05000287/LER-2005-002
Docket Number | |
---|---|
Event date: | 08-31-2005 |
Report date: | 10-31-2005 |
Reporting criterion: | 10 CFR 50.73(a)(2)(iv)(A), System Actuation |
Initial Reporting | |
ENS 41966 | 10 CFR 50.72(b)(2)(iv)(B), RPS System Actuation, 10 CFR 50.72(b)(3)(iv)(A), System Actuation, 10 CFR 50.72(b)(2)(i), Tech Spec Required Shutdown, 10 CFR 50.72(b)(2)(iv)(A), System Actuation - ECCS Discharge |
2872005002R00 - NRC Website | |
EVALUATION:
BACKGROUND
This event is reportable per 10 CFR 50.73(a)(2)(iv)(A), "Any event or condition that resulted in manual or automatic actuation..." of listed systems. The systems listed in 50.73(a)(2)(iv)(B) which were actuated during this event are:
1. Reactor Protection System (RPS) [EIIS:JC] (reactor trip)
2. Containment Isolation signals [EIIS:JM] affecting containment isolation [EIIS:NH] valves in more than one system
3. Emergency core cooling systems (ECCS) [EIIS:BG] (high-head injection system) (i.e. High Pressure Injection (HPI))
4. hydroelectric facilities [EIIS:EK] used in lieu of emergency diesel generators (EDGs) at the Oconee Station.
A Digital Control Rod Drive (CRD) Control System (DCRDCS) [EIIS:AA] was installed during refueling outage 3E0C21, the most recent outage which ended 1-2-2005.
The DCRDCS receives electrical power via two redundant paths.
Breaker SB-1 is one of the internal DC breakers for the primary path. It provides power to the processor controlling rod motion.
Breaker 2X2-5D is the AC input breaker for the alternate path.
Several relays provide Reactor Trip Confirm (RTC) signals to various systems to initiate actions based on post-trip logic. The DCRDCS contains one such relay that is energized to provide a separate RTC signal to the Integrated Control System (ICS) [EIIS:JA]. This signal, which is not safety related, causes two ICS responses following a trip. The first response is to bias the Main Steam (MS) [EIIS:SB] Header Pressure control setpoint by +125 psig (to 1010 psig from 885 psig). The increased header pressure results in a higher Main Steam saturation temperature; thereby raising the effective temperature of the secondary heat sink and decreasing heat transfer from the Reactor Coolant System (RCS) [EIIS:AB]. This limits the cooldown and shrinkage of the RCS water inventory. The second ICS response to an RTC signal is to revise the rate at which Main Feedwater [EIIS:SJ] demand is reduced from a normal value of 20%/minute to a rate of 600%/minute following a trip.
Technical Specification (TS) 3.3.7 requires the Emergency Safeguard (ES) Protective System Digital Actuation System [EIIS:JE] to be operable in Modes 1 and 2 and also in Modes 3 and 4 when the associated components are required to be operable. There are eight required channels (four functions, each having two redundant channels). Condition 'A' allows one or more channels to be out of service for up to one hour, after which the associated components must either be placed in their ES configuration or be declared inoperable.
Prior to this event Unit 3 was operating at 100% power with no safety systems or components out of service that would have contributed to this event.
EVENT DESCRIPTION
On 8-31-05, at approximately 1420, Nuclear Equipment Operators opened the Unit 3 CRD alternate control power path breaker (2X2-5D) as part of a Preventative Maintenance activity. In this configuration the DCRDCS primary DC power path carried the full system load. This was the first time the system was placed in this configuration since the DCRDCS was installed.
Trip:
At 1428:27, SB-1, the primary path internal DC breaker to the processor controlling rod motion, tripped. The resulting loss of DCRDCS control power caused all control rods to drop. Subsequent investigation revealed that, with power removed from the alternate power path, breaker SB-1, rated at 63 Amps for nominal ambient temperature, was operating near rated load.
Trip Response:
At 1428:27 the loss of CRD control power caused several RTC signals which immediately resulted in a generator backup lockout and a turbine trip. Due to the turbine trip signal, the Emergency Power Switching Logic (EPSL) caused unit AC power to transfer from the Normal to Start-up source. This was a normal post trip transfer.
At 1428:28 RPS channels A, B, C, and D tripped on a turbine trip signal. All CRD breakers tripped in response to the RPS signal.
All control rods dropped into the core within the required response times.
The operators performed immediate manual actions and entered the Emergency Operating Procedure (EOP).
ICS did not bias the MS pressure setpoint. Investigation later found that the DCRDCS modification had revised the logic of the relay which supplies the RTC signal to ICS. The modification changed the relay logic to require power in order to provide the RTC signal to the ICS. Since the initiating event was a loss of DC control power, this relay did not change state and ICS MS header pressure setpoint remained at approximately 885 psig.
Main Feedwater remained in service. Flow demand was automatically reduced by the ICS but, because the RTC signal had not been received by ICS, the demand was reduced at a rate of 20%/minute instead of the accelerated post trip rate of 600%/minute. Steam Generator inventory remained within expected limits, but did not decrease as fast as normal because feedwater demand/flow was not reduced at the faster rate. This had no significant impact on the transient response.
Normal post trip response is for RCS average temperature to reduce from 579F to 555F. In this event, due to the lower MS pressure/saturation temperature, RCS average temperature reduced to 535F. As a result, RCS inventory went from 222 inches in the pressurizer to off scale low. RCS Pressure dropped from 2155 psig to 1595 psig, which was below the 1600 psig setpoint for actuation of Engineered Safeguards (ES) [EIIS:JE] Channels 1 and 2, both of which actuated.
ES Channels 1 and 2 actuate the following components:
- High Pressure Injection (HPI) which is part of Emergency Core Cooling.
Prior to the trip, HPI pump A was providing normal make up and RCP seal injection flow. Upon ES actuation at 1429:46 all three HPI pumps and valves in both injection headers received and responded to ES signals.
The HPI pumps continued to operate in ES mode until Pressurizer level was restored to approximately 120 inches. Flow was throttled manually per the EOP.
Pressurizer level continued to increase and at approximately 170 inches, Operators took action to restore letdown. HPI pump C was taken to manual and secured at 1433:28. At approximately 220 inches in the pressurizer, letdown was reestablished. Pressurizer level remained approximately 200 inches until the pressurizer saturated, at which time pressurizer level was reduced to a range of 110 to 115 inches. The HPI pump B was secured at 1514:54 with the RCS stabilized at 2190 psig and 541F.
- Keowee Emergency Start Channels A and B, part of Emergency Power.
Keowee Emergency Start Channels A and B each start both Keowee Hydro Units, which provide emergency power. Both Keowee units started and came to rated speed and voltage.
Since there was no disruption of power from the Start-up Source (switchyard), there was no demand for either Keowee unit/emergency power path to actually connect to supply Unit 3 loads. At 1635 the associated ES signals were taken to manual, the emergency start signals were reset, and the Keowee Units were secured per administrative guidance for bypassing safety systems.
- Emergency Power Switching Logic (EPSL) Load Shed Initiate.
This signal arms logic to permit a load shed (tripping of non-essential electrical loads) for certain Emergency Power scenarios. Since there was no disruption of power from the Start-up Source (switchyard), the logic to initiate Load Shed was not challenged.
This signal also trips the normal feeder breaker supplying power to the Stand-by Shutdown Facility (SSF) [EIIS:NB]. As a result of tripping the SSF normal feeder breaker, the SSF was powered from its batteries. The SSF power system was declared out of service at 1550 and the appropriate TS condition was entered. The ES Channel 1&2 signals to the Load Shed logic were reset to allow the SSF to regain normal power at 1634 per administrative guidance for bypassing safety systems.
- Non-Essential Reactor Building (RB) Containment Isolation [EIIS:NH], (i.e. containment penetrations which are considered Non-Essential with respect to support of operating systems).
Most of the valves receiving ES Channel 1 and 2 isolation signals are normally closed in Mode 1 and did not need to react. Isolation valves on the RCS Letdown, Reactor Coolant Pump (RCP) Seal Return, and RB Radiation Monitor [EIIS:IL] (inlet and outlet) penetrations were the only isolation valves challenged to change state and did so.
The RCS Letdown isolation valves were placed in manual and reopened per EOP enclosure 5.1 to re-establish normal letdown after Pressurizer level was restored as described above.
The RCP Seal Return isolation valves were placed in manual and reopened per EOP enclosure 5.1 to maintain seal flow with the RCPs in service.
At 1640, the RB Radiation Monitor inlet and outlet penetration valves were placed to manual and opened per administrative guidance for bypassing safety systems. At 1645, the RB Radiation Monitors were returned to service.
As the event progressed into the recovery phase, it was recognized that the EOP contained guidance to manipulate specific components when needed, but did not contain specific guidance to reset the ES signals or to assure all equipment was restored to normal alignments when appropriate. In this case, guidance existed in Operations Management Procedures (OMPs), which provided administrative directive level guidance. Using this guidance the operators put individual components in Manual and repositioned them to the non-ES state as described above.
As a result of the ES actuation, the EOP placed several other components which did not receive ES signals into specific alignments. The lack of procedural guidance extended to securing and repositioning these components to normal status also. The affected components included:
valves were opened. This was intended to prevent Low Pressure Injection (LPI) [EIIS:BP] Suction Piping overpressurization due to a previous design problem that had subsequently been corrected. This alignment resulted in some RB Spray water flowing from the BS system through a normally open header drain valve into the containment sump. The valves were reclosed at 1458 per administrative guidance for conditions where existing procedural guidance is determined to be inappropriate for current plant conditions.
- Units 1&2 and Unit 3 Outside Air Booster Fans (part of the Control Room Ventilation and Air Conditioning System [EIIS:VF]) were started manually. The fans were stopped at 0902 on 9-1-2005.
- Unit 3 RB Hydrogen Analyzers were started manually. They were returned to standby status at 0118 on 9-1-2005 per the system operating procedure.
- 3LPSW-251 and 3LPSW-252, Low Pressure Service Water (LPSW) [EIIS:BI] control valves for Decay Heat Coolers, were manually placed in the failed open position.
At 1715 on 8-31-05 the EOP was exited at Station Management direction and OP/3/A/1102/010 (Controlling Procedure For Unit Shutdown) was entered.
NRC notification was made at 1738 on 8-31-05 under 50.72(b)(2)(iv)(B) for RPS Actuation while critical and under 50.72(b)(2)(iv)(A) for valid actuations of ECCS, emergency power, and containment isolation. Event number 41966 was assigned.
Operations shift change occurred between approximately 1800 and 1900 hours.
Oncoming night shift Operations personnel discussed the absence of guidance to reset ES Digital Channels 1&2. At 2115 on 8-31-2005 they decided to declare both ES channels inoperable because they were not capable of automatic actuation. TS 3.3.7 (ES actuation system) Condition 'A' (one or more channels inoperable) was entered, which allows one hour to either position the associated components to their ES state or declare them inoperable. As described above, components affecting RCS Letdown, RCP Seal Return, and RB Radiation Monitor containment isolation valves, and two trains of HPI, were in Manual and not in their ES state.
Operations reset the ES channels at 2206, which was within the one hour required action time; therefore TS conditions for the affected components were not entered.
Consideration of Reportability under Additional Criteria:
The Operators recognized that the limiting condition TS 3.3.7 had not been satisfied for a time period longer than the one hour action time. If TS 3.3.7 Condition 'A' had been entered when the first component had been repositioned from its ES state and the affected components declared inoperable one hour later, TS 3.5.2 (HPI) Condition H and TS 3.6.3 (Containment Isolation Valves) Conditions B and D would have applied. TS 3.5.2 (HPI) Condition H requires entry into TS 3.0.3. Both TS 3.0.3 and TS 3.6.3 Condition D would have required entry into Mode 3. Since Unit 3 was already in Mode 3 in post-trip recovery, these TS conditions were satisfied.
An update to Event Number 41966 was made at 2156 on 8-31-2005 under 10 CFR 50.72(b)(2)(i), "Plant Shutdown Required by Technical Specifications" due to the conclusion that these TS conditions would have required initiation of a shutdown.
Since Unit 3 was already in Mode 3 before these TS should have been entered, guidance in NUREG 1022, Rev 2 indicates that this event is NOT reportable under this criterion. The applicable section states:
"The "initiation of any nuclear plant shutdown" does not include mode changes required by TS if initiated after the plant is already in a shutdown condition."
Since this criterion was reported as an update to the initial event, Duke elected not to retract it to avoid any potential confusion.
The conditions potentially requiring entry into TS 3.0.3 and TS 3.6.3 Conditions B and D were also evaluated for reportability as potential losses of safety functions. The ES automatic actuation system had already performed its function. Containment Isolation and HPI components had been taken to manual per the EOP to support functions of systems/components desired in the current condition.
Procedures require Operators to monitor for ES actuation conditions and to manually initiate or re-initiate ES if needed. Because Unit 3 was in Mode 3, adequate response time existed to credit manual operator response for performing the Containment and HPI functions in the unlikely case of a subsequent event while recovery from the initial event was still ongoing. Therefore Duke concluded the conditions were not a reportable loss of safety function or a safety system functional failure.
CAUSAL FACTORS
Following the reactor trip Duke initially began a post trip investigation to determine the cause of the trip and to evaluate plant/system response. The post trip investigation concluded that the reactor trip occurred due to the unexpected trip of DC breaker SB-1 and that ES actuation occurred due to a valid actuation. A Technical Issues Resolution (TIR) team was formed to determine the technical cause of the breaker trip and ES actuation.
Additionally, an independent Event Investigation Team (EIT) was formed to determine the root causes of these issues.
The TIR found that, when carrying full system load, breaker SB-1 was operating very near its nominal maximum load. The TIR concluded that breaker SB-1 tripped because the breaker was undersized and could not carry the full load of the DCRDCS.
The TIR found that the ES actuation occurred because the SB-1 trip isolated power from a RTC signal to the ICS. Therefore the ICS did not bias the MS pressure setpoint as designed. The failure mode of the interface between DCRDCS and ICS had been changed during the design of the DCRDCS modification in order to prevent a single-failure vulnerability.
The EIT validated the initial conclusions of the TIR and performed a root cause investigation of these two issues.
For the undersized breaker issue which caused the Unit trip, the EIT determined that the breaker was not designed for the operating conditions. The design of the breaker and power system was not verified as required by industry standards and Duke Power policy.
- No analysis of the breaker or power system design was performed by Duke or Vendor.
- No documented testing of the redundant power system was performed in either the Factory Acceptance Testing or Post Modification Testing.
For the interface between DCRDCS and ICS which caused the ES actuation, the EIT determined that a functional design deficiency in the failure modes of the ICS/DCRDCS interface was not adequately dispositioned in either the design or testing phases of the modification.
The EIT determined that a contributing cause was that management did not provide the processes, clarification of roles and responsibilities and management oversight required to support the DCRDCS modification.
In addition to the TIR and EIT investigations, an assessment of Operator action and procedural adequacy for this event was performed by Operations. Operations concluded that the Emergency Operating Procedure (EOP) (or an equivalent interfacing procedure) did not contain adequate guidance to reset the ES signals and to restore all equipment to normal alignment. As a result, Operators used administrative guidance, resulting in the TS ES alignment not being restored until approximately five hours after the EOP was exited. The assessment concluded that the actions taken were within established protocols and consistent with applicable training.
CORRECTIVE ACTIONS
Immediate:
1. Operators took immediate actions as directed by the EOP.
Subsequent:
1. A design change was implemented on Unit 3 to replace the breakers and cabling involved in the undersized breaker issue and to ensure adequately sized components are installed.
2. A design change was implemented to modify the DCRDCS to ICS interface. The revised interface uses a two out of three relay logic that de-energizes to actuate to ensure that the ICS receives a Reactor Trip Confirm signal.
3. Operations developed ES recovery guidance and placed it in the Unit specific EOPs.
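The failure-mode difference between the as-installed RTC relay and the revised two out of three interface can be checked with a small boolean model. This is an added illustration, not part of the LER and not Duke's or the vendor's design: the relay model, the scenario list and all function names are assumptions, while the 885/1010 psig setpoints and the 20 and 600 %/minute rates are taken from the report.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Relay:
    powered: bool          # control power available to the coil
    coil_ok: bool = True   # False models an open coil or broken wire

    def energized(self, drive: bool) -> bool:
        return self.powered and self.coil_ok and drive


def rtc_energize_to_actuate(trip, powered, failed):
    # As-installed failure mode per the report: the relay needs power to signal RTC.
    return Relay(powered, failed == 0).energized(drive=trip)


def rtc_deenergize_single(trip, powered, failed):
    # One relay held energized in normal operation; dropping out signals RTC.
    return not Relay(powered, failed == 0).energized(drive=not trip)


def rtc_deenergize_2oo3(trip, powered, failed):
    # Three such relays; RTC is signalled when at least two have dropped out.
    relays = [Relay(powered, coil_ok=(i >= failed)) for i in range(3)]
    return sum(not r.energized(drive=not trip) for r in relays) >= 2


def ics_response(rtc):
    """Return (MS header pressure setpoint in psig, feedwater demand ramp in %/min)."""
    return (885 + 125, 600) if rtc else (885, 20)


# Constructed scenarios: (name, reactor tripped, control power present, failed coils)
SCENARIOS = [
    ("normal operation", False, True, 0),
    ("reactor trip, control power available", True, True, 0),
    ("trip caused by loss of control power", True, False, 0),
    ("one coil open, no trip", False, True, 1),
    ("one coil open during trip", True, True, 1),
]

DESIGNS = {
    "energize-to-actuate": rtc_energize_to_actuate,
    "de-energize-to-actuate, single relay": rtc_deenergize_single,
    "de-energize-to-actuate, 2 out of 3": rtc_deenergize_2oo3,
}


def fmea():
    """Classify every design/scenario pair as ok, missed RTC or spurious RTC."""
    table = {}
    for design, rtc_fn in DESIGNS.items():
        table[design] = {}
        for name, trip, powered, failed in SCENARIOS:
            rtc = rtc_fn(trip, powered, failed)
            table[design][name] = "ok" if rtc == trip else ("missed" if trip else "spurious")
    return table


if __name__ == "__main__":
    for design, rows in fmea().items():
        print(design)
        for scenario, outcome in rows.items():
            print(f"  {scenario:40s} {outcome}")
```

In this model only the two out of three de-energize-to-actuate arrangement is free of both missed and spurious RTC signals across the listed scenarios; the energize-to-actuate relay misses the loss-of-control-power case that occurred in this event.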
Planned:
1. Revise the design for the scheduled DCRDCS installations on Units 1 and 2 to incorporate the two out of three DCRDCS to ICS interface relay logic.
2. Revise the design for the scheduled DCRDCS installations on Units 1 and 2 to incorporate the resized breakers and cabling.
3. Enhance the Design Change process to ensure that all important functions of a modification are identified and the design verified, and that the verification method is documented.
4. Enhance the Design Change process to require reviews of the impacts of design changes (e.g. reviews of FMEA) by responsible plant personnel.
Interim Planned Corrective Actions:
1. Enhance the Design Change process for tracking, review and resolution of items encountered during Post Modification testing including roles and responsibilities of appropriate personnel.
2. The FMEA for the DCRDCS modification will be analyzed for impacts on interfacing systems, and effects resolved.
3. Problems entered into the Corrective Action Process during the implementation of Unit 3 DCRDCS will be re-evaluated to ensure there are no issues remaining that adversely impact plant systems.
4. The 10CFR50.59 Evaluations for the DCRDCS modifications will be re-evaluated to include the identified DCRDCS/ICS Interface and any additional identified FMEA interactions.
There are no NRC Commitment items contained in this LER.
SAFETY ANALYSIS
The reactor trip was the unintended result of a design deficiency in that the newly installed CRD control power breakers were not adequately sized. However, the result was that the CRD system failed in the conservative direction by tripping the unit. By design, Reactor trip is the desired result for many postulated equipment failures.
The reactor trip was classified as an abnormal transient due to the fact that a valid ES actuation occurred. Given the fact that the ICS did not receive a RTC signal, and therefore did not shift the MS header pressure control setpoint, the plant response was as expected. All challenged ES components responded to the ES actuation as designed and as expected. The ES actuation, combined with Operator response, adequately and promptly terminated the overcooling transient. No cooldown rates were exceeded. ES flow rates were throttled to normal make up values within approximately four minutes as the RCS volume was restored. The volume injected in this mode was estimated to be between 3000 and 5000 gallons of water.
The significance of the ES signal associated with the reactor trip has been evaluated using the current update of the Oconee PRA. The Oconee PRA model was modified to include explicit modeling of the transient that occurred. The estimated increase in CDF is approximately 1.9E-06/yr. The dominant sequence contributing to the increase is an event where the operators fail to throttle HPI injection flow leading to a stuck open primary safety relief valve.
The increase in LERF is negligible.
Following the trip and ES actuation, there was a period of approximately five hours after the EOP was exited before Operations reset the ES channels and re-enabled automatic ES actuation.
Although the limiting conditions for operation were not met during this time, the condition was in accordance with TS because the Unit was in Mode 3, which would have been the result of the applicable action statements. During this time the affected systems/components which were not already in their ES state were available for operation in Manual mode with procedural guidance in place to take such actions if required.
Existing procedural guidance, analyses, past experience on the training simulator, and engineering judgment all support a conclusion that sufficient time existed to credit operator action to restore ES alignments if necessary, especially for an event initiated from Mode 3.
This event did not include a Safety System Functional Failure.
In conclusion, there was no actual impact on the health and safety of the public due to this event.
ADDITIONAL INFORMATION
This event is not recurring with respect to events involving reactor trip or actuation of systems listed in 50.73(a)(2)(iv)(B).
However, there have been previous events at Oconee, which were not reportable, with recurring themes of modification design inadequacies as well as inadequate or ineffective Post Modification Testing.
There were no releases of radioactive materials, radiation exposures or personnel injuries associated with this event.
This event is considered reportable under the Equipment Performance and Information Exchange (EPIX) program. The affected breaker was undersized in this application. Therefore, the fact that it tripped is not considered a component failure. It was an ABB 1 Pole miniature circuit breaker, Part number S271-K63.