Information Notice No. 92-65: Safety System Problems Caused by Modifications that were not Adequately Reviewed and Tested

                                 UNITED STATES
                         NUCLEAR REGULATORY COMMISSION
                     OFFICE OF NUCLEAR REACTOR REGULATION
                            WASHINGTON, D.C.  20555

                               September 3, 1992


NRC INFORMATION NOTICE 92-65:  SAFETY SYSTEM PROBLEMS CAUSED BY MODIFICATIONS
                               THAT WERE NOT ADEQUATELY REVIEWED AND TESTED


Addressees

All holders of operating licenses or construction permits for nuclear power
reactors.

Purpose

The U.S. Nuclear Regulatory Commission (NRC) is issuing this information
notice to alert addressees to problems caused by inadequate review and testing
of safety system modifications.  It is expected that recipients will review
the information for applicability to their facilities and consider actions, as
appropriate, to avoid similar problems.  However, suggestions contained in
this information notice are not NRC requirements; therefore, no specific
action or written response is required.

Description of Circumstances

The following describes two examples of safety system design errors that went
undetected since construction, because design changes were not thoroughly
reviewed and tested. 

On October 10, 1991, during post overhaul testing, personnel at Arkansas
Nuclear One, Unit 1, observed that one of the high-pressure safety injection
(HPSI) pumps was losing its lubricating oil at a rate of more than 15 gallons
per hour as a result of oil spraying from the bearings.  The licensee found
that the oil would always leak at this rate during emergency operation because
of excessive oil pressure caused by the simultaneous operation of two oil
pumps that served the HPSI pump.  This condition had existed since the plant
began operation.

The bearings for each of the HPSI pumps are supplied with lubricating oil by
two oil pumps, one attached directly to the HPSI pump itself and the other a
separate electric backup pump.  Originally the electric oil pumps were
intended to be used during start up of a HPSI pump or to replace a
malfunctioning attached oil pump.  The electric oil pumps could be started
manually and would start automatically when the oil pressure decreased below a
certain point.  The licensee continues to use this method of control when the
HPSI pumps are used for normal reactor water makeup.  However, during
construction, the licensee decided that the HPSI pumps would be more reliable
if the electric lubricating oil pumps ran continuously during emergency
operation.  Consequently, the licensee modified the emergency controls to keep
the electric oil pumps operating whenever an emergency safety features
actuation system (ESFAS) signal was present.  Anticipating that the
simultaneous operation of both oil pumps could cause excessive oil pressure,
the licensee added an oil pressure relief valve to the oil system.  However,
the relief valve settings were not appropriately selected to prevent oil
spraying from the bearings.  

In September 1991, the Gulf States Utilities Company, licensee for the River
Bend Station, discovered that the outlet valves for the hydrogen mixing system
would immediately close if an operator attempted to start up the system by
opening these valves when a loss-of-coolant accident (LOCA) signal was
present.  An interlock prevented the mixing system fans from operating with
the outlet valves closed.  Consequently, the hydrogen mixing system would have
been inoperable if a LOCA signal were present.  This condition had existed
since the plant was constructed.

The River Bend Station is a boiling water reactor with a Mark III containment
structure.  This containment structure consists of two chambers, a large outer
primary containment and a drywell which is inside the primary containment and
surrounds the reactor vessel.  This system suppresses the steam pressure
released during a LOCA by directing the steam through the suppression pool
water into the primary containment.  After the initial pressure suppression is
complete following a LOCA, hydrogen created by the zirconium-water reaction
would be mainly concentrated in the drywell.  The hydrogen mixing system is
provided to reduce the concentration of the hydrogen in the drywell by moving
it into the primary containment where it is diluted and reduced in
concentration by the hydrogen recombiners.

The redundant hydrogen mixing systems each have two lines penetrating the
drywell; an outlet line having a recirculating fan to draw suction from the
drywell and an inlet line that allows diluted air to reenter the drywell. 
Each of these lines has two isolation valves which are normally closed during
plant operation.  In 1983, during construction, the licensee added a LOCA
interlock to the hydrogen mixing system that would automatically close all
eight of the mixing system valves upon receiving a LOCA signal.  In 1984, the
licensee revised the control logic for the mixing system valves to
automatically override a LOCA signal when the operator opened the drywell
inlet valves.  However, the licensee did not provide this LOCA override
capability for the outlet line valves.

Discussion

In both of these cases, the licensees changed the design with the intention of
increasing the reliability of safety systems.  However, because the licensees
did not adequately review and test the designs, these changes introduced
errors that could have prevented the systems from performing their safety
functions as intended.

At Arkansas Nuclear One, the licensee intended to increase the reliability of
the HPSI system by causing both HPSI oil pumps to operate simultaneously when
an ESFAS signal was present.  However, the oil pumps had apparently never been
run simultaneously for any extended period until the recent overhaul test.

The licensee routinely conducted the required periodic pump surveillance tests
with the HPSI operating in the normal reactor makeup mode with only one oil
pump running at a time.  The licensee tested the effectiveness of the
ESFAS signal during each refueling outage.  However, the test only required
verification that the test signal would actuate the HPSI system and did not
result in the simultaneous operation of the two oil pumps for an extended
time.  As a result, neither of these tests revealed the oil leakage problem. 
The licensee estimated that a HPSI pump would have performed satisfactorily
for only 80 minutes without operator action to replenish the oil or to stop
the electric oil pumps.  With an ESFAS signal present, the electric oil pumps
cannot be stopped from the control room, but must be stopped by opening local
power supply breakers.

The licensee has modified the oil pressure relief valve settings to minimize
the oil leakage.  Procedures were established that instruct the operators to
stop the electric oil pumps 15 minutes after an ESFAS actuation of the pumps. 

At River Bend, the control logic to automatically close all of the mixing
system valves was provided to ensure that the drywell integrity would be
restored if a LOCA occurred during a mixing system test with the valves open. 
Apparently, the LOCA override for the inlet valves was provided later to
permit the drywell to be depressurized to clear a false LOCA signal that might
be caused by a loss of offsite power.  The false LOCA signal could be
generated by the drywell pressure rise that would accompany a loss of drywell
cooling.  Since the drywell could be depressurized without opening the outlet
valves, the LOCA override was not provided for these valves.  The need to open
the outlet valves to operate the hydrogen mixing system was apparently not
considered for this change.  Normal surveillance testing did not reveal this
design error because it was never conducted with a LOCA signal present.

When the licensee discovered this design error, it declared both hydrogen
mixing trains inoperable and commenced shutting down the reactor.  The
licensee then developed a LOCA bypass procedure for the hydrogen mixing
system.  
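The River Bend interlock behaviour described above, reduced to a small model so that the startup sequence can be exercised with and without a LOCA signal present.  This is an added example, not part of the NRC notice or the licensee's logic; the class, method and override names are assumptions, and each pair of isolation valves is modelled as a single open/closed state.

```python
# Added example, not part of the NRC notice: a model of the River Bend
# hydrogen mixing system control logic as the notice describes it. It shows
# why surveillance tests run without a LOCA signal passed while the system
# was inoperable whenever a LOCA signal was present. All names are assumed.
from dataclasses import dataclass


@dataclass
class MixingTrain:
    """One redundant mixing train: an inlet line and an outlet line into the
    drywell, each modelled as one open/closed state, plus a fan whose
    interlock requires the outlet line to be open."""
    loca_signal: bool
    inlet_override: bool = True    # 1984 change: operator open overrides LOCA
    outlet_override: bool = False  # never provided (the design error)
    inlet_open: bool = False
    outlet_open: bool = False

    def operator_open(self, line: str) -> bool:
        """Operator attempts to open a line; returns its resulting state."""
        override = self.inlet_override if line == "inlet" else self.outlet_override
        # 1983 interlock: a LOCA signal closes the valves unless an override
        # for that line lets the operator's open command stand.
        is_open = (not self.loca_signal) or override
        setattr(self, f"{line}_open", is_open)
        return is_open

    def fan_can_run(self) -> bool:
        """Fan interlock: the recirculating fan cannot run with the outlet closed."""
        return self.outlet_open


def start_mixing(train: MixingTrain) -> bool:
    """Operator startup sequence: open both lines, then start the fan.
    Returns True only if the train can actually deliver mixing."""
    train.operator_open("inlet")
    train.operator_open("outlet")
    return train.fan_can_run()


def surveillance_test(loca_signal: bool, outlet_override: bool = False) -> bool:
    """Run the startup sequence under a given LOCA-signal condition."""
    return start_mixing(MixingTrain(loca_signal, outlet_override=outlet_override))


if __name__ == "__main__":
    print("no LOCA signal (routine surveillance):", surveillance_test(False))
    print("LOCA signal present (as-built logic):  ", surveillance_test(True))
    print("LOCA signal, outlet override (what-if):", surveillance_test(True, True))
```

The third case is a what-if that adds the missing outlet override to the model; it is not the bypass procedure the licensee actually developed.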

These events highlight the importance of thoroughly reviewing any safety-
related design change, including considering the effect of the change on all
related systems.  The events also show the need for completely testing the
systems affected by the design change under conditions that simulate as nearly
as possible those conditions that are expected to exist when the systems are
needed.

This information notice requires no specific action or written response.  If
you have any questions about the information in this notice, please contact
the technical contact listed below or the appropriate Office of Nuclear
Reactor Regulation (NRR) project manager. 


                                      ORIGINAL SIGNED BY

                                   Charles E. Rossi, Director
                                   Division of Operational Events Assessment
                                   Office of Nuclear Reactor Regulation

Technical contact:  Thomas F. Westerman, RIV
                    (817) 860-8145

Attachment:  List of Recently Issued NRC Information Notices.