ML20115D548
| ML20115D548 | |
| Person / Time | |
|---|---|
| Site: | Pennsylvania State University |
| Issue date: | 10/14/1992 |
| From: | Shirley D PENNSYLVANIA STATE UNIV., UNIVERSITY PARK, PA |
| To: | NRC OFFICE OF INFORMATION RESOURCES MANAGEMENT (IRM) |
| References | |
| NUDOCS 9210210015 | |
| Download: ML20115D548 (5) | |
Text
,
l bENNSTATE --
iwd 3. sune3 ine n e.mu si.na nnenn7 Senior Vice lieuderd k.t Rewarcb l ad iate liudJms and De.m of the Graauate 5chmi ,r- , Park 1% lf A02-1.W6 October 14,1992
'US Nuclear Regulatory Commission Attn: Document Control Desk Washington, DC 20555 Re: Report on inadvenent Reactivity Addi tion Penn State Bn:azeale Reactor
- Licen:;e Number R 2, Docket Number 50-05 On October 5,1992, an incident occerred at the above facility which is described in the attached mport. In summary, an operator error when changing a control system parameter with all rods fully inserted caused an inadvertent partial withdrawal of one rod. This incident does not constitute a reportable occurrence under the Technical Specifications, but 4 never-the-less considered a serious matter which is appropriate for regulatory review.
i On the moming of Octorec 6,1992, members of our staff discussed the incident with Mr.
Alexander Adams of the NRC Non-Power Reactor Duectorate, outlining the cause, response, immediate corrective action, and long-term cormctive actions under consideration. In a call later that day, Mr. Adams reported that the incident had been discuesed with his management and with Region I; there was concurrence with our interpretation of the reporting requirements stated above.
The control systen vendor was informed on October 6,1992, as was the Penn State Reactor Safeguards Committee which was ce9vening that day for its regularly scheduled quarterly meeting.
Both the vendor representative and the safeguards committee concurred with the preliminary analysis and corrective actions and asked to be kept informed of additiorr' long-term corrective actions, r
In addition to this preliminary report, we intend to submit a follow-up report within 3d days, describing final resolution of this matter.
Sincerely, l (01 tl k Y /
< David A. Shirley Senior Vice President for Research and Dean of Graduate School DAS/MHV/ld1441 Attachment l- pc: Region 1 Administrator l Mr. Gilbert Raiskums, AECL Technologies An r,2m re nonny Unnena12 0 0 0.1. 6 hy!
l 9210210015 921o14 PDR ADOCK 05000005 l S PDR - !
l 4 -
s 8' The following is a description and initial analysis of the event that occurred October 5,1992 at 1606.
Reactor initial Status:
Reactor was shutdt.wn with all rods at the lower limit (=$5.85 suberitical).
The key switch was on with air applied to the transient rod (total worth of the transient rod =$3.00).
Background:
With our console, the control and monitoring software was doveloped using a high level block language. The available blocks can be linked, much like analog electronic components are connected, to perform the desired function. The blocks are software subroutines that are linked with calls and
- transfers of data. Once the blocks are linked with source code and compiled, that particular compilation of the system is fixed until a software change is needed that requires a different arrangement of the blocks. Each block has within its subroutine the capabihty of baing changed a limited amount by making tuning parameter changes. These can be made after the the software has been compiled. As an example, there is a block called a limit block (LIM) ,
~'
that passes the input to the output without change as long as the input is within the upper and lower limit parameters. If the input is greater than the upper limit parameter the output will be equal to the upper limit parameter. If the input is less than the lower limit parameter the output will be equal to the lower limit pa meter. To change the limits of the LIM block the limit- parameters of the block can be changed by entering the software maintenance mode. Tuning parameter changes car be made without compiling the software again.
The Electronic Designer was performing checks of the tuning parameters
- in the rod drive portions of the control and monitoring software of DCC-X. He had verified that a parameter (ratio / bias block gain) that converted the rod velocity from inches per second to revolutions oer second was wrong. This parameter was erroneous because the gear ra 'o of the dive mechanism was changed, during the installation, after the Factory Acceptance Test (FAT) and the initial Site Acceptance Tests (SAT) had verified the initial design specification. The effect of this parameter on operation was moot because the actual physical parameter, inches /second, was measured by operating the drive mechanism and timing the drive displacement. After installation the measured value was acceptable in terms of control and Technical Specification
- ren.uirements and was therefore not compared to the program data value (rod velocity in inches /second). It is possible to display the prngram data value as a time trend but it is not normally displayed to the onorator or used in day to day operailon.
l I When the ratio / bias block gain was found to be wrong a determination of L the correct value was made. This was done by withdrawing the full 15 inches of j tho transient rod while counting the revolutions. The facH!ty change procedure j (AP-13) was initiated to make the parameter change to correct the ratio / bias 5 Oct 1992 event 10/9/92 1 l,
'. r
- gain and rod velocity program data value while maintaining the measured physical rod velocity at its previous value. The new ratio / bias gain and the change was verbally verified and approved by the Manager of Engineering
- Services (there is at present no forrnal independent verification process called for by AP-13). AP-13 required post change verification and validation (V&V) by appropriate Check 91d Calibration Procedures (CCP's) but there was no .
- requirement for intermediate or process V&V for such a perce!ved simple
- change. Those staff involved were the most knowledgeable of the system but they did not anticipate any need for additional intermedia 5 V&V requirements.
They were not cognizant of the fact that the process of change could create an unanticipated result.
To enter the software maintenance mode to make parameter changes,
- there are two security checks. First the key switch must be on operate and, second, the proper password must be enterad. There is no requirement that all 4
scrams be reset or in this case no need for air to be applied to the transient rod.
Having just completed the measurement of the physical velocity of.the transient rod the air was applied and it was not removed (scrammed) prior to the initiation of the softwaro tuning change. It was not anticipated that the rod would move,
- even with intermediate errors, during the change, therefore it was not
- determined that uniatched rods (de-energized scram bus) was a required pr9 condition.
4 i Error #1:-
After the successful change of the ratio / bias gain, an input error was made during the change of the limit block upper and lower limit _ values. The LIM block output is the input to the ratio / bias block. A change of this block was necessary to compensate for the now altered inpu from the ratio / bias block.
c Since the same limits on the physical rod velocity were desired, the limits had to be changed by the inverse of the raf.o/ bias gain change.
! Error #2:
The new parameter values are entered by typing in the new values and
. hitting the enter key. The new parameter values are not saved to disk or placed into the running software until the entered values are defined (by piessing the F3 function key). Comfortable in the knowledge that the post change V&V would ensure the proper result and oue to the cperator automatic response to define the change (much as a typist automatically adds a space after each word), the erroneous input was defined without verifying the entered values.
Event:
i The operator entered the lower limit of the LIM block as 1.13 inches per-l second. It should have been - (negative) 1.13 in/sec. The upper limit was l entered as 0.354 in/sec which was the correct value. The operator automatically defined the entered values. The software was written to not allow the lower limit L to be greater than the upper limit and automatically changed the upper limit to l 1.13 in/sec after the values were defined. The defined values became: upper 5 Oct 1992 event 10/9/92 2 l
,. a +-.w, ~-+--mun an - -,.a.nu... - - ., - - a - u - 1.-- u- ..n., . - - . ~ ..- +
- 4. - ,
L.A- ,
p .
j
- ~ '
i limit =1 13 in/sec and lower limit =1.13 in/sec. This effectively d'efined the LIM -
block such that no matter the input the output would be 1.13 in/sec. At that time j and during the entire event the input _was zero because no velocity was !
demandeo by the manual rod up/down switches and because a software interlock prevents rod moti_on by demanding a zero velocity when the core / rod!
- mimic is not showing on the DCC X CRT. Since the output of the LIM block goes directly to the moto_r block the 1.13 in/sec velocity demand was sent to the motor i- controller and the motor started withdrawing the transient rod at that speed.' The - _
i system does have an over speed trip set at .4.5 rev/sec (1.13 in/sec corresponds i to 4.52 rev/sec) and the transient rod scrammed. By looking at the historical data after the scram, it was determined that the transient rod drive withdrew to
- - end of travel but that the rod bottom switch was reversed (indicating that the -
, transient rod was_ fully in'serted) when the transient rod drive was at 2.92 inches.
- 2.92 inches corresponds to 43c transient rod worth. The actual position of the -
F transleni tod was (2.92_ in-scram time (sec) X 1.13 in/sec), somewhat less than '
43c, probably =25c. The rate of i 2ctivity insertion was no grerter than 17e/sec.
{ . .
An event evaluation procedure (AP-4) was completed. The 'AP-4 requires
- the evaluator to notify the ' appropriate _ personnel, investigate the event, _
i determine the cause and obtain the required _ approvals before starting the
! reactor. After the cause of the event was determined, the AP-13 was completed i- and V&V'ed. It'was considered more appropriate to close out the APr13 than to leave it in some intermediate condition or return to the previous condition. The j_ tuning parameter changes were made with the scram bus de-energized to
- ensure that the reactivity insertion would not be repeated.
Analysis:
i l The reactor safety and automatic shutdown was completely operational ~
i -during the entire event.
l_ Even though the re. actor was shutdown (2.$5.40 subcritical) during the
- entire event (shutdown by the Technical Specification definition) it was an
- enanticipated reactivity change of _43c, r
l With a variation in the keyboarci error, such as entering 5;1.1 in/.sec as the-lower limit (4.4 rev/sec), the ove_r speed scram would not have occurred. Since-
- j. the reactor was 2 $5.85 subcritical and the tott.i worth of the transient rod is
- , $3.08 no 'other scrams would have occurredc It would have been an inadvertent
[ - reactivity change of 2 $1.00, However, the reactor would have remained
[- - shutdown (> $2.70 subcritical). -
L l LThe use of the AP-13 procedure _in its present form for software tuning l - changes was based on the assumption that post change V&V was sufficient for-
~
i: simple changes.-More extensive software changes were performed with an
- additional approved written procedure. All software tuning changes are recorded in the AP-13 and in a softwarofchange log; A procedure that asks -
guiding questions may be helpfulin determining the_ appropriate process and s V&V. Unfortunately, prior to this event no one on the staff may have anticipated l the appropriate guiding questions to ask for this particular case.
l l 5 Oct 1992 event 10/9/92 3 l
. . . - . - - . . . . - - _ . . . . - . ..- . . ~ . . - - . - . , . -. - . . . . _ . - . - . - . . - - . -
,J- ,
Thero was a failure to realize that the process or sequence of en i software tuning changw .4ay be important to consider in the approve and V&V ii, of a change. t There also was a failure to realize that if the consequences of each '
L intermed_iate step in a ~given change are not fully understood the system must be i rendered incapable of changing the state of the reactor (such as de-energizing j the scram bus). If a scram had been ac+'ve prior to the change, the movement of i the transient rod drive without the attached rod would have'been of no consequence.
The characteristics of the LIM ' block that allows it to alter the typed Input to 1
" acceptable" values without rejection of the derming proces.s or a warning was
!. not fully understood by the staff. Other software blocks in Protrol m reject ,
- irrational parameter changes and issue a warning message, if that had been.-
- true for the LlM block or its peculiarities more fully understood, the event may
{ not have occurred.
- The event was not cause by software or hardware error or failure. The
- ' system performed as designed.
l This event occuned because of a combination of (1) operator errors;and i
(2) procedural controls that did not adequately aid the staff in the analysis and ~
l approval of a software tuning chanoo;
- Immediate Corrective Action
4 l' The Director of the facility was notified and he gave approval for the;
! startup of the reactor on October 6,1992.-The Director called Alexander Adams
- -of the Nuclear Regulatory Commission and described the event to him. Until; further notice the Director has placed a ' moratorium on tuning parameter .
changes. The event was described and explained to the licensed operators in a -
staff meeting on October 8,1992. On October 6,.1992 the event was described' to the Penn State Reactor Safeguards Committee at ; previously scheduled h meeting. They determined that the staff had acted correctly and they wished to be informed of further developments a:.d tne final resolution. The staff is in the process of determi_ning the long term corrective action.
Gilbert Raiskums of AECL, Mississauga, Ontario was informed of the .
L event by telephone and FAX on October 6,1'.92.-
~
i
,1 l
L l 5 Oct 1992 e' vent 10/9/92 4. '
_ - - . . - . - - . - . _ . - . . . - . . . . - . - . . . . - . - . - . -