05000461/LER-2013-009
| Clinton Power Station, Unit 1 | |
| Event date: | 12-13-2013 |
|---|---|
| Report date: | 02-10-2014 |
| Reporting criterion: | 10 CFR 50.73(a)(2)(iv)(A), System Actuation |
| Initial Reporting | |
| ENS 49632 | 10 CFR 50.72(b)(2)(iv)(B), RPS System Actuation |
| 4612013009R00 - NRC Website | |
Reported lessons learned are Incorporated into the licensing process and fed back to industry.
Send comments regarding burden estimate to the FOIA, Privacy and Information Collections Branch (1-5 F53), U.S. Nuclear Regulatory Commission, Washington, DC 20555-0001, or by intemet e-mail to Infocollects.Resource@nrcgov, and to the Desk Officer, Office of Information and Regulatory Affairs, NEOB-10202, (3150-0104), Office of Management and Budget.
Washington, DC 20503. If a means used to impose an information collection does not display a currently vafid OMB control number, the NRC may not conduct or sponsor, and a person is not required to respond to, the information collection.
PLANT AND SYSTEM IDENTIFICATION
General Electric -- Boiling Water Reactor, 3473 Megawatts Thermal Rated Core Power Energy Industry Identification System (EllS) codes are identified in text as [XX].
EVENT IDENTIFICATION
Software Errors in New Digital Feedwater Control System Result in Manual Reactor Scram Due to Approaching High Reactor Pressure Vessel Water Level Setpoint
A. Plant Operating Conditions Before the Event
Unit: 1 Event Date: 12113/2013 Event Time: 1758 hours0.0203 days <br />0.488 hours <br />0.00291 weeks <br />6.68919e-4 months <br /> Central Standard Time (CST) Mode: 1 Mode Name: POWER OPERATION Reactor Power: 18 percent
B. DESCRIPTION OF EVENT
On 12/13/13 the plant was in Mode 1 (Power Operation) at 18 percent reactor power and power ascension was in progress from a plant outage. Operators were preparing to transition from the Motor Driven Reactor Feed Pump (MDRFP) [Si] [P] to the 'A' Turbine Driven Reactor Feed Pump (TDRFP) in accordance with the feedwater operating procedure. This was a first time evolution for the operating crew using the digital feedwater control system (DFW), although the crew was trained on DFW in the simulator. In accordance with the procedure, Operators opened the 'A' TDRFP discharge valve [V] and placed the 'A' TDRFP recirculation valve in automatic, which positioned the recirculation valve to 25% open.
When the 'A' TDRFP began to feed, the MDRFP began to reduce flow as designed. Over the next few minutes, flow from the two feed pumps began to fluctuate, and reactor pressure vessel [RPV] water level began to oscillate outside the normal control band. Operators recognized the level swings were growing in amplitude, and took manual control of the MDRFP flow control valve [FCV]. With the FCV valve shut and no flow from the MDRFP, Operators gave the FCV a shut signal to ensure it remained fully shut. At this time, the speed of the 'A' TDRFP increased causing an increase in RPV water level. At 1758 hours0.0203 days <br />0.488 hours <br />0.00291 weeks <br />6.68919e-4 months <br /> when the predetermined RPV water level threshold was achieved (prior to the Level 8 high RPV water level signal), operators placed the Reactor Mode Switch [HS] Into the Shutdown position, initiating a manual Reactor SCRAM.
RPV water level decreased to the low RPV water Level 3 setpoint as expected and operators entered Emergency Operating Procedure (EOP) -1, RPV Control. Operators verified all control rods fully inserted into the reactor core.
Normally closed Group 2 (Residual Heat Removal (RHR) [BC]), Group 3 (RHR), and Group 20 (miscellaneous systems) containment isolation valves received signals to close as expected from the Level 3 trip and operators subsequently verified the associated valves were closed.
Operators controlled reactor pressure using main steam line drains [SB] and controlled reactor pressure vessel level using the feedwater I condensate booster systems [SD].
This event is reportable under the provisions of 10 CFR 50.73(a)(2)(iv)(A) due to the unplanned manual actuation of the Reactor Protection System [JC] (RPS) and actuations of containment isolation valves. Event Notification Number 49632 was made to the NRC on 12/13/13 at 1907 hours0.0221 days <br />0.53 hours <br />0.00315 weeks <br />7.256135e-4 months <br /> CST.
This event was entered into the Clinton Power Station corrective action program under Issue Report 1596987. 2
C. CAUSE OF EVENT
The Root Cause for this event is that system and component level critical characteristics and parameters were embedded within the application software that were not identified, evaluated, and mitigated in the engineering change package for the recently installed digital feedwater control system.
D. SAFETY CONSEQUENCES
When reactor water level approached the high RPV water Level 8 trip set point, operators took manual action to shut down the reactor prior to an automatic reactor scram and place the plant in a safe and stable condition. Safety-related systems functioned correctly in response to this event with critical plant parameters remaining within the bounds of plant design, Technical Specifications, Updated Safety Analysis Report, Offsite Dose Calculation Manual, and Core Operating Limits Report. No plant safety limits were exceeded. No Emergency Core Cooling System actuations occurred or were required to place the plant in a safe and stable condition.
E. CORRECTIVE ACTIONS
The installed digital feedwater programming will be revised to correct the identified software errors.
Operating procedures have been revised as interim corrective action to provide operators with clear guidance for manually bringing the TDRFP on line and specific operating limits to prevent TDRFP operation below 2900 RPM. These revisions will ensure safe and controlled operation of the TDRFP until programming is revised and installed to correct the identified software errors.
The Process for Managing Plant Modifications Involving Microprocessor Technology, will be revised to mandate that any and all engineering judgments and unverified assumptions encapsulated within vendor provided software be clearly identified and independently validated prior to modification completion. This includes function blocks, mathematical calculations and modeled plant performance characteristics.
F. PREVIOUS OCCURRENCES
No previous similar events have been identified.
G. COMPONENT FAILURE DATA
No components failed during this event.