Information Notice 1979-04, Degradation of Engineered Safety Features
| ML031180118 | |
| Person / Time | |
|---|---|
| Issue date: | 02/16/1979 |
| From: | NRC/IE |
| To: | |
| References | |
| IN-79-004, NUDOCS 7912120548 | |
| Download: ML031180118 (7) | |
UNITED STATES
NUCLEAR REGULATORY COMMISSION
OFFICE OF INSPECTION AND ENFORCEMENT
WASHINGTON, D.C.
20555
February 16, 1979
IE Information Notice No. 79-04
DEGRADATION OF ENGINEERED SAFETY FEATURES
Summary
On September 16, 1978, an unusual sequence of events occurred at Arkansas
Nuclear One, Units 1 and 2.
The events involved the electrical power
sources and culminated in the spurious activation and degraded operation
of Unit 2 Engineered Safety Features (ESF). Analysis of the course of
the incident has identified three safety concerns in the electrical
distribution system operation and design.
(1) The offsite power supply for ANO Unit 1 Engineered Safety Feature
loads was deficient in that degraded voltage could have resulted
in the unavailability of ESF equipment, if it were to be needed.
(2) The design of the ANO site electrical system that provides offsite
power to Units 1 and 2 did not fully meet the Commission's Regula- tions, 10 CFR 50, Appendix A, General Design Criterion 17, because
in certain circumstances a loss of one of the two offsite power
circuits would also result in a loss of the other such circuit.
(3) Deficiencies existed in the operation of the Unit 2 inverters
that convert DC to AC power for the uninterruptable 120 volt
vital AC buses.
Description of Circumstances
Initially Unit 1 was operating at 100 percent power; Unit 2 was in hot
standby performing hot functional testing in preparation for initial
criticality and power operational) Unit 1 auxiliary electrical loads
were being supplied from the Unit 1 main generator via the unit
auxiliary transformer. Unit 2 auxiliary electrical loads were being fed
from the offsite grid through Startup Transformer No. 3. The normal
operating status was interrupted by the failure of the Unit 1 Loop "A"
Main Steam Line Isolation Valve (MSIV) air operator solenoid causing the
MSIV to close as designed. The Unit 1 Reactor Protection System sensed
conditions requiring reactor shutdown and tripped the reactor.
The
1 The Unit 2 Operating License did not permit criticality of power
operation at the time of the incident.
l of 5
793208
7 903 02 0 3 8 3
IE Information Notice No. 79-04
February 16, 1979
Unit 1 turbine-generator tripped concurrently.
Because the Unit l
generator could no longer supply power for the Unit 1 auxiliary loads, these loads were automatically transferred to Startup Transformer No. 1 to supply this power from offsite. The sequence of events should have
ended at this point.
The power to Startup Transformer No. 3, which was feeding Unit 2, and to
Startup Transformer No. 1, now feeding Unit 1, normally passes through a
single piece of equipment, the Bus Tie Auto-Transformer.
(Figure 1 shows a simplified block diagram of the principal electrical equipment
involved.) The Auto-Transformer has the capacity to provide power for
both units, but due to an error, the protective relays were still adjusted
for the operation of Unit 1 only. As a result, when both units concur- rently drew power from the Auto-Transformer these protection relays
tripped and cut off power to Startup Transformer Nos. 1 and 3.
Startup Transformer No. 2, also shown in Figure 1, thus became the only
source of offsite power for both Units 1 and 2. The onsite switching
equipment automatically transferred the full auxiliary loads for both
units to this transformer. However, this transformer is not designed to
carry full auxiliary loads for both units.
For this reason, Startup
Transformer No. 2 became overloaded and the voltage dropped on the
station distribution system for offsite power. At this time and during
most of the incident t
perating personnel at both units were unaware of
the degraded voltage 2dondition due to the overloaded Startup Trans- former No. 2.(3)
2 Two other events involving degraded voltage for ESF equipment occurred
at Millstone Unit 2 in July 1976. These events were reported as an
abnormal occurrence (No. 76-9) in NUREG-0900-5, Report to Congress on
Abnormal Occurrences, July-September 1976.
3 It was subsequently determined that the following combinations of
Unit 1 and Unit 2 operation would lead to the loss of the Bus Tie
Auto-Transformer and the subsequent overloading of Startup Transformer
No. 2:
1. Both Units in either the startup or shutdown mode, or
2. Trip of one unit while the other is in either the startup
or shutdown mode, or
3. Simultaneous trip of both units.
2 of 5
IE 'Information Notice No. 79-04
February 16, 1979
At Unit 2, eight seconds after the switch to Startup Transformer No. 2, the relays (4) which operate to protect Engineered Safety Feature (ESF)
equipment from low (degraded) voltage disconnected and therefore
deenergized both Unit 2 ESF buses as designed. At the same time, the
Unit 2 Core Protection Calculator (CPC) instrumentation registered trips
which indicated a loss of AC power to the circuits (5) that supply at
least two instrument channels.
The loss of power on two 120 volt vital AC Instrument buses caused, as
designed, an actuation of all Unit 2 Engineered Safety Features.
Thus, when the two Unit 2 emergency diesel generators started and provided
power to the previously deenergized ESF buses, the Engineered Safety
Features equipment began to operate.
However, due to inverter failures, premature actuation of the Recirculation Actuation System (RAS)
occurred. This actuation momentarily opened a flow path directly
between the Refueling Water Tank (RWT) and the containment sump.
operation and premature RAS operation combined to transfer approximately
60,000 gallons of borated refueling water to the containment sump in
about 90 seconds.
4 These relays are the second level of undervoltage protection required
as a result of the NRC staff review of the 1976 Millstone 2 degraded
voltage event.
Corrective design changes (i.e., undervoltage relays
and load sequencing to offsite power) had been implemented on Unit 2 for degraded voltage protection. These design changes had not been
implemented on Unit 1 at the time of the event.
5 Each one of the four CPC instrumentation circuits receives power from
a vital AC bus which in turn receives power from a battery through an
inverter that converts DC power to AC power.
Each inverter normally
provides power through a circuit with access to both an ESF bus and
the station batteries.
Each inverter also has an automatic switch
that can cut off this normal supply circuit and shift the loads to
an alternate supply circuit, which includes just the ESF bus.
(See
-
insert on Figure 1.) With both Unit 2 ESF buses momentarily deenergized
the only source of instrument power was from the station batteries
through the normal switch position. However, although the exact cause
is unknown, all four inverter automatic switches were found in the
alternate position. Three of four inverters had improper settings on
time delay relays and one inverter had the undervoltage trip setting
too high, which may have In part been the cause.
IE Circular No. 79-02, Failure of 120 Volt Vital AC Power Supplies, dated January 16, 1979, provided details of the inverter problems and recommended items to be
reviewed to avoid similar problems.
3 of 5
IE Information Notice No. 79-04
February 16, 1979
The normal design sequence calls for the RAS to automatically change the
valve lineup when signals from the level instruments on the Refueling
Water Tank (RWT) indicate that the tank is nearly empty, which is
expected to occur approximately 30 minutes after the LOCA. During this
incident, the RAS acted immediately in response to the failure of the
inverters and made the change in lineup while the RWT was nearly full.
The loss of power from the inverters caused a false low water level
indication in the RWT. This false indication provided the signals for
the automatic actuation of the RAS.
Had the Emergency Core Cooling System and/or the Containment Spray
System been needed in the event of a design basis loss of coolant
accident, it would not have performed as designed because of the pre- mature RAS valve actuation.
ESF degradation on Unit 2 did not involve a
threat to the health and safety of the public because Unit 2 was pre- operational and had no radioactive fission product inventory in the
core.
However, there was no assurance that the inverter deficiencies
which caused the premature operation of the RAS valves would have been
corrected prior to Unit 2 power operation.
In the event of a LOCA with a fission product inventory, if the RAS were
to initiate at the beginning of the accident, as it did in this incident, the low pressure and high pressure coolant injection subsystems (LPCI
and HPCI) of Emergency Core Cooling (ECC) and the Containment Spray
System might not function properly. Actuation of RAS causes isolation
of the water in the RWT, which is the source of short term cooling water
for Emergency Core Cooling and Containment Spray.
The premature actua- tion of RAS also causes these pump suction lines to be connected to the
containment sump when there may not be sufficient water available.
Initially, the sequence of events on September 16 did not Indicate any
problem with the electrical distribution system of Unit 1. However, subsequent analysis indicated that in the event of a LOCA at Unit 1 during which Startup Transformer No. 1 received both the auxiliary
electrical loads and starting loads of the Engineered Safety Features a
voltage reduction would result.
The safety loads might not initially
transfer to the Unit 1 diesel generators but could remain on the startup
transformer with reduced (degraded) voltage. Although there is margin
in the sizing of emergency equipment and the conditions of operation of
such equipment, this situation could cause fuses to blow in Engineered
Safety Feature circuits which could result in disabling the safety
equipment.
4 of 5
IE Information Notice No. 79-04
February 16, 1979
Cause or Causes The immediate causes of the unusual event at Arkansas
Nuclear One were:
(1) loss of the Bus Tie Auto-Transformer which
resulted in degraded power operation through Startup Transformer No. 2, and (2) multiple Unit 2 inverter failures.
The loss of the Bus Tie Auto-Transformer was caused by inappropriate
setpoints for its protective relays. The Bus Tie Auto-Transformer loss
had not been adequately reviewed prior to this event in that the over- loading of the shared Startup Transformer No. 2 had not been identified
during the design and review process.
The primary cause of the failure of the inverters to perform as a
reliable power supply was the lack of adequate preoperational test
procedures, inadequate knowledge of inverter operation and lack of
maintenance control (maintenance has been performed on the inverters
several times prior to this event).
This Information Notice provides details of a significant occurrence
that is still under review by the NRC staff. After completion of the
staff review, this Information Notice will be followed with specific
actions to be taken by licensees.
No written response is required. If you desire additional information
regarding this matter, contact the Director of the appropriate NRC
Regional Office.
Attachment:
Figure 1, Simplified
Block Diagram, Electrical
Distribution
5 of 5
IE Information Notice Nlo. 79-04 INlVERTER
[
l
yVR1 str1
-v
AUTOMATIC
j
SWITCH IN
NORMAL
POSITION
I
VITAL
VIT)
IAC
I
BUS
,BU
AC OUT
I
INVERTER UNIT
ANO-UNIT 2 (TYPICAL OF FOUR)
(ONE
OF TWO ESF
TRAINS SHOWW.)
SIiMPLIFIED BLOCK VIAGRAfl - ELECTRIC DISTRIBUTION
FIGURE 1 Attachnent
IE Information Notice No. 79-04
February 16, 1979
LISTING OF IE INFORMATION NOTICES
ISSUED IN 1979
Information
Notice No.
Subject
79-01
79-02 Bergen-Paterson Hydraulic
Shock and Sway Arrestor
Attempted Extortion -
Low Enriched Uranium
Limitorque Valve Geared
Limit Switch Lubricant
Date
Issued
2/2/79
2/2/79
2/9/79 Issued To
All power reactor
facilities with an
All Fuel Facilities
All power reactor
facilities with an
79-03