05000400/LER-2002-002

1. � DESCRIPTION OF EVENT

SUMMARY

At approximately 1:10 am July 13, 2002, a manual reactor trip was performed due to a Main Turbine Digital Electro-Hydraulic (DEH) control system malfunction. The plant was in the process of reducing load to perform a scheduled turbine valve test. While reducing load to a target load value of 900 IVIWe, governor valve number GV-4 indicated shut via local position indication with demand still indicating 8.4% (its starting position). The DEH "HOLD" button was subsequently pressed but the other three governor valves continued closing. A manual reactor trip was inserted at 85% power due to the uncontrolled turbine load decrease.

Plant and operator response was as expected for the event. The Motor-Driven Auxiliary Feedwater pumps started automatically on low steam generator level as a result of the plant transient. One steam generator power operated relief valve remained open longer than expected due to the controller's setpoint being set lower than required. The valve was closed from the main control board manually. The plant was stabilized at normal operating temperature.

Event Summary:

Quarterly turbine valve testing requires reducing Rx power to 90% or less. To reduce power, a target turbine load value and a Ioad rate are entered at the Digital Electro-Hydraulic (DEH) panel, and the 'GO' button is pressed. Governor valves should then reposition and turbine load should go to the target load value (at the programmed rate) and maintain the desired load. While reducing turbine load to a target load value of 900 MWc at a load rate of 2 MWe/min, GV-4 indicated shut via local position indication with demand still indicating 8.4% (its starting position). The DEH 'HOLD' button was subsequently pressed but OV-1, 2 and 3 continued closing. GV-4 demand did not lower as expected and GV-I, 2, and 3 motion did not stop when the 'HOLD' button was pressed. The manual reactor trip was then inserted at 85% Rx power due to the uncontrolled turbine load decrease.

II. CAUSE OF EVENT

A component failure initiated the events that led to the manual reactor trip. The "VIDAR" voltage/frequency unit (CPOS) failed which created a condition that resulted in the turbine control system not stopping the governor valve closure as required. The equipment malfunction and the failure to incorporate industry operating experience into the preventative maintenance program, operating procedures, and training, are the root causes identified for this event. Better utilization of internal and industry operating experience could have resulted in improved equipment reliability, and demonstrated the need for additional guidance for operator response to DEH control malfunctions. The turbine control system could have been taken from "Operator Auto" control to "Turbine Manual" to stop the valve continuous closure event. However, based on the culture of conservative decision-making and the operators having no specific directions in the Abnormal Operating Procedures, the operators did not take the turbine to manual control, but instead conservatively inserted the manual reactor trip.

III. SAFETY SIGNIFICANCE

The failure experienced in DEH control resulted in a decrease-in-heat-removal transient, which is described in FSAR Section 15.2.

The VIDAR failure resulted in the governor valves going shut in an uncontrolled manner, which is similar to the loss of external electrical load accident described in FSAR section 15.2.2. A decrease in heat removal results in reactor temperature increasing, causing RCS water expansion and subsequent increase in reactor coolant pressure. The rod control system responds automatically by inserting rods to reduce the reactor temperature. When the operators observed the rod movement they determined that they did not understand the nature of the DEH problem, and conditions were degrading so they initiated a manual reactor trip. The plant is designed for manual reactor trip. Other than the transient induced by the trip there are no adverse safety consequences.

IV, CORRECTIVE ACTIONS

The VIDAR voltage/frequency unit was replaced. More direct ownership of the system function for the DEH computer controls has been transferred to the Harris Engineering Section. A revision to the Operations procedures is being performed to institutionalize guidance that will incorporate a verification of proper DEH analog input function prior to placing impulse MWe feedback loops in service. Training will be provided to operators on potential transients when MANUAL control of DEH is appropriate. An evaluation of the VIDAR unit failure is being conducted to determine failure mechanism and develop additional corrective actions for preventative maintenance as needed. Included in the scope of the DEH control system VIDAR evaluation will be the impact on other DEH components and the development of other action items that may be needed beyond the failure that initiated this event.

V. � PREVIOUS SIMILAR EVENTS Incident Report 88-002 —A DEH computer system malfunction caused all turbine governor valves to go full open on 1/19/88.

Following a complete loss of power to the DEH computer, software was reloaded. Plant power was reduced to 90% to transfer the DEH system back to automatic. The DEH computer rebooted in the SEQUENTIAL mod; but did not reposition any governor valves until the SINGLE mode and automatic was selected. After the reconfiguration to SINGLE mode valve control, the operators desired to transfer back to SEQUENTIAL mode. At this point all the governor valves were approximately 25% open and the operators expected GV-4 to start to close and the remaining valves to open slightly. The operators observed no valve movement for fifteen to thirty seconds, then all four valves unexpectedly opened fully. Reactor power increased from 88% to 98% before the BOP operator placed the DEH control system in MANUAL and closed the governor valves. The plant did not trip.

The ensuing investigation focused on how to reboot the DEH computer and the work practices involved in determining the cause of the electrical power loss. The incident report does not provide an explanation regarding why the governor valves received a full- open demand signal. Corrective actions included, A checkout of the DEH computer by the DEH contract consultant (action item response states that all identified problems were corrected, but does not specify what problems were found or how they were corrected), and A maintenance procedure revision to provide better guidance for rebooting the DEH system (CM-C-0004).

Adverse Condition Report (ACR)92-163 — This document investigated seven instances of other ACRs related to the DEH computer system malfunctions from 5/7/92 to 8/15/92. Two of these events (ACR 92-168 and ACR 92-190) involved significant resulting load swings.

The first load swing event involved an unexpected transfer of the DEH system from SEQUENTIAL to SINGLE valve control while performing a down power in automatic with MWe and impulse feedback loops in service. No conclusive cause was found.

Operator action to transfer the DEH system to MANUAL and reduce turbine load precluded the need to trip the plant.

The second event involved unexpected opening of all four governor valves during a down power in SINGLE valve mode control while in automatic. The automatic "turbine stop loading" halted the resulting power increase. The operator noted that the "MANUAL NOT TRACKING AUTO" annunciator illuminated. After troubleshooting, the cause was attributed to the Single Valve Output circuit board, which had failed several times in the past. The card was replaced with a new card.

Another event (ACR 92-644) occurred in 1992 where a load swing occurred during a power increase. The operator attempted to terminate the load increase by depressing the HOLD -button, but the function did not work. The operator transferred the DEH system to MANUAL, successfully stopping the transient. The investigation concluded that the cause of the load increase was due to a stuck reference button.

V. � PREVIOUS SIMILAR EVENTS/continued) CR 96-01725 & WR/J0 AEPU1 — In June 1996 the DEH VIDAR unit failed resulting in foss of automatic turbine control. DEH control was placed in MANUAL. The VIDAR unit was shipped to a vendor for determination of what failed within the unit, who concluded that an internal component (the opto-coupler, one of three in the unit) had failed, and that the failed opto-coupler was of an "old style" which the vendor replaced with the latest style". The vendor stated that they had no record of the new style failing and did not recommend a periodic replacement of the component.

The WR/.10 documenting the following: � - DEH VIDAR (voltage to frequency converter) drifting. The DEH VIDAR indicates it is going bad. The DEH control system was placed in MANUAL by Operations until the VIDAR can be replaced. The OPC Speed Channel Monitor" and "Control Speed Channel Monitor" lights of the DEH Operator 'A' panel illuminate intermittently. The Supervisory Speed Channel input indicates 2250 RPM with a normal 1800 RPM input voltage at the half-shell input. Corrective action indicated the following:

Replaced VIDAR unit. Restarted DEH computer and Ieft system operating sat.

AR 1516 — Event where on 10/23/98, all four turbine governor valves went full open during a power decrease with DEH in automatic. A manual reactor trip was initiated after power increased from 84% to 90%.

A memorandum from the contract DEH system consultant was included in the investigation, which indicated a discrepancy between his recommendations for operating the DEH system and the guidance in OP-131.01. The consultant recommended keeping the feedback loops (impulse and MWe) out after transferring from MANUAL to AUTOMATIC to minimize load swings. The consultant also recommended changing load at least 1 'unit' on DEH prior to placing the impulse and MWe feedback loops in service. Both recommendations were given when the earlier event occurred (ACR 92-168), and copies of the memorandum were sent to Operations Procedures, Operations Supervision, and Regulatory Affairs, but the procedure was not revised.

The corrective actions identified in this report are designed to prevent recurrence of problems of the type identified in this event.