Information Notice 1992-65, Safety System Problems Caused by Modifications That Were Not Adequately Reviewed and Tested

From kanterella
Revision as of 03:21, 24 November 2019 by StriderTol (talk | contribs) (Created page by program invented by StriderTol)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search
Safety System Problems Caused by Modifications That Were Not Adequately Reviewed and Tested
ML031200373
Person / Time
Site: Beaver Valley, Millstone, Hatch, Monticello, Calvert Cliffs, Dresden, Davis Besse, Peach Bottom, Browns Ferry, Salem, Oconee, Mcguire, Nine Mile Point, Palisades, Palo Verde, Perry, Indian Point, Fermi, Kewaunee, Catawba, Harris, Wolf Creek, Saint Lucie, Point Beach, Oyster Creek, Watts Bar, Hope Creek, Grand Gulf, Cooper, Sequoyah, Byron, Pilgrim, Arkansas Nuclear, Three Mile Island, Braidwood, Susquehanna, Summer, Prairie Island, Columbia, Seabrook, Brunswick, Surry, Limerick, North Anna, Turkey Point, River Bend, Vermont Yankee, Crystal River, Haddam Neck, Ginna, Diablo Canyon, Callaway, Vogtle, Waterford, Duane Arnold, Farley, Robinson, Clinton, South Texas, San Onofre, Cook, Comanche Peak, Yankee Rowe, Maine Yankee, Quad Cities, Humboldt Bay, La Crosse, Big Rock Point, Rancho Seco, Zion, Midland, Bellefonte, Fort Calhoun, FitzPatrick, McGuire, LaSalle, Fort Saint Vrain, Shoreham, Satsop, Trojan, Atlantic Nuclear Power Plant  Entergy icon.png
Issue date: 09/03/1992
From: Rossi C
Office of Nuclear Reactor Regulation
To:
References
IN-92-065, NUDOCS 9208280105
Download: ML031200373 (5)
v  d  e


v)

UNITED STATES

NUCLEAR REGULATORY COMMISSION

OFFICE OF NUCLEAR REACTOR REGULATION_

WASHINGTON, D.C. 20555 6 September 3, 1992 -

7 '

NRC INFORMATION NOTICE 92-65: SAFETY SYSTEM PROBLEM flCAUSED BY MODIFICATIONS

THAT WERE NOT ADEQUATE-V REVIEWED AND TESTED

Addressees

All holders of operating licenses or construction permits for nuclear power

reactors.

Purpose

The U.S. Nuclear Regulatory Commission (NRC) is issuing this information

notice to alert addressees to problems caused by inadequate review and testing

of safety system modifications. It is expected that recipients will review

the information for applicability to their facilities'and consider actions, as

appropriate, to avoid similar problems. However, suggestions contained in

this information notice are not NRC requirements; therefore, no specific

action or written response is required.

Description of Circumstances

The following describes two examples of safety system design errors that went

undetected since construction, because design changes were not thoroughly

reviewed and tested.

On October 10, 1991, during post overhaul testing, personnel at Arkansas

Nuclear One, Unit 1, observed that one of the high-pressure safety injection

(HPSI) pumps was losing its lubricating oil at a rate of more than 15 gallons

per hour as a result of oil spraying from the bearings. The licensee found

that the oil would always leak at this 'rate during emergency operation because

of excessive oil pressure caused by the simultaneous operation of two oil -

pumps that-served the HPSI pump. This condition had-existed since the plant

began operation.

The bearings for each of the HPSI pumps are supplied with lubricating oil by

two oil pumps, one attached directly to the HPSI pump itself and the other a

separate electric backup pump. Originally the electric oil pumps were

intended to be used during start up of a HPSI pump or to replace a

malfunctioning attached oil pump. The electric oil pumps could be started

manually and would start automatically when the oil pressure decreased below a

certain point. The licensee continues to use this method of control when the

HPSI pumps are used for normal reactor water makeup. However, during

construction, the licensee decided that the HPSI pumps would be more reliable

if the electric lubricating oil pumps ran continuously during emergency

operation. Consequently, the licensee modified the emergency controls to keep

9208280105 ?DR J4E fltc6-S-O

c a0 7 0-3 WI

IN 92-65 September 3, 1992 the electric oil pumps-operating whenever an emergency safety features

actuation system (ESFAS) signal was present. Anticipating that the

simultaneous operation of both oil pumps could cause excessive oil pressure, the licensee added an oil- pressure relief valve to the oil system. However, the relief valve settings were not appropriately selected to prevent oil

spraying from the bearings.

In September 1991, the Gulf States Utilities Company, licensee for the River

Bend Station, discovered that the outlet valves for the hydrogen mixing system

would immediately close if an operator attempted to start up the system by

opening these valves when a loss-of-coolant accident (LOCA) signal was

present. An interlock prevented the mixing system fans from operating with

the outlet valves closed. Consequently, the hydrogen mixing system would have

been inoperable if a LOCA signal were present. This condition had existed

since the plant was constructed.

The River Bend Station is a boiling water reactor with a Mark III containment

structure. This containment structure consists of two chambers, a large outer

primary containment and a drywell which is inside the primary containment and

surrounds the reactor vessel. This system suppresses the steam pressure

released during a LOCA by directing the steam through the suppression pool

water into the primary containment. After the initial pressure suppression is

complete following a LOCA, hydrogen created by the zirconium-water reaction

would be mainly concentrated in the drywell. The hydrogen mixing system is

provided to reduce the concentration of the hydrogen in the drywell by moving

it into the primary containment where it is diluted and reduced in

concentration by the hydrogen recombiners.

The redundant hydrogen mixing systems each have two lines penetrating the

drywell; an outlet line having a recirculating fan to draw suction from the

drywell and an inlet line that allows diluted air to reenter the drywell.

Each of these lines has two isolation valves which are normally closed during

plant operation. In 1983, during construction, the licensee added a LOCA

interlock to the hydrogen mixing system that would automatically close all

eight of the mixing system valves upon receiving a LOCA signal. In 1984, the

licensee revised the control logic for the mixing system valves to

automatically override a LOCA signal when the operator opened the drywell

inlet valves. However, the licensee did not provide this LOCA override

capability for the outlet line valves.

Discussion

In both of these cases, the licensee changed the design with the intention of

increasing the reliability of safety systems. However, because the licensees

did not adequately review and test the designs, these changes introduced

errors that could have prevented the systems from performing their safety

functions as intended.

At Arkansas Nuclear One, the licensee intended to increase the reliability of

the HPSI system by causing both HPSI oil pumps to operate simultaneously when

an ESFAS signal was present. However, the oil pumps had apparently never been

run simultaneously for any extended period untiltthe recent overhaul test.

IN 92-65 September 3, 1992 The licensee routinely conducted the' required periodic pump surveillance tests

with the HPSI operating in the normal-reactor makeup'mode with only one oil

pump running at a time. The licensee tested the effectiveness of the

ESFAS signal during each refueling outage. However, the test only required

verification that the test signal would actuate the HPSI system and did not

result in the simultaneous operation'of the two oil pumps for an extended

time. As a result, neither of these tests revealed the oil leakage problem.

The licensee estimated'that a HPSI 'pump would have performed satisfactorily

for only 80 minutes without-operator action to replenish the oil or to stop

the electric oil pumps. With an ESFAS signal present, the electric oil pumps

cannot be stopped from the control room,'but must be'stopped by opening local

power supply breakers.

The licensee has modified the oil pressure relief'valve settings to minimize

the oil leakage. Procedures were established that instruct the operators to

stop the electric oil pumps 15 minutes after an ESFAS actuation of the pumps.

At River Bend, the control logic to automatically close all of the mixing

system valves was provided to ensure that the drywell integrity would be

restored if a LOCA occurred during a mixing system test with the valves open.

Apparently, the LOCA override for the inlet valves was provided later to

permit the drywell to be depressurized to clear a false LOCA signal that might

be caused by a loss of offsite power. The false LOCA signal could be

generated by the drywell pressure rise that would accompany a loss of drywell

cooling. Since the drywell could be depressurized without opening the outlet

valves, the LOCA override was not provided for these valves. The need to open

the outlet to operate the hydrogen mixing was apparently not considered for

this change. Normal surveillance testing did not reveal this design error

because it was never conducted with a LOCA signal present.

When the licensee discovered this design error, it declared both hydrogen

mixing trains inoperable and commenced shutting down the reactor. The

licensee then developed a LOCA bypass procedure for the hydrogen mixing

system.

These events highlight the importance of thoroughly reviewing any safety- related design change, including considering the effect of the change on all

related systems. The events also show the need for completely testing the

systems affected by the design change under conditions that simulate as nearly

as possible those conditions that are expected to exist when the systems are

needed.

IN 92-65 September 3, 1992 This information notice requires no specific action or written response. If

you have any questions about the information in this notice, please contact

-the technical contact listed below or the appropriate Office of Nuclear

Reactor Regulation (NRR) project manager.

harles E. Rossi, Director'

Division of-Operational Events Assessment

Office of Nuclear Reactor Regulation

Technical contact: Thomas F. Westerman, RIV

(817) 860-8145 Attachment: List of Recently Issued NRC Information Notices

V)Attachment

IN 92-65 September 3, 1992 LIST OF RECENTLY ISSUED

NRC INFORMATION NOTICES

Information Date of

Notice No. Subject Issuance Issued to

92-64 Nozzle Ring Settings 08/28/92 All holders of OLs or CPs

on Low Pressure Water- for nuclear power reactors.

Relief Valves

92-63 Cracked Insulators in 08/26/92 All holders of OLs or CPs

ASL Dry Type Transformers for nuclear power reactors.

Manufactured by Westing- house Electric Corporation

92-62 Emergency Response 08/24/92 All U.S. Nuclear Regulatory

Information Require- Commission licensees.

ments for Radioactive

Material Shipments

92-61 Loss of High Head 08/20/92 All holders of OLs or CPs

Safety Injection for nuclear power reactors.

60 Valve Stem Failure 08/20/92 All holders of OLs or CPs

Caused by Embrittlement for pressurized water

reactors (PWRs).

92-59 Horizontally-Installed 08/18/92 All holders of OLs or CPs

Motor-Operated Gate for nuclear power reactors.

Valves

92-58 Uranium Hexafluoride 08/12/92 All Fuel Cycle Licensees.

Cylinders - Deviations

in Coupling Welds

92-57 Radial Cracking of- 08/11/92 All holders of OLs or CPs

Shroud Support Access for boiling water reactors

Hole Cover Welds (BWRs).

92-56 Counterfeit Valves in 08/06/92 All holders of OLs or CPs

the Commercial Grade for nuclear power reactors.

Supply System

92-55 Current Fire Endurance 07/27/92 All holders of OLs or CPs

Test Results for for nuclear power reactors.

Thermo-Lag Fire Barrier

Material

OL = Operating License

CP = Construction Permit


Retrieved from "https://kanterella.com/w/index.php?title=Information_Notice_1992-65,_Safety_System_Problems_Caused_by_Modifications_That_Were_Not_Adequately_Reviewed_and_Tested&oldid=2200255"