Information Notice 1993-11, Single Failure Vulnerability of Engineered Safety Features Actuation Systems
UNITED STATES
NUCLEAR REGULATORY COMMISSION
OFFICE OF NUCLEAR REACTOR REGULATION
WASHINGTON, D.C. 20555
February 4, 1993
SINGLE FAILURE VULNERABILITY OF ENGINEERED
SAFETY FEATURES ACTUATION SYSTEMS
Addressees
All holders of operating licenses or construction permits for nuclear power
reactors.
Purpose
The U.S. Nuclear Regulatory Commission (NRC) is issuing this notice to alert
addressees to potential single failure vulnerabilities in engineered safety
features actuation systems. It is expected that recipients will review the
information for applicability to their facilities and consider actions, as
appropriate, to avoid similar problems. However, suggestions contained in
this information notice are not NRC requirements; therefore, no specific
action or written response is required.
Description of Circumstances
On July 6, 1992, during a planned outage at the Millstone Nuclear Power
Station, Unit 2, with the core off loaded to the spent fuel pool, the
licensee, the Northeast Nuclear Utilities Company, was preparing to replace
two vital inverters. Millstone Unit 2 uses four inverters, two on each vital
dc bus, to power two trains of engineered safety feature actuation comprised
of four sensor cabinets and two actuation cabinets.
Operators removed power
from one actuation train, which caused a false loss of normal power signal and
a false start signal for the emergency core cooling system. The effect of
this action was similar in consequence to the complete loss of one of the two
vital dc buses.
One emergency diesel generator (EDG) started and tied onto the bus.
The
second EDG did not start because it was out of service for maintenance.
After the one EDG started, the safety loads failed to sequence onto the bus
because of a continuous false load shed signal.
Operators recovered from the
event by stopping the EDG and restoring power to one of the sensor cabinets.
This action removed the false loss of power signal and thus the load shed
signal.
The licensee reviewed the event and concluded that an unblocking feature of
the automatic test insertion (ATI)
system had caused the continuous load
shedding signal. The ATI system, a continuous, on-line, logic tester that is
common for both trains, was still energized and permitted the spurious loss of
power signal to continue to shed the loads. The ATI system applies
2-millisecond unblocking pulses to the input of the actuation logic modules
and checks the module outputs for proper operation. The 2-millisecond pulses
are too brief to actuate relays and start equipment.
In 1978, the licensee
added a feature to permit ATI testing of the loss of normal power logic.
To test the logic, the licensee determined that the ATI system needed to
provide an unblocking of the loss of power signal for 500 milliseconds.
In
the actual event, the false signal generated by the lack of control power was
continuously present during the 500 ms ATI unblocking signal.
This caused a
recurring load shed signal to be generated even though the EDG was ready to
accept loads; therefore, the EDG load breakers never closed.
In reviewing the event, the licensee determined that the engineered safety
feature actuation system could also cause other unintended actions under
certain power supply failure conditions. These automatic actions are not
related to the ATI modification.
(1) If power is lost to either one of the two dc vital buses, both the
safety injection actuation signal and sump recirculation actuation
signal would be simultaneously initiated. The recirculation actuation
signal would result in tripping all low pressure injection pumps. Also,
the spurious sump recirculation actuation signal would cause one of the
containment sump outlet valves to open.
(2) If power was lost only to the sensor cabinets in one actuation train,
both containment sump outlet valves would open. If this occurred during
a loss-of-coolant accident, high pressure in containment could shut both
refueling water storage tank check valves, inhibiting flow to all
emergency coolant injection pumps.
(3) The loss of all dc power to one actuation train would cause a power
operated relief valve in the other train to open. In addition, when
control power alone is lost to only the sensor cabinets in a single
actuation train, spurious high pressurizer pressure signals would cause
the relief valves in both trains to open.
Both cases would result in a
loss of primary coolant.
Discussion
The design deficiency in the on-line testing feature could have prevented both
emergency diesels from accepting emergency loads under certain single failure
conditions. The licensee investigated this event at Millstone Unit 2 and
found several single failure vulnerabilities related to loss of a vital dc bus
which may apply to engineered safety features actuation systems at other
plants. Although the described event resulted from an ATI modification, the
other vulnerabilities are inherent in the actuation system design and its
power supplies.
Millstone Unit 2 uses two-out-of-four logic supplied by Consolidated Controls
Incorporated to actuate automatically a number of safety features. In the
actuation system, a sensor, and subsequent interposing electronic logic, condition the signal for use by the actuation logic. Upon loss of power, the
interposing logic generates a signal to perform the safety function. The
problems discussed above result from having a two-out-of-four logic powered by
only two safety-related power sources coupled with a lack of coherence in
specifying the preferred failure mode for automated safety-related actions,
given a loss of power.
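As an added illustration (not part of the NRC notice), the following Python model shows why a two-out-of-four vote whose four sensor channels are fed from only two vital dc buses is satisfied by the loss of a single bus when the interposing logic fails active, and contrasts that with a hypothetical one-bus-per-channel layout and with a channel that presents no demand when unpowered. The bus names, the channel-to-bus mapping and the fail-deenergized alternative are assumptions for illustration.

```python
# Added illustration, not from the NRC notice: a model of a two-out-of-four
# actuation vote whose four sensor channels are fed from only two vital dc
# buses (as described for Millstone Unit 2), compared with a hypothetical
# layout of one bus per channel. Bus names, the channel-to-bus mapping and
# the fail-deenergized alternative are assumptions for illustration only.
from itertools import product

TRIP_THRESHOLD = 2  # two-out-of-four voting


def channel_demands(bus_map, lost_buses, process_trip, fail_active):
    """Trip demand each channel presents to the voting logic.

    bus_map:      channel index -> dc bus powering that channel's sensor cabinet
    lost_buses:   buses that have lost power
    process_trip: channel index -> True when the plant parameter really demands a trip
    fail_active:  True models the notice's interposing logic, which on loss of
                  power "generates a signal to perform the safety function";
                  False models a channel that presents no demand when unpowered.
    """
    return [fail_active if bus in lost_buses else process_trip[ch]
            for ch, bus in bus_map.items()]


def vote_2oo4(demands):
    """Actuate when at least two of the four channels demand it."""
    return sum(demands) >= TRIP_THRESHOLD


def spurious_on_single_bus_loss(bus_map, fail_active):
    """Buses whose loss alone satisfies the vote with no real process demand."""
    no_demand = {ch: False for ch in bus_map}
    return {bus for bus in set(bus_map.values())
            if vote_2oo4(channel_demands(bus_map, {bus}, no_demand, fail_active))}


def real_demand_detected(bus_map, lost_buses, fail_active):
    """Whether a genuine demand on every powered channel still reaches the vote."""
    demand = {ch: True for ch in bus_map}
    return vote_2oo4(channel_demands(bus_map, lost_buses, demand, fail_active))


# Millstone-style arrangement: four sensor cabinets, two on each vital dc bus.
TWO_BUS = {0: "DC-A", 1: "DC-A", 2: "DC-B", 3: "DC-B"}
# Hypothetical comparison: each channel on an independent supply.
FOUR_BUS = {0: "DC-A", 1: "DC-B", 2: "DC-C", 3: "DC-D"}


if __name__ == "__main__":
    for (name, layout), fail_active in product(
            [("two buses", TWO_BUS), ("four buses", FOUR_BUS)], [True, False]):
        spurious = sorted(spurious_on_single_bus_loss(layout, fail_active))
        print(f"{name:10s} fail_active={fail_active!s:5s} "
              f"spurious actuation on loss of: {spurious or 'none'}")
```

With two channels per bus and fail-active interposing logic, either bus alone meets the vote before any sensor reports a real condition, which is the mechanism behind observations (1) through (3) above; the fail-deenergized variant removes the spurious actuation but then depends on the remaining bus to carry a genuine demand.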
The licensee is preparing modifications to correct these problems and is
reviewing the design of Unit 2 for other similar problems.
In NRC Bulletin 79-27, "Loss of Non-Class 1E Instrumentation and Control Power
System Bus During Operation," the NRC requested licensees to evaluate the
effects of a loss of power to 1E and Non-1E instrument and control systems.
In addition, in NRC Generic Letter 89-18, "Systems Interactions in Nuclear
Power Plants," the NRC highlighted concerns regarding actuation system designs
which may have automated safety-related actions with no preferred failure
modes.
This information notice requires no specific action or written response. If
you have any questions about the information in this notice, please contact
one of the technical contacts listed below or the appropriate Office of
Nuclear Reactor Regulation (NRR) project manager.
Brian K. Grimes, Director
Division of Operating Reactor Support
Office of Nuclear Reactor Regulation
Technical contacts: Ram S. Bhatia, Region I
(215) 337-5262
Thomas Koshy, NRR
(301) 504-1176
Attachment: List of Recently Issued NRC Information Notices
Attachment
February 4, 1993
Page 1 of 1
LIST OF RECENTLY ISSUED NRC INFORMATION NOTICES
Information Notice No.  Subject  Date of Issuance  Issued to

93-10  Dose Calibrator Quality Control  02/02/93  All Nuclear Regulatory Commission medical licensees.
93-09  Failure of Undervoltage Trip Attachment on Westinghouse Model DB-50 Reactor Trip Breaker  02/02/93  All holders of OLs or CPs for nuclear power reactors.
93-08  Failure of Residual Heat Removal Pump Bearings due to High Thrust Loading  02/01/93  All holders of OLs or CPs for nuclear power reactors.
93-07  Classification of Transportation Emergencies  02/01/93  All licensees required to have an emergency plan.
93-06  Potential Bypass Leakage Paths Around Filters Installed in Ventilation Systems  01/22/93  All holders of OLs or CPs for nuclear power reactors.
93-05  Locking of Radiography Exposure Devices  01/14/93  All Nuclear Regulatory Commission industrial radiography licensees.
93-04  Investigation and Reporting of Misadministrations by the Radiation Safety Officer  01/07/93  All U.S. Nuclear Regulatory Commission medical licensees.
93-03  Recent Revision to 10 CFR Part 20 and Change of Implementation Date to January 1, 1994  01/05/93  All byproduct, source, and licensees.
93-02  Malfunction of a Pressurizer Code Safety Valve  01/04/93  All holders of OLs or CPs for nuclear power reactors.

OL - Operating License
CP - Construction Permit