ML20128N394

Preliminary Case Study Rept on Loss of Safety Sys Function Events
Person / Time
Issue date: 07/31/1985
From: Trager E
NRC OFFICE FOR ANALYSIS & EVALUATION OF OPERATIONAL DATA (AEOD)
To:
Shared Package
ML20128N375 List:
References
NUDOCS 8507260198


Text

Preliminary Case Study Report on Loss of Safety System Function Events

by the Office for Analysis and Evaluation of Operational Data

July 1985

Prepared by:

E. A. Trager, Jr.

Note:

This report documents the preliminary results of an ongoing study by the Office for Analysis and Evaluation of Operational Data with regard to selected operating events. This report is issued for review and comment as part of the "peer review" process used for AEOD case studies. Since the study is ongoing, the content, findings, and recommendations are preliminary and may not represent the final position of AEOD, the responsible program office or the Nuclear Regulatory Commission.

Table of Contents

Executive Summary

1.0 Introduction

2.0 Discussion

2.1 Events Involving a Loss of Safety System Function

2.2 Human Factors Considerations in LSSF Events

2.2.1 Categorization of Events Involving Human Factors Considerations

2.2.2 Other Characteristics of LSSF Events Involving Human Factors Considerations

3.0 Findings and Conclusions

4.0 Recommendations

5.0 References

Appendix A

Appendix B

Appendix C

Executive Summary


The study discusses events resulting in a total loss of safety system function.

Although the study identifies 133 losses of safety system function (LSSF) in the 1981 to June 1984 time period, the major focus of the analysis is on 87 events (65% of the total) that were the result of human factors considerations, e.g., personnel errors. The objectives of the study were to determine the frequency of this type of event, whether or not these events are occurring more at one plant than another, and the causes of such events.

The study found that between 1981 and June 1984 no significant trends were observed in the rate of occurrence of LSSF events. However, this indicates that improvement is not being made, on an industry-wide basis, in preventing loss of safety system events.

Variation in the rate of occurrence was observed to be the result of variation among a small number of individual plants rather than differences in NSSS type or plant age (with the exception of the first year). With few exceptions, the events were non-repetitive. About one-half of the PWR events involved the RHR system (shutdown cooling mode) or the containment spray system while BWR events most frequently involved the HPCI, RCIC or RHR systems.

The majority of the loss of safety system function events (87 out of 133 events) were the result of human factors considerations, i.e., they were not attributed solely to equipment failure. However, only 38% of the events were the result of "personnel error," i.e., 62% of the events were the result of conditions outside of the control of the worker. This indicated that although training, qualifications and motivation are important, improvements in the areas of management and administrative control, procedures and planning could have a significant impact on reducing the number of LSSF events.

The report makes a number of recommendations based on the results of the study. The recommendations include:

IE feed back the results of this study to industry;

NRR review training and qualification programs to ensure that adequate attention is paid to the programs for personnel other than licensed operators;

AEOD perform further technical evaluations of three particular types of LSSF events;

AEOD monitor the quality of human factors data in LERs to ensure licensees are meeting the intent of 10CFR50.73 requirements regarding completeness;

AEOD collect and evaluate LSSF event data on a continuing basis.

1.0 INTRODUCTION

In response to a request by NRR, AEOD prepared and issued a special study report entitled, "Human Error in Events involving Wrong Unit or Wrong Train," AEOD/S401 (Ref. 1). The report concerned 27 events involving loss of safety system function that resulted because an action was performed on the wrong reactor unit (seven events) or the wrong train (20 events) and the error was not immediately detected. The report observed that these errors were most frequently the result of errors in procedures or deficiencies in unit/train/component identification or labeling.

During the course of that study of events, a number of the events were noted that did not fall into the wrong unit/wrong train categories, but that involved a loss of function of a safety system. As a result, AEOD undertook a study of total loss of safety system function (LSSF) events to: (1) identify all such recent events that appeared to involve a loss of safety system function, and (2) determine the extent to which human factors contributed to the events.

Systems included in this study were those subject to technical specification reporting requirements (i.e., were reported by LER). This study included only those events that involved an actual total loss of system function.

Events were excluded where the condition was anticipated or readily recognized and the system was immediately recovered, or where there was an apparent loss of function because of administrative procedures (e.g., a system was "declared inoperable" because a required surveillance had not been completed, but the system was then shown to be operable).

The purpose of this study was to characterize recent LSSF events and to:

Determine the frequency/rate of occurrence and compare event totals on an annual basis.

Determine if there is a significant variation among reactor vendors.

Determine the reported event duration (length of time the system was not available) and possible contributing factors (factors that may have influenced the duration).

Determine if there is a correlation between numbers of events and plant age.

Identify plants at which events appear to be occurring more frequently than at others, and attempt to determine why.

Describe the method of discovery to determine the most effective methods to identify unavailable or degraded safety systems, and to ensure quick recovery in the event of a loss.

Analyze event causes with particular focus on human factors considerations.

Identify any additional event characteristics, such as particular groups of personnel or types of activities that are more frequently associated with event occurrence.

The Sequence Coding and Search System (SCSS) data base was the primary source for events that involved a total loss of system function.

In addition, as a check on completeness, a review was made of the following additional sources:

Report to Congress on Abnormal Occurrences (NUREG-0090 series reports)

ORNL, Precursors to Potential Severe Core Damage Accidents: 1980-1981 (NUREG/CR-3591), July 1984.

NSAC/52, Residual Heat Removal Experience Review and Safety Analysis, January 1983.

This study covers the period from January 1981 through June 1984. During this period a total of 133 LSSF events (81 PWR and 52 BWR) were identified.

The nature and characteristics of these events are discussed in Section 2, with particular emphasis on human factors considerations. Section 3 includes the findings and conclusions from this study, and the recommendations are contained in Section 4.

Appendix A contains a listing of the LSSF events, Appendix B contains a summary of details of these events, and Appendix C contains descriptions of these events.

Other AEOD technical studies will continue to focus on events involving specific systems, such as failure of the residual heat removal system.

2.0 DISCUSSION

Of the events reported to the NRC from 1981 through June 1984, 133 involved a total loss of safety system function (LSSF). Table 1 lists the numbers of LSSF events by year. The totals for January through June 1984 may not be directly comparable with the totals for earlier years because the LER reporting requirements changed on January 1, 1984, when 10CFR50.73 became effective.

2.1 Events Involving a Loss of Safety System Function

Frequency/Rate of Occurrence

During the three and one-half year period covered by the study, 133 LSSF events occurred. As shown in Table 1, the frequency of occurrence averaged about three events per month, and was relatively constant, ranging from 2.6 events per month in 1982 to 4.2 events per month in the first six months in 1984.

A total of 81 events was reported for PWRs and 52 for BWRs. Thus, the frequency of occurrence per reactor was comparable for the two reactor types (0.48 for PWRs and 0.60 for BWRs) considering the numbers of each type in operation.

On a per plant basis, the occurrence rate for PWRs has been relatively constant (about 0.5), while the rate for BWRs has shown considerable variation; for example, the BWR rate in 1984 (0.97) is three times that in 1982 (0.31). As will be further discussed below, much of the observed variation may be due to the performance of a relatively small number of plants. Overall, the frequency of occurrence of LSSF events has been relatively constant and no significant trends can be seen with regard to reactor type or frequency of occurrence.

However, the data show no major or clear evidence that there has been any real improvement on an industry-wide basis with regard to preventing losses of safety system function in recent years.

TABLE 1 Frequency of LSSF Events

| | 1981 | 1982 | 1983 | Jan-June 1984 | Total | Average |
|---|---|---|---|---|---|---|
| Total PWR Events | 21 | 23 | 26 | 11 | 81 | |
| Number of Reactors* | 46 | 48 | 51 | 51 | | |
| Events/PWR | 0.47 | 0.48 | 0.51 | 0.43** | | 0.48 |
| Total BWR Events | 16 | 8 | 16 | 14 | 52 | |
| Number of Reactors* | 23 | 26 | 26 | 29 | | |
| Events/BWR | 0.70 | 0.31 | 0.62 | 0.97** | | 0.60 |
| Total Events (BWR and PWR) | 37 | 31 | 42 | 25 | 133 | |
| Events/Month | 3.1 | 2.6 | 3.5 | 4.2 | | 3.2 |
| Number of Reactors (BWR and PWR)* | 69 | 74 | 77 | 80 | | |
| Events/Reactor Year | 0.54 | 0.42 | 0.55 | 0.63 | | 0.51 |

\* Number of plants that had achieved initial criticality.

\*\* Assuming a constant frequency for the entire year.

Variation Among Reactor Vendors

Table 2 shows variation among reactor vendors and among the different models of Westinghouse PWR. The Westinghouse (W) three-loop plants and the General Electric (GE) plants reported an average number of LSSF events. The W two-loop plants and Babcock and Wilcox (B&W) plants (two-loop) reported fewer and W four-loop plants and Combustion Engineering (CE) plants reported more LSSF events than the average.

In fact, the rate for W two-loop plants was one-quarter of the rate for the four-loop plants. However, the rate is strongly influenced by plants with multiple events. For example, the apparent high rate for four-loop W plants is influenced by 13 events at McGuire 1 and 2, and the apparent high rate for CE plants reflects ten events at Calvert Cliffs 1 and 2 (see Table 3 and Appendix A). Without the events at McGuire and Calvert Cliffs the W four-loop plants have a rate of 1.5 events/plant and CE plants have a rate of about 1.3, and the overall industry rate drops to about 1.4.

Therefore, with the exception of certain outliers (e.g., McGuire and Calvert Cliffs) W three-loop and four-loop, and CE and GE plants had an occurrence rate of from about 1.3 to 1.8 events/plant. The rate for W two-loop plants was about 0.5 event/plant and the rate for B&W plants was about 0.9.

TABLE 2 Frequency of LSSF Events by NSSS Vendor (Plant Type / Number of Loops*)

| Year | W 2-loop | W 3-loop | W 4-loop | CE | B&W | GE | Total |
|---|---|---|---|---|---|---|---|
| 1981 | 1 | 6 | 6 | 6 | 2 | 16 | 37 |
| 1982 | 2 | 6 | 8 | 6 | 1 | 8 | 31 |
| 1983 | 0 | 5 | 12 | 7 | 2 | 14 | 40 |
| 1984 (Jan-June) | 0 | 0 | 7 | 3 | 1 | 14 | 25 |
| Total | 3 | 17 | 33 | 22 | 6 | 52 | 133 |
| Total Operating During 1984 | 6 | 12 | 15 | 11 | 7 | 29 | 80 |
| Events/1984 Population | 0.5 | 1.4 | 2.2 | 2.0 | 0.9 | 1.8 | 1.7 |

\* PWR NSSS vendors Combustion Engineering (CE) and Babcock and Wilcox (B&W) have plants with two primary loops while Westinghouse (W) plants have two, three, or four loops. General Electric (GE) plants are direct cycle BWR and have no primary "loops".

Thus, the only significant variation noted in terms of reactor vendor was a substantially lower rate of losses for the W two-loop plants and to a lesser extent for B&W plants. However, the reason for these lower rates could not be definitely determined.

Systems Involved

Tables 3 and 4 give a count of the total numbers of LSSF events and the systems lost by plant for PWRs and BWRs, respectively. Table 3 shows that the system most frequently involved at PWRs was the residual heat removal (RHR) system (31 events). Some other systems affected include the containment spray system (CSS) (11 events), the chemical and volume control system (CVCS) (eight), emergency core cooling systems (ECCS) (six), diesel generators (DGs) (five), and the auxiliary feedwater system (AFW) (four). Table 4 data show that LSSF events at BWRs most frequently involved the high pressure coolant injection (HPCI) system (21 times), reactor core isolation cooling (RCIC) system (nine times), and the residual heat removal (RHR) system (eight times).

Most of the LSSF events at PWRs were nonrepetitive events, even at reactors where there were two or more LSSF events. Exceptions to this observation include multiple RHR events at Calvert Cliffs 2 (six out of seven events), North Anna 2 (three out of four), McGuire 1 (three out of nine), McGuire 2 (three out of four), Salem 2 (three out of three), Trojan (two out of six), and Millstone 2 (two out of three). McGuire 1 also lost the CVCS twice, and Trojan lost the AFW twice. Crystal River had three LSSF events involving the auxiliary building exhaust system.

The data of Table 4 lead to a similar assessment of system losses at BWRs. Most of the events are nonrepetitive. Exceptions include HPCI system losses at Dresden 2 (four out of four events), Hatch 1 (two of four), Duane Arnold (three of four), Peach Bottom 3 (two of three), Fitzpatrick (two of three), and Browns Ferry 2 (two of two).

Multiple RCIC system losses occurred at Brunswick 1 (two out of five events) and Hatch 2 (two of three). Grand Gulf lost the RHR system four times (out of five events). Big Rock Point lost the reactor depressurization system (RDS) twice (out of two events).

That only a few PWRs experienced multiple LSSF events involving the same system over the 3 1/2-year period of the study appears to indicate that for the most part, losses of safety systems are random events. However, the multiple loss of RHR events at certain plants is evidence of a generic problem with the RHR system hardware or associated factors, such as design, procedures, maintenance, training or management.

Several BWRs experienced multiple losses of the HPCI system. The four HPCI failures at Dresden 2 resulted from different causes and give no reason to believe a specific problem exists. The three Duane Arnold HPCI failures were the result of unrelated equipment failures. The remaining multiple HPCI failures also appear to be unrelated. The four RHR losses at Grand Gulf 1 do not appear to indicate a specific problem but do show the vulnerability of the RHR. Multiple losses of safety systems at BWRs do not clearly point to any generic problem.

Safety systems are generally protected against single failure by incorporating redundancy and diversity. Therefore, events involving total loss of safety system function (LSSF) may be particularly significant from a safety standpoint.

However, not all LSSF events are equally significant. For example, a safety system may become momentarily unavailable, but is readily returned to service or an alternate system(s) is available to perform the same function.

TABLE 3 Systems Involved in LSSF Events at PWRs

| Plant | Docket # | Total Events | Entries under RHR / SP / CVCS / ECCS / DG / AFW / CCW / RPS / LTOP / Misc. |
|---|---|---|---|
| McGuire 1 | 50-369 | 9 | 3, 1, 2, 1, 2(RB/HVAC, ESFAS) |
| Calvert Cliffs 2 | 50-318 | 7 | 6, 1 |
| Trojan | 50-344 | 6 | 2, 1, 1, 2 |
| North Anna 1 | 50-339 | 4 | 3, 1 |
| McGuire 2 | 50-370 | 4 | 3, 1 |
| Salem 1 | 50-272 | 3 | 1, 1, 1 |
| Crystal River 3 | 50-302 | 3 | 3(ABES) |
| Salem 2 | 311 | 3 | 3 |
| Calvert Cliffs 1 | 50-317 | 3 | 1, 1, 1 |
| Sequoyah 1 | 50-327 | 3 | 1, 1, 1(ABGTS) |
| Millstone 2 | 50-336 | 3 | 2, 1 |
| North Anna 2 | 50-338 | 3 | 2, 1 |
| San Onofre 1 | 50-206 | 2 | 1, 1* |
| Turkey Pt. 3 | 50-250 | 2 | 1, 1 |
| Turkey Pt. 4 | 50-251 | 2 | 1, 1 |
| Palisades | 50-255 | 2 | 1, 1** |
| Oconee 1 | 50-269 | 2 | 1, 1*** |
| Kewaunee | 50-305 | 2 | 1, 1 |
| D.C. Cook 2 | 50-316 | 2 | 1, 1 |
| St. Lucie 1 | 50-335 | 2 | 1, 1 |
| San Onofre 3 | 50-362 | 2 | 1, 1 |
| Indian Pt. 2 | 50-247 | 1 | 1 |
| Robinson 2 | 50-261 | 1 | 1 |
| Oconee 2 | 50-270 | 1 | 1 |
| Prairie Island 1 | 50-282 | 1 | 1 |
| Ft. Calhoun 1 | 50-285 | 1 | 1 |
| Zion 2 | 50-304 | 1 | 1 |
| Maine Yankee | 50-309 | 1 | 1 |
| D.C. Cook 1 | 50-315 | 1 | 1 |
| Beaver Valley 1 | 50-334 | 1 | 1 |
| Farley 1 | 50-348 | 1 | 1 |
| San Onofre 2 | 50-361 | 1 | 1 |
| Farley 2 | 50-364 | 1 | 1 |
| Total | | 81 | 31, 11, 8, 6, 5, 4, 3, 2, 2, 9 |

\* Waste gas

\*\* 125V dc batteries

\*\*\* Containment

Note PWR Systems:

RHR - Residual/Decay Heat Removal/Shutdown Cooling

SP - Containment Spray

CVCS - Chemical and Volume Control System

ECCS - Emergency Core Cooling

DG - Diesel Generators

AFW - Auxiliary Feedwater

ABES - Auxiliary Building Exhaust System

CCW - Component Cooling Water

RPS - Reactor Protection System/Solid State Protection System (RPS/SSPS)

LTOP - Low Temperature Overpressurization Protection

RB/HVAC - Reactor Building HVAC

ABGTS - Auxiliary Building Gas Treatment System

TABLE 4 Systems Involved in LSSF Events at BWRs

| Plant | Docket # | Total Events | Entries under HPCI / RCIC / RHR / CONT / DG / SBGT / MISC |
|---|---|---|---|
| Brunswick 1 | 50-325 | 5 | 1, 2, 1, 1(CBEAF) |
| Grand Gulf 1 | 50-416 | 5 | 1, 4 |
| Dresden 2 | 50-237 | 4 | 4 |
| Hatch 1 | 50-321 | 4 | 2, 1, 1 |
| Arnold | 50-331 | 4 | 3, 1 |
| Peach Bottom 3 | 50-278 | 3 | 2, 1 |
| Pilgrim 1 | 50-293 | 3 | 1, 1, 1 |
| Fitzpatrick | 50-338 | 3 | 2, 1 |
| Hatch 2 | 50-366 | 3 | 2, 1 |
| Susquehanna 1 | 50-387 | 3 | 1, 1, 1 |
| Big Rock Pt. | 50-155 | 2 | 2(RDS) |
| Quad Cities 1 | 50-254 | 2 | 1, 1 |
| Browns Ferry 2 | 50-260 | 2 | 2 |
| Cooper | 50-298 | 2 | 1, 1 |
| Brunswick 2 | 59-324 | 2 | 1, 1 |
| Oyster Creek | 50-219 | 1 | 1(CRD pumps) |
| Nine Mile Pt. 1 | 50-220 | 1 | 1(Emer. Condensers) |
| Dresden 3 | 50-249 | 1 | 1 |
| Peach Bottom 2 | 50-277 | 1 | 1 |
| Browns Ferry 3 | 50-296 | 1 | 1 |
| Total | | 52 | 21, 9, 8, 4, 3, 2, 5 |

Note BWR Systems:

HPCI - High Pressure Coolant Injection

RHR - Residual Heat Removal

RCIC - Reactor Core Isolation Cooling

Cont. - Containment (Primary/Secondary)

DG - Diesel Generators

ADS - Automatic Depressurization System (ADS/RDS)

SBGT - Standby Gas Treatment

CBEAF - Control Building Emergency Air Filtration

RDS - Reactor Depressurization System

It is important to consider the relative significance of events, so that numbers of events alone are not permitted to unduly influence the evaluation of the overall statistics. One type of PWR event that may be relatively significant is loss of the PWR decay heat removal system while the reactor is shut down.

This type of event comprises a large fraction of PWR events and has been analyzed separately (a specific AEOD case study is being prepared on this subject). Because the residual heat removal system (in the shutdown cooling mode) is a low pressure system, it is designed to isolate from the reactor coolant system (RCS) on an indication of high RCS pressure. Although the RHR system has two trains at most U.S. PWRs, both trains can be made inoperable by closure of a single isolation valve (the trains share a common suction line). As a result of this design, the shutdown cooling system is subject to single failure. However, the significance of the failure depends on the decay heat load. Certain loss of RHR system events may be highly significant.

(As noted previously, the number of losses of PWR RHR systems and their potential significance is the subject of a separate AEOD case study that is currently in preparation.)

The total number of losses of the HPCI and RCIC systems at BWRs must also be put in perspective. They are both single train systems and thus subject to single failure. However, HPCI is backed up by RCIC for small breaks and by the automatic depressurization and the low pressure coolant injection and core spray systems (ADS and LPCI and LPCS) for medium and large breaks. Consequently, the safety of the plant can be maintained during a loss of HPCI if the other systems remain operable.

In fact, technical specifications usually allow continued plant operation for seven days while HPCI is unavailable if the other systems are operable (the plant must be shut down within 24 hours if one of the other systems is not operable). HPCI is the primary high pressure, high capacity means of replenishing RCS inventory, although RCIC provides an additional high pressure, low capacity source.

Event Duration

Tables 5 and 6 list the duration of the reported events (i.e., the length of time the off-normal condition existed) for PWRs and BWRs, respectively.

The data indicate about 85% of the PWR events were concluded within eight hours. For BWR events for which duration was reported, about 65% were concluded in eight hours.

As can be seen from Table 5, PWR loss of RHR events accounted for most of the events that lasted less than one hour. The majority of the PWR events lasting 24 hours or more involved the containment spray system (five events).

Three other events lasted 24 hours or more. One involved the unavailability of the auxiliary feedwater system at Turkey Point 3 for five days. The second event involved blocking of automatic safety injection signals for 43 hours at Trojan, which would have prevented automatic actuation of emergency core cooling during that period, and the third event involved an improperly set reactor building pressure switch that was not detected for eight months at Oconee 1.

Five of the eight events that lasted more than 24 hours were determined to be abnormal occurrences.

Of the events at BWRs for which the duration was reported, four lasted 24 hours or more. In the first event the RCIC was unavailable for up to four days at Hatch 2. In the second event primary containment integrity at Peach Bottom 2 was not established during reactor operation for about 80 hours because a test connection was not reisolated after a calibration.

TABLE 5 Duration of Events for PWR Systems

| Duration | Entries under RHR / SP / CVCS / ECCS / DG / AFW / ABES / CCW / RPS / LTOP / Misc. | Total |
|---|---|---|
| t < 1 minute | 0 | 0 |
| 1 min ≤ t < 10 minutes | 8, 1, 1, 1, 1 | 12 |
| 10 mins ≤ t < 1 hour | 17, 4, 1, 2, 2, 1, 2, 1, 2* | 32 |
| 1 hour ≤ t < 8 hours | 1, 3, 2, 1, 1, 1** | 9 |
| 8 hours ≤ t < 24 hours | 1, 2, 1, 1(ABGTS) | 5 |
| 24 hours ≤ t < 1 month | 2, 1, 1 | 4 |
| 1 month < t < 3 months | 1, 1*** | 1 |
| 3 months < t | 2 | 2 |
| Not Reported | 4, 1, 4, 1, 1, 1, 2, 1(ESFAS) | 16 |
| Total | 31, 11, 8, 6, 5, 4, 3, 3, 2, 2, 6 | 81 |

\* Waste gas, RBHVAC

\*\* 125V dc batteries

\*\*\* Containment

Note PWR Systems:

RHR - Residual Heat Removal

SP - Containment Spray

CVCS - Chemical and Volume Control System

ECCS - Emergency Core Cooling

DG - Diesel Generators

AFW - Auxiliary Feedwater

ABES - Auxiliary Building Exhaust System

CCW - Component Cooling Water

RPS - Reactor Protection System/Solid State Protection System (RPS/SSPS)

LTOP - Low Temperature Overpressurization Protection

TABLE 6 Duration of Events for BWR Systems

| Duration | Entries under HPCI / RCIC / RHR / CONT / DG / SBGT / Misc. | Total |
|---|---|---|
| t < 1 minute | 0 | 0 |
| 1 min ≤ t < 10 minutes | 0, 1 | 1 |
| 10 mins ≤ t < 1 hour | 2, 1, 1, 1, 1* | 6 |
| 1 hour ≤ t < 8 hours | 3, 2, 4, 2, 1, 1** | 13 |
| 8 hours < t < 24 hours | 4, 1, 1, 1*** | 7 |
| 24 hours ≤ t < 1 month | 1, 1, 1, 1 | 4 |
| 1 month ≤ t < 3 months | 0 | 0 |
| 3 months ≤ t | 0 | 0 |
| Not Reported | 11, 4, 2, 1, 1, 2(ADS) | 21 |
| Total | 21, 9, 8, 4, 3, 2, 5 | 52 |

\* Emergency condensers

\*\* CRD pumps

\*\*\* CBEAF

Note BWR Systems:

HPCI - High Pressure Coolant Injection

RCIC - Reactor Core Isolation Cooling

RHR - Residual Heat Removal

Cont. - Containment (Primary/Secondary)

DG - Diesel Generators

ADS - Automatic Depressurization System (ADS/RDS)

SBGT - Standby Gas Treatment

In the third event, overpressurization of the HPCI turbine suction piping at Pilgrim 1 because of personnel errors during testing resulted in the unavailability of that system for three days.

In the fourth event, both trains of the standby gas treatment system at Susquehanna 1 were unintentionally blocked for a period of 25 hours. None of these BWR events were determined to be abnormal occurrences.

Effect of Plant Age

Table 7 lists the time from initial plant criticality to occurrence of the LSSF event. As indicated in the table, the frequency of occurrence was the highest during the first year following initial criticality, then dropped significantly and remained low for a few years. Starting in the fourth to fifth year of operation, until about the tenth year of operation, there was a relatively high rate of occurrence. The numbers of events have been normalized by the number of years of plant operation to account for opportunities for error. The normalized data are also given in Table 7.

Normalization of the data removes some of the variation from the PWR data, but has little effect on the BWR data. Plant age appears to have no significant influence on the frequency of LSSF events. The Table 7 data are plotted in Figures 1 and 2.

Because of the large number of loss of PWR shutdown cooling system events, Table 7a has been included, and these data are plotted in Figure 3.

One observation that could be drawn from Figure 3 is that loss of RHR system events were not reported at plants more than ten or 11 years following initial criticality, i.e., at plants with technical specifications dating from around 1973 or earlier.

TABLE 7 Plant Age When Events Occurred

| Years Since Initial Criticality | Number of Events: Total | Number of Events: PWR | Number of Events: BWR | Frequency of Events* (Number of Events/Plant-Year): Total | Frequency: PWR | Frequency: BWR |
|---|---|---|---|---|---|---|
| 0-1 | 19 | 15 | 4 | 1.4 | 1.6 | 1.0 |
| 1 | 6 | 2 | 4 | 0.6 | 0.3 | 1.3 |
| 2 | 4 | 4 | 0 | 0.6 | 0.6 | 0 |
| 3 | 6 | 5 | 1 | 0.6 | 0.7 | 0.8 |
| 4 | 9 | 4 | 5 | 0.8 | 0.4 | 2.0 |
| 5 | 9 | 9 | 0 | 0.6 | 0.8 | 0 |
| 6 | 16 | 12 | 4 | 0.7 | 0.8 | 0.7 |
| 7 | 11 | 6 | 5 | 0.4 | 0.3 | 0.5 |
| 8 | 15 | 11 | 4 | 0.5 | 0.5 | 0.4 |
| 9 | 13 | 3 | 10 | 0.4 | 0.2 | 0.8 |
| 10 | 11 | 6 | 6 | 0.5 | 0.4 | 0.6 |
| 11 | 6 | 1 | 4 | 0.3 | 0.1 | 0.4 |
| 12 | 4 | 1 | 3 | 0.3 | 0.3 | 0.4 |
| 13 | 1 | 0 | 1 | 0.3 | 0 | 0.2 |
| 14 | 2 | 2 | 0 | 0.5 | 0.8 | 0 |
| >14 | 2 | 0 | 2 | 0.2 | 0 | 0.6 |
| Total | 133 | 81 | 52 | | | |

\* The number of events was normalized by dividing the number of events by the number of plant years of operation between 1981 and June 1984 for plants that had operated for a specific number of years since initial criticality.

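TABLE 7a Plant Age When LSSF Events Occurred: Influence of RHR Events

| Years Since Initial Criticality | Number of Events: PWR | Number of Events: BWR | Number of RHR Events: PWR | Number of RHR Events: BWR | Number of Non-RHR Events: PWR | Number of Non-RHR Events: BWR |
|---|---|---|---|---|---|---|
| 0-1 | 15 | 4 | 5 | 1 | 10 | 3 |
| 1 | 2 | 4 | 1 | 3 | 1 | 1 |
| 2 | 4 | 0 | 2 | 0 | 2 | 0 |
| 3 | 5 | 1 | 4 | 0 | 1 | 1 |
| 4 | 4 | 5 | 0 | 1 | 4 | 4 |
| 5 | 9 | 0 | 4 | 0 | 5 | 0 |
| 6 | 12 | 4 | 9 | 0 | 3 | 4 |
| 7 | 6 | 5 | 1 | 1 | 6 | 4 |
| 8 | 11 | 4 | 3 | 1 | 8 | 3 |
| 9 | 3 | 10 | 1 | 1 | 2 | 9 |
| 10 | 6 | 5 | 1 | 0 | 5 | 5 |
| 11 | 1 | 4 | 0 | 0 | 1 | 4 |
| 12 | 1 | 3 | 0 | 0 | 1 | 3 |
| 13 | 0 | 1 | 0 | 0 | 0 | 1 |
| 14 | 2 | 0 | 0 | 0 | 2 | 0 |
| >14 | 0 | 2 | 0 | 0 | 0 | 2 |
| Total | 81 | 52 | 31 | 8 | 50 | 44 |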

FIGURE 1 Annual Number of LSSF Events as a Function of Reactor Age. (Plot of PWR and BWR curves against years since initial criticality.)

FIGURE 2 Frequency of LSSF Events as a Function of Reactor Age. (Plot of BWR and PWR curves against years since initial criticality.)

FIGURE 3 Frequency of Non-RHR and RHR LSSF Events as a Function of Plant Age. (Plot of RHR events and non-RHR events curves against years since initial criticality.)

Plants with Multiple Events

In the previous discussion of systems involved in LSSF events it was shown that these events have occurred more frequently at some plants than at others.

Tables 8 and 9 list plants (PWRs and BWRs, respectively) that had three or more events during the time period of the study. As can be seen from Table 8, 12 PWR plants accounted for 51 of the 81 total PWR LSSF events; the other 30 PWR events occurred at 21 plants.

Table 9 shows that ten BWR plants accounted for 37 of the 52 total BWR LSSF events; the other 15 BWR events occurred at ten plants. A review of the event characteristics indicates the following:

Twenty-seven of the 51 PWR events at the 12 plants with three or more events involved loss of the RHR system (in shutdown cooling mode). In fact, six plants had three or more loss of RHR events. This type of event comprised over 50% of the multiple events.

Thirty-two of the 37 BWR events (at the ten plants with three or more events) involved losses of HPCI, RCIC, or shutdown cooling.

Many of the multiple events occurred at plants with little operating experience*. (The specific plants will be identified in the following discussion.)

\* This is in agreement with the observation in NUREG/CR-3673, "Economic Risks of Nuclear Power Accidents," that reactors are more prone to forced outage events in the first years of plant operation. In fact, the authors wrote:

"This behavior is important because it indicates that economic risk from forced outage events and transient-induced core-melt accident risks are not constant over the life of [light-water reactor] plants. Risk management programs in the U.S. LWR industry should direct special attention to plants in the first few years of commercial operation."

TABLE 8
PWRs With Three or More LSSF Events

                    NSSS/                 Number
Reactor             Loops       Number    RHR
McGuire 1           W/4         9*        3
Calvert Cliffs 2    C-E         7         6
Trojan              W/4         6         2
North Anna 1        W/3         4         3
McGuire 2           W/4         4**       3
Calvert Cliffs 1    C-E         3         1
Crystal River 3     B&W         3***      0
Millstone 2         C-E         3         2
Salem 1             W/4         3         0
Salem 2             W/4         3         3
Sequoyah 1          W/4         3         1
North Anna 2        W/3         3         2
Total                           51        27

* Eight of nine within two years of initial criticality.
** All within two years of initial criticality.
*** All auxiliary building exhaust system.

TABLE 9
BWRs With Three or More LSSF Events

                    Total Number    RHR       HPCI/RCIC
Reactor             of Events       Events    Events
Brunswick 1         5               1         3
Grand Gulf 1        5*              4         1
Dresden 2           4               0         4
Hatch 1             4               0         3
Arnold              4               0         4
Peach Bottom 3      3               0         2
Fitzpatrick         3               0         3
Hatch 2             3**             1         2
Pilgrim 1           3               1         2
Susquehanna 1       3*              0         1
Total               37                   32

* All within two years of initial criticality.
** All three in 1982.

The various LSSF events at reactors having more than three LSSF events over the period of the study were reviewed on a reactor-specific basis to determine whether there were any reasons for the high LSSF event frequency.

McGuire 1 - Of the nine events at McGuire 1, eight occurred within the first two years of operation following initial criticality.

Calvert Cliffs 2 - Of the seven events at this reactor, six were losses of the RHR, all occurring before 1984. Of these six, five were human factors-related and all were caused by interruptions to the electrical signal to the RHR return header valve. The five events were attributed to the following major specific causes:

- procedures (2)
- fuses (2)
- incorrect jumper location

The operating history for 1984 of Calvert Cliffs 2 has not shown any LSSF events.

Trojan - The six Trojan events involved four different systems: RHR, AFW, CVCS, and ECCS. All of the events were associated with human factors problems and five of the six were ascribed to licensed operators.

The number of LSSF events and the number of systems involved, and the fact that all involved human factors, may indicate a lack of attention to operations by management. AEOD is currently preparing an engineering evaluation of certain events that occurred at Trojan between May 4, 1984 and September 26, 1984.

North Anna 1 - Of the four LSSF events, three involved the RHR; two of these resulted from equipment failure.

McGuire 2 - All of the McGuire 2 events occurred in the first two years of operation.

Brunswick 1 - One HPCI and two RCIC failures accounted for three of the five events. The fourth involved a loss of shutdown cooling and the fifth the control building emergency air filtration (CBEAF) system.

Grand Gulf 1 - All of the five LSSF events at Grand Gulf 1 occurred within the first two years following initial criticality. Four involved loss of the RHR system and the fifth the HPCS system.

Dresden 2 - The four Dresden 2 LSSF events involved the HPCI system, and all occurred prior to 1983. Three of the events involved equipment failures, with none of the failures having much similarity to one another.

(In one, a pump burned out; in another, an amplifier board failed under test; in a third, actuation of a fire suppression system contaminated the HPCI oil system.) The Dresden 2 events do not appear to show a specific problem, but appear to be a statistical anomaly.

Hatch 1 - The two HPCI and one RCIC events were the result of unrelated equipment failures. The fourth event involved the diesel generator system.

Duane Arnold - The four events involved unrelated failures of the HPCI (three events) or RCIC (one event) systems.

In reviewing the LSSF history of the above ten reactors, the large number of events at all except Trojan can be ascribed to limited operating experience (McGuire 1, McGuire 2, Grand Gulf), RHR system problems (Calvert Cliffs 2, North Anna 1), or HPCI and RCIC system failures (Brunswick 1, Dresden 2, Hatch 1 and Duane Arnold). Only the Trojan data appear to point to a potential problem with the management of operations.

Method of Discovery

LERs generally contained little information on the method of discovery, that is, whether the event or off-normal condition was automatically alarmed, was the result of an inspection, or was just noted fortuitously.

It was anticipated prior to the study that by examining data on the length of time the system was not available, and the method of discovery, it might be possible to determine the most effective methods to identify unavailable or degraded safety systems, to avoid total system losses, and to ensure quick recovery in the event of a loss. However, this was not possible because LERs frequently included no explicit statement of how an event or off-normal condition was discovered. LERs prepared since January 1, 1984 should include information regarding the method of discovery, such as:

- Condition was automatically alarmed/annunciated.

- Instrumentation gave clear indication of specific equipment inoperability/malfunction.

- Operator observed indications of an off-normal condition (increasing/decreasing temperature, pressure, level, etc.).

- Personnel noted that a required action had not been taken or had been taken incorrectly.

Improved reporting of information on the method of discovery should provide insights into ways in which LSSF events can best be prevented or at least terminated. The LER rule (10 CFR 50.73), effective January 1, 1984, requires the reporting of such information, and close monitoring of LERs will be continued to verify the adequacy of reported information in this regard.

2.2 Human Factors Considerations in LSSF Events

LSSF events have occurred because of equipment failure or because of human factors considerations. In this study human factors were considered to have contributed to an event when deviation from required human performance was an apparent contributing factor.

Table 10 is a listing of the numbers of LSSF events that involved human factors. Of the 133 LSSF events that took place during the study period, the events were most frequently the result of human factors considerations (87 events; 65% of the total), i.e., they were not attributed solely to the failure of equipment. This section will focus on those events that involved human factors.

2.2.1 Categorization of Events Involving Human Factors Considerations

The 87 LSSF events that involved human factors were categorized by the type of deficiency that led to the event (Table 11). The categories are intended to point out broad areas that appear to be deficient. Because licensee event reports (LERs) usually provide little detailed information on human factors (e.g., "the event was the result of personnel error"), some interpretation of LER data was necessary to establish the probable cause of the error. For example: was the procedure or the planning defective, was the equipment poorly designed or labeled, was the operator inadequately qualified, or was there a combination of all of these factors?

Failure to Perform

Thirty-eight percent of events that involved human factors resulted from "personnel error", or failures by personnel to perform as required. These errors included incorrect actions (e.g., operated wrong control, opened wrong breaker, installed wrong equipment, installed equipment in wrong location, etc.), as well as failure to perform a required action (e.g., open valve, control pressure, install wiring correctly) or perform a procedure correctly (e.g., verify flow path, isolate test connection, follow up on an annunciator, etc.). The LERs generally did not give enough information to establish a specific root cause(s) for the "improper or inadvertent action," and it was not clear whether this was due to a lack of depth in the licensees' reports or in their investigations.

TABLE 10
Frequency of LSSF Events Involving Human Factors

                                                               Jan-June
                                             1981  1982  1983  1984      Total
PWR events involving HF considerations       14    17    22    11        64
PWR events involving no HF considerations    7     6     4     0         17
Total PWR events                             21    23    26    11        81
Number of reactors*                          46    48    51    51

BWR events involving HF considerations       7     2     7     7         23
BWR events involving no HF considerations    9     6     6     8         29
Total BWR events                             16    8     13    15        52
Number of reactors*                          23    26    26    29

Total events (BWR and PWR)                   37    31    39    26        133
Number of reactors (BWR and PWR)*            69    74    77    80

* Number of plants that had achieved initial criticality.

TABLE 11
Deficiency Type

Category                     PWR   BWR   Total   Percent
Failure to Perform           19    14    33      38
Management/Administration    17    5     22      25
Procedure, Defective         15    2     17      20
Systems Status/Planning      8     2     10      11
Design                       5     -     5       6
Total                        64    23    87      100

Key:

Personnel Error/Failure to Perform
    Failure to follow procedure or perform procedure correctly; complete all work.
    Misidentification

Management/Administration, Deficiencies in
    Verification
    Shift turnover
    Guidelines for verbal communication
    Identification/Labeling
    Control of contractor activities
    Control of procedures and procedure changes

Procedure, Defective
    Incomplete, incorrect, ambiguous, etc.

Systems Status/Planning
    Failure to be aware of system configuration/interaction/dependency. Includes:
    Channel/train removed from service to perform work, but (1) more than was intended was actually taken out; or (2) work was continued, disabling another train (operator intended to block one but took action that affected all).
    Loss of a service system of a redundant train results in loss (unavailability) of both.

Management/Administrative Control Systems

One-quarter of the LSSF events that involved human factors resulted from deficiencies in management or administrative control systems. The broad category included deficiencies in programs for control of personnel access, contractor work activities, procedures and procedure changes, design changes, and shift turnover. It also included deficiencies in programs for labeling and identification, verification of work, and coordination between operations and maintenance activities.

Defective Procedures

One-fifth of the events resulted because of defective procedures. The deficiencies included procedures that were imprecise, ambiguous, or incomplete.

Procedures were incomplete if they lacked a reasonable caution statement, failed to require necessary monitoring, or permitted an unacceptable condition to exist upon completion of a procedure (e.g., did not require to reopen, reset, recap, reisolate, etc.).

System Status/Planning

Approximately 10% of the events involving human factors were the result of a failure to be aware of the system configuration, system interactions, or system dependencies. This category included events in which a train was removed from service for maintenance while the redundant train was unknowingly disabled (e.g., service water to one train was stopped while the other train was out for maintenance).

It also included events in which action to isolate one train resulted in isolation of all trains.

Design

Five events involving human factors were losses of the RHR system that resulted because of system design deficiencies. System electrical design deficiencies resulted in two events at Calvert Cliffs (because of improperly sized fuses, load perturbations resulted in RHR return isolation valve closures) and one event at Millstone 2 (LPSI tripped due to non-RHR testing but annunciator did not make this known). The two remaining events, one each at North Anna 1 and 2, resulted from deficiencies in the primary level indication system during RHR operation (because of an ambiguous level indication, level dropped until RHR suction was lost).

When LSSF events involving human factors considerations were categorized by deficiency type, approximately two-thirds (62%) of the events were the result of factors that were outside of the control of the worker. Even in the events that involved a failure to perform, there were a number of instances where improved administrative or operating procedures might have reduced the probability of error. Although training, qualifications, and motivation are important, improvements in the areas of management and administrative control, procedures, and planning could have a significant impact in reducing LSSF events.

Reported corrective actions (or actions taken to prevent recurrence) consisted most frequently of procedure changes or personnel actions such as counseling or training. The relatively large number of cases in which procedure changes were made to prevent recurrence indicates that licensees considered that the existing procedures were not entirely adequate or satisfactory, if not necessarily defective.

2.2.2 Other Characteristics of LSSF Events Involving Human Factors Considerations

Table 12 lists the personnel who were reported to be responsible for the errors leading to LSSF events. Of the 87 errors involving human factors considerations, 17 were the result of defective procedures and no specific category of personnel was considered responsible for these errors. The remaining 70 were caused by personnel. Licensed operators, non-licensed operators and other personnel (technicians and maintenance personnel) appeared to be responsible for roughly equal numbers of the errors (23, 23, and 16, respectively).

TABLE 12
Personnel Responsible for Errors

Personnel                  Frequency
Licensed Operators         23
Non-Licensed Operators     23
Technician, I&C            9
Maintenance                7
Construction/Contractor    7
Unknown                    1
Total                      70

It is sometimes difficult to determine whether the cause of an operator error is idiosyncratic (operator-determined; e.g., aptitude and motivation) or situational (produced by system inadequacies such as inadequate or unrealistic procedures). For example, the shift supervisor has been considered to be fully responsible when one train of a system (e.g., containment spray) is out of service and the other train is inadvertently removed from service because of an unrecognized system dependence (e.g., the service water system needed for cooling the other train is removed).

Because the shift supervisor is apparently well trained and under no unusual strain, it may appear that the problem is idiosyncratic. However, things can get too busy when a lot of maintenance and surveillance is scheduled for the same time period and system dependencies may not be recognized (actually a situational cause). Furthermore, the supervisor might not be getting the necessary administrative support, such as an operator aid (computer-based or manual program) to record all systems out of service and all systems that will be impacted when a particular component is taken out of service.
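The operator aid described above, sketched as an added example that is not part of the original report: a log of out-of-service equipment that checks each new removal against a table of system dependencies before accepting it. The component names, the two-train layout and the dependency table are constructed for illustration and mirror the containment spray and service water case in the text.

```python
from collections import namedtuple

# Constructed plant model (hypothetical names): each safety function is
# delivered by redundant trains, and a train needs every listed component.
FUNCTIONS = {
    "containment_spray": {"A": ["CS-PUMP-A"], "B": ["CS-PUMP-B"]},
    "rhr": {"A": ["RHR-PUMP-A"], "B": ["RHR-PUMP-B"]},
}

# Support-system dependencies (component -> what it needs in order to run).
DEPENDS_ON = {
    "CS-PUMP-A": ["SW-TRAIN-A", "BUS-A"],
    "CS-PUMP-B": ["SW-TRAIN-B", "BUS-B"],
    "RHR-PUMP-A": ["SW-TRAIN-A", "BUS-A"],
    "RHR-PUMP-B": ["SW-TRAIN-B", "BUS-B"],
    "SW-TRAIN-A": ["BUS-A"],
    "SW-TRAIN-B": ["BUS-B"],
}

Impact = namedtuple("Impact", "lost degraded causes")


def blocking_cause(component, out_of_service, _seen=None):
    """Return the out-of-service item that disables `component`, or None.

    Walks the dependency table depth-first; `_seen` guards against cycles
    in a badly maintained table.
    """
    seen = _seen if _seen is not None else set()
    if component in out_of_service:
        return component
    if component in seen:
        return None
    seen.add(component)
    for dep in DEPENDS_ON.get(component, []):
        cause = blocking_cause(dep, out_of_service, seen)
        if cause:
            return cause
    return None


def function_status(out_of_service):
    """Map each safety function to {train: disabling item or None}."""
    status = {}
    for func, trains in FUNCTIONS.items():
        status[func] = {}
        for train, components in trains.items():
            causes = [blocking_cause(c, out_of_service) for c in components]
            status[func][train] = next((c for c in causes if c), None)
    return status


def evaluate_removal(component, out_of_service):
    """Predict the effect of removing `component`, given what is already out."""
    before = function_status(out_of_service)
    after = function_status(set(out_of_service) | {component})
    lost, degraded, causes = [], [], {}
    for func, trains in after.items():
        down = {t: c for t, c in trains.items() if c}
        was_down = {t for t, c in before[func].items() if c}
        if set(down) == was_down:
            continue  # this removal changes nothing for the function
        causes[func] = down
        (lost if len(down) == len(trains) else degraded).append(func)
    return Impact(sorted(lost), sorted(degraded), causes)


class OutOfServiceLog:
    """Records removals and refuses one that would disable every train."""

    def __init__(self):
        self.entries = {}  # component -> reason it is out of service

    def request(self, component, reason):
        impact = evaluate_removal(component, set(self.entries))
        if impact.lost:
            return False, impact  # hold for review: function would be lost
        self.entries[component] = reason
        return True, impact


if __name__ == "__main__":
    log = OutOfServiceLog()
    print(log.request("CS-PUMP-A", "pump maintenance"))
    # Service water train B cools the only remaining spray train.
    print(log.request("SW-TRAIN-B", "strainer cleaning"))
```

The second request is held because the unrecognized dependence would remove the remaining containment spray train, and the same check reports that RHR would be reduced to one train.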

Although counseling was an action frequently taken to prevent recurrence of errors, it may not be appropriate, if errors are in fact due to deficiencies in the system (situation factors) rather than shortcomings in individuals. Licensees should recognize the importance of thoroughly investigating and identifying to the greatest extent possible, the root cause of the human error in order to increase confidence that the action taken will prove effective in preventing recurrence.

In general, it was not possible to determine the effectiveness of the specific corrective actions taken in preventing recurrence. This is because licensees frequently do not report the full corrective action but only the immediate actions. For example, a procedure may be changed or personnel may be counseled in response to an error, but the full and necessary corrective action might include changes in equipment design, labeling, etc. The full corrective action might be completed at some future time at some facilities and not at others. The LERs did not contain sufficient information to permit an analysis of this.

Table 13 is a matrix representation of the data of Tables 11 and 12. In events involving failure to perform or management/administrative control deficiencies, licensed and non-licensed operators and other personnel (maintenance personnel and I&C technicians) were responsible for equal numbers of errors. In all events involving planning and human engineering design deficiencies, operators (licensed and non-licensed) were involved.*

Table 14 is a listing of activities that were underway when the LSSF events occurred. Operations include activities to operate the plant in any mode whether at power or shut down. Maintenance and testing activities are routine or non-routine (responding to abnormal conditions) while the plant is in operation or undergoing some modification. Roughly two-thirds of the events resulted from errors during maintenance and testing.

* Human engineering design deficiencies include features that should be present but are not (e.g., an annunciator) or that are present but are unnecessarily complex and difficult to control. Such deficiencies may not become apparent until an incident occurs.

TABLE 13
Deficiency Type vs. Personnel Type

                            Operator,  Operator,     Technician,               Contractor/
                            Licensed   Non-Licensed  I&C          Maintenance  Construction  Unknown  N/A   Total
Failure to Perform          11         11            7            4            -             -        -     33
Management/Administration   5          4             2            3            7             1        -     22
Defective Procedure         -          -             -            -            -             -        17    17
System Status/Planning      6          4             -            -            -             -        -     10
Design Deficient            1          4             -            -            -             -        -     5
Total                       23         23            9            7            7             1        17    87

TABLE 14
Activity Underway

Activity               Frequency
Maintenance            28
Testing                25
Operations             22
Plant Modifications    6
Refueling              6
Total                  87

3.0 FINDINGS AND CONCLUSIONS

Our study identified 133 events between 1981 and June 1984 that involved a loss of safety system function (LSSF). Human factors considerations were involved in 87 of the 133 events, while 46 were solely the result of equipment failure. A review of the LSSF events indicates the following:

(1) Between 1981 and June 1984, there was a relatively constant frequency of LSSF events, and no significant trend in the rate of occurrence could be seen with regard to reactor plant type. However, there is no clear evidence that a large improvement is being made, on an industry-wide basis, in preventing loss of safety system events.

(2) Variation of rate of occurrence of LSSF events was observed among reactor vendors and among different models of Westinghouse (W) PWR, although this variation was likely to have been the result of variation among a small number of individual plants. It seems clear that the W two-loop plants and Babcock and Wilcox (B&W) plants reported fewer than the average number of LSSF events.

(3) LSSF events at PWRs most frequently involved the RHR system (31 events), the containment spray system (11), and the CVCS (eight). LSSF events at BWRs most frequently involved the HPCI system (21), the RCIC system (nine) and the shutdown cooling system (eight).

With few exceptions, most of the LSSF events at PWRs and BWRs were non-repetitive, even at plants where there were multiple events. The relatively large numbers of events involving the RHR system at PWRs and the HPCI, RCIC and RHR systems at BWRs must be put in perspective; i.e., consideration must be given to the single-failure vulnerability in the designs of those systems.

(4) The event duration was less than eight hours in 85% of the PWR events and 65% of the BWR events. PWR RHR system events accounted for most of the events lasting less than one hour, while containment spray isolation events accounted for most of the events lasting more than 24 hours. Four reported events at BWRs lasted more than 24 hours.

(5) The frequency of occurrence of LSSF events was highest in the first year following initial plant criticality, then dropped for a few years. Starting in about the fourth to fifth year until about the tenth year of operation the occurrence rate was relatively high. However, after the first year plant age appeared to have no significant influence on the frequency of LSSF events.

(6) LSSF events have occurred more frequently at some plants than at others. Data show that 12 PWR plants accounted for 51 of the 81 total PWR LSSF events and ten BWR plants accounted for 37 of the 52 total BWR LSSF events. A review of the characteristics of LSSF events at plants with multiple events indicated events most frequently involved the residual/decay heat removal system at PWRs, the HPCI, RCIC, or RHR at BWRs, and plants with little operating experience.

In reviewing the operating history of the several plants that reported three or more events, the excess number of events at all except Trojan could be ascribed to limited operating experience (McGuire 1 and 2, Grand Gulf 1), RHR system problems (Calvert Cliffs 2, North Anna 1), or HPCI and RCIC system failures (Brunswick 1, Dresden 2, Hatch 1, and Duane Arnold). Only the events at Trojan point to a potential plant operations management problem.

(7) Of the 133 LSSF events that took place during the study period, the events were most frequently (87 times; 65% of the total) the result of human factors considerations, i.e., they were not attributed solely to equipment failure.

(8) Categorization of LSSF events involving human factors considerations showed that 38% of all such events resulted from "personnel error" or failures by personnel to perform as required. That is, the remaining events (almost two-thirds) resulted from conditions that were outside of the control of the worker. For example, events frequently occurred as a result of defective administrative or operating procedures. This indicated that although training, qualifications and motivation are important, improvements in the areas of management and administrative control, procedures and planning could have a significant impact on reducing the number of LSSF events. For the events that were due to personnel error the LERs generally did not give enough information to establish a specific "root cause" and it was not clear whether this was due to a lack of depth in the licensees' reports or in their investigations.

(9) Licensed operators, non-licensed operators, and other personnel (technicians and maintenance personnel) were responsible for roughly equal numbers of errors leading to LSSF events. This is evidence that it is necessary that licensees establish programs to ensure all types of personnel are well qualified and trained.

(10) Licensee Event Reports were generally unclear regarding the cause for human error, particularly failures to perform tasks correctly or adequately, perhaps because the events were not promptly and thoroughly investigated or because an attempt was made to assign a single, unequivocal "cause."

In any case, the great majority of them seemed to be due to deficiencies in situational factors (e.g., poor human engineering design) rather than idiosyncratic factors (shortcomings in individuals, such as lack of motivation, lack of skill/training, and/or lack of capability).

Licensees should recognize the importance of thoroughly investigating and identifying to the greatest extent possible, the root cause of the human error in order to increase confidence that the action taken will prove effective in preventing recurrence.

4.0 RECOMMENDATIONS

This study identified and evaluated all LSSF events in the 1981 through June 1984 time period. The study found that LSSF events most frequently involved the PWR RHR and containment spray systems, the BWR HPCI, RCIC, and RHR systems, and plants with little operating experience. There were also six events at PWRs involving total loss of ECCS systems. However, no problems were noted that justify firm specific recommendations.

(1) Licensees should be informed regarding the characteristics of recent LSSF events resulting from human factors considerations. Although industry should be made aware of potential problems in this area, it is particularly important that licensees that experience more frequent losses take prompt action to reduce the potential for problems.

It is recommended that IE consider an Information Notice to feed back this information to industry and that this study be forwarded to the Regions for input to the SALP assessments.

Suggested licensee actions in the Information Notice should include a review of procedures for the management and administrative control of work and planning. Procedures for investigation of events or off-normal conditions should include specific measures to determine the root cause(s) and all contributing factors.

(2) That equal numbers of events resulted from errors by licensed operators, non-licensed operators, and other personnel (maintenance personnel and I&C technicians) points to a need to ensure sufficient attention is paid to the qualifications of all personnel. Therefore, it is recommended that NRR (1) review this aspect of personnel qualification programs for adequacy as part of the maintenance and surveillance program plan (MSPP) and (2) determine whether this observation has been adequately considered in the INPO accreditation programs for licensee personnel.

In addition, the Human Factors Program Plan should be reviewed to ensure that appropriately high priorities have been assigned to NRR and RES activities aimed at developing qualification and training requirements for NPP personnel.

Similarly, the large proportion of events due to defective procedures indicates the HFPP should be reviewed to ensure that an adequate priority has been assigned to the goal of adequate and effective procedures.

(3) At the conclusion of the study an attempt was made to determine whether any event(s) of the study seemed to have a level of significance higher than previously recognized. For BWR events it was found this was generally not the case. However, for PWR events it was found that three types of event (losses of ECCS injection systems, containment spray isolations, and a Salem loss of component cooling water event) may warrant further study. Therefore, it is recommended that AEOD perform additional evaluations of these three types of events.

(4) A major difficulty encountered during this study was the lack of information on the cause of human error. The revised event reporting requirements that went into effect in January 1984 (LER Rule 50.73) have helped to resolve this problem, because events are being reported in greater detail. However, there is a wide range of interpretations of what is required to meet the intent of reporting requirements for events that may have been the result of human factors considerations. This finding confirms a similar finding of NUREG-1022, Supplement 2*, that recent LERs have frequently been deficient with respect to the quality of the data on the human factors contributions to events. Therefore, it is recommended that AEOD continue to monitor the quality of the data in the LERs that are received, and take further action if improvement is not seen in the extent to which human factors data is being reported.

(5) Although this study did not find evidence of previously unrecognized safety problems, it is anticipated that a data base on LSSF events can be a useful tool for identifying areas in which efforts can be made to most effectively improve safety. Therefore, it is recommended that AEOD collect and evaluate LSSF event data on a continuing basis.

5.0 REFERENCES

(1) NRC, Memorandum from C. J. Heltemes to Harold R. Denton, Special Study Report - Human Error in Events Involving Wrong Unit or Wrong Train, AEOD/S401, January 13, 1984 (and Supplement dated August 8, 1984).

(2) Nuclear Safety Analysis Center, EPRI, NSAC/52, Residual Heat Removal Experience Review and Safety Analysis, Pressurized Water Reactors, January 1983.

(3) NUREG-1022, Supplement No. 1, Licensee Event Report System, Description of System and Guidelines for Reporting, February 1984.

* NUREG-1022, Supplement No. 2, contains an evaluation of the quality of the 1984 LERs received under the new reporting requirements of 50.73. The supplement will be distributed to all licensees.

APPENDIX A

TABLE A-1
LOSSES OF SAFETY SYSTEM FUNCTION - PWR EVENTS INVOLVING HUMAN ERROR

                    Event                        Mode/                  Other    NSSS/     Since
Plant               Date    System               % Power  Duration      Report*  Loops**   Crit.***  LER #
Indian Point 2      831129  Cont. Spray          1/100    43 days       AO       W/4       10 y      24783043
Turkey Point 3      830419  AFW                  1/100    5 days        x,AO     W/3       10 y      25083007
Turkey Point 4      811128  LTOP                 5/0      182 mins      AO       W/3       8 y       25181015
Turkey Point 4      831004  Cont. Spray          1/100    50 hrs        x,AO     W/3       10 y      25183016
Palisades           810106  125V D.C. Batteries  1/99     1 hr          AO       C-E       9 y       25581001
Robinson 2          810114  CVCS                 1/100    2 hrs         x        W/3       10 y      26181003
Oconee 1            820323  Cont.                5/0      51 days       -        B&W       11 y      26982008
Oconee 1            830623  Cont. Spray          1/100    NR            x        B&W       12 y      26982012
Salem 1             830222  RPS                  1/20     NA            AO       W/4       6 y       27283011
Prairie Island 1    820827  DG                   1/100    1.5 hrs       -        W/2       8 y       28282015
Fort Calhoun 1      840314  CCW                  1/100    2 mins        -        C-E       10 y      28584003
Crystal River 3     810508  ABES                 1/100    NR            -        B&W       4 y       30281027
Crystal River 3     840615  ABES                 1/99     44 mins       -        B&W       7 y       30284012
Kewaunee            811016  CCW                  1/100    50 mins       -        W/2       7 y       30581033
Kewaunee            821004  Cont. Spray          1/100    4 months      -        W/2       8 y       30582030
[not legible]                                    /0       5 mins        -        C-E       8 y       30981008
Salem 2             831220  RHR                  /0       22 mins       -        W/4       3 y       31183066
Salem 2             840209  RHR                  /0       17 mins       -        W/4       3 y       31184002
D.C. Cook 1         830201  Cont. Spray          1/100    7 hrs         x        W/4       8 y       31583009
D.C. Cook 2         830603  Cont. Spray          1/100    3 hrs         x        W/4       5 y       31683048
D.C. Cook 2         840521  RHR                  /0       25 mins       -        W/4       6 y       31684014
Calvert Cliffs 1    830426  LTOP                 5/0      17 mins       -        C-E       8 y       31783019
Calvert Cliffs 1    830524  ECCS                 1/100    22 hrs        -        C-E       8 y       31783028
Calvert Cliffs 1    831012  RHR                  /0       30 mins       -        C-E       9 y       31783061
Calvert Cliffs 2    810204  RHR                  /0       17 mins       -        C-E       5 y       31881004
Calvert Cliffs 2    821122  RHR                  /0       4 mins        -        C-E       6 y       31882053
Calvert Cliffs 2    821228  RHR                  /0       NR            -        C-E       6 y       31882055
Calvert Cliffs 2    830104  RHR                  /0       15 mins       -        C-E       6 y       31883001
Calvert Cliffs 2    830107  RHR                  /0       9 mins        -        C-E       6 y       31883005
Calvert Cliffs 2    840426  DG                   /0       10 hrs        -        C-E       7 y       31884005
Sequoyah 1          810324  ABGTS                1/98     12 hrs        -        W/4       8 m       32781032
Sequoyah 1          820916  RHR                  0        6 mins        -        W/4       26 m      32782116
Sequoyah 1          830911  RPS (SSPS)           0        NR            -        W/4       3 y+      32783112
Beaver Valley 1     810606  ECCS (HHSI)          1/99     NR            AO       W/3       5 y       33481047
St. Lucie 1         830329  RHR                  6/0      10 mins       -        C-E       7 y       33583021
Millstone 2         810102  DG                   1/100    3 hrs         -        C-E       5 y       33681001
Millstone 2         811209  RHR (LPSI)           5/0      2 mins        -        C-E       6 y       33681043
North Anna 1        821019  RHR                  6/0      36/33 mins    -        W/3       4 y       33882067
North Anna 1        821206  ECCS (SI)            3/0      22.5 hrs      -        W/3       4 y       33882082
North Anna 2        820528  Cont. Spray          3/0      17 mins       x        W/3       2 y       33982022
North Anna 2        820520  RHR                  5/0      8/26/60 mins  -        W/3       2 y       33982026
North Anna 2        830503  RHR                  6/0      NR            -        W/3       3 y       33983038
Trojan              810626  RHR                  /0       1.25 hrs      -        W/4       5 y       34481012
Trojan              820820  ECCS (SI)            /0       2 days        -        W/4       6 y       34482015
Trojan              830122  AFW                  2/4      7 mins        -        W/4       7 y       34483002
Trojan              830908  CVCS                 1/100    3 hrs         xx       W/4       7 y       34483013
Trojan              840324  AFW                  1/7      1.3 hrs       -        W/4       8 y       34484110
Trojan              840504  RHR                  6/0      40 mins       -        W/4       8 y       34484010
Farley 1            820510  Cont. Spray          1/100    7 hrs         AO       W/3       4 y       34882021
San Onofre 2        830621  CVCS                 5/0      NR            -        C-E       11 m      36183071
San Onofre 3        821205  CVCS                 /0       7.5 hrs       -        C-E       0 m       36282005
San Onofre 3        840317  Cont. Spray          1/100    13 days       AO       C-E       8 m       36284009
Farley 2            821028  Cont. Spray          1/100    17 mos        AO       W/3       19 m      36482043
McGuire 1           811112  RB/HVAC              /48      10 mins       x        W/4       3 m       36981180
McGuire 1           811118  RHR                  /0       22 mins       -        W/4       3 m       36981185
McGuire 1           820212  ECCS (UHI)           /50      <1 hr         -        W/4       7 m       36982017
McGuire 1           820302  RHR                  /0       <1 hr         -        W/4       8 m       36982024
McGuire 1           820423  CVCS                 /50      NR            -        W/4       9 m       36982030
McGuire 1           830405  RHR                  6/0      NR            -        W/4       21 m      36983017
McGuire 1           830929  Cont. Spray          1/100    4.7 hrs       AO       W/4       27 m      36983084
McGuire 2           831231  RHR                  0        43 mins       -        W/4       7 m       37083092
McGuire 2           840109  RHR                  0        40 mins       -        W/4       8 m       37084001
McGuire 2           840115  RHR                  0        49 mins       -        W/4       8 m       37084002
McGuire 2           840115  CVCS                 0        NR            -        W/4       8 m       37084004

Total: 64 Events

* x = Wrong Unit/Train (WU/T) Event Special Study Report, 1/13/84
  xx = WU/T Event Follow-up Report, 8/8/84
  AO = Abnormal Occurrence
** NSSS Vendors Combustion Engineering (CE) and Babcock and Wilcox (B&W) plants all have two loops. Westinghouse (W) plants have two, three or four loops.
*** Time period since initial criticality (y = years, m = months).
• Lost automatic actuation of all features actuated by containment pressure.

TABLE A-2 LOSSES OF SAFETY SYSTEM FUNCTION - BWR EVENTS INVOLVING HUMAN ERROR

| Plant | Event Date | System | Mode/% Power | Duration | Other Report* | Since Crit.** | LER # |
|---|---|---|---|---|---|---|---|
| Big Rock Point | 810917 | RDS | 1/80 | NR | x | 19 y | 15581022 |
| Oyster Creek | 820614 | CRD Pumps | 1/82 | -2.5 hrs | | 13 y | 21982031 |
| Dresden 2 | 810526 | HPCI | /44 | NR | | 11 y | 23781030 |
| Quad Cities 1 | 811209 | Cont. (Sec) | 1/98 | 7 hrs | | 10 y | 25481024 |
| Peach Bottom 2 | 830323 | Cont. (Pri) | 1/7 | 80 hrs | | 9 y | 27783006 |
| Peach Bottom 3 | 810211 | Cont. (Pri) | 1/100 | 93 mins | x | 6 y | 27881008 |
| Peach Bottom 3 | 840602 | HPCI & RCIC | 4/0 | 2 hrs | | 9 y | 27884007 |
| Pilgrim 1 | 811211 | RHR | /0 | 5 hrs | x | 9 y | 29381064 |
| Pilgrim 1 | 830929 | HPCI | 1/96 | 3 days | | 11 y | 29383048 |
| Cooper | 810613 | RCIC | /0 | <8 hrs | | 7 y | 29881017 |
| Cooper | 840414 | SBGT | 1/70 | 13 hrs | | 10 y | 29884007 |
| Brunswick 2 | 830825 | RHR | 1/100 | 3 hrs | | 8 y | 32483069 |
| Brunswick 1 | 810220 | RCIC | 1/97 | 15 mins | | 4 y | 32581031 |
| Fitzpatrick | 840207 | RCIC | 1/100 | 6.5 hrs | | 9 y | 33384003 |
| Fitzpatrick | 840210 | HPCI & RCIC | 1/100 | 30 mins | | 9 y | 33384004 |
| Hatch 2 | 820817 | RHR | 1/99 | <2 mins | x | 4 y | 36682095 |
| Susquehanna 1 | 830301 | SGTS | 1/100 | 25 hrs | x | 0 m | 38783026 |
| Susquehanna 1 | 830310 | Cont. (Sec) | 0 | <5 months | | 6 m | 38783033 |
| Susquehanna 1 | 830311 | HPCI | 0 | NR | | 6 m | 38783044 |
| Grand Gulf 1 | 830523 | RHR | 0 | 1 hr | | 9 m | 41683069 |
| Grand Gulf 1 | 840114 | RHR | 0 | 1 hr | | 17 m | 41684004 |
| Grand Gulf 1 | 840202 | HPCS | 0 | 30 mins | | 18 m | 41684008 |
| Grand Gulf 1 | 840322 | RHR | 0 | NR | | 19 m | 41684013 |

Total: 23 Events

* x - Wrong Unit/Train (WU/T) Event Report, 1/13/84
** Time period since initial criticality (y = years, m = months)

TABLE A-3 LOSSES OF SAFETY SYSTEM FUNCTION - PWR EVENTS WITH NO HUMAN ERROR INVOLVED

| Plant | Event Date | System | Mode/% Power | Duration | NSSS/Loops** | Since Crit.*** | LER # |
|---|---|---|---|---|---|---|---|
| San Onofre 1 | 810717 | Waste Gas | 5/0 | 18 mins | W/3 | 14 y | 20681018 |
| San Onofre 1 | 810903* | ECCS (SI) | 1/88 | 30 mins | W/3 | 14 y | 20681020 |
| Turkey Point 3 | 811112 | DG | 5/0 | 30 mins | W/3 | 9 y | 25081015 |
| Palisades | 810718 | RHR | b/0 | NR | C-E | 10 y | 25581030 |
| Oconee 2 | 810919 | RHR | 0 | 17 hrs | B&W | 8 y | 27082017 |
| Salem 1 | 820106 | DG | 5/0 | 2 days | W/4 | 5 y | 27282003 |
| Salem 1 | 820316 | CCW/SW**** | 5/0 | 45 mins | W/4 | 5 y | 27282015 |
| Crystal River 3 | 831018 | ABES | 1/96 | 2 hrs | B&W | 6 y | 30283044 |
| Zion 2 | 810914 | AFW | 4/0 | NR | W/4 | 8 y | 30481020 |
| Salem 2 | 830713 | RHR | 5/0 | 55 mins | W/4 | 3 y | 31183032 |
| Calvert Cliffs 2 | 821124 | RHR | 6/0 | 18 mins | C-E | 6 y | 31882054 |
| St. Lucie 1 | 821023 | CVCS | 0 | 15 mins | C-E | 6 y | 33582050 |
| Millstone 2 | 820106 | RHR | 6/0 | 7 mins | C-E | 6 y | 33682002 |
| North Anna 1 | 830122 | RHR | 5/0 | 4 mins | W/3 | 5 y | 33883003 |
| North Anna 1 | 830218 | RHR | 5/0 | 5 mins | W/3 | 5 y | 33883009 |
| McGuire 1 | 811216 | ESFAS | 5/0 | NR | W/4 | 4 m | 36981188 |
| McGuire 1 | 820212 | CVCS | 1/50 | NR | W/4 | 6 m | 36982015 |

Total: 17 Events

* Abnormal occurrence.
** NSSS vendors Combustion Engineering (CE) and Babcock and Wilcox (B&W) plants all have two loops. Westinghouse plants have two, three, and four loops.
*** Time period since initial criticality (y = years, m = months).
**** Loss of CCW and SW led to losses of DG, RHR, and charging pumps.

TABLE A-4 LOSSES OF SAFETY SYSTEM FUNCTION - BWR EVENTS WITH NO HUMAN ERROR INVOLVED

| Plant | Event Date | System | Mode/% Power | Duration | Since Crit.** | LER # |
|---|---|---|---|---|---|---|
| Big Rock Point | 840222 | RDS | /0 | NR | 21 y | 15584001 |
| Nine Mile Pt. 1 | 811120 | Emer. Condensers | 1/99 | 20 mins | 12 y | 22081053 |
| Dresden 2 | 810602 | HPCI | /46 | NR | 11 y | 23781033 |
| Dresden 2 | 811223 | HPCI | 1/99 | NR | 12 y | 23781079 |
| Dresden 2 | 820622 | HPCI | 1/78 | NR | 12 y | 23782021 |
| Dresden 3 | 811023* | DG | /66 | 1 hr | 10 y | 24981033 |
| Quad Cities 1 | 820622* | DG | /53 | 17 mins | 10 y | 25482012 |
| Browns Ferry 2 | 830801 | HPCI | 1/100 | NR | 9 y | 26083046 |
| Browns Ferry 2 | 831110 | HPCI | 1/98 | NR | 9 y | 26083074 |
| Peach Bottom 3 | 830126 | HPCI & RCIC | 1/86 | NR | 8 y | 27883002 |
| Pilgrim 1 | 830413 | RCIC | 1/99 | NR | 11 y | 29383022 |
| Browns Ferry 3 | 810317 | HPCI | 1/100 | NR | 4 y | 29681015 |
| Hatch 1 | 820805 | HPCI | /0 | NR | 6 y | 32181013 |
| Hatch 1 | 810405 | DG | 6/0 | NR | 6 y | 32181026 |
| Hatch 1 | 820805 | HPCI | 1/98 | <24 hrs | 7 y | 32182070 |
| Hatch 1 | 830523 | RCIC | 1/99 | NR | 8 y | 3218356 |
| Brunswick 2 | 810410 | HPCI | /37 | NR | 6 y | 32481029 |
| Brunswick 1 | 810120 | RCIC | /0 | NR | 4 y | 32581010 |
| Brunswick 1 | 840109 | RHR/SW | 1/100 | NR | 7 y | 32584001 |
| Brunswick 1 | 840331 | HPCI | 1/100 | NR | 7 y | 32584007 |
| Brunswick 1 | 840606 | CBEAF | 1/100 | 11 hrs | 7 y | 32584008 |
| Arnold | 820912 | HPCI & RCIC | 1/34 | 11 hrs | 8 y | 33182056 |
| Arnold | 830803 | HPCI | 1/96 | <24 hrs | 9 y | 33183028 |
| Arnold | 830904 | RCIC | 1/80 | 10 hrs | 9 y | 33183032 |
| Arnold | 840210 | HPCI & ADS | 1/100 | 5 hrs | 10 y | 33184012 |
| Fitzpatrick | 840518 | HPCI & RCIC | 1/100 | 3 hrs | 9 y | 33384012 |
| Hatch 2 | 820126 | RCIC | 3/3 | NR | 3 y | 36682012 |
| Hatch 2 | 820828 | RCIC | /10 | 4 days | 4 y | 36682100 |
| Grand Gulf 1 | 840107 | RHR | /0 | NR | 17 m | 41684002 |

Total: 29 Events

* Abnormal Occurrence
** Time period since initial criticality (y = years, m = months)

APPENDIX B

TABLE B-1 LOSSES OF SAFETY SYSTEM FUNCTION INVOLVING HUMAN ERROR
PRESSURIZED WATER REACTOR EVENTS

| LER # | Plant | Event Date | System | Activity | % Power | Person | Cause/Contributing Factors | Corrective Action(s) |
|---|---|---|---|---|---|---|---|---|
| 247-83-043 | Indian Pt. 2 | 831129 | Cont. Spray | Maintenance, Unscheduled | 100 | Operator, Non-licensed | Failure to perform procedure correctly (SI check-off list)/Failure to verify by second operator. (Note: Appears independent verification was not required) | Training (improvement in area of equipment status identification) |
| 250-83-007 | Turkey Pt. 3 | 830419 | AFW | Modification | 100 | Operator, Non-licensed | Deficient Management/Administration (Misidentification/Failure to independently verify) | Procedure Changes |
| 251-81-015 | Turkey Pt. 4 | 811128 | LTOP | Testing | 0 | N/A | Defective Procedure | Procedure Changes |
| 251-83-016 | Turkey Pt. 4 | 831004 | Cont. Spray | Operations | 100 | Operator, Non-licensed | Deficient Management/Administration | Labeling, Design |
| 255-81-001 | Palisades | 810106 | 125V DC Batteries | Testing, Surveillance | 99 | Maintenance, Electrical | Deficient Management/Administration | Design (add CR indication of station battery operability) |
| 261-81-003 | Robinson 2 | 810114 | CVCS | Maintenance | 100 | N/A | Procedure | Procedure Changes |
| 269-82-008 | Oconee 1 | 820323 | Cont. | Testing, Calibration | 0 | Technician, I&C | Deficient Management/Administration | Work verification program changes. (Independent verification would be required in all instrumentation and electrical procedures that components are returned to required status) Procedure Changes. |
| 269-82-012 | Oconee 1 | 830623 | Cont. Spray | Testing | 100 | Operator, licensed | Planning | Training |
| 272-83-011 | Salem 1 | 830222 | RPS | Operations | (Power) | Operators, licensed | Management/Administration | Procedure Changes, Training |
| 282-82-015 | Prairie Island | 820827 | DG | Maintenance | 100 | Maintenance, Electrical | Failure to follow procedure. | Procedure Changes |
| 285-84-003 | Fort Calhoun 1 | 840314 | CCW | Testing | 100 | Operator, Licensed | Opened Wrong Breaker | Procedure Changes |
| 302-81-027 | Crystal River 3 | 810508 | ABES | Maintenance | 100 | N/A | Defective Procedure | Procedure Changes |
| 302-84-012 | Crystal River | 840615 | ABES | Modification | 99 | Contractor, Non-licensed | Management/Administration (Instrument air line damaged by contractor personnel) | Damage Repaired |
| 305-81-033 | Kewaunee | 811016 | CCW | Maintenance | 100 | Operator, Non-licensed | Planning incorrect removal from service (for maintenance) | Counseling |
| 305-82-030 | Kewaunee | 821004 | Cont. Spray* | Testing | 100 | Technician, I&C | Management/Administration (Inadequate Labeling) | Labeling (Penetrations Tagged), Procedure Changes |
| 309-81-008 | Maine Yankee | 810610 | RHR | Maintenance | 0 | Contractor, Electrician | Management/Administration (Contractor displaced connector on flow controller) | Counseling (of contractor personnel who were involved) |
| 311-83-066 | Salem 2 | 831220 | RHR | Maintenance | 0 | Operator, Non-licensed | Planning | Counseling |
| 311-84-002 | Salem 2 | 840209 | RHR | Maintenance | 0 | Operator, Licensed | Management/Administration (Problem updating status in control room) | Procedure Changes |
| 315-83-009 | D.C. Cook 1 | 830201 | Cont. Spray | Testing | 100 | Operator, Non-licensed | Misidentification/Failure to independently verify | Procedure, Counseling |
| 316-83-048 | D.C. Cook 2 | 830603 | Cont. Spray | Testing | 100 | Operator, Non-licensed | Perform incorrect action/Failure to verify | Counseling |
| 316-84-014 | D.C. Cook 2 | 840521 | RHR | Operations (CSD) | 0 | N/A | Defective Procedure | Procedure Changes (Regarding RCS Inventory) |
| 317-83-019 | Calvert Cliffs 1 | 830426 | LTOP | Operations | 0 | Operator, Licensed | Personnel Error | Counseling |
| 317-83-028 | Calvert Cliffs 1 | 830527 | ECCS | Maintenance | 100 | Operator, Licensed | Inadequate Planning (Failure to recognize system interdependency) | Procedure Changes |
| 317-83-061 | Calvert Cliffs 2 | 831012 | RHR | Testing | 0 | N/A | Defective Procedure | Procedure Changes |
| 318-81-004 | Calvert Cliffs 2 | 810204 | RHR | Preventive Maintenance | 0 | N/A | Defective Procedure | Procedure Changes |
| 318-82-053 | Calvert Cliffs 2 | 821122 | RHR | Testing | 0 | Technician | Performed action incorrectly | Counseling |
| 318-82-055 | Calvert Cliffs 2 | 821228 | RHR | Operations | 0 | Operator, Non-Licensed | Design Deficiency (Fuse Coordination Scheme) | Design Modifications |
| 318-83-001 | Calvert Cliffs 2 | 830104 | RHR | Testing | 0 | Operator, Non-Licensed | Design Deficiency (same as #318-82-055) | Design Modifications |
| 318-83-005 | Calvert Cliffs 2 | 830107 | RHR | Testing | 0 | N/A | Defective Procedure | Procedure Change |
| 318-84-005 | Calvert Cliffs 2 | 840426 | DG | Preventive Maintenance | 0 | Operator, Licensed | Failure to recognize dependence system/status / Improper removal from service | Counseling |
| 327-81-032 | Sequoyah 1 | 810324 | ABGTS | Testing | 98 | Operator, Licensed | Misinterpretation of LCO Requirements | Training |
| 327-82-116 | Sequoyah 1 | 820916 | RHR (SSPS) | Modification | 0 | N/A | Defective Procedure | Procedure Changes |
| 327-83-112 | Sequoyah 1 | 830911 | RPS (SSPS) | Testing | 0 | N/A | Defective Procedure | Procedure Changes (Review quality assurance procedures on changes to procedures) |
| 334-81-047 | Beaver Valley 1 | 810606 | ECCS (HHSI) | Operations | 99 | Unknown | Management/Administration | Procedure Changes (To control personnel access) |
| 335-83-021 | St. Lucie 1 | 830329 | RHR | Refueling | 0 | Construction | Management/Administration (failure to control construction activity) | Not Reported |
| 336-81-001 | Millstone 2 | 810102 | DG | Testing | 100 | Operator, Non-licensed | Failure to Perform (Misidentification) | Labeling |
| 336-81-043 | Millstone 2 | 811029 | RHR (LPSI) | Operations (Shutdown) | 0 | Operator, Licensed | Inadequate Design/Defective Procedure | Design Change (install annunciator for loss of LPCI), Procedure Change |
| 338-82-067 | North Anna 1 | 821019, 821020 | RHR | Refueling | 0 | Operator, Non-Licensed | Design (ambiguous level indication) | Not Reported |
| 338-82-082 | North Anna 1 | 821206 | ECCS (SI) | Operations | 0 | N/A | Defective Procedure | Procedure Changes |
| 339-82-022 | North Anna 2 | 820528 | Cont. Spray | Testing | 0 | Maintenance, Electrical | Personnel Error/Labeling | Procedure, Labeling |
| 339-82-026 | North Anna 2 | 820520 | RHR | Operations | 0 | Operator, Non-licensed | Inadequate Design | Procedure Changes |
| 339-83-038 | North Anna 2 | 830503 | RHR | Refueling | 0 | Operators, Non-licensed | Failure to perform (monitor RCS level) adequately | Counseling |
| 344-81-012 | Trojan | 810626 | RHR | Operations | 0 | Operators, Licensed | Failure to perform procedure adequately | Procedure Changes (vent pressurizer) |
| 344-82-015 | Trojan | 820820 | ECCS (SI) | Operations | 0 | Operators, Licensed | Failure to perform procedure adequately | Counseling |
| 344-83-002 | Trojan | 830122 | AFW | Operations (Mode 2) | 4 | Operator, Licensed | Failure to perform procedure adequately | Procedure Changes, Training |
| 344-83-013 | Trojan | 830908 | CVCS | Maintenance | 100 | Operator, Licensed | Failure to prepare correct tagout | Counseling |
| 344-84-110 (Inspection Report) | Trojan | 840324 | AFW | Testing | (Power) | Operator, Licensed | Planning (Lack of coordination between maintenance and operations) | Improvements in planning of operations and maintenance |
| 344-84-010 | Trojan | 840504 | RHR | Refueling | 0 | N/A | Procedure | Procedure Changes |
| 348-82-021 | Farley 1 | 820510 | Cont. Spray | Testing | 100 | Operator, Non-licensed | Personnel Error (Misidentification and failure of operators to investigate when condition was indicated by an annunciator) | Counseling |
| 361-83-071 | San Onofre 2 | 830621 | CVCS | Testing | 0 | Technician, I&C | Personnel Error | Counseling |
| 362-82-005 | San Onofre 3 | 821205 | CVCS | Maintenance | 0 | Operator, Non-licensed | Inadequate Planning (Incorrect removal from service) | Training, Counseling |
| 362-84-009 | San Onofre 3 | 840317 | Cont. Spray | Testing | 100 | Operator, Licensed | Management/Administration (Lack of control over procedures) | Procedure Changes (to ensure correct valve alignment prior to entering a given mode of operation and to ensure control over changes to procedures); Training |
| 364-82-043 | Farley 2 | 821028 | Cont. Spray | Operations | 100 | Operator, Non-Licensed | Management/Administration (Valve position verification) | Procedure Changes (valve position verification required) |
| 369-81-180 | McGuire 1 | 811112 | Cont. Vent. | Operations | 48 | Construction | Management/Administration (Labeling) | Label Corrected |
| 369-81-185 | McGuire 1 | 811118 | RHR | Maintenance (Mod) | 0 | Operator, Licensed | Management/Administration (Control of construction personnel) | Counseling |
| 369-82-017 | McGuire 1 | 820212 | ECCS (UHI) | Operations | 50 | Construction | Management/Administration (Fitting installed incorrectly) | Fitting replaced and correctly installed |
| 369-82-024 | McGuire 1 | 820302 | RHR | Maintenance | 0 | Operator, Non-Licensed | Incorrect operation of equipment | P.C water level indication system design changed |
| 369-82-030 | McGuire 1 | 820423 | CVCS | Testing | 50 | Operator, Non-Licensed | Management/Administration (Design change implementation program) | Procedure Changes (to improve control over plant modifications) |
| 369-83-017 | McGuire 1 | 830405 | RHR | Refueling | 0 | N/A | Defective Procedure | Procedure Changes |
| 369-83-084 | McGuire 1 | 830929 | Cont. Spray | Maintenance | 100 | Operator, Licensed | Failure to recognize system dependency (Planning) | Procedure Changes (technical specifications had not addressed the CS system dependency on the Nuclear Service Water System for operability) |
| 370-83-092 | McGuire 2 | 831231 | RHR | Maintenance | 0 | N/A | Defective Procedure | Procedure Changes |
| 370-84-001 | McGuire 2 | 840109 | RHR | Maintenance | 0 | N/A | Defective Procedure | Procedure Changes (regarding RCS level to be maintained during RHR operation) |
| 370-84-002 | McGuire 2 | 840115 | RHR | Maintenance | 0 | N/A | Procedure | Procedure Changes, Counseling |
| 370-84-004 | McGuire 2 | 840115 | CVCS | Operations | 0 | Operator, Licensed | Incorrect operation of equipment | Counseling (emphasis on verification of flow paths and the proper response to alarms) |

* Loss of automatic actuation of features actuated by containment pressure.

TABLE B-2 LOSSES OF SAFETY SYSTEM FUNCTION INVOLVING HUMAN ERROR
BOILING WATER REACTOR EVENTS

| LER # | Plant | Event Date | System | Activity | % Power | Person | Cause/Contributing Factors | Corrective Action(s) |
|---|---|---|---|---|---|---|---|---|
| 155-81-022 | Big Rock Point | 810917 | RDS | Maintenance | 80 | Operator, Non-Licensed | Personnel Error (Misidentification)/Labeling | Labeling |
| 219-82-031 | Oyster Creek | 820614 | CRD Pumps | Maintenance | 82 | Operator, Licensed | Inadequate planning (failure to recognize dependency between systems) | Procedure Change, Training |
| 237-81-030 | Dresden 2 | 810526 | HPCI | Maintenance | 44 | Maintenance, Mechanical | Management/Administration | Procedure Change (to include verification of correct disc installation) |
| 254-81-024 | Quad Cities 1 | 811209 | Cont. (Sec.) | Maintenance | 98 | Operator, Non-licensed | Failure to perform task correctly (use procedure to maintain containment integrity) | Training |
| 277-83-006 | Peach Bottom 2 | 830323 | Cont. (Pri.) | Testing, Surveillance | (*) | Technician, I&C | Personnel Error | Counseling |
| 278-83-008 | Peach Bottom 3 | 810211 | Cont. (Pri.) | Modification | 100 | N/A | Procedure | Procedure, Labeling |
| 278-84-007 | Peach Bottom 3 | 840602 | HPCI & RCIC | Operations | 0 | Operator, Licensed | Failure to follow TS | Counseling |
| 293-81-064 | Pilgrim 1 | 811211 | RHR | Refueling | 0 | Operator, Licensed | Management/Administration (Shift turnover and control room activity) | Procedure (Control Room Admin.) |
| 293-83-043 | Pilgrim | 830929 | HPCI | Testing | 96 | CRO (and I&C Technician) | Personnel Error (Miscommunication because of inadequate procedures for verbal communication) | Procedure (Instructions for verbal communications), Counseling |
| 298-81-017 | Cooper | 810613 | RCIC | Maintenance | 0 | Maintenance, Electrical | Failure to perform task (electrical wiring) correctly | Electrical maintenance personnel informed of event |
| 298-84-007 | Cooper | 840414 | SBGT | Modification | 70 | Bulldozer Operator | Management/Administration (Inadequate control of contractor employees) | N.R. |
| 324-83-069 | Brunswick 2 | 830825 | RHR | Operations | 100 | Maintenance | Management/Administration (Inadequate preventive maintenance program) | Procedure Changes (Preventive maintenance) |
| 325-81-031 | Brunswick 1 | 810220 | RCIC | Operations | 97 | Operator, Non-Licensed | Failure to recognize potential problem with tripping RCIC turbine | Counseling |
| 333-84-003 | Fitzpatrick | 840207 | RCIC | Maintenance | 100 | Technicians, I&C | Misidentification (wrong system) | Labeling, Training |
| 333-84-004 | Fitzpatrick | 840210 | HPCI & RCIC | Operations | 100 | Operator, Licensed | Personnel Error | Procedure Changes |
| 366-82-095 | Hatch 2 | 820817 | RHR | Maintenance | 99 | Operator, Non-Licensed | Misidentification, Labeling | Counseling, Labeling, Design |
| 387-83-026 | Susquehanna 1 | 830301 | SGTS | Maintenance | 100 | Operator, Non-Licensed | Planning/Procedure | Training |
| 387-83-033 | Susquehanna 1 | 830310 | Cont. (Sec) | Modification | 0 | Construction | Management/Administration (Inadequate program for unit separation)/Inadequate Tagging | Procedure Changes |
| 387-83-044 | Susquehanna 1 | 830311 | HPCI | Testing | 0 | Technician, I&C | Performed task incorrectly (wrong test connections) | Counseling |
| 416-83-069 | Grand Gulf 1 | 830523 | RHR | Operations (CSD) | 0 | Maintenance, Electrical | Procedure not performed correctly (not completed) | N.R.** |
| 416-84-004 | Grand Gulf 1 | 840114 | RHR | Maintenance | 0 | Technician, I&C | Failure to perform procedure correctly | Counseling |
| 416-84-008 | Grand Gulf 1 | 840202 | HPCS | Operations | 0 | N/A | Defective Procedure | Procedure Changes |
| 416-84-013 | Grand Gulf 1 | 840322 | RHR | Testing | 0 | Technician | Failure to verify reset of trip | Counseling |

(*) At power, level not reported.
** Action to prevent recurrence was not reported.

APPENDIX C-1

LOSSES OF SAFETY SYSTEM FUNCTION INVOLVING HUMAN ERROR
Descriptions of PWR Events*

* Events are in order of increasing Docket/LER number.

LER # 247-83-043, Indian Pt. 2, event date 831129

AO#84-1, IEN#84-39. Isolation of containment spray. When returning from non-scheduled maintenance, valves (2) were not opened or verified opened. 43 days (October 18-November 30, 1983).

Training: "Improvements made to place new emphasis on equipment status verification."

Identified during bimonthly containment spray pump surveillance test.

LER # 250-83-007, Turkey Pt. 3, event date 830419

While operating at 100% power, a Nuclear Turbine Operator (NTO) discovered that all steam supply lines to unit 3 auxiliary feedwater pumps B and C were closed. Auxiliary feedwater pump A was out of service. All auxiliary feedwater pumps had been inoperable from April 14, 1983 to April 19, 1983 (5 days).

Evidence indicated that the NTO had closed isolation valves in the steam supply lines rather than valves in the redundant steam supply lines. The verification signoff for the NTO's action was not understood or performed. Numerous system alignment checks over the next five days missed identifying the incorrect alignment.

This was significant, not only because of the misalignment error but also because the independent verification was not understood or performed and because AFW alignment checks on all shifts for the next five days did not identify the error.

Independent verification of the rehanging of the tags, which may have detected the operator error, was not performed because the requirement was not completely understood by the personnel. The licensee had implemented independent verification for tagging operations but left it ambiguous regarding the need for independent verification during temporary lifts of tags for testing and restoration. The twice per shift NTO AFW system checks were not properly detailed in instructions.

As part of actions taken to prevent recurrence, the licensee issued instructions to operators emphasizing the need for independent verification and revised the NTO logsheets to improve detail and clarity.

LER # 251-81-015, Turkey Pt. 4, event date 811128

AO#82-2, NSAC/52, Precursor AEOD/C401. When beginning plant heatup, two overpressure conditions developed for which the overpressure monitoring system (OMS) failed to operate.

RHR system suction isolation valve's automatic closure and OMS failed to operate because one train was inoperable for maintenance and the other was not correctly aligned (the root valve to the pressure transmitter had been isolated during a previous hydrostatic test).

Surveillance procedure changes were made to prevent recurrence.

LER # 251-83-016, Turkey Pt. 4, event date 831004

On October 4, 1983, a manual isolation valve on the discharge side of each of the redundant containment spray pumps for unit 4 was found in the locked closed position. Unit 4 was operating at power and unit 3 was proceeding from hot to cold shutdown for a refueling outage.

In the process of proceeding from hot to cold shutdown for unit 3, an operator was dispatched on October 2 to lock out several valves as required by procedures. Included in the list of valves were manual valves (891A&B) on the discharge side of unit 3 redundant containment spray pumps.

The operator closed and locked the valves on the discharge side of the unit 4 containment spray pumps, but did not initial the tagout sheet, as required. (He did not have the tagout sheet with him.) Subsequent to this action, the operator was isolating a sample line and was exposed to contaminated mist from a leak. The operator was relieved to receive medical attention. His replacement proceeded to the correct valves on unit 3 and noted they were open. He closed, locked and tagged the valves in accordance with procedures and was apparently unaware that the valves on the unit 4 discharge lines were in the closed position.

On October 4, 1983, the licensee's technical staff were performing monthly periodic tests of the unit 4 containment spray pumps and noted that the discharge valves were in the closed position. Containment spray was unavailable for over 28 hours.

It is important to note that the operator was considered experienced and competent and had a good operating record. In fact, the operator claimed responsibility when the condition was discovered. (Otherwise the cause would have been "unknown.")

The operator had just begun work on the Sunday dayshift and went to the wrong set of valves 891 A and B and closed, locked and tagged them. The operator did not bring the tagout sheet along and was unable to sign that he believed he had closed valves on unit 3.

This error was not caught, because there was no documentation that the operator closed the (what he believed to be) unit 3 valves. The licensee now strictly enforces a requirement to bring the tagout sheet to the job site and immediately initial when an action has been taken.

As a result of this event the licensee color coded the locks (using red and green fluorescent spray paint) to help distinguish between units. In addition, different keys were used for the locks of the different units.

LER # 255-81-001, Palisades, event date 810106

AO#81-1; Precursor; IEN#81-05. While performing monthly surveillance tests on both station batteries, breakers to 125V DC buses were left open for approximately one hour.

The two electricians failed to follow the test procedure. (Real Puzzle - They had the procedure (and the procedure was adequate), had performed the test previously, and had been briefed by the supervisor.)

Added verification by a second qualified individual for work in safety-related areas. Additional training added. Review to be made of adding CR indication to show battery circuit operability.

LER # 261-81-003, Robinson 2, event date 810114

Both channels of heat tracing for both boric acid transfer pumps were unintentionally deenergized during maintenance on one of the pumps. The procedure for deenergizing the heat tracing for the pump ambiguously specified "open" circuit E-1. However, opening the circuit supply breakers deenergized the heat tracing for both pumps since the circuits were supplied from the same breaker.

The procedure was changed to specify "fuses removed" to deenergize circuit E-1.

LER # 269-82-008, Oconee 1, event date 820323

Civil Penalty. July 1981 to March 1982.

Reactor building pressure switch was not properly returned to service upon completion of calibration testing (the test tee was not capped).

The particular procedure was changed to add a step signoff and an independent verification for cap removal and replacement. Additional (independent) verification requirements were added to all instrumentation and electrical procedures. In addition, procedures are now reviewed by shift supervisors (to check that they are clear).

LER # 269-82-012, Oconee 1, event date 820623

Both trains of reactor building spray (RBS) were inoperable due to the "B" train RBS pump being out of service while the "A" train RBS pump suction valve was shut.

Although the technical specification may not have been entirely clear, the problem resulted because the Assistant Shift Supervisor failed to consider consequences of the RBS lineup for testing (lack of planning).

LER # 272-83-011, Salem 1, event date 830222

AO#83-3, ATWS. Reactor trip breakers failed to open in response to trip signal.

272-83-011 for February 22, 1983 event and 272-83-012 for February 25, 1983 event.

Corrective Actions: Training and procedure on RTB.

LER # 282-82-015, Prairie Island, event date 820827

With D1 D/G out for preventive maintenance, operability test of D2 was done, but D2 was not returned to service correctly after test.

LER # 285-84-003, Fort Calhoun, event date 840314

In the process of tagging out Instrument Inverter B for maintenance, a switching error was made. Maintenance Procedure MP-EE-9 for Instrument Inverter Maintenance was being used.

The procedure called for opening the dc feeder breaker to the inverter but instead the operator opened a breaker which supplies dc power to Control Room Panel AI-418. As a result, two reportable events occurred. The first event was that both channels of Steam Generator Low Signal (SGLS), which is an Engineered Safety Feature, unblocked and tripped. The second event was that the Component Cooling Water (CCW) system, which is a safety system, became inoperable.

Several CCW valves failed open on loss of dc power. The increased flow demand in the system caused a drop in CCW system pressure. When the CCW system dropped below 60 psig, the raw water back-up valves to several components normally cooled by CCW opened. When the raw water back-up valves opened, the head pressure in the CCW system caused a CCW inventory loss through the back-up valves to the extent that the running CCW pump began cavitating and had to be secured.

Approximately two minutes after the event occurred, the operator realized his mistake and reclosed the breaker, restoring dc power to the distribution panel in the control room. The control room operators then closed the raw water back-up valves that had opened. Refilling of the CCW system was started. Approximately one hour later the CCW system inventory was restored and the system was returned to service.

The approved procedure which was being used was correctly written. The error was made when the wrong breaker on the panel was opened. The error was made by a licensed reactor operator (RO license).

LER # 302-81-027, Crystal River 3, event date 810508

During performance of SP-187, Auxiliary Building Exhaust Ventilation System Testing, it was discovered that on May 5, 1981, three of four Auxiliary Building filter systems were rendered inoperable by removal of cells for replacing charcoal canisters used for surveillance. Each system should have been determined operable prior to proceeding to perform maintenance on the next system. All three systems failed the flow bypass test. At 1600 it was recognized that Technical Specification requirements had been exceeded and plant shutdown was initiated as required by Technical Specification 3.0.3.

The Reactor was tripped at 1654 to comply with the one hour shutdown requirement. At 1800 on May 9, 1981 operability had been restored to three filter systems and the cooldown was secured. Full operability was restored at 2219 on May 9, 1981.

The event occurred because the controlling procedures did not adequately reflect TS requirements. The procedures were reviewed and revised as necessary.

LER #: 302-84-012 | Plant: Crystal River 3 | Event Date: 840615

While in steady state operation at 99% reactor power, contract workers were moving materials into the ventilation area of the Auxiliary Building 143' elevation for a plant modification.

At 1436, while carrying a large support structure into the ventilation area, an instrument air supply line was inadvertently struck by the support structure, thus rupturing the instrument air line. The instrument air line supplied air to the suction and discharge dampers (VF, DNP) for AHF-14A,B,C and D (VF, FAN). These dampers closed when supply air was lost. Control Room operators were not automatically alerted to the event until notified by a technician working in the area of the air line rupture. A flow switch (VF,FS) AH-31-DPS, should have closed to cause an alarm. When the dampers closed, it was suspected the dampers did not fully close allowing some continued air flow. Upon notification the Control Room operator promptly secured the operating pair of exhaust fans to prevent fan damage. The supply fans to the auxiliary building were tripped by an interlock when the exhaust fans were secured.

All doors (NF, DR) into the auxiliary building were closed.

The ruptured instrument air supply line was repaired at 1520 and fans AHF-14A and C were restarted.

Approximately 40 minutes elapsed from the time the exhaust fans were secured until they were returned to service.

LER #: 305-81-033 | Plant: Kewaunee | Event Date: 811016

Improper removal from service (condition existed 50 minutes). Emergency diesel generator (EDG) 1B was removed from service for maintenance. However, service water to the 1A CCWHX was later isolated and the supply MOV breaker opened, i.e., both trains of cooling via the CCWHX's were made unavailable.

LER #: 305-82-030 | Plant: Kewaunee | Event Date: 821004

IEN 83-23; Civil Penalty; AEOD/T313.

Six containment pressure transmitter sensing lines capped rendering all containment pressure transmitters and vacuum breakers inoperative for four months. Therefore, automatic actuation of containment spray and containment isolation would not have been possible during this time period. Also, with containment pressure indication disabled the operator may have taken an incorrect action in response to an accident (e.g., LOCA).

The six lines were identical to vent and drain lines that were required to be capped. However, the pressure sensing lines were not labeled to make clear they must remain open.

LER #: 309-81-008 | Plant: Maine Yankee | Event Date: 810610

NSAC/52. RHR cooling interrupted for five minutes when RH-M-2 (outboard stop valve) closed. While pulling cables behind the main control panel, contractor electrician displaced the connector on the flow controller for RH-M-2.

A warning was given to contractor employees.

LER #: 311-83-066 | Plant: Salem 2 | Event Date: 831220

On December 20, 1983, during a maintenance shutdown, 2RH1 (suction isolation) closed, resulting in a loss of RHR flow. The event took place during the transfer of 2B 4KV vital bus from one station power transformer to the other while the backup power supply for 2B instrument inverter was deenergized for maintenance. The transfer resulted in a momentary loss of the instrument bus and 2RH1 closed on interlock. When 2RH1 closed, the operator secured 22 RHR pump. The cause was determined, and 2RH1 was reopened.

The 22 RHR pump was started, and RHR flow was reestablished within 22 minutes of the start of the occurrence. A newsletter item was issued to inform all Operations Department personnel of the incident.

LER #: 311-84-002 | Plant: Salem 2 | Event Date: 840209

RHR common suction valve 2RH1 shut while testing was being performed on POPS (17-minute loss of DHR flow).

The system for control room display of required system status was not adequate.

Breakers for the RHR common suction valves were open and tagged per the POPS testing procedure but the tagging procedure did not require this be reflected at the control room console.

Systems were established for updating the status of control room console bezel covers, whenever tagging releases or requests are initiated.

LER #: 315-83-009 | Plant: D.C. Cook 1 | Event Date: 830201

During a routine plant tour at 0915 hours on February 1, 1983, an operator found the spray additive tank outlet valve sealed in the closed position. With the valve closed, the NaOH would not have been added to the containment spray system in the event of an accident. The valve was in the closed position for 7 hours.

The surveillance test procedure (STP) for the system had been completed at 0203 on February 1, 1983. During the STP, the valve was required to be closed. After the test was completed, the valve was to have been reopened and sealed and the seal number recorded. The valve lineup was also to have been completed and verified by another operator.

The Auxiliary Equipment Operator (AEO) who performed the test and did the initial signoff had started to open the valve when the rest of the system's valve seals fell out of his pocket.

He picked up the seals and put one on the valve without further opening the valve.

The Reactor Operator (RO) who verified the valve lineup looked at the unit 2 valve and saw it was open but the seal number wasn't right (both units' tanks are in the same room). He then realized his mistake and checked the seal number on the right valve, saw the numbers matched, and signed it off without checking that the valve was open.

Surveillance was being done on the morning/graveyard shift to prepare for the dayshift (a need to complete the surveillance). The auxiliary operator was having difficulty opening the valve because he was in an awkward position and because the valve had been closed with excessive force. When the valve opened, he lost his balance and became further distracted when valve seals fell from his pocket. He did not then check that the valve was fully open before applying the seal. The second operator who was responsible for independent verification was also distracted because he first went to the wrong unit and when he got to the correct unit he actually verified that the valve was sealed rather than opened.

In this case, the licensee's system for independent verification was adequate. Furthermore, it was understood by the second operator. The errors resulted primarily because the operators were working under stressful conditions. Because of the high workload that they planned to accomplish, the operators became frustrated and then distracted when they encountered minor problems.

The licensee started a practice of performing more of the heavy surveillance during the afternoon of the dayshift to alleviate the crisis atmosphere that had been more common during early morning surveillance testing.

LER #: 316-83-048 | Plant: D.C. Cook 2 | Event Date: 830603

A scheduled test on the containment spray system was being performed when operators inadvertently closed and did not reopen a manual isolation valve on the heat exchanger of the train not under test rendering both trains inoperable.

(A surveillance test condition required the containment spray HX inlet and outlet valves to be closed during test to prevent the inadvertent spraying of containment.) Appropriate administrative action was taken with the individuals involved.

The heat exchanger inlet valves were located near each other and were operated with reach rods. The initial "double" verification failed to detect the error. The error was detected by the person who was providing a "third party verification" (in this case it was a supervisor).

This third party verification was actually an independent verification.

LER #: 316-84-014 | Plant: D.C. Cook 2 | Event Date: 840521

CROs started RHR pump in preparation for taking the other out of service. The resulting high flow at half loop conditions caused air binding of the pumps.

Procedure was revised to clarify instructions to stop the operating pump prior to starting the second pump while at half loop.

LER #: 317-83-019 | Plant: Calvert Cliffs 1 | Event Date: 830426

During mode 5 operation at 2014 while raising RCS pressure, a power operated relief valve (PORV), ERV-404 opened. It was immediately isolated by shutting its upstream isolation valve (Tech Spec 3.4.9.3).

While troubleshooting the problem with ERV-404, at 2150 a short circuit caused a loss of control power to ERV-402, rendering it inoperable. (At this point the low temperature overpressurization protection system was unavailable.) Control power was restored to ERV-402 by 2207. RCS pressure was lowered to below the reset point, and ERV-404 unisolated by 2230. Similar events: None. The cause of the actuation of ERV-404 was a failure of the control room operator to monitor RCS pressure carefully enough. The short circuit in the ERV-402 control circuitry was due to technician error. Personnel involved in this event were counselled. All operators and instrument maintenance technicians were informed of the details of this event.

LER #: 317-83-028 | Plant: Calvert Cliffs 1 | Event Date: 830524

EA#83-58; IEN #83-56. During normal power operation at 1615, discovered that both ECCS pump room air coolers were out of service from about 1900 on May 24, 1983 to 1715 on May 25, 1983. With No. 12 cooler out of service for maintenance, the salt water inlet valve to No. 11 cooler was shut to facilitate draining the salt water piping on No. 12 cooler.

Without this room cooling, both trains of the ECCS and the containment spray system (CSS) were considered inoperable in that required auxiliary equipment, specifically the pump room air coolers was out of service. This occurred primarily because operators did not recognize that the coolers provided a necessary support function for the ECCS and CSS.

Consequently, an operator shut the inlet valve to the operating cooler while maintenance was being performed on the other cooler. A causative factor in this incident was that the procedures used to perform the maintenance activity on the coolers were not sufficiently detailed. As a result, one cooler was drained into the redundant cooler by means of a temporary hose connection without a formal and systematic evaluation of the safety implications. (EA#83-58)

LER #: 317-83-061 | Plant: Calvert Cliffs 1 | Event Date: 831012

Inadvertent isolation of shutdown cooling was caused by failure to deactivate RCS pressure sensing instrumentation prior to performing a hydro test on instrument sensing lines. Procedure changes would require a review of transmitter electrical process functions prior to pressure testing.

LER #: 318-81-004 | Plant: Calvert Cliffs 2 | Event Date: 810204

NSAC/52. Lost shutdown cooling because a vital ac bus was "inadvertently" deenergized causing a shutdown cooling return header valve to shut.

Preventive maintenance procedures for vital ac inverters and backup bus components were revised to include the required power source lineup necessary for the maintenance.

LER #: 318-82-053 | Plant: Calvert Cliffs 2 | Event Date: 821122

SDC flow was lost when return valve, 2-SI-652, shut when the instrument power supply panel was deenergized due to an incorrectly installed temporary jumper.

The technician assigned to determine the electrical lineup required failed to clarify the exact power supply being deenergized. This resulted in incorrect temporary jumper location. Also, the technician did not clearly describe the power supply on the lineup document. The technician was reinstructed on the requirements related to temporary lineups.

LER #: 318-82-055 | Plant: Calvert Cliffs 2 | Event Date: 821228

A vital ac inverter failed causing a 120V ac vital bus to deenergize closing shutdown cooling return isolation valve, rendering both shutdown loops inoperable. Licensee investigation found the original fuse coordination scheme was not well designed.

In addition, problems were experienced with the current limiters that fed the inverters. Corrective action included modifying the fuse coordination scheme and removing the current limiters.

LER #: 318-83-001 | Plant: Calvert Cliffs 2 | Event Date: 830104

Same problem as described in 318-82-055.

LER #: 318-83-005 | Plant: Calvert Cliffs 2 | Event Date: 830107

Because of a test procedure deficiency (lack of caution statement) the operating DHR pump stopped due to test of recirculation actuation signal.

LER #: 318-84-005 | Plant: Calvert Cliffs 2 | Event Date: 840426

With the plant in mode 6, an electrical lineup was performed to allow preventive maintenance on a 24A 480V ac bus. This lineup powered 21 diesel generator (DG) auxiliaries from a bus receiving its backup power from 12 DG, thereby causing a loss of independence between 21 and 12 DGs.

Although 21 DG was considered inoperable at this point, that fact was not conveyed to personnel on subsequent shifts. Since only one DG is required operable in mode 6, no technical specification action statements were entered and hence no log entry to the effect that 21 DG was inoperable was made. The following shift, not realizing the lack of independence, removed 12 DG from service, which resulted in inoperability of both DGs.

To prevent a recurrence of a similar event the following corrective actions were to be taken:

(1) A list of equipment required to maintain DG operability would be prepared for each DG. When a condition arose that required a DG to be placed out of service, these lists would be used as an operator aid for verifying the operability of the redundant DG. The lists include both mechanical and electrical systems that are required to maintain DG operability.

(2) All licensed operators would receive training during the annual requalification cycle on the conditions surrounding this event. Particular emphasis would be given to the role electrical distribution plays in supporting DG operability.

LER #: 327-81-032 | Plant: Sequoyah 1 | Event Date: 810325

With the unit in mode 1 at 98% RTP, at 0436(c), the 2B-B diesel generator was removed from service for inspection to fulfill a surveillance requirement.

At 1325(c), the ABGTS "A" train was removed from service to reroute an air line for FCO 30-146B. On March 25, 1981 at 0030(c), it was determined the operability requirements for ABGTS could not be met with both the 2B-B diesel generator and the ABGTS "A" train inoperable. This resulted in both the ABGTS trains being inoperable. This error was the result of misinterpretation of LCO 3.0.5 by the assistant shift engineer. The ABGTS "A" train was returned to service at 0125(c) within the one-hour time of LCO 3.0.5.

The requirements of LCO 3.0.5 were discussed with all shift engineers, assistant shift engineers, unit operators, and shift technical advisors.

LER #: 327-82-116 | Plant: Sequoyah 1 | Event Date: 820916

The W supplied procedure did not adequately describe precautions that should be taken when cutting off power to the output relays of the SSPS, train "B."

When the power fuses were pulled, the train "B" RHR suction valve closed, rendering the RHR system inoperable.

LER #: 327-83-112 | Plant: Sequoyah 1 | Event Date: 830911

IEN#84-37. Manual reactor trip channel test procedure was incorrect in that it allowed for the disabling of both trains of the SSPS (Solid State Protection System) automatic trip logic during testing. This could have prevented an automatic reactor trip in the event of uncontrolled rod withdrawal with the reactor subcritical.

The procedure instructed the instrument mechanics to install a jumper in both trains of the SSPS cabinets from the energized 48V bus bar to the UV coil relays. This was done to ensure that the reactor trip breakers tripped from the trip (shunt) coil instead of the UV coil, thus independently testing this trip mechanism as recommended by I&E Circular 81-12 dated July 22, 1981. The installed jumpers caused the UV coil to remain energized, preventing any automatic trip actuation.

Further investigation into the history of the procedure shows that in March 1980 the procedure was revised from R0 to R1 which added the jumpers to allow for independent testing of the shunt coil. The error in the procedure was undetected in the review process and in the subsequent performance of the test for three years. The test was performed during startup prior to going critical. At no time during this period did the testing exceed one hour.

To prevent recurrence the procedure was revised to open the MG set load breakers to ensure that the rods were deenergized prior to closing the reactor trip breakers.

(Note: The "shunt trip modification" that is due to be completed during an August 1985 outage will result in trips from the shunt coil or the UV coil and will eliminate the need for jumpering during the test.)

LER #: 334-81-047 | Plant: Beaver Valley 1 | Event Date: 810606

AO#81-3; Precursor; E201. Manually operated suction isolation valve in the ECCS was found closed rather than locked open. Loss of high-head safety injection capability because water from the RWST would not have been available automatically to the three HHSI pumps for injection into the core under emergency conditions. NRC investigation identified two generic procedural concerns that may have contributed:

(1) procedures did not ensure timely withdrawal of access authorization of personnel being terminated under adverse circumstances, and (2) criteria for authorizing unescorted access to vital areas were not sufficiently selective.

LER #: 335-83-021 | Plant: St. Lucie 1 | Event Date: 830329

The shutdown cooling hot leg suction valves closed when construction personnel shorted out the power supply to one of the control grade pressure indicator control circuits which gave a close signal to the valves. Action to prevent recurrence was not reported.

LER #: 336-81-001 | Plant: Millstone 2 | Event Date: 810102

Precursor; PRE V.3 #3; C104. Reactor trip occurred when the main dc breaker was opened (subsequent events include loss of RP instrumentation). Operator opened breaker instead of rotating the ground detector switch. Although both the mistaken ground detector and breaker switches are located on the face of the switchgear cabinet and are adjacent to each other, the switch handles are of different styles and the breaker control switch is covered with a plastic cover plate.

It was considered that any additional physical protection of the breaker control switch would interfere with the possible requirements for rapid manual operation of the breaker; however, licensee upgraded the switchgear component labels.

LER #: 336-81-043 | Plant: Millstone 2 | Event Date: 811209

NSAC/52; Trip signal deactivated LPSI.

Heatup and cooldown limits (TS) were exceeded (Mode 5 to Mode 4) for two minutes. LPSI pump tripped due to turbine generator circuitry activated by switchyard breaker testing.

Intermediate corrective actions included changes to the operations procedure to bypass that trip circuit when the LPSI pump was used for SDC.

Final action to prevent recurrence was installation of an annunciator to signal a LPCI pump trip.

LER #: 338-82-067 | Plant: North Anna 1 | Event Date: 821019, 821020

With vessel drained to centerline of hot leg nozzles, RHR suction was lost on both trains because of ambiguous level indication (10/19, 36 min. loss; 10/20, 33 min. loss). No action to prevent recurrence was reported.

LER #: 338-82-082 | Plant: North Anna 1 | Event Date: 821206

The automatic safety injection block was not reset following an inadvertent safety injection on December 5, 1982. This condition was recognized 22 hours and 30 minutes later. Licensee revised emergency procedures concerning securing a safety injection. A step was added to cycle the reactor trip breaker to reset the automatic safety injection block.

LER #: 339-82-022 | Plant: North Anna 2 | Event Date: 820528

Both trains of the North Anna 2 Quench Spray Subsystem and the Recirculation Spray Systems were inoperable for 17 minutes because jumpers had been installed in the Train A instead of the Train B Solid State Protection Output Cabinet, and double verification did not detect the error.

The engineer and electrician involved each had approximately one year of experience. However, the electrician was just carrying out the instructions from the engineer. The engineer had expected to work on Train A and had that on his mind when he was sent to work on Train B.

They went to the Train A cabinet. Even though he had the correct procedure, component markings in the Train A cabinet were the same as those in the Train B cabinet. The LER stated that color coding of the solid state protection cabinets was "being considered as a prevention against personnel entering the wrong train," however, although the licensee's electrical engineering staff had recommended color coding of the cabinets, this was never done.

Note: According to records kept by the engineer, he had worked 13-hour backshifts on four consecutive days prior to this event. However, he felt that this had no influence on his performance.

LER #: 339-82-026 | Plant: North Anna 2 | Event Date: 820520

On May 20, 1982, with unit 2 in mode 5, the suction to the residual heat removal system (RHR) pumps from the reactor coolant system (RCS) was lost on three occasions; once for 8 minutes, once for 26 minutes, and once for 1 hour. In each case the RHR pumps were not deenergized for >1 hour and no dilution of the RCS occurred.

The primary cause for each of the above mentioned events was unreliable primary level indications while draining the RCS. The higher than normal indications in the primary level hose were occurring because the level hose was connected to the aerated primary vent system. This system operated at a slight vacuum as it was evacuated through the gaseous waste system to the release point. Such a situation resulted in a higher than actual level being indicated in the primary level hose.

The immediate action was to start a charging pump and to refill the RCS from the refueling water storage tank. Subsequent to refilling the RCS, a RHR pump was placed in service and RHR flow was restored.

A procedure change to OP-11.3, Aerated Primary Vent System (VA), to connect the primary level hose to the pressurizer vapor space, rather than to the VA header, was initiated to eliminate the ΔP problems that were occurring between the RCS and the primary level hose and causing unreliable primary level indications.

LER #: 339-83-038 | Plant: North Anna 2 | Event Date: 830503

With unit 2 in mode 6, suction to the "B" residual heat removal (RHR) pump was lost while transferring water from the reactor coolant system (RCS) to the refueling water storage tank (RWST) via the refueling purification (RP) system. The "A" pump was secured and the "B" RHR pump started but suction was not available.

Suction to the RHR pump was lost because the RCS was pumped below the established operating limit.

Pumping of the RCS continued without adequate monitoring of the RCS level. The RCS was refilled and RHR pump suction restored. The responsible senior operator was reinstructed.

LER #: 344-81-012 | Plant: Trojan | Event Date: 810626

NSAC/52. During RCS level reduction the RHR pump began cavitating and was stopped to prevent pump damage. Investigation found the RCS level stand pipe to be indicating erroneously due to inadequate venting of the PZR. The RCS was vented, the level was restored and the pump was restarted in about 75 minutes. (Cause was inadequate venting of the PZR and corrective action was review of procedures and review of importance with operating personnel.)

LER #: 344-82-015 | Plant: Trojan | Event Date: 820820

Plant entered mode 4 and then mode 3 on August 18, 1982 with both trains of automatic safety injection (SI) blocked. Operators on shift were not aware that both trains of ECCS automatic SI were required by technical specification. This event was discussed with the shift supervisors.

LER #: 344-83-002 | Plant: Trojan | Event Date: 830122

AEOD/T416 dated August 1, 1984. While the plant was at 4% reactor power preparing for shutdown, a high-high level on one steam generator caused an automatic trip and an automatic start of the auxiliary feedwater (AFW) pumps from the control room. The operator manually shut off the AFW pumps and was unable to restart them. Auxiliary feedwater was supplied by the non-ESF electric AFW pump until the other pumps could be restarted.

A combination of inadequate procedures and operator training caused the event. The method of manually securing the turbine-driven AFW pump rendered it incapable to restart without local manual reset.

By manually shutting down and trying to restart the AFW pumps when he did, the operator interrupted the sequences which assure that the correct equipment is available for the pumps to operate.

In the case of the diesel-driven pump, the pump had already reached its minimum operating speed when the operator turned the control switch to stop and released it before the diesel came to a full stop. When he released the stop switch, it went to "Auto After Stop" and the pump again received a signal to start because the main feed pumps had tripped. Since the pump had not stopped and the engine was still rotating at more than 40 rpm, the starter motor was disengaged, thus preventing pump start. In addition, shortly after the second auto start signal was received, the low lube oil pressure switch trip engaged because the automatic start signal opens the trip and throttle valve over a 20 second time period to prevent turbine overspeed. When the operator manually stopped this pump from the control room only the startup valve was closed. Therefore, when the operator attempted to restart the pump and the startup valve opened, the trip and throttle valve was also full open and the pump tripped on overspeed. This overspeed trip would occur each time the operator used only the startup valve to manually start or stop the pump. Corrective actions included revisions to procedures (diesel and turbine-driven pump operation) and additional operator training.

LER #: 344-83-013 | Plant: Trojan | Event Date: 830908

While at 100% power a maintenance tagout was prepared at 0545 for the Trojan "A" train boric acid transfer pump by the assistant control operator. The tagout correctly deenergized the "A" train pump but incorrectly called for valving out the "B" train transfer pump. The tags were then hung as called for in the tagout. At 0840 when the maintenance person went to work on the "A" train pump, his verification check of the tagout discovered that the "B" train pump was improperly valved out. He informed the control room and the tags on the "B" train valves were removed restoring the boric acid flow path. The boric acid flow path was inoperable for three hours in violation of technical specification.

LER #: 344-84-110 (Insp. Report #) | Plant: Trojan | Event Date: 840324

Operations personnel failed to recognize that one AFW pump was out of service and that the surveillance testing of the RPS rendered the other inoperable per technical specification.

Inspection Report and Notice of Violation EA84-33, dated May 4, 1984, points to improvements necessary in the management commitment to improving the coordination of maintenance and operations activities.

LER #: 344-84-010 | Plant: Trojan | Event Date: 840504

During an RCS drain down to support refueling, a faulty level measurement led to air binding of the RHR pump. The RCS was vented to atmosphere.

A tygon manometer configuration was being used to measure RCS level, however, "crud blockage" of the manometer tap led to erroneous level measurement. RCS temperature went from 105°F to 201°F during the 40 minute loss.

In order to prevent recurrence a number of changes were made to procedure 01-3-2, "Draining the Reactor Coolant System":

Alert the operator to promptly restore RHR flow, if lost, especially during high decay heat generation conditions.

Do not permit removal of the RHR system from service for a planned evolution until the reactor has been shut down for greater than ten days and only after considering the decay heat load, duration of evolution, and available backup heat removal mechanisms.

A curve was developed that provides direction for the operator to verify that the RCS level decrease during drain down is consistent with the indicated volume of liquid drained from the system.

Require the level stand pipe 'B' loop lower tap to be flushed at approximately 150 psig pressure to remove any corrosion products prior to placing the system into service.

Require the RHR discharge valves to be closed prior to starting RHR pumps and initiate RHR flow slowly with a maximum allowable RHR flow when drained to loop centerline.

LER #: 348-82-021 | Plant: Farley 1 | Event Date: 820510

(Referred to in AO#84-1).

While performing "Penetration Room Exhaust and Air Filtration System Train Operability and Valve Inservice Test," an operator inadvertently closed the containment spray suction valves from the refueling water storage tank. The valves were closed at power for seven hours.

LER #: 361-83-071 | Plant: San Onofre 2 | Event Date: 830621

With the plant in mode 5 and during surveillance testing in accordance with procedure 5023-3.23, diesel generator 2G002 (Train A) was declared inoperable at 1009 when it failed to start.

Since boration equipment (i.e., HPSI and charging pumps) was either aligned to Train A or out of service per procedure, inoperability of 2G002 resulted in no operable boration flow paths powered by emergency power sources.

Diesel generator 2G002's failure to start was due to air supply valve MU082 being closed. This valve was located on the air supply line to the set of air start motors on engine #1 for the diesel. It was considered most likely that MU082 was inadvertently closed during the line up to conduct the surveillance test on June 21. At that time, similar valves in Train A were deliberately closed. However, because there was the possibility of an unauthorized manipulation of MU082 between June S and June 21, 1983, the seriousness of unauthorized valve manipulations was reemphasized to operating personnel. Also Special Order 83-39, which responds to IE Bulletin 83-27 and details action to be taken when misalignment of a system is discovered, was implemented. No other misalignments were noted.

LER #: 362-82-005 | Plant: San Onofre 3 | Event Date: 821205

On December 4, 1982 at 2242 with Unit 3 in Mode 5, Train B Diesel Generator 3G003 was removed from service requiring entry into the Action Statement associated with LCO 3.1.2.3 since other boration paths were not available at the time because of various inoperable equipment. (No boration flow path powered by an emergency power source was available.)

Although the determination that the Action Statement was to be invoked was not made until 0545 on December 5, 1982, the requirement of the Action Statement had been satisfied since no core alterations or positive reactivity changes were in progress at the time.

This occurrence was caused by failure to recognize the full impact of taking the Train B diesel out of service. Train B diesel generator was returned to service at 0600 on December 5, 1982. As corrective action to prevent recurrence, responsible operations personnel reviewed the circumstances of this event and were directed to perform a more detailed review of the impact on plant operations of taking a diesel generator out of service. This was to be included in their monthly retraining session.

362-84-009 840317 San Onofre 3: (AO#84-6; referred to in AO#84-1; IEN 8-39; Enforcement Notice 84-29).

While performing routine surveillance at nearly full power, manual isolation valves in both of the containment spray headers were found closed.

System was inoperable for about 13 days. Cause of the misalignment of the isolation valves was improper use of the valve alignment checklist.

On February 27, 1984, unit 3 went from mode 5 to mode 4, but a need was later identified to return to shutdown cooling, which was done on February 29, 1984. Following the required repair work a partial valve alignment checklist was developed to realign the containment spray system (CSS) for mode 3 entry. CSS valves MU012 and MU014 were omitted from the list.

The licensee revised written procedures to ensure the proper alignment of valves prior to entering a mode of operation for which the system is required to be operable. Steps were also taken by the licensee to ensure more effective controls over the preparation of and changes to operating procedures. The licensee's training program was revised to provide additional emphasis on operator recognition of proper system alignments during various plant evolutions.

364-82-043 821028 Farley 2: AO#82-7 and referred to in AO#84-1. Farley unit 2 was taken to cold shutdown on October 24, 1982, to begin a refueling and maintenance outage. On October 28, 1982, while aligning valves for certain scheduled inservice inspections, the licensee found the containment spray header isolation valve on each of the two supply headers locked in the closed position. The valves, located inside the unit 2 containment building, supply separate, redundant, containment spray rings. After investigation and record searches of valve movement documentation, the licensee concluded that the valves had been closed since before the plant achieved initial criticality on May 8, 1981. Thus, the redundant containment spray systems were inoperable during this period (17 months) and consequently would have been unable to fulfill their safety function.

The event was caused by the valves not being in conformance with design drawings and by a procedural inadequacy used for operator determination of valve position. A unique condition developed in these valves when the vendor, Westinghouse, made a design change that lengthened the valve stem to increase the valve's adaptability to a motor operated valve (however, as described above, the valves are manually operated at Farley). The design change resulted in a valve stem that makes the valve appear to be open when it is actually closed.

That is, in the closed position, the extra long valve stem shows six inches of threaded stem extending out of the bonnet. Therefore, operators who were instructed and trained to observe valve stem positions in order to verify the valve positions, erroneously interpreted these valves as being open when they were, in fact, closed.

In addition, Westinghouse had not provided revised drawings showing the valve modification. As a result, the overall dimension of the installed valve stem was six inches longer than that specified.

As part of the corrective action, Alabama Power obtained concurrence from Westinghouse Corporation to cut the excess stem off the valves so as to conform with design drawings and with other rising stem gate valves throughout the plant.

In addition, as a further safeguard to prevent recurrence, plant administrative procedures covering valve position verification were changed to require that manual valves which are locked open would be moved in the shut direction to verify their position; then the valve would be returned, if applicable, to the original position.

369-81-180 811112 McGuire 1: While at 48% power, the containment temperature exceeded Technical Specification 3.b.1.5 limits (120°F) and two temperature sensors indicated as high as 145°F. For personnel safety, the containment was evacuated. The containment temperature was only excessive for about 10 minutes and was quickly brought under control once the Unit 1 Containment Ventilation Cooling Water valve was reopened. Thus, no heat damage to containment and equipment occurred.

Unit 1 containment ventilation return isolation valve 1RN153 (B1F) had been mislabeled 1RN863 (Unit 2 Containment Ventilation Return Isolation) by construction and was closed, inadvertently isolating containment ventilation cooling water to the Unit 1 containment ventilation system. The valve was reopened, the metal valve labels switched and construction valve documentation changed.

Incorrect identification of equipment is likely to lead to errors. When the NEO initially closed 1RN153 (mislabelled 1RN863) he noticed he seemed to be throttling flow though no flow should have existed and he notified the assistant operating engineer who verified that 1RN863 should be closed.

369-81-185 811118 McGuire 1: NSAC/52.

On November 18, 1981, with Unit 1 in Mode 5, cold shutdown, both residual heat removal (RHR) loops were rendered inoperable when an inlet isolation valve inadvertently shut. Concurrently a pressurizer high temperature alarm was received.

RHR pump A was immediately stopped to protect the pump, and action to restore the system to operation was initiated. The valve was reopened and the system was operating after a 22 minute shutdown.

Investigation revealed that construction personnel working in accordance with a shutdown request had disconnected the pressurizer vapor space temperature sensor signal cable. This signal is used as a diverse means of providing overpressure protection to the RHR system. When the signal lead was disconnected a fail-safe characteristic caused the valve actuator to close the valve.

Operators were cautioned about the possibilities of RHR isolation due to actuation of protective features.

369-82-017 820212 McGuire 1: While in Mode 1, control room alarms indicated the closing of all four accumulator discharge isolation valves, rendering the upper head injection (UHI) portion of the Emergency Core Cooling System inoperable.

Investigation discovered an open-ended leak on an impulse line to a UHI level switch which resulted from the failure of a Parker-Hannifin fitting to hold the impulse line intact, probably due to an installation deficiency. The train A valves were successfully reopened using control room manual actuators. The leak was repaired, and the train B valves reopened within an hour.

Appropriate Parker-Hannifin fittings were verified installed correctly.

369-82-024 820302 McGuire 1: While draining the Reactor Coolant System for steam generator inspection, investigation of a residual heat removal (RHR) pump low discharge pressure alarm resulted in RHR pump 1A being stopped due to signs of cavitation. With the redundant pump 1B out of service for maintenance, no means existed for removing core residual heat, which violated and was reportable per technical specification. RHR was restored in less than one hour. Analysis indicated that RHR could have been shutdown almost four hours before the onset of boiling.

A misapplication of the transmitter for the control board level gauge led to inaccurate indication of the Reactor Coolant (RC) System water level. RC level was raised to the minimum level for RHR operation, and normal RHR flow was resumed. A modification to have the reference leg of the transmitter connected to the PORV discharge line, redundant level indication and expanded scale in the normal RC level range for RHR operation was planned (design modification).

369-82-030 820423 McGuire 1: While in Mode 1, diesel generator (D/G) 1A failed to start for a periodic test and was declared inoperable. Since centrifugal charging pump (CCP) 1B was out of service for periodic maintenance, neither CCP was operable and a unit shutdown was commenced. During the shutdown the reactor was manually tripped due to an unrelated feedwater problem. Offsite power was available throughout the incident.

Apparent cause of the incident was the failure of the station design change implementation program to adequately control work on station modifications. CCP pump 1B and D/G 1A were returned to service on April 24. Drawings would be prepared to accompany each modification with changes marked to avoid confusion and a training program on the design change process and the proper usage of drawings was to be developed.

369-83-017 830405 McGuire: RHR pumps began to cavitate because the valve for the level sensor had been closed and because procedures did not require visual monitoring of cavity level.

369-83-084 830929 McGuire 1: (Referred to in AO#84-1).

On September 28, 1983, containment spray (CS) system train "B" was declared inoperable due to a loss of power indication to the containment pressure control system (CPCS) pressure transmitter. On September 29, 1983 (with CS train B still out) nuclear service water (RN) train A was declared inoperable due to water in the oil reservoir of RN pump 1A. Since RN is required for CS operability, both CS trains were inoperable.

The power supply for the CPCS failed and was subsequently replaced. The drain line for RN pump 1A seal catch basin was clogged, allowing water to back up and enter the outboard bearing. The oil reservoir was refilled. The failure to identify the impact of RN train A on CS train A's operability was attributed to personnel error. Appropriate personnel were counseled and a T.S. reference manual revised (procedure now requires a logging of all systems that are impacted when a given system is taken out of service).

The shift supervisor knew better, but was overwhelmed. Certain periods (e.g., between 8:00 and 10:30 am) can be particularly demanding (because of numerous requests for clearance of systems to perform surveillance and maintenance).

370-83-092 831231 McGuire 2: During draining operations of the reactor coolant (RC) system, residual heat removal (RHR) pump B was observed to have zero discharge flow and was subsequently tripped and RHR train B declared inoperable. This constituted a degradation of the reactor coolant system (cold shutdown loops not filled; similar to LER 370/84-01 and 369/82-24).

Immediate action was taken to restore both RHR loops to operable status (restored in 43 minutes). Had the return to service been further delayed, core cooling could have been provided by additional valve cycling.

This was attributed to procedural deficiencies, due to inadequate guidelines regarding the water level to be maintained in the reactor coolant (RC) loops during RHR operation. The fueling water storage tank to RHR pump isolation valve was cycled to provide core cooling and raise RC system level until flow was restored. Procedures were to be revised by March 31, 1984. Additional corrective actions were detailed in LER #370/84-01.

370-84-001 840109 McGuire 2: On December 31, 1983, at approximately 1640, during draining operations of the reactor coolant (RC) system, residual heat removal (RHR) pump B was observed to have zero discharge flow.

Pump B motor amperage was low, and the RHR system pressure and pump B discharge pressure were equal. Based on these factors, RHR pump B was tripped and RHR train B was declared inoperable at 1650. The FWST to RHR pump isolation valve was twice cycled to provide core cooling and raise RC system level with water from the Fueling Water Storage Tank, while venting the RHR suction line and pump B.

The core temperature rate of rise decreased after the first water addition and the second addition resulted in slightly decreased core temperatures. RHR pump D was restarted at 1720 and flow was restored.

On January 9, 1984, operators were again decreasing level in the reactor coolant loops when a computer alarm for low RHR pump A discharge pressure was received. Fluctuations in RHR pump A motor amperage were noted and simultaneous fluctuations in discharge pressure and flow also occurred. After the "Low RHR Flow" annunciator alarmed RHR pump A was tripped at 1246, and RHR train A was therefore inoperable. Operators manually opened the RHR system to FWST isolation valve, raising the reactor coolant loop level with water from the FWST. The suction line and pump were vented and the pump was restarted at 1348.

These incidents were attributed to procedural deficiencies, due to inadequate guidelines regarding the water level to be maintained in the reactor coolant loops during RHR operation. A number of design and procedural changes were made to prevent recurrence of this event.

370-84-002 840115 McGuire 2: During filling and venting operations for Unit 2 startup, operators closed the breakers for valves 2ND-1B and 2ND-2A ('C' reactor coolant (RC) loop to residual heat removal (RHR) pumps isolation valves) on January 15, 1984.

Fuses for the A and B train output relay cabinets of the solid state protection system (SSPS) had been removed on January 9, 1984, to permit transmitter time response testing. Normally closed contacts in the CLOSE circuits of the valves are controlled by SSPS output relays.

With SSPS outputs deenergized, the contacts completed the circuits, providing CLOSE signals for 2ND-1B and 2A. Thus, when the breakers for 2ND-1B and 2ND-2A were closed the valves immediately closed, isolating RHR suction.

Both RHR trains were declared inoperable at 2207. Unit 2 was in Mode 5 with the reactor coolant loops not filled at the time of the incident. Operators responded by tripping RHR pump A and chemical and volume control pump A and reopening the breakers for 2ND-1B and 2A.

The valves were manually opened and RHR pump A was restarted.

The incident was attributed to personnel error. Appropriate measures to ensure control over 2ND-1B and 2A were not taken on January 9, 1984, when the SSPS output relay cabinets were deenergized. Procedures were revised and appropriate personnel were counseled.

370-84-004 840115 McGuire 2: Chemical and volume control (CVC) pump 2A was declared inoperable at 2317 on January 15, 1984, after the pump was started and run for approximately 19 minutes without suction. The volume control tank outlet isolation valve inadvertently closed prior to starting the pump, causing destruction of the pump. During this time, CVC pump 2B was inoperable for maintenance. With both CVC pumps inoperable, the limiting conditions of technical specifications were not met. However, the Action Statements were met since no operations involving core alterations or positive reactivity changes were conducted. Unit 2 was in Mode 5 at the time of this incident.

This event was attributed to personnel error due to the operators' failure to verify a suction path prior to operating CVC pump 2A. Also, they subsequently failed to identify the loss of suction to the pump during operation despite control board indications and numerous indirect operator aid computer (OAC) alarms.

CVC pump 2A was repaired. Appropriate personnel were to be counseled with emphasis placed on verification of flow paths prior to starting any pump and giving OAC alarms proper attention.

APPENDIX C-2

LOSSES OF SAFETY SYSTEM FUNCTION INVOLVING HUMAN ERROR

Descriptions of BWR Events

LER # * / Plant / Event Date / Descriptions / Notes

155-81-022 810917 Big Rock Pt.: Reactor depressurizing system (RDS) Channel A (one of four channels) was being removed from service at 1230 hours on September 17, 1981 to allow maintenance work on the battery power supply for that channel. Switching had been completed at the actuation and sensor control panels making one of four blowdown loops inoperable.

The auxiliary operator then went to a remote location to complete the switching and tagging order for Channel A.

He inadvertently entered the small room containing the battery and power supply controls for Channel C and opened two breakers (CB-8 and CB-9) which made a second loop inoperable. Unaided by any indication or other communication he realized that he was at the wrong panel and immediately reenergized the equipment. Several more steps on the switching and tagging order had not been done. The auxiliary operator then notified the control operator in the main control room of the error.

Annunciations of an abnormal condition with Channel C registered properly in the control room so the potential for operation with less than three loops in service for any extended time would be improbable. Reset of the two breakers (CB-8 and CB-9) by the auxiliary operator cleared the abnormal condition. Additional verification of operability of Channel C was subsequently made using the standard monthly surveillance test.

The auxiliary operator was briefly misled because the four RDS battery rooms and equipment were similar in appearance and were unidentified and corresponding circuit breakers and controls on the four power panels in the separate rooms had identical markings (i.e., there were four breakers marked "CB-8").

* Events are in order of increasing Docket/LER number.

Prominent identification was installed in the four individual rooms and on the panels.

The event was reported because two of four blowdown loops were inoperable, when three of four were required to be operable to mitigate a small break LOCA. However, minor safety significance was associated with this event because the operator immediately returned the third loop to operation.

219-82-031 820614 Oyster Creek: While at power, with control rod drive (CRD) Pump A out of service, the diesel generator associated with CRD Pump B was removed from service for monthly maintenance.

In this configuration, if off-site ac power was lost, both CRD pumps would be unavailable. This was in violation of technical specifications, Section 3.7.C.2 which required that none of the engineered safety features normally fed by the operational diesel generator be out of service before the reactor was placed in the cold shutdown condition. Diesel generator surveillance procedures were changed to give prerequisites for removal from service. Licensed operators were informed of this problem.

237-81-030 810526 Dresden 2: During normal operation an operator noticed the HPCI steam line was cold and filled with water.

Investigation found the valve disc had been installed backwards in the HPCI turbine steam supply valve (thus preventing the drainage of condensate). The procedure for this job was changed to require verification of correct disc installation.

254-81-024 811209 Quad Cities 1: Secondary Containment was inadvertently lost while making preparations for an internal inspection of the underground length of the Unit One RHR "A" Service Water Line. Both ends of the pipe were open for a seven hour period during which time Secondary Containment was open to the Unit One Turbine Building. This happened because procedures for opening secondary containment were not properly used in preparation for the job. The personnel involved were trained in the proper use of the procedure.

277-83-006 830323 Peach Bottom 2: On March 23, 1983, investigation of a downward spike on a torus level recorder identified an open instrument vent valve to the containment.

This valve should have been closed and capped during reactor operation. The investigation found that during a previous investigation (March 20, 1983) into a torus level recorder spiking problem, the torus level transmitter was removed from service for calibration. After completion of the calibration, the transmitter was apparently returned to service without isolating the test connection (improper return to service). Based on the primary containment integrity definition in the technical specifications, primary containment was not established for about 80 hours during reactor operation.

278-81-008 Peach Bottom 3: During the installation of a new penetration test connection to a 1" containment atmospheric dilution line (CAD), primary containment integrity was breached to secondary containment for 90 minutes.

With unit at full load, a safety block was applied to a portion of the CAD system to install a new test connection. A section of the "A" loop CAD system piping to be modified should have been isolated by closing the manual valve between containment and the location where the pipe was to be cut. Due to an incorrect location identification for the manual valve on a system check-off list, the manual isolation valve was closed on the "B" CAD loop instead of the isolation valve on the "A" loop. The construction work force then proceeded to cut the "A" loop piping and to install a new welded tee connection. The slight differential pressure which existed between containment and secondary containment alerted the craftsmen to the problem.

This event occurred because the system check-off list incorrectly located the "A" loop valve and a valve on the "B" loop was isolated. When the valving error was discovered, the "A" loop isolation valve was closed, reestablishing primary containment integrity. The system check-off list was corrected, and identification tags were put on the valves.

This event had medium significance because primary containment was unknowingly breached to secondary containment.

It was fortuitous that containment integrity could be reestablished by closing the "A" manual isolation valve.

278-84-007 840602 Peach Bottom 3: On June 2, 1984, at approximately 8:05 a.m., with unit 3 at zero percent power level, the high pressure coolant injection (HPCI) system was made inoperable for maintenance work with the reactor pressure greater than 105 psig. At the time of the event, RCIC was out-of-service due to the inoperability of the inboard isolation valve. In less than 2 hours, the reactor pressure was reduced below 105 psig and HPCI was no longer required by technical specifications to be operable.

Unit 3 was in the process of being placed in the cold shutdown condition at the time of the event and was in such a condition within 24 hours. The cause of the event was the failure of operations personnel to realize that making HPCI inoperable would lead to a technical specification limiting condition for operation. The individual involved was counseled on the importance of adhering to technical specifications.

293-81-64 811211 Pilgrim 1: During a refueling outage while performing a power supply transfer, power was momentarily lost causing a high reactor pressure isolation signal.

This resulted in automatic closure of the residual heat removal (RHR) shutdown cooling suction valves.

The running RHR pump should have tripped when the RHR valves left their full open position, but did not because of corroded contacts in the trip logic.

However, there was indication in the control room that the valves were closed. This condition went unrecognized by the operators of two shifts for approximately 5 hours. The control room operator failed to notice the discrepancy (running pump and shut valve).

Operators on two consecutive shifts were so overloaded with administrative duties and distracted by control room activity that they failed to notice loss of all shutdown cooling. Contributing factors were (1) poor shift turnover procedures, and (2) failure by management to recognize the importance of controlling activity in the control room and controlling the responsibilities of control room operators. Licensee now has "shift administrative assistants" to help relieve operators from this burden.

293-83-048 830929 Pilgrim 1: (Referred to in AEOD Preliminary Case Study "Overpressurization of Emergency Core Cooling Systems in Boiling Water Reactors," dated February 1985.) On September 29, 1983, during HPCI system logic testing while the plant was at 98% power, the low-pressure suction piping of the HPCI system was overpressurized to near operating reactor pressure and temperature. The event occurred when two HPCI pump discharge motor operated valves were simultaneously opened as a result of personnel errors. The errors consisted of conducting more than one surveillance test at the same time and not ensuring that test prerequisites and initial test conditions for all steps in the test procedures were met. The overpressurization occurred, when the pump discharge valves were opened, because the testable isolation check valve downstream of the discharge valves was also partially stuck open at the time. The overpressurization of the suction piping (which is designed for 150 psi) ruptured the gland seal condenser gasket on the HPCI turbine. This in turn caused a mixture of water and steam to spray from the condenser onto a limit switch. The water spray resulted in a 250V dc battery ground and a large amount of water on the HPCI room floor.

Smoke detector alarms also were set off by the vapors from the heated paint on the low-pressure piping. A high suction pressure alarm and a lube oil high temperature alarm were also actuated.

To prevent a recurrence of the personnel errors, instructions for verbal communications were to be implemented at the plant.

298-81-017 810613 Cooper: During hot startup, while attempting to warm up the steam supply line, RCIC-MOV-M016 failed to open. Troubleshooting revealed a wiring error which resulted in the torque switch being in the open control circuit instead of being bypassed. The jumper required to bypass the torque switch during valve movement in the open direction was missing. The purpose of the jumper was to positively ensure that the valve opened during system initiation without regard for over-torque protection of the motor operator.

This jumper was probably omitted from the limit switch contact block when the block was replaced during maintenance on July 5, 1978. The problem was immediately corrected by increasing the setting of the 'open' torque switch during troubleshooting. After a subsequent engineering evaluation by the licensee, the jumper was installed and the valve tested satisfactorily.

A copy of the LER was routed to the electrical maintenance personnel.

298-84-007 840419 Cooper: While scheduled construction work was in progress, a bulldozer inadvertently sheared a hydrant from the fire protection system within the Cooper nuclear station restricted security area. The station fire pumps automatically started, but were later temporarily secured while the hydrant was being isolated from the system. At this point, the fire protection system header pressure had dropped from 140 psig to approximately 10 psig. After the hydrant was isolated, the fire protection system was repressurized by using the electric fire pump.

Starting of the electric fire pump caused a pressure surge which resulted in a system water hammer. This water hammer forced open the clappers on the SBGTS automatic deluge valves which flooded the charcoal filters on the SBGTS trains, rendering both trains inoperable. This placed the plant in a technical specification LCO requiring cold shutdown. The reactor was placed in a cold shutdown condition until the inoperable SBGT trains were made operable.

Immediately after declaring the SBGTS inoperable, steps were taken to acquire new charcoal filters to replace the damaged sets. The new charcoal filters arrived April 20, 1984. Dioctyl phthalate (DOP) and freon tests were completed and the system was returned to an operable condition. The SBGTS was inoperable for a total of 31-1/2 hours.


Lack of attention paid by the bulldozer operator to his working environment, and the failure of the control room operators to restore system pressure gradually, were personnel errors which were identified.

324-83-069 830825 Brunswick 2: During unit power operation while attempting to place 2A and 2B RHR room coolers into service in order to cool the RHR rooms, it was found that neither room cooler would start. RHR room coolers are related support subsystems of the RHR system. As a result of this event, the LPCI and suppression pool cooling modes of the RHR were declared inoperable. Neither room cooler started because the fan start limit switch of 2A was out of adjustment while the airflow dampers of 2B were mechanically binding. The subject limit switches of 2A were adjusted and the damper joints of 2B were lubricated to return each cooler to service.

A preventative maintenance program for the RHR and core spray room coolers' dampers was to be implemented.

325-81-031 810220 Brunswick 1: During normal plant operation a RCIC system "turbine tripped" annunciator was received in the Control Room. An investigation determined that the RCIC turbine had tripped and could not be reset from the Control Room. The RCIC system was declared inoperable. This event occurred because an auxiliary operator manually tripped the RCIC turbine without the consent of the Control Operator while demonstrating to another employee how to reset a RCIC turbine mechanical overspeed trip. At the time of this event, the HPCI system was undergoing periodic maintenance and was unavailable for service. The RCIC turbine was reset and the RCIC system restored to operability. All operations personnel were counseled concerning this event with particular emphasis on good plant communications.

333-84-003    Fitzpatrick    840207

During normal full power operation the high pressure coolant injection (HPCI) system was intentionally removed from service to permit maintenance and modification. On February 7, 1984, the I&C technicians assigned the task of calibration of HPCI speed indication reported to the I&C supervisor that the task was complete and noted that the speed indication circuit had been found out of procedural tolerance by approximately 40 percent. The magnitude of the "as found" out of tolerance speed indication led the supervisor to initiate an investigation into the cause. The investigation revealed that the I&C technicians had calibrated the RCIC turbine speed indication using the procedure for HPCI speed indication. Calibration of the RCIC turbine speed indication utilizing the proper procedure was initiated immediately under the direct supervision of an I&C supervisor. (Completed approximately six and one-half hours later.)

Long term licensee corrective action to reduce the probability of recurrence or similar errors with other systems/components was as follows:

(1) label the HPCI and RCIC turbine control enclosures for positive identification; (2) develop and implement a program for verifying the awareness of I&C technicians with respect to the physical locations of safety related equipment; and (3) continue a program in which I&C technicians complete a plant specific BWR technology course.

333-84-004    Fitzpatrick    840210

During power operation with the high pressure coolant injection (HPCI) system out of service for scheduled maintenance, a dc ground occurred on "A" station battery. During the performance of the ground isolation procedure the dc control power to the RCIC inverter was momentarily interrupted. The momentary loss of dc power to the RCIC inverter requires a manual reset to repower up the inverter. The ground isolation procedure did not inform the operator that a manual reset was required. The loss of both HPCI and RCIC placed the plant on a 24-hour limiting condition for operation. The operator, after determining that the inverter would not reset automatically, performed a manual reset.

Surveillance testing for RCIC operability was immediately conducted and RCIC was declared operable. The consequences of this occurrence were minor due to the short outage of the RCIC system (approximately 30 minutes) and because the ADS and low pressure injection systems were operable.

A change to the ground isolation procedure was incorporated to instruct the operator to manually reset the RCIC inverter.

366-82-095    Hatch 2    820817

With "B" loop of residual heat removal service water system (RHRSWS) out of service for maintenance, personnel tasked with closing "B" loop strainer inlet valve secured the "A" loop valve instead.

This blocked the only open flow path in the "A" loop and thus made the "A" loop inoperable.

For corrective action new identification tags were added to both "A" and "B" loop valves. Also, valve locks were changed such that the key for one loop would not open locks on valves of the other loop (design improvement).

387-83-026    Susquehanna 1    830301

While operating at 100% power, an operator tagged out the "A" standby gas treatment system to allow removal of a test canister from the charcoal bed.

However, due to the extent of the blocking used, the operator unknowingly caused both trains of SGTS to be inoperable. The reactor building HVAC was operable and maintained a 1/4" negative pressure during the event. No other events occurred which required SGTS to operate.

The operator used a common point for tagging out equipment without knowing the consequences of his actions. This resulted from inadequate planning and understanding. The control room operator had accepted the responsibility for specifying the electrical tagout, although the electrical diagrams were of poor quality and were hard to follow. Administrative procedures were changed to relieve the operator from things like specifying tagouts (operators could still approve).

387-83-033    Susquehanna 1    830310

While the reactor was in a cold shutdown condition and the standby gas treatment system was being run to verify secondary containment integrity, two blank flanges were found to be missing on HVAC ductwork that established a flow path from unit 2 to unit 1.

By definition this compromised secondary containment integrity and resulted in higher flow rates than allowed for secondary containment integrity per technical specification.

(This was the result of an inadequate tagout program, i.e., program to control the boundary for separation of the units.)

The blanks were removed by an unknown person(s) on an unknown date (secondary containment flow rate was last checked five months earlier).

The blanks were installed, the fasteners were tack welded and the blanks were tagged as unit separation items. The SGTS surveillance test was performed and resulted in an acceptable flow rate for secondary containment integrity. To prevent recurrence, the following actions were planned or in progress: (1) perform an adequacy review of unit separation; (2) revise the boundary tag program to include as a controlled document the summary sheets of separation components; (3) revise the plant modification request program to include a unit separation review and the implementation of the boundary tag program when a modification is being performed; (4) verify that the identified boundaries have a unique boundary tag utilizing operations and electrical maintenance personnel followed by an independent verification by quality control personnel; (5) perform a review on unit separation components located in Unit 2 for adequate security control in order to avert unauthorized removal; (6) review the analysis reports of the charcoal beds made from the SGTS test canisters that were removed; and (7) develop surveillance procedures to routinely check safety related and radiation protection components that are part of the separation program.

387-83-044    Susquehanna 1    830311

While in Operating Condition 2 (startup) with steam dome pressure greater than 150 psig, a technician inadvertently caused the high pressure coolant injection system to isolate. A technician was performing a monthly surveillance functional test of the main steam line tunnel temperature channels and inadvertently connected his test equipment to an adjacent HPCI temperature isolation switch and brought in a trip signal. The core spray, LPCI, ADS and RCIC system were operable. HPCI was unisolated and returned to service. Personnel were counseled on the importance of proper test connections.

416-83-069    Grand Gulf 1    830523

While personnel were attempting to reenergize some RWCU system and RHR shutdown cooling MOVs following a planned Division II electrical outage, the valves isolated (during the outage the valves were blocked open per a temporary directive for the Division II electrical outage), as a result of an isolation signal from the MOV's isolation logic. The isolation logic relays deenergize to produce an isolation signal. This signal was present due to some power fuses being removed during work under an approved design change package. Since the fuses were not in place this removed voltage from the isolation logic relays and placed the logic in the actuated state. The end result of this event was that both shutdown cooling loops and the RWCU system were isolated, therefore, decay heat removal/coolant circulation capability was lost for approximately one hour. Immediate actions were to manually override the closed valve signal and place both systems back in operation.

A licensee investigation verified the above information. Power fuses were installed and normal system operation was attained.

416-84-004    Grand Gulf 1    840114

On January 14, 1984, at approximately 1632 hours, shutdown cooling system isolation occurred while a utility technician was performing work in an electrical panel.

The technician loosened a screw on a relay which was deenergized to install a spade lug behind the terminal. The relay terminal also had a jumper installed in accordance with a temporary directive to prevent the isolation of shutdown cooling during the Division 1 outage.

It was concluded that the technician caused a momentary break or short in the circuit causing a fuse to blow and isolating the suction valve common to both shutdown cooling loops.

The plant was in cold shutdown at the time of the incident and in a Division 1 outage for maintenance work. Approximately 58 minutes elapsed between the time of the isolation and system restoration. The reactor water clean-up system was operated as an alternate method of reactor coolant circulation until shutdown cooling was returned to service.

The technician was installing the spade lugs for the purpose of connecting test equipment or jumpers for use during future surveillances. The work instructions specifically stated that the task was to be performed during the Division 1 outage.

The technician was counseled and instructed that he should have investigated the abnormality (temporary jumper) prior to performing the activity.

416-84-008    Grand Gulf 1    840202

At 1430 hours on February 2, 1984, while the plant was in cold shutdown, control power was lost to the HPCS pump for about 30 minutes. This left LPCI "B" the only operable ECCS system available. The control power was lost when its supply breaker was opened in error. The breaker was incorrectly opened while performing an electrical lineup for the HPCS diesel generator (the diesel was being tagged out for maintenance).

This happened due to a procedural error in the system operating instruction electrical lineup for the HPCS diesel generator which listed the breaker incorrectly. The error was found and HPCS was returned to operable status within 30 minutes.

LPCI "B" was available during this time period and there were no evolutions in progress with a potential for draining the vessel. The system operating instructions for HPCS and the HPCS diesel generator were changed to correct the breaker information in the electrical lineup.

416-84-013    Grand Gulf 1    840411

At 1445 hours on March 22, 1984, while the plant was in cold shutdown, an MP&L instrument technician was performing the functional surveillance test for the reactor vessel high pressure trip systems.

This involves the logic for RPS scram and shutdown cooling isolation. The technician failed to verify that the trip generated by the test was reset, as required by the procedure. As a result, the trip was still present when power was restored to the shutdown cooling suction isolation valve's motor operator. The valve shut, and since the isolation valves are in series, both loops of shutdown cooling were isolated.

The isolation valve was immediately reopened (making both shutdown cooling loops operable) and a shutdown cooling loop was returned to operation. The technician involved was verbally reprimanded.