05000528/LER-2007-007

Note: All times listed in this event report are approximate and Mountain Standard Time (MST) unless otherwise indicated.

1. REPORTING REQUIREMENT(S):

This LER (50-528/2007-007-00) is being submitted pursuant to 10CFR 50.73(a)(2)(iv)(A) and 10CFR 50.73(a)(2)(i)(A), to report both an event that resulted in the automatic actuation of an Engineered Safety Feature (ESF) (EIIS Code: JE), and the subsequent completion of a shutdown required by Technical Specification (TS) Limiting Condition for Operation (LCO) 3.8.1, Condition H. Specifically, on November 22, 2007, at approximately 19:18 hours Palo Verde Nuclear Generating Station (PVNGS) Unit 1 Train "A" Balance Of Plant (BOP) Engineered Safety Feature Actuation System (ESFAS) load sequencer experienced a spurious signal resulting in the actuation of the essential spray pond (ElIS Code: BS) pump. Due to the spurious signal, the Train "A" load sequencer was declared inoperable at 19:30 hours, and the station entered TS LCO 3.8.1, Condition F which requires restoration of the Train "A" load sequencer to operability within 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />. Because the inoperable Train "A" load_ sequencer was not restored to operable status within 24'hours, at 19:30 hours on November 23, 2007, TS LCO 3.8.1, Condition H was entered, which requires the station be in Mode 3 (Hot Standby) within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and Mode 5 (Cold Shutdown) within 36 hours4.166667e-4 days <br />0.01 hours <br />5.952381e-5 weeks <br />1.3698e-5 months <br />. The resident inspector was notified of the shutdown, and at 23:13 hours an Event Notification System (ENS) call was made to report the event (ENS #43804). The reactor shutdown was completed at 00:21 hours on November 24, 2007, when Mode 3 was entered, and Mode 5 was entered at 02:47 hours on November 25, 2007.

2. DESCRIPTION OF STRUCTURE(S), SYSTEM(S) AND COMPONENT(S):

System Description:

The Balance of Plant (BOP) Engineered Safety Features Actuation System (ESFAS) provides initiating signals to various plant components which require automatic actuation when an ESFAS signal is generated. If preferred power is available to the Class lE bus following an ESFAS signal, the required Class 1E loads will be started through a load sequencer. However, in the event that preferred power is lost, the BOP ESFAS functions to shed Class 1 E loads. Once the standby power source is providing power to the Class 1E bus, the load sequencer then functions to start the required Class lE loads in programmed time increments.

The following actuation signals are generated by the BOP ESFAS when monitored parameters reach levels that require protective action:

Fuel building essential ventilation actuation signal (FBEVAS) Containment purge isolation actuation signal (CPIAS) Control room essential filtration actuation signal (CREFAS) Control room ventilation isolation actuation signal (CRVIAS) The BOP ESFAS system hardware and software also provides load sequencing and logic for the diesel generator start signal, loss of power, and load shed functions.

Component Description:

The diode involved was a 1N4005 rectifier diode having a forward current rating of one amp and a peak inverse voltage rating of 600 V. Since the diode was reverse-biased in the circuit, it should not have been conducting any current at the time the failure occurred.

3. INITIAL PLANT CONDITIONS:

Palo Verde Unit 1 was in Operating Mode 1 (Power Operations), at approximately 100 percent power at the time of this event. No additional equipment or components were inoperable at the time of the event that contributed to this condition.

4. EVENT. DESCRIPTION:

On November 22, 2007, at approximately 19:18 hours, the "BOP ESFAS A IN TEST" alarm (EIIS Code: IB) was received in the Unit 1 Control room. Shortly after this unexpected alarm, other unexpected alarms were received.

After receipt of the alarms, Operation's personnel observed a charred smell in the vicinity of the Train "A" BOP ESFAS panel and that there were several unexpected Train "A" load sequencer indicator lights illuminated. These were the "DG RUN", the "ESP", the "DG BKR", and the "DG ESS EXAFU" lights. The "DG RUN" light indicated that the Train "A" Diesel Generator (ENS Code: EK) was running. The "ESP" light indicated that the Train "A" Essential Spray Pond Pump was given a start signal. The "DG BKR" light indicated that the Train "A" Diesel Generator breaker was closed. The "DG ESS EXAFU" light indicated that the Train "A" Diesel Generator Essential Exhaust Fan was given a start signal. In reality the Train "A" Diesel Generator was not running, the Train "A" Diesel Generator breaker was not closed, and the Train "A" Diesel Generator Essential Exhaust Fan (EIIS Code: VJ) was not running. However, the Train "A" Essential Spray Pond Pump was running. No other equipment was noted to have been affected by the spurious signal.

The Train "A" load sequencer was declared inoperable at 19:30 hours on November 22, 2007, and troubleshooting to identify the cause of the failure commenced. Unit 1 was shut down in accordance with TS LCO 3.8.1, Condition H when troubleshooting and corrective maintenance were not completed in time to restore the Train "A" to operability within the 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> permitted by TS LCO 3.8.1, Condition F.

Subsequent investigation determined that the "A" Diesel Generator Essential Exhaust Fan was not running due to the actuation of the anti-pump circuit which was per design.

5. ASSESSMENT OF SAFETY CONSEQUENCES:

There was no actual impactto the health and safety of the public that occurred during the time period when the Train "A" load sequencer was inoperable. The failure was self-revealing through the annunciators, and there were no indications of a failure prior to the annunciators. There were no activities in progress that could be expected to cause a change in load sequencer status or result in a failure. Additionally, no failures had been indicated by the weekly auto testing that is performed on BOP ESFAS or during routine monitoring performed each shift by Operations personnel.

The event did not result in any challenges to the fission product barriers or result in the release of radioactive materials. Therefore, there were no adverse safety consequences or implications as a result of this event and the event did not adversely affect the safe operation of the plant or health and safety of the public.

The event did not result in a transient more severe than those analyzed in the updated Final Safety Evaluation Report Chapters 6 and 15. The event did not have any nuclear safety consequences or personnel safety impact.

During the period of inoperability of the Train "A" load sequencer, the Train "B" load sequencer remained operable. Additionally, manual actuation of the required systems can be performed by control room operators as directed by procedure. Therefore this condition would not have prevented the fulfillment of any safety function and did not result in a safety system functional failure as defined by 10 CFR 50.73(a)(2)(v).

6. CAUSE OF THE EVENT:

The direct cause of the Train "A" load sequencer spurious actuation was the failure of a relay coil voltage suppression 1N4005 rectifier diode installed across the coil of the "Auto Test On" annunciator relay. This annunciator relay is driven by the load sequencer module and is mounted inside the BOP ESFAS cabinet but outside the load sequencer module. The shorted diode allowed excessive current to be drawn through a driver pin of load sequencer integrated circuit (U42) which caused it to fail. U42 is a Sprague ULN2003A Seven Segment Darlington Transistor Array Driver. The excessive current caused several of the seven driver segments of U42 to short out resulting in the observed load sequencer indications and actuations.

This is the first occurrence of a shorting failure of a relay coil suppression diode in any of the BOP-ESFAS load sequencers at PVNGS. There are no recommendations in industry standards for performance of periodic testing and/or replacement of coil suppression diodes. The diodes are reverse biased and do not conduct any current except during the field collapse of a DC relay as it de-energizes. The electrical characteristics for the 1N4005 diode are more than sufficient for serving as a transient suppression network across the coil of the 28 VDC A231-K7 annunciator relay.

A root cause investigation into this event is in progress, and if any additional causal factors are identified which would significantly alter the reader's understanding of this event, a supplement to this LER will be submitted.

7. CORRECTIVE ACTIONS:

Troubleshooting was performed and the failed diode was identified. The relay module containing the failed diode was removed. This module contains seven relay assemblies. The failed diode was replaced and the remaining six coil suppression diodes in the other six relay assemblies were tested and found to be satisfactory.

Following corrective maintenance and successful retest of the Train "A" load sequencer, the affected equipment was declared operable at 16:20 hours on November 25, 2007.

If any additional corrective actions are identified which would significantly alter the reader's understanding of this event, a supplement to this LER will be submitted.

8. PREVIOUS SIMILAR EVENTS:

generators, and the subsequent Technical Specification required unit shutdown. As the cause of that event was distinctly different than the cause of this event, corrective actions associated with that event would not have prevented this event.