05000287/LER-2008-001

LER-2008-001, Unit 3 Trip Due to Control Rod Drive System Processor Failure
Event date: 0-07-2009
Report date: 0-8-2008
Reporting criterion: 10 CFR 50.73(a)(2)(iv)(A), System Actuation
2872008001R00 - NRC Website

EVALUATION:

BACKGROUND

Inter Range Instrumentation Group (IRIG) is a serial time code format which is used by communication systems, data handling systems, tracking, and telemetry systems that require time-of-day information for data correlation with time. The IRIG code is used to synchronize the internal clock of multiple systems to a common source. There are six serial time codes: A, B, D, E, G, and H. Oconee utilizes the IRIG-B time code format.

The CRD system has two primary processors, P1 and P2. P1 controls rod movement, operator control panel (OPC) interface, and voltage monitoring of single rod power supplies (SRPS). P2 (system I/O) provides control rod position indication, AC voltage monitoring, and Absolute Position Indication power supply voltage monitoring.

This event is reportable per 10CFR 50.73(a)(2)(iv)(A) because a valid Reactor Protective System (RPS)[JC] actuation occurred, including reactor trip.

Prior to this event Unit 3 was operating at 100% power with the Standby Shutdown Facility out of service. No other safety systems or components were out of service and no evolutions were in progress that would have contributed to this event.

EVENT DESCRIPTION

On November 7, 2008 at 0834 hours, Oconee Nuclear Station experienced a trip of Unit 3. The sequence of events, including subsequent equipment failures and operator actions during recovery, is described below.

Sequence of Events:

  • Time synchronizing signal was received by the IRIG-B receiver in the Oconee Office Building (OOB).
  • Signal was split by the receiver in the OOB and sent to four locations: 1) Unit 1 and 2 cable room, 2) Unit 3 cable room, 3) 230 kV switchyard, and 4) Keowee Hydro station, as designed.

  • Unit 3 cable room receiver sent this signal to the Truetime SF DC clock in the Sequence of Events Recorder (SER) cabinet, as designed.
  • Zero date stamp output was sent from Unit 3 clock to CRD Primary Processors P1 and P2. The zero date value was not an expected output.
  • Unable to decode the zero date stamp, the Unit 3 CRD Primary Processors P1 and P2 completely stopped. This was not an expected response.
  • Without P1 and P2 operating, the CRD system input/output (I/O) modules went to fail safe state (i.e., off or zero) as designed.
  • The single rod power supplies (SRPS) turned OFF because they were no longer getting a command signal to energize any phases (expected response). At this time, the control rods dropped into the core. This was also an expected response.
  • Relays which are normally energized de-energized. This produced a Reactor Trip Confirm (RTC) signal. This was an expected response.
  • The RTC signal initiated a turbine trip and generator [TB] lockout. This was an expected response.
  • RPS received a Loss of Main Turbine Anticipatory Trip signal and tripped the CRD Breakers, as designed. All control rod drop times were within expected limits.

Post-Trip Response:

No safety system actuations occurred other than the RPS.

On the primary side, Reactor Coolant Pumps [AB][P] continued to operate and provide core cooling. RCS pressure, temperature, flow, and inventory remained within expected post-trip limits.

Secondary side response was normal. Main Steam Relief Valves (MSRVs) lifted and reseated as expected. Secondary systems remained in service and provided heat removal capability, and shutdown to Mode 4 was not necessary. The Unit was maintained in Mode 3 while post-trip reviews were completed, the cause of the event was identified, and it was determined to be safe to return the unit to service.

The sequence of events recorder (SER) time reset after the turbine trip event entry. This is related to the initiating cause of the event because the SER time signal comes from the same source as the time signal sent to the Control Rod Drive (CRD) System.

The CRD Operator Control Panel (Diamond) lost all indication. This is also a direct function of the shutdown of the CRD System and is the expected response given the processor shutdown.

No significant equipment failures were noted following the trip or during the recovery activities. The unit was returned to service on November 9, 2008 without further complication.

CAUSAL FACTORS:

After the reactor trip occurred, the Unit 3 SER data was reviewed.

Evaluation of this data indicated that the timestamp (Time of Year) had apparently "zeroed". A single frame of the IRIG-B format includes the fields: seconds, minutes, hours, and day of year. The IRIG signal that resulted in the processor module shutdown included a value of zero for each of the previously defined fields. While zero is within the expected range of values for seconds, minutes, and hours, the expected range of the day of year is 1-366 (accounting for leap year). The processor software does not recognize a zero day of year. Therefore, if an IRIG signal is decoded with zero in the day of year field and sent to the CRD processor, the processor software will initiate a kernel fault while attempting to update the time. The software is designed to expect the day of year field to roll over to one, not zero. In addition, the software is not designed to range check the day of year field.

In short, the Unit 3 reactor trip was the result of the CRD processor modules experiencing a kernel fault caused by the inability of the processor to decode an IRIG-B signal output with a day value of zero.
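The range check described above as missing, shown as an added example (not code from the report, the licensee or the CRD system vendor): decoded time-of-year fields are validated before use, and the consumer keeps its last good time and counts the rejection instead of faulting. The type and function names and the sample frames are constructed for illustration; the hour, minute and second bounds are ordinary clock ranges assumed here, since the report gives only the day-of-year range.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Time-of-year fields of one decoded IRIG-B frame, as listed in the report. */
typedef struct { uint16_t day_of_year; uint8_t hours, minutes, seconds; } irig_time_t;

typedef enum { IRIG_OK, IRIG_BAD_SECONDS, IRIG_BAD_MINUTES,
               IRIG_BAD_HOURS, IRIG_BAD_DAY } irig_status_t;

/* Range-check every field before any consumer touches it. The 1-366 day range
 * is the one the report gives; the other bounds are assumed clock ranges. */
irig_status_t irig_validate(const irig_time_t *t)
{
    if (t->seconds > 59) return IRIG_BAD_SECONDS;
    if (t->minutes > 59) return IRIG_BAD_MINUTES;
    if (t->hours > 23)   return IRIG_BAD_HOURS;
    if (t->day_of_year < 1 || t->day_of_year > 366) return IRIG_BAD_DAY;
    return IRIG_OK;
}

/* Hypothetical consumer state: last accepted time plus a rejection counter. */
typedef struct { irig_time_t last_good; bool synced; uint32_t rejected; } clock_state_t;

/* Accept a frame only if it validates; otherwise keep the last good time,
 * count the rejection so it can be alarmed on, and keep running. */
bool clock_update(clock_state_t *c, const irig_time_t *in)
{
    if (irig_validate(in) != IRIG_OK) { c->rejected++; return false; }
    c->last_good = *in;
    c->synced = true;
    return true;
}

/* Constructed sample: a normal frame, an all-zero frame like the one in the
 * report, then a normal frame again. Returns the number of rejected frames. */
uint32_t replay_constructed_frames(clock_state_t *c)
{
    static const irig_time_t frames[] = {
        { 312, 8, 33, 59 }, { 0, 0, 0, 0 }, { 312, 8, 34, 1 } };
    for (size_t i = 0; i < sizeof frames / sizeof frames[0]; i++)
        clock_update(c, &frames[i]);
    return c->rejected;
}

int main(void)
{
    clock_state_t c = { { 0, 0, 0, 0 }, false, 0 };
    printf("rejected frames: %u\n", (unsigned)replay_constructed_frames(&c));
    return 0;
}
```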

As noted above, the loss of indication on the Diamond was the direct result of the processor fault and shutdown of the Control Rod Drive System.

Also noted above, the resetting of the SER was the direct result of the initiating event given that the SER time signal comes from the same source as the time signal sent to the DCRDCS.

CORRECTIVE ACTIONS

Immediate:

1) Emergency Operating Procedure (EOP) (EP/3/A/1800/001) was entered. Immediate manual actions were taken as prescribed by the EOP to place (and/or maintain) the plant in a safe and stable operating condition as quickly as possible.

2) A Unit Threat Team was formed and met in the Outage Control Center at 1000 hrs on November 7, 2008.

3) Unit 1 and 2 events recorder cabinets and power supply panel boards were designated as Protected Equipment until the cause of the Unit 3 trip was understood.

4) Equipment associated with IRIG-B signal in the PCS communications room (2nd Floor Oconee Office Building) and communications room (1st Floor Administrative Building) were trip was understood.

Subsequent:

1) Disconnected the IRIG-B cable from the CRD system P1 and P2 processors on all three Oconee Units to prevent recurrence of the processor failure.

Planned:

1) Document the results of the kernel fault analysis performed (for the CRD primary processors) by the CRD system vendor.

2) Revise appropriate Engineering Directives to ensure that Failure Modes and Effects Analyses and/or the modification process evaluate and document not only single active failures but all potential common cause failures that could adversely impact the operation of a control system. Also, ensure that digital systems have range checking capabilities for input data, whether external or internal to the application software or hardware, in order to ensure the input data is acceptable prior to the data being processed.

3) Evaluate the Keowee exciter control system for potential kernel fault susceptibility from an incorrect time decode as described in this event.

4) Evaluate the Keowee governor control system for potential kernel fault susceptibility from an incorrect time decode as described in this event.

5) Evaluate the automatic voltage regulator (AVR) control system for potential kernel fault susceptibility from an incorrect time decode as described in this event.

SAFETY ANALYSIS

This event did not include a Safety System Functional Failure. The event was uncomplicated and challenged no accident mitigation systems.

Duke Energy used a risk-informed approach to determine the risk significance associated with this event, considering the following:

  • Actual plant configuration and maintenance activities at the time of the trip.

The Conditional Core Damage Probability (CCDP) associated with this event was evaluated to be less than 1E-06. The Conditional Large Early Release Probability (CLERP) associated with this event was evaluated to be time, but are not expected to change. In the unlikely event that changes are made, Duke will submit a supplement to this report.

No fission product barriers were compromised by this event.

Therefore, there was no actual impact on the health and safety of the public due to this event.

ADDITIONAL INFORMATION

A search of Oconee's corrective action database found no similar occurrences of this type of event with same cause.

There were no releases of radioactive materials, radiation exposures or personnel injuries associated with this event.

This event is not considered reportable, under the Equipment Performance and Information Exchange (EPIX) program.
