ML19281B342
| ML19281B342 | |
| Person / Time | |
|---|---|
| Site: | Arkansas Nuclear  |
| Issue date: | 04/06/1979 |
| From: | Harold Denton Office of Nuclear Reactor Regulation |
| To: | Kennedy R NRC COMMISSION (OCM) |
| Shared Package | |
| ML19281B343 | List: |
| References | |
| NUDOCS 7905090280 | |
| Download: ML19281B342 (4) | |
Text
,.
b' df
[
4 UNITED STATES NUCLEAR REGULATORY COMMISSION yN t
j jfJ j WASHINGTON, D. C. 20555 g v/ '
/
APR 0 t s 7 9 1
MEMORANDUM FOR:
Commissioner Kennedy THRU:
f L. Gossick, Executive Director for Operations FROM:
\\
H. Denton, Director, Office of Nuclear Reactor u
Regulation
SUBJECT:
SECY 79-90 ABNORMAL OCCURRENCE - DEGRADED ENGINEERED SAFETY SYSTEMS As part of the Commission's determination that the September 16, 1978 event at the Arkansas Nuclear One (ANO) station was an Abnomal Occurrence, you raised a question regarding any generic issues that may have been identified by this event. As discussed in our recommendation, we identified three safety concerns. Namely:
1.
The offsite power supply for ANO Unit 1 Engineered Safety Features was deficient; 2.
The design of the ANO site electrical system that provides offsite power to Units 1 and 2 did not fully meet the Commission's Regulations; and 3.
Deficiencies existed in the operation of the Unit 2 inverters that convert battery power to AC power for certain safety-related equipment.
All the above concerns have generic implications and actions have been taken to initiate implementation of any necessary changes to correct deficiencies. These actions are discussed below.
Degradation of Electric Power from Offsite Source The deficiency in the offsite power supply for Unit 1 Engineered Safety Features and the offsite power system, shared between the Units were design deficiencies. The licensee's analysis indicated that the immediate access circuit to Unit I lacked sufficient capacity 7 S0 ; 09 0 Z70 i
i !
i and capability to provide electric power for starting the engineered safety features equipment (Concern No.1, above). The failure in the immediate access circuit to the offsite power caused not only the loss of that circuit but also led to the failure of the backup access circuit (Concern No. 2, above). The licensees modified the electrical l
distribution system to preclude automatic transfer and added load sequencing features which corrected these concerns regarding power degradation.
Licensees have been advised of the ANO design deficiency by a telephone survey to all operating reactors and an IE Information Notice (No. 79-04) was issued on February 14, 1979 describing the i
event and corrective actions. Information received from the licensees as a result of the telephone survey indicate that some have load sequencing and all have indicated that analyses have been done to assure the adequacy of the electrical system.
To complete resolution of this concern and as a follow-up to the Information Notice, we are in the process of contacting each licensee to review their analyses to confirm the adequacy of their electric system design. Resources for this review are available from existing technical assistance programs and the staff and we plan to complete our review on a high priority basis.
In addition, our reviews of the electrical designs for applications for construction permits and operating licenses now include a detailed analysis of the electrical system to ensure its adequacy.
Inverter Deficiency The malfunction of the inverters (Item 3 above) was caused by a lack of adequate preoperational test procedures, inadequate knowledge of inverter operation and a lack of maintenance control. We have issued an IE Circular to inform licensees / applicants of these deficiencies and the need for improved quality assurance and administrative controls.
The failure of the inverters to function properly resulted in premature automatic switchover from the injection mode to the recirculation mode.
If this had occurred during an actual LOCA, the ECCS potentially would
l have been degraded to the point of insufficient core cooling.
Since the Arkansas occurrence was the result of several failures, it was beyond the scope of our single failure criterion.
In view of this, we have reconsidered our requirement regarding automatic switchover from injection to recirculation instead of i
relying entirely on operator action. Our conclusion remains that automatic switchover should be required. A manual switchover would require critical and sometimes complex actions within a relatively short time following a major loss-of-coolant accident.
i Previous human reliability studies suggest low confidence for prompt operator actions under high stress conditions that would exist following a LOCA. As a result, we have been implementing our position on automatic switchover using instrumentation and controls that satisfy our safety-grade requirements and meet the single failure criterion. We continue to support this position because we believe the automatic system is more reliable with its instruments and controls satisfying the criterion and requirements of current regulations.
Another aspect of the problem at Arkansas Nuclear One, Unit 2 (ANO-2) was action of the instrumentation logic which caused automatic switch-over to the recirculation mode upon loss of power. There are other logic designs which, had they been implemented on ANO-2, would not have caused that automatic switchover. Some of these logic designs have been implemented on other plants and the staff has found those designs acceptable. However, we do not require that a particular design be employed. The regulations, as stated in IEEE Standard 279, simply require that any single failure in the logic trains shall not negate the safety functions required for a given design basis event and the acceptability of the logic design is judged against that criterion.
While different logic designs could have prevented the premature actuation of the recirculation mode during the ANO-2 event, other design deficiencies and operational errors of the type that occurred at ANO-2 could be postulated which would still interfere with the operation of that logic. For any logic design there will be postulated events involving multiple failures that have the potential for jeopardiing the functional aspects of the safety system logic matrices, and thereby
4 i e i
the associated safety systems. For example, proper operation of the logic is dependent on the adequacy of those power systems which support i
the operation of the instrumentation logic. Reasonable assurance of the adequacy of those power systems can be obtained by proper design and appropriate periodic testing of these power systems. Therefore, l
we believe that there is no need to require any modifications in this area.
In summary, we believe that the ANO event did have generic implications t
and that we have taken the appropriate actions to be certain that all licensees are aware of the potential problems and that any necessary
]3 corrective actions will be taken, t
Original Signed By -
Roger S. Boyd i.,H.Denton, Director j
Office of Nuclear Reactor Regulation Chairman Hendrie Commissioner Gilinsky Commissioner Bradford Commissioner Ahearne General Counsel Acting Director, Policy Evaluation Director, Congressional Affairs Director, Public Affairs i