05000325/LER-2015-002

LER-2015-002, Emergency Diesel Generator Loss of Safety Function
Brunswick Steam Electric Plant (BSEP), Unit 1
Event date:
Report date:
Reporting criterion: 10 CFR 50.73(a)(2)(v)(D), Loss of Safety Function - Mitigate the Consequences of an Accident
3252015002R01 - NRC Website

Reported lessons learned are incorporated into the licensing process and fed back to industry.

Send comments regarding burden estimate to the FOIA, Privacy and Information Collections Branch (T-5 F53), U.S. Nuclear Regulatory Commission, Washington, DC 20555-0001, or by internet e-mail to Infocollects.Resource@nrc.gov, and to the Desk Officer, Office of Information and Regulatory Affairs, NEOB-10202, (3150.0104), Office of Management and Budget, Washington, DC 20503. If a means used to impose an information collection does not display a currently valid OMB control number, the NRC may not conduct or sponsor, and a person is not required to respond to, the information collection.

Energy Industry Identification System (EIIS) codes are identified in the text as [XX].

Background

Initial Conditions

At the time of the event, Unit 1 was in Mode 1 at approximately 100 percent of rated thermal power, and Unit 2 was in Mode 5 (i.e., Refueling).

The only Unit 1 safety-related equipment out of service at the time of this event was the 1B Residual Heat Removal System [BO] pump. This item of equipment being out of service had no effect on the sequence of events described in this report.

Reportability Criteria

This condition is being reported in accordance with 10 CFR 50.73(a)(2)(v)(D) as an event or condition that could have prevented the fulfillment of the safety function of a system that is needed to mitigate the consequences of an accident. The loss of safety function was discovered after the event had occurred; thus, no Event Notification (EN) was made to the NRC per the guidance of NUREG-1022, "Event Report Guidelines 10 CFR 50.72 and 50.73," Revision 3.

Event Description

During the Unit 2 refueling outage of spring 2015, emergency diesel generator 3 (EDG 3) [EK] reliability modifications were performed. These modifications included replacement of the voltage regulator and governor. The governor replacement was completed while EDG 3 was removed from service from March 10, 2015, through March 18, 2015.

During post-maintenance testing (PMT) for the governor replacement, the EDG 3 output breaker failed to remain closed in response to a simulated loss of offsite power condition. This failure was determined to have been caused by a relay, designated 2-DG3-RCR, which oscillated in response to electrical noise generated when a second relay, designated 2-DG3-RCR-X, de-energized. Both relays were replaced, additional monitoring equipment was installed, and the PMT for EDG 3 was successfully completed on March 18, 2015.

Based on the failure of relay 2-DG3-RCR, a decision was made to proactively replace the identical relays on EDG 4, designated 2-DG4-RCR and 2-DG4-RCR-X. On March 19, 2015, EDG 4 was removed from service, and during the ensuing maintenance window, the relays were replaced. During the PMT on March 21, 2015, for EDG 4, the output breaker cycled four times before remaining closed. This resulted from misoperation of the newly installed relay, 2-DG4-RCR.

A failure of the EDG output breaker to close due to erratic RCR relay operation could occur only if the affected EDG were already running and not tied to its electrical bus when a breaker closure signal is received. In this condition, it could not be assured that the EDG output breaker would remain closed. As such, the affected EDG would be considered inoperable. When an affected EDG was in the standby mode, the RCR relay issue would have no effect, so the EDG remained operable and able to perform its safety function.

On March 21, 2015, procedure OMST-DG14R, "DG-4 Loading Test," was performed as part of the PMT for EDG 4. This test starts all four EDGs. EDG 3 ran unloaded from 13:08 Eastern Daylight Time (EDT) until it was shut down at 14:38 EDT. During this 90-minute span, therefore, EDG 3 was inoperable.

Concurrently during OMST-DG14R, EDG 4 was loaded, separated from the bus, and loaded again.

During the time EDG 4 was running unloaded, it was also inoperable. For the period of 14:05 EDT until 14:17 EDT, both EDG 3 and EDG 4 were running and were unloaded. Therefore, for this 12-minute period, both EDGs 3 and 4 were considered to be inoperable.

After the failure of EDG 4 to tie to its bus, bench testing closely matching field conditions showed that relay 2-DG4-RCR oscillated due to voltage transients generated when the adjacent RCR-X relay was de-energized. The bench testing also demonstrated that installing a transient voltage suppressor across the RCR-X relay coil eliminated the erratic behavior of the RCR relay.

The original relay 2-DG4-RCR was bench tested and found to be not susceptible to misoperation due to electrical noise. It was then re-installed on March 22, 2015. In addition, given what was learned during bench testing, engineers suspected that the test equipment installed on EDG 3 (i.e., data recorder and Simpson volt-ohmmeter) had had an effect similar to that of the transient voltage suppressor by absorbing the voltage transient produced by the RCR-X relay. A test was performed on EDG 3 to challenge the new RCR relay, and it showed oscillation in response to noise generated by the RCR-X relay. It was then concluded that the presence of test equipment had contributed to the successful PMT of EDG 3 on March 18, 2015. A modification to install a transient voltage suppressor across the RCR-X relay coil on EDG 3 was developed. The transient voltage suppressor modification to EDG 3 was installed and successfully tested on March 23, 2015.

This condition resulted in a brief loss of safety function for the onsite standby alternating current (AC) power source. Three of four EDGs are required to mitigate an accident on one unit while maintaining the other unit in a safe condition. With both EDGs 3 and 4 inoperable, only EDGs 1 and 2 were operable, and the ability to perform this safety function was adversely affected. The event is not reportable as a condition prohibited by the Technical Specifications (TS) because in all cases, the diesels were returned to service in less than the time allowed by the applicable required action statement.
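The 12-minute figure follows from overlaying the per-EDG inoperability windows on the three-of-four requirement. The sketch below is an added example, not part of the licensee's report: it sweeps the window boundaries and returns every span in which fewer than the required number of EDGs are operable. The function and variable names are hypothetical, and EDG 4's window is taken to be the 14:05 to 14:17 EDT span the report gives for both diesels running unloaded.

```python
from collections import Counter
from datetime import datetime

REQUIRED_OPERABLE = 3  # from the report: three of four EDGs are required
EDGS = ("EDG 1", "EDG 2", "EDG 3", "EDG 4")

def t(hhmm, day="2015-03-21"):
    """Parse an HH:MM clock time (EDT) on the day of the loading test."""
    return datetime.strptime(f"{day} {hhmm}", "%Y-%m-%d %H:%M")

# Inoperable windows from the event description. EDG 4's window is an
# assumption: the span the report gives for both EDGs running unloaded.
INOPERABLE = {
    "EDG 3": [(t("13:08"), t("14:38"))],
    "EDG 4": [(t("14:05"), t("14:17"))],
}

def shortfall_windows(inoperable, units=EDGS, required=REQUIRED_OPERABLE):
    """Return (start, end, inoperable_units) for each span in which fewer
    than `required` of `units` are operable."""
    events = []
    for unit, windows in inoperable.items():
        for start, end in windows:
            if end <= start:
                raise ValueError(f"empty or reversed window for {unit}")
            events.append((start, 1, unit))  # unit becomes inoperable
            events.append((end, 0, unit))    # unit returns to operable
    events.sort()  # at equal times, returns (0) are applied before losses (1)
    down, segments, prev = Counter(), [], None
    for when, kind, unit in events:
        out = sorted(u for u in down if down[u] > 0)
        if prev is not None and when > prev and len(units) - len(out) < required:
            if segments and segments[-1][1] == prev and segments[-1][2] == out:
                segments[-1] = (segments[-1][0], when, out)  # extend same span
            else:
                segments.append((prev, when, out))
        down[unit] += 1 if kind else -1
        prev = when
    return segments

def total_minutes(segments):
    """Total duration of all shortfall spans, in minutes."""
    return sum((end - start).total_seconds() for start, end, _ in segments) / 60

if __name__ == "__main__":
    for start, end, out in shortfall_windows(INOPERABLE):
        print(f"{start:%H:%M}-{end:%H:%M} EDT: inoperable {', '.join(out)}")
```

Because the sweep counts overlapping windows per unit, the same function can be used to check a planned test schedule for any span that would drop below the required number of trains.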

Event Cause

The immediate, technical cause of the loss of safety function was that both EDG 3 and EDG 4 were simultaneously in a condition where it could not be assured that their output breakers would close to their emergency busses. EDG 3 was in a degraded condition after the initial relay replacement because newly installed relay 2-DG3-RCR was susceptible to electrical noise generated by relay 2-DG3-RCR-X. EDG 4 was likewise in a degraded condition because relay 2-DG4-RCR was proactively replaced, and the replacement relay was susceptible to electrical noise generated by relay 2-DG4-RCR-X. The effect of the electrical noise upon the relay was to cause it to oscillate briefly when the nearby RCR-X relay actuated. Contacts from the oscillating relay then affected the logic for closing and tripping the EDG output breaker, resulting in the breaker closing and immediately tripping. Because of the location of the contacts in the breaker logic, the oscillation could affect the logic only if the EDG were already running and not tied to its bus. If the EDG were starting from standby, the relay problem would have no effect because the oscillation would settle out long before the EDG came up to speed where the breaker could tie to its bus.

Root cause investigators found that the manufacturer of the RCR relays had introduced a complex programmable logic device (CPLD) into the design. The manufacturer retained the original part number for the relay, and did not notify BSEP that the design had been altered to include a CPLD. The change is not visible externally because the timer circuit board containing the CPLD is enclosed within the relay body, requiring disassembly to see it. When this condition was reported per 10 CFR 21, BSEP did not appear in the affected plants list because the relays had been obtained as commercial grade and later dedicated for safety-related use. Therefore, industry operating experience published via the 10 CFR 21 process was not recognized as applicable to BSEP.

The investigation also identified the fact that the decision to replace the RCR relay on EDG 4 was made without fully understanding the original fault with EDG 3 RCR relay.

A root cause of the event was that procedure AD-EG-ALL-1103, "Procurement Engineering Products," contained no guidance or requirement for the examination of dedicated high risk items that may be susceptible to a manufacturer introducing a CPLD or digital device in the item's circuitry.

Safety Assessment

There was no actual safety consequence associated with this event, and the potential safety significance of this event is minimal. As stated previously, EDG 3 and EDG 4 were susceptible to this failure mechanism only when susceptible relays were installed in the breaker logic for both diesels, and both diesels were running and not tied to their electrical busses. The duration over which both diesels and their breaker logic met these conditions was a total of 12 minutes.

Technical Specifications Bases 3.8.1, "AC Sources — Operating," states that the safety function of the electrical power system is to provide sufficient capacity, capability, redundancy, and reliability to ensure the availability of necessary power to engineered safety features (ESF) systems so that the fuel, Reactor Coolant System (RCS), and containment design limits are not exceeded. Technical Specification 3.8.2, "AC Sources — Shutdown," states that the safety function of the AC sources is to ensure that the facility can be maintained in the shutdown or refueling condition for extended periods; sufficient instrumentation and control capability is available for monitoring and maintaining the unit status, and adequate AC electrical power is provided to mitigate events postulated during shutdown, such as an inadvertent draindown of the vessel or a fuel handling accident. The EDGs must provide power for these safety functions should a loss of offsite power (LOOP) occur.

In addition, the Updated Final Safety Analysis Report (UFSAR) states that three of the four EDGs must be available to mitigate a design basis accident on one unit and a shutdown of the other unit without offsite power available.

Since only two diesels were available during the 12-minute duration of the event, reasonable assurance could not be established that the safety functions could be met on both the operating unit and the shutdown unit.

Probabilistic Risk Analysis (PRA) examined the change in risk of having EDG 3 and EDG 4 simultaneously out of service, conservatively assuming a full hour for the duration. During the event, both EDG 1 and EDG 2 were available and protected, along with the supplemental diesel and offsite electrical sources. The analysis showed the change in Core Damage Frequency (CDF) and Large Early Release Frequency (LERF) was negligible.

Corrective Actions

Any changes to the corrective actions and schedules noted below will be made in accordance with the site's corrective action program.

To prevent recurrence of a similar event, procedure AD-EG-ALL-1103, "Procurement Engineering Products," has been revised.

The following actions have been completed to address the relay issue.

  • A transient voltage suppressor has been installed across the RCR-X relays in all four EDGs.
  • A review of circuits containing Allen-Bradley type 700-RTC relays has been performed, identifying specific areas where a relay of this type is located adjacent to a GE type HGA or HFA relay. Condition reports have been initiated for conditions requiring further engineering analysis.

In addition, site leadership and key personnel assigned to the Outage Control Center will be briefed on lessons learned from this event. This action is currently scheduled to be completed by March 1, 2016.

Previous Similar Events

A review of LERs for the past three years did not identify any previous similar occurrences. A review of the site's Corrective Action Program database also did not identify any previous similar occurrences.

Commitments

No regulatory commitments are contained in this report.