Information Notice 1993-11, Single Failure Vulnerability of Engineered Safety Features Actuation Systems

ML031080164
Site: Beaver Valley, Millstone, Hatch, Monticello, Calvert Cliffs, Dresden, Davis Besse, Peach Bottom, Browns Ferry, Salem, Oconee, Mcguire, Nine Mile Point, Palisades, Palo Verde, Perry, Indian Point, Fermi, Kewaunee, Catawba, Harris, Wolf Creek, Saint Lucie, Point Beach, Oyster Creek, Watts Bar, Hope Creek, Grand Gulf, Cooper, Sequoyah, Byron, Pilgrim, Arkansas Nuclear, Braidwood, Susquehanna, Summer, Prairie Island, Columbia, Seabrook, Brunswick, Surry, Limerick, North Anna, Turkey Point, River Bend, Crystal River, Haddam Neck, Ginna, Diablo Canyon, Callaway, Vogtle, Waterford, Duane Arnold, Farley, Robinson, Clinton, South Texas, San Onofre, Cook, Comanche Peak, Yankee Rowe, Maine Yankee, Quad Cities, Humboldt Bay, La Crosse, Big Rock Point, Rancho Seco, Zion, Midland, Bellefonte, Fort Calhoun, FitzPatrick, McGuire, LaSalle, Fort Saint Vrain, Shoreham, Satsop, Trojan, Atlantic Nuclear Power Plant, Crane
Issue date: 02/04/1993
From: Grimes B, Office of Nuclear Reactor Regulation
References: IN-93-011, NUDOCS 9301290025
Download: ML031080164 (12)


UNITED STATES
NUCLEAR REGULATORY COMMISSION
OFFICE OF NUCLEAR REACTOR REGULATION
WASHINGTON, D.C. 20555

February 4, 1993

NRC INFORMATION NOTICE 93-11: SINGLE FAILURE VULNERABILITY OF ENGINEERED SAFETY FEATURES ACTUATION SYSTEMS

Addressees

All holders of operating licenses or construction permits for nuclear power reactors.

Purpose

The U.S. Nuclear Regulatory Commission (NRC) is issuing this notice to alert addressees to potential single failure vulnerabilities in engineered safety features actuation systems. It is expected that recipients will review the information for applicability to their facilities and consider actions, as appropriate, to avoid similar problems. However, suggestions contained in this information notice are not NRC requirements; therefore, no specific action or written response is required.

Description of Circumstances

On July 6, 1992, during a planned outage at the Millstone Nuclear Power Station, Unit 2, with the core off-loaded to the spent fuel pool, the licensee, the Northeast Nuclear Utilities Company, was preparing to replace two vital inverters. Millstone Unit 2 uses four inverters, two on each vital dc bus, to power two trains of engineered safety feature actuation comprised of four sensor cabinets and two actuation cabinets. Operators removed power from one actuation train, which caused a false loss of normal power signal and a false start signal for the emergency core cooling system. The effect of this action was similar in consequence to the complete loss of one of the two vital dc buses.

One emergency diesel generator (EDG) started and tied onto the bus. The second EDG did not start because it was out of service for maintenance. After the one EDG started, the safety loads failed to sequence onto the bus because of a continuous false load shed signal. Operators recovered from the event by stopping the EDG and restoring power to one of the sensor cabinets. This action removed the false loss of power signal and thus the load shed signal.

The licensee reviewed the event and concluded that an unblocking feature of the automatic test insertion (ATI) system had caused the continuous load shedding signal. The ATI system, a continuous, on-line logic tester that is common to both trains, was still energized and permitted the spurious loss of power signal to continue to shed the loads. The ATI system applies 2-millisecond unblocking pulses to the input of the actuation logic modules and checks the module outputs for proper operation. The 2-millisecond pulses are too brief to actuate relays and start equipment. In 1978, the licensee added a feature to permit ATI testing of the loss of normal power logic. To test the logic, the licensee determined that the ATI system needed to provide an unblocking of the loss of power signal for 500 milliseconds. In the actual event, the false signal generated by the lack of control power was continuously present during the 500 ms ATI unblocking signal. This caused a recurring load shed signal to be generated even though the EDG was ready to accept loads; therefore, the EDG load breakers never closed.
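To make the timing interaction concrete, the following is an added illustration, not part of the NRC notice and not a model of the actual Millstone circuitry: a 1 ms-step simulation in which a tester's unblocking window is ANDed with a loss-of-power input that is stuck true because control power is gone. The relay pickup time, the sequencer's required clear time and the tester's repetition period are assumed values chosen only to show the mechanism; a 2 ms pulse never holds the relay long enough to pick up, while a 500 ms window lets the stuck input through on every cycle and keeps the load breakers from ever closing.

```python
"""Added illustration (not the NRC notice's and not the Millstone circuitry): a
1 ms-step model of an on-line tester's unblocking window ANDed with a stuck
loss-of-power input. All constants are assumed values for illustration."""

from dataclasses import dataclass
from typing import Optional

RELAY_PICKUP_MS = 20    # assumed: output must stay true this long for the relay to pick up
SEQ_HOLD_MS = 1000      # assumed: sequencer closes EDG load breakers only after load shed
                        #          has been clear for this long
ATI_PERIOD_MS = 1000    # assumed: the tester repeats its unblocking pulse once per second


@dataclass
class Outcome:
    load_shed_events: int             # number of times the load shed relay picked up
    breaker_closed_at: Optional[int]  # ms at which loads were accepted, None if never


def simulate(unblock_ms: int, false_input_present: bool, duration_ms: int = 10_000) -> Outcome:
    """Module output = loss-of-power input AND tester unblocking window.
    `false_input_present` models the input held true by lost control power."""
    output_true_ms = 0   # consecutive ms the module output has been true
    shed = False
    clear_ms = 0         # consecutive ms with no load shed asserted
    events = 0
    closed_at = None
    for t in range(duration_ms):
        unblocked = (t % ATI_PERIOD_MS) < unblock_ms
        output = false_input_present and unblocked
        output_true_ms = output_true_ms + 1 if output else 0
        picked_up = output_true_ms >= RELAY_PICKUP_MS
        if picked_up and not shed:
            events += 1
        shed = picked_up
        clear_ms = 0 if shed else clear_ms + 1
        if closed_at is None and clear_ms >= SEQ_HOLD_MS:
            closed_at = t
    return Outcome(events, closed_at)


if __name__ == "__main__":
    print("2 ms pulses, stuck input:  ", simulate(2, True))
    print("500 ms window, stuck input:", simulate(500, True))
    print("500 ms window, no fault:   ", simulate(500, False))
```

With the assumed values, the 500 ms window re-asserts load shed once per tester cycle for as long as the stuck input persists, which is the recurring signal the notice describes; the same window with no fault present, and the 2 ms pulses even with the fault present, both let the sequencer complete.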

In reviewing the event, the licensee determined that the engineered safety feature actuation system could also cause other unintended actions under certain power supply failure conditions. These automatic actions are not related to the ATI modification.

(1) If power is lost to either one of the two dc vital buses, both the safety injection actuation signal and the sump recirculation actuation signal would be simultaneously initiated. The recirculation actuation signal would result in tripping all low pressure injection pumps. Also, the spurious sump recirculation actuation signal would cause one of the containment sump outlet valves to open.

(2) If power was lost only to the sensor cabinets in one actuation train, both containment sump outlet valves would open. If this occurred during a loss-of-coolant accident, high pressure in containment could shut both refueling water storage tank check valves, inhibiting flow to all emergency coolant injection pumps.

(3) The loss of all dc power to one actuation train would cause a power operated relief valve in the other train to open. In addition, when control power alone is lost to only the sensor cabinets in a single actuation train, spurious high pressurizer pressure signals would cause the relief valves in both trains to open. Both cases would result in a loss of primary coolant.

Discussion

The design deficiency in the on-line testing feature could have prevented both emergency diesels from accepting emergency loads under certain single failure conditions. The licensee investigated this event at Millstone Unit 2 and found several single failure vulnerabilities related to loss of a vital dc bus which may apply to engineered safety features actuation systems at other plants. Although the described event resulted from an ATI modification, the other vulnerabilities are inherent in the actuation system design and its power supplies.

Millstone Unit 2 uses two-out-of-four logic supplied by Consolidated Controls Incorporated to actuate automatically a number of safety features. In the actuation system, a sensor, and subsequent interposing electronic logic, condition the signal for use by the actuation logic. Upon loss of power, the interposing logic generates a signal to perform the safety function. The problems discussed above result from having a two-out-of-four logic powered by only two safety-related power sources coupled with a lack of coherence in specifying the preferred failure mode for automated safety-related actions, given a loss of power.
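The conclusion above, that the trouble comes from two-out-of-four voting fed by only two power sources together with an unsettled choice of failure state, can be checked mechanically. The block below is an added example, not the licensee's analysis and not any vendor's logic: it enumerates every single bus loss for two assumed channel-to-bus assignments and both candidate failure states, reporting whether the logic would actuate with no real demand (spurious), whether it would still actuate on a real demand (available), and how many healthy channels remain beyond the two the vote needs. It goes beyond the notice by covering all four combinations rather than only the two-bus, fail-to-trip arrangement described; the bus names and layouts are constructed for illustration.

```python
"""Added example (not from the NRC notice, the licensee or Consolidated Controls):
single-failure enumeration of a 2-out-of-4 actuation logic under loss of a
vital dc bus. Channel-to-bus assignments and failure states are assumptions."""

NEED = 2  # two-out-of-four coincidence

# Assumed arrangements: four sensor channels, each fed from one named bus.
TWO_BUS = ["A", "A", "B", "B"]        # two channels per vital bus, as the notice describes
FOUR_SOURCE = ["A", "B", "C", "D"]    # one independent source per channel, for comparison


def vote(states, need=NEED):
    """Coincidence logic: actuate when at least `need` channels assert trip."""
    return sum(states) >= need


def channel_states(channel_bus, lost_bus, demand, fail_to_trip):
    """Trip state of each channel with `lost_bus` de-energised. Healthy channels
    report the real plant condition; de-energised channels report the
    designed failure state (assert trip, or go quiet)."""
    return [fail_to_trip if bus == lost_bus else demand for bus in channel_bus]


def single_failure_analysis(channel_bus, fail_to_trip):
    """For every single bus loss report: spurious actuation with no demand,
    availability on a real demand, and how many channels beyond NEED remain."""
    report = {}
    for lost in sorted(set(channel_bus)):
        healthy = sum(1 for bus in channel_bus if bus != lost)
        report[lost] = {
            "spurious": vote(channel_states(channel_bus, lost, False, fail_to_trip)),
            "available": vote(channel_states(channel_bus, lost, True, fail_to_trip)),
            "margin": healthy - NEED,
        }
    return report


def worst_case(report):
    """Collapse a per-bus report into the questions a design reviewer asks."""
    return {
        "any_spurious": any(r["spurious"] for r in report.values()),
        "always_available": all(r["available"] for r in report.values()),
        "min_margin": min(r["margin"] for r in report.values()),
    }


if __name__ == "__main__":
    for name, layout in (("two buses", TWO_BUS), ("four sources", FOUR_SOURCE)):
        for fail_to_trip in (True, False):
            mode = "fail-to-trip" if fail_to_trip else "fail-as-is"
            summary = worst_case(single_failure_analysis(layout, fail_to_trip))
            print(f"{name:12s} {mode:13s} {summary}")
```

Of the four combinations, only the one the notice describes (two buses, channels that assert trip on loss of power) actuates spuriously on a single bus loss. Choosing fail-as-is on the same two buses removes the spurious actuation but leaves a margin of zero, so both surviving channels must work for a real demand to be answered; spreading the channels over four sources keeps a margin of one either way. That trade-off is why the notice frames the problem as deciding the preferred failure mode for each automated action rather than as a single blanket rule.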

The licensee is preparing modifications to correct these problems and is reviewing the design of Unit 2 for other similar problems.

In NRC Bulletin 79-27, "Loss of Non-Class 1E Instrumentation and Control Power System Bus During Operation," the NRC requested licensees to evaluate the effects of a loss of power to 1E and Non-1E instrument and control systems. In addition, in NRC Generic Letter 89-18, "Systems Interactions in Nuclear Power Plants," the NRC highlighted concerns regarding actuation system designs which may have automated safety-related actions with no preferred failure modes.

This information notice requires no specific action or written response. If you have any questions about the information in this notice, please contact one of the technical contacts listed below or the appropriate Office of Nuclear Reactor Regulation (NRR) project manager.

Brian K. Grimes, Director
Division of Operating Reactor Support
Office of Nuclear Reactor Regulation

Technical contacts: Ram S. Bhatia, Region I, (215) 337-5262
Thomas Koshy, NRR, (301) 504-1176

Attachment: List of Recently Issued NRC Information Notices

Attachment
IN 93-11, February 4, 1993, Page 1 of 1

LIST OF RECENTLY ISSUED NRC INFORMATION NOTICES

Notice No.  Subject  Date of Issuance  Issued to
93-10  Dose Calibrator Quality Control  02/02/93  All Nuclear Regulatory Commission medical licensees.
93-09  Failure of Undervoltage Trip Attachment on Westinghouse Model DB-50 Reactor Trip Breaker  02/02/93  All holders of OLs or CPs for nuclear power reactors.
93-08  Failure of Residual Heat Removal Pump Bearings due to High Thrust Loading  02/01/93  All holders of OLs or CPs for nuclear power reactors.
93-07  Classification of Transportation Emergencies  02/01/93  All licensees required to have an emergency plan.
93-06  Potential Bypass Leakage Paths Around Filters Installed in Ventilation Systems  01/22/93  All holders of OLs or CPs for nuclear power reactors.
93-05  Locking of Radiography Exposure Devices  01/14/93  All Nuclear Regulatory Commission industrial radiography licensees.
93-04  Investigation and Reporting of Misadministrations by the Radiation Safety Officer  01/07/93  All U.S. Nuclear Regulatory Commission medical licensees.
93-03  Recent Revision to 10 CFR Part 20 and Change of Implementation Date to January 1, 1994  01/05/93  All byproduct, source, and special nuclear material licensees.
93-02  Malfunction of a Pressurizer Code Safety Valve  01/04/93  All holders of OLs or CPs for nuclear power reactors.

OL - Operating License
CP - Construction Permit
