05000260/LER-2004-001
| Browns Ferry Unit 2 | |
| Event date: | 07-08-2004 |
|---|---|
| Report date: | 09-07-2004 |
| Reporting criterion: | 10 CFR 50.73(a)(2)(iv)(A), System Actuation |
| 2602004001R00 - NRC Website | |
I. PLANT CONDITION(S)
Prior to the reactor scram event, Unit 2 and Unit 3 were in Mode 1 at 100 percent reactor power (approximately 3458 megawatts thermal). Unit 1 was shutdown and defueled. Units 1 and 3 were unaffected by the event.
II. DESCRIPTION OF EVENT
A. Event:
On Thursday, July 8, 2004, while in steady state operation at 100% power, a main turbine [TA] trip and reactor scram occurred at 2232 hours0.0258 days <br />0.62 hours <br />0.00369 weeks <br />8.49276e-4 months <br /> CDT. All expected system responses were received, including the automatic opening of seven safety-relief valves (SRV) [SB] upon the initial reactor pressurization transient. Actuation of primary containment isolation system (PCIS) [JM] groups 2, 3, 6, and 8 occurred due to the expected temporary lowering of reactor water level below the actuation setpoint. This logic isolates shutdown cooling [BO] (if in service), isolates the reactor water cleanup (RWCU) [CE] system, isolates the normal reactor building ventilation [VA], initiates the standby gas treatment (SGT) [BH] system, initiates the control room emergency ventilation (CREV) [VI] system, and retracts Traversing Incore Probes [IG] (if inserted). The normal heat rejection path (from the reactor to the main condenser via the steam lines with reactor water make up provided by the condensate/feedwater systems [SD/SJ] remained in service. Reactor water level was recovered to the normal operating range by the normal reactor water level control system. Neither the high pressure coolant injection (HPCI) [BJ] nor reactor core isolation cooling (RCIC) [BN] systems were used during this event. Reactor water level did not drop to the auto initiation point for these systems, and they were not manually placed in service by the control room staff.
Electrical switching in support of plant maintenance was in progress at the time of the scram, and during this switching activity the Unit 2 Unit Preferred System (UPS) 120 VAC Bus [EF] was inadvertently de-energized briefly. The Unit 2 reactor scram occurred at this time due to a turbine control valve fast closure/turbine trip condition. This is indicative of a power load unbalance (PLU), i.e., a main generator [TB] load reject condition. The temporary loss of the UPS power would not by itself be expected to result in a turbine trip/reactor scram because of the fault-tolerant design of the main turbine electro-hydraulic control (EHC) [JI/JJ] system logic. However, it was determined that one of two main generator output current signal channels in the EHC logic had been automatically bypassed by the system software during a separate power supply transient on a different plant distribution bus on November 27, 2003. The plant staff was not aware that this automatic bypass had occurred. The subsequent temporary interruption of the UPS bus during the subject event caused the loss of the second main generator output current signal EHC channel, and with one channel bypassed and the loss of the remaining channel, the system logic indicated that a PLU condition existed. The designed EHC system response to a sensed PLU condition is the rapid closure of the main turbine control valves to prevent an anticipated main turbine overspeed. This rapid control valve closure is accomplished via the depressurization of their hydraulic actuation medium. This depressurization is detected by pressure switches which input to the reactor protection system (RPS) [JC], and, since the unit was operating at a power level greater than the bypass point for this scram signal, the RPS logic directly initiated a reactor scram.
Because this event involved the valid, automatic actuation of the RPS and the operation of containment isolation valves in more than one system, and because the scram was not part of a pre-planned sequence, this event is reportable in accordance with 10 CFR 50.73 (a) (2) (iv) (A).
B. Inoperable Structures, Components, or Systems that Contributed to the Event:
The BFN EHC system is designed with two PLU channels, designated as PLU1 and PLU2. It was determined that PLU2 had been automatically bypassed by the system software on November 27, 2003, after a temporary power loss on the channel. PLU2 was therefore not functioning at the time of the July 8, 2004, Unit 2 scram, effectively leaving the system with an unrecognized single-point scram vulnerability.
C. Dates and Approximate Times of Major Occurrences:
November 27, 2003 1115 hours0.0129 days <br />0.31 hours <br />0.00184 weeks <br />4.242575e-4 months <br /> PLU2 automatically bypassed by system software when its power was briefly interrupted. PLU2 remained in a bypassed condition.
July 8, 2004 2231 hour0.0258 days <br />0.62 hours <br />0.00369 weeks <br />8.488955e-4 months <br />s�Switching commenced on Unit 2 UPS bus July 8, 2004 2232 hour0.0258 days <br />0.62 hours <br />0.00369 weeks <br />8.49276e-4 months <br />s�Unit 2 UPS bus inadvertently de-energized during the reconnection to its normal power source July 8, 2004�2232 hours�Unit 2 reactor scram occurred as a result of EHC system response to a sensed PLU condition D. Other Systems or Secondary Functions Affected None E. Method of Discovery This reactor scram event was identified through numerous indications and alarms in the control room.
F. Operator Actions This event was an uncomplicated scram. All operator actions taken in response to the scram and in the recovery from the event were appropriate. These actions included the verification that the reactor had been successfully shut down, the expected system isolations and initiations had occurred, and accomplishing the subsequent restoration of these systems to normal alignments.
G. Safety System Responses All equipment operated in accordance with the plant design during this event.
The RPS logic responded to the turbine control valve fast closure condition per design to initiate the reactor scram. All control rods fully inserted into the core.
The PCIS logic responded per design to the expected lowered reactor water level by actuating the following isolation groups:
- Group 2 - Residual Heat Removal shutdown cooling function isolation (not in service at the time of the event)
- Group 3 - RWCU system isolation
- Group 6 - primary and secondary containment isolation, including the isolation of the normal reactor building ventilation and the initiation of the SGT and CREV systems
- Group 8 - withdrawal and isolation of the Traversing Incore Probes (the probes were not inserted at the time of this event) Reactor water level was maintained by the condensate/feedwater systems and the normal water level control systems such that no automatic or manual operation of the HPCI or RCIC systems occurred during this event.
The PLU condition causes a rapid closure of the main turbine control valves. This valve operation produces a pressurization transient in the main steam lines and reactor vessel upstream of the valves. Thirteen SRVs are installed on the main steam lines inside the drywell to mitigate such pressurization transients. Seven valves lifted briefly during this event. The system pressure quickly lowered to the normal range through the combined effects of the SRV operation, the operation of the main turbine bypass valves, and the scram of the reactor. Each of the opened SRV's properly reseated with the lowering pressure.
III. CAUSE OF THE EVENT
A. Immediate Cause The immediate cause of this event was the designed response of the EHC system to a sensed PLU condition.
B. Root Cause The detail in the Operations procedure controlling the transfer of the UPS bus was inadequate to prevent interaction between the alternate and normal supplies' voltage control circuits. The interaction in this case resulted in loss of the UPS bus following its transfer to the normal supply.
The EHC system logic software configuration was such that a second PLU channel was automatically bypassed without its status being clearly communicated to the operating staff. As a result of the channel bypass, the PLU logic portion of the system was not operating in a fault tolerant configuration at the time of this event. This software configuration established the plant conditions such that the loss of the single power bus would result in a PLU actuation and reactor scram.
IV. ANALYSIS OF THE EVENT
This event was an uncomplicated plant scram. Both the temporarily lowered reactor water level and the temporarily raised reactor pressure conditions are expected plant responses where rapid main turbine control valve closure occurs from high power. The event as it occurred is addressed in detail by the plant Final Safety Analysis Report (FSAR), and the plant conditions assumed in the FSAR for analyzing this event are more severe than the actual conditions which were in existence at the time of this event. See Section V. below for further details.
The EHC system initiated a fast closure of the main turbine control valves as it is designed to do during a sensed PLU condition. This fast closure is sensed by RPS pressure switches monitoring the hydraulic fluid pressure being applied to the control valves. The RPS logic is designed such that a main turbine control valve fast closure with reactor power above approximately 30% reactor power will directly scram the reactor. All of these trip actions occurred in accordance with the plant design.
Equipment response following the reactor scram and turbine trip was also in accordance with the plant design. The short term pressurization transient was mitigated by SRV and turbine bypass valve operation, and pressure control following the initial transient was handled by the bypass valves. The operation of other systems post-scram (e.g., containment isolation, start-up of SGT and CREV, isolation of normal reactor building ventilation, RWCU isolation, TIP isolation, etc.) also occurred in accordance with the plant design. The main condenser continued to function as the heat sink following the scram. All operator actions in response to the event were appropriate.
On November 27, 2003, an electrical switching activity temporarily de-energized the power supply for the Unit 2 PLU2 input instrumentation. The system software noted the downscale (below minimum) reading of this channel and bypassed the channel as invalid. A bypass event statement was written to an EHC event log, however, that log is not routinely reviewed by the plant staff. With PLU2 bypassed, the remaining PLU1 channel constituted a one-out-of-one logic that would generate a PLU trip if the generator output current was sensed as being 40% lower than the corresponding value seen for main turbine steam input.
The electrical switching activity on July 8, 2004, was being conducted in support of plant maintenance.
Prior to the event, the UPS bus was being supplied by one of its alternate power supplies, a regulating transformer, while maintenance was completed on the normal source, a motor-motor-generator (MMG) set. The MMG set has both an AC powered and a DC powered motor to drive the generator such that output is maintained on loss of power to the AC motor. A flywheel provides additional inertia to minimize the impact of a drive power transfer. The switching activity which resulted in this event was intended to restore the UPS bus to its normal (MMG set) power supply.
Both the MMG set generator and the alternate supply regulating transformer employ voltage regulating circuitry. However, neither of these circuits contain the voltage droop features necessary to allow true parallel operation with another source. Without such droop circuits, the two regulating circuits will oppose one another if placed in parallel operation, and unstable voltage and current conditions will result. It is acceptable to briefly parallel two circuits such as these in order to accomplish a make-before-break transfer, i.e., a bus transfer where even a very short loss of power is undesirable, which is the case for this UPS bus. However, this transfer must be accomplished very quickly to keep the paralleling of the two sources to a minimum duration. The Operations procedure which was being used by the personnel [licensed — utility] performing this transfer did not provide adequate instruction to ensure this parallel condition was minimized. The procedure recognized that extended parallel operation was not allowable, but it did not adequately convey the critical nature of minimizing the time in the paralleled condition. The step sequencing in the procedure did not properly expedite the separation of the two sources once the second source had been applied to the bus.
In this case, the two sources were paralleled for too long during the switching activity, and the control circuitry of the MMG set was damaged during this interval. The MMG set carried the UPS bus briefly following the opening of the breaker between the bus and the alternate transformer supply, however, the MMG set output breaker subsequently tripped open a few seconds afterwards. When this occurred, power was totally lost to the UPS 120 VAC uninterruptible power bus, which de-energized the PLU1 instrumentation. When the bus was lost, the PLU1 generator output current signal input to the EHC logic was lost. The loss of the PLU1 signal directly resulted in the fast closure of the main turbine control valves, given the bypassed state of the PLU2 channel. If the PLU2 channel had not been bypassed at the time of the July 8, 2004 event, the downscale failure of PLU1 resulting from the loss of power would not have rAsultAd in any turhinp. rIontml VaiVe motion at all and nn scram would have onnurrp.ri
V. ASSESSMENT OF SAFETY CONSEQUENCES
FSAR sections 14.5.2.1 and 14.5.2.2 specifically address the main generator load reject event. Turbine bypass valves are assumed to function in the discussion under section 14.5.2.1. Section 14.5.2.2, however, assumes that the main turbine bypass valves do not function and therefore is the more limiting scenario. This analysis assumes initial conditions of all rods fully withdrawn, a core power of 100% of rated, and a core flow of 105% of rated. The analysis shows that no safety limits are exceeded for such a transient scenario. In the transient event described in this LER, no actual generator load reject occurred, but the EHC logic responded to the event as if one had occurred. The actual plant conditions for this event were less severe than those described in the FSAR section 14.5.2.2 analysis, and the subject event is fully bounded by the analysis presented in section 14.5.2.2.
The health and safety of the public were not affected by the subject scram event.
VI. CORRECTIVE ACTIONS
A. Immediate Corrective Actions
Following trip of the MMG supply breaker to the UPS bus, the bus was re-energized by reconnecting it to the alternate transformer supply.
B. Corrective Actions to Prevent Recurrence) 1. Revise the operating procedure to clarify how much time the paralleled condition between the MMG and regulating transformer UPS bus power sources may be allowed.
2. Revise the operating procedure to improve the switching activity step sequencing to adequately support the necessity of minimizing the time in the paralleled condition.
3. Add indication of signal bypass condition for each EHC signal that has the capability of being bypassed.
4. Review EHC logic to ensure each condition that will result in signal bypass will also bring in the associated alarm.
VII. ADDITIONAL INFORMATION
A. Failed Components
None B. Previous LERs on Similar Events None
C. Additional Information
None (1) TVA does not consider this corrective action a regulatory commitment. The completion of this action will be tracked in TVA's Corrective Action Program.
D. Safety System Functional Failure Consideration:
This event does not involve a safety system functional failure which would be reported in accordance with NEI 99-02. The scram was caused by a malfunction of non-safety related equipment. All safety-related equipment performed in accordance with design in response to the event.
E. Loss of Normal Heat Removal Consideration:
The main condenser was retained as the heat sink during this event, and the condensate/feedwater systems continued to provide reactor vessel inventory make-up. Neither HPCI nor RCIC operated during this event. A momentary lift of seven SRV's occurred at the time of the event to control the initial pressure transient, but the valves properly reseated. Other than quenching the discharge from the short-term opening of the SRV's, the suppression pool was not used as a heat sink following this event. This event does not constitute a scram with a loss of normal heat removal which would be reported in accordance with NEI 99-02.
VIII. COMMITMENTS
None