NRC Generic Letter 1996-01
UNITED STATES
NUCLEAR REGULATORY COMMISSION
OFFICE OF NUCLEAR REACTOR REGULATION
WASHINGTON, D.C. 20555 January 10, 1996 NRC GENERIC LETTER NO. 96-01: TESTING OF SAFETY-RELATED LOGIC CIRCUITS
Addressees
All holders of operating licenses or construction permits for nuclear power reactors.
Purpose
The U.S. Nuclear Regulatory Commission (NRC) is issuing this generic letter to: (1) notify addressees about problems with testing of safety-related logic circuits, (2) request that all addressees implement the actions described herein, and (3) require that all addressees submit a written response to this generic letter regarding implementation of the requested actions.
Background The NRC staff had previously issued the following information notices (Ins)
regarding problems with testing of safety-related logic circuits:
IN 88-83, "Inadequate Testing of Relay Contacts in Safety-Related Logic Circuits," dated October 19, 1988; IN 91-13, "Inadequate Testing of Emergency Diesel Generators (EDGs)," dated March 4, 1991; IN 92-40, "Inadequate Testing of Emergency Bus Undervoltage Logic Circuitry," dated May 27, 1992; IN 93-15,
"Failure to Verify the Continuity of Shunt Trip Attachment Contacts in Manual Safety Injection and PRrotor Trip Switches," dated February 18, 1993; and IN 93-38, "Inadequate Iesting of Engineered Safety Features Actuation Systems," dated May 24, 1993. Despite these notices, recent events have occurred similar to those described in the INs which indicate that licensees have not taken sufficient action to correct previously identified problems in logic circuit surveillance testing. On March 7, 1995, NRC issued IN 95-15,
"Inadequate Logic Testing of Safety-Related Circuits," which informed licensees about these recent events at Cooper Nuclear Station, Fermi 2, Waterford 3, Grand Gulf Nuclear Station, and Arkansas Nuclear One, Unit 1 and Unit 2.
Description of Circumstances
The NRC has documented a significant number of instances involving problems with logic testing of safety-related circuits in the information notices described above. These information notices discuss events at various pressurized water and boiling water reactors. The examples of problems with logic testing cover a wide range of systems including safety injection system
9601050193 Am f CW OS p P 11C
2)v,k, ;- 5-
1s /q' /tA
GL 96-01 January 10, 1996 actuation, containment spray system actuation, residual heat removal system actuation, diesel generator load sequencing, and reactor protection system actuation. In most cases, the affected logic circuits functioned properly when testing in accordance with technical specification (TS) requirements was performed. The NRC has taken enforcement action in many of these cases since they resulted in TS violations. The details of these instances are included in the information notices cited above. An example of the details associated with this issue at Fermi Station is repeated here.
On July 15, 1994, during a routine review of surveillance procedures required by the Fermi Unit 2 TS, the licensee (Detroit Edison Company) discovered that neither the procedures used for testing the load shedding of the 4160 volt Residual Heat Removal (RHR) pumps nor the related instrumentation and control (I&C) logic functional test procedure provided for the full testing of the RHR
pump start logic. The conductors which connect the I&C and electrical portions of the circuit were not tested. Also, the test procedures did not include verification that the switchgear breaker would not close with an undervoltage signal present at the bus.
After investigating further, the licensee discovered additional deficiencies in the undervoltage functional test surveillance procedures including the logic functional test surveillance procedures for the three other engineered safety buses. Also, the surveillance test overlap did not include sufficient overlap of the logic circuit to cover the degraded voltage trip input to the non-interruptible air supply system isolation logic, the degraded voltage trip input to the bus feeder breaker position, and the alternate automatic closure circuits for the EDG output breakers. The licensee further determined that the 480 volt load shed logic had not been fully tested.
On September 9, 1994, the licensee identified additional surveillance deficiencies and expanded the investigation of its surveillance procedures for EDGs and I&C overlap testing. -luring this investigation, the licensee determined that (1) multiple pathways for starting an EDG through the emergency core cooling system (ECCS) logic were not being tested separately,
(2) emergency equipment cooling water (EECW) actuation from the load sequencer was not being differentiated from EECW actuation on reactor building closed cooling water low pressure, and (3) test acceptance criteria permitted performance outside of the TS limits.
In October and November 1994, the licensee identified several other test deficiencies in its surveillance procedures. These deficiencies were related to the core spray system, RHR system, reactor protection system, safety relief valves, alternate rod insertion and main steam isolation valve leakage control system logic, remote shutdown panel, primary containment manual isolation valves, and alternate shutdown panel transfer switches.
To address the above deficiencies, the licensee has taken the following corrective actions: (1) reviewed deficient procedures and performed required surveillance to establish operability, (2) reviewed similar procedures to
GL 96-01 January 10, 1996 identify other deficiencies, (3) is creating electrical overlap drawings, and
(4) is training authors and technical reviewers of procedures to be fully aware of logic surveillance requirements. The NRC staff issued a notice of violation to Detroit Edison Company concerning the above issue (NRC Inspection Report No. 50-341/94-12).
Discussion A number of NRC regulations document the requirements to test safety-related systems to ensure that they will function as designed when called upon. For example, Title 10 of the Code of Federal Regulations (10 CFR), Section 50.36,
"Technical Specifications," paragraph (c)(3) states that, "surveillance requirements are requirements relating to test, calibration or inspection to assure that the necessary quality of systems and components is maintained, that facility operation will be within the safety limits, and that the limiting conditions of operation will be met." Surveillance requirements to assure continued operability of safety-related logic circuits have been included in the plant-specific technical specifications for all operating nuclear power plants.
Other documents that provide a basis for these requirements include:
- 10 CFR 50.55a, "Codes and Standards," paragraph (h) which includes reference to Institute of Electrical and Electronic Engineers (IEEE) Standard 279, "Criteria for Protection Systems for Nuclear Power Generating Stations"
- Appendix A to 10 CFR 50, General Design Criterion (GDC) 21,
"Protection System for Reliability and Testability"
- Appendix A to 10 CFR 50, General Design Criterion (GDC) 18,
"Inspection and Testing of Electric Power Systems"
- Appendix B to 10 CFR 50, Criterion XI, "Test Control"
- Regulatory Guide (RG) 1.118, "Periodic Testing of Electric Power and Protection Systems"
- RG 1.32, "Criteria for Safety-Related Electric Power Systems for Nuclear Power Plants"
As noted above, the NRC staff has issued a number of information notices (identified in the "Background" section) that document identified deficiencies in actuation logic surveillance test programs. However, because of the number of more recently identified similar deficiencies, the NRC staff has determined that licensees may not have yet adequately addressed this issue and further action is necessary.
GL 96-01 January 10, 1996 The NRC staff finds that the failure to adequately test safety-related actuation logic circuitry is safety significant in that inoperable essential electric components required for automatic actuation of post-accident mitigation systems may be undetected for extended periods. This is particularly true for the reactor protection system, whose unavailability is shown in probabilistic risk assessments to be a dominant contributor to potential core damage scenarios. Undetected reactor protection system availability/reliability degradation is also a potentially significant contributor to overall risk. Unavailability of those circuits associated with automatic emergency core cooling system (ECCS) actuation, especially in a loss-of-offsite-power situation, is a lesser contributor to overall risk but is important in ensuring post-accident recovery in accordance with licensing bases. Failure to automatically actuate safety systems also places the additional burden on the operators of having to manually actuate required functions and thus increases the chance for operator error.
The NRC staff notes that even in cases where surveillance testing of the logic circuits has not been complete, it is likely that only very small portions of the circuit have been omitted from the test. Further, the NRC staff is not aware of instances of specifically identified surveillance inadequacies that resulted in the unavailability of the safety system when called on during an event. Nevertheless, as indicated above, the NRC staff finds that compliance with the plant-specific technical specifications is essential in order to maintain the validity of the assumptions in the licensing basis accident analyses. On the basis of the recent events, previously issued INs, complexity of the logic, and contribution to the core damage frequency, the NRC staff has further determined that licensees should review their surveillance procedures for the reactor protection system, EDG load shedding and sequencing, and actuation logic for the engineered safety features systems to ensure that complete testing is being performed as required by the technical specifications.
Requested Actions The NRC staff requests that all addressees take the following actions:
(1) Compare electrical schematic drawings and logic diagrams for the reactor protection system, EDG load shedding and sequencing, and actuation logic for the engineered safety features systems against plant surveillance test procedures to ensure that all portions of the logic circuitry, including the parallel logic, interlocks, bypasses and inhibit circuits, are adequately covered in the surveillance procedures to fulfill the TS
requirements. This review should also include relay contacts, control switches, and other relevant electrical components within these systems, utilized in the logic circuits performing a safety function.
GL 96-01 January 10, 1996 (2) Modify the surveillance procedures as necessary for complete testing to comply with the technical specifications. Additionally, the licensee may request an amendment to the technical specifications if relief from certain testing requirements can be justified.
It is requested the completion of these actions be accomplished prior to startup from the first refueling outage commencing one year after the issuance of this generic letter.
Note: Some licensees may have already performed the requested reviews and taken appropriate corrective actions. These licensees do not need to perform any additional review unless modifications have been made to the logic circuits for these systems. In these cases the modifications should be reviewed. Licensees are reminded that following modifications to safety- related logic circuits, full functional testing of the modification should be conducted. Licensees should not rely on routine surveillance testing to confirm proper performance of logic circuits following modifications.
Required Response All addressees, including those who have already completed the requested actions, are required to submit a written response to this generic letter as follows:
(1) Within 60 days of the date of this generic letter, a written response indicating whether or not the addressee will implement the actions requested above. If the addressee intends to implement the requested actions, submit a schedule for completing implementation. If an addressee chooses not to take the requested actions, submit a description of any proposed alternative course of action, the schedule for completing tog 2lternative course of action (if applicable), and the safety basis for determining the acceptability of the planned alternative course of action.
(2) Within 30 days of completion of the requested actions, a response confirming completion.
Address the required written report(s) to the U.S. Nuclear Regulatory Commission, ATTN: Document Control Desk, Washington, D.C. 20555-0001, under oath or affirmation under the provisions of Section 182a, Atomic Energy Act of
1954, as amended, and 10 CFR 50.54(f). In addition, submit a copy to the appropriate regional administrator.
Backfit Discussion
The actions requested in this generic letter are considered backfits in accordance with NRC procedures. Because established regulatory requirements exist but were not satisfied, these backfits are necessary to bring the addressees into compliance with existing requirements. Therefore, on the
GL 96-01 January 10, 1996 basis of 10 CFR 50.109(a)(4)(i), a full backfit analysis was not performed.
An evaluation was performed in accordance with NRC procedures, including a statement of the objectives of and reasons for the requested actions and the basis for invoking the compliance exception. Response to Question IX in the CRGR review package which is available for inspection in the Commission Public Document Room, Gelman Building, 2120 L Street, N.W., Washington, D.C., 20037, contains this evaluation.
Federal Register Notification
A notice of opportunity for public comment was published in the Federal Register (60 FR 27141) on May 22, 1995. Comments were received from 10
licensees, 2 industry organizations, and 1 individual. Copies of the staff's evaluation of these comments have been made available in the public document room.
Paperwork Reduction Act Statement
The information collections contained in this request are covered by the Office of Management and Budget clearance number 3150-0011, which expires July 31, 1997. The public reporting burden for this collection of information is estimated to average 2,000 hours0 days <br />0 hours <br />0 weeks <br />0 months <br /> per response, including the time for reviewing instructions, searching existing data sources, gathering and maintaining the data needed, and completing and reviewing the collection of information. Send comments regarding this burden estimate or any other aspect of this collection of information, including suggestions for reducing this burden, to the Information and Records Management Branch (T-6 F33), U.S.
Nuclear Regulatory Commission, Washington, D.C. 20555-0001, and to the Desk Officer, Office of Information and Regulatory Affairs, NEOB-10202,
(3150-0011), Office of Management and Budget, Washington, D.C. 20503.
Compliance with the following request for information is purely voluntary.
The information would assist NRC in evaluating the cost of complying with this generic letter:
(1) the licensee staff time and costs to perform requested evaluation, corrective actions, and associated testing
(2) the licensee staff time and costs to prepare the requested response and documentation
GL 96-01 January 10, 1996 If you have any questions about this matter, please contact the technical contact(s) listed below or the appropriate Office of Nuclear Reactor Regulation (NRR) project manager.
ten .Cr Director Division of Reactor rogram Management Office of Nuclear Reactor Regulation Technical contact: Hukam Garg, NRR
(301) 415-2929 Internet:hcg@nrc.gov Lead Project Manager: Glenn Kelly, NRR
(301) 415-3028 Internet:gbk@nrc.gov Attachment: List of Recently Issued NRC Generic Letters
Attachment GL 96-01 January 10, 1996 LIST OF RECENTLY ISSUED GENERIC LETTERS
Generic Date of I an++nb cllkiar+ T zciiinri T~-iissud Tn
-ALL -- DIE- S OF
-- HL
95-10 RELOCATION OF SELECTED 12/15/95 ALL HOLDERS OF OLs OR
TECHNICAL SPECIFICATIONS CPs FOR NPRs REQUIREMENTS RELATED TO
INSTRUMENTATION
95-09 MONITORING AND TRAINING OF 11/03/95 ALL U.S. NRC LICENSEES
SHIPPERS AND CARRIERS OF
RADIOACTIVE MATERIALS
95-08 10 CFR 50.54(p) PROCESS FOR 10/31/95 ALL HOLDERS OF OLs &
CHANGES TO SECURITY PLANS CPs FOR NPRs WITHOUT PRIOR NRC APPROVAL
88-20, INDIVIDUAL PLANT EXAMINATION 09/08/95 ALL HOLDERS OF OLs Supp. 5 OF EXTERNAL EVENTS FOR SEVERE (EXCEPT THOSE LICENSES
ACCIDENT VULNERABILITIES THAT HAVE BEEN AMENDED
TO POSSESSION-ONLY
95-07 PRESSURE LOCKING AND THERMAL 08/17/95 ALL HOLDERS OF OLs BINDING OF SAFETY-RELATED (EXCEPT THOSE LICENSES
POWER-OPERATED GATE VALVES THAT HAVE BEEN AMENDED
TO POSSESSION-ONLY
95-06 CHANGES IN THE OPERATOR 08/15/95 ALL HOLDERS OF OLs LICENSING PROGRAM (EXCEPT THOSE LICENSES
THAT HAVE BEEN AMENDED
TO A POSSESSION ONLY
NPRs.
OL = OPERATING LICENSE
CP = CONSTRUCTION PERMIT
NPR = NUCLEAR POWER REACTORS
GL 96-01 Janaury 10, 1996 If you have any questions about this matter, please contact the technical contact(s) listed below or the appropriate Office of Nuclear Reactor Regulation (NRR) project manager.
original signed by Dennis M. Crutchfield, Director Division of Reactor Program Management Office of Nuclear Reactor Regulation Technical contact: Hukam Garg, NRR
301) 415-2929 Internet:hcg@nrc.gov Lead Project Manager: Glenn Kelly, NRR
(301) 415-3028 Internet:gbk@nrc.gov Attachment: List of Recently Issued NRC Generic Letters DOCUMENT NAME: 96-01.GL
Tech Ed reviewed this document 11/1/95 SECY 95-287 DTD 12/4/95 To receive a copy of this document. Indicate In the box: 'C' - Copy without enclosures "EE - Copy with enclosures 'N" = No copy OFFICE IOGC* I C/PECB* I D/DRWM,1-4 I I Il INAME ISLewis AChaffee Dritchifield DATE 11/07/95 11/27/95 0116/96 01/ /96 01/ /96 OFFICIAL RECORD COPY