05000346/LER-2016-008
Davis-Besse Nuclear Power Station, Unit 1 | |
Event date: | |
---|---|
Report date: | |
Reporting criterion: | 10 CFR 50.73(a)(2)(i)(B), Prohibited by Technical Specifications |
Initial Reporting | |
ENS 52079 | 10 CFR 50.72(b)(2)(i), Tech Spec Required Shutdown |
3462016008R01 - NRC Website | |
ML17060A239 | |
Person / Time | |
---|---|
Site: | Davis Besse |
Issue date: | 02/27/2017 |
From: | Boles B D FirstEnergy Nuclear Operating Co |
To: | Document Control Desk, Office of Nuclear Reactor Regulation |
References | |
L-16-280 LER 16-008-01 | |
Download: ML17060A239 (8) | |
used to impose an information collection does not display a currently valid OMB control number, the NRC may not conduct or sponsor, and a person is not required to respond to, the information collection.
Energy Industry Identification System (EIIS) codes are identified in the text as [XX].
DESCRIPTION OF OCCURRENCE:
System Description:
The Safety Features Actuation System (SFAS) [JE] at the Davis-Besse Nuclear Power Station (DBNPS) is designed to automatically prevent or limit fission product and energy release from the core, to isolate the containment vessel and to initiate the operation of Engineered Safety Features equipment in the event of a loss of coolant accident and main steam line break. The SFAS operates in a distributed manner to initiate the appropriate systems. The SFAS does this by determining the need for actuation in each of four channels monitoring each actuation parameter. Once the need for actuation is determined, the condition is transmitted to automatic actuation logics, which perform the two-out-of-four logic to determine the actuation of each end device. Four plant parameters are used for automatic SFAS actuation. The fifth parameter, the Borated Water Storage Tank (BWST) [BP-T] Level — Low Low, is used to provide a permissive to allow manual transfer from the BWST to the containment emergency sump.
The SFAS consists of four identical redundant instrument (sensing) and logic channels and two identical redundant actuation channels, and each instrument channel includes trip bistable modules with digital isolation devices. The isolated output of the trip bistable module is used to comprise coincidence matrices with the terminating relays within the actuation channel of the SFAS. The trip bistables monitor the station variables and normally feed continuous electrical (fail-safe) signals into two-out-of-four coincidence matrices.
Should any of the station variables exceed their trip setpoints, the corresponding bistables in each of the four channels will trip and cease sending output signals. If two of the four channel bistables monitoring the same station variable cease to send output signals, the corresponding normally-energized terminating relays on all channels will trip.
The SFAS is a fail-safe, de-energize to trip, system. Therefore, if the power supply to a channel is lost, that channel will trip, reducing the system coincidence matrices from two-out-of-four to one-out-of-three mode.
The terminating relays of sensing and logic channels 1 and 3 must both be de-energized to activate safety actuation channel 1. Similarly, sensing and logic channels 2 and 4 must both be de-energized to activate safety actuation channel 2. The terminating relays (also known as output relays) [JE-RLY] act on the actuation control devices such as motor controllers and solenoid valves.
The BWST supplies borated water for emergency core cooling via the Decay Heat Removal/Low Pressure Injection (LPI) System [BP] and High Pressure Injection (HPI) System [BJ], and as a source of borated water for the Containment Spray System [BE]. During accident conditions, the BWST provides containment cooling and depressurization, core cooling, and replacement inventory and is a source of negative reactivity for reactor shutdown. The BWST ensures that an adequate supply of borated water is available to cool and depressurize the containment in the event of a Design Bases Accident (DBA); to cool and cover the core in the event of a Loss of Coolant Accident (LOCA); and to ensure an adequate level exists in the containment sump to support ECCS and containment spray pump operation in the recirculation mode.
The BWST level is monitored by four independent level transmitters. Each of the differential pressure signals generated by these transmitters is monitored by a bistable to provide a trip signal at a low low level. The BWST allowable value of greater than or equal to 101.6 inches of water and less than or equal to 115.4 inches of water was chosen to provide the operator with an alarm and a permissive to allow timely operation of the BWST outlet and containment emergency sump valves to the long term recirculation position. This is to protect the pumps from cavitation for lack of proper net positive suction head and allow transfer of ECCS suction to the containment emergency sump from the BWST during the recirculation mode of operation before the inventory of the BWST is depleted.
Technical Specification(s):
Technical Specification (TS) Limiting Condition for Operation (LCO) 3.3.5 requires four channels of SFAS instrumentation for each parameter to be operable in each SFAS train. Failure of any instrument renders the affected channel(s) inoperable and reduces the reliability of the affected parameter and affected systems or components. With one or more parameters with one channel inoperable, Condition A requires one channel be placed in trip in one hour. With one channel placed in trip in an hour and Condition A not met, or one or more parameters with two or more channels rendered inoperable, Condition B requires the unit to be in Mode 3 in 6 hours and Mode 5 within 36 hours.
DESCRIPTION OF EVENT:
On June 30, 2016, at 0829, with the DBNPS operating in Mode 1 at approximately 100 percent power, BWST SFAS Channel 1 Level Transmitter LT1525A was taken out of service for maintenance to replace the enclosure box and for calibration activities. SFAS Channel 1 was declared inoperable and TS LCO 3.3.5, Condition A was entered and the associated bistable for BWST Level was tripped. At 2342 hours with LT1525A still out of service, a failure of SFAS Channel 2 +15 Volt Power Supply occurred, rendering the SFAS Channel 2 inoperable, including SFAS Channel 2 BWST level instrument LT1525B. BWST Level Transmitters for SFAS Channel 3 (LT1525C) and SFAS Channel 4 (LT1525D) remained operable. A separate entry into TS LCO 3.3.5 Condition A was made at 2342 hours, but no entry into TS LCO 3.3.5 Condition B was made. At approximately 0140 hours on July 1, 2016, the Operations Crew became aware that TS LCO 3.3.5 Condition B should have been entered and various members of the Duty Team organization were contacted to discuss applicability of TS LCO 3.3.5 Conditions A and B.
On July 1, 2016, at 0245 hours following a plant Duty Team discussion where the condition was re-assessed, the proper additional TS LCO 3.3.5, Condition B was entered as required for two channels of BWST level functions inoperable, which requires a plant shutdown to Mode 3 in 6 hours. Following further discussions between Operations and select Duty Team personnel, it was believed that SFAS Channel 1 could be considered operable with compensatory actions due to the BWST Level - Low Low level being a transfer permissive that allows transfer to the Emergency Sump with less than nine feet of level in the BWST. The compensatory actions were specific to SFAS Channel 1. Therefore, Operations exited TS LCO 3.3.5 Condition B at 0330 hours.
After further review, it was determined the compensatory actions associated with BWST Level - Low Low level transmitter could not be credited and the previous operability determination for SFAS Channel 1 was invalid. Operations re-entered TS LCO 3.3.5, Conditions A and B at 1325 hours.
Upon completion of maintenance and successful testing, SFAS Channel 1 BWST Level Transmitter (LT1525A) was declared operable at 1351 hours and TS LCO 3.3.5 Condition B was exited. Upon replacement and testing of the +15 Volt power supply, SFAS Channel 2 was declared operable and TS LCO 3.3.5 Condition A was exited at 1800 hours on July 1, 2016.
CAUSE OF EVENT
The direct cause for the failure to properly apply TS 3.3.5 was determined to be that the Shift Manager failed to initially recognize that entry conditions for TS LCO 3.3.5 Condition B had been met following a loss of power to SFAS Channel 2. The TS was not reviewed in its entirety and provided peer checks were not performed independently.
A contributing cause of the improper application of TS 3.3.5 was determined to be that station personnel failed to use or rigorously implement required processes and procedures involving the conduct of operations, event reporting, operability determination, and regulatory communications and interface.
The root cause for the failure to properly apply TS 3.3.5 was determined to be that station management failed to recognize in a timely manner that a normalized deviation in organizational behaviors has occurred surrounding the accountability for critical performance standards and expectations. Additionally, organizational biases such as maintaining an unrealistic optimism towards an outcome, technical arrogance, overconfidence in knowledge and expertise, and the failure to seek or respond effectively to challenges, have resulted in the tendency to rationalize behaviors.
ANALYSIS OF EVENT
The BWST Level Transmitters monitor the BWST Level and initiate an SFAS Level 5 signal on BWST Level - Low Low. This output signal provides a passive permissive interlock to allow operators the ability to shift ECCS suction from the BWST to the Emergency Sump by allowing operators to open the Decay Heat Pump Suction From Emergency Sump Valves and close the associated BWST Isolation Valves. The transfer of suction source from the BWST to the Emergency Sump is a manual transfer. The Probabilistic Risk Analysis (PRA) models failure of the SFAS Level 5 permissive signal, as well as failure of the valves to be repositioned (or failure of the human action to manually transfer the suction), which could result in the inability of the plant to shift ECCS suction from the BWST to the Emergency Sump.
The four-channel SFAS system is a two-out-of-four circuit, such that any two level instruments which sense a BWST Level — Low Low will actuate the permissive interlock for both trains. With both LT1525A and LT1525B out of service, the SFAS BWST Level — Low Low passive permissive transfer was active (i.e., the valves could be repositioned to shift from the BWST to the Emergency Sump) as indicated by Annunciator 5-3-A, BWST LO-LO LVL XFER TO EMER SUMP. Since the permissive interlock was met, a failure of this SFAS Level 5 permissive signal is not possible.
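The de-energize-to-trip coincidence logic from the System Description, applied to the channel states in this event, can be modelled as follows. This is an added example, not part of the LER or any plant software; the class and function names are hypothetical, and loss of channel power is modelled only as a trip of that channel's bistable, as the report describes.

```python
from dataclasses import dataclass

# Actuation channel -> sensing/logic channels whose terminating relays
# must both be de-energized to activate it (from the System Description).
ACTUATION_PAIRS = {1: (1, 3), 2: (2, 4)}
COINCIDENCE = 2  # two-out-of-four


@dataclass
class Channel:
    powered: bool = True            # channel power supply healthy
    bistable_tripped: bool = False  # setpoint exceeded, or placed in trip

    def output_energized(self) -> bool:
        # De-energize to trip: the bistable sends its signal only while
        # the channel is powered and not tripped.
        return self.powered and not self.bistable_tripped


def tripped_inputs(channels):
    """Channel numbers whose bistable has ceased sending its output signal."""
    return sorted(n for n, ch in channels.items() if not ch.output_energized())


def further_trips_needed(channels):
    """How many more channels must trip before coincidence is reached."""
    return max(0, COINCIDENCE - len(tripped_inputs(channels)))


def relays_deenergized(channels):
    """Terminating relays on all channels trip once coincidence is met."""
    met = further_trips_needed(channels) == 0
    return {n: met for n in channels}


def actuation_active(channels):
    """An actuation channel is active when both paired relays are de-energized."""
    relays = relays_deenergized(channels)
    return {a: all(relays[n] for n in pair)
            for a, pair in ACTUATION_PAIRS.items()}


def scenario(ch1_in_trip=False, ch2_power_lost=False):
    """Constructed channel states for the BWST Level - Low Low parameter."""
    channels = {n: Channel() for n in (1, 2, 3, 4)}
    channels[1].bistable_tripped = ch1_in_trip
    channels[2].powered = not ch2_power_lost
    return channels


if __name__ == "__main__":
    cases = {
        "all channels normal": scenario(),
        "LT1525A out of service, bistable tripped": scenario(ch1_in_trip=True),
        "plus Channel 2 +15 V supply failed": scenario(True, True),
    }
    for label, chans in cases.items():
        print(f"{label}: tripped={tripped_inputs(chans)}, "
              f"further trips needed={further_trips_needed(chans)}, "
              f"actuation={actuation_active(chans)}")
```

With Channel 1 placed in trip the model needs one more trip among the remaining three channels; adding the Channel 2 power loss satisfies coincidence with the tank still full, which is why the transfer permissive was active.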
Having the transfer permissive interlock active while the BWST was still full could permit operators to inadvertently transfer suction from the BWST to the Emergency Sump (violating procedure guidance) before there was adequate volume in the Emergency Sump. Additionally, having the transfer permissive annunciator 5-3-A lit significantly prior to reaching the BWST Level procedurally directing the transfer to the Emergency Sump could potentially increase the probability that the Operators would not take the action to transfer suction when the appropriate level was reached. However, by procedure and by training, Operators would monitor, log, and trend BWST level, so they would be aware when the proper time to transfer occurred, and there would be minimal increase in the failure to perform the required action.
Based on the above, the condition of having two BWST Level Transmitters out of service does not result in an increase in CDF, as calculated by the PRA model, and this condition would be considered to have a very low safety significance.
Reportability Discussion:
On June 30, 2016, at 2342 hours, with the failure of SFAS Channel 2 Power supply, and SFAS Channel 1 BWST Level Transmitter previously declared inoperable for maintenance, TS 3.3.5, Condition B should have been entered due to the BWST parameter being inoperable for two channels of SFAS, requiring a 6-hour shutdown of the unit. However, as described above, while Condition B was entered on July 1, 2016 at 0245 hours, it was inappropriately exited at 0330 hours, and no shutdown initiated. Because the unit continued to operate after July 1, 2016, at 0542 hours with two channels of SFAS inoperable, this represents continued operation or condition prohibited by the plant's Technical Specifications, which is reportable per 10 CFR 50.73(a)(2)(i)(B). On July 10, 2016, a retrospective notification was made to the NRC (Event Number 52079) for initiation of a plant shutdown as required by the TS that should have been made in accordance with 10 CFR 50.72(b)(2)(i). All safety systems performed as required in response to the event, and no loss of safety function occurred.
CORRECTIVE ACTIONS:
Immediate and Completed Actions:
Upon completion of maintenance and successful testing, SFAS Channel 1 BWST Level Transmitter (LT1525A) was declared operable at 1351 hours on July 1, 2016. Upon replacement and testing of the +15 Volt power supply, SFAS Channel 2 was declared operable at 1800 hours on July 1, 2016.
The individual human performance issues by station personnel determined to have been in responsible decision making roles during the events were addressed in accordance with the company performance management process.
Station Leadership sought support of independent observers from the First Energy Nuclear Operating Company (FENOC) fleet to monitor activities in the control room during plant start-up from the most recent forced outage. An intended focus was to observe TS implementation.
Site Leadership conducted an All-Hands session with station personnel emphasizing the series of significant events in 2016 which resulted from gaps in performance standards. The Site Vice-President communicated that culpability for the deficiencies was shared among all station organizations. As such, it was emphasized that all personnel must internalize the need to modify behaviors to achieve event free operation.
Site Leadership issued a site-wide communication reaffirming the strict commitment to literal compliance with DBNPS TSs. The communication identifies Senior Reactor Operators (SROs) as having primary responsibility for TS compliance. Expected behaviors for the review and independent peer check of license conditions were also emphasized. The communication also establishes the role of other Station and Fleet personnel who may provide support to the SROs in assessing plant conditions, as having a shared responsibility for understanding TS and assuring literal compliance.
As an immediate action, a Standing Order was issued on July 6, 2016, to reinforce the expectations for review of TS and Operability Determinations, and Duty Team and Licensed Operator standards and expectations. Subsequently, Fleet Operations Procedure, "Conduct of Operations", and Operations Business Practice, "Conduct of Operations Handbook", were revised to improve Operator understanding and implementation of the TS. Specifically, the entire TS LCO and TS Bases shall be thoroughly reviewed by both the reviewer and peer checker. An independent check shall be performed by a Licensed Operator. Both of these documents include direction for conducting briefs for equipment challenges to safety, risk, or reliability where no transient has occurred.
The standing order guidance has also been institutionalized in Fleet Operations Business Practice, "Operations Briefings and Challenge Calls". This business practice was revised to include a review of each Condition in its entirety for current license requirements. The review focuses on the potential for entry/escalation into additional Conditions due to subsequent determination on an inoperable System, Structure, or Component (SSC).
Additionally, Fleet Operations Business Practice, "First Energy Nuclear Operating Company (FENOC), Duty Teams", has been revised to include the following:
- Expectations for Shift Manager communications to the Duty Team regarding unplanned Technical Specification entries and/or emergent issues
- Expectations for Duty Team members regarding decision-making, and that any subsequent changes to a decision or course of action require consultation of the full Duty Team and other affected stakeholders
- An expectation to consider staffing the Outage Control Center in the event an unplanned TS LCO less than 72 hours is entered
- Include the use of the R.E.A.D.E (Recognize, Express, Appraise, Decide, Evaluate) Tool when addressing emergent equipment issues
Refresher training on TS has been provided to a targeted audience of key station stakeholders including select SROs (a Shift Manager, a Shift Engineer, a Unit Supervisor, and a Licensed Operator Training instructor at a minimum), a Duty Team Leader, a Duty Operations Manager, and a Duty Regulatory Compliance Manager.
A case study was developed to include the applicable lessons learned regarding literal compliance with TS, TS vulnerability awareness, applicability of the Operability Determination process, applicability of Surveillance Requirement (SR) 3.0.1, and inappropriate bias and group think tools.
The Operations Manager shall develop and communicate a new expectation for Duty Directors, Duty Team Leads, Duty Operations, and Duty Regulatory Compliance Managers to conduct weekly observations of licensed operators implementing and applying TS.
The Davis-Besse Leadership Performance Improvement Commitment Plan, which recognizes leadership's contribution to the decline in performance involving the erosion of standards and expectations, has been implemented to provide for achieving Leadership and Team Effectiveness.
Scheduled Actions:
Based on the initial refresher training on TS provided to a targeted audience of key stakeholders, the training will be further customized and be presented to all Licensed Operators along with applicable Duty Team members. The curricula shall include, at a minimum, complex TS case studies, Operability Determination and Functionality Assessment including case studies and application of station procedures, case studies involving the use of compensatory measures, insights to regulatory positions, and Notices of Enforcement Discretion (NOED).
The case study that was developed to include the applicable lessons learned regarding literal compliance with TS, TS vulnerability awareness, applicability of the Operability Determination process, applicability of Surveillance Requirement (SR) 3.0.1, and inappropriate bias and group think tools will be presented to the Supervisor Curriculum Review Committee for incorporation into the Supervisor Continuing Training Program for 2017. Training shall include all licensed reactor operators.
PREVIOUS SIMILAR EVENTS
DBNPS LER 2015-001 documents that the seismic BWST had been aligned in the past to the non-seismic Spent Fuel Pool system for purification. This rendered the BWST inoperable for periods of time longer than allowed per Technical Specification 3.5.4 while the plant was operating in Modes 1 through 4. However, this previous condition was not associated with the SFAS transfer permissive on BWST Level - Low Low, and the corrective actions taken for the previous event are not applicable to the current event.