05000529/LER-2015-001
| Palo Verde Nuclear Generating Station (Pvngs) Unit 2 | |
| Event date: | 01-11-2015 |
|---|---|
| Report date: | 03-25-2015 |
| Reporting criterion: | 10 CFR 50.73(a)(2)(v), Loss of Safety Function |
| 5292015001R00 - NRC Website | |
Reported lessons learned are incorporated into the licensing process and fed back to industry.
Send comments regarding burden estimate to the FOIA, Privacy and Information Collections Branch (T-5 F53), U,S. Nuclear Regulatory Commission, Washington, DC 20555-0001, or by internet e-mail to Infocollects.Resource@nrc.gov, and to the Desk Officer, Office of Information and Regulatory Affairs, NEOB-10202, (3150-0104), Office of Management and Budget, Washington, DC 20503. If a means used to impose an information collection does not display a currently valid OMB control number, the NRC may not conduct or sponsor, and a person is not required to respond to, the information collection.
Palo Verde Nuclear Generating Station All times are Mountain Standard Time and approximate unless otherwise indicated.
1. REPORTING REQUIREMENT(S):
This Licensee Event Report is being submitted pursuant to 10 CFR 50.73 (a)(2)(i)(B) to report a condition prohibited by Technical Specification (TS) Limiting Condition for Operation (LCO) 3.3.5, Engineered Safety Features Actuation System (ESFAS) (EIIS: JE) Instrumentation. When one or more functions of a single automatic ESFAS trip channel are inoperable, LCO 3.3.5, Condition A, requires affected channels to be placed in bypass or trip within one hour. If the required action and associated completion time is not met, LCO 3.3.5, Condition E, requires the unit to be in MODE 3 within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and to be in MODE 4 within 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />. An ESFAS trip channel became inoperable in PVNGS Unit 2 on January 11, 2015; however, the required actions of LCO 3.3.5 were not completed until after discovery on January 24, 2015.
2. DESCRIPTION OF STRUCTURE(S), SYSTEM(S) AND COMPONENT(S):
The plant protection system (PPS) (EllS: JC) is comprised of the reactor protection system (RPS) (EIIS: JC) and the ESFAS system. The RPS portion of the PPS provides a rapid and reliable shutdown of the reactor to protect the core and the reactor coolant system (EIIS: AB) pressure boundary from potentially hazardous operating conditions. The ESFAS portion of the PPS initiates necessary safety systems to prevent violating core design limits and to protect the RCS pressure boundary and containment (EIIS: NH) during anticipated operational occurrences and ensures acceptable consequences during accidents.
Each RPS and ESFAS trip actuation function consists of the instrumentation, signal processing equipment, bistable relays, logic matrices, initiation relays, controls, and indications required to perform its intended function and create an effective interface with the operator. Four redundant protective channels (A, B, C and D) are used for each trip or actuation function. The ESFAS circuits generate the following signals using 2-out-of-4 logic when monitored plant parameters reach levels that are indicative of conditions requiring protective action:
- containment isolation actuation signal (CIAS)
- containment spray actuation signal (CSAS)
- main steam isolation signal (MSIS)
- safety injection actuation signal (SIAS)
- recirculation actuation signal (RAS)
- steam generator (SG) 1 auxiliary feedwater actuation signal (AFAS-1)
- SG 2 auxiliary feedwater actuation signal (AFAS-2) Each of the two auxiliary feedwater actuation signals (AFAS-1 and AFAS-2) automatically starts necessary equipment and opens necessary valves to feed the affected SG when level decreases below 25.8 percent on any two of the four wide range level instrument channels.
If the two SGs differ in pressure by more than a set value, a fault in a SG or its associated piping is assumed, and a differential pressure (DP) lockout is activated that automatically closes the auxiliary feedwater isolation and flow control valves for the lower pressure SG.
This prevents adding feedwater to a faulted SG. In order for the DP lockout feature to function as designed, the bistable relay setpoint for SASB22 must not be permitted to drift beyond its TS value of less than or equal to ( (psid).
The plant annunciator (RK) (EIIS: IB) system and the plant computer (RJ) (EIIS: ID) alarm displays provide two separate means of alerting operators to changes in plant conditions.
The RK system provides a flashing alarm window and a distinct audible bell tone to inform control room personnel when a monitored point is alarming. RK alarms require an operator to physically acknowledge the alarm in order to silence the bell tone. Adherence to an associated alarm response procedure is required for each RK alarm.
The RJ system alerts operators of a change in plant conditions by displaying an alarm as a flashing text line on select control room monitors. A brief audible sound accompanies an RJ alarm but does not require operator acknowledgement. Some, but not all, RJ alarms have an associated procedural alarm response. In addition, some RJ alarms are configured to also initiate an accompanying RK system alarm, which require both operator acknowledgement and a procedural alarm response.
The RJ system provides an alarm to alert operators when the SASB22 value approaches the SG Pressure Difference-High TS value; however, it is not among those alarms that have an accompanying RK alarm.
3. INITIAL PLANT CONDITIONS:
On January 11, 2015, PVNGS Unit 2 was in Mode 1 (Power Operation), at 100 percent power, normal operating temperature, and normal operating pressure. There were no other structures, systems, or components inoperable at the time of the event that contributed to the event.
4. EVENT DESCRIPTION:
On January 11, 2015, at 0024, Unit 2 received an RJ alarm on point SASB22, indicating the setpoint for the bistable that monitors differential pressure between SGs had approached its allowable limit for SG Pressure Difference-High. The alarm condition occurred because the bistable setpoint for the related ESFAS function had drifted beyond the allowable value for this parameter. The alarm condition was not detected by operators until late in that shift.
When the alarm was identified, operators verified SG pressures were normal and the ESFAS SG DP High annunciators were not in an alarm condition. The significance of the alarm was not apparent because the value was displayed by the RJ system in volts versus psid. As a result, the inoperable condition of the related ESFAS function was not detected and the actions of LCO 3.3.5 were not completed. The operators also reviewed the RJ system alarm response procedure and determined that no response was provided for alarm point SASB22.
At the end of the shift, the need for follow-up action to investigate the impact of the SASB22 alarm condition was not effectively communicated to the oncoming crew and no follow-up actions were taken. During subsequent shifts control room operators did not recognize the significance of the SASB22 alarm point on the plant computer display. On January 24, 2015, at 0216, a control room operator noted that RJ alarm point SASB22 was in alarm on the plant computer and questioned the impact of this condition. With Maintenance assistance, the ESFAS bistable setpoint value at the PPS cabinet was verified to read 1.404 volts. This corresponds to a differential pressure of 213 psid and exceeds the TS limit of Operators declared Channel B SG Pressure Difference-High function inoperable and the SG 2 Level Low (AFAS-2) function was placed in bypass as required by LCO 3.3.5, Condition A.
Two investigations were performed in response to this event: an apparent cause evaluation to address the equipment problem that resulted in drift of the setpoint, and a root cause evaluation to address the operations human performance shortfalls that resulted in failure to recognize a condition prohibited by TSs.
5. ASSESSMENT OF SAFETY CONSEQUENCES:
This event did not result in a potential transient more severe than those analyzed in the Updated Final Safety Analysis Report or result in the release of radioactive materials to the environment. There were no actual safety consequences as a result of this event and the event did not adversely affect the health and safety of the public.
During the time when the Channel B SG Pressure Difference-High function was inoperable, channels A, C and D for this parameter remained operable and were fully capable of performing the safety function to secure feeding a faulted SG 2. The condition resulted in loss of some defense-in-depth capability designed into the ESFAS logic. With one degraded bistable channel the PPS ESFAS logic continued to be capable of performing the safety function with a 2-out-of-3 logic; therefore, the core damage risk and large early radioactive release risk impacts were negligible.
The condition would not have prevented the fulfillment of a safety function and the condition did not result in a safety system functional failure as defined by 10 CFR 50.73(a)(2)(v).
6. CAUSE OF THE EVENT:
The direct cause of the event was setpoint drift of SASB22, ESFAS Channel B SG Pressure Difference-High function bistable relay, Electro - Mechanics Inc., model 33450, caused by potentiometers that had not recently been wiped clean. The calibration procedure only required wiping the bistable potentiometers clean if the as-found reading was out of a specified narrow band, typically 50 percent of the as-found tolerance. Atypical of industry operating experience performance, the readings remained in this narrow band for an extended period of time; therefore, that section of the procedure was not recently performed.
The root cause was the lack of an annunciated alarm for SASB22 and associated alarm response procedure to ensure the alarm condition was promptly acknowledged, understood, and correctly addressed within TS time limitations. Contributing to this event were weaknesses in meeting Operations Department standards and expectations for alarm response.
7. CORRECTIVE ACTIONS:
Troubleshooting of the ESFAS Channel B SG Pressure Difference-High function was completed and confirmed the allowable value for the setpoint voltage was exceeded. The potentiometers were wiped clean, the setpoint was returned to the proper value, and appropriate retests were completed. A review of Maintenance procedures concluded that recent revisions contain adequate guidance for wiping clean PPS potentiometers during routine maintenance; therefore, no further action was necessary.
As an interim corrective action, an Operations standing order was issued to implement a requirement that logs be taken every four hours to verify that PPS setpoints are not in alarm.
Monitoring in this manner provides reasonable assurance that appropriate RJ alarms that do not have an associated RK alarm will be identified and addressed in a timely manner.
To prevent recurrence, an RK alarm and associated procedural alarm response will be provided for point SASB22 and similar RJ alarm points that were identified during an extent of cause review.
Identified Operations weakness in meeting alarm response standards and expectations will be addressed in the training environment.
8. PREVIOUS SIMILAR EVENTS:
No previous similar events have been reported to the NRC by PVNGS in the prior three years.