Information Notice No. 92-06, Supplement 1: Reliability of ATWS Mitigation Systems and Other NRC-Required Equipment not Controlled by Plant Technical Specifications

                                 UNITED STATES
                         NUCLEAR REGULATORY COMMISSION
                     OFFICE OF NUCLEAR REACTOR REGULATION
                            WASHINGTON, D.C.  20555

                                 July 1, 1993


NRC INFORMATION NOTICE 92-06, SUPPLEMENT 1:  RELIABILITY OF ATWS MITIGATION
                                             SYSTEMS AND OTHER NRC-REQUIRED
                                             EQUIPMENT NOT CONTROLLED BY PLANT
                                             TECHNICAL SPECIFICATIONS


Addressees

All holders of operating licenses or construction permits for nuclear power
reactors.

Purpose

The U.S. Nuclear Regulatory Commission (NRC) is issuing this supplement to 
IN 92-06 to alert addressees to a situation at Indian Point 3 in which a lack
of quality assurance oversight led to the anticipated transient without scram
(ATWS) mitigation system being inoperable for a prolonged period of time.  It
is expected that recipients will review the information for applicability to
their facilities and consider actions, as appropriate, to avoid similar
problems.  However, suggestions contained in this information notice are not
NRC requirements; therefore, no specific action or written response is
required.

Background

In 1983, the Salem Nuclear Generating Station experienced an ATWS event. 
Following this event, efforts then in progress to establish requirements to
address ATWS events were completed, and the NRC issued, on June 1, 1984,
Section 50.62 of Title 10 of the Code of Federal Regulations (10 CFR 50.62),
"Requirements for reduction of risk from anticipated transients without scram
(ATWS) events for light-water-cooled nuclear power plants."  This regulation
required that each reactor have equipment, diverse from the reactor trip
system, that would automatically initiate actions to mitigate the consequences
of an ATWS.  The regulation also required that the equipment for this system
be independent from the existing reactor trip system and be designed to
perform its function in a reliable manner.  The NRC did not require licensees
to address the operability of this equipment in plant technical
specifications, nor did the NRC require that this equipment be designated as
safety-related.  However, Generic Letter (GL) 85-06, "Quality Assurance
Guidance for ATWS Equipment that is not Safety-Related," provided quality
assurance guidance for the nonsafety-related equipment encompassed by the ATWS
rule.  This guidance is similar to the requirements of 10 CFR Part 50,
Appendix B except for less stringent requirements for involvement of parties
outside the normal line organization and less stringent requirements for a
formalized program and detailed recordkeeping for all quality practices.

On January 15, 1992, the NRC issued Information Notice (IN) 92-06 in response
to findings at the South Texas Project in which the NRC found that the
licensee had failed to maintain the ATWS mitigation system in a reliable
manner.  Because the licensee had assigned a low priority to resolving
problems with the ATWS mitigation system, the system was inoperable or in a
bypassed condition for a large percentage of the time it was required to be
functional.

Description of Circumstances

On December 31, 1992, the New York Power Authority (the licensee for Indian
Point Unit 3) performed a routine semi-annual ATWS mitigation system actuation
circuitry (AMSAC) logic test.  The AMSAC system failed the test because a
required 40-second time delay in the logic was missing.  The missing time
delay would have prevented the automatic initiation of the motor-driven
auxiliary feedwater pumps in response to an AMSAC initiation signal.

After initial review, the licensee concluded that the deficiency had existed
since July 8, 1992, when the AMSAC computer hard drive had been reinstalled
and the associated software was manipulated by a Foxboro (vendor) field
technician.  When the hard drive was reinstalled, the vendor technician loaded
AMSAC software from an uncontrolled version in his possession.  The
controlled, plant specific version of the software had not been retained by
the licensee and, therefore, the licensee relied upon the vendor to maintain
configuration management.  The vendor technician attempted to modify the
uncontrolled version of the software to customize it for plant specific usage. 
Use of the improper version of the software caused the system to reboot
incorrectly.  The system failed the surveillance test, and the vendor
technician modified the software to allow the system to reboot.  During this
software manipulation, the 40-second time delay was incorrectly entered in the
software logic.  There was no documentation of this activity and, after the
changes were made, the AMSAC system was not adequately retested.  Since the
actual system logic was not retested, the vendor technician and the licensee
were unaware of the fact that the 40-second time delay of the AMSAC signal had
been mistakenly altered during the software manipulations, rendering the AMSAC
inoperable under certain conditions.

On January 13, 1993, the software problem was corrected and the 40-second time
delay feature was successfully retested.  However, after discussions with the
NRC staff, the licensee reported that certain AMSAC system periodic tests had
not been performed in accordance with the required frequency.  Based on these
findings, the licensee commenced a reactor shutdown on February 26, 1993, to
perform end-to-end testing (inputs through final actuation devices) of the
AMSAC system.  The system passed this end-to-end test.  However, during
dynamic testing (varying input power level) of the AMSAC software, the
licensee discovered that the AMSAC actuation timer did not lock in the power
level from which it was activated.  The licensee determined that this lock-in
feature was required to ensure the AMSAC system would operate in accordance
with design requirements.

The licensee has indicated that dynamic testing was not included in the
initial installation acceptance testing at the time the AMSAC system was
installed in June 1989.  Subsequent surveillance tests performed only static
input changes to the system in order to derive the required system outputs. 
The typical static test involves adjusting input test voltages to derive a
required output.  With the presence of the actuation timer lock-in feature,
the results of both the static and dynamic tests should be approximately the
same.  The initiation time delay is supposed to vary from 300 seconds at 
40-percent power to 25 seconds at 100-percent power.  However, dynamic test
results indicated that, for the worst case scenario, the actuation timer
deficiency would cause the AMSAC output to be initiated after a time delay of
166 seconds at 100-percent power.  The actuation timer design deficiency
caused the Indian Point 3 AMSAC system to be inoperable under certain
conditions since the initial installation in June 1989.
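
The following is an added illustration, not the AMSAC vendor's or the licensee's
logic, of why static-input surveillance can pass a timer that lacks the lock-in
feature while a dynamic test exposes it.  The linear interpolation between the
two delay points, the model of the deficient timer (delay re-evaluated from
current power), and the power ramp are all assumptions made for the example; it
does not attempt to reproduce the 166-second result.

```python
"""Static vs dynamic test of a power-dependent actuation timer (illustrative model)."""


def required_delay(power_pct):
    """Delay in seconds: 300 s at 40% power, 25 s at 100% power (from the notice).

    Linear interpolation between the two points is an assumption.
    """
    p = min(max(power_pct, 40.0), 100.0)
    return 300.0 + (p - 40.0) * (25.0 - 300.0) / (100.0 - 40.0)


def actuation_time(power_profile, lock_in, dt=1.0, limit=600.0):
    """Seconds from timer start until the output actuates, or None if it never does.

    power_profile(t) gives power in percent t seconds after the timer starts.
    lock_in=True  : delay fixed from the power at activation (design intent).
    lock_in=False : delay re-evaluated from current power each step
                    (hypothetical model of the deficiency).
    """
    locked_delay = required_delay(power_profile(0.0))
    t = 0.0
    while t <= limit:
        delay = locked_delay if lock_in else required_delay(power_profile(t))
        if t >= delay:
            return t
        t += dt
    return None


def static_100(t):
    """Static test input: power held at 100 percent."""
    return 100.0


def ramp_down(t):
    """Dynamic test input (constructed): power falls 0.5 %/s from 100% to 40%."""
    return max(40.0, 100.0 - 0.5 * t)


def run_tests():
    """Run both timer variants against both inputs and collect actuation times."""
    return {
        (name, lock_in): actuation_time(profile, lock_in)
        for name, profile in (("static", static_100), ("dynamic", ramp_down))
        for lock_in in (True, False)
    }


if __name__ == "__main__":
    for (name, lock_in), seconds in run_tests().items():
        print(f"{name:8s} lock_in={lock_in!s:5s} actuates at {seconds} s")
```

Under a static input both variants actuate at the same time, so a static-only
surveillance cannot tell them apart; only the varying input separates the
timer with lock-in from the one without it.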

Discussion

GL 85-06 gave explicit quality assurance guidance for the nonsafety-related
equipment encompassed by the ATWS rule.  Although much of the equipment
required by 10 CFR 50.62 is not designated safety-related, it does perform an
important safety function if the primary reactor protection system fails.  The
regulation was issued to reduce the risk posed by such an event.  

The licensee had committed to treat the AMSAC equipment under a quality
assurance program that was consistent with and satisfied the guidance in 
GL 85-06.  Specifically, the licensee quality assurance criteria require
control of design; purchased services; testing; inspection, test and operating
status; and the identification of nonconformances.  However, the licensee
never fully implemented this commitment and also failed to implement a
commitment to perform end-to-end testing each refueling outage. 

AMSAC is not a safety-related system and is not governed by the plant
technical specifications.  The events described above indicate that licensees
may not be placing an appropriate priority on quality assurance and
maintenance of the ATWS mitigation system.  Proper quality assurance and
maintenance of AMSAC is needed to satisfy the requirements of 10 CFR 50.62
concerning system operability.  It is important that licensees maintain
equipment and systems required by NRC regulations in accordance with
commitments they have made to the NRC to ensure appropriate reliability, even
though they may not be addressed by plant technical specifications.

This information notice requires no specific action or written response.  If
you have any questions about the information in this notice, please contact
the technical contact listed below or the appropriate Office of Nuclear
Reactor Regulation (NRR) project manager.

                                    orig /s/'d by BKGrimes


                                    Brian K. Grimes, Director
                                    Division of Operating Reactor Support
                                    Office of Nuclear Reactor Regulation

Technical contact:  Eric J. Benner, NRR
                    (301) 504-1171

Attachment:  
List of Recently Issued NRC Information Notices