Information Notice 1992-65, Safety System Problems Caused by Modifications That Were Not Adequately Reviewed and Tested

Safety System Problems Caused by Modifications That Were Not Adequately Reviewed and Tested

ML031200373
Person / Time
Site:	Beaver Valley, Millstone, Hatch, Monticello, Calvert Cliffs, Dresden, Davis Besse, Peach Bottom, Browns Ferry, Salem, Oconee, Mcguire, Nine Mile Point, Palisades, Palo Verde, Perry, Indian Point, Fermi, Kewaunee, Catawba, Harris, Wolf Creek, Saint Lucie, Point Beach, Oyster Creek, Watts Bar, Hope Creek, Grand Gulf, Cooper, Sequoyah, Byron, Pilgrim, Arkansas Nuclear, Three Mile Island, Braidwood, Susquehanna, Summer, Prairie Island, Columbia, Seabrook, Brunswick, Surry, Limerick, North Anna, Turkey Point, River Bend, Vermont Yankee, Crystal River, Haddam Neck, Ginna, Diablo Canyon, Callaway, Vogtle, Waterford, Duane Arnold, Farley, Robinson, Clinton, South Texas, San Onofre, Cook, Comanche Peak, Yankee Rowe, Maine Yankee, Quad Cities, Humboldt Bay, La Crosse, Big Rock Point, Rancho Seco, Zion, Midland, Bellefonte, Fort Calhoun, FitzPatrick, McGuire, LaSalle, Fort Saint Vrain, Shoreham, Satsop, Trojan, Atlantic Nuclear Power Plant
Issue date:	09/03/1992
From:	Rossi C Office of Nuclear Reactor Regulation
To:
References
IN-92-065, NUDOCS 9208280105
Download: ML031200373 (5)
v • d • e

v)UNITED STATES NUCLEAR REGULATORY

COMMISSION

OFFICE OF NUCLEAR REACTOR REGULATION_

WASHINGTON, D.C. 20555 6 September

3, 1992 -7 'NRC INFORMATION

NOTICE 92-65: SAFETY SYSTEM PROBLEM flCAUSED BY MODIFICATIONS

THAT WERE NOT ADEQUATE-V

REVIEWED AND TESTED

Addressees

All holders of operating

licenses or construction

permits for nuclear power reactors.

Purpose

The U.S. Nuclear Regulatory

Commission (NRC) is issuing this information

notice to alert addressees

to problems caused by inadequate

review and testing of safety system modifications.

It is expected that recipients

will review the information

for applicability

to their facilities'and

consider actions, as appropriate, to avoid similar problems.

However, suggestions

contained

in this information

notice are not NRC requirements;

therefore, no specific action or written response is required.Description

of Circumstances

The following

describes

two examples of safety system design errors that went undetected

since construction, because design changes were not thoroughly

reviewed and tested.On October 10, 1991, during post overhaul testing, personnel

at Arkansas Nuclear One, Unit 1, observed that one of the high-pressure

safety injection (HPSI) pumps was losing its lubricating

oil at a rate of more than 15 gallons per hour as a result of oil spraying from the bearings.

The licensee found that the oil would always leak at this 'rate during emergency

operation

because of excessive

oil pressure caused by the simultaneous

operation

of two oil -pumps that-served

the HPSI pump. This condition

had-existed

since the plant began operation.

The bearings for each of the HPSI pumps are supplied with lubricating

oil by two oil pumps, one attached directly to the HPSI pump itself and the other a separate electric backup pump. Originally

the electric oil pumps were intended to be used during start up of a HPSI pump or to replace a malfunctioning

attached oil pump. The electric oil pumps could be started manually and would start automatically

when the oil pressure decreased

below a certain point. The licensee continues

to use this method of control when the HPSI pumps are used for normal reactor water makeup. However, during construction, the licensee decided that the HPSI pumps would be more reliable if the electric lubricating

oil pumps ran continuously

during emergency operation.

Consequently, the licensee modified the emergency

controls to keep 9208280105

?DR J4E fltc6-S-O c a0 7 0-3 W I

IN 92-65 September

3, 1992 the electric oil pumps-operating

whenever an emergency

safety features actuation

system (ESFAS) signal was present. Anticipating

that the simultaneous

operation

of both oil pumps could cause excessive

oil pressure, the licensee added an oil- pressure relief valve to the oil system. However, the relief valve settings were not appropriately

selected to prevent oil spraying from the bearings.In September

1991, the Gulf States Utilities

Company, licensee for the River Bend Station, discovered

that the outlet valves for the hydrogen mixing system would immediately

close if an operator attempted

to start up the system by opening these valves when a loss-of-coolant

accident (LOCA) signal was present. An interlock

prevented

the mixing system fans from operating

with the outlet valves closed. Consequently, the hydrogen mixing system would have been inoperable

if a LOCA signal were present. This condition

had existed since the plant was constructed.

The River Bend Station is a boiling water reactor with a Mark III containment

structure.

This containment

structure

consists of two chambers, a large outer primary containment

and a drywell which is inside the primary containment

and surrounds

the reactor vessel. This system suppresses

the steam pressure released during a LOCA by directing

the steam through the suppression

pool water into the primary containment.

After the initial pressure suppression

is complete following

a LOCA, hydrogen created by the zirconium-water

reaction would be mainly concentrated

in the drywell. The hydrogen mixing system is provided to reduce the concentration

of the hydrogen in the drywell by moving it into the primary containment

where it is diluted and reduced in concentration

by the hydrogen recombiners.

The redundant

hydrogen mixing systems each have two lines penetrating

the drywell; an outlet line having a recirculating

fan to draw suction from the drywell and an inlet line that allows diluted air to reenter the drywell.Each of these lines has two isolation

valves which are normally closed during plant operation.

In 1983, during construction, the licensee added a LOCA interlock

to the hydrogen mixing system that would automatically

close all eight of the mixing system valves upon receiving

a LOCA signal. In 1984, the licensee revised the control logic for the mixing system valves to automatically

override a LOCA signal when the operator opened the drywell inlet valves. However, the licensee did not provide this LOCA override capability

for the outlet line valves.Discussion

In both of these cases, the licensee changed the design with the intention

of increasing

the reliability

of safety systems. However, because the licensees did not adequately

review and test the designs, these changes introduced

errors that could have prevented

the systems from performing

their safety functions

as intended.At Arkansas Nuclear One, the licensee intended to increase the reliability

of the HPSI system by causing both HPSI oil pumps to operate simultaneously

when an ESFAS signal was present. However, the oil pumps had apparently

never been run simultaneously

for any extended period untiltthe

recent overhaul test.

IN 92-65 September

3, 1992 The licensee routinely

conducted

the' required periodic pump surveillance

tests with the HPSI operating

in the normal-reactor

makeup'mode

with only one oil pump running at a time. The licensee tested the effectiveness

of the ESFAS signal during each refueling

outage. However, the test only required verification

that the test signal would actuate the HPSI system and did not result in the simultaneous

operation'of

the two oil pumps for an extended time. As a result, neither of these tests revealed the oil leakage problem.The licensee estimated'that

a HPSI 'pump would have performed

satisfactorily

for only 80 minutes without-operator

action to replenish

the oil or to stop the electric oil pumps. With an ESFAS signal present, the electric oil pumps cannot be stopped from the control room,'but

must be'stopped

by opening local power supply breakers.The licensee has modified the oil pressure relief'valve

settings to minimize the oil leakage. Procedures

were established

that instruct the operators

to stop the electric oil pumps 15 minutes after an ESFAS actuation

of the pumps.At River Bend, the control logic to automatically

close all of the mixing system valves was provided to ensure that the drywell integrity

would be restored if a LOCA occurred during a mixing system test with the valves open.Apparently, the LOCA override for the inlet valves was provided later to permit the drywell to be depressurized

to clear a false LOCA signal that might be caused by a loss of offsite power. The false LOCA signal could be generated

by the drywell pressure rise that would accompany

a loss of drywell cooling. Since the drywell could be depressurized

without opening the outlet valves, the LOCA override was not provided for these valves. The need to open the outlet to operate the hydrogen mixing was apparently

not considered

for this change. Normal surveillance

testing did not reveal this design error because it was never conducted

with a LOCA signal present.When the licensee discovered

this design error, it declared both hydrogen mixing trains inoperable

and commenced

shutting down the reactor. The licensee then developed

a LOCA bypass procedure

for the hydrogen mixing system.These events highlight

the importance

of thoroughly

reviewing

any safety-related design change, including

considering

the effect of the change on all related systems. The events also show the need for completely

testing the systems affected by the design change under conditions

that simulate as nearly as possible those conditions

that are expected to exist when the systems are needed.

IN 92-65 September

3, 1992 This information

notice requires no specific action or written response.

If you have any questions

about the information

in this notice, please contact-the technical

contact listed below or the appropriate

Office of Nuclear Reactor Regulation (NRR) project manager.harles E. Rossi, Director'Division of-Operational

Events Assessment

Office of Nuclear Reactor Regulation

Technical

contact: Thomas F. Westerman, RIV (817) 860-8145 Attachment:

List of Recently Issued NRC Information

Notices

V)Attachment

IN 92-65 September

3, 1992 LIST OF RECENTLY ISSUED NRC INFORMATION

NOTICES Information

Date of Notice No. Subject Issuance Issued to 92-64 Nozzle on Low Relief Ring Settings Pressure Water-Valves 92-63 92-62 92-61 60 92-59 92-58 Cracked Insulators

in ASL Dry Type Transformers

Manufactured

by Westing-house Electric Corporation

Emergency

Response Information

Require-ments for Radioactive

Material Shipments Loss of High Head Safety Injection Valve Stem Failure Caused by Embrittlement

Horizontally-Installed

Motor-Operated

Gate Valves Uranium Hexafluoride

Cylinders

-Deviations

in Coupling Welds 08/28/92 08/26/92 08/24/92 08/20/92 08/20/92 08/18/92 08/12/92 All holders of OLs or CPs for nuclear power reactors.All holders of OLs or CPs for nuclear power reactors.All U.S. Nuclear Regulatory

Commission

licensees.

All holders of OLs or CPs for nuclear power reactors.All holders of OLs or CPs for pressurized

water reactors (PWRs).All holders of OLs or CPs for nuclear power reactors.All Fuel Cycle Licensees.

92-57 Radial Cracking of-Shroud Support Access Hole Cover Welds 08/11/92 All holders for boiling (BWRs).of OLs or CPs water reactors 92-56 92-55 Counterfeit

Valves in the Commercial

Grade Supply System Current Fire Endurance Test Results for Thermo-Lag

Fire Barrier Material 08/06/92 07/27/92 All holders of OLs or CPs for nuclear power reactors.All holders of OLs or CPs for nuclear power reactors.OL = Operating

License CP = Construction

Permit