05000259/LER-2018-002-01, Automatic Reactor Scram Due to an Unanticipated Electro-Hydraulic Control Logic Condition

ML19087A244
Person / Time
Site: Browns Ferry, Tennessee Valley Authority
Issue date: 03/28/2018
From: Hughes D
Tennessee Valley Authority
To:
Document Control Desk, Office of Nuclear Reactor Regulation
References
LER 2018-002-01


LER-2018-002, Automatic Reactor Scram Due to an Unanticipated Electro-Hydraulic Control Logic Condition
Event date:
Report date:
Reporting criterion: 10 CFR 50.73(a)(2)(iv)(A), System Actuation

Tennessee Valley Authority, Post Office Box 2000, Decatur, Alabama 35609-2000

March 28, 2019

ATTN: Document Control Desk
U.S. Nuclear Regulatory Commission
Washington, D.C. 20555-0001

Browns Ferry Nuclear Plant, Unit 1
Renewed Facility Operating License No. DPR-33
NRC Docket No. 50-259

Subject: Licensee Event Report 50-259/2018-002-01 10 CFR 50.73

Reference: Letter from TVA to NRC, "Licensee Event Report 50-259/2018-002-00," dated May 17, 2018

On May 17, 2018, the Tennessee Valley Authority submitted Revision 0 to Licensee Event Report (LER) 50-259/2018-002-00 (Reference) which provided the details of an automatic reactor scram due to an unanticipated electro-hydraulic control logic condition. The enclosed LER has been revised to document a revised causal analysis, which determined that the event was due to a failure to identify operational risks.

The Tennessee Valley Authority is submitting the enclosed Licensee Event Report in accordance with Title 10 of the Code of Federal Regulations (10 CFR) 50.73(a)(2)(iv)(A), as any event or condition that resulted in a manual or automatic actuation of the RPS and general containment isolation signals affecting containment isolation valves in more than one system or multiple Main Steam Isolation Valves.

There are no new regulatory commitments contained in this letter. Should you have any questions concerning this submittal, please contact J. L. Paul, Nuclear Site Licensing Manager, at (256) 729-2636.

D. L. Hughes
Site Vice President

Enclosure: Licensee Event Report 50-259/2018-002 Automatic Reactor Scram Due to an Unanticipated Electro-Hydraulic Control Logic Condition

cc (w/ Enclosure):

NRC Regional Administrator - Region II
NRC Senior Resident Inspector - Browns Ferry Nuclear Plant

NRC FORM 366 (04-2018) U.S. NUCLEAR REGULATORY COMMISSION APPROVED BY OMB: NO. 3150-0104 EXPIRES: 03/31/2020

Estimated, the NRC may not conduct or sponsor, and a person is not required to respond to, the information collection.

3. LER NUMBER: YEAR 2018 - SEQUENTIAL NUMBER 002 - REV NO. 01

A. Cause of each component or system failure or personnel error

No systems or components failed during this event.

Operations and Engineering Management failed to track and review the aggregate impact of off-normal conditions.

B. Cause(s) and circumstances for each human performance related root cause

There was inadequate procedural guidance to assess operational impact at the time equipment failures/faults occurred, and prior to entering the work management process. The procedural guidance only assessed risk in the work management process which was specific to performing the work. There was no provision to assess the operational impacts of failed equipment before scheduling and planning repair work.

IV. Analysis of the Event

The scram was caused by cycling the Generator 1 Relay 250V DC Supply Breaker (BFN-0-BKR-282-0024/709) during ground location activities while both U1 Nexus units were failed. Opening the breaker dropped out relay coils (15221 and 15222), which each have a normally-open contact that provides Generator Breaker status to the EHC system. Closing the breaker re-energized these relay coils and closed the contact inputs to EHC. Transitioning the Generator Breaker status contacts from Open to Closed triggered the Initial Load Pickup logic, which takes the TCV Flow Demand signal (LSS Bus) and adds 4.7% (to prevent generator motoring) through a limiter (0-20%) and applies it to the LSS Bus. The TCV Flow Demand is then quickly ramped to the new position. In this instance, the LSS Bus was ramped from approximately 91% (which is approximately 59% TCV position) to 20% (which is approximately 10% TCV position). When the TCVs ramped to 10%, the Bypass Valves all opened to 100%, but total steam flow was not adequate to prevent reactor pressure from rising, subsequently resulting in an APR High Flux reactor scram.

The logic design was determined to be robust, in that it did not trip until there was an initiator (power cycling the generator breaker position relays) and two failures (the redundant MW devices).

However, during review it was found that a loss of the only first stage shell pressure indicator would cause the same scram when cycling the breaker. The first stage shell pressure can be repaired/replaced while the unit is on-line.

On December 26, 2016, when one Nexus module failed, Operations challenged Engineering to identify the operational impact. The answer received was "The MVAR input is used for indication only. The MW input is used for indication only (except when using megawatt control which is normally only between speed control and pressure control during startup)". When the second Nexus module failed on January 22, 2018, Operations thought that the operational impact was minimal based on information previously provided. Identifying the operational impact of two failed Nexus modules would have triggered actions to mitigate risk in accordance with NPG-SPP-07.3, Work Activity Risk Management Process.

The scram could have been prevented by taking risk mitigation actions when two Nexus modules had failed. The operational impact for this event was thought to be "none" based upon the system engineer's review of only one failed Nexus module. There was no official established process which drives detailed engineering reviews for aggregate equipment failures. The system engineer did not review the start-up logic because there was no guidance on engineering review depth.

In discussions with the EHC digital logic subject matter expert (SME), it was determined that it was unreasonable to expect the engineer to identify the risk during an operational impact review. These logic block diagrams are typically hundreds of pages long, and the engineer would not know which specific code or logic block diagrams to review. After the event, the EHC digital logic SME recognized the inputs and realized that the EHC logic caused the scram. The TCVs moving to 20% is the specific limit for control valves when the Generator Breaker is initially closed during startup.

Since the SME was involved in EHC code revisions, he was able to locate the logic in the logic block diagrams once this information became available.

In hindsight, the risk assessments performed were inconsistent due to the depth of the aggregate operational impact review.
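The aggregate review this analysis says was missing can be sketched as a check of standing off-normal conditions plus a planned activity against the initiator/failure combinations named above. This is an added example, not TVA's checklist or EHC code; the condition labels and function names are hypothetical, and the two combinations and the 4.7% / 0-20% figures are the ones stated in this report.

```python
# Added example: aggregate operational-impact check. The combinations are the
# ones this report describes; the condition labels are hypothetical names,
# not plant tag identifiers.
BREAKER_CYCLE = "gen_breaker_status_relays_power_cycled"
SCRAM_COMBINATIONS = {
    "both redundant MW devices failed + breaker relay power cycle": frozenset(
        {"nexus_1_failed", "nexus_2_failed", BREAKER_CYCLE}),
    "only first stage shell pressure indicator lost + breaker relay power cycle": frozenset(
        {"first_stage_shell_pressure_lost", BREAKER_CYCLE}),
}


def aggregate_review(off_normal, planned_effects=()):
    """Score every known combination against ALL standing off-normal
    conditions plus the effects of a planned activity.
    Returns [(margin, name, missing_conditions)], smallest margin first;
    margin 0 means the activity would complete the combination."""
    present = set(off_normal) | set(planned_effects)
    rows = []
    for name, combo in SCRAM_COMBINATIONS.items():
        missing = sorted(combo - present)
        rows.append((len(missing), name, missing))
    return sorted(rows)


def initial_load_pickup(lss_bus_pct, bias_pct=4.7, low=0.0, high=20.0):
    """Demand applied when the breaker status contacts go Open -> Closed:
    LSS Bus plus 4.7%, passed through the 0-20% limiter."""
    return max(low, min(high, lss_bus_pct + bias_pct))


if __name__ == "__main__":
    standing = set()
    for event, condition in [
        ("2016-12-26 first Nexus module fails", "nexus_1_failed"),
        ("2018-01-22 second Nexus module fails", "nexus_2_failed"),
    ]:
        standing.add(condition)
        print(event, "->", aggregate_review(standing)[0])
    # Ground location work cycles the 250V DC supply breaker.
    print("planned breaker cycle ->",
          aggregate_review(standing, {BREAKER_CYCLE})[0])
    print("LSS Bus after pickup from 91%:", initial_load_pickup(91.0))
```

The margin drops from 2 to 1 when the second module fails, which is the point at which a review of each failure on its own still reports no impact.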

V. Assessment of Safety Consequences

This event automatically actuated safety systems and did not result in the inoperability or unavailability of any system to provide their required safety functions. All withdrawn control rods fully inserted into the core. Main Steam Isolation Valves (MSIVs) remained open with MSRVs operating during the initial transient as expected. The Main Turbine Bypass Valves controlled reactor pressure.

Reactor Feedwater pumps remained in service to control reactor water level. Primary Containment Isolation Signals Groups 2, 3, 6, and 8 containment isolation and initiation signals were received.

Upon receipt of these signals the affected components actuated as required. All safety systems operated as expected. Therefore, this condition was of low safety significance and had negligible impact on the health and safety of the public.

A. Availability of systems or components that could have performed the same function as the components and systems that failed during the event

No systems or components failed during this event.

B. For events that occurred when the reactor was shut down, availability of systems or components needed to shut down the reactor and maintain safe shutdown conditions, remove residual heat, control the release of radioactive material, or mitigate the consequences of an accident

This event did not occur when the reactor was shut down.

C. For failure that rendered a train of a safety system inoperable, an estimate of the elapsed time from the discovery of the failure until the train was returned to service

Safety system availability was not impacted by this event.

VI. Corrective Actions

This event was entered into the TVA Corrective Action Program and is being tracked under CR 1397341.

A. Immediate Corrective Actions

The immediate corrective actions included:

Both megawatt input transducers were replaced prior to Unit 1 restart from the scram.

Engineered Solutions, Inc. conducted an independent evaluation for what caused the Unit 1 scram.

A Nuclear Operating Experience Report (NOER) was issued for communication to other TVA sites. This NOER stressed the importance of evaluating the full impact of failed digital equipment, which must include software logic inputs.

B. Corrective Actions to Prevent Recurrence or to reduce probability of similar events occurring in the future

Operator responsibilities for performing operational impact reviews were clarified in procedures. This included developing a tool or checklist for operational impact reviews.

VII. Previous Similar Events at the Same Site

A review of the BFN CAP and Licensee Event Reports for Units 1, 2, and 3 found no instances of reactor scrams similar to this event within the past five years.

VIII. Additional Information

None.

IX. Commitments

None.