Information Notice No. 94-20: Common-Cause Failures due to Inadequate Design Control and Dedication


March 17, 1994



All holders of operating licenses or construction permits for nuclear power


This information notice is being provided to alert addressees to potential
common-cause failures resulting from inadequate design control and dedication
measures implemented for the replacement of electro-mechanical relays with
digital microprocessor-based relays.  It is expected that recipients will
review the information for applicability to their facilities and consider
actions, as appropriate, to avoid similar problems.  However, suggestions
contained in this information notice do not constitute NRC requirements;
therefore, no specific action or written response is required.

Description of Circumstances

A common-cause failure at the Beaver Valley Unit 2 Power Station rendered
inoperable multiple trains of a system designed to mitigate the consequences
of an accident.  On November 4, 1993, during testing of the Train A, 2-1
emergency diesel generator (EDG) load sequencer, the sequencer failed to
automatically load safety-related equipment onto the emergency bus.  Two
suspect relays were replaced and the surveillance test was successfully
repeated.  On November 6, 1993, during surveillance testing, the Train B, 2-2
EDG load sequencer failed to automatically load safety-related equipment onto
the emergency bus.  An NRC Augmented Inspection Team was sent to the site to
review the circumstances surrounding these events (Inspection Report


The EDG load sequencers control the sequence in which safety-related equipment
starts after the EDG restores power when normal power is lost on the emergency
busses.  Timer/relays are used to load the safety-related equipment in six
discrete steps during a 1-minute period.  The same type of timer/relay is also
used to reset the diesel generator load sequencer if a safety injection or a
containment isolation Phase B signal is received.  Resetting the load
sequencer allows necessary emergency core cooling system equipment to be
loaded.  The load sequencers originally used electro-mechanical timer/relays
to generate the timed steps and sequencer reset function.  The
electro-mechanical timer/relays were replaced with microprocessor-based
timer/relays during the second refueling outage, in November 1990.  Each
train of the load sequencer has eight Model 365A digital microprocessor-based
timer/relays manufactured by Automatic Timer Controls Inc.  The timer/relays
were purchased as commercial-grade items and dedicated for safety-related
service. A review of these events indicated that the microprocessor-based
timer/relay failed as a result of the voltage spikes that were generated by
the auxiliary relay coil controlled by the timer/relay.  The voltage spikes,
also referred to as "inductive kicks," were generated when the timer/relay
time-delay contacts interrupted the current to the auxiliary relay coil.
These spikes then arced across the timer/relay contacts.  This arcing, in
conjunction with the inductance and wiring capacitance, generated fast
electrical noise transients called "arc showering" (electromagnetic
interference).  The peak voltage noise transient changes as a function of the
breakdown voltage of the contact gap, which changes as the contacts move
apart and/or bounce.  These noise transients caused the microprocessor in the
timer/relay to fail.  The failure of the microprocessor-based timer/relay
caused the time-delay contacts to reclose shortly after they had properly
opened as part of the load sequencer operation.  Closing the time-delay
contact locked out (deenergized) the load sequencer master relay and
prevented the load sequencer from operating.  To correct the identified
problem, the licensee installed diodes across the auxiliary relay coils to
suppress the voltage spike that had caused the microprocessor-based
timer/relay failure.  This modification was confirmed to correct the problem
through successful testing of the EDG load sequencer.
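As an added illustration (not part of the notice), the following model estimates the transient an unsuppressed auxiliary relay coil produces across the opening time-delay contact, and shows how the same unsuppressed timer/relay in every train turns that one susceptibility into a common-cause lockout; all component values, the immunity threshold, and the sequencer behaviour are assumptions constructed for the example.

```python
import math
from dataclasses import dataclass

# Constructed parameters for illustration only; none come from the notice.
COIL_INDUCTANCE_H = 2.0        # auxiliary relay coil inductance, henries (assumed)
COIL_CURRENT_A = 0.05          # coil current when the contact opens (assumed)
STRAY_CAPACITANCE_F = 200e-12  # wiring/contact stray capacitance (assumed)
SUPPLY_V = 125.0               # DC control voltage (assumed)
DIODE_DROP_V = 0.7             # forward drop of the suppression diode (assumed)
IMMUNITY_V = 1000.0            # transient the microprocessor tolerates (assumed)

def contact_transient_peak(diode_across_coil: bool) -> float:
    """Peak voltage across the opening time-delay contact.
    Unsuppressed, the coil energy 1/2*L*I^2 rings into the stray capacitance
    1/2*C*V^2, giving V = I*sqrt(L/C) (undamped, arc-free upper bound).
    With a diode across the coil the current recirculates through the diode,
    so the contact sees only the supply plus one diode drop."""
    if diode_across_coil:
        return SUPPLY_V + DIODE_DROP_V
    return COIL_CURRENT_A * math.sqrt(COIL_INDUCTANCE_H / STRAY_CAPACITANCE_F)

@dataclass
class TimerRelay:
    step: int
    diode_across_coil: bool
    failed: bool = False

    def open_contacts(self) -> bool:
        """Open the time-delay contact; True if it stays open."""
        if contact_transient_peak(self.diode_across_coil) > IMMUNITY_V:
            self.failed = True  # microprocessor upset: contact recloses
            return False
        return True

def run_sequencer(diode_across_coil: bool, steps: int = 6) -> dict:
    """One load-sequencer train: each step's timer/relay opens its contact in
    turn. A reclosed contact deenergizes the master relay, locking out the
    remaining steps (the failure the notice describes)."""
    loaded = []
    for relay in (TimerRelay(i + 1, diode_across_coil) for i in range(steps)):
        if not relay.open_contacts():
            return {"loaded_steps": loaded, "locked_out_at": relay.step}
        loaded.append(relay.step)
    return {"loaded_steps": loaded, "locked_out_at": None}

def common_cause_check(diode_across_coil: bool = False, trains=("A", "B")) -> dict:
    """Identical relays in every train share the susceptibility, so redundancy
    does not help: each train locks out at the same step."""
    return {t: run_sequencer(diode_across_coil)["locked_out_at"] for t in trains}
```

With the assumed values the unsuppressed contact sees roughly 5 kV against a 1 kV immunity level, so both trains lock out at step 1; with the diode the contact sees about 126 V and all six steps load.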

The design control for the selection and review for suitability of the
microprocessor timer/relays for this application was not adequate.  The
modification design data did not identify the potential for voltage spiking by
the auxiliary relays and translate that potential into electromagnetic
interference requirements for the equipment purchase specification and the
dedication testing specification.  As a result of inadequate design control, a
common-cause failure mechanism was introduced into the diesel generator load

This event highlights the need to ensure proper design control activities when
replacing discrete component electrical or electro-mechanical devices with
digital microprocessor-based electronic devices.  Specifically, the event
shows that safety-significant, common-mode failures can occur when the design
review does not ensure that the digital, microprocessor-based replacement
equipment is compatible for the specific application and service environment.

This information notice requires no specific action or written response.  If
you have any questions about the information in this notice, please contact
one of the technical contacts listed below or the appropriate Office of
Nuclear Reactor Regulation (NRR) project manager.

/s/'d by BKGrimes

                        Brian K. Grimes, Director
                        Division of Operating Reactor Support
                        Office of Nuclear Reactor Regulation

Technical contacts:  John Calvert, RI
               (610) 337-5194

               Eric Lee, NRR
               (301) 504-3201
