05000382/LER-2002-002

From kanterella
Revision as of 23:57, 30 November 2017 by StriderTol (talk | contribs) (Created page by program invented by StriderTol)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search
LER-2002-002, Reactor Trip Circuit Breakers Rendered Inoperable During Response Time Testing
Waterford Steam Electric Station, Unit 3
Event date:
Report date:
Reporting criterion: 10 CFR 50.73(a)(2)(i)(B), Prohibited by Technical Specifications
3822002002R00 - NRC Website
v  d  e

REPORTABLE OCCURRENCE

Reactor trip circuit breaker response time testing was being performed in accordance with an approved maintenance procedure. The procedure required the installation of jumpers that bypass the actuation signals for the undervoltage trip function for the eight breakers simultaneously. A reactor trip circuit breaker is considered inoperable when either the undervoltage or shunt trip devices are not functional. This condition is being reported pursuant to 10CFR50.73(a)(2)(i)(B) as a condition prohibited by Technical Specifications (TS), since the channels were inoperable for more than four hours, which is beyond the allowed outage time of one hour specified in TS 3.0.3.

INITIAL CONDITIONS

Upon discovery of this event, Waterford 3 was operating in mode 1 at 100% reactor power. There were no major systems, structures or components that were inoperable at the time of discovery that contributed to the condition.

BACKGROUND INFORMATION

Procedure Ml-003-207, "Reactor Protective System Response Time Test," approved on December 12, 1982 provided instructions for performing Reactor Trip Breaker Response Time Testing. The purpose of this procedure, in part, was to measure Reactor Protection System (RPS) [JC] logic response time in accordance with TS surveillance 4.3.1.3. The intent was to test the response time of each Reactor Trip Breaker by independently testing each undervoltage and shunt trip device.

The procedure allowed performance of the test in any plant mode. The procedure directed installation of jumpers in the eight undervoltage relay circuits followed by testing of the breakers one channel at a time. The technician performing the test considered the breakers operable, as the shunt trip device was available to trip the breaker on demand. A technical review and safety evaluation screening were independently performed. No affect on licensing basis documents was identified. Plant Operations Review Committee (PORC) review and approval was obtained. There was no cross discipline review performed by Operations Department personnel. Personnel associated with the procedure development and review process did not have detailed knowledge of the Technical Specifications associated with Reactor Trip Circuit Breakers.

MI-003-207 was revised in 1990 to remove subsections and make the procedure more manageable. This resulted in development and approval of procedures for the removed subsections. MI-003-222, "Matrix Response Time Verification for Reactor Protection System and Engineered Safety Features Actuation System," was developed and approved on August 24, 1990 to replace the Reactor Trip Breaker Response Time testing section removed from MI-003-207.

The testing methodology was not questioned during the review and approval process and remained consistent with the previous procedure MI-003-207.

The surveillance was first performed on-line in 1995 prior to Refuel Outage 7. The earlier surveillances performed during refueling outages had no impact on operability because Reactor Trip Circuit Breakers were not required when the surveillance was performed. A review of the surveillance procedure failed to identify the impact on operability of the breakers when the decision was made to perform the surveillance online.

EVENT DESCRIPTION

The task to perform reactor trip circuit breaker response time testing was scheduled to occur on February 4, 2002. In preparation for writing an impact statement at the T-3 work-week, the Work Control Supervisor met with the l&C Coordinator and an l&C Technician to discuss the procedure methodology. A general discussion occurred describing the procedure steps; however, there was no discussion about the initial setup of the surveillance.

The technicians performed a package walkdown on January 28, 2002. A pre-job brief occurred on January 31, 2002 at approximately 0600 in the maintenance shop. The technicians informed the control room at 0630 on February 4, 2002 that the job was to be performed on day shift. The work control center opened the package at 0645. The work control center questioned the methods of the maintenance procedure. The technicians provided a general overview of the procedure. The overview did not include discussion about the jumpers or lifted leads.

A shift briefing, led by the Control Room Supervisor, was held in the Control Room at 0730. The participants included the Shift Manager, Control Room Supervisor, Secondary Reactor Operator, Shift Technical Advisor, and an l&C Technician. The briefing included discussions about test methodology including the importance of testing one channel at a time and resetting prior to moving to the next channel. The need to install optical sensors on the four channels was also discussed. The briefing did not include a discussion about bypassing the undervoltage devices for any Reactor Trip breakers, although the maintenance procedure required this action. The control room personnel were informed that this test would be similar to performance of Operations Procedure OP-903-107, "Plant Protection System Channel A & B & C & D Functional Test," matrix test that is performed quarterly, except that in this case the optical sensors would be installed to perform timing of the actuation. It was identified during the brief that the test had been previously performed on-line. Other discussion included Technical Specifications entry and contingencies for unexpected conditions.

Control Room personnel entered TS 3.3.1 and 3.3.2 at 0840 prior to commencing the surveillance.

The l&C technician obtained keys for the four channels of the Plant Protection System (PPS) cabinets to begin the test. The technician then installed jumpers for the undervoltage actuation relay circuits for the eight Reactor Trip Breakers. The technicians installed optical pickups in the eight reactor trip breaker indicating light circuits to support timing of trip devices. The optical pickups have no impact on breaker operability.

The technicians performed the shunt trip test portion of the procedure one channel at a time and ensured each channel was reset prior to moving to the next channel. After the shunt trip test was completed, the technicians removed the jumpers from the undervoltage actuation relays.

The technicians then began lifting leads to disable the shunt trip devices for the eight reactor trip breakers in preparation for performance of the undervoltage device test. The technician successfully lifted leads for breakers 1 and 5. While in the process of lifting the lead for breaker 2, the technician was informed by Control Room personnel to halt the test due to an unanticipated annunciator.

The Control Room Supervisor investigating the alarm questioned the l&C technicians regarding the step of the procedure that was being performed when the alarm was received. The I&C technicians stated that they were lifting leads in accordance with the procedure. The Control Room Supervisor continued to investigate and discovered that the procedure also required jumpers to be used. By verifying the jumper locations, the Control Room Supervisor determined that the surveillance, as performed, rendered the Reactor Trip Breakers technically inoperable. The technicians performing the test believed that the breaker would still function because the shunt trip was available. Review of the sequence of events attached to the Condition Report indicated that the undervoltage trip devices were bypassed for more than four hours. The Control Room Supervisor stopped the test and had the plant restored to a normal configuration.

CAUSAL FACTORS

Root Cause

A Latent Organization Weakness was discovered in the initial procedure development, review and approval process of Ml-003-207. The procedure directed installation of jumpers for the undervoltage trip devices to allow testing of the shunt trip device. The procedure also directed lifting leads for the shunt trip devices to allow testing of the undervoltage trip devices. These steps rendered the Reactor Trip Breaker channels inoperable concurrently. This weakness was carried forward into new procedure Ml-003-222. The errors made in the initial development of the procedure were not recognized during subsequent reviews of the procedure and performance of this surveillance since 1982.

CORRECTIVE ACTIONS

Immediate Actions:

  • The system was restored to normal configuration.
  • Control Room evaluated implication of TS 3.0.3 and issued a condition report.
  • Established Significant Event Response Team to evaluate process and determine corrective actions to prevent recurrence.

Interim Actions:

Operations Work Control Center assigned designated licensed personnel to thoroughly review maintenance procedures and work instructions associated with work packages prior to opening work packages. This review includes particular emphasis on multiple trains and TS implications.

This is an interim action until long term corrective actions are identified and implemented.

Corrective Actions to Prevent Recurrence:

  • Ml-003-222 was revised to ensure that only one trip path is tested at a time. This includes bypassing the undervoltage or shunt trips one trip path at a time.
  • Other corrective actions, including issues such as training, review of other tasks that may have the same vulnerability, and improvements in the impact statements developed during the work control process, have been initiated and are being tracked via the corrective action program (reference CR-WF3-2002-0200).

SAFETY SIGNIFICANCE

The function of the reactor trip breakers is to open on a valid reactor trip signal interrupting power to the Control Element Assembly (CEA) drive mechanisms. This results in the CEAs inserting into the core, providing negative reactivity to shutdown the nuclear reaction. Each breaker is tripped simultaneously by an undervoltage relay, which functions on a loss of control power, or a shunt device, that is energized to actuate. This design provides redundancy and diversity in the trip breaker operation.

CR-WF3-2002-0200 identifies that the response time testing surveillance procedure required installation of jumpers affecting the undervoltage devices for the breakers simultaneously during shunt trip testing and then leads to be lifted on the shunt trip devices during undervoltage testing.

The impact of this condition eliminated the redundancy provided by the undervoltage and shunt trip devices. However, the reactor trip breakers would still have been able to perform their function during this condition. When the actuation signals for the undervoltage devices for the breakers were jumpered, the shunt device was operable and would have tripped the breaker on a valid reactor trip actuation signal. Loss of voltage to the undervoltage device would also have initiated a reactor trip. Similarly, when the shunt devices for the breakers were disabled, the undervoltage device would have functioned to open the breaker on a valid reactor trip signal. A single failure of any one breaker would not have prevented a reactor trip due to the logic configuration of the eight breakers.

The risk impact of this condition was quantified using the anticipated transient without scram (ATWS) event tree in the risk model. This evaluation conservatively assumes that the condition exists for 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> every 18 months while response time testing is being conducted. The Diverse Reactor Trip System (DRTS) is credited since this initiates reactor trip in a manner diverse from the reactor trip breakers (removing power from the motor generators that holds the CEAs above the core). The dominant scenario contributing most to the risk is a common cause failure of the undervoltage devices when the shunt trip is bypassed. The instantaneous change in core damage frequency during performance of the response time testing is about 1.5E-6. Assuming the condition exists for 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> every 18 months, this results in an increase in the average core damage frequency of 1.4E-9. This is a negligible risk increase.

Therefore, the condition identified in this LER results in negligible risk impact and has minimal safety significance. This event is not considered a Safety System Functional Failure (SSFF).

SIMILAR EVENTS

Searches were performed via Waterford 3's Plant Condition Reporting System (PCRS) using the keyword "Reactor Trip Breaker". Two hits referenced testing methodology. Both of these issues discussed the failure of the manual pushbutton test to adequately test the shunt trip circuit. In dispositioning these Condition Reports, the review focused on the functional test performed via the Operations surveillance procedure. The Maintenance procedure used to perform response time testing was not reviewed.

Information Notice 84-37 detailed an applicable event at Sequoyah Unit 1 in September, 1983.

Both trains of the automatic actuation logic for reactor trip were made inoperable when the undervoltage coils of the reactor trip breakers were jumpered with the breakers closed and the control rods capable of withdrawal. A procedural error in the manual reactor trip functional test called for placing jumpers on the undervoltage coils and closing the reactor trip breakers thus defeating both trains of automatic reactor trip logic. Waterford 3's review of this document focused on the general control of lifted leads and jumpers and did not specifically review maintenance procedures for this specific event.

A review of LER 2002-001 identified a similar condition where tasks moved from offline maintenance to online maintenance were not adequately evaluated for impact on operability. Corrective action document CR-2002-0552 has been generated to address this issue.

ADDITIONAL INFORMATION

Energy Industry Identification System (EIIS) codes are identified in the text within brackets [ ].

Retrieved from "https://kanterella.com/w/index.php?title=05000382/LER-2002-002&oldid=202998"