Information Notice 2010-17, Common Cause Failure of Boiling-Water Reactor Recirculation Pumps with Variable Speed Drives: Difference between revisions
StriderTol (talk | contribs) Created page by program invented by StriderTol |
StriderTol (talk | contribs) StriderTol Bot change |
||
| (3 intermediate revisions by the same user not shown) | |||
| Line 3: | Line 3: | ||
| issue date = 09/10/2010 | | issue date = 09/10/2010 | ||
| title = Common Cause Failure of Boiling-Water Reactor Recirculation Pumps with Variable Speed Drives | | title = Common Cause Failure of Boiling-Water Reactor Recirculation Pumps with Variable Speed Drives | ||
| author name = | | author name = Mcginty T, Tracy G | ||
| author affiliation = NRC/NRO, NRC/NRR | | author affiliation = NRC/NRO, NRC/NRR | ||
| addressee name = | | addressee name = | ||
| Line 14: | Line 14: | ||
| page count = 4 | | page count = 4 | ||
}} | }} | ||
{{#Wiki_filter: ML101330321 UNITED STATES NUCLEAR REGULATORY COMMISSION OFFICE OF NUCLEAR REACTOR REGULATION OFFICE OF NEW REACTORS WASHINGTON, DC 20555-0001 September 10, 2010 | {{#Wiki_filter:ML101330321 UNITED STATES | ||
NUCLEAR REGULATORY COMMISSION | |||
OFFICE OF NUCLEAR REACTOR REGULATION | |||
OFFICE OF NEW REACTORS | |||
WASHINGTON, DC 20555-0001 | |||
September 10, 2010 | |||
NRC INFORMATION NOTICE 2010-17: | |||
COMMON CAUSE FAILURE OF BOILING-WATER | |||
REACTOR RECIRCULATION PUMPS WITH | |||
VARIABLE SPEED DRIVES | VARIABLE SPEED DRIVES | ||
==ADDRESSEES== | ==ADDRESSEES== | ||
All holders of an operating license or construction permit for a nuclear power reactor issued under Title 10 of the Code of Federal Regulations (10 CFR) Part 50, | All holders of an operating license or construction permit for a nuclear power reactor issued | ||
under Title 10 of the Code of Federal Regulations (10 CFR) Part 50, Domestic Licensing of | |||
Production and Utilization Facilities, except those who have permanently ceased operations | |||
and have certified that fuel has been permanently removed from the reactor vessel. | |||
All holders of or applicants for a standard design certification, standard design approval, or | |||
combined license issued under 10 CFR Part 52, Licenses, Certifications, and Approvals for | |||
Nuclear Power Plants. | Nuclear Power Plants. | ||
==PURPOSE== | ==PURPOSE== | ||
The U.S. Nuclear Regulatory Commission (NRC) is issuing this information notice (IN) to inform | The U.S. Nuclear Regulatory Commission (NRC) is issuing this information notice (IN) to inform | ||
addressees about two international events at boiling-water reactor (BWR) plants that experienced a common cause failure of all recirculation pumps. The NRC expects that recipients will review this information for applicability to their facilities and consider actions, as appropriate, to avoid similar problems. However, suggestions contained in this IN are not NRC requirements; therefore, no specific action or written response is required. | addressees about two international events at boiling-water reactor (BWR) plants that | ||
experienced a common cause failure of all recirculation pumps. The NRC expects that | |||
recipients will review this information for applicability to their facilities and consider actions, as | |||
appropriate, to avoid similar problems. However, suggestions contained in this IN are not NRC | |||
requirements; therefore, no specific action or written response is required. | |||
==DESCRIPTION OF CIRCUMSTANCES== | ==DESCRIPTION OF CIRCUMSTANCES== | ||
On June 13, 2008, at Forsmark Unit 2 in Sweden, lightning strikes caused a short circuit on the | On June 13, 2008, at Forsmark Unit 2 in Sweden, lightning strikes caused a short circuit on the | ||
offsite power grid. This resulted in a transient that tripped all eight reactor recirculation pumps. | |||
recirculation pump | Each recirculation pump circuit contains an integral flywheel to prevent a rapid reduction in | ||
pump speed. The mass of the rotating flywheel stores mechanical energy that is converted to | |||
On May 30, 2008, Olkiluoto Unit 1 in Finland had a reactor trip from 60 percent power. An electrical transient resulted in a common cause failure that caused all six recirculation pumps to stop unexpectedly. Although the coastdown of the recirculation pumps was shorter than expected, the transient had no effect on fuel integrity. | electrical power by a flywheel-generator and inverter/rectifier to continue to power the drive | ||
system DC-bus (one DC-bus common for two pump-drive inverters) upon a dip in or loss of the | |||
normal electrical power. When the inverter/rectifier is operable, the alternate power allows for | |||
an unchanged pump speed (in case of power dips) or a more gradual reduction in pump speed | |||
(in case of significant loss, signaled by equipment protection). In the case of a reactor | |||
recirculation pump, the coastdown produces a correspondingly more gradual reduction in | |||
recirculation flow. However, at Forsmark Unit 2, the lightning strike tripped the normal electric | |||
power rectifier due to a sensitive protection setting; furthermore, due to a design flaw, the | |||
protective action was not signaled to the inverter/rectifier controller for the flywheel-generator. As a result, the recirculation pump motors rapidly consumed the flywheel-generators stored | |||
energy. With no available energy storage, the recirculation pumps reduced speed faster than | |||
the assumed transient analyses in the Forsmark Unit 2 safety analysis report. The reduced | |||
coastdown time resulted in a short violation of the safety limit minimum critical power ratio on | |||
84 core channels/fuel elements and a transient dryout condition in 18 of those core channels. | |||
Based on its review of the analysis and inspection results that revealed no fuel damage, the | |||
Swedish Radiation Safety Authority granted the licensees request for continued use of the | |||
affected fuel. | |||
On May 30, 2008, Olkiluoto Unit 1 in Finland had a reactor trip from 60 percent power. An | |||
electrical transient resulted in a common cause failure that caused all six recirculation pumps to | |||
stop unexpectedly. Although the coastdown of the recirculation pumps was shorter than | |||
expected, the transient had no effect on fuel integrity. | |||
==BACKGROUND== | ==BACKGROUND== | ||
Related NRC Generic Communications include the following: | Related NRC Generic Communications include the following: | ||
* NRC IN 96-56, | |||
* NRC IN 96-56, Problems Associated with Testing, Tuning, or Resetting of Digital Control | |||
Systems While at Power, dated October 22, 1996 (Agencywide Documents Access and | |||
Management System (ADAMS) Accession No. ML031050587). This IN highlighted the | |||
importance of evaluating and controlling on-line manipulations of digital control systems, such as resetting a processor or performing on-line software changes, to avoid reactor | |||
transients and plant trips. | transients and plant trips. | ||
* IN 2010-10, | * IN 2010-10, Implementation of a Digital Control System under 10 CFR 50.59, dated | ||
analysis is performed as part of the design process to ensure that the plant has adequate capability to cope with software common-cause failure vulnerabilities. | May 28, 2010 (ADAMS Accession No. ML100080281). This IN discusses that for digital | ||
upgrades to systems that are highly safety-significant, a defense-in-depth and diversity | |||
analysis is performed as part of the design process to ensure that the plant has adequate | |||
capability to cope with software common-cause failure vulnerabilities. | |||
==DISCUSSION== | ==DISCUSSION== | ||
Unlike Olkiluoto Unit 1 and Forsmark Unit 2, U.S. BWRs do not have recirculation pump designs that rely on energy storage separate from the recirculation pump motor and generator that could influence recirculation system flow following a scram. In the U.S. BWR designs, the combined rotating inertias of the recirculation pump and motor, the motor generator set, and the variable speed coupling are used to provide a relatively slow coastdown of flow following loss of power to the drive motors which helps ensure that the core is adequately cooled. | Unlike Olkiluoto Unit 1 and Forsmark Unit 2, U.S. BWRs do not have recirculation pump designs | ||
that rely on energy storage separate from the recirculation pump motor and generator that could | |||
influence recirculation system flow following a scram. In the U.S. BWR designs, the combined | |||
rotating inertias of the recirculation pump and motor, the motor generator set, and the variable | |||
speed coupling are used to provide a relatively slow coastdown of flow following loss of power | |||
to the drive motors which helps ensure that the core is adequately cooled. | |||
The specific common cause failure that occurred at Olkiluoto and Forsmark is not an issue for | |||
U.S. BWRs. However, digital variable speed drive (VSD) technology may increase the | |||
complexity of the recirculation pump control system and may introduce new failure modes such | |||
as software programming errors, network problems, loss of power, and the failure of control | |||
boards, that can lead to unplanned changes in pump speed. Previous operating experience for | |||
recirculation pump VSD includes instances of unintentional reactivity changes during power | |||
operation. Although the recirculation pump motors are generally non-safety related, as the | |||
industry upgrades their systems to digital VSD, it is important that licensees understand the potential unexpected recirculation pump behaviors that might affect core reactivity or safety | |||
limits. As part of the design process when upgrading to digital VSD technology on recirculation | |||
pump systems, the following are important considerations: | |||
* | * | ||
Perform evaluations to identify failure modes for digital VSDs to include sources of | |||
* Ensure the reactor protection system maintains plant safety within its design basis even with a common-cause failure. | common-cause failure, such as software. | ||
* | |||
Determine if the consequences of a digital VSD common-cause failure could lead to | |||
reactivity events that have not been analyzed in the plant safety analysis. | |||
* | |||
Ensure the reactor protection system maintains plant safety within its design basis even | |||
with a common-cause failure. | |||
==CONTACT== | ==CONTACT== | ||
This IN requires no specific action or written response. Please direct any questions about this matter to the technical contacts listed below or the appropriate Office of Nuclear Reactor Regulation (NRR) project manager. | This IN requires no specific action or written response. Please direct any questions about this | ||
Timothy McGinty, Director Glenn Tracy, Director Division of Policy and Rulemaking Division of Construction Inspection and Office of Nuclear Reactor Regulation | |||
matter to the technical contacts listed below or the appropriate Office of Nuclear Reactor | |||
Regulation (NRR) project manager. | |||
/RA/ | |||
/RA by JTappert for/ | |||
Timothy McGinty, Director | |||
Glenn Tracy, Director | |||
Division of Policy and Rulemaking | |||
Division of Construction Inspection and | |||
Office of Nuclear Reactor Regulation | |||
Operational Programs | |||
Office of New Reactors | |||
Technical Contacts: Joseph Giantelli, NRR | |||
Pong Chung, NRR | |||
301-415-0504 | |||
301-415-2473 | |||
E-mail: joseph.giantelli@nrc.gov | |||
E-mail: pong.chung@nrc.gov | |||
Note: NRC generic communications may be found on the NRC public Web site, http://www.nrc.gov, under Electronic Reading Room/Document Collections. potential unexpected recirculation pump behaviors that might affect core reactivity or safety | |||
limits. As part of the design process when upgrading to digital VSD technology on recirculation | |||
pump systems, the following are important considerations: | |||
* | |||
Perform evaluations to identify failure modes for digital VSDs to include sources of | |||
common-cause failure, such as software. | |||
* Determine if the consequences of a digital VSD common-cause failure could lead to | * | ||
Determine if the consequences of a digital VSD common-cause failure could lead to | |||
* Ensure the reactor protection system maintains plant safety within its design basis even with a common-cause failure. | reactivity events that have not been analyzed in the plant safety analysis. | ||
* | |||
Ensure the reactor protection system maintains plant safety within its design basis even | |||
with a common-cause failure. | |||
==CONTACT== | ==CONTACT== | ||
This IN requires no specific action or written response. Please direct any questions about this matter to the technical contacts listed below or the appropriate Office of Nuclear Reactor Regulation (NRR) project manager. | This IN requires no specific action or written response. Please direct any questions about this | ||
Timothy McGinty, Director Glenn Tracy, Director | |||
matter to the technical contacts listed below or the appropriate Office of Nuclear Reactor | |||
Regulation (NRR) project manager. | |||
/RA/ | |||
/RA by JTappert for/ | |||
Timothy McGinty, Director | |||
Glenn Tracy, Director | |||
Division of Policy and Rulemaking | |||
Division of Construction Inspection and | |||
}} | Office of Nuclear Reactor Regulation | ||
Operational Programs | |||
Office of New Reactors | |||
Technical Contacts: Joseph Giantelli, NRR | |||
Pong Chung, NRR | |||
301-415-0504 | |||
301-415-2473 | |||
E-mail: joseph.giantelli@nrc.gov | |||
E-mail: pong.chung@nrc.gov | |||
Note: NRC generic communications may be found on the NRC public Web site, http://www.nrc.gov, under Electronic Reading Room/Document Collections. | |||
ADAMS Accession Number: ML101330321 | |||
TAC ME3898 OFFICE DIRS/IOEB | |||
DE/EICB | |||
Tech Editor | |||
BC/DIRS/IOEB | |||
BC/D/EICB | |||
D/NRR/DE | |||
NAME | |||
JGiantelli | |||
PChung | |||
CHsu | |||
JThorp | |||
BKemper | |||
PHiland | |||
DATE | |||
07/27/10 | |||
07/27/10 | |||
08/15/10 e-mail 07/27/10 | |||
07/27/10 | |||
07/28/10 | |||
OFFICE NRR/PGCB | |||
NRR/PGCB | |||
BC/NRR/PGCB DD/OIP | |||
D/NRO/DCIP | |||
D/NRR/ DPR | |||
NAME | |||
CHawes | |||
DBeaulieu | |||
SRosenberg | |||
SMoore | |||
GTracy JTappert | |||
for | |||
TMcGinty | |||
OFFICE 08/26/10 | |||
08/25/10 | |||
08/26/10 | |||
09/09/10 | |||
09/10/10 | |||
09/10/10 | |||
OFFICIAL RECORD COPY}} | |||
{{Information notice-Nav}} | {{Information notice-Nav}} | ||
Latest revision as of 05:58, 14 January 2025
| ML101330321 | |
| Person / Time | |
|---|---|
| Issue date: | 09/10/2010 |
| From: | Mcginty T, Tracy G Office of New Reactors, Office of Nuclear Reactor Regulation |
| To: | |
| Joseph Giantelli, NRR/DIRS/IOEB | |
| References | |
| IN-10-017 | |
| Download: ML101330321 (4) | |
ML101330321 UNITED STATES
NUCLEAR REGULATORY COMMISSION
OFFICE OF NUCLEAR REACTOR REGULATION
OFFICE OF NEW REACTORS
WASHINGTON, DC 20555-0001
September 10, 2010
NRC INFORMATION NOTICE 2010-17:
COMMON CAUSE FAILURE OF BOILING-WATER
REACTOR RECIRCULATION PUMPS WITH
VARIABLE SPEED DRIVES
ADDRESSEES
All holders of an operating license or construction permit for a nuclear power reactor issued
under Title 10 of the Code of Federal Regulations (10 CFR) Part 50, Domestic Licensing of
Production and Utilization Facilities, except those who have permanently ceased operations
and have certified that fuel has been permanently removed from the reactor vessel.
All holders of or applicants for a standard design certification, standard design approval, or
combined license issued under 10 CFR Part 52, Licenses, Certifications, and Approvals for
Nuclear Power Plants.
PURPOSE
The U.S. Nuclear Regulatory Commission (NRC) is issuing this information notice (IN) to inform
addressees about two international events at boiling-water reactor (BWR) plants that
experienced a common cause failure of all recirculation pumps. The NRC expects that
recipients will review this information for applicability to their facilities and consider actions, as
appropriate, to avoid similar problems. However, suggestions contained in this IN are not NRC
requirements; therefore, no specific action or written response is required.
DESCRIPTION OF CIRCUMSTANCES
On June 13, 2008, at Forsmark Unit 2 in Sweden, lightning strikes caused a short circuit on the
offsite power grid. This resulted in a transient that tripped all eight reactor recirculation pumps.
Each recirculation pump circuit contains an integral flywheel to prevent a rapid reduction in
pump speed. The mass of the rotating flywheel stores mechanical energy that is converted to
electrical power by a flywheel-generator and inverter/rectifier to continue to power the drive
system DC-bus (one DC-bus common for two pump-drive inverters) upon a dip in or loss of the
normal electrical power. When the inverter/rectifier is operable, the alternate power allows for
an unchanged pump speed (in case of power dips) or a more gradual reduction in pump speed
(in case of significant loss, signaled by equipment protection). In the case of a reactor
recirculation pump, the coastdown produces a correspondingly more gradual reduction in
recirculation flow. However, at Forsmark Unit 2, the lightning strike tripped the normal electric
power rectifier due to a sensitive protection setting; furthermore, due to a design flaw, the
protective action was not signaled to the inverter/rectifier controller for the flywheel-generator. As a result, the recirculation pump motors rapidly consumed the flywheel-generators stored
energy. With no available energy storage, the recirculation pumps reduced speed faster than
the assumed transient analyses in the Forsmark Unit 2 safety analysis report. The reduced
coastdown time resulted in a short violation of the safety limit minimum critical power ratio on
84 core channels/fuel elements and a transient dryout condition in 18 of those core channels.
Based on its review of the analysis and inspection results that revealed no fuel damage, the
Swedish Radiation Safety Authority granted the licensees request for continued use of the
affected fuel.
On May 30, 2008, Olkiluoto Unit 1 in Finland had a reactor trip from 60 percent power. An
electrical transient resulted in a common cause failure that caused all six recirculation pumps to
stop unexpectedly. Although the coastdown of the recirculation pumps was shorter than
expected, the transient had no effect on fuel integrity.
BACKGROUND
Related NRC Generic Communications include the following:
- NRC IN 96-56, Problems Associated with Testing, Tuning, or Resetting of Digital Control
Systems While at Power, dated October 22, 1996 (Agencywide Documents Access and
Management System (ADAMS) Accession No. ML031050587). This IN highlighted the
importance of evaluating and controlling on-line manipulations of digital control systems, such as resetting a processor or performing on-line software changes, to avoid reactor
transients and plant trips.
- IN 2010-10, Implementation of a Digital Control System under 10 CFR 50.59, dated
May 28, 2010 (ADAMS Accession No. ML100080281). This IN discusses that for digital
upgrades to systems that are highly safety-significant, a defense-in-depth and diversity
analysis is performed as part of the design process to ensure that the plant has adequate
capability to cope with software common-cause failure vulnerabilities.
DISCUSSION
Unlike Olkiluoto Unit 1 and Forsmark Unit 2, U.S. BWRs do not have recirculation pump designs
that rely on energy storage separate from the recirculation pump motor and generator that could
influence recirculation system flow following a scram. In the U.S. BWR designs, the combined
rotating inertias of the recirculation pump and motor, the motor generator set, and the variable
speed coupling are used to provide a relatively slow coastdown of flow following loss of power
to the drive motors which helps ensure that the core is adequately cooled.
The specific common cause failure that occurred at Olkiluoto and Forsmark is not an issue for
U.S. BWRs. However, digital variable speed drive (VSD) technology may increase the
complexity of the recirculation pump control system and may introduce new failure modes such
as software programming errors, network problems, loss of power, and the failure of control
boards, that can lead to unplanned changes in pump speed. Previous operating experience for
recirculation pump VSD includes instances of unintentional reactivity changes during power
operation. Although the recirculation pump motors are generally non-safety related, as the
industry upgrades their systems to digital VSD, it is important that licensees understand the potential unexpected recirculation pump behaviors that might affect core reactivity or safety
limits. As part of the design process when upgrading to digital VSD technology on recirculation
pump systems, the following are important considerations:
Perform evaluations to identify failure modes for digital VSDs to include sources of
common-cause failure, such as software.
Determine if the consequences of a digital VSD common-cause failure could lead to
reactivity events that have not been analyzed in the plant safety analysis.
Ensure the reactor protection system maintains plant safety within its design basis even
with a common-cause failure.
CONTACT
This IN requires no specific action or written response. Please direct any questions about this
matter to the technical contacts listed below or the appropriate Office of Nuclear Reactor
Regulation (NRR) project manager.
/RA/
/RA by JTappert for/
Timothy McGinty, Director
Glenn Tracy, Director
Division of Policy and Rulemaking
Division of Construction Inspection and
Office of Nuclear Reactor Regulation
Operational Programs
Office of New Reactors
Technical Contacts: Joseph Giantelli, NRR
Pong Chung, NRR
301-415-0504
301-415-2473
E-mail: joseph.giantelli@nrc.gov
E-mail: pong.chung@nrc.gov
Note: NRC generic communications may be found on the NRC public Web site, http://www.nrc.gov, under Electronic Reading Room/Document Collections. potential unexpected recirculation pump behaviors that might affect core reactivity or safety
limits. As part of the design process when upgrading to digital VSD technology on recirculation
pump systems, the following are important considerations:
Perform evaluations to identify failure modes for digital VSDs to include sources of
common-cause failure, such as software.
Determine if the consequences of a digital VSD common-cause failure could lead to
reactivity events that have not been analyzed in the plant safety analysis.
Ensure the reactor protection system maintains plant safety within its design basis even
with a common-cause failure.
CONTACT
This IN requires no specific action or written response. Please direct any questions about this
matter to the technical contacts listed below or the appropriate Office of Nuclear Reactor
Regulation (NRR) project manager.
/RA/
/RA by JTappert for/
Timothy McGinty, Director
Glenn Tracy, Director
Division of Policy and Rulemaking
Division of Construction Inspection and
Office of Nuclear Reactor Regulation
Operational Programs
Office of New Reactors
Technical Contacts: Joseph Giantelli, NRR
Pong Chung, NRR
301-415-0504
301-415-2473
E-mail: joseph.giantelli@nrc.gov
E-mail: pong.chung@nrc.gov
Note: NRC generic communications may be found on the NRC public Web site, http://www.nrc.gov, under Electronic Reading Room/Document Collections.
ADAMS Accession Number: ML101330321
TAC ME3898 OFFICE DIRS/IOEB
DE/EICB
Tech Editor
BC/DIRS/IOEB
BC/D/EICB
D/NRR/DE
NAME
JGiantelli
PChung
JThorp
BKemper
PHiland
DATE
07/27/10
07/27/10
08/15/10 e-mail 07/27/10
07/27/10
07/28/10
OFFICE NRR/PGCB
NRR/PGCB
BC/NRR/PGCB DD/OIP
D/NRO/DCIP
D/NRR/ DPR
NAME
CHawes
DBeaulieu
SRosenberg
SMoore
GTracy JTappert
for
TMcGinty
OFFICE 08/26/10
08/25/10
08/26/10
09/09/10
09/10/10
09/10/10
OFFICIAL RECORD COPY