Information Notice No. 99-21: Recent Plant Events Caused by Human Performance Errors
NUCLEAR REGULATORY COMMISSION
OFFICE OF NUCLEAR REACTOR REGULATION
WASHINGTON, D.C. 20555-0001
June 25, 1999
|NRC INFORMATION NOTICE 99-21:||RECENT PLANT EVENTS CAUSED BY HUMAN PERFORMANCE ERRORS|
- Description of Circumstances
All holders of licenses for nuclear power, test, and research reactors.
The U.S. Nuclear Regulatory Commission (NRC) is issuing this information notice to alert addressees to a recently apparent increase in human performance weaknesses that have resulted in plant transients. It is expected that recipients will review the information for applicability to their facilities and consider actions, as appropriate, to prevent a similar occurrence. However, suggestions contained in this information notice are not NRC requirements; therefore, no specific action or written response to this notice is required.
At 1:38 a.m. on February 28, 1999, the Salem Unit 1 reactor automatically shut down because of a low bearing oil pressure turbine trip. The unit was operating at 60-percent power before the shutdown and was being maintained at this power to allow troubleshooting to be performed on a main feedwater pump. Preparations were also being made to allow maintenance to repair a leaking main turbine lube oil cooler. One of the two oil coolers had developed a leak on the previous shift, and the operators were adjusting the position of a cooler isolation valve in an attempt to more tightly close the valve.
While adjusting the isolation valve, the operators inadvertently positioned the valve off its closed seat, allowing oil from the in-service cooler to enter the partially drained out-of-service cooler. This diverted flow caused a momentary drop in the turbine bearing oil pressure and resulted in the automatic main turbine trip and subsequent reactor trip.
The cause of the transient has been attributed to misoperation of the cooler isolation valve. The valve used to swap the main turbine lube oil coolers is a Schutte & Koerting six-way isolation valve. This type of valve is only used for the main turbine lube oil coolers at Salem Units 1 and 2, and the valve is operated very infrequently. The operators did not know that their attempts to more tightly close the valve would result in moving the valve off its closed seat.
The operators responded to the automatic shutdown as directed by the plant's emergency operating procedures and the unit was stabilized in a shutdown condition.
At 5:06 p.m. on February 25, 1999, the Unit 1 annunciator alarmed in the control room for "Spent Fuel Pool Level/Temperature." Operators verified the alarm by checking the plant computer, which indicated an elevated temperature of 125 degrees F in the spent fuel pool. The shift foreman dispatched a nuclear operator to the spent fuel pool area. The nuclear operator noted that the local spent fuel pool temperature gauge indicated 126 degrees F. The nuclear operator subsequently found that spent fuel pool pump 1-2 was not operating as expected and restarted the pump at the direction of the shift foreman.
The licensee's investigation into the event revealed that operator logs prepared earlier on February 25, 1999, had verified that the spent fuel pool pump 1-2 was operating as required and that spent fuel pool temperature was 100 degrees F. Further investigation revealed that during the day, relay CIAX-H was replaced. This relay was associated with the containment Phase A isolation signal. The control circuit associated with the CIAX relay trips the spent fuel pool cooling pumps during an accident scenario to prevent overloading of the emergency diesel generators. The relay had been replaced at approximately 1 p.m., and as a result, spent fuel pool cooling had been lost for approximately 4 hours before the high level/temperature alarm was received in the control room. Licensee engineers determined that the spent fuel pool heatup rate was approximately 8 degrees F per hour and would have resulted in spent fuel pool boiling after approximately 16 hours.
A review of the work order associated with the relay replacement revealed that the clearance associated with the procedure did not contain any precautions or limitations to notify the operators of the trip of the spent fuel pool cooling pump as a result of removal of the relay.
The pre-job briefing apparently did not identify the condition, nor were the operators or electricians who performed the relay replacement aware of the resultant condition of the spent fuel pool cooling pumps.
A second factor that appears to have contributed to the duration of the event was a lack of controls or indications in the control room of the status of the spent fuel pool cooling pumps, the temperature of the spent fuel pool, or the level of the spent fuel pool, other than the aforementioned level/temperature alarm. These indications and controls were available locally in the spent fuel pool area but, as directed by plant procedures, were required to be reviewed and logged only once every 12 hours during operator rounds.
At 2:07 a.m. on March 2, 1999, operators manually shut down the Unit 2 reactor from 100-percent power because of an observed low water level in the #3 steam generator and a concurrent alarm of the "Steam Flow/Feed Flow Mismatch" annunciator. The cause of the level decrease was due to the unexpected closing of the Unit 2 loop 3 main feedwater isolation valve. The loop 3 main feedwater isolation valve closed because plant equipment operators mistakenly pulled the control power fuses to the Unit 2 isolation valve while hanging an outage clearance tag on the Unit 1 isolation valve.
Following the event, the licensee initiated a root cause analysis to determine the causes of the operator performance errors and determined that multiple factors contributed to the event, such as failure to implement self-checking using the dual concurrent verification (i.e., both operators were present, performed the function, and verified the correctness of the actions); lack of verbal feedback between the operators regarding the complete component identification tag number, including unit designation; and work schedule factors (one of the operators was working his sixth 12-hour shift of nine scheduled consecutive twelve hour shifts).
At 9:59 a.m. on February 1, 1999, a loss of shutdown cooling occurred at San Onofre Unit 2. The unit was in mode 6 and refueling was in progress. Before the event occurred, the Train A 4.16-kV vital bus 2A04 was being fed from the offsite transmission system by the unit auxiliary transformer. Train A bus 2A04 was the protected supply to the operating shutdown cooling pump and to the containment spray pump which was providing spent fuel pool cooling.
At the time of the event, the licensee was implementing a clearance order to facilitate maintenance on the reserve auxiliary transformer, which was an alternate power supply for the Train A 4.1-kV bus 2A04. The clearance called for racking out the already opened Train A 4.16-kV breaker to the reserve auxiliary transformer. In preparation for the activities, the reserve auxiliary transformer was disconnected from the switchyard and all three grounding disconnect switches on the primary side of the transformer (220-kV side) were closed. Subsequently, while attempting to rack out the breaker, electricians performing the work noted that the breaker was stuck and would not disengage.
Licensee personnel involved with the evolution discussed the matter and incorrectly concluded that discharging the closing springs would prevent the breaker from inadvertently closing, while attempting to again rack out the breaker. The operators and electricians involved in the effort believed that pushing a lever that discharges the closing springs would not cause the breaker to close. They based this belief on previous experience with using this button while the breaker was in the racked-out position and not having the breaker close as a result. However, when the electricians performed the action on the racked-in breaker, the breaker did close. This resulted in the grounded high side of the reserve auxiliary transformer becoming a near-infinite load on the low side, which was being supplied by Bus 2A04 through the now closed breaker. This created an undervoltage condition on Bus 2A04. All of the supply breakers for the affected bus tripped open, except for the breaker to the reserve transformer which was in an off normal configuration due to the actions of the electricians.
The standby emergency diesel generator automatically started but did not close onto the affected bus because of a protective relay lockout that prevented more than one feed to the bus at any one time. The standby emergency diesel generator was not designed to be capable of maintaining bus voltage under these circumstances. As a result, the affected bus deenergized, thereby causing a loss of the shutdown cooling and spent fuel pool cooling functions for approximately 26 minutes.
Following the event, the licensee initiated an investigation and determined that the procedure directing the grounding of the high side of the reserve auxiliary breaker before racking out the 4.16-kV breakers was inadequate in that the order of the activities should have been reversed.
Additionally, it was determined that although the plant personnel and management involved recognized the potential for serious consequences if the breaker inadvertently closed, their planning and control of the evolution did not adequately reflect the increase in risk associated with these activities.
The NRC has noticed an apparent increase in human performance related events that have resulted in plant transients. The four examples described above represent a sample of those recent events in which human performance played a key role, and each highlights the notable challenges that human performance weaknesses may present to plant operation. The importance of human error in determining risk from nuclear power plants is well known and is discussed in NUREG/CR-5319, "Risk Sensitivity to Human Error", April 1989. NUREG/CR-5527, "Risk Sensitivity to Human Error in the LaSalle PRA", March 1990, presents detailed risk sensitivity studies involving human performance that had previously shown notable sensitivity of risk to changes in human error probabilities. In light of these findings, there appears to be a large risk incentive to ensuring that human performance does not degrade below the performance level assumed in the plant-specific probabilistic risk assessments and remains consistent with licensee management expectations.
This information notice requires no specific action or written response. However, recipients are reminded that they are required by 10 CFR 50.65 to take industry-wide operating experience (including information presented in NRC information notices) into consideration, when practical, when setting goals and performing periodic evaluations. If you have any questions about the information in this notice, please contact one of the technical contacts listed below or the appropriate Office of Nuclear Reactor Regulation (NRR) project manager.
|/s/'d by J..E. Lyons
Ledyard B. Marsh, Chief
Events Assessment, Generic Communications and Non-Power Reactors Branch
Division of Regulatory Improvement Programs
Office of Nuclear Reactor Regulation
|Technical contacts:||Greg S. Galletti, NRR
Nick Fields, NRR
|Attachments:||u>List of Recently Issued NRC Information Notices|
(NUDOCS Accession Number 9906280086)