ML20133G608

From kanterella
Jump to navigation Jump to search
Forwards Addl Info on Results of AIT Re 940407 Event & Viewgraphs Presented by Summers at Public Insp Exit Meeting Held on 940426
ML20133G608
Person / Time
Site: Salem PSEG icon.png
Issue date: 05/10/1994
From: Martin T
NRC OFFICE OF INSPECTION & ENFORCEMENT (IE REGION I)
To: Taylor J
NRC OFFICE OF THE EXECUTIVE DIRECTOR FOR OPERATIONS (EDO)
Shared Package
ML20133F923 List:
References
FOIA-96-351 NUDOCS 9701160097
Download: ML20133G608 (33)


Text

1 j/

%g' UNITED STATES p-NUCLEAR REGULATORY COMMISSION j

y REGION I t

478 ALLENDALE ROAD k

[

KING of PRUSSIA, PENNSYLVANIA 19408 May 10,1994 1

l MEMORANDUM FOR:

James M. Taylor, Executive Director for Operations FROM:

Thomas T. Martin, Regional Administrator, Region I

SUBJECT:

SALEM 1 AUGMENTED INSPECTION TEAM (AIT)

FINDINGS In response to Commission questions dudng the course of the May 9,1994, Commission meeting, I have provided in Attachment 1 some additional information on the results of our Augmented Inspection of the Salem April 7,1994, Grass Intrusion Event.

For further

+

information, I have also provided, as Attachment 2, a copy of the viewgraphs presented by Mr.

Summers, the AIT Team leader, at the public inspection exit meeting held on April 26,1994.

M Thomas T. Martin Regional Administrator Attachments:

1. Preliminary Salem 4/7/94 Event AIT Findings
2. Viewgraphs from 4/26/94 Inspection Exit Meeting 9701160097 970113 PDR FOIA O'NEILL96-351 PDR

l l

ATI'ACHMENT I I

f PRFLIMINARY SALEM 4/7/94 EVENT AIT FINDINGS e

No abnormal releases of radiation to the environment occurred during the event.

The AIT developed an i%t sequence of events and performed an assessment of key operating parameters that would indicate a failure to a primary barrier such as fuel clad, reactor coolant pressure boundary or containment.

The AIT determined that the primary boundaries remained intact throughout the event. 'Ihere were no indications of fuel failure as determined by reactor coolant sample analysis. Further, upon discovery of the gas bubble in the vessel, the AIT ensured that the gas was sampled and analyzed to ensure that the gas was not generated as a result of fuel damage. This analysis clearly indicated that the source of the gas was external to the fuel. In addition, the AIT reviewed licensee engineering evaluations of the event and concluded that prior fuel reload analysis remained valid throughout the event.

The reactor coolant pressure boundary was challenged by the event, which resulted in a " solid" (filled) reactor coolant system; however, the pressurizer PORVs functioned properly on numerous occasions to maintain the RCS pressure boundary within the previously analyzed envelope. As a result of these operations, the pressurizer relief tank (PRT) rupture disk ruptured, as would be expected, to prevent destruction of the tank. As a result, a few gallons of reactor coolant from the PRT were released to the containment floor. The AIT reviewed the radiological surveys of the area near the PRT and concluded that the level of contamination was minor and consistent with the normal activity contained in the PRT.

Throughout the event, containment integrity was maintained. It was noted by the team that certain valves for the safety injection systems, containment isolation systems, feedwater isolation system, and steam line isolation system did not respond in the usual manner to the initial automatic safety injection actuation. This was a result of the short duration of the initiating signal, which was only of sufficient duration for parts of the protection logic to respond, resulting in the unexpected behavior noted. The initiating signal was due to a valid low Tave caused by operator error and an indicated high steam flow that was due to a pressure pulse resulting from the turbine trip, but not a valid accident signal. However, functional testing of the protection logic clearly indicated that it would have performed properly in response to real accident conditions had they been present.

The AIT further concluded that licensee troubleshooting methods clearly demonstrated the logic responded as would be expected to the short duration signals.

The AIT concluded that no barrier failures occurred.

g_ _

1 1

2 Event challenged RCS pressure boundary through multiple operations of pressurizer r

e l

PORVS.

As stated earlier, the AIT findings disclosed that the event sequence provided a challenge to the RCS pressure boundary. As a result of the initial safety injection, the RCS filled with water.

Without the normal pressurizer steam space to dampen pressure excursions, the continued injection, both from the initial and second automatic safety injection actuations, resulted in repeated actuations of the pressurizer PORVs to limit the RCS pressure within the analyzed envelope. As a result, the event sequence threatened the integrity of the RCS pressure boundary through either a stuck open PORV or pressurizer Safety Valve.

Licensee analysis of this event was reviewed and the AIT questioned whether any damage had resulted from this challenge. The licensee removed the internals of the PORVs for inspection and also sent the pressurizer code safeties to their testing vendor. The results of these inspections showed that excessive wear was exhibited on the PORVs and that excessive seat leakage and a higher than allowed lift setpoint was found on one of three code safeties.

Additionally, the licensee evaluated the associated pipe for these valves to ensure that no flaws in pipe integrity or supports resulted.-

The AIT concluded that the event did in fact pose a significant challenge to the pressure boundary; that the pressure boundary functioned properly and as expected throughout the event; that no limits were exceeded during the event; and that some equipment degradation resulted.

1 l

i l

I l

4 4

_ ~.

-,-n m

m

i.

l 3

i Operator errors occurred which complicated the event.

The AIT reviewed plant event data and interviewed the operators involved in the event. It was 4

i concluded that certain operator errors occurred throughout the event sequence, but were more frequent prior to the reactor trip and initial safety injection.

i The operators responded appropriately to the potential loss of condenser circulating water by j

decreasing reactor and turbine power, ultimately with the intent to remove the turbine-generator unit from service. During this rapid down power evolution, the operator on the turbine led the operator on the reactor, resulting in Tave being slightly higher than normal. However, the operator controlling the mactor power was doing so with a combination of inserting control rods manually and by boration through the charging system. (The injection of boron does not have j

an immediate effect on power since it takes time for the boron to mix with the RCS and affect power.)

i Power was reduced to a point that the operators began to switch electrical loads'in anticipation of removing the turbine from service. The shift supervisor directed the operator on the reactor i

controls to perform the electrical load swaps. Neither the shift supervisor nor the reactor operator recognized that the reactivity change was incomplete; however, both noted that the reactor was stable and that Tave was within it's program band, although slightly high. In fact, j

when the reactivity change was complete the reactor power was less than the turbine power and a decreasing Tave began. This decreasing Tave was not identified until Tave was below I

program. Initially, the shift supervisor responded to this condition by pulling rods in manual.

At that time, only three operators were present in the control room, a reactor operator on turbine i

and steam supply controls, reactor operator on electrical controls, and the senior reactor i

operator / shift supervisor on rod controls. The shift supervisor was no longer in a position to properly direct the activities of the reactor operators. The shift supervisor recognized this and j

directed the RO on the electrical controls to raise reactor power to restore Tave. That RO had just completed the electrical load s ap and commenced to raise reactor power He noted at that i

w l

time that Tave had gone below the Technical Specification minimum temperature for criticality, l

but failed to effectively communicate such to the senior reactor operator. The SRO's direction to raise power was not explicit regarding how far or fast to raise power.

J l

Absent such direction, the RO continued to raise reactor power while monitoring Tave for an indication that temperature was recovering and failed to identify that a reactor trip on low

~

power-high flux condition would occur. The AIT concluded that the operator was still pulling rods and raising reactor power when the trip occurred.

As a result of the above operator errors, a reactor trip occurred on high flux (25%) and the low Tave condition was still present. The low Tave condition in coincidence with the indicated high l

steam flow signal initiated the first automatic safety injection.

i l

w

4 After the reactor trip and safety injection, the operators appropriately en.ered the EOPs and successfully complete <1 the required actions. As a result of the unusual equipment response to the initial safety injmtion system actuation, described previously; numerous valves were not in the expected or ; _ quired position per the EOPs. The operator responded to these conditions per the EOPs. One containment isolation valve that was mispositioned was not initially identified and corrected by the operator. This was subsequently discovered by the operators during the termination / recovery actions after identifying that the safety injection was not needed. It is noted by the AIT that a redundant valve for this same isolation line did close. Further, the reason the valve failed to close was due to the equipment response anomalies previously discussed, and not due to problems with the valve itself.

At about this time in the event sequence at least one steam generator code safety valve lifts causing a rapid secondary and primary cooldown. This cooldown, frorn the solid RCS j

condition, induces a very rapid depressurization of the RCS, and ultimately the second safety injection. The AIT concluded that the operators were not properly monitoring the RCS heatup resulting from decay heat and the running Reactor Coolant Pumps, after the initial safety injection. At the time, the main steam system was isolated and the resultant heat up caused the steam generator pressure to rise until reaching the lift set point of at least one steam generator code safety. It should also be noted that the automatic steam generator atmospheric relief valves should have lifted before this set point was reached, but due to a malfunction that is discussed later, which the operators are trained to handle, the valves did not limit the main steam pressure rise.

Following the code safety lift, operators properly responded by taking manual control of the steam generator atmospheric relief valves in order to lower pressure to re-seat the safety (s). The resulting rapid RCS depressurization was observed by the operators and they appropriately determined to manually re-initiate safety injection. An automatic SI occurred prior to the manual operation; however, the operators continued with the manual activation since they were initially not sure that the automatic protection logic was operating properly. The operators appropriately re-entered their EOPs at this time without further error.

In addition to the above, the AIT also identified the following two concerns regarding operator actions:

During ne down power transient, the senior shift supervisor, also SRO qualified and the senior j

managen ent representative in the control room, left the control room area and intentionally bypassed a condenser vacuum permissive switch in an attempt to restart one of the inoperable i

circukting water pumps, hoping to restore adequate condenser cooling. In addition to manually bypassing the permissive switch without appropriate work controls, this led to the control room staffing previously described.

)

i 5

l After the initial safety injection the senior shift supervisor left the control room proper in order to classify the event and initiate notifications per the emergency plan implementing procedures.

While this activity was timely, the initial notification message developed for a communicator j

provided inadequate information to the NRC in that the numerous components found in an unexpected condition were not described nor was the cause of the reactor trip adequately described, i

J m

}

6 Management allowed equipment problems to exist that made operations difficult for plant operators.

1.

The AIT found that during this event and for about a month prior to the event, that the automatic rod control system was not in service. This led to the operators having to manually control reactor power to maintain RCS Tave within program.

During the event of April 7,1994, the operators initially decreased turbine power at 1%/ minute, but quickly increased that rate change to a maximum of 8%/ minute. At this rate of change, even the automatic rod control system was not designed to maintain Tave in program without operator action to assist by boration. With the rods in manual, as was the case, operator action in response to the 8%/ minute rate of changes was not a simple task.

The AIT noted that PSE&G management was addressing the automatic rod control system problems and that, in fact, the control system was available at the time of the event. However, operations management had not yet restored the system to service since one last surveillance test had not been completed. That test was scheduled for the day of the event.

2.

The AIT found that the anomolous, short duration high steam flow signal, resulting from the turbine trip, had been previously identified by the licensee following prior post-trip reviews conducted after similar turbine trips in the past. Information provided the AIT indicated this condition was recognized as early as 1989. The high steam flow signal I

was of very short duration, on the order of 20 to 30 milliseconds, and appeared about I second after the turbine trip. While this condition was recognized previously, the licensee attributed the cause to be a combination of the logic (the reactor trip automatically reduces the high steam flow setpoint from about 110% to about 40% of rated steam flow) and the actual decay in steam flow following a reactor trip-turbine trip.

Upon closer analysis following this event, the licensee identified that the actual cause of the indicated high steam flow signal following a turbine trip corresponds to a pressure wave initiated by the turbine stop valve closure.

i The AIT concluded that this pressure wave did cause the indicated high steam flow, and, coincident with the low Tave condition induced by operator error, resulted in the initial automatic safety injection actuation. The AIT further concluded that earlier licensee assessment ofindicated high steam flow after turbine trips was inadequate in that it failed to identify this mechanism and therefore the problem remained uncorrected.

3.

The AIT found that the automatic controls for steam generator atmosphere relief valves were not maintained. This, coincident with the operators failure to recognize that RCS and steam generator temperature and pressures were increasing after the initial safety injection, led to the steam generator code safety (s) actuation and resultant second safety injection actuation. The atmospheric relief valves (MS10s) coritrol system had been

e 7

modified in the late 1970's, which resulted in the controls not responding properly in automatic without operator action. Plant operators had been trained to make up for this -

deficiency by placing the system in manual for a few seconds and then restoring the

. system to automatic. This would result in the control system then working properly.

During the events of April 7,1994, the operators failed to take manual control of this system prior to pressure increasing to the lift setpoint of the steam generator code safety (s).

The AIT noted that the operator subsequently did take manual control of the MS10s in order to lower steam generator pressure to rescat the code safety. At that time, the operator noted that the control system for the 11MS10.did not respond properly. He then left that controller in manual and closed. He then controlled pressure and temperature with the remaining three MS10s, initially manually, and then in automatic mode.

Subsequent to the recovery actions after the second safety injection actuation, the 11MS10 opened partially inducing another temperature transient.

Operators were dispatched to the valve locations to isolate the 11MS10. The control room operator also switched controls to auto and back to manual with a close demand and the valve closed.

The AIT determined that the control system for the MS10s was known to be deficient.

Modifications were planned, but never implemented to correct these conditions and operators were expected, through training, to make up for the control deficiencies.

4.

The AIT found that the circulating water system was vulnerable to periodic grass attacks.

This had been documented by the licensee for a number of years. Records indicating that this condition was especially ap,gravated in the spring of 1994 were provided the to AIT.

However, the vulnerability was previously recognized by the licensee and modifications were planned to make the system less susceptible to grass intrusions.

These modifications had not been implemented prior to the event. During the spring of 1994, as the river grass conditions worsened, the licensee began to initiate special work teams and work controls at the circulating water structure in response to the predictable grass intrusions that occurred coincident with daily tide changes. These special practices were quite effective at responding to the degrading circulating water conditions and usually resulted in restoring inoperable traveling screens and cNidng water pumps without the need for control room operators tripping the turbine or reactor. The AIT noted that on one occasion prior to the April 7 event, operators were forced to remove the turbine from service as a result of a grass intrusion; but, the reactor was maintained in low power operation. No further complications occurred on that event. It was also noted by the AIT that the event of April 7 was apparently more severe than earlier events, resulting in operators decreasing power at a maximum of 8%/ minute. This was done to reduce turbine power fast enough to minimize the increasing back pressure in the condenser. The prior grass intrusion events did result in operators frequently reducing

8 power to maintain condenser vacuum, while the special work activities at the circulating water structure restored inoperable circulators. However, no prior event required such a high rate of change in power to compensate for the loss of circulating water.

The AIT determined that the grass intrusion event of April 7 was very severe; however, the vulnerability of the design was previously recognized and modifications to improve the system had not yet been implemented.

1 I

1

9 i

Some equipment was degraded by the event, but overall, the plant performed as e

designed.

The AIT observed the licensee's troubleshooting efforts. The AIT determined that the plant response to the event was as expected for the conditions that occurred. The troubleshooting 1

efforts clearly demonstrated that the protection logic mismatch, as well as the " failures" of the j

main steam and feedwater isolation systems, were a direct result of the instrument sensitivity and i

response behavior to short duration signals. Testing demonstrated that consistent, predictable behavior could not be achieved unless the input signal lasted longer that about 50 milliseconds.

Further, it was demonstrated that all safety systems would have appropriately responded to real accident conditions had they been present.

The vulnerability of the protection system to short duration signals had not been previously identified or evaluated by the licensee prior to the April 7 event.

As a result of the event sequence, the pressurizer steam space was lost resulting in a solid RCS.

Operator actions required by the EOPs to respond to the equipment anomalies previously discussed took significant time, which resulted in filling the RCS before meeting the ECCS termination criteria. The AIT attributed this to the prcaection logic mismatch which made the event quite complex for the operators.

Ultimately, due to this solid RCS condition and compounded by the second safety injection actuation, the pressurizer PORVs operated in excess of 300 times to maintain RCS pressure.

Subsequently, the AIT requested an assessment of the PORVs, pressurizer code safety valves and attendant piping and supports. The licensee and NRC inspected the PORV internals, which exhibited wear requiring further evaluation and corrective action prior to restart.

As a result of the troubleshooting activities, other equipment conditions requiring repairs were also identified, including the PRT rupture disk, main steam high steam flow input relays, and

)

various MS10 control components.

W 10 4

i 4

i Operator use of emergency procedures was good.

e

)

The AIT determined that the operators' use of the EOPs in response to the multiple automatic safety injection actuations was good; however, some errors happened after entry into the EOPs.

j l

The AIT found that operators were not specifically knowledgeable in the use of EOP " Yellow l

Path" procedures. " Yellow Path" restoration procedures are optional in the EOP scheme.

j Knowledge, training and practice in the use of " Yellow Path" procedures could have aided the operators in the recovery of the pressurizer steam space following the multiple SI actuations.

j

. Operator actions to manually initiate SI on rapidly decreasing RCS pressure and in declaring the alert to ensure appropriate engineering support for plant recovery from the solid RCS condition i

were considered appropriate by the AIT.

Prior to entry into the EOPs, the operators committed a number of errors. Most of these errors could have been avoided if appropriate guidance had been developed and implemented in the normal integrated operating procedures and in the abnormal or alarm response procedures.

/

Absent explicit management guidance on when to trip the turbine or the reactor, the operators 3ttempted to use the normal procedures in response to the transient conditions of April 7. These prwedural issues are further described in the AIT Exit Meeting slides that are attached.

l l

11 Licensee investigations and troubleshooting efforts were good e

The AIT closely monitored the licensee's troubleshooting activities and, to a lesser extent, the licensee's independent investigation. Based on the direct observation of the logic testing and other troubleshooting activities, the AIT determined that the licensee approach was clearly to ascertain the root causes of the events of April 7, identify necessary corrective actions and then implement such measures.

It was noted by the AIT that the licensee was prepared to accept the operability of the pressurizer PORVs without a visual inspection of the components. The AIT asked for the necessary engineering evaluation of the PORVs upon which the licensee was to base their operability assessment. Prior to developing this evaluation, the licensee then elected to open the components for a visual inspection. This led to the findings of the degraded PORV internals resulting from the event.

The AIT met with members of the licensee's investigation team to discuss preliminary findings; and, reviewed the operations post trip report and the investigation report. Information gathered from these reports was useful to the AIT assessment. Further, the licensee's sequence of events and facts supporting the event sequence were found to be consistent with the AIT's. The AIT concluded that there was evidence of management ineffectiveness due to the coincidence of equipment issues, both recent and historical, operator errors and procedural guidance deficiencies that all contributed significantly to the April 7 event. The licensee's investigations placed a greater emphasis on the operator errors in contributing to the event. The AIT noted that the licensee's investigation did not attempt to ascertain why the operator errors occurred, but identified the errors as root cause. However, it was also noted by the AIT that licensee's recommended corrective actions clearly addressed the equipment and procedural deficiencies that contributed to the event.

4

),

t a

4 NRC AUGMENTED INSPECTION TEAM 4

EXIT MEETING SALEM UNIT 1 REACTOR TRIP WITH MULTIPLE SAFETY INJECTIONS ARTIFICIAL ISLAND PROCESSING CENTER APRIL 26,1994, 10:00 A.M.

I AGENDA M. WAYNE HODGES I.

INTRODUCTIONS II.

PURPOSE OF INSPECTION ROBERT J. SUMMERS IH.

SEQUENCE OF EVENTS IV.

CAUSAL FACTOR ANALYSIS V.

SAFETY SIGNIFICANCE VI.

PRELIMINARY FINDINGS A) PLANT EQUIPMENT B) PROCEDURE ISSUES C) PERSONNEL PERFORMANCE ISSUES VII.

SUMMARY

s VIII.

CONCLUDING NRC REMARKS M. WAYNE HODGES STEVEN E. MILTENBERGER LX.

PSE&G REMARKS l

PURPOSE OF INSPECTION THE GENERAL OBJECTIVES OF THE AUGMENTED INSPECTION TEAM WERE TO:

CONDUCT A THOROUGH REVIEW OF THE 4/7/94 SALEM UNIT 1 EVENT o

t ASSESS OPERATORS' ACTIONS e

l DEVELOP A SEQUENCE OF EVENTS l

e COMPARE ACTUAL RESPONSE TO EXPECTED PLANT RESPONSE t

l i

i

i PURPOSE OF INSPECTION (cont.)

i REVIEW THE LICENSEE EVENT CLASSIFICATION AND NOTIFICATIONS e

ASSESS SAFETY SIGNIFICANCE OF THE EVENT e

EXAMINE EQUIPMENT FAILURES AND IDENTIFY ROOT CAUSES e

IDENTIFY ANY DESIGN DEFICIENCIES ASSOCIATED WITH THE EVENT e

J.-.A-..=--.aG-4-an d.AAe+=

4 F.--.

64

-A.n 3aAh-,

. A.h as A24aaa.,an d.-mmam._Aags-..=h-.am.ma.a.sm..ah-

.s.

eau.L.

--Eh

. mise Jmden

.mmam4gm-444.4mmen -

.uma auyammaa.ma.,,w:

-a e.s ea..

1-l-1 1

g i

8W a

i "x

w y.

e g,

i 5

~

8 g

e y

=

w 8

o f

F l

/

y ^

L I

p 8

x-a s

s a

i u

tk.

g C

tr i&!

i O

i i

w 4

+;

1 u, wwa.pe,-, -

p-M g o o.

h I

,. w m.:

-- m j

--e

=

o w

5 a

me 4,

<C i

n l

)

i O

5 x

l W

8 i

d=

- a s

h h

p.

g i

i d

g i

I

_J A

2 I

l FIGURE 11-5 0882 l

i t

i i

~

il i

-i 11! :

I, ll l ljjQ

!T II III '

i j ill.i i.

1 i! -

l

,1 i i

s 1

i

=

.36 I f l'1 ! !

l T

.I

,! l-l I!,

!!!.o

,1 i I' i !i!

81 flg !ut

-@y T

s'i s

!].

i n!-

g-i i!!

18 j o

Q ee=

g O

iigy

',g,h

,1 mf.

I e

.J llill'p{)!'i-d I!

I r

!i i_I i

e

  • 4j]

li!

't 7

j !!, !g!!-.ck ll!!

I

!ll i;

yl i

'l i

',i ii

=

et -

e

-Q E

8' i

i[I j!I g

ll lgli

[

! !!,jj!

si e

j!

,4 e

,!, i g!

"i..L _o3 pag j!

g

> ri.

'I

.g Ia O

3

!!li l.:!!

5 i

'i l'!i i 13-i i!.

!~FD 4

1, tie

!j;r 5

ll!

i g

i to i,

.ij.

lils, g

i'j!!

4

~3 l

" I!

l IS PAGE 11-73

I SEQUENCE OF EVENTS INITIAL CONDITIONS,0N APRIL 7,1994:

REACTOR POWER AT 75%

i CONTROL RODS IN MANUAL 12A CIRCULATING WATER PUMP OUT-OF-SERVICE

{

I i

10:16 TO 10:43 i

POWER REDUCTION DUE TO CLOGGING OF CIRCULATING WATER SCREENS BY RIVER GRASS. FIVE OF SIX CIRCULATING WATER PUMPS TRIP OUT OF SERVICE.

l i

UP TO SIX OF SIX CIRCULATING WATER SCREENS WERE OUT-OF-SERVICE 10:44 TO 10:47 REACTOR COOLANT SYSTEM TEMPERATURE DECREASES BELOW LOW-LOW SETPOINT, PLANT POWER AT 80 MWE. OPERATOR PULLS RODS TO RESTORE RCS TEMPERATURE. REACTOR POWER INCREASES FROM 7% TO 25%.

i

w a

LQL41 REACTOR TRIPS AT 25% POWER RANGE LOW SETPOINT.

AUTOMATIC SAFETY INJECTION OCCURS ON HIGH STEAM FLOW WITH LOW-LOW Tave ("A" PROTECTION TRAIN LOGIC ONLY) 10:49 TO 11:05 EMERGENCY OPERATING PROCEDURES ENTERED.

UNUSUAL EVENT DECLARED.

11:05 TO 11:26 PRESSURIZER PORVs AUTO OPEN ON HIGH PRESSURE.

THE PRESSURIZER WAS FILLING TO THE SOLID CONDITION.

OPERATORS IDENTIFIED THAT THE SAFETY INJECTION WAS NOT NECESSARY, TERMINATE THE ECCS INJECTION, AND COMMENCE RECOVERY ACTIONS TO RESTORE THE PLANT TO NORMAL CONTROL.

A STEAM GENERATOR SAFETY VALVE OPENS CAUSING THE REACTOR SYSTEM TO COOLDOWN AND DEPRESSURIZE.

~

~.

lh26 OPERATORS DECIDE TO MANUALLY RE-INITIATE ECCS DUE TO RAPID RCS i

PRESSURE DECREASE.

PRIOR TO THE OPERATOR ACTION, A SECOND ACTUAL AUTOMATIC SI OCCURS i

DUE TO LOW PRESSURIZER PRESSURE ("B" PROTECTION TRAIN OF LOGIC).

f l

1h42 PRESSURIZER POWER OPERATED RELIEF VALVES ACTUATE >300 TIMES TO MAINTAIN RCS PRESSURE WITHIN ACCEPTABLE PRESSURE RANGE.

t PRESSURIZER RELIEF TANK RUPTURE DISK RUPTURES DUE TO THE AMOUNT OF REACTOR COOLANT BEING RELEASED BY THE PRESSURIZER PORVS.

i L16 ALERT DECLARED TO ENSURE PROPER TECHNICAL STAFF AVAILABLE TO ASSIST PLANT OPERATORS IN RECOVERY TO NORMAL CONDITIONS FROM THE i

1 SOLID CONDITION.

i I

i f

I f

4l30 t

THE OPERATORS ESTABLISHED A STEAM SPACE IN THE PRESSURIZER (NO LONGER SOLID). THIS ALLOWED THE OPERATORS TO MAINTAIN RCS PRESSURE

{

AND LEVEL WITH THE NORMAL CONTROLS.

t 5115 t

EMERGENCY OPERATING PROCEDURES WERE EXITED AND THE NORMAL SHUTDOWN PROCEDURE ENTERED BY THE OPERATORS AND A NORMAL PLANT t

COOLDOWN WAS COMMENCED.

8120 i

THE ALERT WAS TERMINATED BECAUSE THE PLANT WAS NO LONGER IN AN EMERGENCY CONDITION. OPERATORS WERE COOLING DOWN THE PLANT IN A NORMAL MANNER.

APRIL 8,1994:

i 01:06 MODE 4 (HOT SHUTDOWN) ENTERED i

11:24 MODE 5 (COLD SHUTDOWN) ENTERED

I

>~

CAUSAL FACTOR ANALYSIS FOR KEY EVENTS

)

THE REACTOR TRIP WAS A RESULT OF HUMAN ERROR.

e l

THE INITIAL " SAFETY INJECTION" WAS A RESULT OF:

[

e A DESIGN DEFICIENCY: THE HIGH STEAM FLOW INSTRUMENTS I

ERRONEOUSLY IDEN11MED A PRESSURE PULSE AS AN ACTUAL HIGH STEAM FLOW CONDITION; AND

{

HUMAN ERROR: OPERATORS ALLOWED THE REACTOR COOLANT SYSTEM TEMPERATURE TO GO LOW.

l t

THE " UNEXPECTED" EQUIPMENT RESPONSE TO THE INITIAL SI WAS DUE

(

e TO THE DESIGN OF THE PROTECTION LOGIC AND THE TIME IT TAKES FOR

[

t RELAYS TO ACTUATE.

i i

THE SECOND " SAFETY INJECTION" WAS DUE TO HUMAN ERROR IN t

e MAINTAINING TEMPERATURE AND PRESSURE WITHIN NORMAL, NO-LOAD CONDITIONS.

I

[

r f

CAUSAL FACTOR ANALYSIS FOR KEY EVENTS (cont.)

THE HUMAN ERRORS THAT OCCURRED WERE ALL COMPLICATED BY PRE-e EXISTING EQUIPMENT PROBLEMS THAT RESULTED IN THE OPERATORS H.AVING TO RELY ON " MANUAL" OPERATIONS INSTEAD OF NORMAL,

" AUTOMATIC" CONTROLS.

THESE PRE-EXISTING CONDITIONS WERE ACCEPTED BY MANAGEMENT AND INDICATE A MANAGEMENT WEAKNESS IN MAINTAINING EQUIPMENT IN LESS THAN OPTIMAL CONDITION.

SAFETY SIGNIFICANCE EVENTS OF 4/7/94 DEPICTED AN UNUSUAL TRANSIENT IN WHICH PLANT e

CONDITIONS CHALLENGED BOTH THE AUTOMATIC PROTECTIVE FEATURES AND THE OPERATORS WHO CONTROL THE PLANT.

SOME EQUIPMENT PERFORMANCE WAS NOT AS EXPECTED AND OPERATOR e

PERFORMANCE EXHIBITED SOME WEAKNESS.

HOWEVER, ALL THREE PHYSICAL BARRIERS (FUEL CLADDING, RCS e

PRESSURE BOUNDARY, CONTAINMENT) PERFORMED ACCEPTABLY.

THERE WAS NO EVIDENCE OF DAMAGE TO EITHER THE FUEL OR ITS CLAD e

OR TO THE CONTAINMENT. THERE WAS MINOR, BUT IMPORTANT, DEGRADATION OF THE PRESSURIZER PORVS AND THE PRT RUPTURE DISK j

BLEW.

f t

e t

j

SAFETY SIGNIFICANCE (cont.)

A SIGNIFICANT CONCERN IDENTw1BD WAS THAT THE AUTOMATIC SAFETY e

INJECTION SYSTEM OPERATED IN A WAY THAT REQUIRED EXTENSIVE OPERATOR ACTION:

OPERATOR ACTION EXTENDED THE TIME TO MEET THE EMERGENCY CORE COOLING INJECTION TERMINATION CRITERIA IN THE EMERGENCY OPERATING PROCEDURES.

THIS RESULTED IN THE ECCS INJECTION PRODUCING A " SOLID" RCS.

THE SOLID RCS LED TO RELIANCE ON PRESSURIZER PORVS TO CONTROL RCS PRESSURE RESULTING IN MULTIPLE OPENINGS OF THE TWO VALVES (IN EXCESS OF 200 ON PR2 AND 100 ON PRI).

OPERATION OF THE PORVS FROM THE SOLID CONDITION COULD HAVE CHALLENGED THE RCS PRESSURE BOUNDARY.

THE DEGRADATION OF THE PORVS REQUIRED REPAIRS TO THE INTERNAL COMPONENTS OF THE VALVES.

PRELIMINARY FINDINGS PLANT EQUIPMENT PRE-EXISTING EQUIPMENT PROBLEMS CONTRIBUTING TO TIIE EVENT CONDENSER CIRCULATING WATER TRAVELING SCREENS HIGH STEAM FLOW INSTRUMENTS AUTOMATIC ROD CONTROL SYSTEM i

ATMOSPHERIC STEAM RELIEF CONTROL SYSTEM l

1 i

f

_...~ -_- _-.

_ = _

PRELIMINARY FINDINGS PLANT EQUIPhENT (cont.),

EQUIPMENT DEGRADED OR EQUIPMENT EXHIBITING UNEXPECTED OPERATION AS A RESULT OF THE EVENT:

SI LOGIC INPUT RELAY SENSITIVITY (LOGIC DISAGREEMENT)

MAIN STEAM ISOLATION RELAY " RACE" MAIN FEEDWATER ISOLATION RELAY " RACE" i

i PRESSURIZER PORV INTERNALS

[

PRELIMINARY FINDINGS PROCEDURE ISSUES INADEQUATE PROCEDURE GUIDANCE FOR OPERATION OF THE i

e ATMOSPHERIC RELIEF VALVES.

WEAK PROCEDURAL GUIDANCE FOR RAPID DOWN-POWER e

TRANSIENTS WITH THE ROD CONTROL SYSTEM IN MANUAL.

WEAK OPERATIONAL PROCEDURAL GUIDANCE FOR RESPONSE TO e

CIRCULATING WATER OR LOW CONDENSER VACUUM PROBLEMS.

r LOW-LOW CONDENSER VACUUM ALARM RESPONSE PROCEDURE HAD e

INCORRECT TURBINE TRIP SETPOINT INFORMATION.

AFTER RESET OF THE FIRST SAFETY INJECTION, PROCEDURAL l

e GUIDANCE TO THE OPERATORS FOR THE SI LOGIC TRAIN DISAGREEMENT WAS WEAK

PRELIMINARY FINDINGS PERSONNEL PERFORMANCE GOOD SHORT TERM INITIATIVE, PLANNING, AND TEAMWORK IN RESPONSE TO GRASS ATTACKS AT INTAKE l

e PRE-TRIP COMMAND AND CONTROL OF OPERATOR ACTIVITIES WAS e

WEAK POORLY CONTROLLED RAPID DOWN-POWER WITH MULTIPLE REACTIVITY CHANGES VAGUE DIRECTION TO PULL RODS TO RESTORE Tave LED TO EXCESSIVE ROD PULL AND REACTOR TRIP l

POOR DECISION-MAKING TO DIRECT OPERATOR TO MANIPULATE ELECTRICAL LOADS.

SHIFT SUPERVISOR OPERATED CONTROL RODS, MOMENTARILY AFFECTING HIS EFFECTIVENESS IN HIS SUPERVISORY ROLE DURING DOWN-POWER TRANSIENT.

SENIOR SHIFT SUPERVISOR LEFT CONTROL ROOM AREA IN ORDER TO MANUALLY BYPASS THE CONDENSER VACUUM PERMISSIVE.

PRELIMINARY FINDINGS PERSONNEL PERFORMANCE (cont.)

POST-TRIP COMMAND AND CONTROL OF OPERATOR ACTIVITIES WAS e

GOOD:

?

PROBLEM WITH OPERATOR RESPONSE TO MS-10 CONTROLLER PROBLEMS CONTRIBUTED TO STEAM GENERATOR SAFETY RELIEF LIFTING AND SECOND SI.

USE AND KNOWLEDGE OF " YELLOW CSF PATH" WAS WEAK, CONTRIBUTING TO OPERATOR NEED FOR ALERT DECLARATION.

OPERATORS DID USE AVAILABLE TECHNICAL SUPPORT TO PLACE THE PLANT IN A STABLE CONDITION FOLLOWING THE EVENT.

OPERATOR AWARENESS OF REACTOR PRESSURE AND WILLINGNESS TO INITIATE A MANUAL SI WAS GOOD.

i OPERATORS IMPLEMENTED AND FOLLOWED EOPS, ALLOWING SI TO RUN UNTIL EOP TERMINATION CRITERIA MET. HOWEVER, ONE OUT-OF-POSITION VALVE FOR THE SAFETY INJECTION FLOW

[

PATH CONFIGURATION WAS MISSED INITIALLY BY THE i

OPERATORS.

i

PRELIMINARY FINDINGS PERSONNEL PERFORMANCE (cont.)

i EVENT CLASSIFICATION AND NOTIFICATIONS WERE IN ACCORDANCE WITH l

e LICENSEE EVENT CLASSIFICATION GUIDE AND EMERGENCY PLAN INITIAL EVENT NOTIFICATION TO STATE AND LOCAL GOVERNMENTS WAS TIMELY AND COMPLETE INITIAL EVENT NOTIFICATION TO THE NRC WAS TIMELY; HOWEVER, A WEAKNESS WAS NOTED IN THE ADEQUACY OF TECHNICAL INFORMATION IN INITIAL NOTIFICATION LICENSEE DECISION TO DECLARE AN ALERT WAS BASED ON OBTAINING e

PROPER TECHNICAL SUPPORT FOR OPERATORS TO RE-ESTABLISH NORMAL RCS PRESSURE CONTROL THE ALERT DECLARATION AND NOTIFICATIONS WERE TIMELY AND e

COMPLETE EVENT DATA COMMUNICATIONS WITH THE NRC WERE INITIALLY WEAK e

BUT IMPROVED AFTER NRC REQUESTED THE LICENSEE TO PROVIDE A FULLTIME ENS COMMUNICATOR

F

SUMMARY

[

t e

NO ABNORMAL RELEASES OF RADIATION TO THE ENVIRONMENT OCCURRED DURING THE EVENT EVENT CHALLENGED RCS PRESSURE BOUNDARY e

OPERATOR ERRORS OCCURRED WHICH COMPLICATED THE EVENT MANAGEMENT ALLOWED EQUIPMENT PROBLEMS.TO EXIST e

THAT MADE OPERATIONS DIFFICULT FOR PLANT OPERATORS SOME EQUIPMENT WAS DEGRADED BY THE EVENT, BUT e

OVERALL, THE PLANT PERFORMED AS DESIGNED OPERATOR USE OF EMERGENCY OPERATING PROCEDURES e

t WAS GOOD LICENSEE INVESTIGATION AND TROUBLESHOOTING e

EFFORTS WERE GOOD r

-