05000269/LER-2007-001

EVALUATION:

BACKGROUND

Each unit at ONS is equipped with a reactor trip feature which is generated from the Reactor Coolant Pump Power Monitor (RCPPM). The pump power monitor trip provides protection against power operation with less than the appropriate number of reactor coolant pumps in operation for the amount of power (neutron flux) being generated. The pump power monitor trip will generate a reactor trip signal above 2% power if fewer than 3 reactor coolant pumps are operating or the power to the pumps has degraded to 75% of nominal level for 200 milliseconds.

To protect the generator from damage against a loss of the magnetic field, each unit is equipped with one Generator Loss of Excitation relay (labeled 40-1). The relay is calibrated such that it will actuate within a range of reactance/resistance combinations. In the event of an under excitation of the main generator, primary relay 40-1 will provide an almost instantaneous signal to actuate the 86GA relay (Generator Lockout) which initiates a trip of the associated turbine, opens unit tie Power Circuit Breakers (PCBs) to the switchyard, initiates a rapid transfer of plant auxiliary load busses to a startup transformer, and opens the generator field breaker. Each unit is also equipped with a Loss of Excitation relay (labeled 40-2) that serves as a backup to the 40-1 relay. The actuation of this relay will trigger a 750 millisecond timer delay (if unit voltage is below normal) and 30 second time delay (if unit voltage is normal) which cause a generator lockout.

There are two switchyards on the ONS site; a 230KV yard and a 525KV yard. Each switchyard contains two buses designated as Yellow and Red. The breakers within the switchyards are designed with a breaker-and-a-half scheme such that either bus or any PCB can be disconnected without de-energizing any circuit. The 230KV and 525KV switchyards are connected together through an autotransformer. Within each of the ONS switchyards, there are a number of transmission lines that interconnect to other switchyards on the Duke Energy grid. For example, the Jocassee Hydro Station switchyard has a transmission line designated as the "White" line that is connected to the Oconee 230KV switchyard via PCBs 11 and 12. In addition, the Jocassee "Black" line is connected to the Oconee 230KV switchyard via PCBs 14 and 15.

For Units 1 and 2, output voltage of the generator is stepped up from 19KV to 230KV through a main transformer. Unit 1 is connected to the 230KV switchyard via PCBs 20 and 21. Unit 2 is connected to the 230KV switchyard via PCBs 23 and 24. For Unit 3, output voltage of the generator is stepped up from 19KV to 525KV through a main transformer. Unit 3 is connected to the 525KV switchyard via PCBs 58 and 59.

At 1654 hours0.0191 days <br />0.459 hours <br />0.00273 weeks <br />6.29347e-4 months <br /> on February 15, 2007, an external electrical fault created a grid disturbance in the 230 KV switchyard which serves ONS Units 1 and 2. The resulting voltage transient ultimately led to a reactor trip for both units via the protective relaying described above.

This event is reportable per 10CFR 50.73(a)(2)(iv)(A) because a valid Reactor Protective System (RPS) [JC] actuation occurred, including reactor [RCT] trip.

Prior to this event Units 1 and 2 were operating at 100% power.

Emergency Feedwater (EFW)[BA] flowpath 2A was inoperable (but available) prior to the event due to testing of throttle valve [FCV] 2FDW315. No other safety systems or components were out of service that would have contributed to this event.

EVENT DESCRIPTION

On February 15, 2007, Oconee Nuclear Station experienced a trip of Units 1 and 2. The initiating event lasted less than one second.

The sequence of events, including subsequent equipment failures and operator actions during recovery, is described below:

February 15, 2007 at 1654 hrs:

A breaker [52] failure occurred at Jocassee Hydro Station busline Z phase to fault to ground. The fault produced a voltage/current transient in the 230KV switchyard at Oconee Nuclear Station. The fault was cleared by protective relays [67] in the Oconee 230 KV switchyard. The resulting grid disturbance, however, ultimately resulted in the trip of the reactors at Oconee Units 1 and 2 in less.than one second. The relevant component actuations and/or trips are discussed below.

Immediate Actuations/Failures - Units 1 & 2

• The grid disturbance was characterized by a prolonged (less than one second) voltage/current transient and wide phase angle swing. Generator Loss of Excitation Relay (40-1) [40] interpreted the phase angle change as under-excitation and actuated Generator Lockout Relay [86] almost instantaneously.

This was not an expected response.

• Generator Lockout Relay [86] initiated a turbine [TG] trip, opened the unit tie Power Circuit Breakers (PCB's 20 & 21 for Unit 1, PCB's 23 & 24 for Unit 2) [52] to the switchyard, initiated a rapid transfer of auxiliary loads from the normal source (1T, 2T) [XFMR] to the startup source (CT-1, CT-2) [XFMR], and opened the generator field breaker [41]. This relay performed as expected.

• The voltage sag during the event was as much as 39% on one phase for approximately 260 ms. Reactor Coolant Pump Power Monitor [MON] generated a reactor trip signal in less than one second (expected response) on loss of power due to a power deficiency of greater than 25% for greater than 200 ms. All four channels of the Reactor Protection System (RPS) [JC] were tripped, and the reactor [RCT] was tripped. All control rod drive breakers opened and control rods dropped into the core as expected.

On the primary side, Reactor Coolant Pumps [AB][P] continued to operate and provide core cooling. RCS pressure, temperature, flow, and inventory remained within expected post-trip limits. High Pressure Injection (HPI) Pump 1B [BG][P] auto started on low seal injection flow caused by momentary interruption of power to the operating HPI pump (1A). This low seal flow interlock is not an Engineered Safeguards actuation and is not reportable under the safety system actuation criterion in 10 CFR 50.73 (a)(2)(iv)(A).

Secondary side response was not normal. Transfer of auxiliary loads from the normal power source (Auxiliary Transformer 1T) to the startup source (Startup Transformer CT-1) is accomplished via a switch on the main feeder bus normal breakers. Failure of this switch resulted in slower than expected load transfer. The slow bus transfer resulted in the loss of the Hotwell Pumps [P] and Condensate Booster Pumps [SD][P], both of which were tripped by their low voltage relays. With these pumps tripped, Main Feedwater Pumps [SJ][P] tripped on low suction pressure after 90 second time delay (as designed).

Motor Driven Emergency Feedwater Pumps (1A MDEFWP and 1B MDEFWP) [BA][P] autostarted at 16:54:19 on Low MFDWP Discharge Pressure signal. This was a normal response to a valid signal. Turbine Driven Emergency Feedwater Pump [BA][P] started (as expected) at 16:54:22, also on Low MFDWP discharge pressure. Steam Generator [SG] level was established and controlled at approximately 30", which is within design limits. A brief spike to 120"-130" was observed during this time. The spike was evaluated by engineering to have been the result of pressure transients in the steam generators attributed to the lifting of relief valves, which is an expected and acceptable response.

Main Steam Relief Valves [RV] lifted and reseated at > 90% of set pressure as designed.

Upper Surge Tank (UST) [TK] auto-isolated as a result of the voltage transient and slow transfer. There was no adverse impact to trip recovery, as this is a fail-safe feature which preserves UST inventory for the Emergency Feedwater System.

Loss of secondary loads resulted in water hammers throughout the secondary side of the plant. The Condensate Steam Air Ejectors (CSAEs) utilize main steam (MS) to draw vacuum on the hotwell and are cooled by the condensate system. When condensate flow ceased, and MS continued to be supplied to the CSAEs, the water immediately around the CSAEs heated up and flashed to steam. The trapped steam then recondensed as it mixed with cooler water trapped in the condensate line. This flashing and recondensing around the CSAEs caused waterhammering and significant shaking of the line. A damage assessment was performed and identified additional inspections/repairs required for startup. This assessment is captured in the Corrective Action Program.

Two additional component trips occurred as a result of the slow bus transfer. The Spent Fuel Pool Cooling Pumps [DA][P] tripped off for a short time. Pool temperatures remained stable until pumps were restored. Also, Control Room Area Chiller A (powered from Unit 1) tripped off and was restored in about an hour. Control room habitability was not significantly affected. The resulting temperature increase in the Equipment Room and Cable Room was also minimal (3-6 degrees) and remained within TS limits.

Unit 1 Emergency Operating Procedure (EOP) was entered. The EOP directed entry into Recovery From Loss Of Power Abnormal Procedure (AP/1/A/1700/11). The AP directed cooldown per normal shutdown procedures (OP/1/A/1102/10). Reactor coolant pumps [AB][P] provided forced flow of primary coolant. Emergency Feedwater pumps [BA][P] provided feedwater flow for primary-to-secondary heat transfer. Atmospheric dump valves [V] were used to reject heat to atmosphere due to degrading condenser [COND] vacuum and increasing hotwell level. Low Pressure Injection [LPI] provided decay heat removal when the unit reached Mode 4.

February 16, 2007 at 2210 hrs:

lA MDEFW Pump [BA][P] was declared inoperable on high bearing temperature. There was no adverse impact to the trip event, as the failure occurred after the unit had reached Mode 4 and long term core cooling had been established by the LPI system. Therefore, the pump operated for its required mission time for this event.

February 23, 2007 Unit 1 was returned to service following performance of appropriate post-trip reviews and completion of recovery actions per station procedures.

Reactor Coolant Pumps [AB][P] continued to operate providing forced primary coolant circulation. Rapid power transfer was successful and widespread under-voltage component trips did not occur as on Unit 1. Secondary systems remained in service and provided heat transfer capability. Therefore, shutdown to Mode 4 was not necessary. Main Feedwater Pump 2A [SJ][P] continued to operate providing primary-to-secondary heat transfer, allowing normal shutdown to Mode 3. Steam generator levels were maintained at the normal post-trip levels. Feedwater Pump 2B [SJ][P] tripped on high discharge pressure due to a failure of its hydraulic controls.

This unexpected trip had little or no impact on the event, since the 2A pump remained in service. The trip has been evaluated within the Corrective Action Program. Turbine Bypass Valves [V] were used to direct steam to Condenser [COND], providing heat rejection.

The Concentrated Boric Acid Storage Tank Pump breaker was noticed open after the trip. It is believed to be the result of the undervoltage transient. The pump was not in service at the time of the transient and there was no effect on unit operation. The pump was operated on 2/16/07 at 0435 and again at 1005 with no apparent problems.

Unit 2 was returned to power operation. on February 18, 2007.

CAUSAL FACTORS

A properly designed protective relaying scheme should have enabled the units to withstand a switchyard transient of this magnitude and duration. However, a wiring design error in the loss-of-excitation relay (40-1) caused the relay to trip the Unit 1 and 2 generators and turbines through the generator lockout scheme. A latent design error existed in this relay and its leads were installed according to this error at initial installation (ie, rolled leads). Had this error not been present, testing has shown that the relay would not have tripped the unit.

The slow bus transfer was caused by incorrect setting of the fast contacts located on the auxiliary switches on the Main Feeder Bus Normal Breakers (N-Breakers). This error has been present since original installation. The incorrect setting caused the fast contacts to operate slower than designed. The slower operation of the fast contacts prevented completion of a fast transfer in less than 60 milliseconds as designed.

The 1A MDEFWP failure (high bearing temperature) resulted from improper installation of its oil slinger ring, which was caused by a procedure deficiency.

The 2B MFDWP control failure was determined by engineering evaluation to be the result of debris in the Main Feedwater Pump Turbine (MFDWPT) hydraulic control system.

CORRECTIVE ACTIONS

Immediate:

1. Emergency Operating Procedures' (EOP) (EP/1/A/1800/001 and EP/2/A/1800/01) were entered on both Units. Immediate manual actions were taken as prescribed by the EOP to place the plant in a safe and stable operating condition as quickly as possible.

For Unit 1, the EOP directed entry into AP/1/A/1700/11, Abnormal Procedure for Recovery From Loss of Power. Ultimately, both units were shut down in a controlled manner by entry into shutdown, procedure OP/1,2/A/1102/010.

Subsequent:

1. A design change (OD-300025) was prepared and implemented to correct the deficient 40-1 wiring on Unit 1 prior to placing the unit on line.

2. 40-1 relays on Units 2 and 3 main generators were blocked while these units remained on line.

3.40-1 relay on Unit 2. was re-wired per design change OD-201613 during refueling outage 2EOC22.

4. The Main Feeder Bus Normal Breakers auxiliary switch contacts were adjusted on Units 1 and 2 so the special fast acting contacts are aligned per manufacturer's instructions.

5. A review of previous LERs involving unit trips and loss of power from 1973 to present day was performed. The review found no clear history of trips in which slow bus transfer was manifested in ways that should have been readily identified.

6.A new outboard bearing was installed in 1A MDEFWP. After post­ maintenance testing, the pump was returned to service.

7. All Motor Driven Emergency Feedwater Pumps and other pumps of similar make and model were inspected to ensure correct installation of the oil slinger rings.

8. An engineering review of the 2B MFDWP trip was performed.

Additional testing of the hydraulic controls indicated that the obstruction in the hydraulic lines had cleared and the pump was returned to service.

Planned:

1. Unit 3 40-1 relay wiring deficiency will be corrected by design change OD 301612 during refueling outage 3E0C23.

2.A procedure change will be made to ensure the correct alignment of special fast-acting switch contacts.

3.Fast-acting switch contacts on Unit 3 Main Feeder Bus Normal Breakers will be adjusted during the next refueling outage in the fall of 2007 (3E0C23).

4.Maintenance procedures will be revised to ensure correct installation of oil slinger rings on all motor-driven emergency feedwater pumps. Expected completion date is October 20, 2007.

There are no NRC Commitment items contained in this LER.

SAFETY ANALYSIS

The Unit 1 trip was complicated by a non-recoverable loss of main feedwater (condenser vacuum problems and increasing hotwell levels impacted recovery efforts) following the trip. As a consequence of losing main feedwater, this event has been evaluated to have a Conditional Core Damage Probability (CCDP) that is greater than 1E­ 06 but less than 1E-05. The Conditional Large Early Release Probability (CLERP) is approximately a factor of 100 lower than the CCDP and therefore the CCDP result is limiting.

The Unit 2 trip was uncomplicated and challenged no accident mitigation systems. As a consequence, this event has been evaluated to have a CCDP that is less than 1E-06. The CLERP is approximately a factor of 100 lower than the CCDP and therefore the CCDP result is limiting.

This event included four functional failures:

1. The 40-1 relay failure on Unit 1, which caused the unit to trip.

2. The 40-1 relay failure on Unit 2, which caused the unit to trip.

3. The auxiliary switch contacts on the Unit 1 normal main feeder bus breakers which caused the slow bus transfer.

4. The lA MDEFW Pump bearing failure. This failure was addressed as a separate item within our corrective action program, which included its own reportability evaluation. This failure was determined to be NOT REPORTABLE under 10 CFR 50.73 because the failure occurred after the pump had performed its required function.

All of the above failures have been determined to be Maintenance Rule Functional Failures. The auxiliary switch contact failure and the MDEFW Pump bearing failure have been evaluated as Maintenance Preventable Functional Failures. The 40-1 relay failures were not.

The failure of the 2B MFDWP hydraulic controls was not a functional failure. The feedwater system is monitored under the plant level criteria. Since this failure did not cause a reactor trip, a power transient of > 10%, or a safety system actuation, there was no functional failure.

No fission product barriers were compromised by this event. Thus there was no actual impact on the health and safety of the public.

ADDITIONAL INFORMATION

There were no releases of radioactive materials, radiation exposures or personnel injuries associated with this event.

The following failures are reportable under the Equipment Performance and Information Exchange (EPIX) program:

1. Unit 1 40-1 Relay Failure This failure caused the unit to trip. The component ID is ON1 EL RL 401. The relay is a General Electric (GE) model number CEH51A. The EPIX report number is 879, dated May 23, 2007.

2. Unit 2 40-1 Relay Failure This failure caused the unit to trip. The component ID is ON2 EL RL 401. The relay is a GE model number CEH51A. The EPIX report number is 880, dated May 23, 2007.

3. Fast Transfer Switch Failure The failure of these switches caused the slow bus transfer on Unit 1. The component IDs are 1EL BKB1T03_AuxSwitch and 1EL BKB2T11_AuxSwitch. The switches are Asea Brown Boveri (ABB) model 700038K51. The EPIX Report number is 877, dated May 21, 2007.

4. lA MDEFW Pump Failure The failure of the 1A MDEFW Pump did not significantly complicate the event, as the failure occurred after decay heat removal had been established with the Low Pressure Injection System in Mode 4.

Nevertheless, this has been evaluated as a functional failure.

The component ID is 1A FDWPU0004. It is a Sulzer Bingham Model 3X4X9 E MSD. EPIX Report No. 858 was submitted on March 12, 2007.