Information Notice 2005-04, Single-Failure and Fire Vulnerability of Redundant Electrical Safety Buses: Difference between revisions


Revision as of 11:51, 4 March 2018

Single-Failure and Fire Vulnerability of Redundant Electrical Safety Buses
ML050400090
Person / Time
Issue date: 02/14/2005
From: Hiland P L
NRC/NRR/DIPM/IROB
To:
Koshy T, NRR/DE/EEIB, 415-1176
References
IN-05-004
Download: ML050400090 (4)


February 14, 2005

NRC INFORMATION NOTICE 2005-04: SINGLE-FAILURE AND FIRE VULNERABILITY OF REDUNDANT ELECTRICAL SAFETY BUSES

ADDRESSEES

All holders of operating licenses for nuclear reactors, except those who have permanently ceased operations and have certified that fuel has been permanently removed from the reactor vessel.

PURPOSE

The U.S. Nuclear Regulatory Commission (NRC) is issuing this information notice to inform addressees of a potential single-failure and fire vulnerability whereby a circuit failure could result in bus lockouts and prevent the reenergization of the redundant electrical safety buses. It is expected that recipients will review the information for applicability to their facilities and consider appropriate actions to avoid similar problems. However, suggestions contained in this information notice are not NRC requirements; therefore, no specific action or written response is required.

DESCRIPTION OF CIRCUMSTANCES

On January 27, 2005, during a triennial fire protection inspection of the Crystal River nuclear station, NRC inspectors discovered an electrical protection and metering circuit which, if damaged, could electrically lock out redundant safety buses and prevent reenergization of the buses both from offsite power sources and emergency diesel generators (EDGs).

The power sources for the safety buses generally consist of two offsite power supplies, both of which are designed to supply power to each of the safety buses. The normal bus alignment has one offsite power supply selected as the source for each safety bus. Each safety bus also has one EDG as a standby power source. The electrical protection and metering system uses current transformers (CTs) for measuring power consumption and sensing overloads and faulted conditions. At Crystal River, the electrical protection and metering circuit for each offsite power supply included three CTs at the feeder breaker to each safety bus, phase overcurrent relays, and ground overcurrent relays, all connected in a basic residual scheme. The circuit also included one watt-hour meter which would sum the power to both safety buses. This interconnection of a protection and metering circuit between two safety buses was identified by the inspectors as a common-mode failure vulnerability. A failure on this interconnected circuit (e.g., a fire-induced cable fault or watt-hour meter failure) would be interpreted by the protection system as an electrical bus fault on both safety buses. Consequently, the relay logic would lock out both redundant safety buses and prevent reenergization from any power source.

The licensee has modified the wiring in the overcurrent protection circuits to align each monitoring circuit to one safety bus and to disconnect the watt-hour meter. In this corrected configuration, each circuit is contained within one switchgear, a single fault will affect only one safety bus, and a fire in any area (e.g., at the watt-hour meters in the main control room) will not affect safety buses that are relied upon for safe shutdown.

BACKGROUND

The design function (to prevent single-failure vulnerabilities) is implemented through train-specific metering, monitoring, and protection systems to limit the probability of worst-case failures to a single train. Whenever a signal is needed by the redundant train, the signal is electrically isolated (i.e., any potential failure or its deleterious effects cannot be transmitted to the redundant train). The redundant safety buses are expected to be fully independent (i.e., neither component failure, degradation of equipment, nor electrical faults could disable both trains). NRC regulations in Title 10 of the Code of Federal Regulations (CFR), Part 50.55a(h)(2), require protection systems to meet IEEE Std 279-1971, "Criteria for Protection Systems for Nuclear Power Generating Stations." This standard requires all electric and mechanical components (e.g., from sensors to actuation devices) to be free from single-failure vulnerability. That is, no single failure in the protection system shall prevent proper protective actions at the system level.

General Design Criterion (GDC) 17 of 10 CFR Part 50, Appendix A, states that "The onsite electric power supplies...and the onsite electric distribution system... shall have sufficient independence [and] redundancy ....to perform their safety functions assuming a single failure."

There may be other plant-specific commitments for keeping the plant configuration free of single-failure vulnerability.

DISCUSSION

The design deficiency identified at Crystal River had a protection scheme that used CTs for monitoring and metering power flow. The CTs installed on power feeders to redundant safety buses were electrically connected to generate a selective tripping scheme to isolate overcurrent and ground fault conditions on the bus. This design is economical but results in a common-mode failure vulnerability disabling two redundant trains of safety buses. Further, the CT outputs from redundant safety buses were also connected to the same watt-hour meter, resulting in the same vulnerability to common-mode failure.

The significance of such a vulnerability is that the failure of redundant buses generally disables most of the accident mitigation/emergency core cooling systems, except the steam-driven systems actuated by DC power. Such electrical failures cannot be isolated with a reasonable chance of system recovery without expert help because of the interdependent electrical protection system. In most cases, manually closing the breaker will result in a prompt trip. This is because the logic is designed to prevent such operations when actual fault conditions persist. Similar problems could exist in the buses that supply related plant pumping systems (e.g., reactor coolant pumps, circulating water pumps, service water pumps), where a single failure could disable the full system of pumps connected to different buses.

Similar common-mode failure vulnerabilities were identified at Quad Cities, Dresden, LaSalle, Prairie Island, and Monticello.

GENERIC IMPLICATIONS

After reviewing the events at the six sites (10 units), the staff concludes that such deficiencies are potentially wide-spread with varying levels of risk significance depending on plant-specific, unique design configurations.
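The following Python model is an added illustration and is not part of the notice. It represents, as a constructed dependency map, which protection and metering components feed each safety bus's lockout logic, then enumerates every single component failure and every single fire area to find failures that would lock out both redundant buses; component and fire-area names are assumed for the example.

```python
# Constructed model (not from the notice): the components whose failure each
# safety bus's lockout logic would interpret as a bus fault. A bus that locks
# out cannot be re-energized from offsite power or from its EDG.
BEFORE = {  # interconnected circuit: both buses share the residual scheme and one meter
    "bus_A": {"ct_A", "oc_relay_A", "gnd_relay_A", "residual_circuit_AB", "watt_hour_meter"},
    "bus_B": {"ct_B", "oc_relay_B", "gnd_relay_B", "residual_circuit_AB", "watt_hour_meter"},
}
AFTER = {  # corrected: each circuit confined to one switchgear, meter disconnected
    "bus_A": {"ct_A", "oc_relay_A", "gnd_relay_A"},
    "bus_B": {"ct_B", "oc_relay_B", "gnd_relay_B"},
}
# Assumed fire areas: every component in an area is lost together in a fire there.
AREAS = {
    "switchgear_A": {"ct_A", "oc_relay_A", "gnd_relay_A"},
    "switchgear_B": {"ct_B", "oc_relay_B", "gnd_relay_B"},
    "cable_spreading_room": {"residual_circuit_AB"},
    "main_control_room": {"watt_hour_meter"},
}


def buses_locked_out(config, failed_components):
    """Buses whose lockout logic reads at least one of the failed components."""
    failed = set(failed_components)
    return sorted(bus for bus, deps in config.items() if deps & failed)


def single_failure_violations(config):
    """Single component failures that lock out more than one redundant bus."""
    components = set().union(*config.values())
    hits = {c: buses_locked_out(config, {c}) for c in components}
    return {c: buses for c, buses in sorted(hits.items()) if len(buses) > 1}


def fire_area_violations(config, areas):
    """Single fire areas whose loss locks out more than one redundant bus."""
    hits = {a: buses_locked_out(config, lost) for a, lost in areas.items()}
    return {a: buses for a, buses in sorted(hits.items()) if len(buses) > 1}


if __name__ == "__main__":
    for label, cfg in (("before modification", BEFORE), ("after modification", AFTER)):
        print(label, "single failures:", single_failure_violations(cfg))
        print(label, "fire areas:", fire_area_violations(cfg, AREAS))
```

Before the modification, the shared residual circuit and the watt-hour meter each lock out both buses; after it, no single component and no single fire area does.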

CONTACT

This information notice requires no specific action or written response. Please direct any questions about this matter to the technical contact listed below or the appropriate Office of Nuclear Reactor Regulation (NRR) project manager.

/RA/

Patrick L. Hiland, Chief
Reactor Operations Branch
Division of Inspection Program Management
Office of Nuclear Reactor Regulation

Technical Contact:

Thomas Koshy, NRR/EEIB
301-415-1176
E-mail: txk@nrc.gov

Note: NRC generic communications may be found on the NRC public Web site, http://www.nrc.gov, under Electronic Reading Room/Document Collection.

IN 2005-04