United States Nuclear Regulatory Commission - Protecting People and the Environment

Information Notice No. 79-04, Degradation of Engineered Safety Features

IN79004 

                            February 14, 1979 

MEMORANDUM FOR:     B. H. Grier, Director, Region I  
                    J. P. O'Reilly, Director, Region II  
                    J. G. Keppler, Director, Region III  
                    K. V. Seyfrit, Director, Region IV  
                    R. H. Engelken, Director, Region V 

FROM:               Norman C. Moseley, Director, ROI:IE 

SUBJECT:            Information Notice No. 79-04, DEGRADATION OF 
                    ENGINEERED SAFETY FEATURES 

The subject document is transmitted for issuance on February 16, 1979.  The 
Information Notice should be issued to all holders of Reactor Operating 
Licenses and Construction Permits. 

Also enclosed is a draft copy of the transmittal letter. 


                                        Norman C. Moseley, Director  
                                        Division of Reactor Operations 
                                          Inspection  
                                        Office of Inspection and Enforcement

Enclosures: 
1.   IE Information Notice
       No. 79- 
2.   Draft Transmittal Letter

CONTACT:  J. C. Stone, IE 
          49-28019 
.

(Transmittal letter for Information Notice 79-04 to each holder of an NRC 
Operating License and Construction Permit.) 

                                           Information Notice No. 79-04 

Addressee: 

This Information Notice is provided as an early notification of a possibly 
significant matter. It is expected that recipients will review the 
information for possible applicability to their facilities. No specific 
action or response is requested at this time. If further NRC evaluations so 
indicate, an IE Circular, Bulletin or NRR Generic Letter will be issued to 
recommend or request specific licensee actions. If you have questions 
regarding the matter, please contact the Director of the appropriate NRC 
Regional Office. 


                                        Signature 
                                        (Regional Director) 

Enclosures: 
1.   Information Notice No. 79-04 
2.   List of IE Information 
       Notices Issued in 1979
.

                             UNITED STATES 
                      NUCLEAR REGULATORY COMMISSION 
                   OFFICE OF INSPECTION AND ENFORCEMENT 
                          WASHINGTON, D.C. 20555 
                                     
                             February 16, 1979 

                                           Information Notice No. 79-04 

DEGRADATION OF ENGINEERED SAFETY FEATURES 

Summary 

On September 16, 1978, an unusual sequence of events occurred at Arkansas 
Nuclear One, Units 1 and 2. The events involved the electrical power sources
and culminated in the spurious activation and degraded operation of Unit 2 
Engineered Safety Features (ESF). Analysis of the course of the incident has
identified three safety concerns in the electrical distribution system 
operation and design. 

(1)  The offsite power supply for ANO Unit 1 Engineered Safety Feature loads
     was deficient in that degraded voltage could have resulted in the 
     unavailability of ESF equipment, if it were to be needed. 

(2)  The design of the ANO site electrical system that provides offsite 
     power to Units 1 and 2 did not fully meet the Commission's Regulations, 
     10 CFR 50, Appendix A, General Design Criterion 17, because in certain 
     circumstances a loss of one of the two offsite power circuits would 
     also result in a loss of the other such circuit. 
     
(3)  Deficiencies existed in the operation of the Unit 2 inverters that 
     convert DC to AC power for the uninterruptable 120 volt vital AC buses.

Description of Circumstances 

Initially Unit 1 was operating at 100 percent power; Unit 2 was in hot 
standby performing hot functional testing in preparation for initial 
criticality and power operation.(1)  Unit 1 auxiliary electrical loads were 
being supplied from the Unit 1 main generator via the unit auxiliary 
transformer. Unit 2 auxiliary electrical loads were. being fed from the 
offsite grid through Startup Transformer No. 3. The normal operating status 
was interrupted by the failure of the Unit 1 Loop "A" Main Steam Line 
Isolation Valve (MSIV) air operator solenoid causing the MSIV to close as 
designed. The Unit 1 Reactor Protection System sensed conditions requiring 
reactor shutdown and tripped the reactor. The 
___________________________________________________________________________ 
 (1) The Unit 2 Operating License did not permit criticality of power 
     operation at the time of the incident. 

                                  1 of 5 
.

Information Notice No. 79-04                         February 16, 1979 

Unit 1 turbine-generator tripped concurrently.  Because the Unit 1 generator
could no longer supply power for the Unit 1 auxiliary loads, these loads 
were automatically transferred to Startup Transformer No. 1 to supply this 
power from offsite. The sequence of events should have ended at this point. 

The power to Startup Transformer No. 3, which was feeding Unit 2, and to 
Startup Transformer No. 1, now feeding Unit 1, normally passes through a 
single piece of equipment, the Bus Tie Auto-Transformer. (Figure 1 shows a 
simplified block diagram of the principal electrical equipment involved.) 
The Auto-Transformer has the capacity to provide power for both units, but 
due to an error, the protective relays were still adjusted for the operation
of Unit 1 only. As a result, when both units concurrently drew power from 
the Auto-Transformer these protection relays tripped and cut off power to 
Startup Transformer Nos. 1 and 3. 

Startup Transformer No. 2, also shown in Figure 1, thus became the only 
source of offsite power for both Units 1 and 2.  The onsite switching 
equipment automatically transferred the full auxiliary loads for both units 
to this transformer. However, this transformer is not designed to carry full
auxiliary loads for both units. For this reason, Startup Transformer No. 2 
became overloaded and the voltage dropped on the station distribution system
for offsite power. At this time and during most of the incident operating 
personnel at both units were unaware of the degraded voltage(2) condition 
due to the overloaded Startup Transformer No. 2.(3) 
___________________________________________________________________________ 
 (2) Two other events involving degraded voltage for ESF equipment occurred 
     at Millstone Unit 2 in July 1976. These events were reported as an 
     abnormal occurrence (No. 76-9) in NUREG-0900-5, Report to Congress on 
     Abnormal Occurrences, July-September 1976. 

 (3) It was subsequently determined that the following combinations of Unit 
     1 and Unit 2 operation would lead to the loss of the Bus Tie 
     Auto-Transformer and the subsequent overloading of Startup Transformer 
     No. 2: 

     1.   Both Units in either the startup or shutdown mode, or 
     2.   Trip of one unit while the other is in either the startup or 
          shutdown mode, or 
     3.   Simultaneous trip of both units. 

                                  2 of 5 
.

Information Notice No. 79-04                          February 16, 1979 

At Unit 2, eight seconds after the switch to Startup Transformer No. 2, the 
relays(4) which operate to protect Engineered Safety Feature (ESF) equipment
from low (degraded) voltage disconnected and therefore deenergized both Unit
2 ESF buses as designed. At the same time, the Unit 2 Core Protection 
Calculator (CPC) instrumentation registered trips which indicated a loss of 
AC power to the circuits(5) that supply at least two instrument channels. 

The loss of power on two 120 volt vital AC instrument buses caused, as 
designed, an actuation of all Unit 2 Engineered Safety Features. Thus, when 
the two Unit 2 emergency diesel generators started and provided power to the
previously deenergized ESF buses, the Engineered Safety Features equipment 
began to operate. However, due to inverter failures, premature actuation of 
the Recirculation Actuation System (RAS) occurred. This actuation 
momentarily opened a flow path directly between the Refueling Water Tank 
(RWT) and the containment sump. ESF operation and premature RAS operation 
combined to transfer approximately 60,000 gallons of borated refueling water 
to the containment sump in about 90 seconds. 

___________________________________________________________________________ 
 (4) These relays are the second level of undervoltage protection required 
     as a result of the NRC staff review of the 1976 Millstone 2 degraded 
     voltage event. Corrective design changes (i.e., undervoltage relays and
     load sequencing to offsite power) had been implemented on Unit 2 for 
     degraded voltage protection. These design changes had not been 
     implemented on Unit 1 at the time of the event. 

 (5) Each one of the four CPC instrumentation circuits receives power from 
     a vital AC bus which in turn receives power from a battery through an 
     inverter that converts DC power to AC power. Each inverter normally 
     provides power through a circuit with access to both an ESF bus and the
     station batteries. Each inverter also has an automatic switch that can 
     cut off this normal supply circuit and shift the loads to an alternate 
     supply circuit, which includes just the ESF bus. (See insert on Figure 
     1.) With both Unit 2 ESF buses momentarily deenergized the only source 
     of instrument power was from the station batteries through the normal 
     switch position. However, although the exact cause is unknown, all four
     inverter automatic switches were found in the alternate position. Three
     of four inverters had improper settings on time delay relays and one 
     inverter had the undervoltage trip setting too high, which may have in 
     part been the cause. IE Circular No. 79-02, Failure of 120 Volt Vital 
     AC Power Supplies, dated January 16, 1979, provided details of the 
     inverter problems and recommended items to be reviewed to avoid similar
     problems. 

                                  3 of 5 
.

Information Notice No. 79-04                         February 16, 1979 

The normal design sequence calls for the RAS to automatically change the 
valve lineup when signals from the level instruments on the Refueling Water 
Tank (RWT) indicate that the tank is nearly empty, which is expected to 
occur approximately 30 minutes after the LOCA. During this incident, the RAS 
acted immediately in response to the failure of the inverters and made the 
change in lineup while the RWT was nearly full. The loss of power from the 
inverters caused a false low water level indication in the RWT. This false 
indication provided the signals for the automatic actuation of the RAS. 

Had the Emergency Core Cooling System and/or the Containment Spray System 
been needed in the event of a design basis loss of coolant accident, it 
would not have performed as designed because of the premature RAS valve 
actuation. ESF degradation on Unit 2 did not involve a threat to the health 
and safety of the public because Unit 2 was preoperational and had no 
radioactive fission product inventory in the core.  However, there was no 
assurance that the inverter deficiencies which caused the premature 
operation of the RAS valves would have been corrected prior to Unit 2 power 
operation. 

In the event of a LOCA with a fission product inventory, if the RAS were to 
initiate at the beginning of the accident, as it did in this incident, the 
low pressure and high pressure coolant injection subsystems (LPCI and HPCI) 
of Emergency Core Cooling (ECC) and the Containment Spray System might not 
function properly. Actuation of RAS causes isolation of the water in the 
RWT, which is the source of short term cooling water for Emergency Core 
Cooling and Containment Spray. The premature actuation of RAS also causes 
these pump suction lines to be connected to the containment sump when there 
may not be sufficient water available. 

Initially, the sequence of events on September 16 did not indicate any 
problem with the electrical distribution system of Unit 1. However, 
subsequent analysis indicated that in the event of a LOCA at Unit 1 during 
which Startup Transformer No. 1 received both the auxiliary electrical loads
and starting loads of the Engineered Safety Features a voltage reduction 
would result. The safety loads might not initially transfer to the Unit 1 
diesel generators but could remain on the startup transformer with reduced 
(degraded) voltage. Although there is margin in the sizing of emergency 
equipment and the conditions of operation of such equipment, this situation 
could cause fuses to blow in Engineered Safety Feature circuits which could 
result in disabling the safety equipment. 

                                  4 of 5 
.

Information Notice No. 79-04                          February 16, 1979 

Cause or Causes  The immediate causes of the unusual event at Arkansas 
Nuclear One were:  (1) loss of the Bus Tie Auto-Transformer which resulted 
in degraded power operation through Startup Transformer No. 2, and (2) 
multiple Unit 2 inverter failures. 

The loss of the Bus Tie Auto-Transformer was caused by inappropriate 
setpoints for its protective relays. The Bus Tie Auto-Transformer loss had 
not been adequately reviewed prior to this event in that the overloading of 
the shared Startup Transformer No. 2 had not been identified during the 
design and review process. 

The primary cause of the failure of the inverters to perform as a reliable 
power supply was the lack of adequate preoperational test procedures, 
inadequate knowledge of inverter operation and lack of maintenance control 
(maintenance has been performed on the inverters several times prior to this
event). 

This Information Notice provides details of a significant occurrence that is
still under review by the NRC staff.  After completion of the staff review, 
this Information Notice will be followed with specific actions to be taken 
by licensees. 

No written response is required. If you desire additional information 
regarding this matter, contact the Director of the appropriate NRC Regional 
Office. 

Attachment: 
Figure 1, Simplified 
  Block Diagram, Electrical 
  Distribution

                                  5 of 5 

Page Last Reviewed/Updated Thursday, November 13, 2014