IR 05000327/2003010

IR 05000327-03-010 & 05000328-03-010, on 08/29/03 Through 08/31/03 for, Sequoyah Nuclear Power Plant, Tennessee Valley Authority, Chattanooga, Tn; Special Inspection
ML032790062
Person / Time
Site: Sequoyah, Tennessee Valley Authority
Issue date: 10/03/2003
From: Mccree V
Division Reactor Projects II
To: Scalice J
Tennessee Valley Authority
References
IR-03-010

October 3, 2003

SUBJECT: SEQUOYAH NUCLEAR POWER PLANT - NRC SPECIAL INSPECTION REPORT 05000327/2003010 AND 05000328/2003010

Dear Mr. Scalice:

On August 31, 2003, the Nuclear Regulatory Commission (NRC) completed a Special Inspection at the Sequoyah Nuclear Power Plant. The enclosed report documents the inspection conclusions which were discussed on September 4, 2003, with Mr. R. Purcell and other members of your staff.

On August 29, 2003, an Augmented Inspection Team (AIT) was established by NRC Region II management using the guidance contained in Management Directive (MD) 8.3, NRC Incident Investigation Procedures. The AIT was chartered to inspect and assess the apparent turbine trip without an automatic reactor trip event of August 28, 2003, at Sequoyah Unit 1. On August 30, 2003, as permitted by MD 8.3, the AIT was downgraded to a Special Inspection Team (SIT) based on the inspection team's conclusion that there had been no failure of the reactor protection system to automatically trip the reactor. The inspection examined activities conducted under your license as they relate to safety and compliance with the Commission's rules and regulations and with the conditions of your license. The inspectors reviewed selected procedures and records, conducted field walkdowns, observed activities, and interviewed personnel.

The SIT conducted an independent inspection of the circumstances surrounding the event, monitored your investigation of the incident, and reviewed other related plant information. The SIT concluded that your staff's response to the event was appropriate, the turbine control system and the plant responded as designed, and no automatic trip signal was required to immediately shut down the plant. Therefore, no failure of the reactor protection system to automatically trip the reactor occurred. Your event investigation process was sufficiently thorough to determine the cause of the event and fully explained the sequence of events.

In accordance with 10 CFR 2.790 of the NRC's "Rules of Practice," a copy of this letter and its enclosure will be available electronically for public inspection in the NRC Public Document Room or from the Publicly Available Records (PARS) component of NRC's document system (ADAMS). ADAMS is accessible from the NRC Web-site at http://www.nrc.gov/reading-rm/adams.html (the Public Electronic Reading Room).

Sincerely,

/RA/

Victor M. McCree, Director
Division of Reactor Projects

Docket Nos.: 50-327, 50-328
License Nos.: DPR-77, DPR-79

Enclosure:

Inspection Report Nos. 05000327/2003010, 05000328/2003010 w/Attachments

Attachments:
1. Partial List of Persons Contacted
2. Memorandum on Augmented Inspection Team Charter

REGION II

Docket Nos: 50-327, 50-328
License Nos: DPR-77, DPR-79
Report Nos: 05000327/2003010, 05000328/2003010
Licensee: Tennessee Valley Authority (TVA)
Facility: Sequoyah Nuclear Plant, Units 1 & 2
Location: Sequoyah Access Road, Soddy-Daisy, TN 37379
Dates: 8/29/2003 - 8/31/2003
Inspectors: B. Bonser, Branch Chief (Team Leader)
S. Freeman, Senior Resident Inspector
C. Smith, Senior Reactor Inspector
L. Miller, Senior Operations Engineer
S. Walker, Reactor Inspector
Approved by: Victor M. McCree, Director, Division of Reactor Projects

SUMMARY OF FINDINGS

IR 05000327/2003-010, 8/29/2003 - 8/31/2003, Sequoyah Nuclear Power Plant, Unit 1; Tennessee Valley Authority; Special Inspection

This report covers a three-day Special Inspection conducted by a branch chief, a senior resident inspector, a senior reactor inspector, a senior operations engineer, and a reactor inspector to inspect and assess the apparent turbine trip without an automatic reactor trip event of August 28, 2003, at Sequoyah Unit 1. The NRC's program for overseeing the safe operation of commercial nuclear power reactors is described in NUREG-1649, Reactor Oversight Process, Revision 3, dated July 2000.

Special Inspection Conclusions

  • Operations personnel both at the turbine front standard and in the control room took the proper actions for the observed plant indications and the nature of the event. The quick response of the control room operators to trip the reactor was appropriate and mitigated the event before a reactor protection system (RPS) setpoint was reached. The declaration of an Alert made by the Shift Manager was appropriate based on the nature of the event and the understanding of plant conditions at the time of the declaration.
  • The turbine control system responded as designed and no RPS logic input was required from the turbine auto-stop oil system to automatically trip the reactor. RPS logic inputs, which would initiate an automatic reactor trip, were not generated from the auto-stop oil pressure switches or from the turbine main stop valves.
  • The inspectors independently reviewed the information from the licensee's event investigation and concluded that the licensee's investigation of this event was thorough and comprehensive and that the identification of the closed auto-stop oil pressure switch isolation valve fully explained the cause and the resulting sequence of events. The investigation identified two possible causes for the closed isolation valve: an inappropriate verification process following calibration of the auto-stop oil pressure switch or inappropriate configuration control while troubleshooting problems with turbine latching during the last unit startup.
  • There were two opportunities for which the licensee did not complete actions that could have prevented the August 28 event. A single point failure identified in a Problem Event Report (closed pressure switch contacts) was not addressed before performing the turbine testing on August 28. Also, a computer point indicating a generator trip would occur during the last turbine test in June 2003 (unit was not on-line) was not investigated or addressed prior to the August 28 testing.

Report Details

Introduction and Charter

On August 28, 2003, Sequoyah Unit 1 experienced a generator trip with the unit at 100 percent power. The expected automatic turbine trip and reactor trip did not occur. The initial assessment of the event by NRC management concluded that it met the criteria of Management Directive 8.3, NRC Incident Investigation Procedures, in that the lack of an automatic reactor trip represented a loss of safety function used to mitigate an actual event. The initial risk assessment indicated that the conditional core damage probability was approximately 7E-4 and that an Augmented Inspection Team (AIT) was the appropriate NRC response.

On August 28, 2003, an AIT was established by NRC Region II management using the guidance contained in Management Directive 8.3. The objectives of the AIT were to:

(1) determine the facts surrounding the specific event;
(2) assess the licensee's response to the event;
(3) oversee licensee activity during their event review;
(4) identify any generic issues associated with the event; and
(5) interface with other on-site entities.

The AIT charter is attached.

On August 30, 2003, the AIT concluded that there was no failure of the reactor protection system (RPS) (i.e. not a loss of safety function used to mitigate an actual event). The AIT verified that the RPS functioned as expected during the event. Based on this information and a re-assessment of the risk, the Region II Regional Administrator downgraded the AIT to a Special Inspection Team (SIT) on August 30. The objectives of the AIT as outlined in the original charter still applied to the Special Inspection.

Utilizing Inspection Procedure 93812, Special Inspection, the SIT focused on the activities outlined in the AIT charter. Observations and findings of these areas are outlined below.

Event Description

On August 28, 2003, at 4:03 p.m. Unit 1 was operating in Mode 1 with reactor power at 100 percent (1177 MWe, 3453 MWt). Operations personnel were performing 1-PI-OPS-047-760.0, Main Turbine Overspeed and Oil System Tests, on the Unit 1 turbine.

During the thrust bearing trip section of the test, the main generator power circuit breakers (PCBs) tripped open. When the PCBs opened the turbine overspeed protection circuitry operated to prevent the turbine from over speeding and closed the turbine governor and intercept valves. The opening of the PCBs and the action of the turbine overspeed protection circuit caused a rapid reduction in steam demand and the release of steam through the steam dumps into the main condenser, and the opening of all four steam generator atmospheric relief valves (ARVs) and possibly one or more main steam safety valves. The control rods automatically drove-in as reactor coolant system (RCS) Average Loop Temperature (Tavg) increased due to the rapid decrease in steam demand. Pressurizer power operated relief valve (PORV), 1-PCV-68-334, cycled open for about six seconds as Tavg and pressurizer pressure increased.

Control room operators expected an automatic reactor trip and turbine trip when the PCBs opened with full load on the Unit 1 turbine generator. When the automatic trip did not occur, the reactor operator manually tripped the reactor twenty-five seconds after the start of the event. The control room operators completed the actions of emergency procedure E-0, Reactor Trip or Safety Injection, then transitioned to emergency procedure ES-0.1, Reactor Trip Response.

Fifteen minutes after the event began, the Operations Shift Manager, based on his assessment that there was a turbine trip without an automatic reactor trip and a successful manual trip, declared the Alert. The Shift Manager used the Emergency Action Level designator 2.3, failure of reactor protection, to declare an Alert and direct emergency notifications be made to state, local, and federal response organizations.

Immediately following the trip, with steam flow on all four main steam lines indicating in excess of expected flow combined with indications of a failed open steam dump valve, 1-FCV-1-106, control room operators closed the main steam isolation valves (MSIVs) to limit the cool down of the RCS. Control room operators also took manual control of Auxiliary Feed Water per EA-3.8, Manual Control of Auxiliary Feed Water, to limit the cool down of the RCS. The actions of ES-0.1, Reactor Trip Response were then completed, and operators returned to the appropriate plant procedure (0-GO-2, Hot Standby to Critical). The Alert was terminated four hours and twelve minutes later with Unit 1 in a stable hot shutdown condition.

On August 29, during troubleshooting of the turbine control system, the licensee found the isolation valve to low auto-stop oil pressure switch, 1-PS-47-76, closed. This closed isolation valve set up conditions for a single point failure during turbine trip testing which resulted in the generator PCBs opening. The single point failure was induced by the Thrust Bearing Trip Test performed during the Main Turbine Overspeed and Oil System Tests on the Unit 1 turbine.

4. OTHER ACTIVITIES

4OA3 Event Followup

.1 Evaluation of Operator Performance

a. Inspection Scope

The inspectors assessed the performance of operating personnel before and during the event. The assessment included review of the post trip logs, interviews with Operations staff, review of operating logs, review of historical plant event data, and relevant procedural reviews.

b. Findings

Immediately prior to the event Unit 1 was operating in Mode 1 with reactor power at 100 percent. Operations personnel were performing the quarterly simulated auto-stop oil trip tests on the main turbine. Operations personnel at the turbine front standard had conducted a job pre-brief and established communications with personnel in the Unit 1 main control room. During each portion of the surveillance test the turbine trip test lever was held firmly in the Test position to ensure auto-stop oil pressure was not lost, thus preventing the turbine from tripping. If auto-stop oil pressure was lost during any portion of the surveillance, a turbine trip would result. The overspeed trip mechanism oil pressure check and the vacuum trip tests were completed. During conduct of the thrust bearing trip section of the test the main generator PCBs opened.

The Operations personnel at the turbine front standard conducting the test were holding the test lever in the required position and continued to hold it in the Test position until told by the Unit Supervisor to release the test lever. Unit 1 control room operators received alarms that the generator PCBs had tripped open, and observed generator electrical output drop to zero and control rods start stepping in at a rapid rate. The operating crew diagnosed that the turbine-generator was shut down but the reactor was not tripped and decided to initiate a manual reactor trip, suspecting that an automatic reactor trip had failed to actuate. The reactor operator manually tripped the reactor twenty-five seconds from the start of the event.

In responding to the event, operators noted that steam flow on all four main steam lines indicated in excess of expected flow, and one steam dump valve, 1-FCV-1-106, indicated failed open. The operators closed the MSIVs to limit the cool down of the RCS. The control room operators also took manual control of Auxiliary Feed Water per EA-3.8, Manual Control of Auxiliary Feed Water, to limit the cool down of the RCS. With the MSIVs closed steam was released through the steam generator ARVs.

As expected, control room operators completed immediate operator actions, the actions of emergency procedure E-0, Reactor Trip or Safety Injection, and transitioned to emergency procedure ES-0.1, Reactor Trip Response. The Shift Manager, based on information that the reactor had not tripped following a valid automatic trip signal but had been successfully tripped manually, made an Alert emergency declaration using Emergency Action Level (EAL) designator 2.3, failure of reactor protection. Based on the Alert declaration, state, local, and federal response organizations were notified. The Alert was terminated four hours and twelve minutes later with Unit 1 in a stable hot shutdown condition.

The SIT concluded, from their review of the August 28 event, that operations personnel both at the turbine front standard and in the control room took the proper actions for the observed plant indications and the nature of the event. The quick response of the control room operators to trip the reactor was appropriate and mitigated the event before it reached an RPS setpoint and challenged the protection system. The emergency declaration of an Alert made by the Shift Manager was appropriate based on the nature of the event and the understanding of plant conditions at the time of the declaration.

.2 Assessment of Equipment Performance

a. Inspection Scope

The Sequoyah Unit 1 turbine is a Siemens-Westinghouse design with various turbine protective devices provided by the auto-stop oil system. These turbine protection devices include: a mechanical turbine overspeed trip, a low condenser vacuum trip, a low lube oil pressure trip, and a high thrust bearing wear trip. These turbine trip features are tested quarterly using Operations procedure 0-PI-OPS-047-760.0, Main Turbine Overspeed and Oil System Test.

When the event occurred on August 28, Section 6.3 of the turbine test was being performed. This section tests the turbine thrust bearing trip. The thrust bearing trip device is designed to trip the turbine when thrust bearing trip control pressure rises above the set point (60 psig). As the pressure increases, the turbine trip bar auto-stop oil drain valve will raise, dumping auto-stop oil and electro-hydraulic control (EHC) high pressure trip fluid, which results in tripping the turbine. When the thrust bearing wear oil pressure increases to 60 psig, pressure switch 1-PS-47-77B closes. After the auto-stop oil is dumped, the decrease in pressure to less than 45 psig, which is indicative of the turbine having already tripped, closes auto-stop oil pressure switch 1-PS-47-76. With the contacts closed on pressure switches 1-PS-47-77B and 1-PS-47-76, the turbine control logic is satisfied for tripping and locking out the Unit 1 generator power circuit breakers PCB-5034 and PCB-5038.

On August 29, 2003, licensee post-trip troubleshooting on Unit 1 identified that the contacts for 1-PS-47-76 were closed with full auto-stop oil pressure. Further investigation found that the isolation valve for pressure switch 1-PS-47-76 was closed. The valve's required position was open. During the thrust bearing wear trip test on August 28, 1-PS-47-77B was actuated as expected, and with pressure switch 1-PS-47-76 isolated and the contacts closed, the logic was satisfied to trip and lock out both generator PCBs, resulting in separating the Unit 1 generator from the grid.

Normally, with no grid or generator electrical fault condition present, the main generator motors on the grid for about 30 seconds following a turbine trip. Pressure switch 1-PS-47-77B is designed to trip the generator only if a high thrust bearing wear condition exists with the turbine already tripped.

There are no direct turbine or reactor trips initiated from the turbine control logic that would trip the generator breakers. The generator trip from high thrust bearing wear coincident with loss of auto-stop oil pressure is not designed to initiate a turbine trip because the turbine is already assumed to be tripped.

On August 29, 2003, the licensee's post trip investigation identified that contacts for 1-PS-47-76 were closed with full auto-stop oil pressure. Further investigation found that the isolation valve for pressure switch 1-PS-47-76 was closed. The valve's required position was open. The inspectors assessed the performance of the turbine auto-stop oil system and EHC system during the transient caused by isolation of pressure switch 1-PS-47-76, and evaluated the need for initiation of turbine trip signals to the reactor protection system (RPS) for reactor trip functions.

b. Findings

The SIT reviewed the design criteria document for the Reactor Protection System in order to evaluate and verify that equipment performance was consistent with design bases requirements. Design criteria document No. SQN-DC-V-27.9, section 6, specifies the turbine trip-reactor trip design requirements. The turbine trip-reactor trip is actuated by two out of three logic from low auto-stop oil pressure signals or by closed signals from all turbine steam stop valves. A turbine trip will cause a reactor trip above the P-9 setpoint (50 percent reactor power). P-9 is a power escalation permissive, which blocks a reactor trip on turbine trip if it is below an established set point.

Based on review of SQN-DC-V-27.9 the team determined that when the turbine is tripped, turbine auto-stop oil pressure drops, and the drop in pressure is sensed by three safety related pressure switches 1-PS-47-73, 1-PS-47-74 and 1-PS-47-75 in addition to non-safety related pressure switch 1-PS-47-76. A contact closure is provided from each pressure switch when the oil pressure drops below 45 psig. The contact closures from the pressure switches are transmitted to two redundant two out of three logic matrices in RPS, either of which trips the reactor if the reactor power is above the P-9 set point. The auto-stop oil pressure signal also dumps the EHC fluid which closes the turbine stop valves. Upon closure of all stop valves, a reactor trip signal is initiated in RPS if the reactor power is above the P-9 set point.

The inspectors reviewed additional design documents and conducted interviews with the licensee's engineering personnel in order to determine if the above trip signals should have been initiated upon opening of PCB-5034 and PCB-5038. With the reactor operating at 100 percent power at the time the PCBs opened, the turbine experienced an over-speed condition which activated the over-speed protection control circuit at 103 percent of the turbine rated speed. The inspectors reviewed design documents and verified that energization of the over-speed protection control solenoids FSV-47-26A and FSV-47-26B resulted in closing the turbine governor and intercept valves for a turbine over-speed condition of 103 percent. Additionally, based on discussions with the licensee's engineering staff and review of data and design documents, turbine speed did not exceed the over-speed set point of 110 percent for the electrical and mechanical over-speed trips during the transient. The turbine over-speed protection control circuit was therefore successful in maintaining turbine speed below the 110 percent trip set point and precluded tripping the turbine as a result of dumping the auto-stop oil and the EHC fluid. As a result, there were no turbine trip signals initiated during the transient.

Consequently, the inspectors concluded that since auto-stop oil pressure remained normal when the generator tripped there was neither a two out of three RPS logic input generated from the auto-stop oil pressure switches, nor an RPS logic input from the turbine main stop valves which would initiate a reactor trip.

The team found that the isolation of pressure switch 1-PS-47-76 resulted in the pressure switch contact closing (which was indicative of the turbine having been tripped). When the thrust bearing trip test was performed this activated a design feature for protecting the turbine which was based on erroneous information. The information provided by pressure switch 1-PS-47-76 was incorrect in that it provided a logic input that indicated the turbine auto-stop oil pressure was less than 45 psig. At the same time, pressure switches 1-PS-47-73, 1-PS-47-74 and 1-PS-47-75, which have set point values identical to pressure switch 1-PS-47-76, were sensing auto-stop oil pressure that was higher than 45 psig. The design feature for protecting the turbine required immediate opening of the generator output circuit breakers upon occurrence of the simulated thrust bearing failure in order to prevent the generator from motoring to the grid for 30 seconds. This design feature was activated based on this contradictory information concerning the true status of the auto-stop oil pressure. The test requirements, in combination with the human error that isolated pressure switch 1-PS-47-76, resulted in an unusual plant condition where sudden loss of the generator load did not result in the initiation of turbine trip signal inputs to the RPS for tripping the reactor.

Based on the objective evidence reviewed and discussions with the licensee's engineering staff, the SIT concluded that on August 28 the turbine control system responded as designed and no RPS logic input was required from the turbine auto-stop oil system to automatically trip the reactor. RPS logic inputs, which would initiate an automatic reactor trip, were not generated from the auto-stop oil pressure switches or from the turbine main stop valves.
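The two logic paths described above, as an added example (not TVA or NRC material): a small Python model of the generator trip path (1-PS-47-77B and 1-PS-47-76) and the RPS two-out-of-three path fed by 1-PS-47-73, -74 and -75. It assumes an isolated switch senses 0 psig and uses a constructed 100 psig for normal auto-stop oil pressure; `ps76_disagrees` is a hypothetical cross-check, not the indicator-light modification the licensee installed.

```python
from dataclasses import dataclass

# Setpoints stated in the report.
AUTO_STOP_LOW_PSIG = 45.0   # auto-stop oil switch contacts close below this
THRUST_TRIP_PSIG = 60.0     # 1-PS-47-77B closes at this thrust bearing pressure
P9_PERCENT = 50.0           # turbine trip causes reactor trip only above P-9

# Constructed value: the report only says "full auto-stop oil pressure".
NORMAL_AUTO_STOP_PSIG = 100.0

RPS_TAGS = ("1-PS-47-73", "1-PS-47-74", "1-PS-47-75")
PS76_TAG = "1-PS-47-76"


@dataclass
class PressureSwitch:
    tag: str
    isolated: bool = False  # True when the isolation valve is closed

    def contact_closed(self, auto_stop_psig: float) -> bool:
        # Assumption: an isolated switch sees no process pressure (0 psig),
        # so its low-pressure contact reads closed regardless of the header.
        sensed = 0.0 if self.isolated else auto_stop_psig
        return sensed < AUTO_STOP_LOW_PSIG


def low_pressure_votes(auto_stop_psig, rps_switches):
    """Number of RPS-input switches reporting low auto-stop oil pressure."""
    return sum(sw.contact_closed(auto_stop_psig) for sw in rps_switches)


def generator_trip(thrust_psig, auto_stop_psig, ps76):
    """Non-safety path: 77B closed AND 76 closed trips the generator PCBs."""
    ps77b_closed = thrust_psig >= THRUST_TRIP_PSIG
    return ps77b_closed and ps76.contact_closed(auto_stop_psig)


def rps_turbine_trip_input(auto_stop_psig, rps_switches,
                           all_stop_valves_closed, power_percent):
    """Safety path: 2-of-3 low pressure OR all stop valves closed, above P-9."""
    two_of_three = low_pressure_votes(auto_stop_psig, rps_switches) >= 2
    return power_percent > P9_PERCENT and (two_of_three or all_stop_valves_closed)


def ps76_disagrees(auto_stop_psig, ps76, rps_switches):
    """Hypothetical pre-test check: does 76 contradict the 2-of-3 majority?"""
    majority_low = low_pressure_votes(auto_stop_psig, rps_switches) >= 2
    return ps76.contact_closed(auto_stop_psig) != majority_low


def run_case(thrust_psig, auto_stop_psig, isolated_tags=(),
             stop_valves_closed=False, power_percent=100.0):
    rps = [PressureSwitch(t, t in isolated_tags) for t in RPS_TAGS]
    ps76 = PressureSwitch(PS76_TAG, PS76_TAG in isolated_tags)
    return {
        "generator_trip": generator_trip(thrust_psig, auto_stop_psig, ps76),
        "rps_input": rps_turbine_trip_input(
            auto_stop_psig, rps, stop_valves_closed, power_percent),
        "ps76_disagrees": ps76_disagrees(auto_stop_psig, ps76, rps),
    }


def scenarios():
    """Constructed cases; pressures are illustrative, not plant data."""
    full, test = NORMAL_AUTO_STOP_PSIG, THRUST_TRIP_PSIG
    return {
        # Thrust bearing test with every isolation valve open: nothing trips.
        "test_valves_open": run_case(test, full),
        # August 28: 76 isolated, so the test alone opens the generator PCBs
        # while the RPS path correctly sees normal oil pressure.
        "test_ps76_isolated": run_case(test, full, isolated_tags=(PS76_TAG,)),
        # One RPS switch isolated: 2-of-3 voting tolerates the single fault.
        "test_ps73_isolated": run_case(test, full, isolated_tags=(RPS_TAGS[0],)),
        # Real thrust bearing trip at power: oil dumped, stop valves closed.
        "real_thrust_trip": run_case(test, 0.0, stop_valves_closed=True),
        # Turbine trip below P-9: reactor trip on turbine trip is blocked.
        "turbine_trip_below_p9": run_case(0.0, 0.0, stop_valves_closed=True,
                                          power_percent=40.0),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:24s} {result}")
```

The `test_ps76_isolated` and `test_ps73_isolated` rows show the asymmetry the report describes: a single mispositioned valve defeats the single-switch generator interlock but not the voted RPS input.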

The SIT also reviewed the apparent failure of a steam dump to close following the manual trip of the reactor. The licensee's investigation found that the dump appeared open due to an out of adjustment limit switch.

.3 Potential Undetectable Failure of Pressure Switch

a. Inspection Scope

The inspectors evaluated the licensee's corrective actions for the potential undetectable failure of low auto-stop oil pressure switch 1-PS-47-76 documented in Problem Event Report (PER) 02-006955-000.

b. Findings

On June 29, 2002, during an engineering review, the licensee identified a potential undetectable single point failure associated with performance of the turbine test (0-PI-OPS-047-760.0). The concern was that during performance of the test there are two trip signals that could trip the generator. The licensee found that when pressure switch PS-47-77B actuates during the thrust bearing test the contacts remaining open on low auto-stop oil pressure switch PS-47-76 are all that are preventing a generator trip. The problem the licensee identified was that there was no clear method of verifying the state of the PS-47-76 contacts. In the event that this pressure switch failed, the generator could trip during performance of the thrust bearing test. The apparent cause for this potential undetectable single point failure was described as original plant design of both the Sequoyah units and Watts Bar units. Watts Bar implemented a plant modification which resolved this design weakness at that facility.

As of August 28, the day of the event, a Sequoyah plant modification had not been implemented for resolving this potential undetectable failure. The PER was closed with a proposal to add an indicator light to identify whether the pressure switch contacts were closed during the upcoming refueling outages. Additionally, an interim corrective action, to monitor the pressure switch contact condition prior to performance of the thrust bearing test, was never implemented. The reason given for not implementing this interim corrective action was that it presented more risk than the single point failure potential.

As a consequence of the events on August 28, the licensee proposed immediate implementation of corrective action for addressing the design deficiency involving the undetectable single point failure of pressure switch PS-47-76. A plant modification (DCN 21563) was issued and implemented to install an indicator light for monitoring the open/close contact status of pressure switch 1-PS-47-76.

The SIT also identified a second missed opportunity where the event could have been prevented. In June 2003, when the turbine thrust bearing wear detector was last tested, the low auto-stop oil pressure switch isolation valve was closed. When the turbine thrust bearing test was performed the turbine control logic initiated the same generator trip signal, but because the generator breakers were already opened there was no event. In that test, however, a computer point fed from the relay that trips the generator breakers indicated the trip occurred.

There were two opportunities for which the licensee did not complete actions that could have prevented the August 28 event. The single point failure identified in the Problem Event Report (closed pressure switch contacts) was not addressed before performing the turbine testing on August 28. Also, the computer point indicating a generator trip would occur during the last turbine test in June 2003 (unit was not on-line) was not investigated or addressed prior to the August 28 testing.

.4 Assessment of Performance History of Auto-stop Oil Pressure Switches

a. Inspection Scope

The inspectors assessed the operating performance history of auto-stop oil pressure switches 1-PS-47-73, -74, & -75 (RPS Logic Input), and 1-PS-47-76 (turbine already tripped).

b. Findings

The SIT members also reviewed the instrument data package documentation prepared for calibration of pressure switch 1-PS-47-76 and conducted discussions with licensee's staff in order to verify the calibration status of this instrument. Based on this review the inspectors noted several deficiencies with the instrument calibration that was performed on April 1, 2003. Specifically, procedural requirements for "performed by" and "verified by" checks involving removal and return of the instrument to service were not checked as having been completed. In lieu of the check mark there was an asterisk with a note that said: "sense lines and associated valves were previously removed by Westinghouse for the HP turbine replacement." An interview by the licensee of the individual who later signed as the independent verifier for the pressure switch valve line-up of 1-PS-47-76 on April 23, 2003, indicated that the valves were verified to be in the correct position.

This was identified by the licensee as one of two possible causes of the pressure switch isolation valve being left closed. The licensee recognized the problem with the independent verification of valve configuration on this non-safety related system and planned to communicate the lessons learned from this error as part of the corrective action.

Additional deficiencies identified by the inspectors involved a discrepancy between TVA drawing 1,2-47W807-2 and the as-built installation of pressure switch 1-PS-47-76. The drawing showed the pressure switch root valve as 1-ISIV-47-76X, while the instrument tag in the field showed it as 1-ISIV-47-76Z. The SIT discussed these discrepancies with the licensee and confirmed that they would be entered into the corrective action program.

The SIT members performed an inspection of the turbine front standard and verified that the discrepancy between the design drawing and the as-built plant configuration was limited to that involving the instrument root valve for pressure switch 1-PS-47-76.

The inspectors reviewed PER No. 03-009172-000, dated June 18, 2003, and determined that auto-stop oil pressure switches 1-PS-47-73 and 1-PS-47-74 were found out of Technical Specification allowable tolerance during performance of surveillance instruction 0-SI-IFT-099-093.1 on June 12, 2003. The apparent cause documented on the PER for the out of tolerance condition was that the pressure switches, which are United Electric pressure switch model J402, continue to be a concern at Sequoyah and have been since 1987. The extent of condition for this plant problem was documented on the PER as being applicable to both Units 1 and 2. The inspectors reviewed several PERs that had been prepared to document similar problems with Unit 2 auto-stop oil pressure switches. Based on this review, the inspectors concluded that the performance history of the United Electric pressure switch model J402 has demonstrated a consistent pattern of out of tolerance behavior. The licensee's corrective actions include an effort to employ successful calibration practices used at Watts Bar for calibration of these pressure instruments, to assess the results, and consider incorporating these practices into the Sequoyah calibration program.

The SIT members concluded that the model J402 pressure switches were operable during the event and the drift problems experienced were probably related to the calibration practices used at Sequoyah. The calibration of these instruments was not linked to or was not a factor in the event.

.5 Effectiveness of the Event Review Team

a. Inspection Scope

The inspectors attended licensee event review team meetings, observed turbine and RPS troubleshooting, reviewed the draft and final trip report, attended the restart PORC meeting, and interviewed event review team personnel to assess the event investigation and evaluate the effectiveness of the team.

b. Findings

The licensee's event investigation found that an erroneously closed instrument isolation valve in the turbine front standard caused the trip. Closing this valve resulted in a failure of the thrust bearing wear portion of the turbine control logic to sense auto-stop oil pressure, which signaled the logic that the turbine was tripped, and thus, when the thrust bearing wear test was performed the generator output breakers opened. The inspectors independently reviewed the information from the licensee's event investigation and concluded that the closed pressure switch isolation valve fully explained the cause and the sequence of events.

The licensee's investigation further determined two possible causes for the instrument valve closure. One included an inappropriate verification process following calibration of the affected auto-stop oil pressure switch. Due to on-going maintenance of the turbine at the time, only one individual verified that the instrument valve was open when procedures called for three people to be involved. The second potential cause involved inappropriate configuration control while troubleshooting problems with turbine latching during the last unit startup on June 8, 2003. This troubleshooting was done without a controlling document. The inspectors concluded that the licensee's root cause determination process was sufficiently thorough to determine the cause. The licensee plans to issue a Licensee Event Report (LER) that will include further evaluation of the cause(s) of this event. The inspectors will further review the licensee cause evaluation when that report is issued.

The licensee's extent of condition review focused on areas of the plant where instrument valves could have been positioned incorrectly but not yet identified. The licensee limited this review to instrument valves because work performed on other types of valves or equipment was either controlled under red tag clearances or problems would be self-revealing. The review thus focused on the turbine instruments, main feedwater pump instruments, and motor driven auxiliary feedwater pump suction pressure switches. The inspectors determined that the review of instrument valves was sufficiently thorough to detect other cases where valves could be inappropriately closed yet undetected.

The licensee's event review team also determined that there were two prior opportunities to prevent the event. PER 02-006955-000 was written in June of 2002 identifying this single failure in the thrust bearing wear detector logic as a trip potential. The PER acknowledged that a similar situation was previously corrected at the Watts Bar Nuclear Plant and recommended implementing the same corrective action at Sequoyah, but the PER was closed with the action deferred. A second opportunity occurred in June of 2003 when the thrust bearing wear detector was last tested. In that test, the problem existed and the logic tripped, but because the generator breakers were already opened, there was no event. In that test, however, a computer point fed from the relay that trips the generator breakers did indicate that the trip occurred.

Once the cause was determined to be a mispositioned isolation valve, the licensee verified the affected switch was properly calibrated, checked the position of all other valves on the front standard, and ran surveillance tests on the RPS signals from the turbine. The inspectors determined these recovery actions to be sufficient to ensure that the RPS would trip the reactor if a turbine trip were to occur.

The inspectors concluded that the licensee's investigation of this event was thorough and comprehensive. The inspectors independently reviewed the information from the event investigation and concluded that the identification of the closed auto-stop oil pressure switch isolation valve fully explained the cause and the resulting sequence of events.

4OA6 Management Meetings

Exit Meeting Summary

The inspectors presented the inspection results to Mr. R. Purcell and other members of licensee management at the conclusion of the inspection on September 4, 2003. The inspectors confirmed with the licensee that material examined during the inspection was not proprietary.

PARTIAL LIST OF PERSONS CONTACTED

Licensee

  • Richard T. Purcell, Site Vice President
  • Hank Butterworth, Improvement Initiatives Manager
  • Jerry Beasley, Site Quality Manager
  • Pedro Salas, Licensing and Industry Affairs Manager
  • Dave Kulisek, Plant Manager
  • Don Clift, (Acting) Maintenance and Modifications Manager
  • Marie Gillman, Operations Manager
  • Paul Simmons, Operations Superintendent
  • Roy Goodman, Training Manager
  • Charles Kent, Rad Con/Chemistry Manager
  • David Stonestreet, (Acting) Senior Outage Manager
  • Dennis Koehl, Engineering and Site Support Manager
  • Charlie Davis, Manager of Projects
  • Randy Ford, Emergency Preparedness Manager
  • John Hamilton, Site Support Manager
  • Dennis Lundy, Site Engineering Manager
  • Rick Rogers, Design Engineering Manager
  • Mark Burzynski, Corp. Licensing and Industry Affairs Manager
  • Kay Whittenburg, Corp. Communications
  • Ed Vigluicci, Office of General Council TVA
  • Gary Sanders, Unit Supervisor Operations
  • Mark Whitt, Unit Supervisor Operations
  • David Moore, Shift Manager Operations
  • Mike Peterson, SQN Technical Training Manager
  • Ed Hughes, Reactor Operator
  • Dave Pond, Corp. Emergency Preparedness
  • Rusty Proffitt, Licensing Engineer
  • Jim Cannon, TEMA
  • Wayne Stundtz, Hamilton County Emergency Management

NRC

  • Victor McCree, Director Division of Reactor Projects
  • Ross Telson, NRC Resident Inspector
  • Jay Hopkins, NRC Technical Training Center
  • Roger Hannah, NRC Media Relations

ITEMS OPENED, CLOSED AND DISCUSSED

Opened and Closed During this Inspection

None

Attachment 1

LIST OF DOCUMENTS REVIEWED

Condition Reports/ Action Requests

Work Orders

  • W.O. 03-002251-000, Remove, inspect, replace parts as necessary, and test the main turbine protective devices trip block, dated 03/22/03
  • W.O. 03-011945-000, Calibration check on auto-stop oil pressure switch, dated 08/28/03

Design Basis Documents

  • SQN-DC-V-27.9, Design Criteria Document: Reactor Protection System, Rev. 14
  • FSAR, Chapter 7.2, Reactor Trip System
  • FSAR, Chapter 10.2, Turbine Generator
  • FSAR, Chapter 8.0, Electrical Power System

Procedures

  • 0-PI-OPS-047-760.0, Main Turbine Overspeed and Oil System Tests, Rev. 29
  • 0-TI-QXX-000-001.0, Event Critique, Post Trip Report, and Equipment Root Cause, Rev. 5
  • 0-SI-IFT-099-093.1, Functional Tests of Turbine Auto-stop Oil Dump and Throttle Valves Reactor Trips, Rev. 8
  • 1-PS-47-76, Loop Calibration Configuration Change Log, Rev. 2

Calibration Tests

  • 1-PS-47-76, Loop Calibration Configuration Change Log, Rev. 2, dated 3/31/03

Problem Event Reports

  • PER 03-009172-000, 1-PS-47-73 & 74 Auto-stop Oil Pressure Low Switches found out of Tech Spec tolerances, dated 06/18/03
  • PER 03-012042-000, Isolation valve for 1-PS-47-76 found closed, dated 08/30/03
  • PER 02-006955-000, Single Point Failure During 0-PI-OPS-047-760.0, dated 06/29/02
  • PER 02-005548-000, 2-PS-47-74 Auto-stop Oil Trip out of Tech Spec limits, dated 05/17/02
  • PER 03-004406-000, 2-PS-47-74 & 75 Auto-stop Oil Trip out of Tech Spec limits, dated 04/13/03
  • PER 02-015526-000, 2-PS-47-73 Auto-stop Oil Trip out of Tech Spec limits, dated 12/27/02
  • PER 03-009172-000, 1-PS-47-73 & 74 Auto-stop Oil Trip out of Tech Spec limits, dated 06/18/03
  • PER 03-011940-000, Post Trip Report U1 Generator Trip, dated 08/28/03
  • PER 03-011940-000, Unit 1 Generator Trip While Performing Turbine Overspeed Tests
  • PER 02-006955-000, Undetectable Single Point Failure Exists During Turbine Thrust Bearing Oil Trip Test

Surveillance Tests

  • 0-PI-OPS-047-760.0, Main Turbine Overspeed and Oil System Tests, dated 06/17
  • 0-SI-IFT-099-093.1, Functional Tests of Turbine Auto-stop Oil Dump and Throttle Valves Reactor Trips - Unit 2, Rev. 8, dated 03/11/03
  • 0-SI-IFT-099-093.1, Functional Tests of Turbine Auto-stop Oil Dump and Throttle Valves Reactor Trips - Unit 2, Rev. 8, dated 07/13/02
  • 0-SI-IFT-IFT-099-093.1, Functional Tests of Turbine Auto-stop Oil Dump and Throttle Valves Reactor Trips - Unit 2, Rev. 8, dated 05/17/02
  • 0-SI-IFT-099-093.1, Functional Tests of Turbine Auto-stop Oil Dump and Throttle Valves Reactor Trips - Unit 2, Rev. 8, dated 04/13/03
  • 0-SI-IFT-099-093.1, Functional Tests of Turbine Auto-stop Oil Dump and Throttle Valves Reactor Trips - Unit 2, Rev. 8, dated 12/27/02
  • 0-SI-IFT-099-093.1, Functional Tests of Turbine Auto-stop Oil Dump and Throttle Valves Reactor Trips - Unit 1, Rev. 8, dated 06/15/03

Vendor Manuals

  • SQN-VTD-W120-6560, Protective Devices (Turbine) - Low Vacuum, Low Bearing Oil Pressure, Thrust Bearing & Solenoid Operated Trips, Rev. 1

Drawings

  • CCD 1,2-47W807-2, Mechanical Flow Diagram, EHC & Lube Oil Systems, Rev. 10
  • CCD 1,2-47W610-47-1, Mechanical Control Diagram, Turbogen Cont System, Rev. 16
  • CCD 1,2-47W610-47-2, Mechanical Control Diagram, Turbogen Cont System, Rev. 21
  • CCD 1,2-47W611-99-1, Mechanical Logic Diagram, Reactor Protection System, Rev. 8
  • CCD 1,2-47W611-99-2, Mechanical Logic Diagram, Reactor Protection System, Rev. 11
  • CCD 1,2-47W611-99-3, Mechanical Logic Diagram, Reactor Protection System, Rev. 11
  • CCD 1,2-47W611-99-4, Mechanical Logic Diagram, Reactor Protection System, Rev. 19
  • CCD 1,2-47W611-99-5, Mechanical Logic Diagram, Reactor Protection System, Rev. 8
  • CCD 1,2-47W611-99-6, Mechanical Logic Diagram, Reactor Protection System, Rev. 2
  • CCD 1,2-45N647-2, Wiring Diagrams, Turbo-Gen Auxiliaries Schematic Diagrams, sh. 2, Rev.
  • CCD 1-45W550, Wiring Diagrams, 250 VDC Main Control Schematic Generator & XFMR Relays, Rev. 13
  • CCD 1-45N1504, Wiring Diagrams, Main Single Line, 500 kV Switchyard, sh. 1, Rev. 25
  • CCD 1,2-45N1560, Wiring Diagrams, 250 VDC Main Control Schematic Generator1 PCB 5038, Rev. 5
  • CCD 1,2-45N1561, Wiring Diagrams, 250 VDC Main Control Schematic 500 kV Bus1-1 PCB 5034, Rev. 11
  • CCD 1,2-15E500-1, Key Diagrams, Station Aux Power System, Rev. 22
  • CCD 1,2-15E500-2, Key Diagrams, Station Aux Power System, Rev. 9
  • CCD 1,2-45N647-1, Wiring Diagrams, Turbo-Gen Auxiliaries Schematic Diagrams, sh. 1, Rev.
  • CCD 1, 2 - 47W807-2, Mechanical Flow Diagram EHC & Lube Oil Systems, Revision 45
  • CCD 1, 2 - 45N647-2, Turbo-Gen Auxiliaries Schematic Diagrams Sheet 2, Revision 27
  • CCD 1-45W550, 250V DC Main Control Schematic, Generator & XFMR Relays, Revision 15

August 29, 2003

MEMORANDUM TO: Brian R. Bonser, Team Leader, Augmented Inspection Team

FROM: Luis A. Reyes /RA/
Regional Administrator

SUBJECT: AUGMENTED INSPECTION TEAM CHARTER

An Augmented Inspection Team (AIT) has been established to inspect and assess the turbine trip without automatic reactor trip event of August 28, 2003, at Sequoyah Unit 1. The team composition is as follows:

Team Leader: B. Bonser

Team Members: L. Miller, S. Freeman, S. Walker, C. Smith

The objectives of the inspection are to: (1) determine the facts surrounding the specific event; (2) assess licensee response to the event; (3) oversee licensee activity during their event review; (4) identify any generic issues associated with the event; and (5) interface with other on-site entities as needed.

For the period during which you are leading this inspection and documenting the results, you will report directly to me. The guidance in Inspection Procedure 93800, Augmented Inspection Team, and Management Directive 8.3, NRC Incident Investigation Procedures, applies to your inspection. If you have any questions regarding the objectives or the attached charter, contact me.

Attachment: AIT Charter

cc w/att:

  • W. Travers, EDO
  • W. Borchardt, NRR
  • L. Marsh, NRR
  • E. Hackett, NRR
  • S. Rosenberg, EDO

Attachment 2

AUGMENTED INSPECTION TEAM (AIT) CHARTER

SEQUOYAH UNIT 1 TURBINE TRIP WITHOUT AUTOMATIC REACTOR TRIP

Basis for the Formation of the AIT - On August 28, 2003, Sequoyah Unit 1 experienced a turbine trip with the unit at 100 percent power. The expected automatic reactor trip did not occur. This event meets the criteria of Management Directive 8.3, in that the lack of the automatic reactor trip represented a loss of safety function used to mitigate an actual event.

The initial risk assessment indicates that the conditional core damage probability was approximately 7E-4 and that an AIT is the appropriate NRC response.

Objectives of the AIT - The objectives of the inspection are to: (1) determine the facts surrounding the specific event; (2) assess licensee response to the event; (3) oversee licensee activity during their event review; (4) identify any generic issues associated with the event; and (5) interface with any other on-site entities. To accomplish these objectives, the following will be performed:

  • Develop a sequence of events associated with the event of concern.
  • Assess the performance of plant systems during the event.
  • Assess the performance of plant personnel before, during, and after the event.
  • Assess the licensee's activities related to the event investigation (e.g., initial or preliminary root cause analysis, extent of condition, precursor event review, etc.) and evaluate the effectiveness of any related event review team.
  • Assess the licensee's activities related to event recovery (e.g., actions to restore system operability).
  • Document the inspection findings and conclusions in an inspection report within 30 days of the inspection.
  • Conduct a public exit meeting.

Attachment