05000325/LER-2008-006
| Brunswick Steam Electric Plant (Bsep) | |
| Event date: | 08-18-2008 |
|---|---|
| Report date: | 07-30-2009 |
| Reporting criterion: | 10 CFR 50.73(a)(2)(ii)(B), Unanalyzed Condition |
| Initial Reporting | |
| ENS 44425 | 10 CFR 50.72(b)(3)(ii)(B), Unanalyzed Condition |
| 3252008006R01 - NRC Website | |
Energy Industry Identification System (EIIS) codes are identified the text as [XX].
INTRODUCTION
On August 18, 2008, at 2152 hours0.0249 days <br />0.598 hours <br />0.00356 weeks <br />8.18836e-4 months <br /> Eastern Daylight Time (EDT), during the performance of surveillance OPT-12.14.L, "Diesel Generator 4 Local Control Operability Test," Emergency Diesel Generator (EDG) [EK] 4 failed to start from the local control panel. The biennial (i.e., every 24 months) surveillance is a non-Technical Specification (TS) related test to demonstrate that control and indication for EDG 4, and the EDG 4 to Bus E4 output breaker, can be isolated from the Control Room and be controlled from the respective local control station, as required by the Alternate Safe Shutdown (ASSD) analysis.
Troubleshooting determined that the Lockout Control Relay (LOCR), installed in a 2007 plant modification, was wired such that power was lost when the associated ASSD switch was in the LOCAL position, preventing EDG 4 to be reset so that it could be started locally.
At 1110 hours0.0128 days <br />0.308 hours <br />0.00184 weeks <br />4.22355e-4 months <br /> on August 19, 2008, it was concluded that the plant modification was installed on all four EDGs, and that this condition impacted the ability of EDG Nos. 2, 3, and 4 to perform their intended ASSD function (i.e., local control of EDG 1 is not credited in the ASSD analysis). This condition did not affect the TS operability of the EDGs and they remained fully capable of performing their intended safety system functions.
On August 19, 2008, at 1727 hours0.02 days <br />0.48 hours <br />0.00286 weeks <br />6.571235e-4 months <br />, the NRC was notified of this event (i.e., Event Number 44425) in accordance with 10 CFR 50.72(b)(3)(ii)(B), as an event or condition that resulted in the nuclear power plant being in an unanalyzed condition that significantly degrades plant safety.
This event is being reported in accordance with 10 CFR 50.73(a)(2)(ii)(B), as an event or condition that resulted in the nuclear power plant being in an unanalyzed condition that significantly degraded plant safety.
EVENT DESCRIPTION
Initial Conditions Prior to the event, both Units 1 and 2 were in Mode 1 operating at approximately 100 percent rated thermal power.
Discussion The EDG biennial surveillance, OPT-12.14.L, "Diesel Generator 4 Local Control Operability Test," is performed to demonstrate that control and indication for EDG 4, and the EDG 4 to Bus E4 output breaker, can be isolated from the Control Room and be controlled from their respective local control stations. The Emergency AC Power system is equipped with key-locked isolation switches located on the local diesel generator electrical panel and on each emergency bus section. These switches allow isolation of the diesel EVENT DESCRIPTION (continued) generators and emergency buses from the control circuit conductors routed through the Control Building.
In the event that a fire forces an evacuation of the Control Room, or in any way affects control of the diesel generators and emergency buses from the Control Room, safe shutdown equipment can be operated locally by placing these NORMAL/LOCAL switches in the LOCAL position.
On August 18, 2008, during the performance of this surveillance, EDG 4 would not reset locally following a lock-out with the ASSD key-switch in the LOCAL position. This condition impacted the ability of EDG 4 to perform its intended ASSD function but it did not affect the TS operability of the EDG and it remained fully capable of performing its intended safety system functions.
Troubleshooting activities determined that the inability to clear the lock-out condition was due to the LOCR being wired downstream of the ASSD switch such that it lost control power when the switch was placed in the LOCAL position. Further investigation determined that following the failure of a relay on EDG 2 in February 2007, preventive maintenance (PM) activities were generated to periodically replace all relays associated with the EDGs. Subsequently, an Engineering Change (EC) modification, EC 66274 installed in June 2007, was required to replace the LOCRs due to the obsolescence of the originally installed relays. During the design effort, a decision was made to use an additional auxiliary relay (LR) to provide the reset (i.e., unlatching) signal to the LOCR due to the operating characteristics of the replacement LOCR relay (i.e., overlapping contacts).
The new LR relay was installed in the location of the original LOCR relay and the new LOCR relay was to be positioned in a parallel circuit path. The intent was to select termination points for this new relay such that it was situated between the main positive power wire segment and the main negative wire segment.
This arrangement is consistent with most control wiring circuits where control devices are situated in parallel paths between the two main wire segments. The EDGs have an additional feature where these buses are split into two segments by means of an ASSD key-switch. This ASSD key-switch isolates the upstream "LOCAL" wire segment from the downstream "REMOTE" wire segment to allow local control to be maintained in the event that fire, or other cause, disables the remotely controlled functions in the Control Room. In order for the new LOCR to function as intended, it needed to be terminated such that it was independent of the ASSD key-switch's position so that its control power would not be interruptible.
However, the termination point selected resulted in its positive voltage termination point actually being downstream of the ASSD key-switch. The design was also complicated by the unrealized fact that the same wire segment number existed on both sides of the ASSD key-switches. This led to the selection of a termination point for a new relay which was not electrically continuous with its required power source.
The post-modification testing did not detect that the circuit was not configured in the intended manner.
Since it had not been intended to terminate the LOCR on the downstream wire segment, the testing was not designed to consider any affects associated with opening of the ASSD key-switch. This modification, installed in June 2007, resulted in the inability to reset and subsequently start the diesel from the local control station in the ASSD mode but it did not affect the TS operability of the EDG and it remained fully capable of performing its intended safety system functions.
EVENT DESCRIPTION (continued) On August 19, 2008, it was verified that the same modification was performed on all four diesel generators. This condition impacted the ability of EDG Nos. 2, 3, and 4 to perform their ASSD function (i.e., local control of EDG 1 is not credited in the ASSD analysis).
EVENT CAUSE
There were two root causes identified for this event:
- A latent organizational weakness existed where the EDG control wire circuitry maintained the same wire segment number on either side of the ASSD key-switches.
- Lack of sufficient rigor by the modification writer, Design Engineer, and Design Verifier in performance of their responsibilities during EC activities associated with modification of control logic circuitry (personal performance).
A long-standing decision that allowed the same wire segment numbers on both sides of the ASSD key- switches introduced a latent organizational weakness which was a contributing factor in selecting a LOCR relay termination point which was not continuous with the relay's required power source. The failure to adhere to a standard and accepted wire segment numbering convention, where a wire segment's number designation changes whenever the circuit path is divided by a distinct device, contributed to the LOCR being installed incorrectly. Secondly, the Engineers involved, including the preparer and reviewer, did not establish a sufficient understanding of the overall EDG control circuits or trace the selected relay termination point back to its source, either on prints or in the field.
SAFETY ASSESSMENT
The actual safety significance of this condition is considered minimal. This condition did not affect the TS operability of the EDGs and they remained fully capable of performing their intended design basis accident response functions. The potential safety significance was somewhat higher. It is unlikely that an Operator would have been able to restore any EDG which may have experienced a lockout while the ASSD key- switch was in LOCAL. However, since no fire induced trip condition occurred between the time the EC was installed in June 2007, and the time at which the ASSD surveillance was performed, there was no actual safety significance. Although the 2007 modification was installed on all four EDGs, only the local control of EDGs 2, 3, and 4 is credited in safe shutdown analysis. A revised plant modification has been implemented on all four EDGs that re-wired the LOCRs such that they do not lose power when the ASSD switches are operated. Completion of this activity on August 21, 2008, returned the EDGs to being fully capable of performing their ASSD function. There were no nuclear or industrial safety consequences from this event.
CORRECTIVE ACTIONS
The following corrective action to prevent recurrence will be taken.
- Generate an Engineering Change package to clearly denote on applicable plant drawings that duplicate wire numbers exist on either side of the EDG ASSD key switches. This action has been completed.
- Revise the applicable plant drawings in accordance with the Engineering Change package. This action is currently scheduled to be completed by September 15, 2009.
- Develop formal requirements that wire segment numbers be changed wherever a circuit is divided into non-continuous segments. This action has been completed.
- Revise EGR-NGGC-0011 requiring that any additions to control logic circuits be electrically traced to their intended source or destination, and provide additional guidance/cautions to address other factors affecting rigor and risk management during design and review activities. This action has been completed.
- Revise EGR-NGGC-0155 to more fully discuss the concept of unintended consequences as it relates to control logic circuits, discuss the need for additional care when dealing with daisy-chained circuits, and more fully describe how to comprehensively determine the sphere of influence of a control circuit modification such that potential consequences and PMT scope can be adequately addressed. This action has been completed.
Additional corrective actions include the following.
- Perform a complete as-built verification between field wiring and applicable drawings associated with the EDGs. This action is currently scheduled to be completed by December 16, 2009.
PREVIOUS SIMILAR EVENTS
A review of LERs and corrective action program condition reports for the past three years identified the following previous similar occurrences.
- NCR 270475, initiated on March 15, 2008, "Unexpected Unit 1 Group 1 Isolation," documents an event where a full Containment Group 1 Isolation was received while resetting the BSEP Unit 1 Main Turbine. The isolation occurred during work associated with an EC to replace the main generator output breakers. In order for the breakers to be removed, wiring that provides breaker position information was disconnected from the turbine control system (EHC). This resulted in a "breaker closed" input to EHC. When the main turbine was reset for an unrelated surveillance test, several logic interactions occurred resulting in a full Group 1 isolation. It was determined the responsible engineer PREVIOUS SIMILAR EVENTS (continued) and engineering reviewer failed to validate assumptions regarding acceptability of the wire lift. The corrective actions associated with this NCR could not have reasonably been expected to prevent the condition reported in this LER.
COMMITMENTS
No regulatory commitments are contained in this report.