05000369/LER-2012-002
| Infocollects Resource©Nrc.Gov, And To The Desk Officer, Office Of Information And Regulatory | |
| Event date: | |
|---|---|
| Report date: | |
| Reporting criterion: | 10 CFR 50.73(a)(2)(i)(B), Prohibited by Technical Specifications 10 CFR 50.73(a)(2)(vii), Common Cause Inoperability |
| 3692012002R00 - NRC Website | |
15. EXPECTED MONTH DAY YEAR
SUBMISSION
_ DATE N/A N/A N/A September 26,0 100% power and Unit 2 was in Mode 6.
At the time of the event, 02012, Unit 1 was in Mode 1 at It was discovered that the existing Solid State Protection System (SSPS) (semi- logic test0 automatic test)0 and Westinghouse "7300" series channel operational test (COT) surveillance procedures for the "Safety Injection on 2/4 Low-Low Pressurizer Pressure" function may not provide sufficient overlap to confirm continuity for some of the SSPS jumpers used for channel multiplication. The inadequate surveillance testing constitutes a failure to meet the Limiting Condition for Operation, 0resulting in past operation prohibited by Technical Specifications, and common cause inoperability of an independent train or channel. The cause of this event was a design deficiency by the vendor in the specific test circuitry used to verify the SSPS logic. Testing was conducted to verify continuity of the affected SSPS jumpers which provide overlap.
As corrective actions, the appropriate procedure changes were made and design changes will be implemented.
NRC FORM 366A� U.S. NUCLEAR REGULATORY COMMISSION
BACKGROUND
The following information is provided to assist readers in understanding the event described in this Licensee Event Report (LER). Applicable.
Energy Industry Identification [EIIS] system and component codes are enclosed within brackets. McGuire unique system and component identifiers are contained within parentheses.
Engineered Safety Features Actuation System [JE](ESFAS):
The Solid State Protection System (SSPS) equipment is used for the decision logic processing of outputs from the signal processing equipment bistables.
To meet the redundancy requirements, two trains of SSPS, each performing the same functions, are provided.
The SSPS performs the decision logic for most Engineered Safety Features (ESF) equipment actuation; generates the electrical output signals that initiate the required actuation; and provides the status, permissive, and annunciator output signals to the main control room of the unit.
The bistable outputs from the signal processing equipment are sensed by the SSPS equipment and combined into logic matrices that represent combinations indicative of various transients. If a required logic matrix combination is completed, the system will send actuation signals via master and slave relays to those components whose aggregate function best serves to alleviate the condition and restore the unit to a safe condition.
SSPS will actuate as needed a reactor trip and the following safety functions via an ESFAS signal:
- Safety Injection [BQ](NI), including emergency diesel generator [EK](DG) actuation
- Phase A and Phase B Containment Isolation
- Containment Ventilation Isolation
- Steam Line Isolation
- Main Feedwater Isolation
- Steam Dump Interlock
- Turbine Generator Trip
- Auxiliary Feedwater Automatic Start
- Automatic Switchover of Emergency Core Cooling Water to the Containment Sump
- Containment Air Return and Hydrogen Skimmer Fans Each SSPS train has a built in testing device that can test the decision logic matrix functions and the actuation devices while the unit is at power.
When any one train is taken out of service for testing, the other train is capable of providing unit monitoring and protection until the testing has been completed. The testing device is semi-automatic to minimize testing time.
Safety Injection - Pressurizer Pressure Low-Low is one of the SSPS input signals. This signal provides protection against the following accidents: inadvertent opening of a steam generator (SG) relief or safety valve; steam line break (SLB); inadvertent opening of a pressurizer relief or safety valve; loss of coolant accidents (LOCAs); and SG tube rupture.
EVENT DESCRIPTION
On 9/26/12, site Engineering personnel were contacted by counterparts at the Catawba Nuclear Station and were made aware that the existing SSPS logic test (semi-automatic test) and 7300 channel operational test (COT) surveillance procedures for "Safety Injection on 2/4 Low-Low Pressurizer Pressure" function may not provide sufficient overlap to confirm continuity for some of the SSPS jumpers used for channel multiplication.
This condition was subsequently confirmed by site Engineering personnel in consultation with the vendor (Westinghouse) SSPS Engineer.
The condition was determined to impact both SSPS trains of both Units for the specific function. The SSPS design uses a combination of 2/3 and 2/2 SSPS logic cards to develop the 2/4 logic for Safety Injection on Low Pressurizer Pressure. The arrangement uses external jumpers on the back planes of the cards to distribute some of the four input signals to the appropriate logic cards. For this specific function and current design, positive verification of annunciator and/or status indications during the 7300 Pressurizer Pressure Low Low Channel COT's does not electrically validate some of the logic input jumper wiring paths to the logic cards. Current SSPS logic testing, using the built in semi-automatic tester, verifies the correct logic from the logic .input to the appropriate logic outputs, but does not electrically validate the jumper wiring continuity.
Subsequent to the discovery of the condition, it was recognized that applicable surveillance requirements for Limiting Condition for Operation (LCO) 3.3.2, "Engineered Safety Features Actuation System Instrumentation," were not met for both Unit 1 SSPS trains, resulting in entry into LCO 3.0.3 at 1820 hours0.0211 days <br />0.506 hours <br />0.00301 weeks <br />6.9251e-4 months <br /> on 9/26/12. Unit 2 was in Mode 6 at the time as part of scheduled outage 2E0C21; hence, LCO 3.3.2 was not applicable to Unit 2 at the time. Following successful verification of exited LCO 3.0.3 at 2322 hours0.0269 days <br />0.645 hours <br />0.00384 weeks <br />8.83521e-4 months <br /> on 9/26/12, prior to a power reduction being required. Continuity of the Unit 1 train lA and the Unit 2 train 2A and 2B SSPS jumpers were verified by later testing.
In that the condition existed on both units prior to discovery, the inadequate surveillance testing constitutes a failure to meet LCO 3.3.2, and resulted in past operation prohibited by Technical Specifications, satisfying reporting criterion 10 CFR 50.73(a)(2)(i)(B). The event is also reportable as a result of common cause inoperability of an independent train or channel (reporting criterion 10 CFR 50.73(a)(2)(vii).
The McGuire Nuclear Station SSPS design was reviewed for other cases where a similar issue exists, and none were found.
CAUSAL FACTORS
It was determined that the jumper wiring of the "Safety Injection on 2/4 Low-Low Pressurizer Pressure" function and the associated selector switch wiring inside the SSPS was an original design provided by Westinghouse during the construction of the plant.
During 1996-1997, Duke Energy performed an extensive review of logic schematics and surveillance procedures as required by Generic Letter (GL) 96-01, "Testing of Safety-Related Circuits." However, the jumper issue for the Safety Injection Low Pressurizer Pressure function was not identified as creating a potential gap in the logic testing.
The cause of this event was a design deficiency by the vendor (Westinghouse) in the specific test circuitry used to verify the Pressurizer Low Pressure Safety Injection logic. The Westinghouse Semi-Automatic Tester was designed by Westinghouse and is considered as an integral function in the overall SSPS Design. The failure of Duke Energy personnel to discover the condition during the original test procedure preparation/review and the much later GL 96-01 review are considered to be missed opportunities.
CORRECTIVE ACTIONS
Immediate Corrective Action:
Conducted testing to verify continuity of SSPS jumpers on Unit 1.
(Train 1B was completed on 9/26/12 at 2130 hours0.0247 days <br />0.592 hours <br />0.00352 weeks <br />8.10465e-4 months <br />; Train 1A was completed on 9/26/12 at 2322 hours0.0269 days <br />0.645 hours <br />0.00384 weeks <br />8.83521e-4 months <br />) 1.
Subsequent Corrective Actions:
prior to entry into Mode 4. (Train 2A was completed on 10/11/12; Train 2B was completed on 10/12/12) 2. Revised procedures to ensure logic testing for Unit 1 Trains A and B satisfy Technical Specification Surveillance Requirements for safety injection on low pressurizer pressure. (Complete) 3. Implemented design change to ensure comprehensive semi-automatic logic testing for Unit 2 Trains A and B satisfy Technical Specification Surveillance Requirements for safety injection on low pressurizer pressure. (Complete) Planned Corrective Action:
Implement design change to ensure comprehensive semi-automatic logic testing for Unit 1 Trains A and B satisfy Technical Specification Surveillance Requirements for safety injection on low pressurizer pressure.
1.
SAFETY ANALYSIS
The SSPS remained capable of performing its safety function, as demonstrated by subsequent continuity testing of the affected SSPS jumpers. Therefore, this event had no impact on nuclear safety.
ADDITIONAL INFORMATION
To determine if this event is recurring, a search of the McGuire Nuclear Station Problem. Identification Process (PIP) database was conducted for a time period covering five years prior to the event. The PIP searches do not show any previous history or identification of inadequate testing pertaining to the specific issue identified at the McGuire Nuclear Station for Safety Injection Low Pressurizer Pressure logic testing.
Therefore, this event is not considered recurring.