Home > NRC Library > Document Collections > Generic Communications > Information Notices > 1992 > IN 92-06, Supplement 1
Information Notice No. 92-06, Supplement 1: Reliability of ATWS Mitigation Systems and Other NRC-Required Equipment not Controlled by Plant Technical Specifications
UNITED STATES NUCLEAR REGULATORY COMMISSION OFFICE OF NUCLEAR REACTOR REGULATION WASHINGTON, D.C. 20555 July 1, 1993 NRC INFORMATION NOTICE 92-06, SUPPLEMENT 1: RELIABILITY OF ATWS MITIGATION SYSTEMS AND OTHER NRC-REQUIRED EQUIPMENT NOT CONTROLLED BY PLANT TECHNICAL SPECIFICATIONS Addressees All holders of operating licenses or construction permits for nuclear power reactors. Purpose The U.S. Nuclear Regulatory Commission (NRC) is issuing this supplement to IN 92-06 to alert addressees to a situation at Indian Point 3 in which a lack of quality assurance oversight led to the anticipated transient without scram (ATWS) mitigation system being inoperable for a prolonged period of time. It is expected that recipients will review the information for applicability to their facilities and consider actions, as appropriate, to avoid similar problems. However, suggestions contained in this information notice are not NRC requirements; therefore, no specific action or written response is required. Background In 1983, the Salem Nuclear Generating Station experienced an ATWS event. Following this event, efforts then in progress to establish requirements to address ATWS events were completed, and the NRC issued, on June 1, 1984, Section 50.62 of Title 10 of the Code of Federal Regulations (10 CFR 50.62), "Requirements for reduction of risk from anticipated transients without scram (ATWS) events for light-water-cooled nuclear power plants." This regulation required that each reactor have equipment, diverse from the reactor trip system, that would automatically initiate actions to mitigate the consequences of an ATWS. The regulation also required that the equipment for this system be independent from the existing reactor trip system and be designed to perform its function in a reliable manner. The NRC did not require licensees to address the operability of this equipment in plant technical specifications, nor did the NRC require that this equipment be designated as safety-related. However, Generic Letter (GL) 85-06, "Quality Assurance Guidance for ATWS Equipment that is not Safety-Related," provided quality assurance guidance for the nonsafety-related equipment encompassed by the ATWS rule. This guidance is similar to the requirements of 10 CFR Part 50, 9306250303. IN 92-06, Supplement 1 July 1, 1993 Page 2 of 4 Appendix B except for less stringent requirements for involvement of parties outside the normal line organization and less stringent requirements for a formalized program and detailed recordkeeping for all quality practices. On January 15, 1992, the NRC issued Information Notice (IN) 92-06 in response to findings at the South Texas Project in which the NRC found that the licensee had failed to maintain the ATWS mitigation system in a reliable manner. Because the licensee had assigned a low priority to resolving problems with the ATWS mitigation system, the system was inoperable or in a bypassed condition for a large percentage of the time it was required to be functional. Description of Circumstances On December 31, 1992, the New York Power Authority (the licensee for Indian Point Unit 3) performed a routine semi-annual ATWS mitigation system actuation circuitry (AMSAC) logic test. The AMSAC system failed the test because a required 40-second time delay in the logic was missing. The missing time delay would have prevented the automatic initiation of the motor-driven auxiliary feedwater pumps in response to an AMSAC initiation signal. After initial review, the licensee concluded that the deficiency had existed since July 8, 1992, when the AMSAC computer hard drive had been reinstalled and the associated software was manipulated by a Foxboro (vendor) field technician. When the hard drive was reinstalled, the vendor technician loaded AMSAC software from an uncontrolled version in his possession. The controlled, plant specific version of the software had not been retained by the licensee and, therefore, the licensee relied upon the vendor to maintain configuration management. The vendor technician attempted to modify the uncontrolled version of the software to customize it for plant specific usage. Use of the improper version of the software caused the system to reboot incorrectly. The system failed the surveillance test, and the vendor technician modified the software to allow the system to reboot. During this software manipulation, the 40-second time delay was incorrectly entered in the software logic. There was no documentation of this activity and, after the changes were made, the AMSAC system was not adequately retested. Since the actual system logic was not retested, the vendor technician and the licensee were unaware of the fact that the 40-second time delay of the AMSAC signal had been mistakenly altered during the software manipulations, rendering the AMSAC inoperable under certain conditions. On January 13, 1993, the software problem was corrected and the 40-second time delay feature was successfully retested. However, after discussions with the NRC staff, the licensee reported that certain AMSAC system periodic tests had not been performed in accordance with the required frequency. Based on these findings, the licensee commenced a reactor shutdown on February 26, 1993, to perform end-to-end testing (inputs through final actuation devices) of the AMSAC system. The system passed this end-to-end test. However, during dynamic testing (varying input power level) of the AMSAC software, the licensee discovered that the AMSAC actuation timer did not lock in the power. IN 92-06, Supplement 1 July 1, 1993 Page 3 of 4 level from which it was activated. The licensee determined that this lock-in feature was required to ensure the AMSAC system would operate in accordance with design requirements. The licensee has indicated that dynamic testing was not included in the initial installation acceptance testing at the time the AMSAC system was installed in June 1989. Subsequent surveillance tests performed only static input changes to the system in order to derive the required system outputs. The typical static test involves adjusting input test voltages to derive a required output. With the presence of the actuation timer lock-in feature, the results of both the static and dynamic tests should be approximately the same. The initiation time delay is supposed to vary from 300 seconds at 40-percent power to 25 seconds at 100-percent power. However, dynamic test results indicated that, for the worst case scenario, the actuation timer deficiency would cause the AMSAC output to be initiated after a time delay of 166 seconds at 100-percent power. The actuation timer design deficiency caused the Indian Point 3 AMSAC system to be inoperable under certain conditions since the initial installation in June 1989. Discussion GL 85-06 gave explicit quality assurance guidance for the nonsafety-related equipment encompassed by the ATWS rule. Although much of the equipment required by 10 CFR 50.62 is not designated safety-related, it does perform an important safety function if the primary reactor protection system fails. The regulation was issued to reduce the risk posed by such an event. The licensee had committed to treat the AMSAC equipment under a quality assurance program that was consistent with and satisfied the guidance in GL 85-06. Specifically, the licensee quality assurance criteria require control of design; purchased services; testing; inspection, test and operating status; and the identification of nonconformances. However, the licensee never fully implemented this commitment and also failed to implement a commitment to perform end-to-end testing each refueling outage. AMSAC is not a safety-related system and is not governed by the plant technical specifications. The events described above indicate that licensees may not be placing an appropriate priority on quality assurance and maintenance of the ATWS mitigation system. Proper quality assurance and maintenance of AMSAC is needed to satisfy the requirements of 10 CFR 50.62 concerning system operability. It is important that licensees maintain equipment and systems required by NRC regulations in accordance with commitments they have made to the NRC to ensure appropriate reliability, even though they may not be addressed by plant technical specifications. . IN 92-06, Supplement 1 July 1, 1993 Page 4 of 4 This information notice requires no specific action or written response. If you have any questions about the information in this notice, please contact the technical contact listed below or the appropriate Office of Nuclear Reactor Regulation (NRR) project manager. orig /s/'d by BKGrimes Brian K. Grimes, Director Division of Operating Reactor Support Office of Nuclear Reactor Regulation Technical contact: Eric J. Benner, NRR (301) 504-1171 Attachment: List of Recently Issued NRC Information Notices .
Page Last Reviewed/Updated Tuesday, November 12, 2013