Information Notice No. 95-15: Inadequate Logic Testing of Safety-Related Circuits
NUCLEAR REGULATORY COMMISSION
OFFICE OF NUCLEAR REACTOR REGULATION
WASHINGTON, D.C. 20555
March 7, 1995
NRC INFORMATION NOTICE 95-15: INADEQUATE LOGIC TESTING OF
All holders of operating licenses or construction permits for nuclear power
The U.S. Nuclear Regulatory Commission (NRC) is issuing this information
notice to alert addressees to logic testing methods that may not completely
test the functionality of a safety-related control circuit. It is expected
that recipients will review the information for applicability to their
facilities and consider actions, as appropriate, to avoid similar problems.
However, suggestions contained in this information notice are not NRC
requirements; therefore, no specific action or written response is required.
Description of Circumstances
The following logic system functional testing deficiencies have been reported
recently and serve as examples of inadequate surveillance testing.
Cooper Nuclear Station
On May 23, 1994, during review of test procedures for automatic load shedding,
the licensee determined that load shedding of nonsafety loads from safety-
related electrical buses was not being verified. In addition to five
nonsafety-related motor control centers, the load shed capability of the
service water booster pumps, the station air compressors, and the control rod
drive pumps was not verified. As a result, both emergency diesel generators
were declared inoperable, the licensee declared an Unusual Event, and the
reactor was shut down.
On July 15, 1994, the licensee discovered that the permissive interlocks for
the 4160-Vac emergency bus undervoltage relays were not being adequately
tested. While the reviewing engineer was verifying that proper test overlap
existed between an electrical logic functional test procedure and a related
instrumentation and control (I&C) logic functional test procedure for the
residual heat removal system, he determined that neither the electrical
procedure nor the I&C procedure fully tested the pump logic.
9503010381. IN 95-15
March 7, 1995
Page 2 of 4
Neither procedure included testing of the conductors that connected the
electrical and the I&C portions of the circuit. Additionally, verification
that a switchgear circuit breaker would not close following initiation of an
undervoltage relay was not included in the procedure.
On September 7, 1994, the licensee discovered that surveillance test
procedures did not adequately verify that safety-related 4160-Vac and 480-Vac
electrical buses designed to swap from one power source to another ("swing"
buses) would properly deenergize and subsequently automatically realign to
the proper source. Before performing the integrated emergency diesel
generator testing, the swing buses were routinely aligned to the electrical
division not under test.
A licensee investigative team concluded that the swing buses may have been
deleted from the preoperational test procedure because of a misunderstanding
of what constituted a "permanently connected load" in their technical
specifications. Although the swing buses can be aligned to more than one
power source, the transfer from one source to another requires that the buses
be momentarily deenergized (a "dead bus" transfer) and therefore should be
considered permanently connected loads. The licensee subsequently revised the
definition of a permanently connected load in the technical specification
Grand Gulf Nuclear Station
On September 29, 1994, during a review of logic system functional testing
overlap, the licensee discovered that one of four sets of contacts in the "B"
containment spray train high drywell pressure initiation logic was not being
verified to function during testing. Because of a difference in logic between
the "A" and "B" trains, the manual initiation pushbutton had to be held in
while the trip signal was introduced in the "B" train logic. Holding the
pushbutton in created a current path that bypassed one set of contacts, and
these contacts were not tested elsewhere in the procedure.
Arkansas Nuclear One, Unit 2 (ANO-2)
On October 7, 1994, in response to a query about logic system functional
testing from the NRC senior resident inspector, the licensee discovered that
the swing high-pressure safety injection pump actuation logic was not being
fully tested under the engineered safety features surveillance test procedure.
The swing pump safety injection actuation signal was not being verified when
the pump was being powered from either emergency diesel generator. Further
review of the service water pump surveillance methodology found that
individual contacts in the engineered safety feature starting circuitry also
were not being tested. These contacts prevent redundant service water pumps
from automatically starting and loading onto a 4160-Vac bus being powered by a
diesel generator to ensure that the diesel is not overloaded.
. IN 95-15
March 7, 1995
Page 3 of 4
Arkansas Nuclear One, Unit 1 (ANO-1)
On October 8, 1994, the licensee performed a review of engineered safety
feature testing methodology as a result of concerns raised during operation of
ANO-2 and discovered two discrepancies. The licensee found that integrated
testing of the high-pressure injection pumps did not include complete
verification of the circuit breaker position interlocks used in the pump auto-
start circuitry. Also, integrated testing did not verify that the swing high
pressure injection pump would start if the logic path containing the normal
feeder breaker contact was used. Review of the service water system showed
that the automatic restart logic for the service water pumps is not verified
for the condition when power is supplied from the offsite feeder breaker.
Because testing of the engineered safety feature logic is performed during
reactor operation when actuation of the system under test would be
undesirable, the logic test must be broken up into parts so that the system
does not actuate. To ensure that no part of the logic is overlooked, the
procedures for these partial functional tests must assure an overlap between
where one section of testing ends and the next section begins.
Inadequate logic system functional testing of safety-related circuits has been
the topic of numerous information notices issued by the NRC, but licensees
continue to report instances in which a particular component or section of
logic has not been included in the testing. The complexity of some of these
circuits, combined with a lack of understanding of the depth of the review
required to verify the testing overlap, has resulted in continuing occurrences
of inadequate test scope.
Related Generic Communications
Information Notice 93-38, "Inadequate Testing of Engineered Safety Features
Actuation Systems," was issued on May 24, 1993, to alert licensees to
inadequate testing of engineered safety feature actuation systems.
Information Notice 92-40, "Inadequate Testing of Emergency Bus Undervoltage
Logic Circuitry," was issued on May 27, 1992, to alert licensees to a test
method that failed to verify the capability of undervoltage logic circuitry to
deenergize safety-related buses, thus preventing an emergency diesel generator
from closing onto the bus.
Information Notice 88-83, "Inadequate Testing of Relay Contacts in Safety-
Related Logic Systems," was issued on October 19, 1988, to alert licensees to
inadequate testing of relay contacts in safety-related logic systems.
. IN 95-15
March 7, 1995
Page 4 of 4
This information notice requires no specific action or written response. If
you have any questions about the information in this notice, please contact
one of the technical contacts listed below or the appropriate Office of
Nuclear Reactor Regulation (NRR) project manager.
/s/'d by BKGrimes
Brian K. Grimes, Director
Division of Project Support
Office of Nuclear Reactor Regulation
Technical contacts: Hukam Garg, NRR
David Skeen, NRR
List of Recently Issued NRC Information Notices
Page Last Reviewed/Updated Thursday, March 25, 2021