05000261/LER-2015-001
| H. B. Robinson Steam Electric Plant, Unit No. 2 | |
| Event date: | 01-28-2015 |
|---|---|
| Report date: | 03-30-2015 |
| Reporting criterion: | 10 CFR 50.73(a)(2)(i)(B), Prohibited by Technical Specifications 10 CFR 50.73(a)(2)(vii), Common Cause Inoperability |
| 2612015001R00 - NRC Website | |
Reported lessons learned are incorporated into the licensing process and fed back to industry Send comments regarding burden estimate to the FOIA, Privacy and lnformat on Co' ect ons Branch (T-5 F53), U.S. Nuclear Regulatory Commission, Washington DC 20555-0001 or by Internet e-mail to Infocollects.Resource@nrc.goy, and to the Desk Officer Office of Informal on and Regulatory Affairs, NEOB-10202, (3150-0104), Office of Management and Budget, Washington, DC 20503. If a means used to impose an information collection does not display a currently valid OMB control number, the NRC may not conduct or sponsor, and a person is not required to respond to, the information collection.
2015 - 001 - 00
PLANT IDENTIFICATION
Westinghouse
- Pressurized Water Reactor
BACKGROUND
On 1/28/2015, with the plant operating at 100% power and no involvement of out-of-service structures, systems or components, it was discovered that the design bases for the Reactor Protection System (RPS) [JE] and 125V DC Electrical Distribution System (DC-EDS) [EJ] were challenged by the parallel connection of their redundant safety trains, effectively eliminating the required independency and redundancy of the systems' ability to perform their safety functions regardless of the condition of the redundant train. As such, upon discovery of this condition, both systems were declared inoperable.
The regulatory impact to the station as a consequence of this condition requires a 60-day licensee event report (LER) to the NRC under 10 CFR 50.73(a)(2)(i)(B), "Operation or Condition Prohibited by Technical Specifications," and 10 CFR 50.73(a)(2)(vii), "Common Cause Inoperability of Independent Trains or Channels.
EVENT DESCRIPTION
On 1/23/2015, with the plant operating in MODE 1 at 100% power and no structures, systems or components out of service at the time of this event that contributed to this event, licensed operators received trouble alarms [ALM] for the DC Electrical Distribution System (DC-EDS) Battery Chargers NA-1 and B/B-1[BYG]. Non-licensed Auxiliary Operators (AOs) were dispatched to troubleshoot 'A' and 'B' battery chargers and reported back low voltage readings of 42V. The normal voltage is 70V with a minimum of 50V. Further examination revealed a ground present on both 'A' and 'B' safety trains of the 125V DC-EDS. Ground fault locating efforts traced the grounds to a circuit installed during refueling outage (R0)28 where a field cable [CBL] was inadvertently left connected between racks [RK] R55 and R60 of the RPS, resulting in the Safety Injection Reactor Trip Signal relays [RLY] of both trains of RPS being electrically tied together.
The result of this configuration eliminated the ability of each safety train to initiate a reactor trip on safety injection independently, requiring both trains to initiate this reactor trip function simultaneously. Therefore, the design basis of the RPS has not been met since the field cable was inadvertently left installed (approximately fifteen months) as neither train was capable of independently tripping open its respective reactor trip breaker and generating a reactor trip. Furthermore, since the RPS relays were energized from the DC-EDS associated with their safety train, this wiring configuration also resulted in both 125V DC-EDS safety trains being electrically tied together. The required independence and redundancy between these subsystems was also inadvertently eliminated, rendering the DC-EDS inoperable while the field cable was connected.
When this condition was identified on 1/28/2015 at 1957 hours0.0227 days <br />0.544 hours <br />0.00324 weeks <br />7.446385e-4 months <br />, Improved Technical Specification (ITS) Limiting Condition for Operation (LCO) 3.0.3 was entered. At 2048 hours0.0237 days <br />0.569 hours <br />0.00339 weeks <br />7.79264e-4 months <br /> the cable connecting the both trains of the RPS and DC-EDS was cut and taped removing the cross connection and allowing ITS LCO 3.0.3 to be exited. A Condition Report (CR) was initiated and a cause evaluation was initiated.
CAUSAL FACTORS
The direct cause of the reactor protection and DC electrical distribution systems' inoperability is maintenance utility personnel failed to spare a previously installed field cable between RPS Racks R60 and R55 during modification implementation work performed during R028. An Engineering Change (EC) introduced new relays [RLY] into each train of the RPS to provide additional coincident logic to validate a reactor trip from safety injection thus eliminating a single point vulnerability. The electrical terminals that were to be used for the installation of these new relay circuits were originally configured as part of a Steam Flow/Feed Flow Mismatch reactor trip function and connected via a dual conductor cable (C2421V) [CBL]. The Steam Flow/Feed Flow Mismatch function removal work was performed prior to the installation of the new coincident logic relays CAUSAL FACTOR (Continued) and carried out by non-licensed craft personnel exactly as written. However, after close review of the EC and Work-Order (WO) instructions it was discovered that portions of the "Spare Cable List — Attachment D" that should have been referenced to achieve the desired wiring configuration were absent from the WO. The missing attachment resulted in cable C2421V not being spared and thus interconnecting RPS racks R55 (Train 'A') and R60 (Train 'B') after work was completed.
The root cause investigation related to this event is ongoing, and should the results of the investigation indicate causes significantly different from those stated below, a follow-up report will be submitted.
At present, it is believed that the root cause is inadequate communication between Engineering and Maintenance organizations, which failed to translate modification requirements into accurate and complete work instructions. Contributing causes include: 1) Post Modification Test development lacked adequate rigor regarding requirements to functionally test every design feature, which is procedurally required per EGR-NGGC-0155, "Specifying Electrical/I&C Modification Related Tests." 2) Engineers did not properly apply the risk assessment process as outlined in EGR-NGGC-0011, "Engineering Rigor.
CORRECTIVE ACTIONS
Corrective actions taken to restore compliance with regulations and examine the extent of this condition are listed below.
Immediate:
1. Cable C2421V was cut eliminating the electrical parallel connection of the RPS and the 125V DC-EDS. (WO 13482719) This restored compliance with TS 3.8.9, "Distribution Systems — Operating," and TS 3.3.1, "Reactor Protection System (RPS) Instrumentation," and allowed exit of LCO 3.0.3.
Completed:
1. Performed walk-downs of spared cables associated with ECs related to the event to assure wires/cables were properly spared and terminated. Located 50 improperly spared cables that were verified to be isolated from any in-service circuits.
2. Performed walk-down of terminal block 6V in safeguards racks [RK] R52 and R64.
3. Engineering analysis performed to support Operations determination of operability. (EC 99431) 4. Reviewed recent ECs affecting the RPS to determine whether any other conditions could have been created by using spare terminals; no other concerns found.
5. Performed a Stand Down to reinforce procedural expectations related to WO packages incorporating the entire scope of the EC.
Planned:
1. Revise Engineering Change procedure to require EC Implementation Work Order review considerations for all modifications regardless of risk levels. In addition, include new requirements that formally document concurrence from Engineering and Planning that the scope of the EC is adequately reflected in the Work Order Instructions.
2. Revise AD-MN-ALL-0005 Nuclear Planning - Section 5.5 Line 2 to include specific requirements for modification planning that will ensure the design is accurately translated into WO Instructions.
SAFETY ANALYSIS
Although the Reactor Trip from the Safety Injection signal would not have occurred unless both trains of Safeguards had generated the Safety Injection signal, all other functions related to the Safety Injection signal would have functioned as designed.
Specifically, the Safety Injection signal generates a Feedwater Isolation signal. A Feedwater Isolation signal generates a Turbine Trip signal, which subsequently generates a Reactor Trip signal when power is greater than 40%. Therefore, although the Safety Injection signal may not have directly generated a Reactor Trip as designed due to the remnant field cable, it would have generated Reactor Trip signals for the Hot Full Power (HFP) cases via the Reactor Trip on Turbine Trip at above 40% power.
SAFETY ANALYSIS (Continued) The HFP cases would have remained bounding of the expected plant response. If a Main Steam Line break were to occur at a power level less than 40% power, then a reactor trip on Low Pressurizer Pressure would still occur and the event would not result in a more severe challenge to fuel centerline melt or minimum departure from nucleate boiling than the HFP cases.
This condition was not risk significant. The change in Core Damage Frequency (CDF) was calculated to be 2.76E-08 and falls in the acceptable region (Region III) of the Figure 4 graph located in NRC Regulatory Guide 1.174, "An Approach for Using Probabilistic Risk Assessment in Risk-Informed Decisions on Plant-Specific Changes to the Licensing Basis," which indicates acceptable guidelines.
ADDITIONAL INFORMATION
A search for previous similar events at H. B. Robinson Steam Electric Plant, Unit No. 2, was conducted. No similar events were revealed.
Energy Industry Identification System (EIIS) codes for systems and components relevant to this event are identified in the text of this document within brackets H.