05000321/LER-2009-003

From kanterella
(Redirected from ML091700630)
Jump to navigation Jump to search
LER-2009-003,
Edwin I. Hatch Nuclear Plant Unit 1
Event date:
Report date:
Reporting criterion: 10 CFR 50.73(a)(2)(iv)(A), System Actuation
3212009003R00 - NRC Website

PLANT AND SYSTEM IDENTIFICATION

General Electric - Boiling Water Reactor Energy Industry Identification System codes appear in the text as (EIIS Code XX).

DESCRIPTION OF EVENT

On January 10, 2009 quarterly turbine control valve (TCV) (EIIS Code TA) fast closure surveillance on IN30F012 was being performed. During that surveillance a "Servo suicide alarm" was received on control valve #4 (TCV4). Maintenance personnel investigated and determined that when "Test" was selected on the turbine Mark VI human-machine interface (HMI) (EIIS Code TG) during the fast closure surveillance, the valves fast acting solenoid was observed fired, resulting in TCV4 valve position feedback that exceeded the suicide set point in the closed direction. The valve over traveled to negative 9.5 percent travel which exceeds its negative 3.5 percent Min Pos value +/-5 percent suicide set-point values. This resulted in initiating a servo suicide alarm and the valve loosing functionality. Since the reactor was at less than 72 percent power, the alarm was cleared by the use of the master reset of the Mark VI system and TCV4 returned to service for repair offline.

On May 5, 2009 during a planned outage, site maintenance attempted to calibrate 1N30F012 TCV4 per site procedures. When TCV4 valve was stroked no problems were observed. TCV4 has a triple redundant Linear Voltage Differential Transmitter (LVDT), whose function is to provide valve position feedback to the Mark VI S 1 core processors. The valves LVDT position values recorded during calibration was documented as changed slightly. After calibration, maintenance procedures required the Mark VI controllers to be updated with any new values from the surveillance. While attempting to update the data to Mark VI Steam Generation (S1) core processors, an error message was received. An attempt was made to validate, build, and download to the S 1 Cores processors simultaneously and individually with no success. A time out was called to develop a corrective action plan.

The main turbine Electro-Hydraulic Control (EHC) (EIIS Code TG) system employs a General Electric (G.E.) Type Mark VI controller. The Mark VI system is a dual triple modular redundant system, one controller for the turbine steam generation (S I) controls while another for reactor pressure controls (P1) whose function is to maintain a constant reactor pressure. The system is a triple modular system because the Si and P1 each contain three redundant processors. R core, S core, & T core processors make up the S 1 controller. The S core processor was initiating the error message during the download. Because of the error message "Innovation Series Controller error" this prevented the validation, build, and download of the appropriate updated values to each core processor. The error message was discussed with the G.E. field engineer representative and it was decided that the S 1 core needed a complete reboot to remove the error. Work instructions were generated that turned off all power to the S1 cores and protective cores redundant processors in sequence. The processors were rebooted in the reverse sequence. Before the plan was implemented, site and G.E. personnel reviewed the developed work instructions, all available Mark VI control logic was reviewed, the task was performed successfully on the Mark VI suitcase simulator, and Mark VI diagnostic alarms were reviewed.

On 5/08/2009 at 15:15, while Hatch Unit 1 was in Hot Shutdown, a Group 1 primary containment � isolation signal was received. The direct cause of the isolation is due to simultaneously removing power to the Si cores and reboot. When all Si & Protective core processors were powered down simultaneously, controls were lost to the turbine control valve, stop valves, and intercept valves. After a reboot of the Mark VI Si Cores, the Mark VI system logic returned to the logics "shelf state". The shelf state for many of the logic circuit seal-ins, commands, and bypasses are zero "False". Therefore, if a logic seal in was "true" before the reboot, it became "false" afterwards and would require manual actions to restore. This is what occurred in this event; when the turbine was tripped, there was a logic circuit turbine trip seal —in keeping the turbine from resetting. After the reboot, this logic seal-in unlatched and returned to its shelf state, which caused the main turbine trip to reset. From discussions with the G.E. vendor, when the turbine trip unlatched and a "No Closed Valve" Mark VI logic command became false (shelf state), this provided the permissive for the #2 TSV to cycle open. With both the main turbine reset and TSV open along with low condenser vacuum (EIIS Code SG) due to the reactor being in hot shutdown a permissive existed for a Group 1 isolation signal.

CAUSE OF EVENT

Inadequate information on the Mark VI logic concerning the fact that a turbine trip reset occurs when the S1 core processor is rebooted caused this event. Installation of a hard turbine trip seal-in that would not reset when the SI core processor is rebooted, would have prevented the Group 1 isolation.

This should have been incorporated into the repair plan before the power was removed from the SI cores processor. It was not incorporated due to lack of knowledge by the vendor and SNC personnel concerning response of the Mark VI controller when a reboot was performed.

REPORTABILITY ANALYSIS AND SAFETY ASSESSMENT

This event is reportable per 10 CFR 50.73(a)(2)(iv)(A) because unplanned actuations of safety feature systems listed in 10 CFR 50.73 occurred. In this instance, a Group 1 isolation occurred.

The Condenser Vacuum - Low Function is provided to prevent over pressurization of the main condenser in the event of a loss of the main condenser vacuum. Since the integrity of the condenser is an assumption in offsite dose calculations, the Condenser Vacuum - Low Function is assumed to be operable and capable of initiating closure of the MSIVs (EIIS Code SB). The closure of the MSIVs is initiated to prevent the addition of steam that would lead to additional condenser pressurization and possible rupture of the diaphragm installed to protect the turbine exhaust hood, thereby preventing a potential radiation leakage path following an accident. Condenser vacuum pressure signals are derived from four pressure switches that sense the pressure in the condenser. Four channels of Condenser Vacuum - Low Function are available and are required to be operable to ensure that no single instrument failure can preclude the isolation function. The Allowable Value is chosen to prevent damage to the condenser due to pressurization, thereby ensuring its integrity for offsite dose analysis. As noted in the technical specifications, the channels are not required to be operable in Modes 2 and 3 when all turbine stop valves (TSVs) are closed, since the potential for condenser over pressurization is minimized. Switches are provided to manually bypass the channels when all TSVs are closed. This Function isolates the Group 1 valves.

the bypass of the low condenser vacuum isolation signal was removed when the main turbine stop valves opened following reset of the turbine. The turbine logic system was reset by the resting of the Mark VI turbine control system. With the logic bypass removed, a Group 1 isolation signal was generated per design and the open Group 1 primary containment isolation valves closed as PRINTED ON RECYCLED PAPERNRC FORM 366A (9-2007)� Based on this analysis, it is concluded that this event had no adverse impact on nuclear safety. This analysis applies to all operating conditions.

CORRECTIVE ACTIONS

A new procedure will be developed that addresses actions to be taken and potential consequences when a reboot of the S1 processor is to be performed. This will be tracked in the Corrective Action Program.

ADDITIONAL INFORMATION

Other Systems Affected: None Failed Components Information: None Commitment Information: This report does not create any new permanent licensing commitments.

Previous Similar Events:

There are no similar events within the past two years in which a group one isolation was received as a result of mark VI Turbine Control System work.

PRINTED ON RECYCLED PAPERNRC FORM 366A (9-2007)