[Federal Register Volume 60, Number 98 (Monday, May 22, 1995)]
[Notices]
[Pages 27141-27143]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 95-12468]
-----------------------------------------------------------------------
NUCLEAR REGULATORY COMMISSION
Proposed Generic Communication; Testing of Safety-Related Logic
Circuits
AGENCY: Nuclear Regulatory Commission.
ACTION: Notice of opportunity for public comment.
-----------------------------------------------------------------------
SUMMARY: The Nuclear Regulatory Commission (NRC) is proposing to issue
a generic letter concerning problems with the testing of safety-related
logic circuits. This draft generic letter requests addressees to review
surveillance procedures to determine whether any of the procedures fail
to test all required portions of the logic circuitry and, if any
problems are found, to correct the problems. The NRC is seeking comment
from interested parties regarding both the technical and regulatory
aspects of the proposed generic letter presented under the
Supplementary Information heading. This proposed generic letter and
supporting documentation were discussed in meeting number 272 of the
Committee to Review Generic Requirements (CRGR) on April 25, 1995. The
relevant information that was sent to the CRGR to support their review
of the proposed generic letter will be made available in the NRC Public
Document Room. The NRC will consider comments received from interested
parties in the final evaluation of the proposed generic letter. The
NRC's final evaluation will include a review of the technical position
and, when appropriate, an analysis of the value/impact on licensees.
Should this generic letter be issued by the NRC, it will become
available for public inspection in the Public Document Rooms.
The staff recognizes that during implementation of the requested
actions in the proposed generic letter, licensees may identify
conditions in violation of their technical specifications or other NRC
requirements. Consequently, the staff is considering the possibility of
exercising enforcement discretion under certain circumstances during
the period of implementation of the requested actions in order to
encourage licensees to perform effective reviews.
DATES: Comment period expires on July 21, 1995. Comments submitted
after this date will be considered if it is practical to do so, but
assurance of consideration cannot be given except for comments received
on or before this date.
ADDRESSES: Submit written comments to Chief, Rules Review and
Directives Branch, U.S. Nuclear Regulatory Commission, Washington, DC
20555. Written comments may also be delivered to 11545 Rockville Pike,
Rockville, Maryland, from 7:30 am to 4:15 pm, Federal workdays. Copies
of written comments received may be examined at the NRC Public Document
Room, 2120 L Street, NW., (Lower Level), Washington, DC.
FOR FURTHER INFORMATION CONTACT:
Hukam Garg, (301) 415-2929.
SUPPLEMENTARY INFORMATION:
NRC Generic Letter No. 95-XX: Testing of Safety-Related Logic Circuits
Addresses
All holders of operating licenses or construction permits for
nuclear power reactors.
Purpose
The U.S. Nuclear Regulatory Commission (NRC) is issuing this
generic letter to: (1) notify addressees about problems with testing of
safety-related logic circuits, (2) request that all addressees implement
the actions described herein, and (3) require that all addressees
submit a written response to this generic letter regarding
implementation of the requested actions.
Background
The Nuclear Regulatory Commission staff had previously issued the
following information notices (INs) regarding problems with testing of
safety-related logic circuits: IN 88-83, ``Inadequate Testing of Relay
Contacts in Safety-Related Logic Circuits,'' dated October 19, 1988; IN
91-13, ``Inadequate Testing of Emergency Diesel Generators (EDGs),''
dated March 4, 1991; IN 92-40, ``Inadequate Testing of Emergency Bus
Undervoltage Logic Circuitry,'' dated May 27, 1992; IN 93-15, ``Failure
to Verify the Continuity of Shunt Trip Attachment Contacts in Manual
Safety Injection and Reactor Trip Switches,'' dated February 18, 1993;
and IN 93-38, ``Inadequate Testing of Engineered Safety Features
Actuation Systems,'' dated May 24, 1993. Despite these notices, recent
events have occurred similar to those described in the INs which
indicate that licensees have not taken sufficient action to correct
previously identified problems in logic circuit surveillance testing.
On March 7, 1995, NRC issued IN 95-15, ``Inadequate Logic Testing of
Safety-Related Circuits,'' which informed licensees about these recent
events at Cooper Nuclear Station, Fermi 2, Waterford 3, Grand Gulf
Nuclear Station, and Arkansas Nuclear One, Unit 1 and Unit 2.
Description of Circumstances
The NRC has documented a significant number of instances involving
problems with logic testing of safety-related circuits in the
information notices described above. These information notices discuss
events at various pressurized water and boiling water reactors. The
examples of problems with logic testing cover a wide range of systems
including safety injection system actuation, containment spray system
actuation, residual heat removal system actuation, diesel generator
load sequencing, and reactor protection system actuation. In most cases,
the affected logic circuits functioned properly when testing in
accordance with technical specification (TS)
requirements was performed. The NRC has taken enforcement action in
many of these cases since they resulted in violations. The details of
these instances are included in the information notices cited above. An
example of the details associated with this issue at Fermi Station is
repeated here.
On July 15, 1994, during a routine review of surveillance
procedures required by the Fermi Unit 2 TS, the licensee (Detroit
Edison Company) discovered that neither the procedures used for testing
the load shedding of the 4160 volt residual heat removal (RHR) pumps
nor the related instrumentation and control (I&C) logic functional test
procedure provided for the full testing of the RHR pump start logic.
Also, the test procedures did not include verification that the
switchgear breaker would not close with an undervoltage signal present
at the bus.
After investigating further, the licensee discovered additional
deficiencies in the undervoltage functional test surveillance
procedures including the logic functional test surveillance procedures
for the three other engineered safety buses. Also, the surveillance
test overlap did not include sufficient overlap of the logic circuit to
cover the degraded voltage trip input to the non-interruptible air
supply system isolation logic, the degraded voltage trip input to the
bus feeder breaker position, and the alternative automatic closure
circuits for the EDG output breakers. The licensee further determined
that the 480 volt load shed logic had not been fully tested.
On September 9, 1994, the licensee identified additional
surveillance deficiencies and expanded the investigation of its
surveillance procedures for EDGs and I&C overlap testing. During this
investigation, the licensee determined that (1) multiple pathways for
starting an EDG through the emergency core cooling system (ECCS) logic
were not being tested, (2) emergency equipment cooling water (EECW)
actuation from the load sequencer was not being differentiated from
EECW actuation on reactor building closed cooling water low pressure,
and (3) test acceptance criteria permitted performance outside of the
TS limits.
On November 30, 1994, the licensee identified several other test
deficiencies in its surveillance procedures. These deficiencies were
related to the core spray system, RHR system, reactor protection
system, safety relief valves, alternate rod insertion and main steam
isolation valve leakage control system logic, remote shutdown panel,
primary containment manual isolation valves, and alternate shutdown
panel transfer switches.
To address the above deficiencies, the licensee has taken the
following corrective actions: (1) reviewed deficient
procedures and performed required surveillance to establish
operability, (2) reviewed similar procedures to identify other
deficiencies, (3) created electrical overlap drawings, and (4) trained
authors and technical reviewers of procedures to be fully aware of
logic surveillance requirements. The NRC staff issued a notice of
violation to Detroit Edison Company concerning the above issue (NRC
Inspection Report No. 50-341/94-12).
Discussion
A number of NRC regulations document the requirements to test
safety-related systems to ensure that they will function as designed
when called upon. For example, Title 10 of the Code of Federal
Regulations (10 CFR), Section 50.36, ``Technical Specifications,''
paragraph (c)(3) states that, ``surveillance requirements are
requirements relating to test, calibration or inspection to assure that
the necessary quality of systems and components is maintained, that
facility operation will be within the safety limits, and that the
limiting conditions of operation will be met.'' Surveillance
requirements to assure continued operability of safety-related logic
circuits have been included in the plant-specific technical
specifications for all operating nuclear power plants.
Other documents that provide a basis for these requirements
include:
10 CFR 50.55a, ``Codes and Standards,'' paragraph (h)
which includes reference to Institute of Electrical and Electronic
Engineers (IEEE) Standard 279, ``Criteria for Protection Systems for
Nuclear Power Generating Stations''
Appendix A to 10 CFR 50, General Design Criterion (GDC)
21, ``Protection System for Reliability and Testability''
Appendix A to 10 CFR 50, General Design Criterion (GDC)
18, ``Inspection and Testing of Electric Power Systems''
Appendix B to 10 CFR 50, Criterion XI, ``Test Control''
Regulatory Guide (RG) 1.118, ``Periodic Testing of
Electric Power and Protection Systems''
RG 1.32, ``Criteria for Safety-Related Electric Power
Systems for Nuclear Power Plants''
As noted above, the NRC staff has issued a number of information
notices (identified in the ``Background'' section) that document
identified deficiencies in actuation logic surveillance test programs.
However, because of the number of more recently identified similar
deficiencies, the NRC staff has determined that licensees may not have
yet adequately addressed this issue and further action is necessary.
The NRC staff finds that the failure to adequately test safety-
related actuation logic circuitry is safety significant in that
inoperable essential electric components required for automatic
actuation of post-accident mitigation systems may be undetected for
extended periods. This is particularly true for the reactor protection
system, whose unavailability is shown in probabilistic risk assessments
to be a dominant contributor to potential core damage scenarios.
Undetected reactor protection system availability/reliability
degradation is also a potentially significant contributor to overall
risk. Unavailability of those circuits associated with automatic
emergency core cooling system (ECCS) actuation, especially in a loss-
of-offsite-power situation, is a lesser contributor to overall risk but
is important in ensuring post-accident recovery in accordance with
licensing bases. Failure to automatically actuate safety systems also
places the additional burden on the operators of having to manually
actuate required functions and thus increases the chance for operator
error.
The NRC staff notes that even in cases where surveillance testing
of the logic circuits has not been complete, it is likely that only
very small portions of the circuit have been omitted from the test.
Further, the NRC staff is not aware of instances of specifically
identified surveillance inadequacies that resulted in the
unavailability of the safety system when called on during an event.
Nevertheless, as indicated above, the NRC staff finds that compliance
with the plant-specific technical specifications is essential in order
to maintain the validity of the assumptions in the licensing basis
accident analyses. On the basis of the recent events, previously issued
INs, complexity of the logic, and contribution to the core damage
frequency, the NRC staff has further determined that licensees should
review their surveillance procedures for the reactor protection system,
EDG load shedding and sequencing, and actuation logic for the
engineered safety features systems to ensure that complete testing
is being performed as required by the technical
specifications.
Requested Actions
The NRC staff requests that all holders of operating licenses for
nuclear power reactors take the following actions:
(1) Compare electrical schematic drawings and logic diagrams for
the reactor protection system, EDG load shedding and sequencing and
actuation logic for the engineered safety features systems against
technical specification surveillance test procedures to ensure that all
portions of the logic circuitry, including the parallel logic,
interlocks, bypasses and inhibit circuits, are adequately covered in
the surveillance procedures. This review should also include relay
contacts, control switches, and other relevant electrical components
within these systems, utilized in the logic circuits.
(2) Modify the surveillance procedures as necessary for complete
testing to comply with the technical specifications. Additionally, the
licensee may request an amendment to the technical specifications if
relief from certain testing requirements can be justified.
It is requested that the completion of these actions not go beyond the
first refueling outage commencing 90 days after the issuance of this
generic letter.
Note: Some licensees may have already performed the requested
reviews and taken appropriate corrective actions. These licensees do
not need to perform any additional review unless modifications have
been made to the logic circuits for these systems. In these cases
the modifications should be reviewed.
Required Response
All addressees, including those who have already completed the
requested actions, are required to submit a written response to this
generic letter as follows:
(1) Within 60 days of the date of this generic letter, a written
response indicating whether or not the addressee will implement the
actions requested above. If the addressee intends to implement the
requested actions, submit a schedule for completing implementation. If
an addressee chooses not to take the requested actions, submit a
description of any proposed alternative course of action, the schedule
for completing the alternative course of action (if applicable), and
the safety basis for determining the acceptability of the planned
alternative course of action.
(2) Within 30 days of completion of the requested actions, a
response confirming completion.
Backfit Discussion
The actions requested in this generic letter are considered
backfits in accordance with NRC procedures. Because established
regulatory requirements exist but were not satisfied, these backfits
are necessary to bring the addressees into compliance with existing
requirements. Therefore, on the basis of 10 CFR 50.109(a)(4)(i), a full
backfit analysis was not performed.
An evaluation was performed in accordance with NRC procedures,
including a statement of the objectives of and reasons for the
requested actions and the basis for invoking the compliance exception.
Response to question ix in the CRGR review package contains this
evaluation.
Dated at Rockville, Maryland, this 15th day of May, 1995.
For the Nuclear Regulatory Commission.
Brian K. Grimes,
Director, Division of Project Support, Office of Nuclear Reactor
Regulation.
[FR Doc. 95-12468 Filed 5-19-95; 8:45 am]