05000260/LER-2001-003

From kanterella
Revision as of 10:11, 27 November 2017 by StriderTol (talk | contribs) (Created page by program invented by StriderTol)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search
LER-2001-003,
Event date:
Report date:
Reporting criterion: 10 CFR 50.73(a)(2)(iv)(A), System Actuation
2602001003R00 - NRC Website

NAME

Steve Austin, Licensing Engineer TELEPHONE NUMBER (Include Area Code) (256) 729-2070 COMPLETE ONE LINE FOR EACH COMPONENT FAILURE DESCRIBED IN THIS REPORT 113)

CAUSE SYSTEM COMPONENT MANUFACTURER REPORTABLE TO

NPRDS

.:.:

, .

CAUSE SYSTEM COMPONENT MANUFACTURER REPORTABLE

TO NPRDS

.,

  • .

...

SUPPLEMENTAL REPORT EXPECTED (14) I EXPECTED

SUBMISSION

MONTH DAY YEAR

YES

(If yes, complete EXPECTED SUBMISSION DATE).

X DATE (15)

NO

ABSTRACT (Limit to 1400 spaces, i.e., approximately 15 single-spaced typewritten lines) 116) On July 25, 2001, at 1047 hours0.0121 days <br />0.291 hours <br />0.00173 weeks <br />3.983835e-4 months <br /> Central Daylight Time (CDT) Unit 2 received an automatic scram from 100 percent power due to a main turbine trip from a power-load unbalance that occurred during Combined Intermediate Valve (CIV) testing. Vendor (General Electric Global Services) developed software contained a numerical error that resulted in an inadvertent turbine trip. The reactor scam caused the water level to go below the low level setpoint (level 3) which generated an additional scram signal and initiated Primary Containment Isolation Signals. All systems responded as expected and all control rods fully inserted. The root cause of this event was a weakness in the process for procurement of non-safety related SSCs that potentially impact generation. TVA will review procedures controlling software requisition, and revise as necessary, the requirements for non-safety related software that potentially impacts generation. TVA is reporting this event in accordance with 10 CFR 50.73(a)(2)(iv)(A), as an event that resulted in manual or automatic actuation of any systems listed in paragraph (a)(2)(iv)(B), (i.e., Reactor Protection System (RPS) including reactor scram or reactor trip).

FACILITY NAME 11) DOCKET � LER NUMBER (6) PAGE (3)

PLANT CONDITION(S)

At the time of the event, Units 2 and 3 were at 100 percent power. Unit 1 was shutdown and defueled.

II. � DESCRIPTION OF EVENT

A. Event:

On July 25, 2001, at 1047 hours0.0121 days <br />0.291 hours <br />0.00173 weeks <br />3.983835e-4 months <br /> Central Daylight Time (CDT) Unit 2 received an automatic scram from 100 percent power due to a Main Turbine [TA] trip that occurred during the Combined Intermediate Valve (CIV) [SB] testing portion of Operating Instruction, Turbine Generator System, 2-01-47. The reactor scram caused the reactor water level to go below the low level setpoint (level 3) which generated an additional scram signal and initiated a Primary Containment Isolation System (PCIS) [JE] signal. The low water level also initiated the Standby Gas Treatment (SGT) [BH] and Control Room Emergency Ventilation (CREV) [VI] Systems.

Following the initial pressure transient, which peaked at 1148 psig, eight (8) Main Steam Relief Valves [RV] opened. Reactor pressure was subsequently controlled with the Main Steam System Bypass Valves [PCV]. Reactor water level was maintained by the Feedwater Level Control System. Subsequent to the scram, reactor water level was being controlled by the Feedwater [SJ] System, and the normal heat removal path was maintained through the Main Condenser. All systems responded as expected. At 1050 hours0.0122 days <br />0.292 hours <br />0.00174 weeks <br />3.99525e-4 months <br /> CDT, Operations reset PCIS.

By 1100 hours0.0127 days <br />0.306 hours <br />0.00182 weeks <br />4.1855e-4 months <br /> CDT, Operations reset the reactor scram, and secured SGT and CREVS.

As a result of the low reactor water level and high reactor pressure, Operations briefly entered Emergency Operating Instruction, Reactor Pressure Vessel Control. The scram resulted in the expected automatic actuation or isolation of the following PCIS systems and components.

  • PCIS group 8, Traverse lncore Probe (TIP) [1G].

This event is reportable in accordance with 10 CFR 50.73(a)(2)(iv)(A), as an event that resulted in an automatic actuation of the systems listed in paragraph (a)(2)(iv)(B) (i.e., Reactor Protection System including: reactor scram or reactor trip).

FACILITY NAME (1) DOCKET LER NUMBER (6) PAGE (3) 2001 -- 003 -- 00 B. Inoperable Structures, Components, or Systems that Contributed to the Event:

None.

C. Dates and Approximate Times of Major Occurrences:

July 25, 2001, at 1047 hours0.0121 days <br />0.291 hours <br />0.00173 weeks <br />3.983835e-4 months <br /> CDT Operations receive a turbine trip and reactor scram during Combined Intermediate Valve testing.

July 25, 2001, at 1100 hours0.0127 days <br />0.306 hours <br />0.00182 weeks <br />4.1855e-4 months <br /> CDT Operations reset the scram and PCIS isolations. They secured SGT and CREV.

July 25, 2001, at 1430 hours0.0166 days <br />0.397 hours <br />0.00236 weeks <br />5.44115e-4 months <br /> CDT TVA made a four hour non-emergency report per 10 CFR 50.72(b)(iv)(B) and an eight hour non-emergency report per 10 CFR 50.72(b)(3)(iv)(A).

D. Other Systems or Secondary Functions Affected

None.

E. Method of Discovery

Operations received alarms indicating a turbine trip and subsequent reactor scram occurred.

F. Operator Actions

Operations personnel responded to the event in accordance with applicable plant procedures.

G. Safety System Responses

All required safety systems operated as designed.

Ill. C CAUSE OF THE EVENT

A. Immediate Cause

Vendor (General Electric Global Services) developed software contained a numerical error that resulted in an inadvertent turbine trip.

B. Root Cause

The root cause of this event was a weakness in the process for procurement of non-safety related SSCs that pose a risk to generation. The process used to procure and test non-safety related equipment, particularly software and software controlled systems, does not differentiate between those items that potentially impact generation and those items that are less important.

The Electro-Hydraulic Control (EHC) [JI] software is non-safety related. As such, the contract FACILITY NAME (1) DOCKET LER NUMBER (61 PAGE (3) Browns Ferry Nuclear Plant - Unit 2 05000260 with the vendor did not require a structured validation and verification process. The purchase specification required the vendor to apply his software quality assurance plan which included use of the vendor's software validation and verification program. The specification did not require the level of review, or independence of the review, that would have been necessary to identify the software error.

C. Contributing Factors

None.

IV. ANALYSIS OF THE EVENT

The turbine trip signal was generated from an erroneous power-load unbalance signal within the Electro-Hydraulic Control (EHC) System. The power-load unbalance feature is designed to initiate a turbine trip when the difference between electrical load and turbine load exceeds 40 percent of rated power. This is accomplished by micro-processor software that subtracts indicated generator output power (normalized to 100 percent of rated) from indicated turbine intermediate pressure (normalized to 100 percent power). When the difference between these two signals exceeds 40 percent, a power-load unbalance signal is generated. The purpose of the trip is to mitigate turbine overspeed in the event of sudden loss of electrical load.

The erroneous power-load unbalance signal was caused by an incorrect numerical value within the EHC controller software used to normalize generator output power signals. The generator output power signal was divided by 1.5 instead of the correct 1.15. This resulted in a lower normalized generator output and a 24 percent base mismatch between electrical output and turbine load at 100 percent power when calculating the power-load unbalance signal. The incorrect value was introduced by the vendor in the original development of the software and was not revealed during the software verification and validation process conducted by either the vendor or TVA. This number was established based upon the range of the power transducers supplied by the vendor (0- 1500 Megawatts electric (MWe) rather than BFN specific rated output of 1150 MWe. Vendor checking and verification, with sufficient rigor and independence, should have identified an invalid constant value. Because it was not required by the TVA contract, this value was not independently verified by the vendor, Testing performed on July 25, 2001, closed the number 1 CIV which raised pressure in the crossover piping upstream of the CIV which is where the turbine intermediate pressure is sensed. Closing a CIV also results in lowering of the generator output power which results in a lowering of the Generator Megawatt signals to the EHC System. The anticipated result of this testing is a small sensed power-load unbalance that should not exceed the trip setpoint of 40 percent mismatch. However, when the effects of this test are applied with an additional unidentified base mismatch of 24 percent, the result would closely approach a power-load unbalance turbine trip. Pre-installation testing, post-modification testing, and several CIV tests during power operation prior to this event, approached but did not reach the trip setpoint and therefore, the error was not discovered earlier.

V. ASSESSMENT OF SAFETY CONSEQUENCES

The scram from turbine trip is an analyzed transient for which the plant is designed. Control rod insertion was accomplished as designed. The reactor water level was maintained well above the FACILITY NAME 111 DOCKET LER NUMBER (6) � II PAGE (3) Browns Ferry Nuclear Plant - Unit 2 05000260 2001 -- � 003 -- � 00 top of active fuel by the Feedwater System and pressure was maintained below design by the MSRVs and the Turbine Bypass valves. No emergency make up was required. All safety functions performed as expected.

Based on the above, it is concluded that there is no adverse impact on safety as a result of this event.

VI. CORRECTIVE ACTIONS

A. Immediate Corrective Actions

Operations personnel responded to the event in accordance with Abnormal Operating Procedure, Reactor Scram. Emergency Operating Procedure, Reactor Pressure Vessel was taken to Mode 3, Hot Shutdown.

B. Corrective Actions to Prevent Recurrence

TVA will review procedures controlling software requisition, and revise as necessary to clearly detail the appropriate software procurement, and validation and verification requirements for non-safety related software that potentially impacts generation'.

VII. ADDITIONAL INFORMATION

A. Failed Components

None.

B. Previous LERs on Similar Events None.

C. Additional Information

None.

1 TVA does not consider this corrective action a regulatory commitment. The completion of this item will be tracked in TVA's corrective Action Program.

FACILITY NAME 11) DOCKET LER NUMBER 16) PAGE (3) D. Safety System Functional Failure/Scram With Loss Of Normal Heat Removal:

This event did not result in a safety system functional failure in accordance with NEI 99-02.

The main condenser was available providing a normal heat removal path following the scam.

Accordingly, this event did not result in a scram with a Loss Of Normal Heat Removal as defined in NEI 99-02.

VIII. COMMITMENTS

None.

Energy Industry Identification system (El IS) system and component codes are identified in the TEXT with brackets (i.e., [XX]).