Information Notice No. 96-56: Problems Associated with Testing, Tuning, or Resetting of Digital Control Systems While at Power

                                                 UNITED STATES
                                         NUCLEAR REGULATORY COMMISSION
                                     OFFICE OF NUCLEAR REACTOR REGULATION
                                         WASHINGTON, D.C.  20555-0001

                                               October 22, 1996


NRC INFORMATION NOTICE 96-56:  PROBLEMS ASSOCIATED WITH TESTING, TUNING,
                               OR RESETTING OF DIGITAL CONTROL SYSTEMS
                               WHILE AT POWER

Addressees 

All holders of operating licenses or construction permits for nuclear power reactors.

Purpose

The U.S. Nuclear Regulatory Commission (NRC) is issuing this information notice to alert
addressees to recent reactor transient events, reactor trips, and engineered safety feature
actuations caused by testing, tuning, or resetting of digital control systems while at
power.  It is expected that recipients will review the information for applicability to their
facilities and consider actions, as appropriate, to avoid similar problems.  However,
suggestions contained in this information notice are not NRC requirements; therefore, no
specific action or written response is required. 

Description of Circumstances

Washington Nuclear Project 2 (WNP-2)

On July 20, 1996, the WNP-2 facility experienced a rapid change in power of 15 percent
in a 40-second timeframe.  Specifically, power dropped from 68 to 53 percent and
returned to 68 percent.  The licensee determined that the power transient resulted from
testing of the recently installed digital adjustable speed drive modification to the reactor
recirculation pumps.  The adjustable speed drive provides the capability to change the
speed of the reactor recirculation pump motors and eliminates the need for recirculation
flow control valves.                                       

Before the event, the licensee was preparing to increase reactor recirculation flow from 51
to 53 percent.  As part of the preparation, a nonlicensed General Electric (GE) test
engineer typed computer instructions that would return the reactor recirculation flow to 51
percent if electrical harmonics were experienced in the adjustable speed drive system
during the reactor recirculation flow increase.  Once these instructions were typed, a
licensed reactor operator would verify the entry and would then only have to strike the "ENTER" key on
the computer keyboard to execute the instruction.  It was intended that the licensed
operator would only hit the ENTER key and execute the instruction if the system started to
experience electrical harmonics as reactor recirculation flow was increased.  If there were
no electrical harmonics, the instruction would not be executed.  In this instance, the GE
engineer typed an incorrect value (transposed numbers) and then mistakenly executed the
instruction by striking the
ENTER key.  These actions caused reactor recirculation flow and reactor power to drop. 
Immediately after entering the data, the GE engineer recognized the error and corrected the
instruction, thereby increasing reactor power.  This event is discussed in NRC Inspection
Report 50-397/96-16 dated September 12, 1996 (Accession No. 9609190275).

Dresden Unit 2

On May 31, 1996, while at approximately 45-percent power, Dresden Unit 2 experienced
a loss of reactor feedwater control and a subsequent decrease in reactor vessel water level
while performing an on-line configuration change to the recently installed Bailey Network
90 digital feedwater control system.  Operators initiated a manual reactor scram as a result
of the decrease in the reactor vessel water level.  

Before the event, the licensee was performing startup testing of the Bailey Network 90
feedwater control system modification.  During the startup testing, the test team
determined that a minor software logic change was required to correct a problem
associated with automatic transition from the 2B feedwater regulating valve to the 2A
valve.  An original equipment manufacturer representative indicated that the proposed
software logic change could be completed with the control system on-line.  The
manufacturer representative indicated that the system would check the logic before going
into the control mode and, as a result, there would be no impact on plant operation.  The
test team reviewed and approved the on-line logic change; however, the approval process
was not documented per station procedure. 

The new software logic configuration was inserted on the backup control module. 
Automatic diagnostic checks indicated a successful load into the control module.  Upon
placing the backup control module in the execute mode, the 2B feedwater regulating valve
began to close, resulting in a sudden drop in feedwater flow and reactor vessel water
level.  

During a subsequent design review of the Bailey Network 90 feedwater control system, a
logic execution sequence error was found in the original logic design of the Bailey 
Network 90 firmware.  This error caused the 2B feedwater regulating valve to close when
the backup control module attempted to take over process control from the primary
module.  It was determined that the execution sequence error would have resulted in the
same process control failure any time the backup control module attempted to take control
from the primary control module with the control system in the automatic mode.  This
event is discussed in NRC Inspection Report 50-237/96-06 dated August 22, 1996
(Accession No. 9609030142).

Browns Ferry Unit 2

On May 10, 1996, Browns Ferry Unit 2 experienced an automatic reactor scram on low
reactor water level from full power.  The low water level resulted from an unexpected
runback of two of the three reactor feedwater pumps, which occurred while software
parameter changes were being made in the recently installed digital feedwater control
system.  Specifically, the flow biasing of the feedwater pumps was being adjusted and the
control system speed demand limit was being increased while at power in an effort to fine
tune the system and thereby enhance system performance.  When the software parameter
changes were made active (saved) in the control system, a reinitialization sequence
occurred within the control software block, which drove the feed pump speed demand
signal to zero for a few seconds.  Plant personnel were unaware that entering these new
software parameters would cause the feedwater control system to reinitialize.  

The cause of the event was attributed to inadequate design of the control system
software.  The digital feedwater control system is a Foxboro I/A distributed control
system.  The system software contains 380 software blocks, that is, logic functions
performed by the computer.  A design weakness existed in the installed system in that
making software parameter changes in certain software blocks would cause the control
system to automatically reinitialize to zero output.  During its investigation, the licensee
confirmed that for 5 of the 380 software blocks, a parameter change would result in a
control system reinitialization.  This characteristic of the software design was not known
to the plant personnel.  As part of its corrective actions, the licensee modified the five
affected software blocks to eliminate the reinitialization problem.  This event is discussed
in NRC Inspection Report 50-260/96-05 dated June 19, 1996 (Accession No.
9607030386).

Comanche Peak Unit 2

On May 5, 1996, while in Mode 3, Comanche Peak Unit 2 experienced an auto-start of the
motor-driven auxiliary feedwater pumps while personnel were resetting the central
processing units in the digital main feedwater pump turbine control system.  Before the
event, the vendor representative for the newly installed main feedwater pump control
system requested access to reset the central processing units following completion of
system testing.  The shift manager cautioned the vendor and nonlicensed utility
instrumentation and controls personnel that two of the three processors were required to
be in service to avoid a trip of the main feedwater pumps.  

The instrumentation and controls personnel and the vendor representative planned to reset
the three central processing units one at a time to avoid initiating a trip of the main
feedwater pumps.  The first two processors were rebooted.  However, during the reset of
the third processor, an inadvertent trip signal was generated for both main feedwater
pumps.  This signal caused an auto-start of the motor-driven auxiliary feedwater pumps
(an engineered safety feature actuation).  All four motor-driven auxiliary feedwater flow
control valves shifted to auto and opened.  Both motor-driven auxiliary feedwater pumps
were operating and supplying the required flow to the steam generators before the event.   

The licensee concluded that the personnel performing the rebooting task did not
adequately verify that the second processor was properly restored and functional before
rebooting the third processor.  The main feedwater pump trip signal was generated
because the system sensed that two of the three central processing units were not
functional.
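
The two-of-three constraint in this event can be modeled as a reset sequence that holds until the previously reset processor is verified functional.  The following Python example is added here for illustration and is not code from the notice, the licensee, or the vendor; the processor names, boot times, and polling model are constructed assumptions.

```python
# Added illustration: a constructed model, not plant or vendor code.
from dataclasses import dataclass

QUORUM = 2  # per the notice: two of three processors must be in service


@dataclass
class Processor:
    name: str
    boot_polls: int      # constructed: health polls needed after a reset
    remaining: int = 0   # polls left before the unit is functional again

    @property
    def functional(self):
        return self.remaining == 0


def in_service(cpus):
    return sum(c.functional for c in cpus)


def tick(cpus):
    """One health-poll interval elapses for every processor."""
    for c in cpus:
        c.remaining = max(0, c.remaining - 1)


def rolling_reset(cpus, verify, max_polls=5):
    """Reset processors one at a time; return (tripped, log)."""
    log = []
    for cpu in cpus:
        peers = [c for c in cpus if c is not cpu]
        polls = 0
        while verify and in_service(peers) < QUORUM and polls < max_polls:
            tick(cpus)   # wait for the previous reset to complete
            polls += 1
        if verify and in_service(peers) < QUORUM:
            log.append(f"HOLD before {cpu.name}: peers not verified functional")
            return False, log
        cpu.remaining = cpu.boot_polls
        log.append(f"reset {cpu.name}")
        if in_service(cpus) < QUORUM:
            log.append(f"TRIP: {in_service(cpus)} of {len(cpus)} functional")
            return True, log
        tick(cpus)
    return False, log


def sample_cpus():
    # Constructed data: the second processor is slow to restore.
    return [Processor("CPU-1", 1), Processor("CPU-2", 4), Processor("CPU-3", 1)]
```

With verify=False the third reset drops the model below quorum and trips; with verify=True the sequence either waits for the second processor to recover or holds before touching the third.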

Discussion

In recent years, many licensees have chosen to replace outdated analog control systems
with digital upgrades.  Digital system retrofits are intended to improve system
performance, reliability, flexibility, and operator interface characteristics.
These systems also offer the capability to change software parameters, setpoints, or logic
configurations or to reset processors while at power.  However, as illustrated in the events
previously described, resetting processors in digital control systems or performing on-line
software manipulations as part of digital control system tuning or testing can result in
unforeseen transients, reactor trips, and engineered safety feature actuations.

The events described herein highlight the importance of evaluating proposed changes and
developing and implementing controls for performing any type of on-line manipulation of
digital control systems to avoid reactor transients and plant trips.  When it is deemed
necessary to reset a processor or to perform on-line software changes, it is important to
maintain control of these activities in order to minimize potential errors, and to be aware of
the potential effect on plant operation if errors occur while performing such activities.  

This information notice requires no specific action or written response.  If you have any
questions about the information in this notice, please contact one of the technical contacts
listed below or the appropriate Office of Nuclear Reactor Regulation (NRR) project
manager.


                                                            signed by D.B. Matthews

                                                   Thomas T. Martin, Director
                                                   Division of Reactor Program Management
                                                   Office of Nuclear Reactor Regulation

Technical contacts:   Charles Petrone, NRR
                      (301) 415-1027
                      Email:  cdp@nrc.gov

                      Jerry L. Mauck, NRR
                      (301) 415-3248
                      Email:  jlm2@nrc.gov

                      John K. Ganiere, NRR
                      (301) 415-2921
                      Email:  jkg@nrc.gov

Page Last Reviewed/Updated Thursday, November 21, 2013