Information Notice No. 79-04, Degradation of Engineered Safety Features
IN79004
February 14, 1979
MEMORANDUM FOR: B. H. Grier, Director, Region I
J. P. O'Reilly, Director, Region II
J. G. Keppler, Director, Region III
K. V. Seyfrit, Director, Region IV
R. H. Engelken, Director, Region V
FROM: Norman C. Moseley, Director, ROI:IE
SUBJECT: Information Notice No. 79-04, DEGRADATION OF
ENGINEERED SAFETY FEATURES
The subject document is transmitted for issuance on February 16, 1979. The
Information Notice should be issued to all holders of Reactor Operating
Licenses and Construction Permits.
Also enclosed is a draft copy of the transmittal letter.
Norman C. Moseley, Director
Division of Reactor Operations
Inspection
Office of Inspection and Enforcement
Enclosures:
1. IE Information Notice
No. 79-
2. Draft Transmittal Letter
CONTACT: J. C. Stone, IE
49-28019
.
(Transmittal letter for Information Notice 79-04 to each holder of an NRC
Operating License and Construction Permit.)
Information Notice No. 79-04
Addressee:
This Information Notice is provided as an early notification of a possibly
significant matter. It is expected that recipients will review the
information for possible applicability to their facilities. No specific
action or response is requested at this time. If further NRC evaluations so
indicate, an IE Circular, Bulletin or NRR Generic Letter will be issued to
recommend or request specific licensee actions. If you have questions
regarding the matter, please contact the Director of the appropriate NRC
Regional Office.
Signature
(Regional Director)
Enclosures:
1. Information Notice No. 79-04
2. List of IE Information
Notices Issued in 1979
.
UNITED STATES
NUCLEAR REGULATORY COMMISSION
OFFICE OF INSPECTION AND ENFORCEMENT
WASHINGTON, D.C. 20555
February 16, 1979
Information Notice No. 79-04
DEGRADATION OF ENGINEERED SAFETY FEATURES
Summary
On September 16, 1978, an unusual sequence of events occurred at Arkansas
Nuclear One, Units 1 and 2. The events involved the electrical power sources
and culminated in the spurious activation and degraded operation of Unit 2
Engineered Safety Features (ESF). Analysis of the course of the incident has
identified three safety concerns in the electrical distribution system
operation and design.
(1) The offsite power supply for ANO Unit 1 Engineered Safety Feature loads
was deficient in that degraded voltage could have resulted in the
unavailability of ESF equipment, if it were to be needed.
(2) The design of the ANO site electrical system that provides offsite
power to Units 1 and 2 did not fully meet the Commission's Regulations,
10 CFR 50, Appendix A, General Design Criterion 17, because in certain
circumstances a loss of one of the two offsite power circuits would
also result in a loss of the other such circuit.
(3) Deficiencies existed in the operation of the Unit 2 inverters that
convert DC to AC power for the uninterruptable 120 volt vital AC buses.
Description of Circumstances
Initially Unit 1 was operating at 100 percent power; Unit 2 was in hot
standby performing hot functional testing in preparation for initial
criticality and power operation.(1) Unit 1 auxiliary electrical loads were
being supplied from the Unit 1 main generator via the unit auxiliary
transformer. Unit 2 auxiliary electrical loads were. being fed from the
offsite grid through Startup Transformer No. 3. The normal operating status
was interrupted by the failure of the Unit 1 Loop "A" Main Steam Line
Isolation Valve (MSIV) air operator solenoid causing the MSIV to close as
designed. The Unit 1 Reactor Protection System sensed conditions requiring
reactor shutdown and tripped the reactor. The
___________________________________________________________________________
(1) The Unit 2 Operating License did not permit criticality of power
operation at the time of the incident.
1 of 5
.
Information Notice No. 79-04 February 16, 1979
Unit 1 turbine-generator tripped concurrently. Because the Unit 1 generator
could no longer supply power for the Unit 1 auxiliary loads, these loads
were automatically transferred to Startup Transformer No. 1 to supply this
power from offsite. The sequence of events should have ended at this point.
The power to Startup Transformer No. 3, which was feeding Unit 2, and to
Startup Transformer No. 1, now feeding Unit 1, normally passes through a
single piece of equipment, the Bus Tie Auto-Transformer. (Figure 1 shows a
simplified block diagram of the principal electrical equipment involved.)
The Auto-Transformer has the capacity to provide power for both units, but
due to an error, the protective relays were still adjusted for the operation
of Unit 1 only. As a result, when both units concurrently drew power from
the Auto-Transformer these protection relays tripped and cut off power to
Startup Transformer Nos. 1 and 3.
Startup Transformer No. 2, also shown in Figure 1, thus became the only
source of offsite power for both Units 1 and 2. The onsite switching
equipment automatically transferred the full auxiliary loads for both units
to this transformer. However, this transformer is not designed to carry full
auxiliary loads for both units. For this reason, Startup Transformer No. 2
became overloaded and the voltage dropped on the station distribution system
for offsite power. At this time and during most of the incident operating
personnel at both units were unaware of the degraded voltage(2) condition
due to the overloaded Startup Transformer No. 2.(3)
___________________________________________________________________________
(2) Two other events involving degraded voltage for ESF equipment occurred
at Millstone Unit 2 in July 1976. These events were reported as an
abnormal occurrence (No. 76-9) in NUREG-0900-5, Report to Congress on
Abnormal Occurrences, July-September 1976.
(3) It was subsequently determined that the following combinations of Unit
1 and Unit 2 operation would lead to the loss of the Bus Tie
Auto-Transformer and the subsequent overloading of Startup Transformer
No. 2:
1. Both Units in either the startup or shutdown mode, or
2. Trip of one unit while the other is in either the startup or
shutdown mode, or
3. Simultaneous trip of both units.
2 of 5
.
Information Notice No. 79-04 February 16, 1979
At Unit 2, eight seconds after the switch to Startup Transformer No. 2, the
relays(4) which operate to protect Engineered Safety Feature (ESF) equipment
from low (degraded) voltage disconnected and therefore deenergized both Unit
2 ESF buses as designed. At the same time, the Unit 2 Core Protection
Calculator (CPC) instrumentation registered trips which indicated a loss of
AC power to the circuits(5) that supply at least two instrument channels.
The loss of power on two 120 volt vital AC instrument buses caused, as
designed, an actuation of all Unit 2 Engineered Safety Features. Thus, when
the two Unit 2 emergency diesel generators started and provided power to the
previously deenergized ESF buses, the Engineered Safety Features equipment
began to operate. However, due to inverter failures, premature actuation of
the Recirculation Actuation System (RAS) occurred. This actuation
momentarily opened a flow path directly between the Refueling Water Tank
(RWT) and the containment sump. ESF operation and premature RAS operation
combined to transfer approximately 60,000 gallons of borated refueling water
to the containment sump in about 90 seconds.
___________________________________________________________________________
(4) These relays are the second level of undervoltage protection required
as a result of the NRC staff review of the 1976 Millstone 2 degraded
voltage event. Corrective design changes (i.e., undervoltage relays and
load sequencing to offsite power) had been implemented on Unit 2 for
degraded voltage protection. These design changes had not been
implemented on Unit 1 at the time of the event.
(5) Each one of the four CPC instrumentation circuits receives power from
a vital AC bus which in turn receives power from a battery through an
inverter that converts DC power to AC power. Each inverter normally
provides power through a circuit with access to both an ESF bus and the
station batteries. Each inverter also has an automatic switch that can
cut off this normal supply circuit and shift the loads to an alternate
supply circuit, which includes just the ESF bus. (See insert on Figure
1.) With both Unit 2 ESF buses momentarily deenergized the only source
of instrument power was from the station batteries through the normal
switch position. However, although the exact cause is unknown, all four
inverter automatic switches were found in the alternate position. Three
of four inverters had improper settings on time delay relays and one
inverter had the undervoltage trip setting too high, which may have in
part been the cause. IE Circular No. 79-02, Failure of 120 Volt Vital
AC Power Supplies, dated January 16, 1979, provided details of the
inverter problems and recommended items to be reviewed to avoid similar
problems.
3 of 5
.
Information Notice No. 79-04 February 16, 1979
The normal design sequence calls for the RAS to automatically change the
valve lineup when signals from the level instruments on the Refueling Water
Tank (RWT) indicate that the tank is nearly empty, which is expected to
occur approximately 30 minutes after the LOCA. During this incident, the RAS
acted immediately in response to the failure of the inverters and made the
change in lineup while the RWT was nearly full. The loss of power from the
inverters caused a false low water level indication in the RWT. This false
indication provided the signals for the automatic actuation of the RAS.
Had the Emergency Core Cooling System and/or the Containment Spray System
been needed in the event of a design basis loss of coolant accident, it
would not have performed as designed because of the premature RAS valve
actuation. ESF degradation on Unit 2 did not involve a threat to the health
and safety of the public because Unit 2 was preoperational and had no
radioactive fission product inventory in the core. However, there was no
assurance that the inverter deficiencies which caused the premature
operation of the RAS valves would have been corrected prior to Unit 2 power
operation.
In the event of a LOCA with a fission product inventory, if the RAS were to
initiate at the beginning of the accident, as it did in this incident, the
low pressure and high pressure coolant injection subsystems (LPCI and HPCI)
of Emergency Core Cooling (ECC) and the Containment Spray System might not
function properly. Actuation of RAS causes isolation of the water in the
RWT, which is the source of short term cooling water for Emergency Core
Cooling and Containment Spray. The premature actuation of RAS also causes
these pump suction lines to be connected to the containment sump when there
may not be sufficient water available.
Initially, the sequence of events on September 16 did not indicate any
problem with the electrical distribution system of Unit 1. However,
subsequent analysis indicated that in the event of a LOCA at Unit 1 during
which Startup Transformer No. 1 received both the auxiliary electrical loads
and starting loads of the Engineered Safety Features a voltage reduction
would result. The safety loads might not initially transfer to the Unit 1
diesel generators but could remain on the startup transformer with reduced
(degraded) voltage. Although there is margin in the sizing of emergency
equipment and the conditions of operation of such equipment, this situation
could cause fuses to blow in Engineered Safety Feature circuits which could
result in disabling the safety equipment.
4 of 5
.
Information Notice No. 79-04 February 16, 1979
Cause or Causes The immediate causes of the unusual event at Arkansas
Nuclear One were: (1) loss of the Bus Tie Auto-Transformer which resulted
in degraded power operation through Startup Transformer No. 2, and (2)
multiple Unit 2 inverter failures.
The loss of the Bus Tie Auto-Transformer was caused by inappropriate
setpoints for its protective relays. The Bus Tie Auto-Transformer loss had
not been adequately reviewed prior to this event in that the overloading of
the shared Startup Transformer No. 2 had not been identified during the
design and review process.
The primary cause of the failure of the inverters to perform as a reliable
power supply was the lack of adequate preoperational test procedures,
inadequate knowledge of inverter operation and lack of maintenance control
(maintenance has been performed on the inverters several times prior to this
event).
This Information Notice provides details of a significant occurrence that is
still under review by the NRC staff. After completion of the staff review,
this Information Notice will be followed with specific actions to be taken
by licensees.
No written response is required. If you desire additional information
regarding this matter, contact the Director of the appropriate NRC Regional
Office.
Attachment:
Figure 1, Simplified
Block Diagram, Electrical
Distribution
5 of 5
Page Last Reviewed/Updated Thursday, March 25, 2021