05000499/LER-2008-002, Regarding Valid Actuation of Safety Systems

Regarding Valid Actuation of Safety Systems
ML083650345
Person / Time
Site: South Texas 
Issue date: 12/22/2008
From: Coates K
South Texas
To:
Document Control Desk, Office of Nuclear Reactor Regulation
References
NOC-AE-08002373 LER 08-002-00


LER-2008-002, Regarding Valid Actuation of Safety Systems
Event date:
Report date:
Reporting criterion: 10 CFR 50.73(a)(2)(iv)(B), System Actuation

10 CFR 50.73(a)(2)(i)

10 CFR 50.73(a)(2)(vii), Common Cause Inoperability

10 CFR 50.73(a)(2)(ii)(A), Seriously Degraded

10 CFR 50.73(a)(2)(viii)(A)

10 CFR 50.73(a)(2)(ii)(B), Unanalyzed Condition

10 CFR 50.73(a)(2)(viii)(B)

10 CFR 50.73(a)(2)(iii)

10 CFR 50.73(a)(2)(ix)(A)

10 CFR 50.73(a)(2)(iv)(A), System Actuation

10 CFR 50.73(a)(2)(x)

10 CFR 50.73(a)(2)(v)(A), Loss of Safety Function - Shutdown the Reactor

10 CFR 50.73(a)(2)(v)(B), Loss of Safety Function - Remove Residual Heat

10 CFR 50.73(a)(2)(i)(A), Completion of TS Shutdown

10 CFR 50.73(a)(2)(v), Loss of Safety Function

10 CFR 50.73(a)(2)(i)(B), Prohibited by Technical Specifications

Nuclear Operating Company
South Texas Project Electric Generating Station
P.O. Box 289, Wadsworth, Texas 77483

December 22, 2008
NOC-AE-08002373
10 CFR 50.73

U. S. Nuclear Regulatory Commission
Attention: Document Control Desk
One White Flint North
11555 Rockville Pike
Rockville, MD 20852-2738

South Texas Project Unit 2
Docket No. STN 50-499
Licensee Event Report 2008-002
Valid Actuation of Safety Systems

Pursuant to 10 CFR 50.73, the STP Nuclear Operating Company (STPNOC) submits the attached Unit 2 Licensee Event Report 2008-002 to address a valid actuation of some of the safety systems listed in 10 CFR 50.73(a)(2)(iv)(B). The valid actuation resulted in the loss of residual heat removal capability for a brief period of time.

This event did not have an adverse effect on the health and safety of the public.

There are no commitments contained in this event report. Resulting corrective actions will be implemented in accordance with the Corrective Action Program.

If there are any questions regarding this submittal, please contact Ken Taplett at (361) 972-8416 or me at (361) 972-8902.

Ken Coates Plant General Manager kjt/

Attachment: South Texas Unit 2 LER 2008-002 STI: 32411719

cc:

(paper copy)

Regional Administrator, Region IV, U. S. Nuclear Regulatory Commission, 612 East Lamar Blvd, Suite 400, Arlington, Texas 76011-4125
Mohan C. Thadani, Senior Project Manager, U.S. Nuclear Regulatory Commission, One White Flint North (MS 7 D1), 11555 Rockville Pike, Rockville, MD 20852
Senior Resident Inspector, U. S. Nuclear Regulatory Commission, P. O. Box 289, Mail Code: MN116, Wadsworth, TX 77483
C. M. Canady, City of Austin Electric Utility Department, 721 Barton Springs Road, Austin, TX 78704
Richard A. Ratliff, Bureau of Radiation Control, Texas Department of State Health Services, 1100 West 49th Street, Austin, TX 78756-3189

(electronic copy)

A. H. Gutterman, Esquire, Morgan, Lewis & Bockius LLP
Mohan C. Thadani, U. S. Nuclear Regulatory Commission
Kevin Howell, Catherine Callaway, Jim von Suskil, NRG South Texas LP
Ed Alarcon, J. J. Nesrsta, R. K. Temple, Kevin Pollo, City Public Service
Jon C. Wood, Cox Smith Matthews
C. Kirksey, City of Austin

NRC FORM 366 U.S. NUCLEAR REGULATORY COMMISSION APPROVED BY OMB: NO. 3150-0104 EXPIRES: 06/30/2007 (6-2004)


FACILITY NAME: South Texas, Unit 2
DOCKET NUMBER: 05000499
3. PAGE: 1 OF 5
4. TITLE: Valid Actuation of Safety Systems
5. EVENT DATE: 10/25/2008
6. LER NUMBER: 2008-002-00
7. REPORT DATE: 12/22/2008
8. OTHER FACILITIES INVOLVED: FACILITY NAME NA, DOCKET NUMBER 05000; FACILITY NAME NA, DOCKET NUMBER 05000
9. OPERATING MODE: 5
10. POWER LEVEL
11. THIS REPORT IS SUBMITTED PURSUANT TO THE REQUIREMENTS OF 10 CFR §: (Check all that apply)

[Checkbox grid; check marks not recoverable. Options listed:]
20.2201(b), 20.2201(d)
20.2203(a)(1), 20.2203(a)(2)(i), 20.2203(a)(2)(ii), 20.2203(a)(2)(iii), 20.2203(a)(2)(iv), 20.2203(a)(2)(v), 20.2203(a)(2)(vi), 20.2203(a)(3)(i), 20.2203(a)(3)(ii), 20.2203(a)(4)
50.36(c)(1)(i)(A), 50.36(c)(1)(ii)(A), 50.36(c)(2)
50.46(a)(3)(ii)
50.73(a)(2)(i)(A), 50.73(a)(2)(i)(B), 50.73(a)(2)(i)(C), 50.73(a)(2)(ii)(A), 50.73(a)(2)(ii)(B), 50.73(a)(2)(iii), 50.73(a)(2)(iv)(A), 50.73(a)(2)(v)(A), 50.73(a)(2)(v)(B), 50.73(a)(2)(v)(C), 50.73(a)(2)(v)(D), 50.73(a)(2)(vii), 50.73(a)(2)(viii)(A), 50.73(a)(2)(viii)(B), 50.73(a)(2)(ix)(A), 50.73(a)(2)(x)
73.71(a)(4), 73.71(a)(5)
OTHER

SUMMARY OF THE EVENT, INCLUDING DATES AND APPROXIMATE TIMES

At approximately 1600 on October 25, 2008, with Unit 2 in MODE 5 during the end of a refueling outage, a test switch on the SSPS failed to operate as expected during the performance of a surveillance. It was determined that an A416 general logic card had failed. A decision was made to replace the failed circuit card as emergent work to support the outage MODE ascension plan.

The repair was considered to have little risk in the plant condition existing at the time of the event provided the SSPS cabinets were removed from service. No formal risk assessment was conducted. It was decided to combine the surveillance procedure with the maintenance activity to replace the circuit card in the work package instructions.

The preparation of the emergent work package included a turnover from the day shift to the night shift. During the transfer of information, the requirements to have SSPS out of service and actuation trains in a test condition prior to replacing the failed circuit card were not communicated clearly to the on coming shift. The work package was reviewed by an individual who had very limited familiarity with the SSPS. During the process to gain permission to start the work, it was decided that all prerequisites of the surveillance procedure were required. The performance of all the prerequisites placed both logic trains of the SSPS in normal and all actuation trains in operate.

Work start permission was received and the surveillance prerequisite steps were completed. Upon removal of the failed A416 circuit card on October 25, 2008 at 2344 hours, a low steam pressure actuation signal block was removed from the actuation circuitry. This condition provided a valid Safety Injection (SI) actuation signal. The actuation resulted in automatic start of all three Engineered Safety Features (ESF) Diesel Generators, a Containment ventilation isolation, a Containment phase A isolation and tripping of the running Residual Heat Removal (RHR) pumps. The RHR pumps trip because their power supplies are stripped from the ESF electrical buses in response to an SI signal. No safety system that was aligned to actuate in response to the signal failed to actuate.

There was no discharge of the Emergency Core Cooling System (ECCS) into the Reactor Coolant System (RCS). The High Head Safety Injection Pumps were in pull-to-lock as required by the Technical Specifications for this plant MODE. The Low Head Safety Injection pumps were in pull-to-lock to meet the requirements of plant procedures for the plant condition.

It was concluded immediately that the maintenance activity resulted in the SI actuation.

The actuation trains were placed in a test condition and the SI actuation signal was reset.

The first RHR pump was restarted in approximately four minutes following the tripping of the pump. The second RHR pump was restarted in approximately six minutes following the tripping of the pump. The interruption of RHR flow resulted in a RCS temperature rise of 7°F (i.e. 147°F to 154°F) based on monitoring core exit thermocouple temperatures.

E. THE METHOD OF DISCOVERY OF EACH COMPONENT OR SYSTEM FAILURE, OR PROCEDURAL OR PERSONNEL ERROR

The unintended SI actuation was self-revealing as a result of the performance of the maintenance activity when the failed circuit card was removed from the SSPS.

II. COMPONENT OR SYSTEM FAILURES

A. FAILURE MODE, MECHANISM, AND EFFECTS OF EACH FAILED COMPONENT

This valid actuation of safety systems was not a result of a failed component.

B. CAUSE OF EACH COMPONENT OR SYSTEM FAILURE

Not applicable.

C. SYSTEMS OR SECONDARY FUNCTIONS THAT WERE AFFECTED BY FAILURE OF COMPONENTS WITH MULTIPLE FUNCTIONS

Not applicable.

D. FAILED COMPONENT INFORMATION

Not applicable.

III. ANALYSIS OF THE EVENT

A. SAFETY SYSTEM RESPONSES THAT OCCURRED

Although a valid SI actuation signal was generated and safety systems were unnecessarily challenged, the actuation was not required for the plant condition. Proper performance of the maintenance activity should have resulted in continuing to block the actuation signal.

The RHR system was in service. The SI actuation resulted in loss of this system.

B. DURATION OF SAFETY SYSTEM TRAIN INOPERABILITY

The first RHR loop was out of service for approximately four minutes. The second RHR loop was out of service for approximately six minutes.

C. SAFETY CONSEQUENCES AND IMPLICATIONS

The event did not have an adverse effect on the health and safety of the public.

There was no discharge of the ECCS into the RCS.

Residual heat removal capability was lost for a brief period of time. The loss of RHR cooling occurred 21 days after shutdown with the core reloaded for the next operating cycle. The RCS was pressurized and all four steam generators were available for heat removal. Using conservative assumptions based on plant data, sufficient heat removal capability existed to keep the RCS from boiling for 31 hours. A bounding evaluation determined that the Conditional Core Damage Probability for this event was much less than 1E-06.

This event resulted in no personnel injuries, no offsite radiological releases, and no damage to other safety-related equipment.

IV. CAUSE OF THE EVENT

The outage process did not have specific requirements for processing emergent work or evaluating the associated risk impact on plant conditions.

Work planning guidance lacked sufficient rigor. Ownership for work package preparation and review was not clearly established. Mitigation strategies were not formalized to ensure that the technical content of the work package was correct. The technical expertise required for a work package review was not specified.

Combining the surveillance procedure with the maintenance activity to replace the circuit card complicated the work coordination. The increased level of complexity in the work package instructions resulted in the SSPS being in service instead of being removed from service for the circuit card replacement.

V. CORRECTIVE ACTIONS

Residual heat removal capability was restored.

Work instructions were revised to configure the SSPS so that the logic cabinets would be out of service and the actuation trains in test to support the A416 circuit card replacement.

A plant procedure will be implemented to specify requirements for addressing emergent work during outages including requirements for assessing any shutdown risk created by the work activity. The procedure will list roles and responsibilities of key individuals for providing input, review and approval of emergent work packages.

The Planner's Guide will be revised to include:

a. Requirements to avoid using Operations procedures as work instructions to ensure work instructions are kept simple for review of technical requirements pertaining to the performance of the maintenance activity. If Operations procedures are used, the Planner's Guide will provide for a formalized process and required technical justification regarding using this approach.

b. A defense in depth strategy in work package preparation identifying such attributes as review responsibilities and error mitigation strategies.

VI. PREVIOUS SIMILAR EVENTS

There have been no STPNOC Licensee Event Reports in the past three years regarding the valid automatic actuation of safety systems.

VII. ADDITIONAL INFORMATION

The 10 CFR 50.72 notification to the Nuclear Regulatory Commission on October 27, 2008, Event Number 44605, stated the removal of the block for the low pressurizer pressure signal initiated the actuation. Upon further review of the event, the removal of the block for the low steam pressure signal, as stated in Section I.D above, initiated the actuation.