05000346/LER-2016-001
| Davis-Besse Nuclear Power Station, Unit 1 | |
| Event date: | |
|---|---|
| Report date: | |
| Reporting criterion: | 10 CFR 50.73(a)(2)(iv), System Actuation 10 CFR 50.73(a)(2)(iv)(A), System Actuation |
| Initial Reporting | |
| ENS 51696 | 10 CFR 50.72(b)(2)(iv)(B), RPS System Actuation, 10 CFR 50.72(b)(3)(iv)(A), System Actuation |
| 3462016001R00 - NRC Website | |
| ML16091A114 | |
| Person / Time | |
|---|---|
| Site: | Davis Besse  |
| Issue date: | 03/29/2016 |
| From: | Boles B D FirstEnergy Nuclear Operating Co |
| To: | Document Control Desk, Office of Nuclear Reactor Regulation |
| References | |
| LER 16-001-00 | |
| Download: ML16091A114 (8) | |
Reported lessons learned are incorporated into the licensing process and fed back to industry.
Send comments regarding burden estimate to the FOIA, Privacy and Information Collections Branch (T-5 F53), U.S. Nuclear Regulatory Commission, Washington, DC 20555-0001, or by internet e-mail to Infocollects.Resource@nrc.gov, and to the Desk Officer, Office of Information and Regulatory Affairs, NEOB-10202, (3150-0104), Office of Management and Budget, Washington, DC 20503. If a means used to impose an information collection does not display a currently valid OMB control number, the NRC may not conduct or sponsor, and a person is not required to respond to, the information collection.
3. LER NUMBER
05000-346 - 001 2016 00 Energy Industry Identification System (EIIS) codes are identified in the text as [XX].
System Description:
The Davis-Besse Nuclear Power Station (DBNPS) Reactor Protection System (RPS) [JC] initiates a reactor trip to protect against violating the core fuel design limits and the Reactor Coolant System (RCS) [AB] pressure boundary during anticipated operational occurrences. The RPS consists of four separate redundant protection channels that receive inputs of neutron flux, RCS pressure, RCS flow, RCS temperature, Reactor Coolant Pump (RCP) [AB-P] status, and containment pressure. Each protection channel is composed of measurement channels and a reactor trip module. If an RPS instrumentation setpoint is exceeded, a channel trip signal is generated. The generation of any two trip signals in any of the four RPS channels will result in the trip of the reactor.
The Steam and Feedwater Line Rupture Control System (SFRCS) [JB] is required to ensure an adequate feedwater supply to remove reactor decay heat during periods when the normal feedwater supply has been lost. The SFRCS is designed to automatically start the Auxiliary Feedwater System (AFW) [BA] in the event of a main steam line break, main feedwater line rupture, a low level in the Steam Generators [AB-SG] or a loss of all four RCPs. The SFRCS is designed to automatically isolate the Main Steam System (MS) [SB] and Main Feedwater System (MFW) [SJ] in the event of a main steam line break or main feedwater line rupture.
The AFW is automatically aligned to feed the unaffected steam generator upon a loss of steam pressure in one of the steam generators. Although not a safety function, the SFRCS also isolates MFW to the Steam Generators and initiates AFW to their respective Steam Generators in the event of high steam generator level. This is to prevent a steam generator overfill condition and subsequent spill over into the main steam lines and main turbine; which could cause thermal shock of steam generator internal structures, and could challenge the integrity of steam line piping and supports caused by excessive main feedwater addition. This high steam generator level trip isolates the Main Steam Isolation Valves (MSIVs) [SB-ISV] to prevent damage to downstream plant equipment.
The Integrated Control System (ICS) [JA] provides for coordination of the reactor, steam generator feedwater control, and turbine under all operating conditions. This coordination consists of producing the best load response to the unit load demand while recognizing the capabilities and limitations of the reactor, steam generator feedwater system, and turbine. When any single portion of the station is at an operating limit or a control section is on manual, the integrated control system uses the limited or manual section as a load reference. One of the features of the ICS Feedwater Subsystem is a Rapid Feedwater Reduction (RFR) scheme. The RFR scheme is designed to prevent refeeding the steam generators with feedwater when not warranted, which could cause a primary system (RCS) overcooling transient. The RFR circuitry provides for a rapid decrease in feedwater flow rate after a reactor trip and is also designed to preclude low steam generator level SFRCS actuations resulting from undershoot of the low level control limits. After a reactor trip, with all feedwater stations in automatic, an RFR demand signal equivalent to approximately four (4)
- percent of total feedwater flow is substituted for valve position.
Reported lessons learned are incorporated into the licensing process and fed back to industry.
Send comments regarding burden estimate to the FOIA, Privacy and Information Collections Branch (T-5 F53), U.S. Nuclear Regulatory Commission, Washington, DC 20555-0001, or by Internet e-mail to Infocollects.Resource@nrc.gov, and to the Desk Officer, Office of Information and Regulatory Affairs, NEOB-10202, (3150-0104), Office of Management and Budget, Washington, DC 20503. If a means used to impose an information collection does not display a currently valid OMB control number, the NRC may not conduct or sponsor, and a person is not required to respond to, the information collection.
3. LER NUMBER
05000-346 - 001 2016 00 Technical Specifications:
Technical Specification (TS) Limiting Condition for Operation (LCO) 3.3.1 requires four channels of RPS instrumentation be Operable in the Modes specified. With one RPS channel inoperable, Condition A requires the channel be placed in bypass or trip within one hour. With two channels inoperable, Condition B requires one channel be placed in trip and the second channel be placed in bypass within one hour. If the Required Action and associated Completion Time of Condition A or B are not met while in Mode 1, Conditions C and D require the unit be in Mode 3 within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> along with the Control Rod Drive (CRD) trip breakers being opened for the applicable RPS functions.
DESCRIPTION OF EVENT:
On January 29, 2016, the DBNPS was operating in Mode 1 at approximately 100 percent power. Power Range Nuclear Instrumentation (NI) calibrations were being performed in accordance with TS Surveillance Requirements. Due to an existing issue that rendered RPS Channel 1 inoperable as discussed below, RPS Channel 1 was placed in a tripped status at 1214 hours0.0141 days <br />0.337 hours <br />0.00201 weeks <br />4.61927e-4 months <br /> after calibration of NI 6 was complete to support calibration of NIs 5, 7, and 8 in the other RPS Channels. At 1309 hours0.0152 days <br />0.364 hours <br />0.00216 weeks <br />4.980745e-4 months <br />, RPS Channel 2 was placed in Bypass to perform calibration of NI 5. At 1322 hours0.0153 days <br />0.367 hours <br />0.00219 weeks <br />5.03021e-4 months <br />, a failure occurred in the RCS Flow input to RPS Channel 4. With Channel 1 in trip, this failure satisfied the RPS logic and caused RPS Channel 4 to trip on Flux/Delta-Flux/Flow, tripping the reactor.
Initial unit response to the reactor trip was as designed, and all control rods fully inserted. Following the reactor trip, as the control room operators were progressing through the post-trip procedure steps, they observed Steam Generator levels rising due to a failure of the ICS to properly respond to the reactor trip. The operators took manual control of Loop 1 feedwater and attempted to reduce main feedwater flOw, approximately one minute after the reactor trip. However, SFRCS actuated on high Steam Generator 1 level as level reached the 220 inch setpoint. All SFRCS components responded as designed, with both Auxiliary Feedwater Pump Turbines starting, both MSIVs closing, and isolating the Main Feedwater System.
Additional equipment anomalies noted following the trip included: 1) Generator Output Breaker ACB34560 opened as designed on the trip with Generator Output Breaker ACB34561 failing to open quick enough (approximately 8 cycles), which led to the subsequent opening of switchyard breaker 34562 and de- energization of the Bayshore Line input to the switchyard (the other three offsite lines to the switchyard remained energized throughout the event, providing power to the two Startup Transformers, therefore, offsite power was not challenged throughout the event). 2) Main Steam Safety Valves (MSSV) [SB-RV] on both Main Steam lines were observed to not fully reseat following the reactor trip (Operators lowered Steam Generator pressures in accordance with procedures in order to allow the valves to reseat, and the Plant was stable in Mode 3 with the AFW System providing AFW to the SGs, as designed).
CAUSE OF EVENT:
The first direct cause and the root cause of the reactor trip was the spurious failure of fuse Y414 providing power to RPS Channel 4. The loss, of power caused cabinet C5756G to de-energize, which contains two modules that provide RCS flow input to RPS Channel 4 (FYRC1A4 and FYRC1B4). When these two modules lost power, the signals failed low, causing RPS Channel 4 to trip on Flux / Delta-Flux / Flow. A review of industry experience identified potential causes attributed to the manufacture and design of the fuse element: intergranular tearing of the fuse element which reduces the current carrying potential, and Reported lessons learned are incorporated into the licensing process and fed back to industry.
Send comments regarding burden estimate to the FOIA, Privacy and Information Collections Branch (T-5 F53), U.S. Nuclear Regulatory Commission, Washington, DC 20555-0001, or by internet e-mail to Infocollects.Resource@nrc.gov, and to the Desk Officer, Office of Information and Regulatory Affairs, NEOB-10202, (3150-0104), Office of Management and Budget, Washington, DC 20503. If a means used to impose an information collection does not display a currently valid OMB control number, the NRC may not conduct or sponsor, and a person is not required to respond to, the information collection.
3. LER NUMBER
05000-346 - 001 2016 00 CAUSE OF EVENT: (continued) weakening due to initial in-rush current; both of which can result in fuse failure during normal operations.
The second direct cause of the reactor trip was continued plant operation with RPS Channel 1 inoperable due to the failure of temperature element TERC3B2 monitoring RCS Loop 1 Hot Leg Narrow Range Temperature. Operating with RPS Channel 1 inoperable requires placing the channel in bypass and tripping the channel when it is required to be removed from bypass. RPS Channel 1 was removed from bypass and placed in trip status on January 29, 2016 to allow performance of NI calibrations in the other 3 channels of
- A contributing cause to the reactor trip was a deficient trend evaluation of failures of the A25X series fuse, such as was installed in Y414. Preventive Maintenance (PM) activities were created with a 15-year periodicity to replace the A25X10 (10 amp) and A25X15 (15 amp) fuses. Spurious failures of these fuses continued to occur following these periodic replacements. However, evaluation of the trend did not recognize that the PM frequency was not adequate to prevent failures.
The first direct cause of the failure of the ICS to properly respond to the reactor trip was due to the failure o,f the RFR circuitry to actuate, which was due to an ICS module not being properly wired for the installed application. In 1990, an ICS module that was used as the Borate Control Switch was removed by a modification and sent to the warehouse for later use. During the most recent refueling outage in 2014, this ICS module was obtained from the warehouse and installed in the ICS functional location for the RFR Defeat Switch. Because the module wiring was not properly wired for this installation, the RFR Defeat Switch prevented the RFR circuitry from actuating even though it was in the ON position.
The second direct cause of the failure of the ICS to properly respond to the reactor trip was due to the Steam Generator/Reactor Demand Hand/Auto,station transferring to Hand following the trip of the Main Turbine. If the ICS station would have remained in automatic, it would have reduced feedwater demand quickly enough to prevent reaching the SFRCS high level trip setpoint. The cause of the Hand/Auto station transferring to hand was an ineffective software change. Changes were made to the ICS during the 2014 refueling outage to improve control of the Unit Load Demand circuitry. However, these changes inadvertently introduced a new failure mode that caused the Hand/Auto station to transfer to hand whenever a large and rapid change in generated megawatts occurred, such as would occur during a reactor or turbine trip. This failure mode was identified while performing training scenarios on the simulator following the 2014 refueling outage, but the software change made in December 2015 to correct the failure mode was not successful.
The first root cause of the failure of the ICS to properly respond to the reactor trip was due to inadequate work package instructions for performing a bench check of the replacement ICS module, as they did not ensure the bench check adequately tested the module's intended function. A continuity check was performed followed by toggling the switch on and off ten times and then rechecking continuity to ensure the switch resistance had not increased. However, the bench check did not validate the switch position with the contact state of the output pins per the vendor manual or ICS drawing, and therefore did not verify the RFR switch was properly wired for the toggle ON position.
Reported lessons learned are incorporated into the licensing process and fed back to industry.
Send comments regarding burden estimate to the FOIA, Privacy and Information Collections Branch (1-5 F53), U.S. Nuclear Regulatory Commission, Washington, DC 20555-0001, or by Internet e-mail to Infocollects.Resource@nrc.gov, and to the Desk Officer, Office of Information and Regulatory Affairs, NEOB-10202, (3150-0104), Office of Management and Budget, Washington, DC 20503. If a means used to impose an information collecfion does not display a currently valid OMB control number, the NRC may not conduct or sponsor, and a person is not required to respond to, the information collection.
3. LER NUMBER
05000-346 - 001 2016 00 CAUSE OF EVENT: (continued) The second root cause of the failure of the ICS to properly respond to the reactor trip was that changes were made to the ICS Unit Load Demand (digital and analog) without ensuring it was tested through its full function, resulting in a new, unintended failure mode. A subsequent fix to this new failure mode did not quantify available operating margin or account for additional delay in the signal processing hardware, resulting in the change being ineffective when installed in the plant. The procedural guidance for making life cycle changes to in-house software was less than adequate for ensuring changes do not introduce new failure modes and documenting the basis for design and testing.
ANALYSIS OF EVENT:
With RPS Channel 1 inoperable and tripped due to the existing RTD issue and the in-progress NI calibrations for RPS Channel 2 requiring Channel 2 to be in bypass; when fuse Y414 spuriously failed, the 2 out of 4 trip logic for RPS was satisfied and the reactor trip was initiated. The control rods inserted fully as designed.
Post-trip, the SFRCS actuated due to high SG 1 level. All SFRCS components responded as designed, with both AFW Pump Turbines starting, both MSIVs closing, and isolating the MFW System.
Due to the demands on and priorities of the control room operators following a reactor trip, they would not be expected to identify and correct this improper response of the ICS within the short time period (approximately 60 seconds) available.
As noted above, two ICS anomalies occurred immediately after the reactor trip, which resulted in the SG 1 High Level trip. The first anomaly was the ICS RFR circuit did not function. The second anomaly was that the Steam Generator/Reactor Demand Hand/Auto Station transferred from Auto to Manual, which held the ICS Feedwater Demand Signal high. The combination of these two anomalies resulted in an increase in SG 1 level to the SFRCS high level setpoint. If either SG/RX Demand would have remained in Auto or RFR had fired, the SFRCS SG High level actuation would not have occurred. As discussed previously, the conditions leading to the ICS anomalies were found to have been in existence since the refueling outage in 2014 (i.e., greater than one year, which results in the incremental conditional core damage probability (ICCDP) for this period of 1.87E-06).
Investigation has shown that any Reactor/Turbine trip from 100 percent power while these conditions existed would have resulted in an SFRCS Isolation trip on high level that would effectively cause a loss of Main Feedwater.
When performance of a bounding quantitative evaluation was performed, using best available information to determine the significance of the event, the delta Core Damage Frequency (CDF) was estimated to be 1.87E- 6/yr which is considered to be low to moderate safety significance. Because the delta CDF for this event was determined to be greater than 1E-7/yr, a screening was conducted using the Large Early Release Frequency (LERF) screening criteria to assess whether any of the core damage sequences that were affected by the finding are potential LERF contributors. Evaluations of the external events were estimated to be: (Fire — delta CDF 1.94E-6/yr, low to moderate safety significance and seismic — no risk increase, very low safety significance), and delta LERF was estimated to be: (3.3E-8/yr, very low safety significance).
Reported lessons learned are incorporated into the licensing process and fed back to industry.
Send comments regarding burden estimate to the FOIA, Privacy and Information Collections Branch (T-5 F53), U.S. Nuclear Regulatory Commission, Washington, DC 20555-0001, or by intemet e-mail to Infocollects.Resource@nrc.gov, and to the Desk Officer, Office of Information and Regulatory Affairs, NEOB-10202, (3150-0104), Office of Management and Budget, Washington, DC 20503: If a means used to impose an information collection does not display a currently valid OMB control number, the NRC may not conduct or sponsor, and a person is not required to respond to, the information collection.
The automatic actuation of the RPS while the reactor is critical is reportable within four hours of occurrence per 10 CFR 50.72(b)(2)(iv)(B). The actuation of the Auxiliary Feedwater System by the Steam Feedwater Rupture Control System (SFRCS) on a valid high Steam Generator level is reportable within eight hours of the event in accordance with 10 CFR 50.72(b)(3)(iv)(A). On January 29, 2016, at 1643 hours0.019 days <br />0.456 hours <br />0.00272 weeks <br />6.251615e-4 months <br /> both of these events were reported to the NRC Operations Center (Event Number 51696).
These issues are being reported in accordance with 10 CFR 50.73(a)(2)(iv)(A), which requires reporting of any event or condition that resulted in manual or automatic actuation of the RPS, including a reactor scram or reactor trip, as well as automatic actuation of the Auxiliary Feedwater System. All safety systems performed as required to the event, and no loss of safety function occurred.
CORRECTIVE ACTIONS:
The following corrective actions have been or will be taken in response to the reactor trip:
The failed fuse Y414 as well as the associated power supply were replaced on January 30, 2016, to support plant restart.
TERC3B2 will be repaired in the next refueling outage, scheduled to commence March 26, 2016, to restore RPS Channel 1 to operable status.
A set of A25X series fuses will be replaced with KAB fuses during the upcoming refueling outage, and the removed A25X series fuses will be sent to a laboratory for analysis to determine if the cause of the fuse failures can be verified.
The existing stock of A25X series fuses rated at 30 amperes or less have been discarded, and as an interim measure only KAB or A30QS Series fuses will be utilized for replacements going forward. For A25X series fuses rated at 40 amperes or greater, no actions are recommended because these higher rated fuses are a different style than the lower amperage fuses, do not supply power to essential cabinets, and have not experienced spurious failures. An Engineering Change Package will be developed to replace the A25X series of fuses.
The following corrective actions have beers or will be taken in response to the failure of the ICS to properly respond to the reactor trip:
The ICS Module improperly wired for the RFR Defeat Switch Module was replaced with a module that was bench checked to verify it performed. its intended function prior to plant restart. The removed module was tagged to ensure it would not be used. A data package was also created for this module which provided guidance for proper bench checking the module.
The design of the Megawatt-generated output signal and feedback signal delta alarm logic will be reviewed to prevent the Steam Generator/Reactor Demand Station from going to Hand inadvertently, and the circuitry will be modified accordingly. In the interim, Operators have a contingency action to place SG/RX Demand back in Auto if the anomaly reoccurs.
Reported lessons learned are incorporated into the licensing process and fed back to industry.
Send comments regarding burden estimate to the FOIA, Privacy and Information Collections Branch (T-5 F53), U.S. Nuclear Regulatory Commission, Washington, DC 20555-0001, or by intemet e-mail to Infocollects.Resource@nrc.gov, and to the Desk Officer, Office of Information and Regulatory Affairs, NEOB-10202, (3150-0104), Office of Management and Budget, Washington, DC 20503. If a means used to impose an information collection does not display a currently valid OMB control number, the NRC may not conduct or sponsor, and a person is not required to respond to, the information collection.
Procedure NOP-SS-1001, Administrative Program for Computer Related Activities, will be revised to incorporate current industry standards for controlling software life cycle changes that interface with plant systems.
PREVIOUS SIMILAR EVENTS:
Licensee Event Report (LER) 2013-001 reported the automatic trip of Reactor Coolant Pump (RCP) Motor 1-2 due an electrical differential current fault that resulted in a RPS actuation and reactor trip. LER 2015- 002 documents the manual actuation of RPS to manually trip the reactor, and a manual initiation of SFRCS in response to a steam leak in the turbine building. There have been no similar LERs at the DBNPS involving an automatic actuation of the RPS, or automatic actuation of the SFRCS due to high steam generator level in the past three years.