05000373/LER-2005-001

From kanterella
Jump to navigation Jump to search
LER-2005-001, Single Failure Vulnerability of Division 1 and 2 Protective Relay Circuitry Due to Latent Design Deficiency
Event date: 02-02-2005
Report date: 03-28-2005
3732005001R00 - NRC Website

PLANT AND SYSTEM IDENTIFICATION

General Electric - Boiling Water Reactor, 3489 Megawatts Thermal Rated Core Power

A. CONDITION PRIOR TO EVENT

� Unit (s) : 1/2 Event Date: 02/02/2005� Event Time: 1542 CST � Reactor Mode(s): 1/1 Power Level(s): 100/100 Mode(s) Name: Run/Run

B. DESCRIPTION OF EVENT

On January 27, 2005, Crystal River Nuclear Station made a 10 CFR 50.72 Emergency Notification System call (Event # 41362) that identified a condition where a single failure could prevent both Emergency Diesel Generators (DG)IEK1 and both offsite power sources from supplying power to their respective Engineered Safeguards Buses (AP)[EB].

On February 1, 2005, LaSalle became aware of the event through internal company communications and by discussion with the LaSalle NRC Resident Inspector. Site Engineering reviewed LaSalle's safety related bus protective relaying circuitry and on February 2, 2005, determined that a single failure vulnerability existed for LaSalle between the current transformer (CT) circuits of the divisional safety related buses.

The CT circuits that supply the over current relay scheme for each divisional bus are connected to a common point that supplies control room indication for the total System Auxiliary Transformer (SAT) Y winding power (wattmeter) and current (ammeter). An open circuit condition on any of the CT phases downstream of the common point in the circuit would result in an unbalanced current condition. The unbalanced current condition initiates a trip of the associated SAT feed breakers for the applicable buses. The current unbalance would actuate the ground fault relays, resulting in the actuation of the SAT feed breaker lockout relays on both divisions. Following a trip of the bus feed breakers, the lockout relay for the respective bus would initiate a trip of the other bus feed breakers and prevent any closure of these breakers, including the DG output breaker. The result of this condition would be a loss of all onsite and offsite AC power sources to both Division 1 and 2 safety related buses. No EDG or offsite power source would be permitted to close onto the respective Division 1 & 2 safety buses.

This condition was determined to be reportable under 10 CFR 50.72(b)(3)(ii) as an event or condition that resulted in the nuclear power plant being in an unanalyzed condition that significantly degraded plant safety. An ENS notification (Event# 41366) was made at 1959 hours0.0227 days <br />0.544 hours <br />0.00324 weeks <br />7.453995e-4 months <br /> CST on February 2, 2005.

At 1542 hours0.0178 days <br />0.428 hours <br />0.00255 weeks <br />5.86731e-4 months <br /> on February 2, 2005 LaSalle Unit 1 and Unit 2 entered Technical Specification (TS) 3.8.1 "AC Sources - Operating," Required Action E.1 due to inability of the offsite and onsite power systems to accommodate a single failure. A temporary modification was installed to remove the interconnection, and the TS Required Action was exited at 2306 hours0.0267 days <br />0.641 hours <br />0.00381 weeks <br />8.77433e-4 months <br /> on February 2, 2005.

C. CAUSE OF EVENT

The root cause of the common CT circuit affecting two separate 4.16 kV divisional buses was an existing latent design deficiency not identified in subsequent design reviews when the bus functional requirements were modified, allowing the systems to continue to be deficient for a common single failure.

A contributing factor was that various programmatic reviews failed to identify this single failure vulnerability, because these reviews were limited in scope.

The LaSalle initial design had the CT circuits of the safety related Division 1 and 2 buses connected for the common metering circuit. However, the logic of the DG feed breaker did not have the bus lockout interlocks at the time of initial plant startup. A failure (i.e., open circuit) of the common CT circuit would have resulted in the safety buses being de-energized and offsite power sources prevented from closure due to the lockout relays. However, the EDG breakers would have closed and energized the safety buses.

Subsequent modifications were made to inhibit the DG breaker closure on a bus lockout condition and also trip the DG output breaker from a detected bus fault condition under non-accident condition. The scope of these modifications was the bus protection logic, and the reviews did not extend to the metering circuitry that had the latent design deficiency.

D. SAFETY ANALYSIS

The safety significance of this event was moderate, in that a single passive failure could have resulted in a loss of all onsite and offsite AC power sources to both Division 1 and 2 safety related buses. A risk assessment was performed, which estimated a Core Damage Probability of 2E-6 for operation of LaSalle Units 1 and 2 for greater than one year with the identified single failure vulnerability in key 4.16 kV bus metering circuitry.

E. CORRECTIVE ACTIONS

1. A temporary modification was installed to remove the interconnection and the TS action statement was exited within the time clock limitations (Complete).

2. Permanent modifications to eliminate this vulnerability have been prepared and approved. The modification was installed on Unit 2 during the February 2005 refueling outage; the modification will be installed on Unit 1 during its next refueling outage (AT# 299641-84).

3. A review will be performed of the AC, DC, and diesel generator systems for similar latent design deficiencies. This review will include assurance the current transformers and lockouts have been analyzed correctly with respect to the Fire Safe Shutdown Analysis (AT# 299641-08).

4. Engineering personnel will review this event for awareness of common circuits and the potential to affect more than one division of equipment OM 299641-18).

5. A review was conducted that determined that Engineering processes and procedures currently in place would prevent this design from being implemented today.

F. PREVIOUS OCCURRENCES

A search of the corrective action database for the keywords "single failure," "current transformer," "protective relaying" and "metering circuits" found no similar previous occurrences at LaSalle Station.

G. COMPONENT FAILURE DATA

No components failed in this event.