05000265/LER-2012-003

LER-2012-003, Unit 2 Automatic Reactor Scram Due to Digital Electro Hydraulic Control System Failure
Quad Cities Nuclear Power Station
Event date: 04-18-2012
Report date: 06-14-2012
Reporting criterion: 10 CFR 50.73(a)(2)(i)(B), Prohibited by Technical Specifications

10 CFR 50.73(a)(2)(iv)(A), System Actuation
2652012003R00 - NRC Website

PLANT AND SYSTEM IDENTIFICATION

General Electric - Boiling Water Reactor, 2957 Megawatts Thermal Rated Core Power

Energy Industry Identification System (EIIS) codes are identified in the text as [XX].

EVENT IDENTIFICATION

Unit 2 Automatic Reactor Scram Due to Digital Electro Hydraulic Control System Failure

A. CONDITION PRIOR TO EVENT

Unit: 2
Event Date: April 18, 2012
Event Time: 1511 hrs
Reactor Mode: 1
Mode Name: Power Operation
Power Level: 21%

B. DESCRIPTION OF EVENT

On April 18, 2012, a test of the Unit 2 main generator [TB] Automatic Voltage Regulator [EC] (AVR) installed during refueling outage Q2R21 was being conducted with Unit 2 synchronized to the grid at approximately 21% [AD] reactor power. The test initiated a switchyard [FK] load reject (with an expected turbine [TA] overspeed). The expected Digital Electro Hydraulic Control [TG] (DEHC) System response was to maintain the Unit 2 Turbine at 1800 RPM unloaded and control Unit 2 Reactor pressure via the Turbine Bypass Valves [FCV] (TBVs). While the initial response to the load reject was as expected, at 1511 hrs the Unit 2 Reactor scrammed on high reactor pressure, which was approximately 33 seconds after the load reject was initiated. All plant systems responded as required and operations personnel responded to the scram in accordance with their training and plant procedures.

To simulate the load reject, the main generator output breakers [52] were opened. As a result, the Turbine Control Valves [FCV] (TCVs) went closed, five (5) TBVs went open, and fast closure of all turbine Intercept Valves [ISV] (IVs) of the Combined Intermediate Valves [FCV] (CIVs) occurred. Approximately 14 seconds after the generator load was removed, turbine speed slowed down to 1825 RPM, and the DEHC system attempted to open TCVs to reintroduce steam flow to maintain the turbine at 1800 rpm. After turbine speed started to decrease, the servo valves [20] for the IVs responded to drive the IVs back open to control turbine speed. The IV disk dump valves [SHV] opened as required on the IV fast closure signal, but could not properly seat with the servo valves remaining open. High fluid flow through the unseated IV disk dump valves caused a significant decrease in EHC [TG] system pressure as measured locally at the TCVs. The backup EHC pump [P] started as expected on low EHC system pressures, but both EHC pumps are not designed to maintain system pressure while in this configuration. As a result, TCVs were unable to open more than approximately 1% valve position due to low EHC hydraulic pressure. With the TCVs not responding, DEHC continued to input an increasing TCV demand signal. The TBVs could not effectively control reactor pressure because the TBVs were closing in response to an increasing TCV demand signal. As a result, with only three (3) and 1/2 TBVs staying open, reactor pressure increased until the automatic scram occurred on high reactor pressure.

A troubleshooting team executed a complex troubleshooting plan to identify the sequence of events leading to the scram, and summarized the event as follows: DEHC failed to mitigate the resulting pressure transient before a reactor scram occurred on high pressure. Following the load reject, the CIVs failed to reset, causing EHC pressure to decrease. The low EHC pressure prevented the TCVs from opening (to maintain turbine speed) on increasing demand (accordingly, TCV demand continued to increase). The TBVs failed to control pressure because they partially closed due to the increasing opening demand signal to the TCVs. It was also noted that the Mark VI DEHC (and original Mark I EHC) designs for controlling TBV positions are based on TCV demand input signal, and do not use an actual TCV position input signal.
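The observation above, that TBV position follows the TCV demand signal rather than actual TCV position, can be illustrated with a toy steam balance. This is an added example, not the vendor's control logic or the planned modification: only the 21% steam load and the roughly 1% TCV opening come from this report, while the subtractive bypass law, the ramp rate, the trip margin, the mismatch alarm and all names are constructed assumptions.

```python
# Toy steam-balance model of the load-reject transient (constructed, not plant data).
STEAM_IN = 21.0       # % rated steam flow produced (report: ~21% reactor power)
TCV_LIMIT = 1.0       # % TCV opening reachable at low EHC pressure (report: ~1%)
RAMP = 0.5            # %/s rise in TCV demand while the valves do not respond (assumed)
TRIP_MARGIN = 100.0   # accumulated steam surplus that trips high pressure (assumed)
MISMATCH_ALARM = 5.0  # % demand-vs-position gap that would raise an alarm (assumed)


def simulate(bypass_input, seconds=60):
    """Run the transient with the bypass law fed by TCV 'demand' or 'position'.

    Returns a dict with the trip time (None if no trip), the final bypass
    opening, and the first time the demand/position gap exceeded the alarm.
    """
    if bypass_input not in ("demand", "position"):
        raise ValueError("bypass_input must be 'demand' or 'position'")
    tcv_demand = surplus = 0.0
    bypass = STEAM_IN
    alarm_at = None
    for t in range(1, seconds + 1):
        tcv_demand = min(100.0, tcv_demand + RAMP)
        tcv_position = min(tcv_demand, TCV_LIMIT)  # starved of hydraulic pressure
        if alarm_at is None and tcv_demand - tcv_position > MISMATCH_ALARM:
            alarm_at = t
        # Assumed bypass law: bypass takes the flow the TCVs are not taking.
        tcv_term = tcv_demand if bypass_input == "demand" else tcv_position
        bypass = max(0.0, STEAM_IN - tcv_term)
        surplus += STEAM_IN - (tcv_position + bypass)  # steam with nowhere to go
        if surplus >= TRIP_MARGIN:
            return {"trip_at": t, "bypass": bypass, "alarm_at": alarm_at}
    return {"trip_at": None, "bypass": bypass, "alarm_at": alarm_at}


if __name__ == "__main__":
    for mode in ("demand", "position"):
        print(mode, simulate(mode))
```

In this model the demand-fed bypass law closes the bypass while the TCVs stay shut, so the surplus accumulates to a trip, whereas the position-fed variant keeps steam removal equal to steam production; the demand/position gap is visible in both cases before the trip point.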

After the event occurred, operability and technical evaluations were prepared which evaluated this event and the impact on the future operability of the TBVs. As a result, it was determined that operating crews would be required to take the appropriate action to apply a Minimum Critical Power Ratio (MCPR) Operating Penalty (TS 3.7.7) when reactor power is between 25% and 50%, since TBV operability is currently not assured when the reactor is operating between 25% and 50% power. This action was applied to both Units 1 and 2, and will remain in effect until the DEHC system is modified to address this issue.

Unit 2 was subsequently restarted and placed on-line on April 20, 2012, without issues.

A root cause investigation was initiated to determine the causes associated with the Unit 2 system response that led to the Unit 2 Reactor scram as well as any programmatic or organizational weaknesses associated with the event.

The safety significance of this event was minimal. This event is reportable (Unit 2) per 10 CFR 50.73(a)(2)(iv)(A), which requires the reporting of any event or condition that resulted in manual or automatic actuation of the reactor protection system (RPS), including reactor scram; (Units 1 and 2) 10 CFR 50.73(a)(2)(i)(B), which requires the reporting of any operation or condition which was prohibited by the plant's Technical Specifications; and (Units 1 and 2) 10 CFR 50.73 (a)(2)(v)(C), which requires the reporting of any event or condition that could have prevented the fulfillment of the safety function of structures or systems needed to control the release of radioactive material.

C. CAUSE OF EVENT

The root cause of the Unit 2 reactor high pressure scram during AVR testing was the failure to establish sufficient controls over the DEHC contractor (GE) for the delivery of the required configuration change products. These inadequate controls enabled a latent design deficiency to be created when the GE Mark VI digital control system (DEHC) was installed on Unit 2 in place of a GE Mark I analog EHC system.

The latent design deficiency was that the Mark VI design assumed IV EHC shutoff valves [SHV] existed in the original Mark I design. These shutoff valves are needed for proper operation of the Mark VI design, but they did not exist in the original Mark I design for Quad Cities. This absence of IV EHC shutoff valves, in combination with the following Mark VI design attributes, contributed to the event.

  • Removal (from Mark I design) of an IV servo position bias used to close the disk dump valve upon fast-acting solenoid valve (FASV) energization.
  • Removal (from Mark I design) of a time delay for re-opening the IV servo valve upon FASV de-energization.

During AVR testing this latent design deficiency resulted in the failure of the IV disk dump valves to fully seat, which in turn caused the diversion of approximately 75 gallons per minute of EHC fluid from the valve actuating supply header directly to the drain header via the unseated IV disk dump valves. This fluid diversion resulted in the inability of the TCVs to open due to insufficient EHC fluid pressure (despite having an open demand signal). The TBVs began to close due to the TCV open demand signal which resulted in a reactor pressure increase and ultimately a reactor scram due to sensing high reactor pressure.

This design deficiency was not identified in either the design phase of DEHC (initiated in 2003), or the modification testing phase of the installation in Unit 1 (2007), and in Unit 2 (2008). The vendor (GE) is also performing a Root Cause Analysis specific to this event.

D. SAFETY ANALYSIS

Safety Impact

Post-modification AVR testing was designed with a load reject occurring at a low power level where the expected response was that reactor pressure would be maintained without a scram, and main turbine speed would be maintained without a turbine trip. However, at 33 seconds after the load reject was initiated, a reactor scram occurred based on high reactor pressure. This AVR testing resulted in a station event because the turbine DEHC system was not able to adequately control TCV and TBV operation concurrent with a low power load reject, and hence reactor pressure increased unexpectedly and caused a reactor scram.

The DEHC system design is intended to use TBVs within the turbine bypass capacity to control reactor pressure in the region of low power levels of greater than 10% Rated Thermal Power (RTP) to the Power Load Unbalance (PLU) set-point of approximately 50% RTP, where a load reject could occur without a turbine trip, and without a reactor scram. If TBVs are unable to control reactor pressure when operating within turbine bypass capacity, coincident with a load reject at reduced reactor power, a reactor scram may occur. Above approximately 50% RTP, a scram is expected to occur on a load rejection condition as a result of a PLU condition (where TBV operation is not impacted).

While this event occurred at 21% reactor power, the failure of the DEHC system to use TBVs to control pressure when operating within turbine bypass capacity is a non-conforming condition related to the DEHC system design. As a result, when between 10% and 50% RTP, this condition resulted in the TBV system being inoperable. Corrective actions applied (until modifications to DEHC are completed) included evaluating the impact of the event on the operability of the TBVs, and applying a Minimum Critical Power Ratio (MCPR) Operating Penalty (TS 3.7.7) when reactor power is between 25% and 50%.

Since application of a MCPR Operating Penalty (TS 3.7.7) was not evaluated during the period of time while the DEHC would not have assured proper TBV operation (i.e., since the DEHC installation on each unit), this issue is reported for Unit 2 and additionally for Unit 1 under 10 CFR 50.73(a)(2)(i)(B), which requires the reporting of any operation or condition which was prohibited by the plant's Technical Specifications, since a MCPR penalty would have been required at some times during this time period (such as during unit startups).

Although this issue is isolated to the event involving the potential improper TBV operation during a low power turbine generator load rejection transient, the safety function of the TBVs and MCPR penalty is to prevent reactor fuel failure due to inadequate cooling. Hence this issue is reported for Unit 2 and additionally for Unit 1 under 10 CFR 50.73 (a)(2)(v)(C), which requires the reporting of any event or condition that could have prevented the fulfillment of the safety function of structures or systems needed to control the release of radioactive material, since the fuel cladding is a barrier that supports the control of the release of radioactive material.

The safety significance of this event was minimal. Following the reactor scram, reactor water level decreased to approximately zero inches, which resulted in automatic Group II and III isolations (Reactor Water Clean Up and Secondary Containment Isolation), as expected. There were no complications during the reactor scram and subsequent turbine trip, and other than the initial unexpected DEHC response, all systems functioned as required.

Operators performed required actions safely and in accordance with procedures and training.

Risk Insights

Automatic scrams are not explicitly modeled as initiators in the PRA. In this case, the RPS worked properly to detect a scram initiating signal, process the signal and execute the scram. All other systems subsequently operated as expected.

The only contribution to PRA risk, therefore, was the initiator for a turbine trip. A further consideration is this event occurred only at approximately 25% of full power, rather than 100% reactor power. This further decreases the risk, resulting in a calculated value for delta CDF of less than 1.0E-07/yr.

In conclusion, the overall safety significance and impact on risk of this event were minimal.

E. CORRECTIVE ACTIONS

Immediate:

1. Operability and technical evaluations were prepared which evaluated this event and the impact on the operability of the TBVs. It was determined that operating crews will be required to take the appropriate action to apply a Minimum Critical Power Ratio (MCPR) Operating Penalty (TS 3.7.7) when reactor power is between 25% and 50%, since TBV operability is currently not assured when the reactor is operating between 25% and 50% power. This action was applied to both Units 1 and 2.

Follow-up:

1. DEHC Vendor to develop a hardware/software modification to the DEHC system to correct the design deficiency.

2. Modifications to the Unit 1 and Unit 2 DEHC systems to correct the design are planned during the upcoming Unit refueling outages.

3. A Modification Improvement Quality Action Plan has been completed (but was not in effect prior to the DEHC post modification testing activities) with actions addressing site modification quality issues.

4. A procedure has been developed that provides guidelines for developing and implementing Factory Acceptance Tests.

F. PREVIOUS OCCURRENCES

The station events database, LERs, EPIX, and NPRDS were reviewed for similar events at Quad Cities Nuclear Power Station. This event was caused by the failure of Exelon to establish sufficient controls over the DEHC contractor (GE) for the delivery of the required configuration change products. Based on the causes of this event and associated corrective actions, the events listed below, although similar in topic, are not considered significant station experiences that would have directly contributed to preventing this event.

  • Station Events Database - Issue Report (IR) 649176 (07/10/07), Corporate Root Cause Report: BWR Max Combined Flow Limit Setting. The root cause report (RCR) identified root causes of modification failures as Exelon Engineering not sufficiently engaged with modification product quality for a large scale project, and failure of Exelon to establish sufficient controls over the DEHC contractor for the delivery of the required configuration change products from the sub-contractor. The results of that investigation identified issues which closely parallel issues from the current LER; however, the design and testing requirements of the DEHC installation had been finalized several months prior to full implementation of RCR 649176 actions. Thus, the conditions that led to the present event were already in place as latent vulnerabilities. This issue and resulting actions are addressed in the Cause of Event and Corrective Actions sections of this LER.
  • LER 254/2011-002-00 (08/12/11), Unit 1 Manual Reactor Scram Due to Steam Leak (06/13/11) - A contributing cause to the event was that the Owner's Acceptance Review did not adequately challenge the engineering contractor design of the original instrument lines with respect to piping vibrations at the installation location.

Corrective actions included developing and performing training for Engineering personnel on the technical review requirements when performing Owner's Acceptance Reviews. The LER event of 06/13/11 and cause are not directly applicable to this DEHC LER event and cause, since the missed review of the vendor design related to the LER of 06/13/11 was caused by failure to apply the existing vendor review process, whereas the DEHC LER event was caused by lack of a rigorous process for vendor reviews in place at the time of design and testing (2003 - 2008). Hence, although the two LERs are similar in topic area (scram related to technical reviews of vendor designs), the LER of 06/13/11 is not considered a significant station experience that would have directly contributed to preventing this DEHC LER event.

G. COMPONENT FAILURE DATA

Although no specific component failure occurred during this event, the DEHC system did not operate as expected.

The DEHC system is manufactured and designed by General Electric (GE) and is a Mark VI model.

This event has been reported to EPIX as Failure Report No. 1153.