Information Notice No. 91-11: Inadequate Physical Separation and Electrical Isolation of Non-Safety-Related Circuits From Reactor Protection System Circuits

                              UNITED STATES
                         WASHINGTON, D.C.  20555

                            February 20, 1991

                              ELECTRICAL ISOLATION OF NON-SAFETY-
                              RELATED CIRCUITS FROM REACTOR 
                              PROTECTION SYSTEM CIRCUITS 


All holders of operating licenses or construction permits for 
Westinghouse (W)-designed nuclear power reactors.


This information notice is intended to alert addressees to a potential 
failure mechanism that could adversely affect the ability of the reactor 
protection system and the engineered safety features actuation system to 
perform their safety functions.  It is expected that recipients will 
review the information for applicability to their facilities and consider 
actions, as appropriate, to avoid similar problems.  However, suggestions 
contained in this information notice do not constitute NRC requirements; 
therefore, no specific action or written response is required.

Description of Circumstances:

On May 31, 1990, the licensee for the Trojan Nuclear Plant (Portland 
General Electric Company) informed the U.S. Nuclear Regulatory 
Commission's Operations Center of potential problems involving the 
circuits used to initiate reactor trip upon detection of undervoltage or 
underfrequency (UV/UF) conditions associated with the buses supplying 
power to the reactor coolant pump motors. The problems were discovered 
during a walkdown inspection of the solid state protection system (SSPS) 
as part of the design basis documentation program for the Trojan plant.  
The SSPS is a safety-related system used to automatically trip the 
reactor and to automatically initiate engineered safety features equipment.  
During the SSPS walkdown inspection, the licensee discovered that 
the circuits used to sense UV/UF conditions were installed as 
non-safety-related components and were not properly physically separated 
or electrically isolated from the safety-related SSPS circuits. 

There are four reactor coolant pumps in the Trojan design, with two pumps
powered from each of two 12 kv buses.  Each of the buses is monitored by 
two channels of UV detection circuitry and two channels of UF detection 
circuitry. The four channels of UV/UF circuits are arranged in a 
1-out-of-2 taken twice logic for reactor trip.  Each channel of UV/UF 
detection circuitry actuates an associated SSPS input relay upon 
detecting a degraded UV/UF condition. 
The input relays in turn provide inputs to the logic.  Power to the SSPS 
input relays is provided by four 120 vac safety-related power supplies 
(buses Y11, Y22, Y13 and Y24).  The field contacts that actuate the SSPS 
input relays are non-safety-related, are located inside the 12 kv 
switchgear cabinets that house the 12 kv buses, are normally closed and 
carrying current supplied from the 120 vac safety buses, and are directly 
wired into the SSPS cabinets.  The 12 kv switchgear cabinets are not 
safety-related and are not designed to withstand seismic events.  

Several concerns have been identified with this configuration at Trojan.  
First, the design uses non-safety-related components to perform safety-
related reactor trip functions.  Credit is taken for the reactor coolant 
pump bus UV/UF trip function in the Trojan Final Safety Analysis Report 
(FSAR) safety analysis to protect the core if forced coolant flow is 

Second, inadequate physical separation and electrical isolation of 
non-safety-related circuits from safety-related SSPS circuits introduces 
the potential for challenges that can degrade the SSPS.  At Trojan, the 
coordination (i.e., location and size) of overcurrent protection devices 
within the SSPS was such that the effects of an electrical fault that 
originates in the non-safety-related circuits inside the 12 kv switchgear 
cabinets may not have been limited to the UV/UF circuits.  Because of 
inadequate isolation, such a fault could affect the SSPS slave relays.  
The SSPS slave relays, which are used to automatically actuate engineered 
safety features equipment, require power to accomplish their safety 
functions.  The slave relays share a common supply fuse (from Y11 for 
SSPS train A, and from Y24 for SSPS train B) with the associated reactor 
coolant pump bus UV/UF SSPS input relays.  Therefore, a fault in one of 
the 12 kv switchgear cabinets that causes the fuse to open to clear the 
fault in the UV/UF circuits could also result in the loss of power to 
that train of slave relays.  Because the two non-safety-related 12 kv 
switchgear cabinets are adjacent to each other, there are postulated 
faults (such as could be caused by a seismic event or equipment failure) 
which could result in common mode failure of both switchgear cabinets.  
During an accident, such a common mode failure could simultaneously cause 
a loss of power to all four reactor coolant pumps, disable the UV/UF 
reactor trip function and, because of the loss of power to both trains of 
SSPS slave relays, could result in the common mode failure of the 
automatic initiation capability for redundant trains of ESF equipment.  
However, the affected equipment could be manually initiated because this 
capability is independent of the SSPS. 

After discovering this problem, the licensee isolated the SSPS circuits 
from non-safety-related circuits.  This was accomplished by adding 
additional overcurrent protection and by improving coordination between 
protective devices in the SSPS circuits used to initiate reactor trip on 
reactor coolant pump UV/UF.  The licensee is planning to upgrade the 
UV/UF circuits to safety-related status. 
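
The shared-fuse dependency described above, and the effect of the added 
overcurrent protection, can be checked with a small fault-propagation model.  
This is an added example, not part of the notice or of any licensee analysis; 
the load and device names, the pairing of one switchgear cabinet with each 
train, and the single coordinated branch device per train are assumptions.

```python
# Added illustration: fault propagation through shared overcurrent protection.
# Device and load names are constructed for this sketch, not plant tag numbers.

# Each load maps to its protective devices, listed from the supply outward.
AS_FOUND = {
    "A_slave_relays": ["A_common_fuse"],   # train A, fed from Y11
    "A_uvuf_field": ["A_common_fuse"],     # wired into a 12 kV cabinet (assumed)
    "B_slave_relays": ["B_common_fuse"],   # train B, fed from Y24
    "B_uvuf_field": ["B_common_fuse"],     # wired into the other cabinet (assumed)
}
# After the change: an added branch device, coordinated to clear first (assumed).
MODIFIED = {
    **AS_FOUND,
    "A_uvuf_field": ["A_common_fuse", "A_uvuf_branch"],
    "B_uvuf_field": ["B_common_fuse", "B_uvuf_branch"],
}
NON_SAFETY = {"A_uvuf_field", "B_uvuf_field"}


def deenergized(paths, faulted):
    """Loads that lose power once the faults are cleared.

    Assumes coordinated protection: the device nearest each fault opens.
    """
    opened = {paths[load][-1] for load in faulted}
    return {load for load, devs in paths.items() if opened & set(devs)}


def esf_auto_available(paths, faulted):
    """Per train: do the slave relays still have power?"""
    lost = deenergized(paths, faulted)
    return {t: f"{t}_slave_relays" not in lost for t in ("A", "B")}


def isolation_findings(paths, non_safety):
    """Non-safety circuits whose clearing device also feeds other loads."""
    findings = {}
    for circuit in sorted(non_safety):
        collateral = deenergized(paths, {circuit}) - {circuit}
        if collateral:
            findings[circuit] = sorted(collateral)
    return findings


if __name__ == "__main__":
    both = NON_SAFETY  # postulated common-mode fault in both cabinets
    print("as found:", esf_auto_available(AS_FOUND, both))
    print("modified:", esf_auto_available(MODIFIED, both))
    print("findings:", isolation_findings(AS_FOUND, NON_SAFETY))
```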



Apparently, the UV/UF circuitry was not properly designed because the 
reactor vendor and the architect-engineering firm did not communicate 
adequately with one another during the original design of the plant.  The 
staff held discussions with the reactor vendor and the licensee and 
believes that other plants may have similar deficiencies in the UV/UF 
reactor trip circuitry. 

This information notice requires no specific action or written response.  
If you have any questions about the information in this notice, please 
contact one of the technical contacts listed below or the appropriate NRR 
project manager.

                              Charles E. Rossi, Director
                              Division of Operational Events Assessment
                              Office of Nuclear Reactor Regulation

Technical Contact:  Hulbert Li, NRR
                    (301) 492-0846

                    Walton Jensen, NRR
                    (301) 492-1157

Attachment:  List of Recently Issued NRC Information Notices

