Information Notice No. 97-81: Deficiencies in Failure Modes and Effects Analyses for Instrumentation and Control Systems
NUCLEAR REGULATORY COMMISSION
OFFICE OF NUCLEAR REACTOR REGULATION
WASHINGTON, D.C. 20555-001
November 24, 1997
|NRC INFORMATION NOTICE 97-81:||DEFICIENCIES IN FAILURE MODES AND EFFECTS ANALYSES FOR INSTRUMENTATION AND CONTROL SYSTEMS|
All holders of operating licenses for nuclear power reactors except those who have ceased operations and have certified that fuel has been permanently removed from the vessel.
The U.S. Nuclear Regulatory Commission (NRC) is issuing this information notice to alert addressees to design inadequacies in safety-related instrumentation and control systems in which the original failure modes and effects analysis (FMEA) failed to identify the inability to perform intended function(s) in the presence of a single failure, which defeats the system independence and redundancy. It is expected that recipients will review the information for applicability to their facilities. However, suggestions contained in this information notice are not NRC requirements; therefore, no specific action or written response is required.
Description of Circumstances
Five events have been identified related to the design deficiency noted above:
1.On July 1, 1997, while Crystal River Unit 3 was in mode 5, the licensee discovered that in a postulated design-basis loss-of-coolant accident (LOCA), concurrent with a loss of offsite power (LOOP) and a single failure (such as a loss of the train A dc bus), the train B engineered safeguards system actuation (ESSA) signal could not be bypassed. The inability to bypass the train B ESSA signal removes the operator's ability to restore control complex chillers and causes certain train B high pressure injection (HPI) valves to remain open. These valves cannot be closed remotely when the LOCA is caused by a break on one of the HPI lines. This condition could lead to a potential for inadequate core cooling. In addition, the operators may not be able to cope with the event, because the station emergency operating procedures (EOPs) did not contain adequate guidance (LER 97-21, Accession No: 9708290125).
2.On July 25, 1997, while Three Mile Island, Unit 1 (TMI-1) was at 100-percent power, the TMI licensee discovered that in a postulated condition of a large-break LOCA, concurrent with LOOP and a single failure (such as a loss of the train A dc bus), the engineered safeguards (ES) system components of train B would be actuated. However, because of the loss of power to ESSA system channels A and C (due to loss of the train A dc bus), the operators would not be able to bypass the train B ESSA signal. The plant's design for accident conditions with loss of dc bus "A", did not consider the need for throttling low-pressure injection and building spray pump flow to ensure adequate net positive suction head when the suction is transferred to the reactor building sump from the borated water storage tank. Maintaining the minimum required flow ensures that these pumps remain operable, so that the cooling requirements of the reactor core and reactor building are met. However, the plant design upon loss of train A dc power, prevents the operators from taking manual control of the valves required to transfer low-pressure injection and reactor building spray pump suction from the refueling water storage tank (RWST) to the reactor building sump upon indication of a low-water-level condition in the RWST (LER 97-009, Accession No: 9709020257).
3.On May 15, 1997, while Waterford Unit 3 was at 100-percent power, the licensee discovered that in the postulated conditions of a LOCA with one RWST-level monitoring channel placed in a tripped state [as allowed by the Technical Specifications(TS)], if a single failure, such as a failure of another RWST-level channel occurs, a potential for premature initiation of the recirculation mode exists. In another situation, with one channel of steam generator (SG) differential pressure (DP) instrumentation associated with the emergency feedwater actuation signal (EFAS) placed in a tripped state, an event such as a main steam line break or a feedwater line break concurrent with a single failure such as loss of another SG DP instrument channel, results in a potential for not isolating the faulted SG from the emergency feedwater supply line (LER 97-16, Accession No: 9706180379).
4.On September 16, 1997, while Arkansas Nuclear One, Unit 2 (ANO-2) was at 100-percent power, the licensee discovered that a potential for premature actuation of the recirculation mode exists in case of a LOCA concurrent with one of the RWST-level instrumentation channels in a tripped state and a failure in another RWST-level monitoring channel. In another situation, the automatic isolation of a faulted SG during certain main steam line or feedwater line breaks will not occur if one instrumentation channel monitoring SG DP is in a tripped state and another SG DP channel has failed (LER 97-03, Accession No: 9706190213).
5.On October 30, 1996, while ANO-2 was at 100-percent power, the licensee discovered that while one plant protective system (PPS) channel is in bypass, a scenario consisting of a LOOP concurrent with a single failure, such as a loss of the train A dc bus, would result in a failure of certain engineered safeguard function (ESF) systems to actuate automatically. ESF systems affected are the containment isolation system (CIS), containment spray system (CSS), and emergency feedwater system (EFWS). The consequence of a dc bus failure alone could lead to the same failures with loss of off-site power and loss of on-site power in the affected train (LER 96-04-01, Accession No: 9702120360).
The first two events described above are examples in which a single failure in a train (loss of dc bus A) not only prevented the train A safety system from performing the intended design function(s), but also prevented equipment in train B safety systems from performing their intended design function(s). The basic logic design of the ES system at both Crystal River Unit 3 and Three Mile Island Unit 1 consists of three primary analog monitoring instrumentation channels, powered from two redundant battery-backed dc buses and provides an ESSA signal to train A and train B equipment in a two-out-of-three logic scheme. Two of the three monitoring channels are powered from the train A dc bus and the third channel is powered from the train B dc bus. Since the logic arrangement is based on a two-out-of-three configuration and the train A dc bus feeds two channels, if dc bus A is lost, the ESSA signal cannot be bypassed because the bypass circuitry is powered from the same source as the signal initiation channels. This problem could exist at any other plant at which the ESSA signal is generated with a two-out-of-three logic configuration with the three monitoring channels fed from only two power sources.
As described in events 3 and 4 above, a failure in a single instrument channel with one other instrument channel of the same function placed in the "tripped" state as permitted by the TS, created a unique control-logic configuration that could prevent certain safety system(s) from performing intended design function(s) for mitigating a LOCA or steam/feedwater line break event(s). The ANO-2 vital power design for the plant protective system (PPS) consists of one emergency diesel generator (EDG), one battery/dc distribution system and two inverters for each power division. The ESF system actuation logic is based on a two-out-of four configuration. The design configuration for some measurement channels (steam generator pressure, pressurizer pressure, containment pressure) is such that upon loss of power, these channels do not fail to their safe state and, therefore, during a loss-of-power condition, are unable to automatically actuate the associated ESF systems if needed.
As described in event 5 above, during a postulated LOOP event concurrent with a loss of one dc bus, the CIS, CSS, and EFWS will fail to actuate if one PPS channel fed from the operable dc bus is in a bypassed state as permitted by the TS. The result of this existing condition is that during the period when one PPS channel is bypassed, the plant could have been operated outside its original design basis since many required automatic safety functions would have been unavailable. If a channel is not in bypass, all PPS functions except the function that controls feedwater flow/SG level to prevent SG overfill, will be available even if one power division is lost concurrent with a LOOP. The SG overfill prevention feature is not a required safety function for the postulated loss-of-power scenario.
The previous ANO-2 TS allowed one PPS channel to be in bypass for up to 48-hours to perform maintenance or testing based upon the low probability of a fault such as loss of a power division affecting more than one channel during the 48 hour interval. Thus, the failure of the automatic actuation capability of some ESFAS functions was considered sufficiently unlikely for the limited time one channel was permitted to be in bypass. Amendment 159 to the ANO-2 TS issued on April 3, 1995, increased the allowed time in bypass for one PPS channel during plant operation at full power from "48 hours" to "until the next cold shutdown." Reviews to support this amendment concluded that bypassing of a specific protective channel combined with a single failure would not prevent required protective actions. The discovery of the potential unavailability of required protective actions under the conditions described above indicated that the FMEA providing an acceptable basis for Amendment 159, was in error.
The FMEA did indicate that any of those PPS channels that generate a trip on a decreasing value of the process signal will actuate on loss of power (because the logic will perceive the loss of power as a decrease in the value of the process signal). However, the FMEA failed to recognize that those PPS channels that generate a trip on an increasing value of the process signal will never actuate if power is lost to the measurement channel. Thus, the FMEA was in error in its conclusion that "the vital ac power system did not have a single failure mechanism that could cause failure of two vital AC power channel inputs" (a minimum of two channels is required for a two-out-of four logic).
To alleviate the problem described in events 1 and 2 above, the Crystal River licensee decided to revise the EOPs to provide procedural guidance on a loss of ES train bypass capability upon loss of dc bus A. The revised EOPs will provide guidance to recognize the failure and an alternative method to bypass the B train ESSA signal. This will allow the operators to regain control of the necessary ES equipment to assure adequate high-pressure injection flow to the reactor. It will also allow operators to throttle HPI flow when the subcooling margin is restored to maintain RCS pressure below pressurized thermal shock limits. The TMI licensee is also revising the EOPs to (1) proceduralize methods to diagnose an inability to bypass the ESSA signal, (2) provide alternate methods to energize the train A dc bus so that the ESSA signals can be bypassed, and (3) identify required operator actions necessary to achieve minimum flow requirements for reactor core and reactor building cooling.
For the concerns described in events 3 and 4 above, relating to events (LOCA, main steam line break or feedwater line break) with one instrument channel in a tripped state while another channel has failed, the ANO-2 licensee provided the needed temporary administrative controls until a permanent fix involving a TS change is implemented. The Waterford licensee has also evaluated the conditions related to channel trip and provided temporary administrative controls until a permanent fix involving a TS change is implemented.
To address the problem described in event 5 above, the ANO-2 licensee evaluated the condition and concluded that the PPS will continue to perform its design function if a channel is bypassed for no longer than 48 hours. As a short term corrective action, the licensee established administrative controls which prevent a PPS channel from remaining in bypass for more than 48 hours. A "Night Order" was issued to the ANO-2 operations personnel to remind them of the guidance contained in the EOPs regarding actions to mitigate potential SG overfill events. The licensee has indicated that its long term corrective action will be to install hardware modifications which will allow a single channel to remain in bypass indefinitely with no loss of safety function. The licensee will install these modifications by the end of refueling outage 2R13 in 1999, and incorporate changes to the Safety Analysis Report (including the FMEA for dc bus failures) to reflect those modifications and resolve issues discovered during the root cause evaluation of the condition following that outage.
The preceding examples describe inadequacies in the "design-process," in which the original FMEA failed to identify and correct potential failure modes in the plant design, and the independent design verification process failed to detect the FMEA inadequacies. This concern is addressed in Title 10, Code of Federal Regulations, Part 50, Appendix B, Criterion III, "Design Control," which stipulates, "Measures shall be established to assure that applicable regulatory requirements and the design basis, as defined in 50.2 and as specified in the license application, for those structures, systems, and components to which this appendix applies are correctly translated into specifications, drawings, procedures, ... components. The design control measures shall provide for verifying or checking the adequacy of design ...."
This information notice requires no specific action or written response. If you have any questions about the information in this notice, please contact one of the technical contacts listed below or the appropriate Office of Nuclear Reactor Regulation (NRR) project manager.
Jack W. Roe, Acting Director
S.V. Athavale, NRR
Thomas Koshy, NRR