Information Notice No. 93-17, Revision 1: Safety Systems Response to Loss of Coolant and Loss of Offsite Power

                                UNITED STATES 
                         NUCLEAR REGULATORY COMMISSION
                     OFFICE OF NUCLEAR REACTOR REGULATION
                            WASHINGTON, D.C.  20555

                                March 25, 1994


NRC INFORMATION NOTICE 93-17, REVISION 1:  SAFETY SYSTEMS RESPONSE TO LOSS OF
                                           COOLANT AND LOSS OF OFFSITE POWER 


Addressees

All holders of operating licenses or construction permits for nuclear power
reactors.  

Purpose

The U.S. Nuclear Regulatory Commission (NRC) is issuing this revision to NRC
Information Notice (IN) 93-17, "Safety Systems Response to Loss of Coolant and
Loss of Offsite Power," to make it clear that no backfitting was intended or
approved by issuance of the original notice and to clarify the recipient
applicability under that notice.  This revision, like the original, alerts
addressees to a condition in which automatic safety systems could have
responded inappropriately to certain sequences of loss of coolant and loss of
offsite power.  It is expected that recipients will review the information for
applicability to their facilities and consider actions, as appropriate, to
avoid similar problems.  However, suggestions contained in this information
notice are not NRC requirements; therefore, no specific action or written
response is required.

Background

This revision, which supersedes the original IN 93-17, revises portions of the
original Description of Circumstances and Discussion to identify more clearly
the nature of the loss-of-coolant accident (LOCA) and loss of offsite power
sequences addressed by the information notice, and to alleviate a concern that
the original notice could be perceived as a backfit for those facility designs
that were licensed without demonstrating the capability to respond to the
subject sequences.  Accordingly, the following revisions have been made to the
original notice.

In the Description of Circumstances, the Surry Power Station discussion has
been revised to emphasize the more pertinent insight derived from the example
(i.e., the diesel generator loading logic was only designed to accommodate a
LOCA that occurs exactly at the same time as a loss of offsite power).

In the Discussion section of the notice, clarification is given that the NRC
has normally not required that sequences other than simultaneous LOCA and loss
of offsite power be analyzed in Chapter 15 of plant Safety Analysis Reports. 
A change is also made to indicate that the Chapter 15 analysis for a
simultaneous LOCA and loss of offsite power may have been used as the basis
for the safety system design at some plants.  An addition to the end of the
first paragraph in the Discussion section makes a clarification that the
sequences discussed in Generic Issue 17 are not the subject of this
information notice.

The revisions made to the end of the Discussion section clarify that, while
the information in this notice may be of interest to all facility designs, not
all facilities may be required to demonstrate the ability to cope with this
sequence as part of their licensing basis.  The NRC staff is considering as a
separate generic action whether all facilities should be required to include
these design capabilities.

Description of Circumstances

In a report of May 1, 1989, the Virginia Electric Power Company, the licensee
for the Surry Power Station, reported a deficiency in the emergency diesel
generator (EDG) loading logic that could have resulted in overloading the EDGs
if a loss of offsite power had occurred after a LOCA or other design basis
event causing the automatic start of the safety system electrical loads.  The
information supplied by the licensee indicated that consideration had not been
given to this sequence of events in the design of the original EDG loading
logic.  Only a simultaneous LOCA and loss of offsite power was used as the
design basis for the EDGs.  During recent work on the Improved Standard
Technical Specification program and through discussion with nuclear steam
supply system owners groups, the NRC has determined that licensees may have
similar design logic problems at other plants.  The logic at these plants may
have been designed to respond properly to a simultaneous LOCA and loss of
offsite power but may not be capable of responding to other sequences which
may also result in a loss of offsite power because of the characteristics of
the particular design.

Discussion

General Design Criteria 17 (GDC 17) of Appendix A to Part 50 of Title 10 of
the Code of Federal Regulations requires that, following a loss of offsite
power, the onsite power system be sufficient to ensure that the core is cooled
and containment integrity and other vital functions are maintained in the      
event of postulated accidents.  Licensees typically include an analysis in
Chapter 15 of the plant Safety Analysis Report for a simultaneous occurrence
of a loss of offsite power and a LOCA.  However, licensees may not always
analyze for other possible sequences; the NRC has normally not required that
other sequences be analyzed in the Final Safety Analysis Report.  Thus, if the
Chapter 15 analysis was used as the basis for establishing safety system
design, the safety systems in some plants may have been designed to respond
properly if these events occurred alone or if they occurred simultaneously,
but not for other possible sequences.  In its prioritization of Generic 
Issue 17 regarding loss of offsite power unrelated to the initiating event
occurring approximately two minutes after a LOCA and following operator reset
of the safety injection signal, the NRC staff determined that that particular
sequence had an extremely low probability and concluded that the issue was in
the DROP category.  That particular LOCA/delayed loss of offsite power
sequence is therefore not a concern; however other LOCA and loss of offsite
power sequences that occur more rapidly and are a consequence of the
initiating event remain a concern.

A LOCA with a delayed loss of offsite power may occur in various ways.  In one
scenario, the LOCA results in a turbine trip and a loss of power generation to
the grid causing grid instability and a subsequent loss of offsite power.  In
another scenario, the loss of power generation causes a degraded voltage at
the plant switchyard, which causes the degraded voltage relays to actuate,
resulting in a delayed loss of offsite power to the safety buses.  In plants
where the safety buses are normally fed from a unit auxiliary transformer
normally connected to the output of the main generator, the loss of offsite
power could result from a failure of the buses to transfer to the offsite
source after the LOCA, or a failure of the offsite transformer to carry the
additional load.  In such events, offsite power will be lost to the safety
buses during the sequencing of the LOCA loads (if LOCA loads are designed to
be sequenced on offsite power) or shortly thereafter.  The control logic and
piping systems (safety injection, service water, etc.) at some plants may not
be designed to meet the consequences of such events.  Possible adverse results
include the failure to re-energize loads required to respond to a LOCA,
improper loading and loss of the diesel generators, and water hammer in the
piping systems.  Depending on the plant design, such sequences may occur as
the consequence of the LOCA and not be a result of a separate failure. 

The opposite sequence is a loss of offsite power followed by a delayed LOCA.
One way in which this sequence could occur is if, after the loss of power
occurred, a safety relief valve lifted and failed to reseat properly,
resulting in a loss of reactor coolant inventory and a LOCA initiation signal. 
For most plant designs, sequences such as this may require postulation of a
single failure after the loss of offsite power.    
 
The Final Safety Analysis Reports of some licensees clearly describe a design
that includes the capability to respond to a LOCA followed by a loss of
offsite power and/or a loss of offsite power followed by a LOCA.  The design
of the control logic, the electrical power and control systems, and the fluid
systems all contribute to ensuring that safety systems respond appropriately
to these events.  Some plant FSARs do not explicitly describe such design
capabilities.  The NRC staff is considering generic action to determine if all
power reactor licensees should be required to demonstrate the subject 
capabilities.

This information notice revision requires no specific action or written
response.  If you have any questions about the information in this notice,
please contact the technical contact listed below or the appropriate Office of
Nuclear Reactor Regulation (NRR) project manager.

                                    /S/'D BY BKGRIMES


                                    Brian K. Grimes, Director    
                                    Division of Operating Reactor Support
                                    Office of Nuclear Reactor Regulation

Technical contact:  James Lazevnick, NRR
                    (301) 504-2782
Page Last Reviewed/Updated Tuesday, November 12, 2013