Information Notice 1996-56, Problems Associated with Testing, Tuning, or Resetting of Digital Control Systems While at Power

ML031050587
Person / Time
Site: Beaver Valley, Millstone, Hatch, Monticello, Calvert Cliffs, Dresden, Davis Besse, Peach Bottom, Browns Ferry, Salem, Oconee, Mcguire, Nine Mile Point, Palisades, Palo Verde, Perry, Indian Point, Fermi, Kewaunee, Catawba, Harris, Wolf Creek, Saint Lucie, Point Beach, Oyster Creek, Watts Bar, Hope Creek, Grand Gulf, Cooper, Sequoyah, Byron, Pilgrim, Arkansas Nuclear, Three Mile Island, Braidwood, Susquehanna, Summer, Prairie Island, Columbia, Seabrook, Brunswick, Surry, Limerick, North Anna, Turkey Point, River Bend, Vermont Yankee, Crystal River, Haddam Neck, Ginna, Diablo Canyon, Callaway, Vogtle, Waterford, Duane Arnold, Farley, Robinson, Clinton, South Texas, San Onofre, Cook, Comanche Peak, Yankee Rowe, Maine Yankee, Quad Cities, Humboldt Bay, La Crosse, Big Rock Point, Rancho Seco, Zion, Midland, Bellefonte, Fort Calhoun, FitzPatrick, McGuire, LaSalle, Fort Saint Vrain, Shoreham, Satsop, Trojan, Atlantic Nuclear Power Plant
Issue date: 10/22/1996
From: Martin T
Office of Nuclear Reactor Regulation
To:
References
IN-96-056, NUDOCS 9610160361

UNITED STATES

NUCLEAR REGULATORY COMMISSION

OFFICE OF NUCLEAR REACTOR REGULATION

WASHINGTON, D.C. 20555-0001

October 22, 1996

NRC INFORMATION NOTICE 96-56: PROBLEMS ASSOCIATED WITH TESTING, TUNING, OR RESETTING OF DIGITAL CONTROL SYSTEMS WHILE AT POWER

Addressees

All holders of operating licenses or construction permits for nuclear power reactors.

Purpose

The U.S. Nuclear Regulatory Commission (NRC) is issuing this information notice to alert addressees to recent reactor transient events, reactor trips, and engineered safety feature actuations caused by testing, tuning, or resetting of digital control systems while at power. It is expected that recipients will review the information for applicability to their facilities and consider actions, as appropriate, to avoid similar problems. However, suggestions contained in this information notice are not NRC requirements; therefore, no specific action or written response is required.

Description of Circumstances

Washington Nuclear Project 2 (WNP-2)

On July 20, 1996, the WNP-2 facility experienced a rapid change in power of 15 percent in a 40-second timeframe. Specifically, power dropped from 68 to 53 percent and returned to 68 percent. The licensee determined that the power transient resulted from testing of the recently installed digital adjustable speed drive modification to the reactor recirculation pumps. The adjustable speed drive provides the capability to change the speed of the reactor recirculation pump motors and eliminates the need for recirculation flow control valves.

Before the event, the licensee was preparing to increase reactor recirculation flow from 51 to 53 percent. As part of the preparation, a nonlicensed General Electric (GE) test engineer typed computer instructions that would return the reactor recirculation flow to 51 percent if electrical harmonics were experienced in the adjustable speed drive system during the reactor recirculation flow increase. Once these instructions were typed, a licensed reactor operator would verify the entry and only had to strike the "ENTER" key on the computer keyboard to execute the instruction. It was intended that the licensed operator would only hit the ENTER key and execute the instruction if the system started to experience electrical harmonics as reactor recirculation flow was increased. If there were no electrical harmonics, the instruction would not be executed. In this instance, the GE engineer typed an incorrect value (transposed numbers) and then mistakenly executed the instruction by striking the ENTER key. These actions caused reactor recirculation flow and reactor power to drop. Immediately after entering the data, the GE engineer recognized the error and corrected the instruction, thereby increasing reactor power. This event is discussed in NRC Inspection Report 50-397/96-16 dated September 12, 1996 (Accession No. 9609190275).
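
The kind of control this event points to, as an added example that is not part of the NRC notice or of any vendor's software: a pre-staged command is armed only after a second person re-keys the value and it passes range and step limits. The point name, the limits, the mistyped value 15 and the explicit trigger flag are assumptions constructed for illustration.

```python
from dataclasses import dataclass


class CommandRejected(Exception):
    """A staged command failed a pre-execution check."""


@dataclass(frozen=True)
class StagedCommand:
    point: str         # hypothetical point name, not taken from the notice
    target_pct: float  # value typed by the preparer
    prepared_by: str


@dataclass(frozen=True)
class ArmedCommand:
    command: StagedCommand
    verified_by: str


def arm(cmd, *, verifier, rekeyed_pct, current_pct, lo_pct, hi_pct, max_step_pct):
    """Arm a staged command only after independent checks pass.

    The verifier re-keys the intended value without copying the preparer's
    entry, so a transposition shows up as a mismatch instead of being read
    past on screen. Range and step limits are a second, automatic barrier.
    """
    if verifier == cmd.prepared_by:
        raise CommandRejected("verifier must not be the preparer")
    if rekeyed_pct != cmd.target_pct:
        raise CommandRejected(
            f"staged {cmd.target_pct:g} does not match re-keyed {rekeyed_pct:g}")
    if not lo_pct <= cmd.target_pct <= hi_pct:
        raise CommandRejected(
            f"{cmd.target_pct:g} is outside the band {lo_pct:g}..{hi_pct:g}")
    step = abs(cmd.target_pct - current_pct)
    if step > max_step_pct:
        raise CommandRejected(f"step of {step:g} exceeds limit {max_step_pct:g}")
    return ArmedCommand(cmd, verifier)


def execute(armed, *, trigger_present, write):
    """Issue the write only while the condition the command was staged for exists."""
    if not trigger_present:
        raise CommandRejected("trigger condition absent; nothing written")
    write(armed.command.point, armed.command.target_pct)
    return armed.command.target_pct


# Constructed limits for the demo: flow is being raised from 51 to 53 percent,
# and the fallback is a return to 51 percent.
LIMITS = dict(current_pct=53.0, lo_pct=45.0, hi_pct=60.0, max_step_pct=5.0)

if __name__ == "__main__":
    typo = StagedCommand("RECIRC_FLOW_DEMAND", 15.0, "test_engineer")  # constructed
    try:
        arm(typo, verifier="reactor_operator", rekeyed_pct=51.0, **LIMITS)
    except CommandRejected as err:
        print("rejected:", err)
```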

Dresden Unit 2

On May 31, 1996, while at approximately 45-percent power, Dresden Unit 2 experienced a loss of reactor feedwater control and a subsequent decrease in reactor vessel water level while performing an on-line configuration change to the recently installed Bailey Network 90 digital feedwater control system. Operators initiated a manual reactor scram as a result of the decrease in the reactor vessel water level.

Before the event, the licensee was performing startup testing of the Bailey Network 90 feedwater control system modification. During the startup testing, the test team determined that a minor software logic change was required to correct a problem associated with automatic transition from the 2B feedwater regulating valve to the 2A valve. An original equipment manufacturer representative indicated that the proposed software logic change could be completed with the control system on-line. The manufacturer representative indicated that the system would check the logic before going into the control mode and, as a result, there would be no impact on plant operation. The test team reviewed and approved the on-line logic change; however, the approval process was not documented per station procedure.

The new software logic configuration was inserted on the backup control module. Automatic diagnostic checks indicated a successful load into the control module. Upon placing the backup control module in the execute mode, the 2B feedwater regulating valve began to close, resulting in a sudden drop in feedwater flow and reactor vessel water level.

During a subsequent design review of the Bailey Network 90 feedwater control system, a logic execution sequence error was found in the original logic design of the Bailey Network 90 firmware. This error caused the 2B feedwater regulating valve to close when the backup control module attempted to take over process control from the primary module. It was determined that the execution sequence error would have resulted in the same process control failure any time the backup control module attempted to take control from the primary control module with the control system in the automatic mode. This event is discussed in NRC Inspection Report 50-237/96-06 dated August 22, 1996 (Accession No. 9609030142).

Browns Ferry Unit 2

On May 10, 1996, Browns Ferry Unit 2 experienced an automatic reactor scram on low reactor water level from full power. The low water level resulted from an unexpected runback of two of the three reactor feedwater pumps, which occurred while software parameter changes were being made in the recently installed digital feedwater control system. Specifically, the flow biasing of the feedwater pumps was being adjusted and the control system speed demand limit was being increased while at power in an effort to fine tune the system and thereby enhance system performance. When the software parameter changes were made active (saved) in the control system, a reinitialization sequence occurred within the control software block, which drove the feed pump speed demand signal to zero for a few seconds. Plant personnel were unaware that entering these new software parameters would cause the feedwater control system to reinitialize.

The cause of the event was attributed to inadequate design of the control system software. The digital feedwater control system is a Foxboro I/A distributed control system. The system software contains 380 software blocks, that is, logic functions performed by the computer. A design weakness existed in the installed system in that making software parameter changes in certain software blocks would cause the control system to automatically reinitialize to zero output. During its investigation, the licensee confirmed that for 5 of the 380 software blocks, a parameter change would result in a control system reinitialization. This characteristic of the software design was not known to the plant personnel. As part of its corrective actions, the licensee modified the five affected software blocks to eliminate the reinitialization problem. This event is discussed in NRC Inspection Report 50-260/96-05 dated June 19, 1996 (Accession No. 9607030386).

Comanche Peak Unit 2

On May 5, 1996, while in Mode 3, Comanche Peak Unit 2 experienced an auto-start of the motor-driven auxiliary feedwater pumps while personnel were resetting the central processing units in the digital main feedwater pump turbine control system. Before the event, the vendor representative for the newly installed main feedwater pump control system requested access to reset the central processing units following completion of system testing. The shift manager cautioned the vendor and nonlicensed utility instrumentation and controls personnel that two of the three processors were required to be in service to avoid a trip of the main feedwater pumps.

The instrumentation and controls personnel and the vendor representative planned to reset the three central processing units one at a time to avoid initiating a trip of the main feedwater pumps. The first two processors were rebooted. However, during the reset of the third processor, an inadvertent trip signal was generated for both main feedwater pumps. This signal caused an auto-start of the motor-driven auxiliary feedwater pumps (an engineered safety feature actuation). All four motor-driven auxiliary feedwater flow control valves shifted to auto and opened. Both motor-driven auxiliary feedwater pumps were operating and supplying the required flow to the steam generators before the event.

The licensee concluded that the personnel performing the rebooting task did not adequately verify that the second processor was properly restored and functional before rebooting the third processor. The main feedwater pump trip signal was generated because the system sensed that two of the three central processing units were not functional.
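
An added illustration of the verification step the licensee found missing (not code from the notice or from the control system vendor): each processor is reset only while the other two are functional, and the next reset waits until the previous unit has stayed healthy for several polls. SimulatedTriplex, its boot times and the poll counts are constructed for the example.

```python
class ResetAborted(Exception):
    """Continuing would leave fewer than the required processors in service."""


class SimulatedTriplex:
    """Constructed stand-in for three redundant processors with 2-of-3 trip logic."""

    def __init__(self, boot_polls):
        self.boot_polls = boot_polls                # polls each unit needs to reboot
        self.pending = {u: 0 for u in boot_polls}   # 0 means functional
        self.tripped = False

    def is_healthy(self, unit):
        return self.pending[unit] == 0

    def poll(self):
        """One polling interval passes; rebooting units make progress."""
        for unit, left in self.pending.items():
            if left > 0:
                self.pending[unit] = left - 1

    def reset(self, unit):
        self.pending[unit] = self.boot_polls[unit]
        if sum(self.is_healthy(u) for u in self.pending) < 2:
            self.tripped = True                     # two of three not functional


def rolling_reset(system, units, *, required=2, settle_polls=3, timeout_polls=20):
    """Reset units one at a time without dropping below `required` in service."""
    completed = []
    for unit in units:
        in_service = [u for u in units if u != unit and system.is_healthy(u)]
        if len(in_service) < required:
            raise ResetAborted(f"only {in_service} in service; not resetting {unit}")
        system.reset(unit)
        streak = 0
        for _ in range(timeout_polls):
            system.poll()
            # Require consecutive healthy polls, not a single good reading.
            streak = streak + 1 if system.is_healthy(unit) else 0
            if streak >= settle_polls:
                break
        else:
            raise ResetAborted(f"{unit} not restored after {timeout_polls} polls")
        completed.append(unit)
    return completed


def unverified_reset(system, units):
    """The failure mode: each reset is issued without confirming the previous one."""
    for unit in units:
        system.reset(unit)
        system.poll()
    return system.tripped


if __name__ == "__main__":
    slow_b = {"A": 1, "B": 5, "C": 1}               # constructed boot times
    print("unverified trips:", unverified_reset(SimulatedTriplex(slow_b), list(slow_b)))
    guarded = SimulatedTriplex(slow_b)
    print("guarded order:", rolling_reset(guarded, list(slow_b)), "tripped:", guarded.tripped)
```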

Discussion

In recent years, many licensees have chosen to replace outdated analog control systems with digital upgrades. Digital system retrofits are intended to improve system performance, reliability, flexibility, and operator interface characteristics. These systems also offer the capability to change software parameters, setpoints, or logic configurations or to reset processors while at power. However, as illustrated in the events previously described, resetting processors in digital control systems or performing on-line software manipulations as part of digital control system tuning or testing can result in unforeseen transients, reactor trips, and engineered safety feature actuations.

The events described herein highlight the importance of evaluating proposed changes and developing and implementing controls for performing any type of on-line manipulation of digital control systems to avoid reactor transients and plant trips. When it is deemed necessary to reset a processor or to perform on-line software changes, it is important to maintain control of these activities in order to minimize potential errors, and to be aware of the potential effect on plant operation if errors occur while performing such activities.

This information notice requires no specific action or written response. If you have any questions about the information in this notice, please contact one of the technical contacts listed below or the appropriate Office of Nuclear Reactor Regulation (NRR) project manager.

Thomas T. Martin, Director

Division of Reactor Program Management

Office of Nuclear Reactor Regulation

Technical contacts:

Charles Petrone, NRR, (301) 415-1027, Email: cdp@nrc.gov

Jerry L. Mauck, NRR, (301) 415-3248, Email: jlm2@nrc.gov

John K. Ganiere, NRR, (301) 415-2921, Email: jkg@nrc.gov

Attachment: List of Recently Issued NRC Information Notices


Attachment

LIST OF RECENTLY ISSUED NRC INFORMATION NOTICES

Information Notice No. | Subject | Date of Issuance | Issued to

96-55 | Inadequate Net Positive Suction Head of Emergency Core Cooling and Containment Heat Removal Pumps Under Design Basis Accident Conditions | 10/22/96 | All holders of OLs or CPs for nuclear power reactors

96-54 | Vulnerability of Stainless Steel to Corrosion When Sensitized | 10/17/96 | All materials licensees

96-53 | Retrofit to Amersham 660 Posilock Radiography Camera to Correct Inconsistency in 10 CFR Part 34 Compatibility | 10/15/96 | All industrial radiography licensees

95-04, Supp. 1 | Excessive Cooldown and Depressurization of the Reactor Coolant System Following Loss of Offsite Power | 10/11/96 | All holders of OLs or CPs and vendors for nuclear power reactors

96-40, Supp. 1 | Deficiencies in Material Dedication and Procurement Practices and in Audits of Vendors | 10/07/96 | All holders of OLs or CPs for nuclear power reactors

96-52 | Cracked Insertion Rods on Troxler Model 3400 Series Portable Moisture Density Gauges | 09/26/96 | All U.S. Nuclear Regulatory Commission portable gauge licensees and vendors

OL = Operating License

CP = Construction Permit


original signed by D.B. Matthews

Thomas T. Martin, Director

Division of Reactor Program Management

Office of Nuclear Reactor Regulation


Tech Editor reviewed and concurred on 8/21/96
