05000529/LER-2005-004

From kanterella
Jump to navigation Jump to search
LER-2005-004, Technical Specification Required Shutdown Due to Core Protection Calculators Inoperable
Palo Verde Nuclear Generating Station
Event date: 08-22-2005
Report date: 07-01-2006
Reporting criterion: 10 CFR 50.73(a)(2)(i)(A), Completion of TS Shutdown
10 CFR 50.73(a)(2)(i)(B), Prohibited by Technical Specifications
10 CFR 50.73(a)(2)(v), Loss of Safety Function
Initial Reporting
ENS 41939 10 CFR 50.72(b)(2)(i), Tech Spec Required Shutdown
5292005004R01 - NRC Website
v  d  e

Note: all times in this report are approximate and Mountain Standard Time unless otherwise indicated.

1. REPORTING REQUIREMENT(S):

This LER (50-529/2005-004-00) is being submitted pursuant to 10 CFR 50.73(a)(2)(i)(A), to report the completion of a reactor shutdown required by Technical Specifications. Specifically, on August 22, 2005 at 1750 hours0.0203 days <br />0.486 hours <br />0.00289 weeks <br />6.65875e-4 months <br /> Control Room personnel completed a reactor shutdown (entered Mode 3, Hot Shutdown) to comply with Limiting Condition for Operation (LCO) 3.0.3 as a result of all four channels of the Core Protection Calculators (CPC) being declared inoperable at 1326 hours0.0153 days <br />0.368 hours <br />0.00219 weeks <br />5.04543e-4 months <br />.

In addition, the event is being reported pursuant to 10 CFR 50.73(a)(2)(i)(B), to report a condition which was prohibited by technical specification LCO 3.3.1.

2. DESCRIPTION OF STRUCTURE(S), SYSTEM(S) AND COMPONENT(S):

The CPCs consist of four separate, redundant channels. Each channel is a computer system that continuously calculates thermal conditions and thermal limits. The CPC system is an integral part of the plant protective system (EIIS:JC) in that it provides two trips to the reactor protection system (RPS) (EIIS:JC); Departure from Nucleate Boiling Ratio (DNBR) and Local Power Density (LPD). Trip signals are provided to the RPS whenever the minimum departure from nucleate boiling ratio (DNBR) or fuel design limit Local Power Density is approached during reactor operation.

The four channels of CPCs are located inside the auxiliary protective cabinet where the channels are physically separated and isolated from each other. Each CPC channel provides contact outputs to its respective RPS channel. The following analog input sensors are processed in each CPC channel:

  • 2 Cold Leg Temperatures
  • 2 Hot Leg Temperatures
  • 1 Pressurizer Pressure
  • 3 Ex-core Neutron Flux Detectors In the event of a failure of one of the input sensors a trip signal for the applicable CPC channel should be generated.

Each input parameter is read by two separate analog input modules in a channel. One of the two redundant analog input modules is normally selected. In the event the normally selected module indicates a failure, the software will select the alternative module. In the event of a failure of both modules at the same time a trip signal for that channel should be generated.

Detectable CPC channel failures, resulting in a loss of protective function and channel inoperability, are required to generate CPC Fail indication and associated Low DNBR and High LPD channel trips. Input failures resulting in a sensor out of range affecting one or more CPC process inputs will result in a CPC Sensor Failure indication. In addition, since the CPC software limits the sensor value to the lower or upper range limit value, a CPC channel trip would be generated in most cases due to these extreme values.

3.� INITIAL PLANT CONDITIONS:

On August 22, 2005 at 1326 hours0.0153 days <br />0.368 hours <br />0.00219 weeks <br />5.04543e-4 months <br /> Unit 2 was operating in Mode 1, Power Operation, at approximately 100 per cent power when control room personnel declared all four channels of the CPCs inoperable.

No other major structures, systems, or components were inoperable that contributed to the event.

4.� EVENT DESCRIPTION:

On May 18, 2005 Westinghouse personnel identified a potential problem with the installed version of the CPC software for Unit 2. It was discovered that the installed version (release 6.1) of the Unit 2 CPC software was not consistent with the system requirements regarding the system response to analog input module errors. When both analog input modules within a CPC channel indicate an error simultaneously the CPC uses the last known good value. However, the system requirements state that a channel CPCs in May 2005 and resulted in the CPCs not being able to generate this trip signal.

On August 8, 2005 Westinghouse personnel completed an apparent cause analysis for the issue and concluded the issue was a nuclear safety concern.

At 0900 hours0.0104 days <br />0.25 hours <br />0.00149 weeks <br />3.4245e-4 months <br /> on August 22, 2005, during a weekly phone call, a Westinghouse engineer informed the Palo Verde Operations Computer System (OCS) section leader of the issue with the CPC software. The OCS section leader discussed the issue with the OCS department leader, an OCS engineer, OCS planner and a nuclear fuel analysis engineer and then performed a test in the shop that confirmed the problem. The OCS section leader informed the Unit 2 shift manager (SM) at 1300 on August 22, 2005 of the 'issue.

The SM made the decision to enter Technical Specification LCO 3.0.3 at 1326 due to the installed CPC software not supporting Technical Specification Bases 3.3.1 which states:

"Those detectable channel failures resulting in a loss of protective function and channel inoperability will result in a CPC Fail indication and associated Low DNBR and High LPD trips".

Plant shutdown commenced at 1605 on August 22, 2005 (reference ENS 41939) and LCO 3.0.3 was exited at 1750 when the unit entered Mode 3, Hot Standby.

5. ASSESSMENT OF SAFETY CONSEQUENCES:

Palo Verde Unit 2 CPCs provide the reactor trip functions for Low DNBR and High LPD.

The CPC system is a four channel system that uses a two out of four logic for reactor trip signal generation. Since a sensor failure most likely will occur as a result of a localized failure in one of four channels the CPC safety function will continue to be provided by the other three safety channels. Likewise, a failure of both analog input modules in more than one channel at the same time is not likely to occur. It should be noted that sensor failures involved in the identified condition would have to occur within approximately 50 milliseconds.

Both a sensor failure and an analog input module failure actuate contact output signals in the affected channel to the CPC Operator's Module Alarm and the plant annuciator alarm in the main control room which would alert the control room operators to the condition.

Plant Technical Specification LCO 3.3.1 requires that a failed channel be placed in bypass or trip within one hour. Alarm response procedure 42AL-2RK5A directs compliance with LCO 3.3.1 for a CPC sensor failure (alarm window 5A13B).

The event did not result in any challenges to the fission product barriers or result in the release of radioactive materials. Therefore, there were no adverse safety consequences or implications as a result of this event and the event did not adversely affect the safe operation of the plant or health and safety of the public.

The event did not result in a transient more severe than those analyzed in the updated Final Safety Evaluation Report Chapters 6 and 15. The event did not have any nuclear safety consequences or personnel safety impact.

The condition would not have prevented the fulfillment of any safety function and did not result in a safety system functional failure as defined by 10 CFR 50.73(a)(2)(v).

6. CAUSE OF THE EVENT:

The direct cause of the Unit 2 CPC software issue was a 2002 revision of the software requirements specification led to an inconsistency with the system requirements specification.

The root cause of the software requirements specification not being consistent with the system requirements specification was determined to be that no formal communication plan existed with the internal Westinghouse "downstream" users of reactor trip function.

The Westinghouse Reactor Protection and Monitoring Systems group did not communicate with the Transient Analysis and Setpoint group to discuss the trip functions when setting the software for the trip function during CPC system development.

7. CORRECTIVE ACTIONS:

On August 25, 2005 activities were completed to install CPC software version 6.3 in all four channels of Unit 2 CPCs.

Corrective actions to prevent recurrence are internal to Westinghouse and documented in a Vendor Corrective Action Report.

8. ADDITIONAL INFORMATION

The CPCs in Unit 2 were upgraded in November 2003. Unit 1 CPC upgrade was completed during 1R12 (October-December 2005) with the correct software installed.

Unit 3 is scheduled to receive the upgraded CPC system in a future refueling outage.

Changes will be made to the Unit 3 upgraded CPCs, prior to their use, to correct the problem.

9. PREVIOUS SIMILAR EVENTS:

In the past three years, Palo Verde reported reactor shutdowns required by Technical Specifications but none associated with the same root cause.

Retrieved from "https://kanterella.com/w/index.php?title=05000529/LER-2005-004&oldid=201540"