ML20212F658

Technical Review Rept, Degradation of Safety Sys Due to Component Misalignment &/Or Mispositioned Control/Selector Switches
ML20212F658
Person / Time
Site: Kewaunee, Cook, 05000000
Issue date: 12/31/1986
From: Tripathi R
NRC OFFICE FOR ANALYSIS & EVALUATION OF OPERATIONAL DATA (AEOD)
To:
Shared Package
ML20212F647 List:
References
TASK-AE, TASK-T612 AEOD-T612, NUDOCS 8701120098
Download: ML20212F658 (18)


Text

AEOD/T612

TECHNICAL REVIEW REPORT

DEGRADATION OF SAFETY SYSTEMS DUE TO COMPONENT MISALIGNMENT AND/OR MISPOSITIONED CONTROL/SELECTOR SWITCHES

Office for Analysis and Evaluation of Operational Data
December 1986

Prepared by: Dr. Raji Tripathi, Reactor Operations Analysis Branch, Section 2

NOTE: This report supports ongoing AEOD and NRC activities and does not represent the position or requirements of the responsible NRC Program Office.

TABLE OF CONTENTS

SUMMARY
1.0 INTRODUCTION
2.0 DISCUSSION
  2.1 D.C. Cook--Loss of the Engineered Safety Features Equipment Ventilation Exhaust System
    2.1.1 Purpose of the System
    2.1.2 Event Description
    2.1.3 Root Cause(s)
    2.1.4 Licensee Response
    2.1.5 Regulatory Action
  2.2 D.C. Cook--Degradation of the Auxiliary Feedwater System
    2.2.1 Purpose of the System
    2.2.2 Event Descriptions
    2.2.3 Root Cause(s)
    2.2.4 Licensee Response
    2.2.5 Regulatory Action
  2.3 Kewaunee--Degradation of the Safety Injection System
    2.3.1 Purpose of the System
    2.3.2 Event Description
    2.3.3 Root Cause(s)
    2.3.4 Licensee Response
    2.3.5 Regulatory Action
  2.4 Other Operational Experience
  2.5 Safety Significance of the Events
    2.5.1 D.C. Cook--Loss of the ESF Equipment Ventilation Exhaust System
    2.5.2 D.C. Cook--Degradation of the Auxiliary Feedwater System
    2.5.3 Kewaunee--Degradation of the Safety Injection System
3.0 FINDINGS
4.0 CONCLUSIONS
5.0 SUGGESTIONS
6.0 REFERENCES

LIST OF FIGURES

1. Flow Diagram of Emergency Core Cooling System--Kewaunee
2. Simplified Logic Diagram for HPSI Transfer from BAT to RWST--Kewaunee


AEOD TECHNICAL REVIEW REPORT

UNITS: D.C. Cook Units 1 and 2; Kewaunee Nuclear Power Plant
TR REPORT NO: AEOD/T612
DATE: December 31, 1986
DOCKET NOS: 50-315 and 50-316; 50-305
EVALUATOR/CONTACT: R. Tripathi
LICENSEES: Indiana and Michigan Electric Company; Wisconsin Public Service Corp.

SUBJECT: DEGRADATION OF SAFETY SYSTEMS DUE TO COMPONENT MISALIGNMENT AND/OR MISPOSITIONED CONTROL/SELECTOR SWITCHES

EVENT DATES/LER NOS:
June 20, 1984 / LER 50-315/84-011-00
August 8, 1984 / LER 50-315/84-016-00
August 8, 1984 / LER 50-315/84-019-00
December 18, 1984 / LER 50-305/84-021-00

SUMMARY

This study was initiated as a result of our review of three events at D.C. Cook and one event at Kewaunee. Two of the events at D.C. Cook concerned inoperability of the auxiliary feedwater pumps and the other event at D.C. Cook was related to the loss of both trains of the engineered safety features (ESF) equipment ventilation exhaust system. The event at Kewaunee resulted in the degradation of the safety injection (SI) system. All four events were caused by mispositioned control/selector switches. Various events concerning loss of safety systems due to human errors have been addressed in detail in other AEOD reports.

A review of the recent operating reactor experience has shown that many events have occurred at U.S. nuclear power plants in the past few years where the automatic function of the safety systems had been inadvertently compromised. In most cases, the occurrences were caused by human error and complicated by inadequate component/subsystem status indications. Nearly 91% of the additional 55 events examined during the course of this study occurred at PWRs and the rest at BWRs. We did not make an effort to establish the cause(s) for the unusually large number of occurrences at the PWRs as compared to the BWRs. The systems most affected in these events were the safety injection (SI) system, the residual heat removal (RHR) system, and the containment spray (CS) system, in that order.

The events addressed in this report emphasize the need for adequate maintenance and surveillance procedures, independent verification, and effective communication among plant personnel to prevent degradation of the safety systems which may compromise plant safety. Since occurrences of this nature are widespread and frequent among licensees, it is suggested that the results of this study be published in Power Reactor Events.


1.0 INTRODUCTION

A review of the recent operational experience at U.S. nuclear power plants has revealed a significant number of events where human error resulted in the degradation or complete loss of a safety system. These errors have included component misalignment or switch mispositioning which, if undetected, could have compromised plant safety due to the loss of automatic function of a safety system. In the absence of timely operator action, undetected component misalignment or switch mispositioning could significantly delay plant recovery during an accident.

Four of the events, where the ability of a safety system to automatically perform its design function was compromised due to human error, are discussed in detail in this report.

2.0 DISCUSSION

2.1 D.C. Cook--Loss of the Engineered Safety Features Equipment Ventilation Exhaust System

2.1.1 Purpose of the System

The ESF equipment ventilation exhaust system prevents essential components (e.g., pumps) from overheating during normal and emergency operation, and ensures that radioactive aerosols leaking from the safeguards equipment following a loss-of-coolant accident (LOCA) are filtered prior to release to the environment. There are two 100% capacity trains. Each train consists of an air handling unit and one fan, which starts automatically when any component in the associated ESF train has started.

2.1.2 Event Description

On June 20, 1984, while D.C. Cook Unit 1 was in hot standby, it was discovered that both trains of the ESF equipment ventilation exhaust system were inoperable. During a performance test, the operable fan was made incapable of starting automatically after the other fan had been declared inoperable due to incomplete testing. The operable fan could not start automatically because its control switch had been placed in "STOP" instead of "AUTO". Both ESF equipment ventilation exhaust system trains were technically inoperable for nearly 12 hours.

2.1.3 Root Cause(s)

The error of putting the fan switch in "STOP" was caused by misinterpretation of D.C. Cook Surveillance Test Procedure (STP) 228, which prohibits the operation of the train which is not being tested to ensure that the air flow from this train does not interfere with the test being conducted on the other train. This was misinterpreted to mean "take the control switch to OFF," without the personnel realizing that this error inhibited the automatic start feature on the fan.

The inadequacy of D.C. Cook's STP 228 for conducting tests is noted in an NRC inspection report (Ref. 1). This report states that there are no initial conditions specified in this procedure, no applicable limiting condition for operation (LCO) referenced and no precautions included to aid the operators. The control room operators failed to recognize the technical specification violation by placing the only operable fan in the "OFF" position. In fact, this error was not detected during the subsequent shift turnover and panel walkdowns at 11:30 p.m. on June 20, 1984.

2.1.4 Licensee Response

In September 1984, the plant's emergency operating procedures (EOPs) were modified to include a step that the operators should verify after each ESF actuation that the associated ESF equipment ventilation exhaust fan has started.

2.1.5 Regulatory Action

Reference 1 discusses in detail the NRC's evaluation of this event. The root cause(s) of this occurrence was established during a followup by the NRC inspectors. A Notice of Violation was issued and a civil penalty was imposed.

2.2 D.C. Cook--Degradation of the Auxiliary Feedwater System

2.2.1 Purpose of the System

The auxiliary feedwater system (AFWS), consisting of two motor-driven auxiliary feedwater pumps (MDAFPs) and one turbine-driven auxiliary feedwater pump (TDAFP), provides, in the event of a loss or isolation of the main feedwater supply, sufficient feedwater to the steam generators to remove the residual heat in the primary coolant system. The system has adequate capacity to maintain the reactor at hot standby and then cool down the reactor coolant system (RCS) to the temperature at which the RHR system may be placed in operation. The AFWS is designed to start automatically on loss or isolation of the main feedwater supply.

2.2.2 Event Descriptions

Two separate events at D.C. Cook resulted in the degradation of the AFWS. They are described below:

Inoperability of the motor-driven auxiliary feedwater pumps. On August 8, 1984, during startup operations at D.C. Cook Unit 1, the MDAFPs were placed in "NEUTRAL" to prevent them from restarting while the main feed pumps were tripped. There were controls in the procedures to ensure proper switch lineup upon entry into the hot standby mode. However, there were no procedural controls to ensure that the switches were reset in "AUTO" after the steam generators were filled and maintained to the required levels. As a result of the switch mispositioning, the MDAFPs were rendered incapable of starting automatically.

In this event, both MDAFPs were rendered inoperable, intermittently, for a period not exceeding the 72-hour LCO. However, on August 8, it was discovered, as discussed below, that the unit's TDAFP was incapable of delivering full flow at its rated capacity as assumed in the safety analyses. Therefore, the plant's AFWS was technically inoperable while the MDAFPs were incapable of starting automatically on August 8.

Inoperability of the turbine-driven auxiliary feedwater pump. As mentioned earlier, on August 8, during an NRC audit of the in-service test (IST) program at D.C. Cook Unit 1, an NRC inspector questioned the ability of the TDAFP to fulfill its required safety function. The concern was regarding a procedural step which permitted a TDAFP governor valve setting of approximately 50%. It was suspected that this setting may not admit enough steam to the TDAFP to meet the plant's technical specification requirement of 700 gpm auxiliary feedwater flow rate at 1285 psig discharge pressure (LER 84-019). After subsequent testing and analysis, it was determined that at a 50% governor valve setting, the TDAFP could not meet the technical specification requirements. The pumps were declared inoperable at the 50% governor setting and the NRC Incident Response Center was notified that the plant had been operating in a condition that was outside the design basis of the plant.

Table 3.3.5 for D.C. Cook Technical Specification 3.3.2.1 requires a TDAFP response time of less than or equal to 60 seconds. Rated operating conditions for the TDAFP are 4350 rpm with a 900 gpm flow rate at a discharge pressure of 1184 psig. Upon receipt of an automatic start signal, the TDAFP should deliver the design flow at rated conditions within 60 seconds. As noted in Reference 1, during the surveillance test on August 8, 1984, a discharge pressure of 900 psig was observed. A discharge pressure over 1000 psig is required to inject water into the steam generators after a reactor trip. Subsequent testing confirmed that at 50% valve position, the required pump discharge pressure and flow would not have been obtained on an auto-start. To meet the design flow, a TDAFP governor valve setting of 85% for Unit 1 and 90% for Unit 2 is required. This was done and the pumps delivered the desired flow at the rated discharge pressure. Tests were conducted on August 18, 1984 to eliminate the concern that at these high governor settings, an auto-start signal may cause the pumps to trip on overspeed.

2.2.3 Root Cause(s)

Inoperability of the motor-driven auxiliary feedwater pumps. In the past, due to lack of well-defined procedures for the hot standby mode, the control switches on the MDAFPs were manipulated as needed to maintain the steam generator levels. After this incident, the operators were instructed to leave the switches in "AUTO" or "RUN" until this issue is resolved.

Regarding the inoperability of the MDAFPs, the NRC Inspector's interview with D.C. Cook Unit 1 operators stated that:

"...The practice of stopping the MDAFPs was based on two considerations. First, running the pump on recirculation heats up the condensate storage tank which is not considered to be advantageous from the pump performance standpoint. Second, the feed control valves had a history of leaking, and, at low steam generator pressures (just after entering Mode 3)* when no water was needed, the steam generators would continue to fill. These concerns had never received adequate attention by management and required operation of the AFW system in a manner that some operators knew was not in literal compliance with the Technical Specifications.

An additional Technical Specification problem noted by the inspector was the misconception on the part of several licensed operators that the ESFAS instrumentation operability requirements were considered separate and distinct from the pump operability requirements in determining compliance with Technical Specifications. The operators erroneously thought that the Technical Specifications were met so long as the auto-start features for a pump could be considered operable, even though the feature had been defeated." (Ref. 1)

* Hot standby.

Inoperability of the turbine-driven auxiliary feedwater pump. The cause of this inadequacy was lack of specific guidance in the surveillance test procedures regarding the final setting of the governor valve. The past revisions of the applicable procedures were reviewed. Investigation of the procedural step which permitted governor valve setting at 50% revealed that a revision to the procedures, dated August 8, 1978, instructed the operators to set the speed of the turbine to obtain a discharge pressure approximately 50 psig higher than the main feed pump discharge pressure. This corresponds to the 50% governor valve setting on the TDAFP. No reason for this change was documented. Originally, the test procedures were common to both units. In 1980, they were split into two unit-specific procedures without significant changes to the original procedure.

2.2.4 Licensee Response

After these events, the operators were instructed to leave the MDAFP switch in "AUTO" or "RUN" until this issue was resolved. The licensee requested NRR's permission to modify the applicable technical specifications to require the MDAFPs to be in "AUTO" or "RUN" only during startup and power operation. Also, the plant-specific procedures for both D.C. Cook units have been modified to reflect the appropriate governor valve settings for their respective TDAFPs.

The licensee also performed safety evaluations of the design basis main steam line break, loss of main feedwater accompanied by station blackout, and feedwater line break to show that at a 50% governor setting, the resulting reduction in the auxiliary feedwater flow did not adversely affect the public health and safety. However, we note that not all the assumptions of these evaluations were valid when the AFWS at D.C. Cook was technically inoperable. The following points are noted:

(1) Steam line break: In the safety analysis, the maximum delivery of auxiliary feedwater is assumed because it would maximize the RCS cooldown, thus leading to the worst overcooling transient. However, the 50% governor valve setting and the resultant reduction in the TDAFP flow delivery to the steam generators tends to mitigate the severity of the overcooling transient.

(2) Loss of normal feedwater/station blackout: The licensee contends that the auxiliary feedwater flow delivered to the two steam generators by one MDAFP is sufficient to provide the required heat removal capability. The TDAFP flow is not considered in the safety analyses. However, on August 8, 1984, when both MDAFPs were inoperable, the TDAFP flow corresponding to the 50% governor valve setting might not have been sufficient to meet the safety analyses requirements.

(3) Feedwater line break: This event is not a part of the D.C. Cook Unit 1 design basis but has been analyzed for Unit 2 assuming a maximum auxiliary feedwater flow rate. Westinghouse advised the licensee that the basic assumptions include a single failure of one MDAFP, leaving the other MDAFP and the TDAFP to provide the auxiliary feedwater to the steam generators. The August 8, 1984 event which occurred at Unit 1 did not violate any assumptions used in the safety analyses for this unit. However, the Unit 2 TDAFP governor valve was also discovered to be mispositioned. Therefore, under similar circumstances, the fundamental assumptions used for Unit 2 would not have been valid.

2.2.5 Regulatory Action

The adequacy of the TDAFP governor setting was questioned by the NRC inspector during the in-service test. The inspector followed up this issue. Tests were conducted to establish the inadequacy of the existing TDAFP governor valve setting and to determine the appropriate settings for the TDAFPs for both units. As a result of these tests, the plant-specific procedures were changed. Also, additional tests were conducted to confirm that no potential for overspeed trips existed at the newly established settings for the TDAFPs for both units.

The NRC issued a Notice of Violation and imposed a civil penalty concerning these two events which resulted in the inoperability of the AFWS at D.C. Cook Unit 1.

2.3 Kewaunee--Degradation of the Safety Injection System

2.3.1 Purpose of the System

The safety injection (SI) system, an emergency core cooling system, is designed to cool the core and provide shutdown capability through boron addition.

2.3.2 Event Description

On December 18, 1984, while the Kewaunee Nuclear Power Plant was at 100% power, the "BORIC ACID TANK OUT OF SERVICE" monitor light on the SI Status Panel was noticed to be "bright." Normally, this light is "dim," thus, the "bright" light suggested an abnormal condition. The control room supervisor examined the indications and learned that the boric acid tank (BAT) selector switch was in the "Tk A" position when actually Tank B was physically aligned to provide suction to the SI pumps. The selector switch was immediately returned to the correct position--indicating "Tk B." The mispositioning of the BAT selector switch would have prevented an automatic transfer of the SI pump suction to the refueling water storage tank (RWST) after the BAT had emptied.

In Figure 1, a simplified flow diagram of the Kewaunee SI system is illustrated. In normal operation, either of the manually operated valves SI-1A and SI-1B provide boric acid flow from the selected BAT to the pump suction. If an SI signal occurs, valves SI-2A and SI-2B (and normally open valve SI-3) will receive an OPEN signal. When the BAT level reaches 10%, the following happens:

(1) RWST provides suction to the SI pumps via open valves SI-4A and SI-4B, and
(2) Valves SI-2A and SI-2B close to prevent back flow to the BAT from the RWST.

[Figure 1. Flow Diagram of Emergency Core Cooling System--Kewaunee (diagram not reproduced in text)]

As indicated in the logic diagram (Figure 2), if the selector switch is in the "Tk A" position and valve SI-1B is open, the sequence of operations to open valves SI-4A and SI-4B, and to close valves SI-2A and SI-2B, cannot be completed if an SI signal is received. For valves SI-4A and SI-4B to open, the level indication from the appropriate BAT has to be consistent with the selected tank. If this condition is not met, the "BORIC ACID TANK OUT OF SERVICE" monitor becomes "bright" as an indication of the abnormal status.
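As an added illustration (not part of the AEOD report) of the transfer logic just described, the following Python model encodes the interlock in the report's own terms: the selector switch must agree with the tank physically aligned through SI-1A or SI-1B, only the selected tank's level feeds the 10% transfer permissive, and the "BORIC ACID TANK OUT OF SERVICE" monitor reads "bright" whenever the two disagree. It then replays the December 18, 1984 lineup (selector on "Tk A", SI-1B open) beside the corrected lineup and shows that in the mispositioned case the aligned tank drains to empty with no automatic transfer to the RWST. The valve names and the 10% setpoint come from the report; the data structures, function names, drain rate and the constructed tank levels are assumptions of this example.

```python
"""Simplified model of the Kewaunee SI pump suction transfer interlock.

Added example, not part of the AEOD report.  It encodes only what the
report's text states: the BAT selector switch must agree with the tank
physically aligned through SI-1A / SI-1B, the 10% low-level signal from the
*selected* tank is the permissive that opens SI-4A/4B and closes SI-2A/2B
after an SI signal, and the "BORIC ACID TANK OUT OF SERVICE" monitor is
"bright" whenever selector and lineup disagree.  Valve names and the 10%
setpoint are from the report; everything else (field names, tank levels,
drain rate) is an assumption of this example.
"""
from dataclasses import dataclass

TRANSFER_LEVEL_PCT = 10.0  # BAT level at which suction transfers to the RWST (from the report)


@dataclass
class SIState:
    selector: str             # BAT selector switch position: "Tk A" or "Tk B"
    si_1a_open: bool          # manual suction valve from BAT A
    si_1b_open: bool          # manual suction valve from BAT B
    bat_level_pct: dict       # indicated level of each tank, e.g. {"A": 60.0, "B": 60.0}
    si_signal: bool = False   # safety injection actuation present?
    si_2_open: bool = True    # SI-2A/2B (BAT to pump suction)
    si_4_open: bool = False   # SI-4A/4B (RWST to pump suction)


def aligned_tank(s):
    """Tank that physically supplies the SI pumps, judged from SI-1A/SI-1B."""
    if s.si_1a_open and not s.si_1b_open:
        return "A"
    if s.si_1b_open and not s.si_1a_open:
        return "B"
    return None  # both or neither open: no single aligned tank


def selected_tank(s):
    """Tank the control room believes is aligned, per the selector switch."""
    return {"Tk A": "A", "Tk B": "B"}[s.selector]


def monitor_bright(s):
    """'BORIC ACID TANK OUT OF SERVICE' is bright (abnormal) when selector and lineup disagree."""
    return aligned_tank(s) != selected_tank(s)


def step(s):
    """One evaluation of the transfer logic.  Returns True when transfer to the RWST completes."""
    if not s.si_signal:
        return False
    s.si_2_open = True                         # SI signal sends OPEN to SI-2A/2B
    level = s.bat_level_pct[selected_tank(s)]  # logic reads only the *selected* tank's level
    if level <= TRANSFER_LEVEL_PCT and not monitor_bright(s):
        s.si_4_open = True                     # RWST now supplies suction
        s.si_2_open = False                    # shut SI-2A/2B to stop backflow into the BAT
        return True
    return False


def simulate_drawdown(s, drain_pct=5.0, max_steps=40):
    """Drain the physically aligned tank until transfer occurs or it runs dry.

    Returns a dict: transferred (auto transfer completed), aligned_tank_empty
    (suction source exhausted with no transfer), monitor_bright (status light).
    """
    tank = aligned_tank(s)
    for _ in range(max_steps):
        if step(s):
            return {"transferred": True, "aligned_tank_empty": False,
                    "monitor_bright": monitor_bright(s)}
        if tank is None or s.bat_level_pct[tank] <= 0.0:
            break
        s.bat_level_pct[tank] = max(0.0, s.bat_level_pct[tank] - drain_pct)
    return {"transferred": False, "aligned_tank_empty": True,
            "monitor_bright": monitor_bright(s)}


def kewaunee_event_lineup():
    """Constructed replay of the December 18, 1984 lineup: selector on Tk A, Tank B aligned."""
    return SIState(selector="Tk A", si_1a_open=False, si_1b_open=True,
                   bat_level_pct={"A": 60.0, "B": 60.0}, si_signal=True)


def corrected_lineup():
    """Same lineup after the selector was returned to Tk B."""
    return SIState(selector="Tk B", si_1a_open=False, si_1b_open=True,
                   bat_level_pct={"A": 60.0, "B": 60.0}, si_signal=True)


if __name__ == "__main__":
    for name, lineup in (("mispositioned", kewaunee_event_lineup()),
                         ("corrected", corrected_lineup())):
        print(name, "monitor bright:", monitor_bright(lineup),
              simulate_drawdown(lineup))
```

Running the block prints both lineups side by side. What it adds to the text is the failure mode made concrete: in the mispositioned lineup the logic keeps watching Tank A's level, which never falls, while Tank B drains to empty, and the only observable difference between the two lineups before that point is the status light. That is why the report treats a subjective "dim"/"bright" indication as a root-cause contributor rather than a minor display issue.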

2.3.3 Root Cause(s)

This event was caused by a procedural deficiency and a lack of communication between plant personnel and the control room staff, and compounded by a deficient status display system in the control room. The cause of this switch mispositioning was twofold:

(1) The mispositioning occurred earlier in the day during repairs. Due to inadequate surveillance procedures, there was no explicit mention of the "desired position" of the BAT selector switch following the completion of the surveillance. Furthermore, no one was specifically assigned to sign off this step on the data sheet. There was no operator log entry to indicate the completion of the test. The Instrumentation and Control (I&C) Supervisor, however, signed off the test completion in his log and assumed that the control room operators were aware of the completion of the test. There was a lack of communication between the maintenance crew, the control room operators and the shift supervisor. Prior to the shift change, the operators verified the tank level to be greater than 60% as required and circled BAT 1B under the "BAT selected" entry on the check list. The shift turnover check list did not explicitly include verification of the monitor light to ensure that it was "dim."

(2) The situation was further complicated by the indication on the panel in the control room. The "BORIC ACID TANK OUT OF SERVICE" monitor light when "dim" is the only indication of the proper valve and tank alignment. The light is normally "dim"; if it is "bright," it indicates an abnormal status in the system lineup. The brightness of a "bright" or "dim" light is a subjective matter. It is also dependent on:

    the lighting in the room
    the type, batch and the age of the bulbs
    the age of the plastic status windows
    the age of the circuit resistor(s)

The status display system deficiencies were specifically noted in the Kewaunee Control Room Design Review (Ref. 2).

[Figure 2. Simplified Logic Diagram for HPSI Transfer from BAT to RWST--Kewaunee (diagram not reproduced in text)]

2.3.4 Licensee Response

In a subsequent investigation, the licensee recognized the seriousness of this event. However, the Shift Technical Advisor and the Shift Supervisor, initially, upon discovery of the mispositioned switch, did not consider this event to be immediately reportable because the misalignment of the SI system is covered in the plant's EOPs. They believed that the misalignment would have been corrected by the operators in response to an accident. Also, since the charging pumps and the RHR system were available, the licensee contends that under no conceivable accident situation will the SI pumps be needed to maintain the plant in a shutdown condition. The RHR system was available for long-term cooling.

All other ESF equipment was available to mitigate the consequences of an accident.

The licensee further contends that the severity of any accident while the SI system was degraded would have been minimized because of the availability of a 2-inch bypass line, expected operator action and non-safeguards systems (Ref. 2). Their specific arguments were that:

(1) The 2-inch suction line from the RWST to the SI pumps (200 gpm) is sufficient to provide the net positive suction head to the SI pumps (47 gpm is required). Thus, the potential problem of SI pump cavitation due to drawing on an empty BAT did not exist. This would have provided the operators enough time for manual operation in the event of a small, and possibly an intermediate, break LOCA.

(2) The SI pumps are not needed for a double-ended break. Operator action can depressurize the RCS to below 600 psi allowing the cold leg accumulators to inject into the RCS to make up for lost coolant inventory. Subsequently, the RHR system could be used for decay heat removal.

(3) The operators could manually align the SI system to the RWST before the SI pump suction could be lost in case of a small (or intermediate) break LOCA.

Therefore, there would have been a limited range of events for which, without operator action, the assumptions used in the safety analysis would not have been valid. Such events include LOCAs with break sizes smaller than those able to depressurize the primary coolant system to the accumulator injection setpoint, but large enough to cause partial depressurization of the RCS. Furthermore, there are several direct indications in the control room to enable the operators to manually transfer the SI pump suction to the RWST or to reposition the BAT selector switch to "Tk B" and allow the transfer to occur automatically (Ref. 2). The EOPs include appropriate steps with operator training.

After this incident, the licensee counseled all operations and maintenance personnel to emphasize the need for effective communications among plant staff. Applicable procedures were also upgraded.

2.3.5 Regulatory Action

The NRC Region III met with the licensee to review the event and the post-incident actions by the licensee. The NRC also informed other licensees of W (Westinghouse) PWRs of the safety implications of this occurrence. This event was also reported in Power Reactor Events (Ref. 3).


2.4 Other Operational Experience

A review of recent operating experience has shown that between 1981 and 1985, 55 other events occurred at U.S. nuclear power plants in which a switch mispositioning or a component misalignment compromised the automatic function of a plant safety system.

Of the 55 additional events, 50 (91%) occurred at PWRs and 5 (9%) took place at BWRs. Twenty-nine PWRs and five BWRs were involved in these events. D.C. Cook had eight events in addition to the three events discussed in detail in this report; four events occurred at Unit 1 and four at Unit 2. In this period, D.C. Cook Unit 1 had one event (involving a degradation of an ECCS) which had six similar occurrences between 1976 and 1980. Kewaunee had only one event. Four events occurred at Trojan and three each at Calvert Cliffs Unit 2, McGuire Unit 1 and St. Lucie Unit 1. Six other plants had two occurrences each, and 21 plants, besides Kewaunee, reported one event each.

The additional 55 events involved the degradation or complete loss of at least one of the following systems or functions:

    ECCS, 30 events (54%; SI 31% and RHR 23%),
    Containment Spray System, 8 events (15%),
    Reactivity Control Systems, 6 events (11%),
    AFWS, 4 events (7%),
    Emergency Power Source, 3 events (5%),
    Solid State Protection System, 2 events (4%),
    Component Cooling Water System, 2 events (4%).

Due to the limited scope of this study, we did not investigate these 55 events in detail to identify their root cause(s) that explain the fundamental reasons for the observed disparity between the PWRs and the BWRs. Our preliminary examination of the events suggests that the reasons for the observed differences in the two types of reactors may include, but not be limited to, the following:

(1) The reason for the large number of PWR events compared to BWR events can probably be traced to the fact that PWR safety systems require more manual operations to align safety systems than do BWRs. BWRs have more automatic features to align systems to their correct (safety) configuration than PWRs. This follows from a difference in design philosophy between the PWRs and BWRs. The BWRs were designed with extensive automatic switchover and interlocks. The PWRs rely much more heavily on operator manual actions for component/system alignments during all phases of operation including accidents.

(2) These 55 events occurred in the post-TMI era--between 1981 and 1985. It is possible that as a result of the post-TMI backfitting, the PWR systems became relatively more complicated; however, maintenance and surveillance procedures were not sufficiently upgraded to reflect all the systems modifications. As a result, there was more room left for possible errors in component alignment or system line-up verifications. Furthermore, the control room design reviews at several plants have revealed many deficiencies which, due to inadequate displays, may have, as in the event at Kewaunee, contributed to the component misalignment and subsequent degradation or complete loss of a safety system.

We recognize the significance of the observed performance of the two types of reactors. Considering the extent of efforts involved in reviewing the control room design of the contributing plants, examining the differences in the basic system designs in the two types of reactors, and assessing the impact of the regulatory history on U.S. commercial nuclear power, we believe that there is a definite need for additional efforts to establish the root causes for the disproportionately large number of events involving degradation or complete loss of safety systems at PWRs as compared to BWRs. We believe that only a separate study can do justice to this matter.

2.5 Safety Significance of the Events

2.5.1 D.C. Cook--Loss of ESF Equipment Ventilation Exhaust System

D.C. Cook Technical Specification 3.7.6.1 requires the operability of both trains from power operation through hot shutdown, but allows inoperability of one train for 7 days. When both trains are inoperable, Technical Specification 3.0.3 requires the plant to enter an action statement within 1 hour, be in hot standby in 6 hours, be in hot shutdown within the next 6 hours and be in cold shutdown in the next 24 hours. This technical specification was violated since the plant did not enter hot shutdown within 6 hours of discovery that both trains were inoperable.

The safety significance of this event was reduced by the fact that the fan which was not demonstrated to be operable was later found to be operable. This fan had also been operating during the period the other fan was inadvertently switched to "OFF." If needed, the operators could have turned the disabled fan "ON." It is important to note that at the time of the event, the EOPs did not require that the operators verify that the fan has started.

2.5.2 D.C. Cook--Degradation of the Auxiliary Feedwater System

Technical Specification 3.7.1.2 requires that during hot standby and power operation, three independent auxiliary feedwater pumps (AFPs)--two MDAFPs and one TDAFP--and the associated flow paths be operable. If one AFP is inoperable, then the action statement requires that this AFP be restored within 72 hours or the plant be in hot shutdown in the next 12 hours.

On August 8, 1984, the MDAFPs were capable of an auto-start on a safety injection signal and/or loss of voltage to the 4 kV bus. However, the low-low steam generator level and loss of main feedwater pump start signals were defeated.

On entering the hot standby mode, the two MDAFPs were inoperable due to mispositioned switches. At the time, the steam generators were approximately 60% full and the average temperature of the RCS was slightly above 350°F. Since there was very little decay heat to be removed, and there was adequate residual heat removal capability under the existing plant conditions, there was minimal safety significance in defeating the two aforementioned start signals. However, the plant operating staff failed to recognize this violation, which continued to exist through a shift turnover; thus the violation continued as the RCS continued to heat up. The NRC inspectors noted that the licensee's response in this matter was not prompt and there were no immediate corrective actions to assure compliance with applicable technical specifications (Ref. 1).

The condition of the TDAFP governor valve setting at 50% existed intermittently since August 1978. However, the plant procedures specifically require the verification of feedwater flow to the steam generators following the safety injection and, in the past, the operators have routinely adjusted the auxiliary feedwater flow following a reactor trip to control the plant cooldown. Therefore, if needed, the system function could have been restored through operator action.

No similar reported events in the recent past involving the degradation of the AFWS were found.

2.5.3 Kewaunee--Degradation of the Safety Injection System

The mispositioning of the BAT selector switch at Kewaunee resulted in a violation of the plant's technical specifications and presented a potential safety concern. Upon demand, without operator action, the lack of automatic transfer of SI pump suction to the RWST upon low-low BAT level would have resulted in an inadequate supply to the high head safety injection pumps. There would have been a limited range of events for which, without the operator action, the assumptions used in the safety analysis would not have been valid. However, the seriousness of this event was significantly reduced due to possible operator action and the available design features discussed in Section 2.3.4. Furthermore, all the ESF equipment was operational to mitigate the consequences of an accident and the RHR system was available for long-term cooling.

3.0 FINDINGS

(1) A review of recent operating experiences at U.S. nuclear power plants has shown that many events have occurred which compromised the automatic function of the safety systems. In most cases, the occurrences were caused by human error and complicated by inadequate component/subsystem status indication(s).

(2) On August 8, 1984, the low-low steam generator level and loss of main feedwater pump auto-start signals for the MDAFPs were defeated, rendering the two MDAFPs inoperable. The licensee failed to recognize this violation, which continued to exist through a shift turnover, and the potential significance of the violation continued to increase as the RCS continued to heat up.

(3) The Kewaunee incident involving degradation of the safety injection system resulted in a technical specification violation lasting several hours. The mispositioned BAT selector switch went undetected for several hours.

(4) In our review of recent operational data at other U.S. plants similar to the events discussed in detail in this report, we found unusually large numbers of reported occurrences at the PWRs as compared to the BWRs. However, we did not examine the cause(s) for this disparity.

We believe that the basic system design difference and the post-TMI backfitting may be possible explanations, among others, for the observed disparity between the two types of reactors. A separate study would be needed to investigate this disparity.

4.0 CONCLUSIONS

(1) The events at D.C. Cook and Kewaunee described here and other similar events examined during the course of this study demonstrate the fact that a personnel error can result in the degradation of a safety system. Undetected mispositioning of the control/selector switch, and/or valve/component misalignment, could result in a loss of automatic controls and, in the absence of timely operator intervention, could delay plant recovery during an accident. Specifically:

  • The June 20, 1984 event at D.C. Cook involving the loss of an ESF equipment ventilation exhaust fan demonstrated the fact that during maintenance and surveillance activities, the licensees need to exert more caution in manipulating the controls on safety components to ensure that the redundant trains are not lost.

  • During the August 8, 1984 event when the MDAFPs at D.C. Cook were inoperable, there was adequate decay heat removal capability under the existing plant conditions. Therefore, there was little safety significance in defeating the two auto-start signals.

  • The condition of the TDAFP governor valve setting at 50% existed at D.C. Cook, off and on, perhaps since August 1978. However, the plant procedures specifically required the verification of feedwater flow to the steam generators following the safety injection and, in the past, the operators have routinely adjusted the auxiliary feedwater flow following a reactor trip to control the plant cooldown. Based on these factors, it is concluded that on August 8, 1984, the auxiliary feedwater system was technically inoperable; however, the safety function of the system could have been preserved through reasonable operator action.

  • In the December 18, 1984 event at Kewaunee, there were several missed opportunities to detect the mispositioned BAT selector switch. However, the seriousness of this event was significantly reduced due to the availability of a 2-inch bypass line and the expected operator action. Furthermore, all the ESF equipment was operational to mitigate the consequences of an accident and the RHR system was available for long-term cooling.

(2) Based on our review of the additional 55 operational events during the course of this study, the following conclusions are drawn:

  • From the human factors point of view, local manual action required to restore the component/subsystem of a safety system should be kept to a minimum.

  • It is important that the procedures are complete and that they have adequate steps to ensure proper component/subsystem alignment.

  • The impact of switch repositioning on the redundancy of the safety system or its capacity to automatically start should be evaluated carefully during each surveillance or maintenance operation.

  • Independent verification should be made an integral part of all surveillance and maintenance procedures to ensure satisfactory completion of surveillance and maintenance activities.

  • Appropriate system status display would be beneficial.

  • It is crucial that appropriate log entries are made of all ongoing repairs and that the status of all repairs/maintenance jobs is made available during shift turnovers, to ensure that the control room operators are always aware of work initiated during the previous shift and its current status.

  • The need for effective communications between operations staff and maintenance personnel should be greatly emphasized.

5.0 SUGGESTIONS

This review of the recent operational data indicates that several U.S. nuclear power plants have had a variety of events involving the loss of automatic function of a safety system due to a mispositioned switch or a misaligned component. In these events, the error was discovered prior to a demand on the safety system. However, had there been a demand, then in the absence of timely operator intervention, these errors, if uncorrected, would have delayed plant recovery during an accident.

It is suggested that the results and findings of this study be published in Power Reactor Events. This will make the licensees of the U.S. nuclear power plants aware of the events caused by human error involving switch mispositioning or component misalignment which could have compromised plant safety due to the loss of automatic function of a safety system and failure to meet its design requirements. The need for adequate surveillance and maintenance procedures, effective communications between plant personnel, and the importance of independent verification should be emphasized in this proposed Power Reactor Events article.

Finally, in our review of the recent operational data at other U.S. nuclear power plants, we observed a large number of reported occurrences (similar to the events discussed in detail in this report), roughly in the ratio of 9:1, at the PWRs as compared to the BWRs. However, we did not make an effort to establish the cause(s) for this observed disparity. It is suggested that AEOD should initiate a separate study to examine the disparity between the loss of specific system functions at the two types of reactors. Such a study may provide some additional important insights into the root cause(s) of the observed disparity.

6.0 REFERENCES

1. U.S. NRC Region III Inspection Reports 50-315/84-18 and 50-316/84-20.
2. Testimony of Wisconsin Public Service Co. Management during Enforcement Conference with U.S. NRC Region III on January 7, 1985.
3. Power Reactor Events, Vol. 7, No. 2.
