Information Notice No. 93-11: Single Failure Vulnerability of Engineered Safety Features Actuation Systems
UNITED STATES NUCLEAR REGULATORY COMMISSION
OFFICE OF NUCLEAR REACTOR REGULATION
WASHINGTON, D.C. 20555

February 4, 1993

NRC INFORMATION NOTICE 93-11: SINGLE FAILURE VULNERABILITY OF ENGINEERED SAFETY FEATURES ACTUATION SYSTEMS

Addressees

All holders of operating licenses or construction permits for nuclear power reactors.

Purpose

The U.S. Nuclear Regulatory Commission (NRC) is issuing this notice to alert addressees to potential single failure vulnerabilities in engineered safety features actuation systems. It is expected that recipients will review the information for applicability to their facilities and consider actions, as appropriate, to avoid similar problems. However, suggestions contained in this information notice are not NRC requirements; therefore, no specific action or written response is required.

Description of Circumstances

On July 6, 1992, during a planned outage at the Millstone Nuclear Power Station, Unit 2, with the core off-loaded to the spent fuel pool, the licensee, the Northeast Nuclear Utilities Company, was preparing to replace two vital inverters. Millstone Unit 2 uses four inverters, two on each vital dc bus, to power two trains of engineered safety feature actuation comprising four sensor cabinets and two actuation cabinets. Operators removed power from one actuation train, which caused a false loss-of-normal-power signal and a false start signal for the emergency core cooling system. The effect of this action was similar in consequence to the complete loss of one of the two vital dc buses. One emergency diesel generator (EDG) started and tied onto the bus. The second EDG did not start because it was out of service for maintenance. After the one EDG started, the safety loads failed to sequence onto the bus because of a continuous false load shed signal. Operators recovered from the event by stopping the EDG and restoring power to one of the sensor cabinets.
This action removed the false loss of power signal and thus the load shed signal.

The licensee reviewed the event and concluded that an unblocking feature of the automatic test insertion (ATI) system had caused the continuous load shedding signal. The ATI system, a continuous, on-line logic tester that is common to both trains, was still energized and permitted the spurious loss of power signal to continue to shed the loads. The ATI system applies 2-millisecond unblocking pulses to the input of the actuation logic modules and checks the module outputs for proper operation. The 2-millisecond pulses are too brief to actuate relays and start equipment. In 1978, the licensee added a feature to permit ATI testing of the loss of normal power logic. To test the logic, the licensee determined that the ATI system needed to provide an unblocking of the loss of power signal for 500 milliseconds. In the actual event, the false signal generated by the lack of control power was continuously present during the 500 ms ATI unblocking signal. This caused a recurring load shed signal to be generated even though the EDG was ready to accept loads; therefore, the EDG load breakers never closed.

In reviewing the event, the licensee determined that the engineered safety feature actuation system could also cause other unintended actions under certain power supply failure conditions. These automatic actions are not related to the ATI modification.

(1) If power is lost to either one of the two dc vital buses, both the safety injection actuation signal and the sump recirculation actuation signal would be simultaneously initiated. The recirculation actuation signal would result in tripping all low pressure injection pumps. Also, the spurious sump recirculation actuation signal would cause one of the containment sump outlet valves to open.
(2) If power were lost only to the sensor cabinets in one actuation train, both containment sump outlet valves would open. If this occurred during a loss-of-coolant accident, high pressure in containment could shut both refueling water storage tank check valves, inhibiting flow to all emergency coolant injection pumps.

(3) The loss of all dc power to one actuation train would cause a power operated relief valve in the other train to open. In addition, when control power alone is lost to only the sensor cabinets in a single actuation train, spurious high pressurizer pressure signals would cause the relief valves in both trains to open. Both cases would result in a loss of primary coolant.

Discussion

The design deficiency in the on-line testing feature could have prevented both emergency diesels from accepting emergency loads under certain single failure conditions. The licensee investigated this event at Millstone Unit 2 and found several single failure vulnerabilities related to loss of a vital dc bus that may apply to engineered safety features actuation systems at other plants. Although the described event resulted from an ATI modification, the other vulnerabilities are inherent in the actuation system design and its power supplies.

Millstone Unit 2 uses two-out-of-four logic supplied by Consolidated Controls Incorporated to automatically actuate a number of safety features. In the actuation system, a sensor and subsequent interposing electronic logic condition the signal for use by the actuation logic. Upon loss of power, the interposing logic generates a signal to perform the safety function. The problems discussed above result from having a two-out-of-four logic powered by only two safety-related power sources, coupled with a lack of coherence in specifying the preferred failure mode for automated safety-related actions given a loss of power.
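As an added illustration (not part of the notice or the licensee's design documentation), a small Python model of the two mechanisms described above: the two-out-of-four coincidence logic whose four sensor channels draw on only two vital dc buses, and the 500 ms ATI unblocking window that lets a persistent false loss-of-normal-power signal re-issue load shed before the EDG sequencer can finish. The channel-to-bus assignment, the ATI test period and the sequencer duration are assumed values chosen for the model.

```python
# Added, simplified model (not from the notice) of the two failure mechanisms it
# describes. The channel-to-bus assignment below and the ATI test period and
# sequencer time used in load_sequencing() are assumed values, not plant data.
BUS_OF = {"S1": "DC-A", "S2": "DC-A", "S3": "DC-B", "S4": "DC-B"}  # assumed mapping

def two_of_four(demand, lost_buses, fail_mode="actuate"):
    """Coincidence output. A channel on a de-energized bus asserts its signal when
    the interposing logic fails 'actuate' (the behaviour the notice describes) and
    stays silent when it fails 'quiet'. Powered channels follow the process demand."""
    votes = 0
    for bus in BUS_OF.values():
        if bus in lost_buses:
            votes += 1 if fail_mode == "actuate" else 0
        else:
            votes += 1 if demand else 0
    return votes >= 2

def spurious_bus_losses(fail_mode="actuate"):
    """Single vital-bus losses that actuate with no process demand present."""
    return sorted(b for b in set(BUS_OF.values()) if two_of_four(False, {b}, fail_mode))

def load_sequencing(false_signal, unblock_ms=500, test_period_ms=2000,
                    sequence_ms=3000, run_ms=10000, step_ms=100):
    """Time-stepped model of EDG load sequencing. The ATI passes the loss-of-power
    input to the logic for `unblock_ms` every `test_period_ms`; each time the false
    signal is seen a new load shed is issued and the sequencer restarts. Loads are
    on the bus only once the sequencer runs `sequence_ms` without a load shed."""
    elapsed, sheds, seen_prev = 0, 0, False
    for t in range(0, run_ms, step_ms):
        seen = false_signal and (t % test_period_ms) < unblock_ms
        if seen and not seen_prev:       # rising edge: load shed, breakers reopen
            sheds += 1
            elapsed = 0
        elif not seen:
            elapsed += step_ms
            if elapsed >= sequence_ms:
                return {"loaded": True, "sheds": sheds, "at_ms": t}
        seen_prev = seen
    return {"loaded": False, "sheds": sheds, "at_ms": None}

if __name__ == "__main__":
    print("spurious actuation on single bus loss (fail-actuate):", spurious_bus_losses())
    print("spurious actuation on single bus loss (fail-quiet):", spurious_bus_losses("quiet"))
    print("EDG loads with false signal present:", load_sequencing(True))
    print("EDG loads after false signal removed:", load_sequencing(False))
```

The fail-quiet comparison shows that with two channels per bus a single bus loss still leaves enough live channels to actuate on a real demand, which is why the notice frames the problem as one of choosing a preferred failure mode per function rather than of the voting logic alone.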
The licensee is preparing modifications to correct these problems and is reviewing the design of Unit 2 for other similar problems.

In NRC Bulletin 79-27, "Loss of Non-Class 1E Instrumentation and Control Power System Bus During Operation," the NRC requested licensees to evaluate the effects of a loss of power to 1E and Non-1E instrument and control systems. In addition, in NRC Generic Letter 89-18, "Systems Interactions in Nuclear Power Plants," the NRC highlighted concerns regarding actuation system designs that may have automated safety-related actions with no preferred failure modes.

This information notice requires no specific action or written response. If you have any questions about the information in this notice, please contact one of the technical contacts listed below or the appropriate Office of Nuclear Reactor Regulation (NRR) project manager.

ORIGINAL SIGNED BY

Brian K. Grimes, Director
Division of Operating Reactor Support
Office of Nuclear Reactor Regulation

Technical contacts: Ram S. Bhatia, Region I
                    (215) 337-5262

                    Thomas Koshy, NRR
                    (301) 504-1176

Attachment: List of Recently Issued NRC Information Notices