Information Notice 1992-65, Safety System Problems Caused by Modifications That Were Not Adequately Reviewed and Tested: Difference between revisions

From kanterella
Jump to navigation Jump to search
(Created page by program invented by StriderTol)
 
(Created page by program invented by StriderTol)
 
(4 intermediate revisions by the same user not shown)
Line 3: Line 3:
| issue date = 09/03/1992
| issue date = 09/03/1992
| title = Safety System Problems Caused by Modifications That Were Not Adequately Reviewed and Tested
| title = Safety System Problems Caused by Modifications That Were Not Adequately Reviewed and Tested
| author name = Rossi C E
| author name = Rossi C
| author affiliation = NRC/NRR
| author affiliation = NRC/NRR
| addressee name =  
| addressee name =  
Line 13: Line 13:
| document type = NRC Information Notice
| document type = NRC Information Notice
| page count = 5
| page count = 5
| revision = 0
}}
}}
{{#Wiki_filter:v)UNITED STATESNUCLEAR REGULATORY COMMISSIONOFFICE OF NUCLEAR REACTOR REGULATION_WASHINGTON, D.C. 20555 6September 3, 1992 -7 'NRC INFORMATION NOTICE 92-65: SAFETY SYSTEM PROBLEM flCAUSED BY MODIFICATIONSTHAT WERE NOT ADEQUATE-V REVIEWED AND TESTED
{{#Wiki_filter:v)
                                  UNITED STATES
 
NUCLEAR REGULATORY COMMISSION
 
OFFICE OF NUCLEAR REACTOR REGULATION_
                            WASHINGTON, D.C. 20555 6 September 3, 1992         -
                                                        7     '
NRC INFORMATION NOTICE 92-65:   SAFETY SYSTEM PROBLEM flCAUSED BY MODIFICATIONS
 
THAT WERE NOT ADEQUATE-V REVIEWED AND TESTED


==Addressees==
==Addressees==
All holders of operating licenses or construction permits for nuclear powerreactors.
All holders of operating licenses or construction permits for nuclear power
 
reactors.


==Purpose==
==Purpose==
The U.S. Nuclear Regulatory Commission (NRC) is issuing this informationnotice to alert addressees to problems caused by inadequate review and testingof safety system modifications. It is expected that recipients will reviewthe information for applicability to their facilities'and consider actions, asappropriate, to avoid similar problems. However, suggestions contained inthis information notice are not NRC requirements; therefore, no specificaction or written response is required.
The U.S. Nuclear Regulatory Commission (NRC) is issuing this information
 
notice to alert addressees to problems caused by inadequate review and testing
 
of safety system modifications. It is expected that recipients will review
 
the information for applicability to their facilities'and consider actions, as
 
appropriate, to avoid similar problems. However, suggestions contained in
 
this information notice are not NRC requirements; therefore, no specific
 
action or written response is required.


==Description of Circumstances==
==Description of Circumstances==
The following describes two examples of safety system design errors that wentundetected since construction, because design changes were not thoroughlyreviewed and tested.On October 10, 1991, during post overhaul testing, personnel at ArkansasNuclear One, Unit 1, observed that one of the high-pressure safety injection(HPSI) pumps was losing its lubricating oil at a rate of more than 15 gallonsper hour as a result of oil spraying from the bearings. The licensee foundthat the oil would always leak at this 'rate during emergency operation becauseof excessive oil pressure caused by the simultaneous operation of two oil -pumps that-served the HPSI pump. This condition had-existed since the plantbegan operation.The bearings for each of the HPSI pumps are supplied with lubricating oil bytwo oil pumps, one attached directly to the HPSI pump itself and the other aseparate electric backup pump. Originally the electric oil pumps wereintended to be used during start up of a HPSI pump or to replace amalfunctioning attached oil pump. The electric oil pumps could be startedmanually and would start automatically when the oil pressure decreased below acertain point. The licensee continues to use this method of control when theHPSI pumps are used for normal reactor water makeup. However, duringconstruction, the licensee decided that the HPSI pumps would be more reliableif the electric lubricating oil pumps ran continuously during emergencyoperation. Consequently, the licensee modified the emergency controls to keep9208280105 ?DR J4E fltc6-S-Oc a0 7 0-3 W I IN 92-65September 3, 1992 the electric oil pumps-operating whenever an emergency safety featuresactuation system (ESFAS) signal was present. Anticipating that thesimultaneous operation of both oil pumps could cause excessive oil pressure,the licensee added an oil- pressure relief valve to the oil system. However,the relief valve settings were not appropriately selected to prevent oilspraying from the bearings.In September 1991, the Gulf States Utilities Company, licensee for the RiverBend Station, discovered that the outlet valves for the hydrogen mixing systemwould immediately close if an operator attempted to start up the system byopening these valves when a loss-of-coolant accident (LOCA) signal waspresent. An interlock prevented the mixing system fans from operating withthe outlet valves closed. Consequently, the hydrogen mixing system would havebeen inoperable if a LOCA signal were present. This condition had existedsince the plant was constructed.The River Bend Station is a boiling water reactor with a Mark III containmentstructure. This containment structure consists of two chambers, a large outerprimary containment and a drywell which is inside the primary containment andsurrounds the reactor vessel. This system suppresses the steam pressurereleased during a LOCA by directing the steam through the suppression poolwater into the primary containment. After the initial pressure suppression iscomplete following a LOCA, hydrogen created by the zirconium-water reactionwould be mainly concentrated in the drywell. The hydrogen mixing system isprovided to reduce the concentration of the hydrogen in the drywell by movingit into the primary containment where it is diluted and reduced inconcentration by the hydrogen recombiners.The redundant hydrogen mixing systems each have two lines penetrating thedrywell; an outlet line having a recirculating fan to draw suction from thedrywell and an inlet line that allows diluted air to reenter the drywell.Each of these lines has two isolation valves which are normally closed duringplant operation. In 1983, during construction, the licensee added a LOCAinterlock to the hydrogen mixing system that would automatically close alleight of the mixing system valves upon receiving a LOCA signal. In 1984, thelicensee revised the control logic for the mixing system valves toautomatically override a LOCA signal when the operator opened the drywellinlet valves. However, the licensee did not provide this LOCA overridecapability for the outlet line valves.DiscussionIn both of these cases, the licensee changed the design with the intention ofincreasing the reliability of safety systems. However, because the licenseesdid not adequately review and test the designs, these changes introducederrors that could have prevented the systems from performing their safetyfunctions as intended.At Arkansas Nuclear One, the licensee intended to increase the reliability ofthe HPSI system by causing both HPSI oil pumps to operate simultaneously whenan ESFAS signal was present. However, the oil pumps had apparently never beenrun simultaneously for any extended period untiltthe recent overhaul tes IN 92-65September 3, 1992 The licensee routinely conducted the' required periodic pump surveillance testswith the HPSI operating in the normal-reactor makeup'mode with only one oilpump running at a time. The licensee tested the effectiveness of theESFAS signal during each refueling outage. However, the test only requiredverification that the test signal would actuate the HPSI system and did notresult in the simultaneous operation'of the two oil pumps for an extendedtime. As a result, neither of these tests revealed the oil leakage problem.The licensee estimated'that a HPSI 'pump would have performed satisfactorilyfor only 80 minutes without-operator action to replenish the oil or to stopthe electric oil pumps. With an ESFAS signal present, the electric oil pumpscannot be stopped from the control room,'but must be'stopped by opening localpower supply breakers.The licensee has modified the oil pressure relief'valve settings to minimizethe oil leakage. Procedures were established that instruct the operators tostop the electric oil pumps 15 minutes after an ESFAS actuation of the pumps.At River Bend, the control logic to automatically close all of the mixingsystem valves was provided to ensure that the drywell integrity would berestored if a LOCA occurred during a mixing system test with the valves open.Apparently, the LOCA override for the inlet valves was provided later topermit the drywell to be depressurized to clear a false LOCA signal that mightbe caused by a loss of offsite power. The false LOCA signal could begenerated by the drywell pressure rise that would accompany a loss of drywellcooling. Since the drywell could be depressurized without opening the outletvalves, the LOCA override was not provided for these valves. The need to openthe outlet to operate the hydrogen mixing was apparently not considered forthis change. Normal surveillance testing did not reveal this design errorbecause it was never conducted with a LOCA signal present.When the licensee discovered this design error, it declared both hydrogenmixing trains inoperable and commenced shutting down the reactor. Thelicensee then developed a LOCA bypass procedure for the hydrogen mixingsystem.These events highlight the importance of thoroughly reviewing any safety-related design change, including considering the effect of the change on allrelated systems. The events also show the need for completely testing thesystems affected by the design change under conditions that simulate as nearlyas possible those conditions that are expected to exist when the systems areneede IN 92-65September 3, 1992 This information notice requires no specific action or written response. Ifyou have any questions about the information in this notice, please contact-the technical contact listed below or the appropriate Office of NuclearReactor Regulation (NRR) project manager.harles E. Rossi, Director'Division of-Operational Events AssessmentOffice of Nuclear Reactor RegulationTechnical contact: Thomas F. Westerman, RIV(817) 860-8145
The following describes two examples of safety system design errors that went
 
undetected since construction, because design changes were not thoroughly
 
reviewed and tested.
 
On October 10, 1991, during post overhaul testing, personnel at Arkansas
 
Nuclear One, Unit 1, observed that one of the high-pressure safety injection
 
(HPSI) pumps was losing its lubricating oil at a rate of more than 15 gallons
 
per hour as a result of oil spraying from the bearings. The licensee found
 
that the oil would always leak at this 'rate during emergency operation because
 
of excessive oil pressure caused by the simultaneous operation of two oil -
pumps that-served the HPSI pump. This condition had-existed since the plant
 
began operation.
 
The bearings for each of the HPSI pumps are supplied with lubricating oil by
 
two oil pumps, one attached directly to the HPSI pump itself and the other a
 
separate electric backup pump. Originally the electric oil pumps were
 
intended to be used during start up of a HPSI pump or to replace a
 
malfunctioning attached oil pump. The electric oil pumps could be started
 
manually and would start automatically when the oil pressure decreased below a
 
certain point. The licensee continues to use this method of control when the
 
HPSI pumps are used for normal reactor water makeup. However, during
 
construction, the licensee decided that the HPSI pumps would be more reliable
 
if the electric lubricating oil pumps ran continuously during emergency
 
operation. Consequently, the licensee modified the emergency controls to keep
 
9208280105      ?DR J4E             fltc6-S-O
 
c a0 7 0-3           WI
 
IN 92-65 September 3, 1992 the electric oil pumps-operating whenever an emergency safety features
 
actuation system (ESFAS) signal was present. Anticipating that the
 
simultaneous operation of both oil pumps could cause excessive oil pressure, the licensee added an oil- pressure relief valve to the oil system. However, the relief valve settings were not appropriately selected to prevent oil
 
spraying from the bearings.
 
In September 1991, the Gulf States Utilities Company, licensee for the River
 
Bend Station, discovered that the outlet valves for the hydrogen mixing system
 
would immediately close if an operator attempted to start up the system by
 
opening these valves when a loss-of-coolant accident (LOCA) signal was
 
present. An interlock prevented the mixing system fans from operating with
 
the outlet valves closed. Consequently, the hydrogen mixing system would have
 
been inoperable if a LOCA signal were present. This condition had existed
 
since the plant was constructed.
 
The River Bend Station is a boiling water reactor with a Mark III containment
 
structure. This containment structure consists of two chambers, a large outer
 
primary containment and a drywell which is inside the primary containment and
 
surrounds the reactor vessel. This system suppresses the steam pressure
 
released during a LOCA by directing the steam through the suppression pool
 
water into the primary containment. After the initial pressure suppression is
 
complete following a LOCA, hydrogen created by the zirconium-water reaction
 
would be mainly concentrated in the drywell. The hydrogen mixing system is
 
provided to reduce the concentration of the hydrogen in the drywell by moving
 
it into the primary containment where it is diluted and reduced in
 
concentration by the hydrogen recombiners.
 
The redundant hydrogen mixing systems each have two lines penetrating the
 
drywell; an outlet line having a recirculating fan to draw suction from the
 
drywell and an inlet line that allows diluted air to reenter the drywell.
 
Each of these lines has two isolation valves which are normally closed during
 
plant operation. In 1983, during construction, the licensee added a LOCA
 
interlock to the hydrogen mixing system that would automatically close all
 
eight of the mixing system valves upon receiving a LOCA signal. In 1984, the
 
licensee revised the control logic for the mixing system valves to
 
automatically override a LOCA signal when the operator opened the drywell
 
inlet valves. However, the licensee did not provide this LOCA override
 
capability for the outlet line valves.
 
Discussion
 
In both of these cases, the licensee changed the design with the intention of
 
increasing the reliability of safety systems. However, because the licensees
 
did not adequately review and test the designs, these changes introduced
 
errors that could have prevented the systems from performing their safety
 
functions as intended.
 
At Arkansas Nuclear One, the licensee intended to increase the reliability of
 
the HPSI system by causing both HPSI oil pumps to operate simultaneously when
 
an ESFAS signal was present. However, the oil pumps had apparently never been
 
run simultaneously for any extended period untiltthe recent overhaul test.
 
IN 92-65 September 3, 1992 The licensee routinely conducted the' required periodic pump surveillance tests
 
with the HPSI operating in the normal-reactor makeup'mode with only one oil
 
pump running at a time. The licensee tested the effectiveness of the
 
ESFAS signal during each refueling outage. However, the test only required
 
verification that the test signal would actuate the HPSI system and did not
 
result in the simultaneous operation'of the two oil pumps for an extended
 
time. As a result, neither of these tests revealed the oil leakage problem.
 
The licensee estimated'that a HPSI 'pump would have performed satisfactorily
 
for only 80 minutes without-operator action to replenish the oil or to stop
 
the electric oil pumps. With an ESFAS signal present, the electric oil pumps
 
cannot be stopped from the control room,'but must be'stopped by opening local
 
power supply breakers.
 
The licensee has modified the oil pressure relief'valve settings to minimize
 
the oil leakage. Procedures were established that instruct the operators to
 
stop the electric oil pumps 15 minutes after an ESFAS actuation of the pumps.
 
At River Bend, the control logic to automatically close all of the mixing
 
system valves was provided to ensure that the drywell integrity would be
 
restored if a LOCA occurred during a mixing system test with the valves open.
 
Apparently, the LOCA override for the inlet valves was provided later to
 
permit the drywell to be depressurized to clear a false LOCA signal that might
 
be caused by a loss of offsite power. The false LOCA signal could be
 
generated by the drywell pressure rise that would accompany a loss of drywell
 
cooling. Since the drywell could be depressurized without opening the outlet
 
valves, the LOCA override was not provided for these valves. The need to open
 
the outlet to operate the hydrogen mixing was apparently not considered for
 
this change. Normal surveillance testing did not reveal this design error
 
because it was never conducted with a LOCA signal present.
 
When the licensee discovered this design error, it declared both hydrogen
 
mixing trains inoperable and commenced shutting down the reactor. The
 
licensee then developed a LOCA bypass procedure for the hydrogen mixing
 
system.
 
These events highlight the importance of thoroughly reviewing any safety- related design change, including considering the effect of the change on all
 
related systems. The events also show the need for completely testing the
 
systems affected by the design change under conditions that simulate as nearly
 
as possible those conditions that are expected to exist when the systems are
 
needed.
 
IN 92-65 September 3, 1992 This information notice requires no specific action or written response. If
 
you have any questions about the information in this notice, please contact
 
-the technical contact listed below or the appropriate Office of Nuclear
 
Reactor Regulation (NRR) project manager.
 
harles E. Rossi, Director'
                                    Division of-Operational Events Assessment
 
Office of Nuclear Reactor Regulation
 
Technical contact: Thomas F. Westerman, RIV
 
(817) 860-8145 Attachment:  List of Recently Issued NRC Information Notices
 
V)Attachment
 
IN 92-65 September 3, 1992 LIST OF RECENTLY ISSUED
 
NRC INFORMATION NOTICES
 
Information                                    Date of
 
Notice No.              Subject                Issuance    Issued to
 
92-64          Nozzle Ring Settings            08/28/92    All holders of OLs or CPs
 
on Low Pressure Water-                      for nuclear power reactors.
 
Relief Valves
 
92-63          Cracked Insulators in          08/26/92    All holders of OLs or CPs
 
ASL Dry Type Transformers                    for nuclear power reactors.
 
Manufactured by Westing- house Electric Corporation
 
92-62          Emergency Response              08/24/92    All U.S. Nuclear Regulatory
 
Information Require-                        Commission licensees.
 
ments for Radioactive
 
Material Shipments
 
92-61          Loss of High Head              08/20/92    All holders of OLs or CPs
 
Safety Injection                            for nuclear power reactors.
 
60          Valve Stem Failure              08/20/92    All holders of OLs or CPs
 
Caused by Embrittlement                      for pressurized water
 
reactors (PWRs).
 
92-59          Horizontally-Installed          08/18/92    All holders of OLs or CPs
 
Motor-Operated Gate                          for nuclear power reactors.
 
Valves
 
92-58          Uranium Hexafluoride            08/12/92    All Fuel Cycle Licensees.
 
Cylinders - Deviations
 
in Coupling Welds
 
92-57            Radial Cracking of-            08/11/92    All holders of OLs or CPs
 
Shroud Support Access                        for boiling water reactors
 
Hole Cover Welds                            (BWRs).
 
92-56            Counterfeit Valves in          08/06/92    All holders of OLs or CPs
 
the Commercial Grade                        for nuclear power reactors.
 
Supply System
 
92-55          Current Fire Endurance          07/27/92    All holders of OLs or CPs
 
Test Results for                            for nuclear power reactors.
 
Thermo-Lag Fire Barrier
 
Material
 
OL = Operating License


===Attachment:===
CP = Construction Permit}}
List of Recently Issued NRC Information Notices V)AttachmentIN 92-65September 3, 1992 LIST OF RECENTLY ISSUEDNRC INFORMATION NOTICESInformation Date ofNotice No. Subject Issuance Issued to92-64Nozzleon LowReliefRing SettingsPressure Water-Valves92-6392-6292-616092-5992-58Cracked Insulators inASL Dry Type TransformersManufactured by Westing-house Electric CorporationEmergency ResponseInformation Require-ments for RadioactiveMaterial ShipmentsLoss of High HeadSafety InjectionValve Stem FailureCaused by EmbrittlementHorizontally-InstalledMotor-Operated GateValvesUranium HexafluorideCylinders -Deviationsin Coupling Welds08/28/9208/26/9208/24/9208/20/9208/20/9208/18/9208/12/92All holders of OLs or CPsfor nuclear power reactors.All holders of OLs or CPsfor nuclear power reactors.All U.S. Nuclear RegulatoryCommission licensees.All holders of OLs or CPsfor nuclear power reactors.All holders of OLs or CPsfor pressurized waterreactors (PWRs).All holders of OLs or CPsfor nuclear power reactors.All Fuel Cycle Licensees.92-57Radial Cracking of-Shroud Support AccessHole Cover Welds08/11/92All holdersfor boiling(BWRs).of OLs or CPswater reactors92-5692-55Counterfeit Valves inthe Commercial GradeSupply SystemCurrent Fire EnduranceTest Results forThermo-Lag Fire BarrierMaterial08/06/9207/27/92All holders of OLs or CPsfor nuclear power reactors.All holders of OLs or CPsfor nuclear power reactors.OL = Operating LicenseCP = Construction Permit}}


{{Information notice-Nav}}
{{Information notice-Nav}}

Latest revision as of 03:21, 24 November 2019

Safety System Problems Caused by Modifications That Were Not Adequately Reviewed and Tested
ML031200373
Person / Time
Site: Beaver Valley, Millstone, Hatch, Monticello, Calvert Cliffs, Dresden, Davis Besse, Peach Bottom, Browns Ferry, Salem, Oconee, Mcguire, Nine Mile Point, Palisades, Palo Verde, Perry, Indian Point, Fermi, Kewaunee, Catawba, Harris, Wolf Creek, Saint Lucie, Point Beach, Oyster Creek, Watts Bar, Hope Creek, Grand Gulf, Cooper, Sequoyah, Byron, Pilgrim, Arkansas Nuclear, Three Mile Island, Braidwood, Susquehanna, Summer, Prairie Island, Columbia, Seabrook, Brunswick, Surry, Limerick, North Anna, Turkey Point, River Bend, Vermont Yankee, Crystal River, Haddam Neck, Ginna, Diablo Canyon, Callaway, Vogtle, Waterford, Duane Arnold, Farley, Robinson, Clinton, South Texas, San Onofre, Cook, Comanche Peak, Yankee Rowe, Maine Yankee, Quad Cities, Humboldt Bay, La Crosse, Big Rock Point, Rancho Seco, Zion, Midland, Bellefonte, Fort Calhoun, FitzPatrick, McGuire, LaSalle, Fort Saint Vrain, Shoreham, Satsop, Trojan, Atlantic Nuclear Power Plant  Entergy icon.png
Issue date: 09/03/1992
From: Rossi C
Office of Nuclear Reactor Regulation
To:
References
IN-92-065, NUDOCS 9208280105
Download: ML031200373 (5)
v  d  e


v)

UNITED STATES

NUCLEAR REGULATORY COMMISSION

OFFICE OF NUCLEAR REACTOR REGULATION_

WASHINGTON, D.C. 20555 6 September 3, 1992 -

7 '

NRC INFORMATION NOTICE 92-65: SAFETY SYSTEM PROBLEM flCAUSED BY MODIFICATIONS

THAT WERE NOT ADEQUATE-V REVIEWED AND TESTED

Addressees

All holders of operating licenses or construction permits for nuclear power

reactors.

Purpose

The U.S. Nuclear Regulatory Commission (NRC) is issuing this information

notice to alert addressees to problems caused by inadequate review and testing

of safety system modifications. It is expected that recipients will review

the information for applicability to their facilities'and consider actions, as

appropriate, to avoid similar problems. However, suggestions contained in

this information notice are not NRC requirements; therefore, no specific

action or written response is required.

Description of Circumstances

The following describes two examples of safety system design errors that went

undetected since construction, because design changes were not thoroughly

reviewed and tested.

On October 10, 1991, during post overhaul testing, personnel at Arkansas

Nuclear One, Unit 1, observed that one of the high-pressure safety injection

(HPSI) pumps was losing its lubricating oil at a rate of more than 15 gallons

per hour as a result of oil spraying from the bearings. The licensee found

that the oil would always leak at this 'rate during emergency operation because

of excessive oil pressure caused by the simultaneous operation of two oil -

pumps that-served the HPSI pump. This condition had-existed since the plant

began operation.

The bearings for each of the HPSI pumps are supplied with lubricating oil by

two oil pumps, one attached directly to the HPSI pump itself and the other a

separate electric backup pump. Originally the electric oil pumps were

intended to be used during start up of a HPSI pump or to replace a

malfunctioning attached oil pump. The electric oil pumps could be started

manually and would start automatically when the oil pressure decreased below a

certain point. The licensee continues to use this method of control when the

HPSI pumps are used for normal reactor water makeup. However, during

construction, the licensee decided that the HPSI pumps would be more reliable

if the electric lubricating oil pumps ran continuously during emergency

operation. Consequently, the licensee modified the emergency controls to keep

9208280105 ?DR J4E fltc6-S-O

c a0 7 0-3 WI

IN 92-65 September 3, 1992 the electric oil pumps-operating whenever an emergency safety features

actuation system (ESFAS) signal was present. Anticipating that the

simultaneous operation of both oil pumps could cause excessive oil pressure, the licensee added an oil- pressure relief valve to the oil system. However, the relief valve settings were not appropriately selected to prevent oil

spraying from the bearings.

In September 1991, the Gulf States Utilities Company, licensee for the River

Bend Station, discovered that the outlet valves for the hydrogen mixing system

would immediately close if an operator attempted to start up the system by

opening these valves when a loss-of-coolant accident (LOCA) signal was

present. An interlock prevented the mixing system fans from operating with

the outlet valves closed. Consequently, the hydrogen mixing system would have

been inoperable if a LOCA signal were present. This condition had existed

since the plant was constructed.

The River Bend Station is a boiling water reactor with a Mark III containment

structure. This containment structure consists of two chambers, a large outer

primary containment and a drywell which is inside the primary containment and

surrounds the reactor vessel. This system suppresses the steam pressure

released during a LOCA by directing the steam through the suppression pool

water into the primary containment. After the initial pressure suppression is

complete following a LOCA, hydrogen created by the zirconium-water reaction

would be mainly concentrated in the drywell. The hydrogen mixing system is

provided to reduce the concentration of the hydrogen in the drywell by moving

it into the primary containment where it is diluted and reduced in

concentration by the hydrogen recombiners.

The redundant hydrogen mixing systems each have two lines penetrating the

drywell; an outlet line having a recirculating fan to draw suction from the

drywell and an inlet line that allows diluted air to reenter the drywell.

Each of these lines has two isolation valves which are normally closed during

plant operation. In 1983, during construction, the licensee added a LOCA

interlock to the hydrogen mixing system that would automatically close all

eight of the mixing system valves upon receiving a LOCA signal. In 1984, the

licensee revised the control logic for the mixing system valves to

automatically override a LOCA signal when the operator opened the drywell

inlet valves. However, the licensee did not provide this LOCA override

capability for the outlet line valves.

Discussion

In both of these cases, the licensee changed the design with the intention of

increasing the reliability of safety systems. However, because the licensees

did not adequately review and test the designs, these changes introduced

errors that could have prevented the systems from performing their safety

functions as intended.

At Arkansas Nuclear One, the licensee intended to increase the reliability of

the HPSI system by causing both HPSI oil pumps to operate simultaneously when

an ESFAS signal was present. However, the oil pumps had apparently never been

run simultaneously for any extended period untiltthe recent overhaul test.

IN 92-65 September 3, 1992 The licensee routinely conducted the' required periodic pump surveillance tests

with the HPSI operating in the normal-reactor makeup'mode with only one oil

pump running at a time. The licensee tested the effectiveness of the

ESFAS signal during each refueling outage. However, the test only required

verification that the test signal would actuate the HPSI system and did not

result in the simultaneous operation'of the two oil pumps for an extended

time. As a result, neither of these tests revealed the oil leakage problem.

The licensee estimated'that a HPSI 'pump would have performed satisfactorily

for only 80 minutes without-operator action to replenish the oil or to stop

the electric oil pumps. With an ESFAS signal present, the electric oil pumps

cannot be stopped from the control room,'but must be'stopped by opening local

power supply breakers.

The licensee has modified the oil pressure relief'valve settings to minimize

the oil leakage. Procedures were established that instruct the operators to

stop the electric oil pumps 15 minutes after an ESFAS actuation of the pumps.

At River Bend, the control logic to automatically close all of the mixing

system valves was provided to ensure that the drywell integrity would be

restored if a LOCA occurred during a mixing system test with the valves open.

Apparently, the LOCA override for the inlet valves was provided later to

permit the drywell to be depressurized to clear a false LOCA signal that might

be caused by a loss of offsite power. The false LOCA signal could be

generated by the drywell pressure rise that would accompany a loss of drywell

cooling. Since the drywell could be depressurized without opening the outlet

valves, the LOCA override was not provided for these valves. The need to open

the outlet to operate the hydrogen mixing was apparently not considered for

this change. Normal surveillance testing did not reveal this design error

because it was never conducted with a LOCA signal present.

When the licensee discovered this design error, it declared both hydrogen

mixing trains inoperable and commenced shutting down the reactor. The

licensee then developed a LOCA bypass procedure for the hydrogen mixing

system.

These events highlight the importance of thoroughly reviewing any safety- related design change, including considering the effect of the change on all

related systems. The events also show the need for completely testing the

systems affected by the design change under conditions that simulate as nearly

as possible those conditions that are expected to exist when the systems are

needed.

IN 92-65 September 3, 1992 This information notice requires no specific action or written response. If

you have any questions about the information in this notice, please contact

-the technical contact listed below or the appropriate Office of Nuclear

Reactor Regulation (NRR) project manager.

harles E. Rossi, Director'

Division of-Operational Events Assessment

Office of Nuclear Reactor Regulation

Technical contact: Thomas F. Westerman, RIV

(817) 860-8145 Attachment: List of Recently Issued NRC Information Notices

V)Attachment

IN 92-65 September 3, 1992 LIST OF RECENTLY ISSUED

NRC INFORMATION NOTICES

Information Date of

Notice No. Subject Issuance Issued to

92-64 Nozzle Ring Settings 08/28/92 All holders of OLs or CPs

on Low Pressure Water- for nuclear power reactors.

Relief Valves

92-63 Cracked Insulators in 08/26/92 All holders of OLs or CPs

ASL Dry Type Transformers for nuclear power reactors.

Manufactured by Westing- house Electric Corporation

92-62 Emergency Response 08/24/92 All U.S. Nuclear Regulatory

Information Require- Commission licensees.

ments for Radioactive

Material Shipments

92-61 Loss of High Head 08/20/92 All holders of OLs or CPs

Safety Injection for nuclear power reactors.

60 Valve Stem Failure 08/20/92 All holders of OLs or CPs

Caused by Embrittlement for pressurized water

reactors (PWRs).

92-59 Horizontally-Installed 08/18/92 All holders of OLs or CPs

Motor-Operated Gate for nuclear power reactors.

Valves

92-58 Uranium Hexafluoride 08/12/92 All Fuel Cycle Licensees.

Cylinders - Deviations

in Coupling Welds

92-57 Radial Cracking of- 08/11/92 All holders of OLs or CPs

Shroud Support Access for boiling water reactors

Hole Cover Welds (BWRs).

92-56 Counterfeit Valves in 08/06/92 All holders of OLs or CPs

the Commercial Grade for nuclear power reactors.

Supply System

92-55 Current Fire Endurance 07/27/92 All holders of OLs or CPs

Test Results for for nuclear power reactors.

Thermo-Lag Fire Barrier

Material

OL = Operating License

CP = Construction Permit


Retrieved from "https://kanterella.com/w/index.php?title=Information_Notice_1992-65,_Safety_System_Problems_Caused_by_Modifications_That_Were_Not_Adequately_Reviewed_and_Tested&oldid=2200255"