ML20106A936
| ML20106A936 | |
| Person / Time | |
|---|---|
| Site: | Fort Calhoun  |
| Issue date: | 09/30/1992 |
| From: | Hill S, Steinke W EG&G IDAHO, INC., IDAHO NATIONAL ENGINEERING & ENVIRONMENTAL LABORATORY |
| To: | NRC OFFICE FOR ANALYSIS & EVALUATION OF OPERATIONAL DATA (AEOD) |
| Shared Package | |
| ML20106A935 | List: |
| References | |
| NUDOCS 9209300153 | |
| Download: ML20106A936 (35) | |
Text
. _. _ . _ . _ . _ _ _ _ . _ _ . _ . - _ - - - . . . _ . - . _ _ _ _ . _ _ . _ . _ . -
l
. 1 I
N
-i TRIP REPORT:
ONSITE ANALYSIS OF Tile HUMAN FACTORS OF AN EVENT AT FORT CALHOUN ON JULY 3, 1992 ;
(LO3S OF INSTRUMENT INVERTER AND SUBSEQUENT LOSS OF COOLANT) i William Steinke 5usan 11111 Onsite Analysis Team:
John Kauffman William Steinke Published September 1992 Idaho National Engineering Laboratory EG&G Idaho, Inc.
P. O. Box 1625 Idaho-Falls, ID -83415 Prepared for the Office for Analysis and Evaluation of Operational- Data U.S. Nuclear. Regulatory Commission Washington, D.C. 20555 Under DOE Contract No. DE-AC07-761001570 9209300153 920925 PDR ADOCK 05000285 S PDR c-r -iyt#---T' - -my
---eW- -- - - - - - - - - - - - - - - E
I EXECUIlVE SutHARY On July 3,1992, . cort Calhoun was operating at 100 percent and had experienced (within the last 20 hours2.314815e-4 days <br />0.00556 hours <br />3.306878e-5 weeks <br />7.61e-6 months <br />) three occurrences of a nonsafety-related electrical inverter No. 2 switching from its normal lineup to a bypassed condition. Inverter No. 2 supplies 120 Vac power to various instrumentation and components in the plant. After the first two times the inverter changed operating mode, inspections by operations or maintenance personnel found no problems and the inverter was returned to service without incident. Maintenance personnel replaced two circuit boards after the third event and at 11:35 p.m. on July 3,1992, the operating crew transferred the inverter back to the normal position connecting it to the loads on the instrument bus. Immediately following the transfer, a control room operator observed indication of the affected bus voltage oscillating 20 to 40 volts and local -inverter voltage indication was observed oscillating between 0 and 120 Vac. The voltage oscillations caused an electrical supply breaker which provides power to electrical panel Al-50 to trip open on high current.
Control circuitry for the main turbine, supplied by panel Al-50, lost power causing the main turbine control valves to shut while the main turbine stop valves remained open. No alternate heat sink was available to the reactor coolant system at this point because an enabling signal was absent which would allow the steam bypass valves to the condenser to open. As reactor coolant system temperature and pressure increased, the main. steam l safety valves opened to provide a' heat removal path. When pressure in the reactor coolant system reached approximately 2400 psia, a reactor and turbine trip occurred, and the pressurizer power-operated relief valves opened. As pressure continued to rise, a pressurizer code safety valve opened to reduce reactor coolant system pressure.
l- Following the unit trip, reactor coolant pressure decreased to 1745 psia and began to recover as operators implemented procedure E0p-00, Standard Post Trip Actions. When pressure reached 1925 psia, quench tank alarms were received and the primary licensed operator reported rapidly decreasing pressure. In response to alarms for the quench tank and decreasing pressure indication, the block valves were shut isolating the power-operated relief valves. Pressure continued to decrease which initiated safety injection, iii
, _ ~ . - _ _ . _ . .
- - . - - - - . . - - - . . . - - - - . -_. .~ -. .. -
l 1
l l
-containment and ventilation isolation signals. Pressurizer code sofety valve - l RC-142 had opened and remained partially open. Later invertigation found that the. initial pressure increase, which had caused the safety valve ta actuate, also resulted in a lowering of the valve setpoint. Failure of the safety valve created an unisolable loss of coolant from-the pressurizer to the quench tank with the tank rupture disc blowing as designed when the tank filled allowing the reactor coolant to spill into the containment sump.
At the completion of the diagnostic section of procedure E0P-00, a transition was made to Procedure E0P-20, Functional Recovery, based on multiple problems of an inverter failure and unisolable loss of coolant. The event was classified as an Alert at 11:52 p.m. in accordance with procedure EPIP-0SC-1, Emergency Classification. Activation of the emergency response organization and no+.1fication of offsite agencies was initiated in accordance
- with procedure Er1P-OSC-2, Notifications. Several key personnel were already.
onsite due to involvement in the inverter maintenance activities and were immediately available to assist the shift supervisor in emergency plan activities.
Implementing emergency procedural steps of E0P-20, the operations crew secured reactor coolant pumps, verified natural circulation and initiated a plant cooldown and depressurization to shutdown cooling entry conditions.
Reactor coolant system leakage was' minimized during the cooldown by performing i emergency procedure floating (continuous action) steps for "stop and throttle" of safety injection flow.
The t. *gency classification was downgraded to a notification of unusual event at 6:30 a.m. on July 4,1992, with the reactor coolant system at 290 *F
, and 360 psia. Following the establishment of shutdown cooling, emergency procedure E0P-20 was exited and the operating crew entered normal shutdown procedures. The emergency plan was exited at 6:40 p.m. that evening with the plant on shutdown cooling at chout 120 *F and depressurized.
The factors that affected human performance during this event are summarized below:
r iv ,
i Procedures In general, the recently revised procedures seemed to work well for the operators. A new system of placekeeping (i.e., a separate step check-off list) and floating steps (i.e., steps with continuous applicability) assisted the operators in using the procedures. There were at leas + three examples of where procedures ticeded to be supplemented by operator knowledge. These examples illustrate that knowledge-based behavior can, and of ten is, u.ud io support procedures, but can not and should not be relied upon for factual information that needs to be incorporated in the procedures and in training.
Training All operators agreed that plant-specific simulator training had assisted in their ability to respond to this event. The operators were trained on loss of coolant accidents and loss of inverter scenarios. They were also trained specifically on implementing the Emergency Plan which aided them in carrying out the emergency response requirements.
Human-Machine Interface OlMI)
P Several HM1 issues were identified. In two cases, related displays and .
controls were located at some distance from each other. Windows on each annunciator panel to indicate " loss of power" for the other annunciator panel were available to confirm that power was lost. Computer displays normally Jsed for containment temperature and RCS subcooling parameters were malfunctioning. Although the information was available on control board panels or other, less frequently used, computer screens, the operators reported that not having the values available on the normally used screens was a hindrance to performance. This suggests that operators should be exposed to computer malfunctions as well as plant malfunctions during simulatnr training.
What to do and how to obtain needed information should be addressed in training for degraded computer operation.
Stress Stress did not seem to degrade human performance in this event.
v
- - .- - ~ - -.- - - . ..~. .- - - ..- - .- = . - - - - . . _ - . _ -
i Staffing Staffing was suff'cient to perform required actions, llaving a dedicated person to act as communicator for notifications left the shift supervisor free to oversee activities and confer with others, including the operations manager and the maintenance supervisor, during the recovery efforts. The shift technical advisor provided support to the shift supervisor, including 4
assistance with notifications, calculations, safety function monitoring, and l involvement in technical discussions and decisions. The shift technical
! advisor position was not a dual role, but a dedicated role for an engineer. l l
l I 4
Task Awareness ,
A major part of the success of the human performance associated with this r event was related to the degree of task awareness on the part of the operators. Awareness of plant conditions and status appeared to be heightened during the event, but the heightened awareness did not result in stress levels that degraded performance. On the contrary, the heightened awareness was exhibited in pro-active monitoring and action, thinking ahead as to what actions might be needed and to anticipate and preempt undesirable piant conditions. Several examples illustrate a high level of task awareness.
Command and Control / Teamwork Normal command and control existed. Communications and support from the emergency response organization functioned smoothly. All personnel involved seemed_to-function as a team. Such teamwork contributed to the successful response to-the event.
-Maintenance Activities Several latent factors associated with maintenance activities contributed to the failure of inverter No. 2, hence to the initiating event. There was no way to perform post maintenance testing without placing the inverter in service. Information was not available from the vendor regarding correct
)- circuit board configuration or the torque required for the setpoint locking ,
nut of the safety-relief valve.
vi
_ __ _ _ _ . _ . _ . - . . . _. . ._ _ . _ . . . . . . . -. . _ _.. _ _ . _ ._ ._ . . _m . ._
ACKNOWLEDGEMENTS We-express appreciation to the fort Calhoun staff for their cooperation for freely providing information necessary to analyze the human factors of the
- operating event. We particularly thank the facility Investigation Team for their cooperation for responding so promptly to our requests for information and for making arrangements for and scheduling the requested interviews.
Also, we thank the operators and technical staff who were on duty during the event for their cooperation during the interviews.
I d...
t Vii i
~. -
CONTENTS; EXECUTIVE
SUMMARY
. . . . . . . . . . . . . . . . . . . . . . . . . . . . iii ACKNOWLEDGEMENTS ............................ vii ACRONYMS ................................. xi 1 INTRODUCTION . . . . . . . . . . . . . . . . . . . . . . . . . . . . I 1.1 Purpose . . . . . . . . . . . . . . . . . . . . . . . . . , . . I 1.2 Scope . . . . . . . . . . . . . . . . . . . . . . . . , . . . . I 1.3 Onsite Analysis Team ..................... 1
'2 DESCRIPTION OF THE EVENT ANALYSIS . . . . . . . . . . . . . . . . . . 2.
2.1 Background .......................... 2 2.2 Time Line of-the Event .'. . . . . . . . . . . . . . . . . . . . 9 2.3 Analysis ........................... .
14 2.3.1 Procedures . . . . . . . . . . . . . . . . . . . . . . . 15 2.3.2 Training ........................ 17 2.3.3 Human-Machine Interface ................ 17 2.3.4 Stress ......................... 19 2.3.5 Staffing . . . . . . . . . . . . . . . . . . . . . . . . 19 2.3.6 Task Awareness ..................... 20 2.3.7 Command and Control / Teamwork . . . . . . . . . . . . . . 21 2.3.8 Maintenance Activities . . . . . . . . . . . . . . . . . 21 l 3
SUMMARY
,.........................,... 22 i
4 REFERENCES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24 ,
i FIGURES l
Figure 1 Fort Calhoun Control Room Staffing. . . . . ._ . . . . . . . . . 25 Figure 2 Emergency Procedure Placekeeper . . . . . . . . . . . . . . . . 26 p . Figure 3 Safety Function Floating Step Checklist . . . . . . . . . . , . _.
27-p u
l l -:
l l
L LL .ix l
i - - -
._ _ _ . _... _ . ~ . _ . . - . _ . _ _ _ . _ . . . _ _ .. . _ .- _
. L ACRONYMS AE00 Analysis and Evaluation of Operational Data (NRC's Office for)
AIT Augmented Inspection Team CCW component cooling water EAL emergency action level EliC electrohydraulic control E0P emergency operating procedure ;
ER0 Emergency Response Organization itMI human-machine interface .
HPSI high-pressure safety injection INEL Idahs Naticaal Engineering Laboratory LED light-emitting diode LOCA loss-of-coolant accident LSO licensed senior operator LTOP low-temperature-overpressure protection NOVE notification of unusual event NRC Nuclear Regulatory Commission NRR - Nuclear Reactor Regulation (NRC's Office for)
PLO primary licensed operator PORV p:wer-operated relief valve PPLS pressurizer pressure low signal PSIA -pounds per square inch absolute QSPDS qualified safety parameter display system RCP reactor _ coolant _ pump RCS reactor coolant system SIAS safety-injection actuation signal SLO secondary licensed operator 1 SS shift supervisor STA shift technical advisor TB0 turbine building operator TMI . Three Mile Island TSC technical support center Vac Volts alternating current 3
xi
. .~
4 1 INTRODUCTION l.1 Purpose On July 4,1992, the Nuclear Regulatory Commission (NRC) Region'IV formed -
an Augmented Inspection Team (AIT) for an event at Fort Calhoun Nuclear Power Station. The purpose was to investigate the loss of a nonsafety-related electrical inverter which led to a high pressure reactor trip followed by a partially failed open safety relief valve on July 3,1992. A similar event involving an inverter-induced high pressure reactor trip had occurred at this facility in July, 1986.
1.2 Scope The human factors analysis focused on the factors that influenced the performance of the maintenance staff leading up to this event, as well as the operations staff and technical support personnel throughout this event. The l analysis was based on data derived from plant logs and recordings; interviews j
with plant management, maintenance, operations, and training personnel; and l review of plant procedures and training lesson plans. Idaho Engineering Laboratory (INEL) provided assistance to the AIT as part of the program at the ,
NRC's Office for Analysis and Evaluation of Operational Data (AE00) to study human performance during operating events.
I 1.3 - Onsite Analysis Team The human performance specialists were at the site July 4 through July 9.
The onsite AIT consisted of the following members:
Phillip Harrell NRC/ Region IV. (team leader)
Philip Wagner NRC/ Region IV (assistant team leader)
Charles Paulk Jr NRC/ Region IV Terrence Reis NRC/ Region IV Chu-Yu Liang NRC/NRR/ DST /RSB John Kauffman NRC/AE00/DSP/ROAB William Steinke INEL/EG&G Idaho, Inc.
I 1
1
4 2 DESCRIP110N Of lHE EVENT ANALYSIS
2.1 Background
The fort Calhoun Nuclear Power Station, located in eastern Nebraska about 19 miles north of Omaha, is owned and operated by the Omaha Public Power District. The pressurized water reactor is rated at 1500 MWt with Combustion Engineering Nuclear Steam Supply Systems and a dry containment building. The unit has been in commercial operation since September 1973.
On July 3,1992, the unit was at 100 percen+ of rated power when the operating crew began experiencing problems with a nonsafety-related electrical inverter. The crew was working the fourth of a 7-day 8-hour shift (11:00 p.m.
- 7:00 a.m.) rotation. The control room personnel consisted of a shift supervisor (SS), licensed senior operator (LS0), primary licensed operator (PLO) and a secondary licensed operator (SLO). The normal LSO and PLO for the crew were on vacation and two replacement personnel from another crew were filling in for them (see Figure 1). An operations department engineer was at the plant fulfilling the shift technical advisor (STA) requirement.
At 4:33 a.m. on July 3rd, an inverter trouble alarm and inverter fan failure alarm were received in the control room. Investigation of the aiarms found that inverter No. 2 had automatically shifted to the bypass mode of operation and an electrical " hot smell" was present in the-area by the inverter cabinet. The normal mode of inverter operation utilized de power from safety related, 125 Vdc Battery Bus 2. The de power was converted to a 120 Vac 60 hertz source for important instrumentation and control loads. The inverter control circuitry automatically transferred the instrumentation and
,- control loads to an alternate 125 Vac source when a problem was-detected with either the 120 Vdc power source or an internal conversion (inverter) circuit.
This trans_fer to the bypass mode was accomplished by a solid state switching circuit referred b as the static switch.
A maintenance work order was initiated for craft personnel to evaluate the cause of the inverter .ilarms and the electrical " hot smell" that had been l
detected by the operations personnel. The craft personnel performed an inspection of the inverter No. 2 and found no evidence of overheating or any 2
p
i other problems. Th::-inverter was subsequently returned-to the_ normal mode of operation at 6:36 a.m. and functioned normally.
Later that day, at 3:10 p.m., the trouble alarm and fan alarm were received again with inverter No. 2 transferring to the bypass mode of operation. Operations personnel checked inverter No. 2 and did not _ observe any problems. The inverter was returned at 3:27 p.m. to the inverter (normal) mode of operation without incident.
At 7:21 p.m., the same control room inverter alarms were received again j accompanied by a transfer of inverter No. 2 to the bypass mode. An internal ;
inspection of inverter No. 2 was cbnducted by craft personnel, reve'aling possible overheating indication (small discolored section) on two of the printed circuit boards, the inverter drive and static switch drive.
Discussions between the system engineer and the work planner ended with a decision to replace the two discolored circuit boards. Concurrence was received from the maintenance supervisor who was also at-the plant to assist i.i the repair. A briefing between the SS, maintenance supervisor and operations manager was conducted to discuss technical specification time requirements for the inoperable inverter and repair activity in progress.
Maintenance activities on inverter No. 2 were completed that evening at the end of the shift and the SS of the on-coming crew then authorized placing the inverter back in service at 11:30 p.m. following the shift briefing. The~
turbine building operator (TBO) began placing the inverter back;in service with Attachment 6 " Inverter 2 (EE-8Q) Operation" of operating _ instruction 01-EE-4. At 11:35 p.m., the manual transfer switch was moved from the bypass mode to the normal static-switch position. The SLO was monitoring AI-428 bus voltage in the control room on a back panel, which is supplied by inverter No. 2, and observed several voltage oscillations with voltage dropping 20 to 40 volts. Similar_ voltage oscillations were observed on the local indication at the-inverter. These voltage oscillations caused a number of problems, including the trip of a circuit breaker AI-428-CB2 and the blowing of numerous fuses- for control board annunciators.
Power was lost to distribution panel Al-50 which provided electrical-power to sections of the nonsafety-related electrohydraulic control (EHC) 3
circuity for the main turbine. Throttle compensation pressure transmitter PT-943 and first stage turbine pressure transmitter PT-945 were deenergized and the EHC system responded by initiating an inmediate full closure of the turbine control valves creating a full load rejection with no immediate heat i sink for the reactor. i 1
l A turbine trip signal is required to enable the steam dump valves to the condenser to provide an alternate heat sink. A turbine trip signal is generated when two of the four turbine stop valves leave their fully open seat, which did not happen in this event. Only the turbine control valves were affected by the power loss. A reactor trip signal would have also been generated from a turbine trip condition as anticipatory protection to limit the primary coolant system stored energy and pressure caused by a cessation of normal steam removal from the steam generators. Consequently, the reactor coolant system (RCS) temperature and pressure increased, and the iin steam safety valves opened to provide a heat removal path. When pressurt in the RCS reached approximately 2400 psia, a reactor and turbine trip occurred and the pressurizer power-operated relief valves (PORVs) opened. As pressure continued to rise, a pressurizer code safety valve opened to reduce RCS pressure.
Immedittely following the voltage oscillations, control room annunciator panels AI-658 and AI-66B alarmed completely (all windows lighted). The SS, who was standing in the center of the control room, looked at the EHC panel and saw that it was dark, indicating that there had been some loss of power to the system. At the secondary feedwater control station, the LSO saw all the parameters start to enange rapidly. Within a matter of seconds, the main steam safety valves lifted in response to the load rejection with no steam dump bypass valves available. The PLO, hearing the steam generator safety-valves open, in anticipation of a high pressure reactor trip, initiated a manual reactor trip. The automatic high pressure reacter trip setpoint (2400 psia) was reached before the manual trip was. achieved. Pressure peaked on cht narrow range pressure chart recorder at-approximately 2430 psia (the best' available data).
The LSO entered emergency operating procedure (EOP) E0P-00, Standard Post Trip Actions, and began directing control room operators' response. The PLO 4
~ ~ ~
v
informed the LSO that he had received pressurizer PORV tail pipe temperature alarms with associated quench tank alarms during the transient and that pressurizer pressure was recovering in a normal manner. Backup charging pumps started and letdown flow was isolated by the PLO to restore pressurizer levei to normal. The SLO, performing procedure immediate actions, reported turbine stop valves 1, 3, and 4 were indicating 50 percent open and initiatec a contingency action of stopping the EHC pumps to fully close the valves. A running Londensate pump was also tripped by the SLO at this time to reduce electrical load per step 13.d of procedure E0P-00 which required that only one condensate pump be in operation.
Seven minutes arter the reactor trip, the crew had completed all steps in section 5.0 of procedure E0P-00, verifying proper response of equipe. ' to the reactor trip. Pressurizer pressure was increasing and was at approximately 1925 psia when quench tank alarms were received again. The PLO informed the LSO that pressurizer pressure was decreasing rapidly with a correspcnding increasing quench tank level and then closed the PORV block valves to eliminate the PORVs as a potential cause of the depressurization. The rate of pressure J; crease was unchanged and the PLO informed the LSO that pressure was approaching the setpoint for a pressurizer pressure low signal (PPLS).
Automatic PPLS occurred at the setpoint (1600 psia) and the PLO verified proper response of engineered safety feature pumps and valves. After checking _
tailpipe temperature indications on the control board and the acoustic flow indicaticn on the back of the main control board for the safety valves and PORVs, thr- PLO informed the LSO that he had indication that pressurizer safety valve RC-142 had lifted and failed to rescat. Reactor coolant pumps (RCPs)
RC-3B and RC-30 were stopped by the PLO with LSO concurrence at 1350 psia as directed by E0?-00. Pressurizer level channels LT-10lX and LT-10lY were in disagreement during this time period. tnannel LT-10lX was increasing and near 100 percent wnile LT-10lY had oscillated several times and then indicated 0 percent level. Pressurizer cold calibrated channel LT-106 was still on scale high.
The STA was in the control room for shift turnover and present when the reactor tripped. He went to the Emergency Response Facility Ccmguter System (ERFCS) screens in the control room. Vital auxiliaries were indicating normal and a check of safety functions for a reactor trip recovery (EOP-1) were also 5
normal. Indications for containment sumps and pressure were unchanged. All safety functiens were satisfactory with the exception of containment integrity which could not be assessed until the containment hydrogen analyzers were placed in service. The Si A informed the LSO of the safety function check.
At 11:46 p.m. witn the completion of E0P-00 diagnostic section 6.0, two applicable procedure paths were identified for the existing plant conditions.
Either .he loss-of-coolant accident (LOCA) procedure (E0P-3) or the functional Recovery Procedure (EOP-20) was an appropriate path. The SS, LSO and STA conferred on the procedure trai.sition with aa existing 120 Vac instrument _
power problem and a loss of coolant. Because of the multiple problems, the decision was made to enter procedu.re E0P-20 Functional Recovery. Ten minute interval verifications of safety functions including review of floating steps were maintained by the STA with results given to the LSO. Assistance was provided by the STA to the SS in comoleting the immediate notification forms and a shutdown margin calculation was performed by the STA upon the request of the LSO.
Upon entering E0P-20, safety injection flow was reduced by stopping safety injection pumps SI-28 and SI-2C in accordance with floating step 19.A of the procedure. Section 19 of the prncedure contains floating steps which are continucus action steps and can be performed at any time the specified conditions are met. Also, RCPs RC-3A and RC-3C were stopped at this time per the floating step requirements. With pressurizer level channel LT-101X reading greater than 100 percent and PORV block valves closed, the PLO was concerned about overpressurization if the suspected open safety valve (RC-142) were to close while all three nonsafety-related positive displacement charging pumps were operating. The LSO concurred with the PLO and charging pumps CH-1B and CH-lC were stopped.
The SS entered procedure EPIP-OSC-1, Emergency Classification, to determine the-classification of the event. The plant conditions met:two emergency action levels (EAL) in the procedure. Conditions for EAL 1.10, failura of a fission barri'r and EAL 1.5, RCS leakage greater than 40 gpm, called for a declaration of an Alert. An Alert was declared at 11:52 p.m. and a subsequent procedure EPIP-OSC-2, Notifications, was implemented. An initial accident-notification form was completed by the SS. Emergency response shift 6
l
. ..- . - - . -.- g- -.- - - .-. - -~ . . - - . - . - . . . - . . - - . - - - _ - --
assignments included a dedicated control roca communicator who immediately initiated phone notification of key personnel and paging of the emergency response organization (ERO). The operations manager and the maintenance supervisor wert immediately available to assist in emergency plan activation.
By'12:30 a.m., July 4, ERO personnel had established communications between the control room and the technical support center (lSC) and relieved the i onshift crew of communications with offsite organizations. I i
l The LSO followed procedure E0P-20 and implemented section 16.0, RCS core l and heat removal, to accomplish the plant cooldown and depressurization. A natural circulation cooldown was initiated at 12:04 a.m. by the PLO.
f.ccording to the procedure steps,.the PPLS was blocked at 1:03 a.m. for the purpose of restoring low-temperature overpressure protection (LTOP) (the PORV block valves were still closed at this time). A check of the acoustic sonic flow indicators at 1:10 a.m. indicated no flow through the pressurizer safety valve RC-142. .
The Site Director responsibilities were transferred at 1:20 a.m. from the contN1 roon,to the TSC, Backfeed through the 345 kV transform.* was established and plans were made to sample the steam generators, containment l building and the RCS for radioactivity levels. The conditions in the RCS at this time were about 800 psia and 417 'F with a 50 to 60 *F per hour cooldown in progress.
l l To minimize leakage from the RCS during the-natural = c_irculation cooldown, the PLO was performing floating step 19 A, high-pressure safety injection (HPSI) stop and throttle, from procedure E0P-20. Subcooling was being minimized by lowering safety injection flow and consequently reducing the flow through the open pressurizer safety valve. While the PLO was reducing flow and lowering pressure, reactor vessel indication on quality safety parameter display panel -(QSPDS) (located behind the control board) was being monitored by extra personnel. As pressure was decreased to less than 700 psia, personnel at the QSPDS informed the PLO that the reactor vessel level inoication had changed to less than 100 percent. The'PLO immediately increased pressure to 750 psia to regain 100 percent level indication.
7
. .- . - - - - - . - - .. ----. . - - . - . - ~ . -. _ - - . - -
t Normal letdown and charging was established as the cooldown progressed and at 3:29 a.m. injection flow through the llPSI pumps had decreased to zero, it_ was identified at this time the PORV block valves must be opened to have LTOP available. Block valve llCV-151 was opened first without problems. When the second block valve HCV-150 was opened, high tail pipe temperature indication and alarms were received. The block valve was reclosed immediately to isolate the leaking PORV (PCV-102-2). It was later determined that this valve did not leak; the leak indications were due to backflow from the open pressurizer safety valve, Pressurizer level indication was regained at 4:07 a.m. when cold calibrated channel LI-106 came off scale high and was indicating 68 percent (corrected l. Shutdown /cooldown activities continued such as isolating safety injection tanks and making preparations for initiating normal shutdown cooling. At 6:30 a.m. with the RCS at 400 psia and 329 'F, the emergency classification was downgraded to an notification of unusual event (N0UE) in accordance with station procedures.
During the next six hours, the operating crew continued with procedure E0P-20 and started a RCP to cool the reacter vessel head foliowing the natural circulation cooldown and established shutdown cooling. After placing the shutdown cooling system in service, procedure E0P-20 was exited and normal shutdown procedures entered. Draining of-the quench tank was accomplished at this time. With the plant cooled to 120 'F and-stable on shutdown cooling, the NOUE was terminated at 6:40 p.m. and the emergency plan exited.
All safety related equipment functioned as designed during the event with the one except_ ion of pressurizer safety valve RC-142 which remained partially open. Operators experienced other problems in plant support systems during the early stages of the reactor trip recovery including:
- 1) Fire alarms in two areas of the plant (later determined to be caused by steam from steam generator safety valves and a malfunctioning steam trap associated with the steam driven auxiliary feedwater pump).
8
- 2) lhe running air compressor (CA-1B) shutdown (located in area with fire alarm present).
- 3) loxic gas alarms shifted control room ventilation (monitors de-energized on loss of electrical bus Al-428).
- 4) Electric fire pump auto started (the fire jockey pump lost power when the invertbr tripped, so later the electric fire pump auto started due to low system pressure). _
- 5) Turbine plant. cooling water flow gauge by the secondary sample panel ruptured causing some minor local flooding before being isolated (TB0 dispatched to isolate).
- 6) Pressurizer heaters developed grounds as a result of the LOCA in the containment building (diagnosed as related to containment environment).
- 7) Apparent total loss of condensate flow (system modification during last refueling automatically tripped two pumps on a safety injection actuation signal (SIAS), pumps were restarted). ,
- 8) Component cooling water (CCW) to the RCPs isolated when CCW pumps were sequenced on during the PPLS/SIAS (suspected problem with system design). PLO reestablished flow immediately.
Each of these items required additional operator attention and time to investigate during the process of performing the plant cooldown and depressurization.
2.2 Time Line of the Event To establish this time line, the cnsite analysis team interviewed all control room personnel shown on Figure 1. Copies of control room strip chart recordings, the control room logs, post trip review and the annunciator printout were also provided by the station. The training staff also reproduced the initial 10 minutes of the event sequence, which included a 9
failed pressurizer safety valve af ter a seven minute delay, for the analysis team on the plant specific simulator- to observe pressurizer pressure response.
The simulator trace matched the actual recorder trace very closely collaborating the belief that a safety valve had opened and remained open after pressure decrease during the plant recovery from the reactor trip.
Note: all times are Central Daylight Time Jul_v 3.1992 4:33 a.m. Inverter No. 2 Trouble Alarm received. Inverter automatically _
shifted to bypass. Engineering and maintenance personnel investigated and found no specific cause for the alarms.
6:36 a.m. Inverter No. 2 returnej to cal (Inverter) mode and operated normally.
3:10 p.m. Inverter No. 21 rouble Alarm received. Inverter automatically
-shifted to bypass. Again no specific cause could be determined.
3:27 p.m. Inverter No. 2 Trouble alarm cleared and the inverter was returned to service by operations personnel without incident.
7:21 p.m. Inverter No. 2 Trouble Alarm received a third time. Inverter automaticaily shifted to bypass as in previous instances. On-call maintenance and engineering personnel contacted for assistance.
8:54 p.m. Inverter No. 2 was deenergized for maintenance and engineering personnel to perform an inspection. Two circuit boards were replaced that had indications of overheating.
11:30 p.m. SS authorized return to service of' inverter No. 2. procedure 01-EE-4,120 Vac system normal operation was used, 11:35 p.m. Inverter No. 2 transferred back to normal mode. Voltage output indications locally and in control room (bus Al-428) oscillated. Distribution' breaker to electrical panel Al-50 tripped open de-energizing the main turbine control circuitry.
10
11:36 p.m. -
Reactor tripped on pressurizer high pressure of 2400 psia.
RCS pressure peaked at approximately 2430 psia.
Steam generator RC-2A pressure reached 1033 psi and main steam safety valves lifted.
Operating crew entered E0P-00, Standard Post Trip Actions.
Operating crew received quench tank pressure / level-alaiws.
Backup charging pumps (Cil-1A and Cll_lB) started.
Multiple alarms were received due to the inverter voltage '
fluctuations blowing fuses and causing loss of power.
ERFCS display values for containment temperature and RCS subcooling were not available on summary pag's. e 11:37 p.m. -
SLO placed both EllC pumps in " pull-to-lock" to ensure all turbine stop valves ware shut.
Pressurizer pressure dropped to 1745 psia and began to recover. Letdown isolation valve TCV-202 was closed to conserve inventory, 11:40 p.m. Containment pressure reduction system secured by_SS direction.
11:43 p.m. -
Pressurizer pressure reached 1925 psia, then started to decrease. Quench tank level started increasing at a higher rate.
Primary licensed operator closed pres,;urizer powcr operated relief block valves (11CV-150 and ilCV-151) based on decreasing pressure aid increasing quench tank level.
+ RC-142 safety valve tail pipe temperature increased.
PPLS actuation occurred with the associated containment isolation signal, SIAS and ventilation isolation actuation signal.
L
- CCW isolation valves closed and are reopened by the PLO.
11:44 p.m. RCPs RC-3B and'RC-20 were shutdown per procedure E0P-00 guidance (reactor coolant pressure less than 1350 psia).
L 11:46 p.m. - Procedure E0P-00 completed.
Operating crew entered procedure E0P-20 " Functional Recovery Procedure" due to two events in progress (LOCA and 120 Vac problems).
- Pressurtzer level channel 10lX indicated 100 percent and f the other channel 10lY indicated 0 percent.
l 11
. _ m.___ _ _ . - ___ _ . - _ _ _ _. _ . ~ , _ _ _ _ ._- _. _ _ . _ _ _ _ _. _ .. _ ..
/ ,. j l
. 11:46 p.m. < floating step requirements for ilPSI stop and throttle _were 3 (cont.) met. lipSI pumps SI-28 and 51-20 were shutdown with pump SI-2A still in operation, 11:49 p.m. RCps RC-3A and RC-3C were shutdown per procedure 00P-20 guidance (reactor coolant pressure less than 1350 psia),
11:52 p.m. Charging pumps Cil 1B and C11-1C were shutdown, 11:52 p.m. SS declared an Alert (based on EAL 1.10). RCS leakage was estimated at greater than 40 gpm at this time, 11:55 p.m. Quench tank rupture disk rupt. ed and depressurized to the '
containment. Quench tank level indication oscillated.
11:56 p.m. Emergency feedwater Storage Tank low level alarm (tank level 90.9 percent).
11:58 p.m - Charging pump [ Cil-18 and Cll-1C started for emergency baration.
Containment sump level in alarm (level indicators L599 and L600 read 25.22" and 25.82" respectively).
11:59 p.m. ERO page initiated with notification to report to their assigned locations.
July 4. 1992 12:04 a.m. Natural circulation confirmed by the PLO. SS directed the initiation of a plant cooldown in accordance with E0P-20.
(RCS temperature 524 'F and pressure at 1100 psia) 12:06 a.m. Containment fan cooler units VA-7C and VA-7D started to lower containment pressure (peak p essure.was 2.5 psi).
12:07 a.m. Charging pump CH-lC was shutdown by PLO.
12:10 a.m.- Emergency Plan initial notification to Iowa and Nebraska-completed.
12:16 a.m. Charging pump Cil-lc was started by PLO.
12:20 a.m. Senior NRC Resident Inspector notified of the Alert.
12:24 a.m. flydrogen a -alyzer placed in service.
12:29 a.m. NRC headquarters duty . officer notified of the Alert.
12:30 a.m. Acoustical moniter still howed flow through pressurizer safety l valve RC-142.
12:34 a.m. Group N nontrippable rods were fully inserted.
12 i
, , , . e i 4 ; . .. , . - . - , . - - . , , , , . . , ., , -, r _, .<c_, . .. ,.~
i l
l 12:44 a.m. Charging pumps CH-18 and CH-lC shutdown by the PLO. RCS i temperature was 495 *F and pressure 1100 psia. j 12:46 a.m. Emergency boration terminated as directed by E0P after one hour of boration.
12:48 a.m. Charging Pump Ch-1A shutdown by PLO.
1:02 a.m. Steam generator low signal blocked per procedure during plant cooldown.
1:03 a.m. PPLS blocked per procedure to establish LTOP. ,
1:10 a.m. -
Emergency feedwater Storage Tank low level alarm cleared (level 93.1 percent)
PORV/ Safety Soqic flow lights out (no flow).
1:12 a.m. Main turbine / generator on turning gear. RCS pressure was at 950 psia and temperature 470 *F.
1:13 a.m. Low pressure safety injection pumps SI-1A and $1-1B shutdown in accordance with procedure E0P-20 floating step.
1:21 a.m. Site Director responsibilities transferred to the TSC from the SS.
1:22 a.m. Electrical buses lAl and 1A2 were transferred to 345 kV system.
1:31 a.m. Turbine driven auxiliary feedwater pump secured (FW-10 shut).
1:38 a.m. Atmospheric dump valve HCV-1040 isolated, 1:40 a.m. Shutdown margin verified. -RCS pretsure was at 934 psia and temperature 448 'F.
1:46 a.m. Completed reset of safeguards.
1:51 a.m. Started charging aump CH-lC :o re-establish charging and letdown along wit 1 RCP seal leakoff to the volume control tank.
1:52 a.m. Opened containment isolaticn valves for radiation monitors -
RM-050 and RM-051 to obtain an atmospheric-sample in the containment.
1:56 a.m. Received a ventilation isolation actuation signal and containment-high radiation signal from radiation monitors RM-050 and RM-051, 2:00 a.m. Opened electrical-breakers to the containment sump pumps due to submergence resulting in electrical bus grounds. RCS pressure was at 800 psia and temperature 417 *F.
2:09 a.m. Opened containment isolation valves for steam generator blowdown for sampling purposes. No activity was detected. ,
i 13
fl'Il1 BR4' 2:16 a.m. Opened RCS sample valves to obtain RCS sample. The results indicated all-isotopic activities were normal.
2:18 a.m. Reactor vessel level on QSPDS display indicated less than 100 percent (possible voiding in reactor vessel head). PLO immediately increased RCS presse-- frora 650 to about 750 psia.
2:33 a.m. Reset electrical 86 relay and shutdown diesel generator Dl.
2:39 a.m. Reset electrical 86 relay and shutdown diesel generator D2, 3:20 a.m. Zero power mode switch was placed in bypass.
3:29 a.m. HPSI flow to RCS decreased to zero. _
3:34 a.m. PORV block valve HCV-151 opened.-
3:37 a.m. PORV block valve HCV-150 opened and reclosed when tail pipe temperature increased.
4:07 a.m. - Pressurizer level channel LI-106 reading 68 percent corrected (cold calibrated channel).
4:20 a.m. HPSI pump SI-2A shutdown.
4:31 a.m. Safety injection tanks were isolated. RCS pressure was at 400 psia and temperature 329 'F.
5:25 a.m. " laced steam dump control in INHI8IT.
6:30 a.m. Dawngraded emergency classification to Notification of an Unusual Event. RCS pressure was at 360 psia and temperature 290 'F. _
10:24 a.m. Started RCP RC-3C to assist in cooling the reactor vessel head.
1:12 p.m. Shutdown cooling established in accordance with procedure E0P-20.
-1:52 p.m. Exited procedure E0P-20 with TSC concurrence and entered normal 1
shutdown procedures.
6:40 p.m. Exited the emergency pl , with the plant stable on shutdown cooling at 120 *F atj s 03ressurized.
2.3 Analysis in many respects, parallels between this event and the Three Mile Island (TMI) event can be drawn. They both had a loss of coolant from the relief-valves at the top of the pressurizer. They had the same indications of increasing pressurizer level with maximum injection flow to the system with 14 i
pressure decreasing or at saturation. Much of the 1M1 e"ent was blamed on the human oprators, llowever, the Fort Calhoun event had a successful conclusion.
The following analysis suggests some of the f actors which contributed to human perfor o ce in tHs event.
2.3.1 Procedures Hany of the abnormal and emergency procedures had just been revised and issued in the preceding months. This event was the first significant " test" of the new procedures and the operational personnel interviewed indicated that the procedures and, in particular, the new system for p ace l eep k i seeme d to ng, work well. The previous placekeeping shtems had used ribbons attached to the spine of the procedures or operator notes on pads of paper as a means to identify what steps had been accomplished and locations of cross-references.
The new placekeeping system used a removable page to checkoff (or record the time) when each step was completed. An example of the new placekeeping pages is given in Figure 2.
" Floating steps" were also used in the procedures. Floating steps were procedural action steps with continuous applicability, if, at any time during s
the procedure, the conditional criteria of a floating step were met, then the action was to be carried out. In this system, all floating steps for a procedure were listed in a specific section. Procedur ; E0P-20 had 27 floating steps with 49 pages of instructions. Each operator was provided with an individual copy of the floating steps that coult ',e referenced at any time.
The STA, as part of his functions, mor .ored the floating steps as well.
Figure 3 presents the checklist of floating steps that was used by the STA in his monitoring task. The operators reportal that this organization and presentation of continuous steps seemed to work vell.
There were at itist three examples in this event where knowledge was needed to sur:)rt the use of procedures.
- In ti.o first example, an individual was able to identify a procedure deficiency based on prior knowledge and experience. In this case, 1 situation developed in the recovery effort where discussion was hela regarding starting a RCP without offsite power from the 345 KV system. Procedurally, there was nothing to prevent the star +,ing of the pump. One of the ERG personnel in the control room knew that an undervoltage 15
l : I condition could result from this causing bus stripping, and auto starting of i safeguards pumps on the diesel generators which was undesirable given existing plant conditions. 1his concern was taken into account in the original >
procedure by ordering the actions steps in a specified sequence, however this ;
sequence of steps was climinated by floating steps in sJbsequent revisions, lhe original step sequence ensured that offsite power was established prior to starting a RCP. In this case, the personnel were able to supplement the procedures from a knowledge base.
A second example of where knowledge was needed to supplement the precedures (i.e., the procedure did not contain sufficient detail needed by l the operator) concerned the tripping of condensate pumps. In this case, the ,
operator did not have the additional knowledge base, which led to a complete loss of condensate flow during recovery. llere, the operator tripped off the B condensate pump in his initial post trip response actions. lhe procedure E0P-00 does not specify which one of the three condensate pumps to trip and his action was in accordance with the procedure as written. A plant modification completed during the last refueling outage automatically trips the A and C condensate pumps along with a circulating water pump when a PPLS/SIAS occurs. Therefore, when the B condensate was turned off, and the other two pumps tripped later, there was no condensate flow.
The third example of knowledge supporting procedures invoived the process of placing LTOP in service. Procedurally, the operators were only directed to reset the PplS signal to enable the protection. Actions taken early in the event had closed block valves in series with the PORVs and made the PORVs unavailable as relief protection. Later in the plant cooldown and
- depressurization the operators recognized this situation and opened the block valves.
These examples illustrate the point that knowledge based behavior can, and often is, used to support procedures, but can not and should not be relied upon for factual information that needs to be incorporated in the procedures and in training.
16 r-, -, ,--.-,-e .-,.-.v. , . - - . - - , -..---.,.m.w- ..,_.n-u , . - . . . y.-4 . --y-, , .--+.,-,ye-, ..
l 2.3.2 1 raining All operators reported and emphasized the importance of plant-specific simulator training in their ability to respond to this event. The plant-specific simulator training allowed the operators to practice procedures related to LOP.A and loss of inverter scenarios. Although the event may not have corresponded precisely to the tr. lining scenarios, the training provided exposure to plant conditions that might exist and what kl.id of responses t.ight be anticipated.
A second specific area of training was that of emergency response. Every 1hursday of their training week, the operators and other support organizations (e.g., chemistry, radiological protection) participated in simulator scenarios implementing the Emergency plan. This training provided the opportunity for personnel to learn and frequently practice emergency response plans and proceaures, including notifications and form completion. ihe STA participated in this training as well. The personnel credited this training with aiding them in their ability to carry out emergency response requirements and activities.
2.3.3 Iluman-Machine Interface Several human-machine interface (llMI) issues were identified. The first involved the performance of the stop and thrott1e procedure for the lipSI valves. For this operation, the valve controls used were located on a panel that is physically lecated away from (approximately 8-10 ft.) the panel with the flow and pressure indications. The indications were needed to accomplish effective control of the valve flow. Therefore, in order to accomplish this procedure, operators were stationed at each of the panels and communicated with each other. The control actions made at one panel had an immediate effect on flow and somewhu less immediate effect on pressure indications, which were needed to make appropriate control actions. It should be noted that these valves were not designed as throttle valves and do not have cont.istent linear control characteristics throughout the range of control.
This nonlinear characteristic made it difficult to control flow and made the ability to monitor the effects of the control actions on the flow and pressure parameters for feedback desirable. ]
17
A second ilHI issue involved the location of the sonic flow indication for the PORV and safety reifef valves. Sonic flow indicators were added on to nuclear power plants following the lhree Mile Island incident. At fort Calhoun, there is one sonic flow alarm (along with a temperature alarm) located on the front panel. 1he sonic flow indicators were a series of light-Mtting diodes (LEDs) located on the back panel. The LEDs were used as diagnostic indicators for flow or no flow (along with tail pipe temperature located on the main control board) and were located remote from other indications associated with the PORVs and safety valves. Grouping backup indication with other associated indications in a manner where the operator .i does not have leave the control area would be more helpful.
It was noted that the annunciator panels that were lost because of the electrical failures associated with the inverter problem were identified with a " loss of power" window on other panels that were powered by different sources. This " loss of power" window was used as a confirmation of an annunciator panel problem.
Emergency response facility computer inputs for containment temperature and RCS subcooling were malfunctioning on the parameter display pages that the operators normally used. These parameter valurs were asked for frequently by the TSC because they were not available on their computer. These same parameter values were availabic on other computer screen pages or on control room panels. However, the operators stated that they had a difficult tima in obtaining the required information, in this case, the ERFCS normally provided a useful operator aid with all the required parameters displayed. During the computer malfunction, the display indicated (by using question marks) that valid input was not -availablo. However, the operators found it difficult to move to a ernative means of obtaining that infonnation. This suggests that operators should be exposed to computer malfunctions during simulator training as well as plant malfunctions. What to do and how to obtain needed information should be addressed in-training for degradad computer operation.
As more indications and operations are displayed and controlled via computer screens, it becomes more important for the operators to understand what to do if the computer aalfunctions.
18
2.3.4 Stress !
1he degradation of human performance by stress did not appear t i be a factor in this event. The related concepts of fatigue and workload (Sharit '
and Salvendy, 1982) did not appear to affect performance. Both the LSO and pl0 had experienced the high pressure reactor trip resulting from a similar loss of an inverter in 1986. This was cited as one reason for personal stre:;s not being as high as it would have been without such experience. Staffing was adequate to perform required actions. The event occurred at the beginning of ,
the night shift, so the operators were " fresh" on their shift. fatigue did not enter into the event because the operators did not have to stay beyond their regular shift hours. ,
2.3.5 Staffing Staffing was sufficient to perform required actions. Because of scheduled vacations (e.g., the fourth of July holiriay), the LSO and the pl0 were both relief operators from another crew. The LSO and pt0 were from the same crew and had worked together. They apparently worked well together as did the entire crew. No additional operators were brought in to assist the i SS, LSO, PLO and SLO because they were not needed, although management inquired if additional operators were needed. ,
The emergency response crew complement included a dedicated person to act as the communicator to handle notifications during the event. This left the ,
SS free to oversee activities and confer with others in the recovery efforts.
! The STA was in the control room for the shift briefing and remained in j
the control room for placing the inverter in service and the following event.
The SlA provided support functions to the SS which included assistance in notifications, shutdown margin calculations, and monitoring safety functions.
The STA was involved in technical discussions and interpretations and was-included in decision making processes such as choosing E0P-20 as the alternative procedural success path upon completion of E0P-00. It was part of the STA's safety function to monitor the status of the floating steps (see figure 3). A check list was providcd to the STA as an operator aid to assist in the floating step status checking. It is important to note that the STA 19
.- . .s not a dual role, but was a dedicated role for an engineer.
t; is te also trained with n operational crew and participates in the lhursday 1: 4 .ing of emergency response activities.
The operations manager and the maintenance supervisor were in the plant and available for assistance immediately after the event. Similarly, many of the ERO personnel lived with ten to twenty minutes of the plant and some ERO
,.ersonnel were manning their positions within 30 to 40 minutes of the classification. The inenediate availability of the personnel was a factor which contributed to the success of the event. The presence of the operations ,_
manager and other personnel assisted with the workload regarding notifications, provided the opport. unity for the SS to conference with his superiors, and allowed the SS to focus on the decision making involved in the recovery efforts.
2.3.6 lask Awareness A major part of the success of the human performance associa'ed with this event was related to the degree of task awareness on the part of the ope ra'.o rs . Awareness of plant conditions and status appeared to be heig1tened during the event, but the heightened awareness did not result in stress levels that degraded performance. On the contrary, the heightened awareness wa; a exhibited in pro-active monitoring and action, thinking ahead as to what sctlons might be needed to anticipate and preempt undesirable plant conditions. One example of this task awareness involved the CCW pumps. The tina to sequence from normal to emergency power supply for the CCW pumps on the diesel generator and increased flow to containment fan coolers during a pPLS/SIAS was long enough to allow pressure and flow to decrease in the C(W system to the point where an automatic isolation of the RCp cooling did occur.
This coula have resulted in unnecessary tripping of the RCPs. Ilowever, the pl0 identified this automatic isolation and restored the RCP cooling immediately. There were no cautions in the procedures to assist the operator.
Another example of task awareness was demonstrated by the SLO. lie had reviewed the abnormal procedure for the loss of inverter and was monitoring parameters on the back of the control boards. lie maintained an awareness of 20
t what was and what might happen, and took actions to investigate and prepare l I
for possibilities.
t A final example of task awareness was demonstrated by the PLO. The pl0 expressed concern about possible overpressurization if the safety valve closed :
while all three positive displacement charging pumps were operating. Although there was no prediction that the safety valve would close, the PLO was i anticipating a scenario where the consequences (overpressurization) may cause ,
reopening of the reiter valves. The charging pumps were stopped after discussions with the LSO. The pumps were started later to accommodate procedural requirements for emergency boration.
i 2.3.7 Command and Control / Teamwork ;
Normal command and control existed without change due to the staffing configuration. Connunications and support from the ERO functioned smoothly.
Because of the staffing organization, the SS was able to oversee activities without being unduly burdened with notification activities. The SS was also able to confer with his superior (i.e., the operations manager) and the ,
maintenance supervisor directly because of their presence in the control room.
Even though the SS and LSO were members of different crews, information flow and decisions were made in a timely manner. All personnel involved seemed to function as a team. Any-personnel with input, even if not part of the operating crew,-felt they could contribute and have their input evaluated. An example, mentioned previously, was that an ERO person contributed his knowledge concerning the need to ensure offsite power before starting a RCP.
Such teamwork contributed to the successful response to the event. - ,
2.3.8 Maintenance Activities There were several latent' factors associated with maintenance activities which.. contributed to the initiating event (the failure of the inverter No. 2).
A latent design factor was that when the inverter board was replaced, there-was n9 way to perform post maintenance testing without placing the-inverter in service. -This was significant in that the circuit board which was installed by maintenance personnel was missing a small jumper between two terminals.
Information was.not available from the vendor in the technical manual to 21
. = , - - . . - . - - -_-.-.-
ensure that the correctly configured circuit board was being used as a replacement.
I L An-)ther latent factor was that the technical manuals did not provide the ,
torque required for the setpoint lockir.g nut on the safety relief valve. As a 1
result, the setpoint locking nut was loosened during the first actuation of i the safety valve which contributed to the reduction in setpoint and further damage of the safety valve to extent the valve remained partially open.
3
SUMMARY
1he factors that affected human performance during this event are summarized below:
J' roc edure s.
4 In general, the recently revised procedures seemed to work well for the .
operators. A new system of placekeeping (i.e., a separate step check-off l list) and floating steps (l.c., steps with continuous applicability) assisted the operators in using the procedures. There were at least three examples of where procedures needed to be supplemented by operator knowledge base. These examples illustrate the point that knowledge-based behavior can, and of ten is. P used to support procedures, but can not and should not be relied upon for factual information that needs to be incorporated in the procedures and in training.
Training All operators agreed that plant-specific simulator training hao assisted ;
in their ability to respond to this event. The operators trained on loss of coolant and loss of inverter scenarios, and also trained specifically on implementing the Emergency plan which .nssisted them in carrying out the emergency response requirements.
L
??
l!umanJia. chine _lnterface R [ill Several Ittil issues were identified. In two cases, related displays and controls were located at some distance from each other. Windows on each annunciator panel to indicate " loss of power" for the other annunciator panel were available to confirm that power was lost. Computer displays normally used for containment temperature and RCS subcooling parameters were malfunctioning. Although the information was available on control board panels or other, less frequently used, computer screens, the operators reported that not having the values available on the normally used screens was a hindrance to performance. This suggests that operators should be exposed to computer malfunctions during simulator training as well as plant malfunctions.
What to do and how to obtain needed information should be addressed in training for degraded computer operation.
Stress Stress did not seem to degrade human performance in this event.
Staf fing Staffing was adequate to perform required actions. A dedicated person to act as communicator to handle notifications left the SS free to oversee activities and confer with others, including the operations manager and the maintenance supervisor, during the recovery efforts. The STA provided support to the SS, including notifications, calculations, safety function monitoring, and involvement in technical discussions and decisions. The STA position was not a dual role, but was a dedicated role for an engineer.
Task Awareness A major part of the success of the human performance associated with this event was related to the degree of task awareness on the part of the operators. Awareness of plant conditions and status appeared to be heightened during the event, but the heightened awareness did not result in stress levels that degraded performance. On the contrary, the heightened awareness was exhibited in preactive monitoring and action, thinking ahead as to what 23
actions might be needed and anticipate and preempt undesirable plant ,
conditions. Several exampi s illustrated thn task awcreness.
Commanst_ard Coj.rpl/ Tean3_2r}k i
flormal congnand and control existed. Consnunications and support from the- !
ERO functioned smoothly. All personnel involved seemed to function as a team.
Such loanwork contributed to the successful response to the event.
tbjntenance Activities ,
Several latent factors associated with maintenance activities contributed to the failure of inverter No. 2, hence to the initiating event. There was no way to perform post maintenance testing without placing the inverter in service. Information was not available from the vendor regarding correct circuit board configuration or the torque required for the setpoint locking nut of the safety relief valve.
4 REFERENCES Sharit, J. and Salvendy, G. (1982). Occupational stress: Review and i reappraisal Human Factors, 21(2),129162.
4 l
24
. ;_.,_..__..u.. ._ _ _ . _ , _ _ - . . _ . _ . ~ . _ , _ _ - , , . . _ . -
I Shift Supervisor SR0 - 4 yrs.
i Licensed Senior Shift Technical Operator Advisor - 1 yr. '
SR0 - 10 yrs. Non-Licensed l
l Primary Licensed Secondary Licensed Operator Operator
- R0 - 2 yrs. R0 - 9 mo.
Note 1: The licensed senior opeiator and primary licensed operator were crew members from another crew filling in for vacation vacancies.
Note 2: Shift technical advisors schedule rotated opposite of the operating Crew.
Figure 1. Fort Calhoun Control Room Staffing.
25
- . . . - . . = . , . . . . . . . . . . . . , , _ . - - . - . . - . . . - . . - - . . - . . . , , _ . _ - - . - . - . - . . . . , . , . , . _ . . , . . . . _ . . , . . , . , - - - , . . _ . . , - . , -
. __ - _ _ _ _ ___ ____.-___.. _ _ _m. _ ___.__ _ -__ _ _ . _ _ _ _ _ _ _ _ _ _ _ _ . . . . . _ _ . _ -
/ ,
r COP 20 Page 299 of $27 I G.0 f.l.ACEEEEP_E8 HR-3 l
Number Step tsme/V Page 1 Check CSAS initiated 301 2 Chock PPLS initiated 306 3 Check CPHS initiated 308 ,
4 Maximize Si flow 311 5 Confirm no SGTR 312 -
G Commenca cooldown t 313 7 Maintain RCS pressuro 315 8 Placo HM-0G4 in service t 317 9 to 11 Identify and Isolato affected S/G t 318 12 Depressurize RCS to <1000 psia t 320 13 Maintain RCS pressuro 320 14 Align blowdown sample to wasto 321 _
15 Maintain isolated S/G lovel 322 16 Samplo serot dar/ systems 322 17 Confirm no UHE 322 -
18 to 22 Identify and isolato affected S/G t 323 23,24 Stoam lonst affected S/G 311 25 Override SGIS t 329 COMMENTS:
1 Figure 2. Ernergency Procedure Placekeeper u
1.6 I
y- - - ,,-s . , , . . , , ,-,~--w-v,. ~ , . , , - - - . - . - , - , e. .- , - - . - - --w.s v -
EOP 20 Page E3 of 527
- 7. Floating Step Monitoring pgg
- a. Identify and inform the LSO cf those Floating Steps which may need additional operator attention.
A. HPSI STOP AND THROTTLE CRITERIA B. LPSI STOP AND THROTTLE CRITERIA C. NATURAL CIRCULATION D. RCP RESTART CRITERIA E. RCP OPERATING PARAMETERS F. CONTAINMENT SPRAY TERMINATION ~~
G. CONTROL ROOM HABITABluTY ~ ~ ~ ~
H. RESET OF ENGINEERED SAFEGUARDS
- 1. TURBINE AUXILIARIES ~~
J. EMERGENCY FFEDWATER STORAGE TANKINVENTO.' ' ~ ~ -
K. SHUTDOWN 01 . E EL GENERATORS L STEAM GENERATOR WATER LEVEL MONITORING -
M. SAMPUNG THE CONTAINMENT SUMP FOLLOWING RAS N. AUGNMENT OF CHARGING PUMP SUCTION TO SIRWT ~
O. RCS HEAT REMOVAL P. REACTOR TRIP CHEMISTRY CHECKUST --
O. AUDIBLE COUNT RATE OPERATION ~
R. CONTAINMENT HYDROGEN S. RESTORATION OF NORMAL UGHTING T. STEAM GENERATOR ISOLATION ~
U. PZR LEVEL MONITORING V. BLOCKING OF SGLS W. ENGINEERED SAFEGUARDS ACTUATION VERIFICATION X. TRIPPING RCPS Y. 345 KV BACKFEED ~
- 2. BLOCKING OF PPLS '
AA. LOCAL ALIGNnAENT OF CHARGING PUMP SUCTION TO SIRWT ~~~
BB. STOPPING OF TURDINE BUILD"7 SUMP PUMPS Figure 3.
SUMMARY
Safety Function Floating Step Checklist 27
.