ML20147A797
| ML20147A797 | |
| Person / Time | |
|---|---|
| Site: | Peach Bottom  |
| Issue date: | 02/23/1988 |
| From: | Gallagher J PECO ENERGY CO., (FORMERLY PHILADELPHIA ELECTRIC |
| To: | |
| Shared Package | |
| ML20147A788 | List: |
| References | |
| NUDOCS 8803010355 | |
| Download: ML20147A797 (61) | |
Text
- . . .. . ._. .. _ - - . _ _ _
Y @
, 'pg SERVICE -
cas l
l
.: e * .
l" m
- k.
^
? . ,
lM 4
s I
f i
^
N g
$[ifl 6:g5 := -
g
==
ili1
=
e 1
=
mww:% w -~. = & .__~_--; -i- 3 ;-
_e - - - - wm _ - -
PEACH BOTTOM ATOMIC POWER STATION l
l 8803010355 880226 PDR ADOCK 05000277 0 DCD l
ROOT CAUSE INVESTIGATION OF SHUTOOWN COOLING ISOLATIONS PEACH BOTTOM ATOMIC POWER STATION Prepared by: Evaluation Team P.L. Bushek, Supervisor, PBAPS ISEG, Chairman Dorian Conger, Director, EG&G K. R. Young, Engineer, LGS ISEG S. M. Herr, Engineer, PBAPS ISEG A. Hasija, Engineer, PSE&G M. Alderfer, Shift Technical Adviser, PBAPS Date: 2/23/88
Report Contents Page Executive Summary 2 A brief discussion of the major root causes of the shutdown cooling isolations.
4 Introduction A brief discussion of the major sections of the report.
8 Section I - Methods Describes the investigation team, the information gathering process and the analytical methods used.
16
'r_ction II - Results Report s the conclusions drawn f rom the analysis of each event. Methods used are listed. MORT cross references are shown.
Section III - Causal factors 57 Reports 8 significant causal factors identified by comparing the individual l 1
event conclusions. l l
l l
l I
I l
Executive Summary This report documents the root cause investigation of thirteen (13) shutdown cooling isolations at Peach Bottom Atomic Power Station that occurred during the period July 1987 tnrough December 1987. The events were each analyzed using current state-of-the-art metnods for determination of root cause.
The investigation identified 8 significant causal factors which were associated with I cr r. ore of the Shutdoan Cooling isolations. The first causal factor was a design feature functioning appropriately as designed. Additionally, various isolations ere caused by 5 common factors and 2 root causes identified by analyzing eacn isolation event.
Tne first causal factor, Tne cesign feature, nnile functioning as intended to place the Fesidual heat Removal (RHR) system in a safe mode by isolating shutdoan cooling, was associated with 10 of the 13 isolations. This design of the RHR system and its logic and of the Primary Containment Isolation System (PCIS) are such that a single loss of either control or bulk power (off site or on site) can result in a Shutdonn Cooling isolation. This feature is not unique to Peach Bottom but is a typical BWR design.
1 The remaining 7 significant causal factors are 5 specific, systematic prcblems which were associated with at least 6 of the events, identified in this report as common factors (items 1 through 5 belci , and two significant root causes associated with 1 or 2 events (items 6 anc 'below). They are:
- 1. Job site work controls, procedures and supervision, were not sufficient to prevent actions leading to shutdown cooling isolations.
I
- 2. Procedures for 'short term' work (e.g. trouble shooting) lacked sufficient guidance to prevent the inadvertent Shutdown Cooling isolations. !
- 3. The scope of job planning and review for work performed on site often did not identify potential problems which might be encountered in the course of the work.
- 4. Tnere was a lack of specific criteria to be used during the independent review of "temporary" changes.
- i . Tnere is a lack of numan factors reviews being a part of the job planning or design process.
- 6. There was a lack of nands on training on equipment for personnel who will be responsible for troubleshooting equipment.
- 7. Clearly defined lines of authority / responsibility eitner did not exist or were not known, which would enable personnel responsible for the performance of a task to know the proper interface relationships that must be established in order to safely accomplish the task.
Introduction The goal of this report is to provide a concise description of the methods usea in performing and the results of the root cause(s) analysis done for a serits of shutdown cooling isolations. The thirteen isolations investigated toot place betoeen July and Decemoer of 1957. A five-person team, under the direction of the Peach Bottom Atomic Poner Station Independent Safety Engineering Group, was assembled to conduct the investigation. All members have completed root cause(s) analysis training. A six-step process was folloned:
- 1. Perform initial analysis.
- 2. Identify information gaps.
- 3. Gather additional information.
- 4. Complete the analysis.
- 5. Identify common factors.
- 6. Complete the report.
The report consists of three sections - Methods, Results, and Common Factors.
Each of these sections is outlined below.
Section 1 of the report describes the composition of the team, the methods of information gathering and each of the analytical techniques used by the team. In setting up the investigation team, there were three CD]ectives.
First, the team members had to be familiar with the analytical prc: esses required. Seccnd, the team, overall, had to reflect independence and objectivity. Third, the team needed to have a wide variety of background experiences and eaucation. Each of these goals was met.
- . . - .. .-. =. . . -- . - -
1 I
l Information was gathered through three methods - direct observation, i interviewing,-and document review. Where possible, work sit'es were visited.-
i Interviews were conducted with people. ranging from managers to the workers involved. Supporting do'cuments such as logs,. procedures, policies, and work orders were reviewed.- This.information was analyzed using various formal techniques. ,
The analytical techniques used to guide and support'the work are j considered the state-of-the-art. These techniques are used by the National Aeronautics and Space Administration (NASA), the Unitec States Navy, the Department of Energy (DOE), the Federal Aviation Administration (FAA), the National Transportation Safety Board (NTSE), tne Institute of Nuclear Power Operations (INPO) and the U.S. Nuclear Regulatory Commission Incident Investigation Teams (NRC-IIT). Adcitionally, the methods are being applied.in such commercial industries as oil, chemical, aerospace, and nuclear power. The
- use of tnese methods assured consistent and comprehensive investigations. Using consistent and documented methods also facilitated the comparison of the ,
- individual investigation results.
Section Il contains a summary description, a diagram and list of conclusions (i.e. individual root causes) for each event. The 1 page Events and Causal Factors Diagram is provided to give a "picture" cf each incident and a ;
i sequence of major events. The conclusions are taken directly from the results of tne analysis. Furthermore, the conclusions are cross referenced with the 1
l analytical techniques utilized in reaching each conclusion. For example:
'l l
1
- 1. The test procedure in use was unclear and did not fit the situation, j * (MORT - 46, c32; 47, d11, 47, d12;47, d13; and 47, d15). ;
I i
1 l
- 2. The design of the circuit logic is inadequate. ** (E(H)-B-T - loss t
of power / shutdown cooling pair).
All conclusions presented in the report are documented.
Section !!I presents 8 significant causal factors associated with one or more Snutdoar. Cooling isolations.
First, Section 111 describes the first causal factor, a typical BWR design feature nnich nas associated with 10 of the 13 Shutdown Cooling isolations, i.e. tnat tne Shutocan Coci1ng moae of R6 isolates on the loss of a single poner supply.
Section III also describes roct causes wnicr. oere common to at least 6 of the events investigated, i.e. common factors. Inese common factors were identified by comparing the conclusions fror the individua events shoan in Section II. All of the common factors presented in Section III -ere taken from the conclutions section of the presentations of the individual events. Finally, Section Ill aescribes two additional significant root causes of one or two s shutdown cooling isolations.
Correcting these 8 significant causal factors and all other root causes unique tc a specific event is the key to preventing events which stem from common root causes.
l
- Tne MORT references in:,1uce the Users Manual page number and the iten, number which supports the conclusion. (MORT chart -
July 1987 version, Users Manual - January 1987 version developed by EGtG Services).
i
(
(
- Energy (Hazard) - Barrier - Target Analysis is described in Section I of the report. References will indicate the applicable part of the analysis, i
1 l
I l
Section 1 - Methods This section contains a discussion of the methods used during this investigation to determine root causes, it includes an explanation of the team composition and information gathering proc.ess. Also included is a brief descriptior: of eacn of the analytical techniques used. This section is not intended to present any of the conclusions arawn relative to the causes found.
This secticn M intended only to describe the methods used.
Tne Team In assembling tne team, there -ere three primary objectives. First, it nas recognized Inat tne aoility to use systematic, comprehensive analytical techniques *as a ne:essity. As a result, eacn of tne six investigation team members completec eitner tne M';RT Seminar, tne Accicent/ Incident Investigation Workshop or both. Additionally, some team members had also completed Human Performance Evaluation System training and Kepner-Tregoe Decision / Problem Analysis training.
The second goal for assembling the team was independence. Because of the nature of this investigation, the level of independence and objectivity achieved on the team would be reflected in a non-biased review of the events.
To that end, tnree of the six team members nere not from the Peach Bottom site.
One was a member of the Limerick Independent Safety Engineering Group (ISEG);
anotner was a Nuclear Safety Review group engineer from Puolic Service Electric and Gas; and tne third outside member was the Director of the Atlanta Office of EGLG Interlech who teaches and consults on MORT technology. The fourth team member was a Peach Bottom ISEG engineer. The fifth team member was a Peach l
Bottom STA. The team was led by the head of the Peach Bottom ISEG. This mix was aimed directly at assuring independence.
1
! finally, the breadth of the analysis required a broad set of l
experiences and backgrounds. individuals on tne team held Bachelor's cegrees in areas such as physics, engineering, and communication. Masters degrees in Nuclear Engineering and Organizational Communication were also held by team members. Une of the team memoers was a certified Management Oversight and Risk Tree instructor. The team leader was a senior licensed operator. This team jielcec a diverse and highly qualified mixture of abilities.
The five primary team members were supplemented as needed by technical experts, including shift technical advisors, operators, etc. This team composition met the original objectives of analytical ability, inaependente, and broad experience.
Information Gathering Three mathods of information gathering were used direct observations, interviews, and document reviews. Systems were walked down and work sites were visited to check for human factors considerations such as accessibility, iignting, labeling, etc.
Interviews were conducted to gather additional information. Because of the need for investigating in depth and breadth, intervien's were conducted with people at all levels of the organization. Managers, planners, engineers, opt-ators, and maintenance worke s were s;2e cf the positions which were considered for interviews.
_g.
Necessary documents were obtained and reviewed. Documents reviewed included procedures, logs, maintenance records, LERs, preliminary upset reports, temporary procedure changes, management policies and directives. These documents were checked against criteria found in the appropriate analytical techniques.
Analytical Techniques During the course of the investigation, six analytical techniques were applied to Ine events. The techniques ere:
- 1. Change Analysis (CA);
- 2. Energy (Hazard) - Barrier - Target Analysis (E(H)-B-T)
- 3. Fault Tree Analysis (qualitative);
- 4. Human Performance Questionnaire (HPQ);
- 5. Events and Causal Factors Analysis (ECF); and
- 6. Management Oversight and Risk Tree Analysis (MORT).
Each technique was applied to the events which could best benefit from a particular form of analysis. All techniques were not used on every event.
Change Analysis is a systematic approach to identifying, analyzing and evaluating the intended and un'ntended effects of changes. A problem - free situation serves as a baseline com;arison for a problem (usually indicated by an accident or incident) situation. Cnange Analysis is similar to Kepner-Tregoe decision and problem analyses, but charge analysis is more condensed and takes less time to apply.
Energy (Hazard) - Barrier - Target - Analysis is based on the idea that energ) is botn necessary to do work and hazardous. In any work situation a number of hazards can do damage to targets of value. A system which is properly designed will have planned barriers to prevent the hazard from reaching the target. A system creaks doan onen tne barriers are insufficient to prevent targets from being damagec by tne hazards.
Qualitative fault Tree Analysis begins with an output (top event on the fault trr.e) and identifies the ways that output can occur. The fault tree uses "and" and "cr" logic tc organize necessary anc sufficient requirements for system failures to occur.
The Human Performance Questionnaire (HPQ), cevelooed by the institute of Nuclear Fo-er Operations, nelps discover tne uncerlying causes of human errors.
Events and Causal Factors Analysis begins witr tne construction of a sequence of events. It adds context to the events and helps explain why the events happened with the addition of secondary events, conditions attendant to those events and background systematic factors which influence the events.
I figure I shows the symbols used in preparing the summary events and casual I l
factors chart. l figure i Symbol Name Definition Events Ac t ions or happenings that occur during some activity. Primary events are actions directl3 leading up to and following the event being analyzed. Secondary events are actions that impact the primary events but are not directly involved in the situation.
/ \,
Causal Factors Conditions that influence the
\ / course of events.
' Presumptive Events Actions or conditions that I
t i [ 1 I
\-' and Causal Factors are assumed because they appear logical in the sequence.
i Heavy Arroas Connect primary events I Light Arroas Connect secondary events
b Dotted Arrows Connect conditions to other conditions and/or events.
Ine Management Oversight and f<isk Tree Analysis (MORT) is the most comprehensive tecnnique. MORT, organized as a generic, qualitative fault tree, examines tr,e entire operating system for weaknesses contributing to losses and insufficiencies (including accidents and incidents). MORT is based on the "ideal" system where the elements of people, procedures and plant and hardware nave proper "fit". Specific factors related to Dreakdowns as well as management system factors are examined to determine what and w 2 ,_
l l
I I
Section 11 - Conclusions Tnis section contains a brief description for each of the 13 shutdonn cooling isolation events investigated. Each write-up m nsists of a one paragrapn esent synopsis, a listing of the analytical tecnniques usec, a summary Ever.ts ar.: "a sal Factors Diagram, and a listing cf the con;1usions (root causes) cetised from and cross referenced eith the analytical technique used.
In tr.is section, the events are treated independently. Tne events analy:ec nere:
Unit P - Event Title LER 2-87-11 Loss of Po.er to System 11 B RHR System Logic B and PCIS Group 11 E LER 2-87-12 Primary Containment 1 solation System Actuation Due to Ligt.tning Strike LER 2-87-13 Shutcoon Cooling Isolation Caused by Mod Work in Panel LER 2-87-14 PCIS Group 11 Outboard Isolation From E-22 Bus Fast Transfer on E322 Breaker Trip LER 2-87-15 Primary Containment Isolation Due to Partial Loss of Offsite Poaer LER 2-87-16 Containment isolation on Loss of A Startup Source Due to Crane Operation LER 2-87-M Shutdown Cooling Isolation Due to Reapplication of A Block ;
LER 2-87-19 Shutdoan Cocling Isolation Due To Loose Connection in RHR Logic Panel LER 2-67-21 Frimary Containment isolation LER 2-87-26 Unit 2 Reactor S: ram and Group 11/111 Isolation Associated With Celibration Testing of PS-2-2-3-1028 LER 2-87-30 Shutdon'n Cooling isolation Due to Crane Contacting Line Offsite l
Unit 3 -
LER 3-87-08 Containment Isolation Due to load Center Breaker Trip LER 3-87-09 Unexpected M0-3-10-258 Isolation During TPC Performance of ST 1.3.3 l
f l
I l
Event
Title:
Loss of Power to System 11 B RHR System Logic B and PCIS Group 11 B.
Event tiumbcr: LER 2-87-11 Event Date: July 10, 1957 l
l Synopsis: On July 10, 1987 at 0905 hours0.0105 days <br />0.251 hours <br />0.0015 weeks <br />3.443525e-4 months <br />, the Unit 2 Shutdown Cooling system i
isolated. Tne isolation resulted from a loss of power to the System 11 B Residual Heat Removal System Logic Bus when fuse 10A-F2B blew.
The loss of poaer de-energized relay 10A-Kil4E, nich provided a high reactor pressure signal to tne Primary Centainment Isolation System Logic. As a result of this nign reactor pressure signal, Shutocan Cooling isolated. At the time cf tne isolation, plant personnel were working on new equipment inat nad been installed as part of MDD-1457.
Altnough this new equipment interfaces oitn tne RHR logic, post event testing and investigation coald ::stermine no f ault or situation tnat could cause the fuse to blow.
Analytical Tecnniques Used:
Energy (Hazard) - Barrier - Target (E(H)-8-T) i Event and Causal Factors (ECF)
Change Analysis (CA) 1 l
l
4 =4. 4 a. _ A- eA- . . - - p_ _ . a - - a. 4 e . -- -- 4 e-~ - . -4 ._#.._ mm.a - - - -- - - - ---
i i
K b
( s??
oOe
- eg
.E ow .e.
M k ,
6 i
e Me2m 0 i
c=E e m w w IS ewMg6 I
=weX .
f d 6 j L
t l
E !
.~
g5
., w e +
I g E I et a w ,
i h
h 4? I
/*- li !
f i f w= i 'i ..e ~
/*ig is $,i j wh> ,i -------> . ji 8, 1 4------- j*Egi
- w w i I r -
g
- . Io a y
' g"_ O
_ ,/
' s _*p_
c -,/
& 4
) -
m 4 55; q g35 2 r z.goEa ,
se we .s i, g_ ni i
- k k"-----** "% I l
--6 e-so a.w*g" g
is r -a 4i
- I l
\
% S /
em W
5~
ze 4 sH we ed
+
d 4
1 17-l 1 .
1
- m. , . , . _ , , , . _ _ , , ,=.. _ _ _ , . . _ - . , _ . . . . , , _ - , _ _ _ _
. . ,.m .. -- _ . - ~ _ . - .
l 1
Conclusicit (includi,1 supporting references):
- 1. By design, the loss of a single poner supply to the RHR logic will result in an isolation of shutdowr. cooling. (E (H) - B-T Loss of poaer/ Logic pair)
- 2. Pcst event testing did not sho that modification work could result i in a blown fuse. Tne fuse appears to have blown due to end of life rather than due to an overcurrent. (CA)
.I
Euent
Title:
Primary Containment Isolation System Actuation Due to Lightning Strike Event Number: LER 2-87-12 Event Date: 7/11/87 l
l Synopsis: On July i 1987 at 3:28 pm, the #3 SU Feed Breaker #3435 tripped on protective r elay operation. An apparent lightning strike on the 220 KV line cut o' thc horth Substation caused the breaker trip. This resulted in a fast transfer of Emergency Buses E13, E22, E33, and E42. A momentary 'oss of poner during tne fast transfer de-energized tne Primary containment 15?tation System relays. Shutdoo n cooling isolated on both Unit #2 and Unit #3.
Analytical Techniques Used:
Er. yy (Ha'ard)-Barrier-Target Analysis (E(H)B-T)
. Eve,? and Ccv;il Factors Analysis (ECF)
Maragement Over :ight and Risk Tree Analysis (MORT) l l
i
or m ~l
-zo.
d*og W E, Z--
I 000 sm.
l m-I sw l
t l
\
I u v I - wWW rur . w~-~
D e,- s-e-wood m
,p. +g.
,,..e ._-- ---y E m. a -
meer
%.s w - >w,-. "W F .C uo - .,. a -
gg s u l
l w
c
,Esu g~t
-ro-CCWww rG E.-:.4 E
s w v
3 e .--~
. . .k. .
=es
- e. --
- x. r; <
a s k l- - . w - , 7q o
l0 i 5*=E l f i
rz zN vr i i
t$5 i l
t {bgsi ie_xzel 4------- lEEg - i l
l -e s ~
" 1 l (e "*s5
'E ./ I I
l t--- J i
I Ne E
f [
e~
t4 se k ". W old E? Ed5
.n n cu< v d
Conclusions (including supportir.g references):
- 1. Ey cesign, the loss of a single off-site poner supply will result in 1
an isolation of snutdonn cooling due to a loss of power to PCIS Logic. (M3RT-19, b? and E(H)-B-T-Loss of poner/ logic pair).
l 2. Ine transmission and distribution protective relay logic is designed l
to protect the electric distribution system reliability, and not to l
ensure a source of off-site poner to the plant. (MORT - 19, c1 and E(H)-E-I-Ligntning/ Distribution Fair) l
Event
Title:
Snutdo n Cooling Isolation Caused by kod Work in Panel Fvent Number: LER 2-87-13 Event Date: 8/20/87 Synopsis: On August 20, 19E7, ILC technicians went to replace HFA relays for M;D 095DA in the 20:32 panel ir :ne Cable Spreading r :m. Tne 10a-K132A relay hich as tc te replaceJ is located inside the panel nea-some flexible conduit. Tne tecnnicians rep;sitioned the conduit to fa:ilitate rem: sal uf tne 10A-K132A relay. Tne relay was replaced, ana ne technician: closec up :ne panel ai:ncut restoring the flex conaui :: its original positicn. At 10:15 am, the flex conduit a; pears te nave sniftec and ccndait contacted tne neutral side of :ne 100-K132A relay coil. This groanced relay caused fuse 10A-F2A in tne RHR logic :: D 10.~ . Relay 10A-K114a ceenergi ed anen the fuse bien and snutccon cooling isolated.
's. .. .~,.
Analytical Tecnniques Used:
Event & C,ustl Factors (ECF)
Management Oversign; and Risk iree Analysis (MORT)
- t
\
N - . - _ - _ _
, c.
1 l
a wg l e=
- ~
l l
l W5 8., -r o
4 %
WNY p[8s s -
1i q.. o. _v_,.
.;gggg._______r ;ggp._______r ;;g3; q..
l t
t I
r m., . <_
., _ r _8 .82
,s r::;6-
- g g w.s i
g.o. ._--_--_F s.,.
== g
..ga.ow w o. .s t a .s
- .t -2 o 8,2
\ / /
, s _
l I
t i
1 I
w W
i ._-,.
W
. e.
' SE~rE EbE I
.n_s,.
p 57
._______r g.2 z .:
h, ose/
- 1 I
I i
l
- #3 \ hpO. W
[ tt E * *l ll;;ig *o~s ti 'er > = ui ... Ew g .
i s h r', -------F
? ". Y_
F s ei s-g. i ilE_.E E , *i E tr E"eg
".*" ' UK p K uf .
__o
Cc :lusions, (including supporting references):
- 1. The flex conduit was n0t rigidly attached within the 20C32 panel.
Its normal position did not alloa easy access to relays in the cabinet and aas less tnan 2' anay from the exposed neutral side of the relay. (HORT-19,c1)
- 2. The RHR logic aesign initiates a snutdoon cooling isolation when only half the logic is deenergized. (MORT 19 ,cl)
- 3. ine Lab pro;ecure covering ine relay replacement work nas riot job specific. It cic n:t contain any cautions concerning flex conduit.
(MORT - 44, c23; 47, d12; 47, d13; 47, d14; 42, b3; 45, c2E; and 45, c5) j
- 4. Tne procedu e dic not dire:: personnel :: return con:;it to normai position if moved. (MDET - 48, c35; 4c, d9) l
- 5. Pre-job planning is not required to be performed to look at the potential problems that could exist during the performance of work.
(Including the condition of the job site when work is not in progress). (MORT - 30, 09) l
1 l
l -
Event
Title:
PCIS Group 11 Outboard Isolation From E-22 Bus Fast Transfer on E322 Breaker Trip Event Number: LER 2-87-14 . ,
Event Date: 7/26/87 Synopsis: C;ntractor constru:: ion perscnnel aere inspe::ing overhead conduit for the E22 bus. There was a ladaer and a 4KV ground truck in the vicinity of tne E322 creaker, wnicn is an end breaker on :ne E22 bus.
Tne contractors nearc a treaker tri; c.: s:ctec :ney did not bump :ne E322 creaker. Tne E322 Dreater trippe:, tu: no relay targe:s at: a:ec. Pas: experien:es have sh:an 4KV creakers will trip wnen
- te cc:r is tum;ed, aitnc.: relay targets a:tuating.
Tre E322 creaker trip initia e: a E-22 c.s fas: transfer to :ne E224 oreater su; ply fee:. Tne resultant 43 vol 3 second lo:kout temporarily ceenergizes tne E-224-T-E ous an1ch feeds the 20Y34 120 V distribution panel. The PCIS Group II outboard isolation logic, fed by the 20Y34 panel, deenergized resulting in an isolation.
Analytical Techniques Used: .
Energy (Hazard) - Earrier - Target Analysis (E(H)-B-T) '
'3gg-Manageren: Oversight and Risk Tree Analysis (M RT) i Events and Causal Factors Analysis (ECF)
r I d ra QL:
- d50 10v*
e s k l
C "I m e $
- 3 e5' -
z.
6 4------- e J. =*e 2 3 .Z w
.fa p V ed e
l
\
s k l
l l
O > a y * . %~
LG vnw c zw
- o ww
""=N=
an. :: ." 6 o e
e VO - Uwm
=
- .c-asp* *** WEg ace" a 2, v.w.8C
=r" c
a *5 wm sw -
R;EV 3 :
s k
%-. -g 1 s: I t - h #
- l nem I rU. -e .z c . .a i3 I t_
.m = cwe i
- 'S"t*I I
5t "ka j WggMG l M.hagg .o 4- -
-->w l
< i wr e c o-mi I *#-
w.s.2 :
,I wsc l ha i I
L A
5- - ) l----l a i l 1 I I I I i 1 i i I i 1
/*
Ec50
[ EFb
~c .eGE "oaansw usu v
=.a.
E N t' / .
\ 2 j
1 0
- I
- 1 I I I i i l i 1
> u,W\ !w t, m s
- - eve l w E
. ~T 3"E. Y c5vg* =
'T
.~ t'.c.e a
a v. .E z.E .,s#"
== "*
h co s
s h-"/ N -r
Conclusions (including supporting references):
- 1. Inere is no written or distributed policy regarding the cor. trol of contractor work around safety related equipment (MDRT - 39, MA1)
- 2. Contractor control is not imoiementee tnro.gn a formal process.
l 1
(Ms FT - 39, MA2; 40, a 2-5; 40, aS; 41, a 9-10)
- 3. No analysis was done to cetermine tne potential for inacvertently actuating 4KV breakers due to vibration and shocks. (MORT - 41, MB3; 41, a;; 42, t2, 44, Di; 29, t3;
- 4. ine use of work ecuipment such as lacaers is not adequatelf contr:lltd. (f'.f - Ladder near creaker, MORT - 29, b3; 35, e24, an i E(n)-E-T-Eump/Dreaker pair).
- 5. Ej cssign the loss of a single poner supply will result in an istiat.'on Of snutacan cooling cae to a loss of ocaer to PCIS logic.
(MORT 19, b2 and E(H)-B-i-Loss of power / Logic pair) 1 i
i
'T l
1 l
l l
i l
i
Event
Title:
Primary Containment isolation Due to Partial loss of Offsite Power Event tiumber: LER 2-87-15 i
Event Date: August 16, 1987 L
Synopsis: On August 16, 1987, a Primary Containment Isolation System (PCIS) l Group 11 in board isolation occurred on Unit 2 and a PCIS Group II outboard isolation occurred on Unit 3. These actions occurred oue to a fault on the 220-05 line caused by a tree contact. Due to temporary wiring installec on prote;;ive relays at an off site substation, the fault was n0: is:iate: and cause: the 220-05 line
( ti; . 2 Startup Source) to trip. ine temporary -iring aas installed due : faelty relay coeration. ine i ss Of :ne 220-05 line resulted ir. a fast transfer of four Of :ne eign: 4KV emergen:y buses. During
- ne 3 second io:kout, snutcoan eccling isola:ec cn b tn Units.
Analytical Techniques Used:
Energy (Hazard) - Barrier - Target Analysis (E(H)-B-T)
Everts and Causal Factors Analysis (ECF)
Management Oversight and Risk 1ree Analysis (MORT) j i
l l
f Eo!
GL 93 8 EO8 d u a v 0
.ge, 1 =3 ;
g =3
-=
e5 "35 C.I w
G by
- s w
= l D;:,
551 ettt
. !:6 ces-Eis o=3E
- e d b
=f-g-
E' , *w
- w[;;o s u
/>H-N
[*
Ie: g-e-
OEf --- -
> g*g1 IE Es 2 *. sg
- d a
.r f.
- .d Y
.a .t.t U h..j MN
/ *aN y
- t e. 26-
e
.r-vs I :r: ss 4 -*-
-E;w,
- ee Ej Conclusions (including supporting references):
- 1. Temporary jumpers in the protective relay icgic on the 220-05 line failed to prevent the electrical fault from reaching the 220-08 line (HORT - 17, c1; 19, b3; 16, b3 and E(H)-B-T-Faulted line/ plant system pair)
- 2. The information needed to assess hoa the plant is affected by temporary changes to offsite equipment was not communicated between T&D and station personnel. (MORT - 41, M32; 21, b2; 21, c4)
- 3. Tne reviea- process is inadequate for changes to offsite eauipment inat can affect tne plant and the responsibility for performing such revieas is not clearly establisnec. (M3RT - 42, 02; 42, c3-cS; 41, M53, 44, a2; 41, al)
- 4. Tne tree triming program f ailed to prevent a tree from coming into contact witn the 220-05 line. (MORT - 17, b1; 19, b2 and E(H)-B-T-Tree /Line Pair)
- 5. Hazards to the plant created by the length of time a jumper is in ,
place offsite, such as the temporary wiring on the protective relays which was installed for about a year, are not reviewed. (MORT - 43, b6; 43, c16-c19) :
t
- 6. By design, the icss of a single off-site power supply will result in an isolation of shutdown cooling. (E(H)-B-T-Loss of poaer/ shutdown cooling pair) 1
Event
Title:
Containment Isolation on Loss Of A Startup Source Due to Crane Operation Event Numoer: LER 2-87-16 Event Date: August 20, 1987 Synopsis: On August 20, 1987 at 1305 hours0.0151 days <br />0.363 hours <br />0.00216 weeks <br />4.965525e-4 months <br />, Unit 2 "B" and Unit 3 "C" RHR pump, the only ones operating in the Shutdown Cooling Mode tripped. Their suction valves had closed due to a Group 11 isolation. The Primary Containment isolation was caused when an 80 ton mobile crane dre an arc from tne 220-05 cffsite poner supply line. This, in turn, caused SU-25 breaker to trip resulting in a fast transfer of 4 Emergency ouses. Tne crane was being used to move containers out of the way to oegin tne annual ciesel generator inspection. Due to a lack of storage space, to:ls an.1 equipment are stored in containers inroughout tne site. Tnere was no control on the use of cranes near the high voltage offsite line, wnich the personnel involved assumed to be deenergized. There were no physical barriers, e.g. trapeze or caution signs on or near the high voltage line.
Analytical Techniques used:
Energy (Ha:ard) Barrier - Target Analysis (E(H)-B-T)
Management Oversight and Risk Tree Analysis (MDRT)
Events and Causal factors Analysis (ECF)
- l
9 l 11
'.i.l
$. !I!
E3
(- i p
il a If 14 n!**
le o,l*;
11 V;!
i!!gj g v;i l7 grg!)
v _ _.
l :
l
- 11 2
. b 9
[
I di ;
h!! 3 :
h.l ii!.s_ p-ir
. .s
. 5 ,
,E l
r n
li:d !-:.
I 9..::
l ------->
Igs:'i'8gg e------- :
{j::g @ jefe .
O n u{-h!
i!il 4
Flll l !
- r ss .
- t kI,I i
'I n --~.7 N ;
m
@ p I.!ll!
m! .
i
?
\ .
I5f3 lus 31 i
i r
. . _ , .- , . . - - _ _ - , . . . , . . . . ~ - , - . . . . , , . - _ _
I Conclusions (including supporting references): '
- 1. By design, the loss of a single off-site power supply will result in I
an isolation of shutdon'n cooling. (E(H)-B-T-Loss of po.er/ logic pair)
- 2. Peripheral tasks not directly related to the *0rk, but inat are j
important to the safe conduct of the work, are not planned or controlled. (MORT - 37, SDS, a5, b4)
- 3. ho pre-job planning or safety supervision at jets near nign vcitage lines is recuire:. (MDRT - 26, SD5; 39, MA2: 41, M53)
- 4. h: arning signs or anysi:a1 carriers preven:ing Ine intrusion inte eie:tric clearance space aroun: nign $0itage lines mere present.
E(H)-B-T-Crane / kine Pair, an: M ET - 19, 5:2; 44, M53, a2, b7).
- 5. Tne Crane c;erator an: ne aus services g-0.;; for en nere either n0; aware of OSHA requirements on crane clearance around high voltage lines er did not get a refresher training on the subject. (MORT -
33, 505, b3, c14, dl5).
- 6. Tne crane operator and the foreman who visited the site did not detect the ha:ard, or commanicate with shift supervision or electrical supervisicn the work that was to be done. (MORI - 20, 501; 23, 502; 26, 5D5)
Event
Title:
Shutdown Cooling isolation Due to Reapplication of A Block Eveng Number: LER 2-87-18 Event Date: August 28, 1987 Synopsis: On August 28, 1987 at 1048 hours0.0121 days <br />0.291 hours <br />0.00173 weeks <br />3.98764e-4 months <br />, the shutdown cooling Suction valves automatically closed and the 'D' Residual Heat Removal (RHR) pump tripped. The cause of the isolation was the deenergization of the
'A' RHR Logic when a temporarily cleared safety block was reapplied
.itncat realizing that it would isolate tne snutcown cooling system, anicn nad since been returned to service.
Analytical Techniques Used:
Energy (Hazard) - Barrier - Target Analysis (E(H)-B-T)
Events and Causal factors Analysis (ECF)
Management Oversight and Risk Tree Analysis (MDRT) 4 l
1
,s- 4 _m ..----4u,.e ...+wi L -.-eLi . - .
_,d.$-._ 4 h ~%n Ji... . 4 c4 .a , 5 f4 s __, W 1 a EoE8 !
d5==
E b *E Eo8" m v::8
- I y a b I
i.
l I
i i
2 Iw3 e
s 6
?
I
. e ,.. x w-2 e: i3
- E 91 s !
I. a ._------ y Ep- 4------- g,25 ;
4 aga rg .su i
\ s r/ se j ;
s s i e i
i o -
dc 5 t a,- i
- -------- > *t[& i
~
1 B:- "t**
3 -o
~
\ / a w I
l l I l 1
l q
4 /2N Ba u 1 j d59aE --y ga 8
- ogg.g .-----
.,tna
- 3. g ,
M= t;:
g N*/
I l
I W, F-Ei 4
.4 e ad 4
1
- 35-
?
l
. . ... , . - - . . l
l 1
i i
==
Conclusion:==
, (inc.uding supporting references):
- 1. The temporarily cleared block was reapplied without performing a new review to determine the consequences of reapplying the block. (MORT
- 17, b3 and E(H)-B-T - Loss of power /'A' RHR logic pair)
- 2. The permits and blocking program does not require that a review of the potential consequences of reapplying the block be performed when reapplying a temporarily cleared block. (MORT - 17, b3;18, b3; 42, c3; 42, c4; 42, b2; 43, cl3) and E(H) - B - T - Loss of power /'A' RHR logic pair)
- 3. ine metnod for developing permits and blocking was based on that used at fossil fuel plants. Tne program does not adequately address the design differences and requirements of the nuclear plant. (M3RT -
41, al; 44, a2; 49 b20) I i
l l
l 1
l 1
I l
Event
Title:
Shutdown Cooling isolation Due To Loose Connection in RHR logic Panel Event Number: LER 2-87-19 Event Date: September 4, 1987 Synopsis: A shutdown cooling isolation and trip of the 'D' RHR pump occurred at 0305 on September 4, 1987 as a result of the 'A' RHR logic being temporarily deenergized. Prior to submitting a blocking procedure, the Snift Technical Adviser (STA) needed to verify that logic fuses in the 20C32 panel were properly labeled. As the STA moved a wire in order to read its label, he noticed a small arc at the BB-F2 fuse terminal, and heard relay operation. The wire had pulled free from its lug, causing the 'A' RHR logic to deenergize. It was determined inat the wire was not fastened securely to the lug. Further investigation revealed that ex. tensive work in the 20C32 panel, especially in the area of fuse BB-F2, had been done during the outage.
Analytical Techniques Used:
Events and Causal Factors Analysis (ECF)
Management Oversight and Risk Tree Analysis (M3RT)
I 1
l
82 I.g
,iwW" s 6
==
-$3 1
E s 6 E
[3"31f\2 :E*s 8!.!ig i =.
i,ij w
j
\2s / s 6
/e _t >N t.d s-t ti;;!
s=s -
.-------> gj s2 e w e a s h 4
4 a .
.=,1
-e.-
j x,-
5,
.-------> g ,.
5 8 w $
V s .
l
=
==
! i bea u (4 t**o:=
- 5 .-------> r
- sg was E
.? sir i 512g Conclusions (including supporting references):
- 1. The extensive work performed in the 20C32 panel appears to be the most likely cause of the loose connection. A post-maintenance / post ;
modification inspection did not ensure that all affected wires were '
securely fastened. (MORT - 24, 504; 25, a2; 25 b5)
- 2. Work procedures did not assure the secure re-fastening of all wires after performing a task. (MORT-24,al)
- 3. The post work inspection program was not sufficient to address potential errors. (HORT - 24, al: 46, b9; 46, b10)
- 4. The discovery of the loose connection and the knowledge that extensive work was performed in the panel was not adequately used to signal Ine need to inspect the other wiring in the area of the work.
(MDRT - 14, b1; 14, b2; 15 d2; 20 al; 21, a2; 23, a4)
I
- 5. By design the loss of a single power supply to the RHR logic will result in an isolation of shutdown cooling. (E(H)-B-T-Loss of poner/ Logic pair) ,
i 1
i i
i Eeeng
Title:
Primary Containment isolation Cuen% Number: LER ?-87-21 Event Date: September 16, 1987 Synopsis: A plant modification ass in progress, which required the installation of three temporary leads to avoid interrupting po er to 20Y33 and other panels. The three leads were installed without the use of a <
procedure and with no human factors review. The alternate power supply for the 20Y33 panel included 3 disconnect swittnes locatt' at various locations in the plant. One switch was left witnout adequate labeling and was placed in a ell travelled area well aaay from the L
location of the original power supply. At 8:15, tnere was a loss of po.er to the 20Y33 panel which resulted in a shutdown Cooling isolation. The most likely source of this loss of poner was the i
inacvertent actuation of the mislabled disconnect switch.
Investigations of ot5er potential sources turned up negative.
Analytical Techniques Used:
Change Analysis (CA)
Energy (Hazard) - Earrier - Target Analysis (E(H)-B-T)
Events and Causal Factor Analysis (ECF)
Management Oversignt and Risk Tree Analysis (MDRT) l l l I
i 1
e P
/ N T.Jils u;,ge
\ /
i t
I i
1 1
- , '.N - f.
- e
.. y .m.
/ ,4F*' '
/
e
- m. 4 7,s.
T
- sp
.....>/p pgiqT
, g** 86-*j
.,. . . .. . p.- . .- y . -- . ) ET qwescgay i ...
I I I I I i i l I I ,,
i v v
/ m .in h / wee re%.:: / etu.MI r re p , sk.,.,.N '
(o,. $;.t?4i (D , ( =*tY13 / i i i i l i l -
I i 1 t i I g g .. L l.,** ,
I I t .?
- i i i -
v v v
'91. W 4 .v l!m$..; W P,g&,
qyr l .
t..
f
. . i l i i l 1 1 1
i l i 1 l 1 1 1
'
- I e t
l l T
/,.2l7 T
,.s N o N me N
/ e)#4" 8' ....... . .... .... al.!P"m
. ,$g,q i -,,
sja::tu/ (.e...s,i;',.I.
i- i ir 3 en e :i.p % .. a. .. ,/ t p
e A
- l. I 3 1 I l i I l I i
! I I l I i i
it}.i.hmII . o. .. - m.
aw10 t
I toweats este Dr PMi LO"II -l f
( egnet / \ 047 /
i I
-41 ;
Conclusioni, (including supporting references)*
- 1. There was an inadequate human factors review of the use and ,
installation of the terrporary leads. (MORT - 45, c28; 45, dl-3; 46, c6 and 9, 23, 502).
- 2. There were insufficient barriers to pre,enting inadvertent mispositioning of the disconnect saitch. (E(H)-B-T - Loss of Po er/20Y33 pair and MORT - 46, bil; 19, cl; 44, b8; 44, c23; 46, d6 and 9; 47, c34; 23, 502).
- 3. The installation of the temporary leads was not a controlled activity. Pro:edure A42 Proteaure for Control of Temocrary Circuit Modifications (TCM) was nct usec. (MORT - 23 SD2; 17, b3; 17, c1; 18, b3; 41 MS3, 41 al 44, a2).
- 4. The implementation of the program controlling temporary work was inadequate to prevent Inis event. (MORT - 39, PA2; 40 al-5; 41, a9-i 10) 1
- 5. The criteria for analyzing and reviewing the temporary cnange is inadequate to identify safety concerns. (MORT - 42, c3-6; 42, b2; 42, b3; 43, b6; 41, al) 1
- 6. The design of the temporary change did not preclude this event.
(MORT - 44, a2; 46, bil; 44, c23; 46, b13; 42, b17-16; 49, b20; 49, I I
c3; 49, c41-42; 49, c45)
I j 7. The specification and procedure for installing the temporary change were less than needed to accomplish the work. (MDRT - 46, b13; 46, l c32; 47 c33-34; 48, c35-38) 42-I
- 8. By design the loss of a single power supply will result in an isolation of shutdown cooling due to a loss of power to PCIS logic.
(HORT 19, b2 and E(H).B.T. Loss of power / logic pair) ;
i i
i i i I
l T
l i
I f
-43 :
1 l
l l
4
Event
Title:
Unit 2 Reactor Scram ano e cup i;/Ill isolation Associated With Calibration Testing of F, f-?-3-102B Eeent Number: LER-2-87-26 Event Date: Decemoer 6, 1987 i
Synopsis: On December 6, 1987 at 2100 hours0.0243 days <br />0.583 hours <br />0.00347 weeks <br />7.9905e-4 months <br /> a Group !! and !!! isolation was generated from the actuation of reactor level transmitters LT 101A and B. This terminated the operation of the shutdown cooling mode of the RHR system and generated a reactor scram signal. The reactor was in the cold snutdoan condition. LT101A and B sensed false reactor level oscillations during the calibration of pressure s' itch, PS 1028. The actuation of tne level transmitters was caused by a leaking shutoff v11ve during the Calibration cf the pressure switch.
In accordance with technical specificatien ;ressure smitches PS 102 l
A, E. C, and 0 are calibrateo once per refueling cycle. Tnis incident happened while performing procedure ST.2-1-12 B on PS 102B.
The surveillance test procedure did not require double isolation.
Analytical Techniques Used:
I Event and Causal Factor Analysis (ECF)
Change Ar.alysis (CA)
Management Oversight and Risk Tree Analysis (MORT) l -44 l
l l
<,,5--a+ +oo @ , 4~--- 2-a m = - d .a e b i
! d s i hH ;
4 ,
h 6
t
};!i :
l :-
n-i P ii'il 31 it .
1 E
a 4
h;ylt I s l- b e
i 6 i
(
! Hil
=
lijl l
1 f
l hl} ll.1, i
If m , l, i i l - j 3 . ._. i!jjji .........mi qgjg ; j ! l
- p l ;
# t '
l I ! ' i j gal- i sj [hy3e....... @l !!!
> i 3 I i ~~
i s. i pi 1 ! '"i
-l,-
I! ~!!
' @;ii l .
f i I 1 i ! l , i l 4
'lIl M d:*-
3
-l i
1' ! J 45 1 1 J ! l I
Conclusions (including supporting references):
- 1. Double isolation of pressure switches was not Considered. (MORT -
19, SC2; 20. 501; 41, MB3al)
- 2. Caliorations of tne pressure switenes should be performed wnen tne l
adverse conseovences of an incident on the plant due to a componet failure would be minimized. This test procedure permitted the test to be performed with reactor at poner in which case a scram would have occurred. (MORT - 20 SC2, 44; 41, M33, al, bl) l 4 b l 1 i
Event
Title:
Shutdo.n Cooling Isolation Due To Crane Contacting Line Offsite Event Number: LER 2-87-30 Event Date: 12/30/87 Synopsis: On (>ecember 30, 1987, private contractors ere using a crane to move equipment in the vicinity of the 2313 line which connects the Northeast and Graceton Substations. This non-utility work was being i performed in the BGLE territory. A ground also existed on the l protective rels,,s for the breakers at Gracten Substation (BGLE). In addition tne relay tnat provices alarm circuitry was not working, so
! BGLE personnel did not knoa a problem existed with the protective relays. At 9:10 am the crane contacted tne 2313 line. Tne protective relays at Graceton did not respond to the fault, so relays e.t Nottingham Substation acted to protect the distribution system.
These relays transferreo the trip signal back to PBAPS causing a loss of the 220-08 transmission line feeding the #2 SU Bus. The 4 KV emergency buses fast transferred to the #3 emergency auxiliary
! transformer when the #2 SU-E breaker tripped. Shutdown cooling 1
isolated during the three second loss of poner from the fast transformer. Analytical Technicwes Use0: Energy (Ha: erd) - Barrier - Target (E(H) E-T) i Events f. Causal Factors Analysis (ECF) Management Oversight Risk Tree Analysis (HORT)
-47
_ _ _ , __ _ _ . . _ _ . _ _ _ _ _ - - - - - - '- '~ W 1 ln; M' ^ /} w *.- 23 e-gi.g. .-------> Is.a :. g - . a g *j:. ee.* A b ** e m
\
eye
.ns- .e g.
i.85, si
'$f]I a
- j b 9
i..1:
- n. :
g s.AI 8& I'Na
- C:
s h* EIk-e m
.lis ..g
- g. .
..a
. 4-_----- g: 4- --------,
e
.e 4 ab .
w f 9 O. Ire II3 w V:= 51 (r:!.l - i i mur3]1 < c.6 .5 l
-- , . m, It6s
$$3 $
Eg.*f e.c I mt .~.L. O.v.. 1H;I 4------- 3s [s v,h..
.q, r:Ellt t.
U m , m - --'-
e , Conclusions (including supporting references): . e
- 1. The protective breakt'rs and system logic were unable to prevent -
shutdown cooling isolation: , By design, the loss of a single power supply will result in a
~
- a. -- .
shutdoan cooling isolation. (MOP.T - 19, b2 end E(H)-B-T- Loss . of poner/ logic Pair) hr '
- b. No other relay / breaker protectior. is available between BG&E and .
PECo territorics. (MORT - 19, c1 and E(H)-B-T - loss of , poaer/shutdoan cooling pair) . ,
. km
- e m
- s e
4
- n h
s e
Event
Title:
Cov.ainment Isolation Due to Load Center Breaker Trip Event Number: LER 3-87-08 Event Date: October 5, 1987 i Synopsis: On October 5,1987 at 2026 hours, a Group 11 primary containment isolation occurred resulting in a Shutdon'n Cooling isolation. The event was initiated when a test engineer racked out a potential transforr..er (POT). This action resulted in the trippino of the E-334 emergency load center. At the time, the engineer was troubleshooting proolems with the Unit 3 "C" Hign Pressure Service Water Pump breaker. Tnere were no signs on the POT compartment door warning the engineer that opening the door aould trip the E-334 breaker. Decnergizing the load Center resulted in a loss of power '.o one-half cf ?.ne primary containment isolation logic. This resulted in a Snutdoan cooling isolation. Analytical Techniques Used: Event anc Causal Factors Analysis (ECF) Management Oversight and Risk Tree Analysis (MORT) Energy (Hazard) - Barrier - Target Analysis (E(H)-B-T)
M 8E5 5g8 f,v s w
/o -x r 8-89
"="w ii3=IE'
,_ _ _ _ _ .- - y = = ,. o < B E5g- 'rofyg '
Tv 9 w
>= -
o sj s - 8 EU
"=3g =0 Ed w 7*E5 w :!;
a u o G f 23
=A 2
-a E b tt 1
TI n.x es s w-x -s ;
==.
ess ._______y Ina
=; 5 .-------F I 4-------
4:.ht au nc agz 2 ce rv s.!Eg
- v. .
z Eo n, - - EE ZO " E \ / \ j N /
. sw i I I t I l 5 1
i ( l i i i l 1 I I /, a 3> a de gh
-e.- go.c 2 2<g.
.a e
-o $5 -.j6'o g $,
5"5
,$_5 m3 gg5=w, ga: 1 32*
*;g w..x ms g -y Q* fj ,
Conclusions (including supporting references):
- 1. The barriers present were inadequate to keep the engineer from opening the door. No warning signs were present on breaker compartment. No locks are installed on the door. (MORT - 19.582, 19,5C2, 19.al, 19.bl, 27.dl, 44.c2, and E(H)-B-T-Loss of power / logic pair
- 2. After painting the breaker compartment, no checklist was available to verify that aarning signs should be installed. The painting group nould not paint over signs, but would not knon wnat signs were missing. (HORT - 20 SC.1, 20.bl, 20.dl, 20.d2, 26.cl, 26.c2)
- 3. There is ne formal method for Controllir.g permanet labels and for notifying the plant labeling group about tne required signs wnen they are missing. (MORT '7.C4)
- 4. The na neer performing the trouble shooting was not adequately traised. He had received no training in 4KV breakers. (MORT 48.c36, 45.c27,20.dl,20.d2)
- 5. Planning and control of trouble shooting were not sufficient to prevent this event. Prior planning and review is limited and possible negative consequences are not fully addressed. (Procedure A42.1, Temporary Circuit Hodifications During Troubleshooting of Plant Equipment or Verification of Equipment Operability, is not required to be folicaed during trouble shooting if no system configuration changes are made. Tnere is no separate procedure / guideline for trouble shooting.) (MORT 39.MA1, 40.al, 40.a2, 40.a5, 41.MB3, 42.c3, 42.c8 43, c13)
- 6. By design the loss of a single power supply will result in a shu+dow.1 cooling isolation. (MORT 19, b2 and E(H)-B-T-Loss of power / Logic pair)
~
Event
Title:
Unexpected MO-3-10-25B Isolation During TPC Performance of ST 1.3.3 l Event Number: LER 3-87-09 Event Date: 10/12/87 Synopsis: A temporary procedure change (TPC) to preclude a shutdown cooling isolation during secondary containment testing did not prevent the . LPCI injection valve MO-3-10-258 from isolating. PCIS Logic System
\
Functional Test ST 1.3-3 did not mention that the MO-3-10-25B valve J would isolate during the test step. The TPC to prevent the isolation did not accress M3-3-10-258. Both omissions were not recognized by tne review process reauired by A (aaministrative) procedures. During ST 1.3-3 performance, a Group II isolation signal was manually initiated and causea an unexpected M3-3-10-25S isclation. 2 Analytical Techniques Used: Energy (Hazard) - Barrier - Target Analysis (E(H)-8-Y) Management Oversight and Risk Tree Analysis (MORT) Events and Causal factors Analysis (ECF)
LER rit MaFR 3-81-09
!!PCDIOMO ACCeE55 ENJ E C llGN Vmt vE Q*0- 3 25f I
I b
<.n l
I
' I I
I T [OsJtC1C#\ IPC - is st (NG f INISHID IPC SEVIF6sf D SV nam HINitif f E k 3 gggy Of PnF55tD SHU100tM 1FC 10 PCIS IE SUPV ggggggg, k THF IE st k (DOLING APO IE SIING L OG SYS T WHUNT) L T F IHF Al f UN BEGAN lE55 PUSH 8UfION T LPCIINJ If 5r 55 PER PROC
\ Finnt 5ts)-) A-3 nn-575s vat vE CL OSE D g 4 4 4 g i 1 1 g i 1 i g i I I g I I I g i i i g I I I y i 1 1
[ frC h [PRIVINIfrC 10 \ [ R F oylp f D REVIFta ritit THIS LJR5 INTIN,CEO g ggp 10 nrrt.lt pet E _) 5HUIDO W Ct1JLING AND ~~-----) n0E00AIE 10 IDFMftfY FFR strP 2-22 IN IHF FRUCEDUAE UNE XP EC TE D Aw0 DCCt/MtED At IU
\ SEC110N5/ (15 AfID \tHE ERROR / ( / \0006 HRS /
Conclusions (including supporting references):
- 1. The TPC did not describe the steps of the job, nor was there an attempt to predict errors and write instructions to preclude them.
(MORT - 44, b8: 45, c28; 45, d6; 45, d7-9; 47, d11-13; 47, d15; 47, c34; 25, c2-3)
- 2. The test engineer was not provided the resources (e.g. proper procedure, proper pre-job review) necessary to do the job safely.
(MORT - 29, c8-9; 30, c10; 33, c13-14; 33, d14-16; 35, e24-25; 35, e27; 36, e29-30)
- 3. Tne independent verification failed to detect errors in the TPC.
(MORT - 48, bl6; 43, b2-3; 26, al-2; 26, a4; 26 505; 35, f13; 26, b1; 26, c1; 39, MA2)
- 4. The analysis of tne TPC for safety was insufficient. (M3RT - 41, bl-2; 42, c3-4 and c5-8; 42, b3; 43, c13; 43, b5; 43, c13-14; 41, al)
- 5. The method for implementing the TPC was inadequate. (MORT - 30, mal-1 l 2; 40, al-2; 40, a4-5; 40-a8-10)
Section III - Causal Factors The first causal factor identified showed that a design feature, while functioning as intended to place the Residual Heat Removal (RHR) system in a safe mode by isolating Shutdown Cooling, was associated with 10 of the 13 isolations. This design of the RHR system and its logic and of the Primary Containment Isolation System (PCIS) are sucn that a single loss of either control or Dulk poner (off site or on site) can result in a Shutdown Cooling Isolation. Inis feature is not unique to Peach Bottom but is a typical BWR
+
design. Tne follo.ing 10 isolation events nere associated with this design , feature LEPs numbered 2-87-11, 2-67-12, 2-87-13, 2-87-14, 2-67-15, 2-87-16, 2-87-19, 2-s7-21, 2-87-33, anc 3-57-05. This section cescribes 5 significant causal f actors that are common to at least 6 of the shutdoan cooling isolation events and too significant root causes associated with 1 or 2 of the isolations. Each common factor identified below is presented along with a listing of the LER's in which it was a contributing factor. All of the common factors were , taken from the conclusion section of the presentations of the events in Section II.
- 1. Job site work controls, procedures and supervision, were not sufficient to prevent actions leading to shutdoan cooling isolations.
(LERs 2-87-14; i-87-13; 2-67-15; 2-5)-15; 2-87-18; 2-87-19; 2-87-21; 2-57-26; 3-87-05; 3-E7-09)
- 2. Procedures (including oral or written instructions) for 'short term' work (e.g. TPC's, trouble shooting, etc.) did not provide adequate
guidance for the work being performed and accordingly did not prevent the Shutdown Cooling 150lations. (LERs 2-87-14; 2-87-15; 2-87-16; 2-87-18; 2-87-21; 3-87-08 3-87-09)
- 3. The scope of job planning and review for work performed on site often did not identify potential problems which might be encountered in the course of the work. Consequences of incorrect acts or the affects of work on nearby equipment or circuits, etc., were not addressed.
(LERs 2-87-13; 2-87-14; 2-87-15; 2-87-16; 2-87-18; 2-87-19; 2-87-21; 2-87-26; 3-87-08; 3-87-09)
- 4. Tnere was a lack of specific criteria to be used during the independent reviea of "temporary" changes. (LERs 2-87-14; 2-87-15; 2-87-16; 2-87-18; 2-87-21; 3-87-09;3-87-08)
- 5. There was a lack of appropriate human factors reviews in joo planning for and design of sensitive plant equipment. (LERs 2-87-13; 2-87-14; 2-87-16; 2-87-21; 3-87-08; 3-87-09)
In addition to the causal factors described above, there were two significant root causes associated with one or two shutdown cooling isolations, they are:
- 1. There was a lack of hands on training on equipment for personnel who will be responsible for troubleshooting equipment in the plant such as 4KV breakers, 480V breakers, motor operated valves, etc. (LER 3-87-08)
- 2. Clearly defined lines of authority / responsibility either did not exist or were not known, which would enable personnel responsible for the performance of a task to know the proper interface relationships
that must be established in order to safely accomplish the task. (LERs 3-87-08, 2-87-16) __ _ _ _ _ _ _ _ _}}