Information Notice 2010-17, Common Cause Failure of Boiling-Water Reactor Recirculation Pumps with Variable Speed Drives
| ML101330321 | |
| Person / Time | |
|---|---|
| Issue date: | 09/10/2010 |
| From: | McGinty T J, Tracy G M Office of New Reactors, Office of Nuclear Reactor Regulation |
| To: | |
| Joseph Giantelli, NRR/DIRS/IOEB | |
| References | |
| IN-10-017 | |
| Download: ML101330321 (4) | |
ML101330321 UNITED STATES NUCLEAR REGULATORY COMMISSION OFFICE OF NUCLEAR REACTOR REGULATION OFFICE OF NEW REACTORS WASHINGTON, DC 20555-0001 September 10, 2010 NRC INFORMATION NOTICE 2010-17: COMMON CAUSE FAILURE OF BOILING-WATER REACTOR RECIRCULATION PUMPS WITH
VARIABLE SPEED DRIVES
ADDRESSEES
All holders of an operating license or construction permit for a nuclear power reactor issued under Title 10 of the Code of Federal Regulations (10 CFR) Part 50, "Domestic Licensing of Production and Utilization Facilities," except those who have permanently ceased operations and have certified that fuel has been permanently removed from the reactor vessel. All holders of or applicants for a standard design certification, standard design approval, or combined license issued under 10 CFR Part 52, "Licenses, Certifications, and Approvals for
Nuclear Power Plants."
PURPOSE
The U.S. Nuclear Regulatory Commission (NRC) is issuing this information notice (IN) to inform
addressees about two international events at boiling-water reactor (BWR) plants that experienced a common cause failure of all recirculation pumps. The NRC expects that recipients will review this information for applicability to their facilities and consider actions, as appropriate, to avoid similar problems. However, suggestions contained in this IN are not NRC requirements; therefore, no specific action or written response is required.
DESCRIPTION OF CIRCUMSTANCES
On June 13, 2008, at Forsmark Unit 2 in Sweden, lightning strikes caused a short circuit on the offsite power grid. This resulted in a transient that tripped all eight reactor recirculation pumps.
Each recirculation pump circuit contains an integral flywheel to prevent a rapid reduction in pump speed. The mass of the rotating flywheel stores mechanical energy that is converted to electrical power by a flywheel-generator and inverter/rectifier to continue to power the drive system DC-bus (one DC-bus common for two pump-drive inverters) upon a dip in or loss of the normal electrical power. When the inverter/rectifier is operable, the alternate power allows for an unchanged pump speed (in case of power dips) or a more gradual reduction in pump speed (in case of significant loss, signaled by equipment protection). In the case of a reactor
recirculation pump, the coastdown produces a correspondingly more gradual reduction in recirculation flow. However, at Forsmark Unit 2, the lightning strike tripped the normal electric power rectifier due to a sensitive protection setting; furthermore, due to a design flaw, the protective action was not signaled to the inverter/rectifier controller for the flywheel-generator. As a result, the recirculation pump motors rapidly consumed the flywheel-generator's stored energy. With no available energy storage, the recirculation pumps reduced speed faster than the assumed transient analyses in the Forsmark Unit 2 safety analysis report. The reduced
coastdown time resulted in a short violation of the safety limit minimum critical power ratio on 84 core channels/fuel elements and a transient dryout condition in 18 of those core channels. Based on its review of the analysis and inspection results that revealed no fuel damage, the Swedish Radiation Safety Authority granted the licensee's request for continued use of the affected fuel.
On May 30, 2008, Olkiluoto Unit 1 in Finland had a reactor trip from 60 percent power. An electrical transient resulted in a common cause failure that caused all six recirculation pumps to stop unexpectedly. Although the coastdown of the recirculation pumps was shorter than expected, the transient had no effect on fuel integrity.
BACKGROUND
Related NRC Generic Communications include the following:
- NRC IN 96-56, "Problems Associated with Testing, Tuning, or Resetting of Digital Control Systems While at Power," dated October 22, 1996 (Agencywide Documents Access and
Management System (ADAMS) Accession No. ML031050587). This IN highlighted the importance of evaluating and controlling on-line manipulations of digital control systems, such as resetting a processor or performing on-line software changes, to avoid reactor
transients and plant trips.
- IN 2010-10, "Implementation of a Digital Control System under 10 CFR 50.59," dated May 28, 2010 (ADAMS Accession No. ML100080281). This IN discusses that for digital upgrades to systems that are highly safety-significant, a defense-in-depth and diversity
analysis is performed as part of the design process to ensure that the plant has adequate capability to cope with software common-cause failure vulnerabilities.
DISCUSSION
Unlike Olkiluoto Unit 1 and Forsmark Unit 2, U.S. BWRs do not have recirculation pump designs that rely on energy storage separate from the recirculation pump motor and generator that could influence recirculation system flow following a scram. In the U.S. BWR designs, the combined rotating inertias of the recirculation pump and motor, the motor generator set, and the variable speed coupling are used to provide a relatively slow coastdown of flow following loss of power to the drive motors which helps ensure that the core is adequately cooled.
The specific common cause failure that occurred at Olkiluoto and Forsmark is not an issue for U.S. BWRs. However, digital variable speed drive (VSD) technology may increase the complexity of the recirculation pump control system and may introduce new failure modes such as software programming errors, network problems, loss of power, and the failure of control boards, that can lead to unplanned changes in pump speed. Previous operating experience for
recirculation pump VSD includes instances of unintentional reactivity changes during power operation. Although the recirculation pump motors are generally non-safety related, as the industry upgrades their systems to digital VSD, it is important that licensees understand the potential unexpected recirculation pump behaviors that might affect core reactivity or safety limits. As part of the design process when upgrading to digital VSD technology on recirculation pump systems, the following are important considerations:
- Perform evaluations to identify failure modes for digital VSDs to include sources of common-cause failure, such as software.
- Determine if the consequences of a digital VSD common-cause failure could lead to reactivity events that have not been analyzed in the plant safety analysis.
- Ensure the reactor protection system maintains plant safety within its design basis even with a common-cause failure.
CONTACT
This IN requires no specific action or written response. Please direct any questions about this matter to the technical contacts listed below or the appropriate Office of Nuclear Reactor Regulation (NRR) project manager. /RA/ /RA by JTappert for/
Timothy McGinty, Director Glenn Tracy, Director Division of Policy and Rulemaking Division of Construction Inspection and Office of Nuclear Reactor Regulation Operational Programs Office of New Reactors
Technical Contacts: Joseph Giantelli, NRR Pong Chung, NRR 301-415-0504 301-415-2473 E-mail: joseph.giantelli@nrc.gov E-mail: pong.chung@nrc.gov Note: NRC generic communications may be found on the NRC public Web site, http://www.nrc.gov, under Electronic Reading Room/Document Collections. potential unexpected recirculation pump behaviors that might affect core reactivity or safety limits. As part of the design process when upgrading to digital VSD technology on recirculation pump systems, the following are important considerations:
- Perform evaluations to identify failure modes for digital VSDs to include sources of common-cause failure, such as software.
- Determine if the consequences of a digital VSD common-cause failure could lead to reactivity events that have not been analyzed in the plant safety analysis.
- Ensure the reactor protection system maintains plant safety within its design basis even with a common-cause failure.
CONTACT
This IN requires no specific action or written response. Please direct any questions about this matter to the technical contacts listed below or the appropriate Office of Nuclear Reactor Regulation (NRR) project manager. /RA/ /RA by JTappert for/
Timothy McGinty, Director Glenn Tracy, Director Division of Policy and Rulemaking Division of Construction Inspection and Office of Nuclear Reactor Regulation Operational Programs Office of New Reactors
Technical Contacts: Joseph Giantelli, NRR Pong Chung, NRR 301-415-0504 301-415-2473 E-mail: joseph.giantelli@nrc.gov E-mail: pong.chung@nrc.gov Note: NRC generic communications may be found on the NRC public Web site, http://www.nrc.gov, under Electronic Reading Room/Document Collections.
ADAMS Accession Number: ML101330321 TAC ME3898 OFFICE DIRS/IOEB DE/EICB Tech Editor BC/DIRS/IOEB BC/D/EICB D/NRR/DE NAME JGiantelli PChung CHsu JThorp BKemper PHiland DATE 07/27/10 07/27/10 08/15/10 e-mail 07/27/10 07/27/10 07/28/10 OFFICE NRR/PGCB NRR/PGCB BC/NRR/PGCB DD/OIP D/NRO/DCIP D/NRR/ DPR NAME CHawes DBeaulieu SRosenberg SMoore GTracy JTappert for TMcGinty OFFICE 08/26/10 08/25/10 08/26/10 09/09/10 09/10/10 09/10/10 OFFICIAL RECORD COPY