05000499/LER-2008-002
South Texas, Unit 2 | |
Event date: | 10-25-2008 |
---|---|
Report date: | 10-29-2009 |
Reporting criterion: | 10 CFR 50.73(a)(2)(v)(B), Loss of Safety Function - Remove Residual Heat 10 CFR 50.73(a)(2)(iv)(B), System Actuation 10 CFR 50.73(a)(2)(iv)(A), System Actuation |
4992008002R01 - NRC Website | |
I.�DESCRIPTION OF REPORTABLE EVENT
A. REPORTABLE EVENT CLASSIFICATION
This event is reportable pursuant to 10 CFR 50.73(a)(2)(iv)(A) as an event or condition that resulted in a valid automatic actuation of systems listed in paragraph (a)(2)(iv)(B) of this section of 10 CFR 50.73. The actuation was not part of a pre-planned sequence during testing or reactor operation. The actuation resulted in automatic start of all three Engineered Safety Features (ESF) Diesel Generators, a Containment ventilation isolation, a Containment phase A isolation and tripping of the running Residual Heat Removal (RHR) pumps.
This event is also considered reportable pursuant to 10 CFR 50.73(a)(2)(v)(B) as an event or condition that could have prevented the fulfillment of the safety function of structures or systems that are needed to remove residual heat.
B. PLANT OPERATING CONDITIONS PRIOR TO THE EVENT
At the time of the event, Unit 2 was in MODE 5 with two RHR pumps running.
C. STATUS OF STRUCTURES, SYSTEMS, OR COMPONENTS THAT WERE
INOPERABLE AT THE START OF THE EVENT AND THAT CONTRIBUTED TO THE
EVENT
The Solid State Protection System (SSPS) that initiated the actuation signal was inoperable as planned at the initiation of the event.
D. NARRATIVE SUMMARY OF THE EVENT, INCLUDING DATES AND APPROXIMATE
TIMES
At approximately 1600 on October 25, 2008, with Unit 2 in MODE 5 during the end of a refueling outage, a test switch on the SSPS failed to operate as expected during the performance of a surveillance. It was determined that an A416 general logic card had failed. A decision was made to replace the failed circuit card as emergent work to support the outage MODE ascension plan.
The repair was considered to have little risk in the plant condition existing at the time of the event provided the SSPS cabinets were removed from service. No formal risk assessment was conducted. It was decided to combine the surveillance procedure with the maintenance activity to replace the circuit card in the work package instructions.
The preparation of the emergent work package included a turnover from the day shift to the night shift. During the transfer of information, the requirements to have SSPS out of service and actuation trains in a test condition prior to replacing the failed circuit card were not communicated clearly to the on coming shift. The work package was reviewed by an individual who had very limited familiarity with the SSPS. During the process to gain permission to start the work, it was decided that all prerequisites of the surveillance procedure were required. The performance of all the prerequisites placed both logic trains of the SSPS in normal and all actuation trains in operate.
5 Work start permission was received and the surveillance prerequisite steps were completed. Upon removal of the failed A416 circuit card on October 25, 2008 at 2344 hours0.0271 days <br />0.651 hours <br />0.00388 weeks <br />8.91892e-4 months <br />, a low steam pressure actuation signal block was removed from the actuation circuitry. This condition provided a valid Safety Injection (SI) actuation signal. The actuation resulted in automatic start of all three Engineered Safety Features (ESF) Diesel Generators, a Containment ventilation isolation, a Containment phase A isolation and tripping of the running Residual Heat Removal (RHR) pumps. The RHR pumps trip because their power supplies are stripped from the ESF electrical buses in response to an SI signal. No safety system that was aligned to actuate in response to the signal failed to actuate.
There was no discharge of the Emergency Core Cooling System (ECCS) into the Reactor Coolant System (RCS). The High Head Safety Injection Pumps were in pull-to-lock as required by the Technical Specifications for this plant MODE. The Low Head Safety Injection pumps were in pull-to-lock to meet the requirements of plant procedures for the plant condition.
It was concluded immediately that the maintenance activity resulted in the SI actuation.
The actuation trains were placed in a test condition and the SI actuation signal was reset.
The first RHR pump was restarted in approximately four minutes following the tripping of the pump. The second RHR pump was restarted in approximately six minutes following the tripping of the pump. The interruption of RHR flow resulted in a RCS temperature rise of 7°F (i.e. 147°F to 154°F) based on monitoring core exit thermocouple temperatures.
E. THE METHOD OF DISCOVERY OF EACH COMPONENT OR SYSTEM FAILURE, OR
PROCEDURAL OR PERSONNEL ERROR
The unintended SI actuation was self-revealing as a result of the performance of the maintenance activity when the failed circuit card was removed from the SSPS.
II.0COMPONENT OR SYSTEM FAILURES
A. FAILURE MODE, MECHANISM, AND EFFECTS OF EACH FAILED COMPONENT
This valid actuation of safety systems was not a result of a failed component.
B. CAUSE OF EACH COMPONENT OR SYSTEM FAILURE
Not applicable.
C. SYSTEMS OR SECONDARY FUNCTIONS THAT WERE AFFECTED BY FAILURE OF
COMPONENTS WITH MULTIPLE FUNCTIONS
Not applicable.
D. FAILED COMPONENT INFORMATION
Not applicable.
5 III.�ANALYSIS OF THE EVENT
A. SAFETY SYSTEM RESPONSES THAT OCCURRED
Although a valid SI actuation signal was generated and safety systems were unnecessarily challenged, the actuation was not required for the plant condition. Proper performance of the maintenance activity should have resulted in continuing to block the actuation signal.
The RHR system was in service. The SI actuation resulted in loss of this system.
B. DURATION OF SAFETY SYSTEM TRAIN INOPERABILITY
The first RHR loop was out of service for approximately four minutes. The second RHR loop was out of service for approximately six minutes.
C. SAFETY CONSEQUENCES AND IMPLICATIONS
The event did not have an adverse affect on the health and safety of the public.
There was no discharge of the ECCS into the RCS.
Residual heat removal capability was lost for a brief period of time. The loss of RHR cooling occurred 21 days after shutdown with the core reloaded for the next operating cycle. The RCS was pressurized and all four steam generators were available for heat removal. Using conservative assumptions based on plant data, sufficient heat removal capability existed to keep the RCS from boiling for 31 hours3.587963e-4 days <br />0.00861 hours <br />5.125661e-5 weeks <br />1.17955e-5 months <br />. A bounding evaluation determined that the Conditional Core Damage Probability for this event was much less than 1E-06.
This event resulted in no personnel injuries, no offsite radiological releases, and no damage to other safety-related equipment.
IV.�CAUSE OF THE EVENT
- The outage process did not have specific requirements for processing emergent work or evaluating the associated risk impact on plant conditions.
- Work planning guidance lacked sufficient rigor. Ownership for work package preparation and review was not clearly established. Mitigation strategies were not formalized to ensure that the technical content of the work package was correct. The technical expertise required for a work package review was not specified.
- Combining the surveillance procedure with the maintenance activity to replace the circuit card complicated the work coordination. The increased level of complexity in the work package instructions resulted in the SSPS being in service instead of being removed from service for the circuit card replacement.
V.�CORRECTIVE ACTIONS
- Residual heat removal capability was restored.
- Work instructions were revised to configure the SSPS so that the logic cabinets would be out of service and the actuations trains in test to support the A416 circuit card replacement.
- A plant procedure will be implemented to specify requirements for addressing emergent work during outages including requirements for assessing any shutdown risk created by the work activity. The procedure will list roles and responsibilities of key individuals for providing input, review and approval of emergent work packages.
- The Planner's Guide will be revised to include:
a. Requirements to avoid using Operations procedures as work instructions to ensure work instructions are kept simple for review of technical requirements pertaining to the performance of the maintenance activity. If Operations procedures are used, the Planners Guide will provide for a formalized process and required technical justification regarding using this approach.
b. A.defense in depth strategy in work package preparation identifying such attributes as review responsibilities and error mitigation strategies.
VI.�PREVIOUS SIMILAR EVENTS There have been no STPNOC Licensee Event Reports in the past three years regarding the valid automatic actuation of safety systems or loss of residual heat removal.
VI.�ADDITIONAL INFORMATION The 10 CFR 50.72 notification to the Nuclear Regulatory Commission on October 27, 2008, Event Number 44605, stated the removal of the block for the low pressurizer pressure signal initiated the actuation. Upon further review of the event, the removal of the block for the low steam pressure signal, as stated in Section I.D above, initiated the actuation.