Information Notice 1993-11, Single Failure Vulnerability of Engineered Safety Features Actuation Systems

UNITED STATES NUCLEAR REGULATORY COMMISSION
OFFICE OF NUCLEAR REACTOR REGULATION
WASHINGTON, D.C. 20555

February 4, 1993

NRC INFORMATION NOTICE 93-11: SINGLE FAILURE VULNERABILITY OF ENGINEERED SAFETY FEATURES ACTUATION SYSTEMS

Addressees

All holders of operating licenses or construction permits for nuclear power reactors.
Purpose

The U.S. Nuclear Regulatory Commission (NRC) is issuing this notice to alert addressees to potential single failure vulnerabilities in engineered safety features actuation systems. It is expected that recipients will review the information for applicability to their facilities and consider actions, as appropriate, to avoid similar problems. However, suggestions contained in this information notice are not NRC requirements; therefore, no specific action or written response is required.

Description of Circumstances
On July 6, 1992, during a planned outage at the Millstone Nuclear Power Station, Unit 2, with the core offloaded to the spent fuel pool, the licensee, the Northeast Nuclear Utilities Company, was preparing to replace two vital inverters. Millstone Unit 2 uses four inverters, two on each vital dc bus, to power two trains of engineered safety feature actuation comprised of four sensor cabinets and two actuation cabinets.

Operators removed power from one actuation train, which caused a false loss of normal power signal and a false start signal for the emergency core cooling system. The effect of this action was similar in consequence to the complete loss of one of the two vital dc buses. One emergency diesel generator (EDG) started and tied onto the bus. The second EDG did not start because it was out of service for maintenance. After the one EDG started, the safety loads failed to sequence onto the bus because of a continuous false load shed signal. Operators recovered from the event by stopping the EDG and restoring power to one of the sensor cabinets. This action removed the false loss of power signal and thus the load shed signal.

The licensee reviewed the event and concluded that an unblocking feature of the automatic test insertion (ATI) system had caused the continuous load shedding signal. The ATI system, a continuous, on-line logic tester that is common to both trains, was still energized and permitted the spurious loss of power signal to continue to shed the loads. The ATI system applies 2-millisecond unblocking pulses to the input of the actuation logic modules and checks the module outputs for proper operation. The 2-millisecond pulses are too brief to actuate relays and start equipment. In 1978, the licensee added a feature to permit ATI testing of the loss of normal power logic. To test the logic, the licensee determined that the ATI system needed to provide an unblocking of the loss of power signal for 500 milliseconds. In the actual event, the false signal generated by the lack of control power was continuously present during the 500 ms ATI unblocking signal. This caused a recurring load shed signal to be generated even though the EDG was ready to accept loads; therefore, the EDG load breakers never closed.

In reviewing the event, the licensee determined that the engineered safety feature actuation system could also cause other unintended actions under certain power supply failure conditions. These automatic actions are not related to the ATI modification.

(1) If power is lost to either one of the two dc vital buses, both the safety injection actuation signal and the sump recirculation actuation signal would be simultaneously initiated. The recirculation actuation signal would result in tripping all low pressure injection pumps. Also, the spurious sump recirculation actuation signal would cause one of the containment sump outlet valves to open.

(2) If power was lost only to the sensor cabinets in one actuation train, both containment sump outlet valves would open. If this occurred during a loss-of-coolant accident, high pressure in containment could shut both refueling water storage tank check valves, inhibiting flow to all emergency coolant injection pumps.

(3) The loss of all dc power to one actuation train would cause a power operated relief valve in the other train to open. In addition, when control power alone is lost to only the sensor cabinets in a single actuation train, spurious high pressurizer pressure signals would cause the relief valves in both trains to open. Both cases would result in a loss of primary coolant.

Discussion
The design deficiency in the on-line testing feature could have prevented both emergency diesels from accepting emergency loads under certain single failure conditions. The licensee investigated this event at Millstone Unit 2 and found several single failure vulnerabilities related to loss of a vital dc bus which may apply to engineered safety features actuation systems at other plants. Although the described event resulted from an ATI modification, the other vulnerabilities are inherent in the actuation system design and its power supplies.

Millstone Unit 2 uses two-out-of-four logic supplied by Consolidated Controls Incorporated to actuate automatically a number of safety features. In the actuation system, a sensor, and subsequent interposing electronic logic, condition the signal for use by the actuation logic. Upon loss of power, the interposing logic generates a signal to perform the safety function. The problems discussed above result from having a two-out-of-four logic powered by only two safety-related power sources, coupled with a lack of coherence in specifying the preferred failure mode for automated safety-related actions, given a loss of power.

The licensee is preparing modifications to correct these problems and is reviewing the design of Unit 2 for other similar problems.

In NRC Bulletin 79-27, "Loss of Non-Class 1E Instrumentation and Control Power System Bus During Operation," the NRC requested licensees to evaluate the effects of a loss of power to 1E and Non-1E instrument and control systems. In addition, in NRC Generic Letter 89-18, "Systems Interactions in Nuclear Power Plants," the NRC highlighted concerns regarding actuation system designs which may have automated safety-related actions with no preferred failure modes.

This information notice requires no specific action or written response.
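The root cause stated in the Discussion above (two-out-of-four logic fed by only two safety-related power sources, with interposing logic that asserts its signal on loss of power) and the ATI unblocking timing from the Description can both be checked with a small single-failure model. The Python below is an added illustration; it is not part of this notice, not the Consolidated Controls logic, and not Millstone Unit 2's actual wiring. The channel-to-bus mapping, the relay pickup time, the loop that stands in for the ATI test cycle, and the four-bus comparison case are assumptions made for the illustration; only the 2 ms and 500 ms values come from the notice.

```python
"""Single-failure model of a two-out-of-four actuation system fed by two
vital dc buses, plus the ATI unblocking timing described in IN 93-11.

Constructed illustration, not any plant's or vendor's logic. Items marked
ASSUMED are not stated in the notice.
"""

# ASSUMED channel-to-bus mapping: four sensor cabinets, two per vital dc bus.
TWO_BUS_MAP = {"A": "DC1", "B": "DC1", "C": "DC2", "D": "DC2"}
# ASSUMED hypothetical comparison case: one independent bus per cabinet.
FOUR_BUS_MAP = {"A": "DC1", "B": "DC2", "C": "DC3", "D": "DC4"}


def channel_votes(bus_map, lost_buses, real_demand, fail_to_actuate):
    """Return {channel: bool}; True means the channel demands actuation.

    fail_to_actuate=True models interposing logic that generates the
    actuation signal when its power is lost (the behaviour the notice
    describes). False models the opposite choice: a dead channel votes no.
    """
    votes = {}
    for ch, bus in bus_map.items():
        votes[ch] = fail_to_actuate if bus in lost_buses else real_demand
    return votes


def two_of_four(votes):
    """Two-out-of-four coincidence: actuate when at least two channels vote yes."""
    return sum(votes.values()) >= 2


def spurious_single_failures(bus_map, fail_to_actuate=True):
    """Buses whose loss, alone and with no real demand, actuates the function."""
    buses = sorted(set(bus_map.values()))
    return [b for b in buses
            if two_of_four(channel_votes(bus_map, {b}, False, fail_to_actuate))]


def demand_lost_single_failures(bus_map, fail_to_actuate=True):
    """Buses whose loss, alone, prevents actuation when real demand exists."""
    buses = sorted(set(bus_map.values()))
    return [b for b in buses
            if not two_of_four(channel_votes(bus_map, {b}, True, fail_to_actuate))]


# ATI unblocking timing. The 2 ms pulse and the 500 ms unblocking added for
# the loss-of-normal-power (LONP) logic are from the notice; the relay
# pickup time is ASSUMED.
NORMAL_PULSE_MS = 2
LONP_UNBLOCK_MS = 500
RELAY_PICKUP_MS = 20  # ASSUMED minimum time a signal must persist to pick up a relay


def relay_picks_up(signal_present, unblock_ms, pickup_ms=RELAY_PICKUP_MS):
    """An output relay sees the channel signal only while ATI unblocks it.
    A false signal that is continuously present passes for the whole window,
    so the relay picks up whenever the window exceeds its pickup time."""
    return signal_present and unblock_ms >= pickup_ms


def edg_loads_sequenced(false_lonp_present, unblock_ms, test_cycles=10):
    """ASSUMED crude ATI cycle: each cycle re-unblocks the LONP logic. A load
    shed that recurs on every cycle keeps restarting the sequencer, so the
    EDG load breakers never close. Returns True if loads ever sequence."""
    for _ in range(test_cycles):
        if relay_picks_up(false_lonp_present, unblock_ms):
            continue  # load shed recurred this cycle; sequencer restarts
        return True  # a cycle passed with no shed: loads sequence onto the bus
    return False


if __name__ == "__main__":
    print("2 buses, fail-to-actuate, spurious actuation on loss of:",
          spurious_single_failures(TWO_BUS_MAP, True))
    print("2 buses, dead channel votes no, spurious actuation on loss of:",
          spurious_single_failures(TWO_BUS_MAP, False))
    print("2 buses, dead channel votes no, real demand lost on loss of:",
          demand_lost_single_failures(TWO_BUS_MAP, False))
    print("4 buses, fail-to-actuate, spurious actuation on loss of:",
          spurious_single_failures(FOUR_BUS_MAP, True))
    print("2 ms pulse picks up relay:", relay_picks_up(True, NORMAL_PULSE_MS))
    print("500 ms unblock with false LONP present picks up relay:",
          relay_picks_up(True, LONP_UNBLOCK_MS))
    print("EDG loads sequence under 500 ms unblock with false LONP:",
          edg_loads_sequenced(True, LONP_UNBLOCK_MS))
```

Running the model with the two-bus mapping and fail-to-actuate interposing logic reports spurious actuation on loss of either bus, which is the notice's item (1); with the dead-channel-votes-no choice there is no spurious actuation and a real demand is still served by the two remaining channels, which is why the notice stresses that the preferred failure mode of each automated action must be specified coherently rather than left to fall out of the power supply arrangement. The timing functions show that the 2 ms pulse never reaches the relay pickup time while the 500 ms unblocking window does, so a continuously present false signal sheds the loads on every test cycle.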
If you have any questions about the information in this notice, please contact one of the technical contacts listed below or the appropriate Office of Nuclear Reactor Regulation (NRR) project manager.

Brian K. Grimes, Director
Division of Operating Reactor Support
Office of Nuclear Reactor Regulation

Technical contacts:
Ram S. Bhatia, Region I
(215) 337-5262

Thomas Koshy, NRR
(301) 504-1176

Attachment: List of Recently Issued NRC Information Notices
Attachment
IN 93-11
February 4, 1993
Page 1 of 1

LIST OF RECENTLY ISSUED NRC INFORMATION NOTICES

Information Notice No. | Subject | Date of Issuance | Issued to
93-10 | Dose Calibrator Quality Control | 02/02/93 | All Nuclear Regulatory Commission medical licensees.
93-09 | Failure of Undervoltage Trip Attachment on Westinghouse Model DB-50 Reactor Trip Breaker | 02/02/93 | All holders of OLs or CPs for nuclear power reactors.
93-08 | Failure of Residual Heat Removal Pump Bearings due to High Thrust Loading | 02/01/93 | All holders of OLs or CPs for nuclear power reactors.
93-07 | Classification of Transportation Emergencies | 02/01/93 | All licensees required to have an emergency plan.
93-06 | Potential Bypass Leakage Paths Around Filters Installed in Ventilation Systems | 01/22/93 | All holders of OLs or CPs for nuclear power reactors.
93-05 | Locking of Radiography Exposure Devices | 01/14/93 | All Nuclear Regulatory Commission industrial radiography licensees.
93-04 | Investigation and Reporting of Misadministrations by the Radiation Safety Officer | 01/07/93 | All U.S. Nuclear Regulatory Commission medical licensees.
93-03 | Recent Revision to 10 CFR Part 20 and Change of Implementation Date to January 1, 1994 | 01/05/93 | All byproduct, source, and special nuclear material licensees.
93-02 | Malfunction of a Pressurizer Code Safety Valve | 01/04/93 | All holders of OLs or CPs for nuclear power reactors.

OL = Operating License; CP = Construction Permit