit 1/2 A EDG output breaker trip interrupted power to 4-kV Shutdown Board A [EB], caused a loss of power to a portion of the Unit 1 Reactor Protection System (RPS A) [JC], and led to Primary Containment Isolation System (PCIS) [JE][JM] Group 2, 3, 6, and 8 isolations. The Group 2 isolation caused the loss of Unit 1 Residual Heat Removal (RHR) System [BO] Shutdown Cooling (SDC). Unit 2 was not affected by this event.
On May 2, 2011, at 0723 hours0.00837 days <br />0.201 hours <br />0.0012 weeks <br />2.751015e-4 months <br /> CDT, after power had been restored to 4-kV Shutdown Board A using a 161-kV offsite power source, Operations personnel placed Unit 1 SDC in service. The Unit 1/2 A EDG output breaker trip had caused the loss of SDC for approximately 57 minutes.
I With an automatic start signal present, each EDG is protected against damage from overspeed by use of an Overspeed Trip Limit Switch (OTLS). The OTLS is positioned against the engine mechanical Overspeed Trip (OT) Lever Arm. When the engine overspeeds, the mechanical lever arm is mechanically released and rotates clockwise (from the front of the engine), which results in engine shutdown by locking out fuel delivery to the power assembly.
The underlying cause for the Unit 1/2 A EDG output breaker trip was inadvertent actuation of the OTLS. The contact was closed, even though the OT lever had not been mechanically released.
B. Inoperable Structures, Components, or Systems that Contributed to the Event:
Loss of offsite power was a contributor to this event.
D. Other Systems or Secondary Functions Affected:
None
E. Method of Discovery:
The EDG output breaker trip was self-revealing as the power lost to the associated 4-kV Shutdown Board caused multiple Main Control Room alarms, which required an Operations response.
F. Operator Actions:
In response to the loss of power, Operations personnel restored power to 4-kV Shutdown Board A using a 161-kV offsite power source, reset the PCIS isolations, and returned Unit 1 SDC to service.
G. Safety System Responses:
All onsite safe shutdown equipment required for Unit 1 was available.
III. CAUSE OF THE EVENT
A. Immediate Cause:
The underlying cause for the Unit 1/2 A EDG output breaker trip was inadvertent actuation of the OTLS — the contact was closed, even though the OT lever had not been mechanically released.
B. Root Cause:
The root cause analysis identified the inadvertent output breaker trip to be a result of inadequate procedural guidance for setup of the emergency diesel generator overspeed trip limit switch. BFN had no formal procedural guidance for OTLS setup. The switch setup is complex and infrequently performed such that procedural guidance on the switch setup is required to ensure proper operation. With no procedural guidance, switches were set close to the actuation point during EDG runs. Slight overspeed trip lever movement allowed the switch to make up.
Extent of Condition The root cause analysis concluded that the inadvertent trip of the output breaker on the Unit 1/2 A EDG resulted from a marginal setting on the OTLS arm. Actuation of the OTLS will result in annunciation for Overspeed Trip and Not Auto. Additionally, the OT relay will be energized resulting in opening of the EDG output breaker and lockout of the engine start circuit.
I OTLS devices are installed on all (8) diesel generators (A, B, C, D, 3A, 3B, 3C, and 3D).
This failure occurred due to an installed/maintained condition relative to the installed over speed trip lever and; therefore, would not be applicable to switches that are not currently installed. Thus, the other diesel generators overspeed trip limit switches were reviewed for similar failure mechanisms, but uninstalled spare/inventoried switches were not.
Immediate corrective action replaced all (8) OTLSs and verified acceptable margin with the OTLS arm was verified for all of the diesel generators.
The OT lever mechanism has the potential to have degradation or wear at the interface between the trip pawl and within the OT lever assembly which could result in a change in the original position of the OT lever when reset. Work Orders were initiated to inspect the OT assemblies for degradation and wear for each DG.
For the DG OTLS, there is a vulnerability that the OTLS may fail to actuate. All OTLS have been replaced, and all switches get tested to ensure they actuate on an overspeed. In addition, this failure to actuate would not cause a loss of D/G function.
Similar rotating equipment with the potential to overspeed (main turbine, reactor feedwater pumps, HPCI, RCIC, Channel Diesel Fire Pump) were reviewed for trip limit switches that may actuate without the overspeed condition present. No similar conditions were found.
Similar non-electrically driven rotating equipment (main turbine, reactor feed pumps, HPCI, RCIC, diesel fire pump) were reviewed for OTLS failure to actuate. As explained above, Main turbine, reactor feed pumps, and RCIC limit switches do not cause loss of function.
The HPCI stop valve limit switch has procedural guidance to ensure proper setup of this switch.
Extent of Cause:
TVA reviewed the following cases to determine the extent of cause:
Inadequate procedural guidance for setup of the EDG OTLS resulting in a failed
EDG
Inadequate procedural guidance for setup of the EDG OTLS resulting in a failed safety system Inadequate procedural guidance for other safety related (SR) components resulting in a failed EDG Inadequate procedural guidance for other SR components resulting in a failed safety system Given that EDGs are support systems that provide power to other SR systems, they have not caused failures of other SR systems. The maintenance rule database was reviewed to determine if procedure issues have led to safety system functional failures and several identified were determined to be related to procedure issues.
Inadvertent overspeed trips have occurred numerous times on EDGs, both at BFN and across the nuclear power industry. Evaluations are performed to assess equipment reliability issues, and periodic self assessments are performed to document the state of the systems and review areas for improvement regarding owners group recommendations for preventive maintenance and industry experience.
Despite these evaluations, the OTLS was not considered as a vulnerability to an EDG functional failure and resulted in the inadvertent output breaker trip. I
IV. ANALYSIS OF THE EVENT
The TVA is reporting this event in accordance with 10 CFR 50.73(a)(2)(iv)(A), as any event or condition that resulted in manual or automatic actuation of any of the systems listed in 10 CFR 50.73(a)(2)(iv)(B). This event is also reportable in accordance with 10 CFR 50.73(a)(2)(v)(B), as any event or condition that could have prevented the fulfillment of the safety function of structures or systems that are needed to remove residual heat and 10 CFR 50.73(a)(2)(i)(B), any operation or condition prohibited by the plant's Technical Specifications.
Evaluation of Plant Systems/Components Based on review of plant system records (including operating logs), following the Unit 1/2 A EDG output breaker trip, power was lost to plant equipment fed from 4-kV Shutdown Board A. With the loss of power to RPS A (half scram), all automatic actuations occurred, all actuations were completed, and required systems started and functioned successfully.
I would not have been able to perform its specified safety function for a span of time from July 25, 2009, to May 2, 2011, when the failed OTLS was replaced. The determination was based on the results of an evaluation of the Unit 1/2 A EDG operating history and the cause of the failure.
The past operability evaluation identified Technical Specification ACTIONS that would have been entered had the condition of the Unit 1/2 A EDG been known during this span of time.
Reportabilitv Evaluation A review of the reporting requirements of 10 CFR 50.72 and 10 CFR 50.73 and NRC guidance provided in NUREG-1022, Revision 3, Event Reporting Guidelines 10 CFR 50.72 and 10 CFR 50.73, was performed for the subject condition. The following TS non- compliances resulted because it was not recognized that the Unit 1/2 A EDG was inoperable for the span of time stated above:
1. BFN Units 1, 2, and 3, TS LCO 3.7.1, "Residual Heat Removal Service Water (RHRSW) System," requires, in part, eight RHRSW pumps to be OPERABLE when three units are fueled in MODES 1, 2, and 3. The RHRSW System provides cooling water from RHRSW pumps A.2, B.2, C.2, and D.2 and from RHRSW/EECW pumps A.1, B.1, C.1, and D.1. During numerous times, at least one or more required RHRSW pump, in the other division of the 4-kV shutdown boards, was inoperable when all three units were in MODE 1, 2, or 3. Since RHRSW pump A.2 and RHRSW/EECS pump A.1 are inoperable because they are supplied power from 4-kV Shutdown Board A; there would now be three or more RHRSW pumps inoperable. TS 3.7.1 ACTION E should have been entered when three or more required RHRSW pumps are inoperable. TS 3.7.1 Required Action E.1 requires that one RHRSW pump must be restored to OPERABLE status within 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br />. If the Required Actions and associated Completion Time of Condition E are not met, then TS 3.7.1 ACTION G requires Unit 1, Unit 2, and Unit 3 to be in MODE 3 within 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> and in MODE 4 within 36 hours4.166667e-4 days <br />0.01 hours <br />5.952381e-5 weeks <br />1.3698e-5 months <br />. Since it was not recognized that the Unit 1/2 A EDG was inoperable, BFN Unit 1, Unit 2, and Unit 3 operated with three or more required RHRSW pumps inoperable longer than was allowed by the TS.
As stated in the previous revision to this LER, this event constituted a reportable condition as described in 10 CFR 50.73(a)(2)(i)(B), operation or condition which was prohibited by the plant's Technical Specifications. Based on a full review Operation Logs, the above description represents the extent of TS non-compliance for BFN Units 1, 2, and 3.
limits the capability for the unit to respond to an accident or transient when accompanied by a loss of offsite power.
The Unit 1/2 A EDG operated for approximately 4 days and 13 hours1.50463e-4 days <br />0.00361 hours <br />2.149471e-5 weeks <br />4.9465e-6 months <br /> prior to the output breaker trip. This period of operation did not meet the 7-day mission time of the Unit 1/2 A EDG. At the time of this event, Unit 1/2 B, C, and D EDGs and one 161-kV offsite power source were operable and the required Emergency Core Cooling Systems were operable.
Therefore, there was sufficient redundancy to support the core cooling requirements for Units 1 and 2 Technical Specifications.
I Three of the four Unit 1/2 EDGs were operable to support both Units 1 and 2 following the three-unit scram event that began on April 27, 2011, until all shutdown boards were powered from qualified 161-kV offsite power sources, and all EDGs were shutdown and in standby readiness. As reported in LER 259/2011-002-00, the Unit 1/2 C EDG developed a hydraulic oil leak and was shutdown at 31 hours3.587963e-4 days <br />0.00861 hours <br />5.125661e-5 weeks <br />1.17955e-5 months <br /> into the three-unit scram event and was returned to operable status prior to the Unit 1/2 A EDG output breaker trip event. The Unit 1/2 C EDG was not required to be started because the remaining two EDGs and a 161-kV offsite power source maintained the required loads.
I Therefore, because sufficient onsite and offsite power sources were available at the time of the event and afterwards, this event was of minimal nuclear safety significance.
The Unit 1/2 A EDG output breaker trip caused a loss of Unit 1 SDC on Unit 1 for 57 minutes. At the time of this event, the time to boil for the Unit 1 Spent Fuel Pool Water (airborne radioactive contamination risk) was approximately 3 hours3.472222e-5 days <br />8.333333e-4 hours <br />4.960317e-6 weeks <br />1.1415e-6 months <br /> and the time to boil for each of Unit 1/2 was approximately 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br />. Technical Specification 3.4.8, Residual Heat Removal (RHR) Shutdown Cooling System - Cold Shutdown, contains provisions that allow RHR SDC subsystems to be out of service indefinitely as long as verification is performed to indicate that an alternate method of decay heat removal is available for each RHR shutdown cooling system within one hour and every 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> thereafter. However, RHR SDC was restored within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> of the event.
Therefore, because there was sufficient redundancy to support the core cooling requirements and shutdown cooling was recovered within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />, this event was not significant from a radiological safety standpoint.
An evaluation was performed on past concurrent inoperabilities of safety systems. The Unit 1/2 A and Unit 1/2 C EDGs were declared inoperable due to not being able to meet a 7 day mission time. The term inoperable does not necessarily imply a state of physical failure. A component can be "inoperable" and still perform its PRA function for the entire PRA 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> mission time. During the time period that Unit 1/2 A EDG was inoperable, the following safety systems were also inoperable.
Available Equipment:
Unit 1/2 A EDG inoperable from July 25, 2009, at 1127 hours0.013 days <br />0.313 hours <br />0.00186 weeks <br />4.288235e-4 months <br /> CDT; to May 2, 2011, at 0626 hours0.00725 days <br />0.174 hours <br />0.00104 weeks <br />2.38193e-4 months <br /> CDT (Available); significant systems (or portions of risk significant systems) that were unavailable during the period of time when Unit 1/2 A EDG was unavailable. The ICDPD was determined to be 5.80E-07 and the ILERPD was determined to be 5.53E-08.
Based on the PRA, the inoperable Unit 1/2 A EDG for the extended period of time posed minimal reduction to public health and safety.
VI. CORRECTIVE ACTIONS
Corrective actions are being managed within TVA's Corrective Action Program.
A. Immediate and Corrective Actions:
The Unit 1/2 A EDG output breaker trip was initiated by the OTLS, which was found to be of a different model than the other 7 EDGs and, post-event, exhibited some sticking when exercising the OTLS arm. After evaluation of the problem (including laboratory analysis), it was determined that the preliminary extent of condition was limited to a mis- adjustment of this OTLS and not a component defect or failure. Therefore, the Unit 1/2 A EDG OTLS was replaced with the same model as the other 7 EDGs and was adjusted properly.
A review of all EDGs will be performed for single point vulnerabilities to functional failure including a self-assessment of EDG vulnerabilities for trip-related functions, preventative maintenance to inspect, test, and establish a replacement frequency for EDG OT devices based on NA fleet and owner's group recommendations.
B. Corrective Actions to Prevent Recurrence:
Corrective actions to prevent recurrence include:
Revise 1/2-SI-4.9.A.1.d(A)-(D) and 3-SI-4.9.A.1.d(A)-(D) "Diesel Generator X 2 Year Inspection" to include step(s) to perform setting of the overspeed trip limit switch per ECI-0-000-SWZ002 "Replacement of Switches" Revise ECI-0-000-SWZ002 "Replacement of Switches" to incorporate step(s) for proper setup of the overspeed trip roller arm within a specified margin based on engineer guidance provided by CA-362340-026
A. Failed Components:
None B. Previous LERS or Similar Events:
A search of LERs for BFN Units 1, 2, and 3 for approximately the past five years did not identify any similar issues involving EDG output breaker trips or issues with the OTLS.
A search of the TVA BFN corrective action program was performed. There were several Problem Evaluation Reports (PERs) that documented OTLS issues. One of the PERs reviewed was associated with a recent Unit 3 B EDG OTLS problem; however, this problem was concluded to be from a different failure mechanism (mechanical binding) that resulted from component aging issues.
C. Additional Information:
The corrective action document for this report is PER 362340.
Safety System Functional Failure Consideration: D.
This event is a safety system functional failure in accordance with NEI 99-02 because it meets the reporting criteria of 10 CFR 50.73(a)(2)(v)(B).
See ICES 248955.
I
E. Scram With Complications Consideration:
This event did not include a reactor scram.
COMMITMENTS
None VIII.