UNITED STATES NUCLEAR REGULATORY COMMISSION
OFFICE OF NUCLEAR REACTOR REGULATION
WASHINGTON, D.C. 20555

March 17, 1994

Information Notice No. 94-20: COMMON-CAUSE FAILURES DUE TO INADEQUATE DESIGN CONTROL AND DEDICATION

Addressees

All holders of operating licenses or construction permits for nuclear power reactors.

Purpose

This information notice is being provided to alert addressees to potential common-cause failures resulting from inadequate design control and dedication measures implemented for the replacement of electro-mechanical relays with digital microprocessor-based relays. It is expected that recipients will review the information for applicability to their facilities and consider actions, as appropriate, to avoid similar problems. However, suggestions contained in this information notice do not constitute NRC requirements; therefore, no specific action or written response is required.

Description of Circumstances

A common-cause failure at the Beaver Valley Unit 2 Power Station rendered inoperable multiple trains of a system designed to mitigate the consequences of an accident. On November 4, 1993, during testing of the Train A, 2-1 emergency diesel generator (EDG) load sequencer, the sequencer failed to automatically load safety-related equipment onto the emergency bus. Two suspect relays were replaced and the surveillance test was successfully repeated. On November 6, 1993, during surveillance testing, the Train B, 2-2 EDG load sequencer failed to automatically load safety-related equipment onto the emergency bus. An NRC Augmented Inspection Team was sent to the site to review the circumstances surrounding these events (Inspection Report 50-412/93-81).

Discussion

The EDG load sequencers control the sequence in which safety-related equipment starts after the EDG restores power when normal power is lost on the emergency busses. Timer/relays are used to load the safety-related equipment in six discrete steps during a 1-minute period.
The same type of timer/relay is also used to reset the diesel generator load sequencer if a safety injection or a containment isolation Phase B signal is received. Resetting the load sequencer allows necessary emergency core cooling system equipment to be loaded. The load sequencers originally used electro-mechanical timer/relays to generate the timed steps and sequencer reset function. The electro-mechanical timer/relays were replaced with microprocessor-based timer/relays during the second refueling outage, in November 1990. Each train of the load sequencer has eight Model 365A digital microprocessor-based timer/relays manufactured by Automatic Timer Controls Inc. The timer/relays were purchased as commercial-grade items and dedicated for safety-related service.

A review of these events indicated that the microprocessor-based timer/relay failed as a result of the voltage spikes that were generated by the auxiliary relay coil controlled by the timer/relay. The voltage spikes, also referred to as "inductive kicks," were generated when the timer/relay time-delay contacts interrupted the current to the auxiliary relay coil. These spikes then arced across the timer/relay contacts. This arcing, in conjunction with the inductance and wiring capacitance, generated fast electrical noise transients called "arc showering" (electromagnetic interference). The peak voltage noise transient changes as a function of the breakdown voltage of the contact gap, which changes as the contacts move apart and/or bounce. These noise transients caused the microprocessor in the timer/relay to fail. The failure of the microprocessor-based timer/relay caused the time-delay contacts to reclose shortly after they had properly opened as part of the load sequencer operation. Closing the time-delay contact locked out (deenergized) the load sequencer master relay and prevented the load sequencer from operating.
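The notice attributes the failure to the inductive kick and arc showering that follow the interruption of an auxiliary relay coil, and reports diodes across the coils as the corrective action. The following worked example is added here and is not part of the NRC notice or the licensee's analysis: it models one constructed auxiliary relay coil (the inductance, coil resistance, supply voltage, stray wiring capacitance and diode forward drop are all assumed values) to show why an unsuppressed coil interruption can push kilovolts across the contact gap, why a diode across the coil limits the coil's reversal to one forward drop, and what the diode costs in dropout delay.

```python
"""Illustrative model, added for this notice and not part of the NRC's analysis,
of the inductive kick a timer/relay contact sees when it interrupts an energized
auxiliary relay coil, with and without a suppression diode across the coil.
Every component value below is constructed for illustration."""
import math


def stored_energy_j(inductance_h: float, current_a: float) -> float:
    """Magnetic energy in the coil at the instant the contact opens: E = L*I^2/2."""
    return 0.5 * inductance_h * current_a ** 2


def unsuppressed_peak_voltage(inductance_h: float, stray_capacitance_f: float,
                              current_a: float) -> float:
    """Lossless upper bound on the unsuppressed flyback voltage: if the contact gap
    holds off, the coil energy rings into the stray wiring capacitance, so
    L*I^2/2 = C*V^2/2 and V_peak = I*sqrt(L/C)."""
    return current_a * math.sqrt(inductance_h / stray_capacitance_f)


def simulate_ring_peak(inductance_h: float, coil_resistance_ohm: float,
                       stray_capacitance_f: float, current_a: float,
                       dt_s: float = 1e-7, steps: int = 5000) -> float:
    """Semi-implicit Euler time-stepping of the coil / stray-capacitance loop after
    the contact opens with no diode:  L di/dt = -v - R i,  C dv/dt = i.
    Returns the peak voltage across the stray capacitance, i.e. the voltage that
    appears across the freshly opened contact gap. Coil resistance damps it a few
    percent below the lossless bound."""
    i, v, peak = current_a, 0.0, 0.0
    for _ in range(steps):
        i += dt_s * (-v - coil_resistance_ohm * i) / inductance_h
        v += dt_s * i / stray_capacitance_f
        peak = max(peak, abs(v))
    return peak


def diode_clamped_voltage(diode_forward_v: float) -> float:
    """With a diode across the coil, the coil voltage can reverse only by one forward
    drop: the stored energy is dissipated in the coil resistance instead of being
    dumped into the contact gap."""
    return diode_forward_v


def diode_decay_time_s(inductance_h: float, coil_resistance_ohm: float,
                       fraction: float = 0.05) -> float:
    """Time for the coil current to decay to `fraction` of its initial value through
    the diode loop: I(t) = I0*exp(-R t / L). This is the price of the diode: the
    auxiliary relay drops out more slowly, which the design review must accept."""
    return (inductance_h / coil_resistance_ohm) * math.log(1.0 / fraction)


def compare(inductance_h: float = 2.0, coil_resistance_ohm: float = 2000.0,
            supply_v: float = 125.0, stray_capacitance_f: float = 1e-9,
            diode_forward_v: float = 0.7) -> dict:
    """Contact stress with and without a diode for one constructed (hypothetical)
    125 VDC auxiliary relay coil drawing supply_v / R at steady state."""
    i0 = supply_v / coil_resistance_ohm
    return {
        "coil_current_a": i0,
        "stored_energy_j": stored_energy_j(inductance_h, i0),
        "no_diode_bound_v": unsuppressed_peak_voltage(inductance_h, stray_capacitance_f, i0),
        "no_diode_simulated_v": simulate_ring_peak(inductance_h, coil_resistance_ohm,
                                                   stray_capacitance_f, i0),
        "with_diode_coil_reversal_v": diode_clamped_voltage(diode_forward_v),
        "with_diode_dropout_delay_s": diode_decay_time_s(inductance_h, coil_resistance_ohm),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name:28s} {value:.4g}")
```

Running the block with its default (constructed) values gives a lossless bound of about 2.8 kV across the contact and a simulated, lightly damped peak near 2.7 kV, against a 0.7 V coil reversal once a diode is fitted; the same coil then takes about 3 ms to drop out. The point for a design review of a digital replacement part is that the stress on the contacts, and the electromagnetic interference it produces, is set by the circuit the part is wired into, not by the part's own rating.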
To correct the identified problem, the licensee installed diodes across the auxiliary relay coils to suppress the voltage spike that had caused the microprocessor-based timer/relay failure. This modification was confirmed to correct the problem through successful testing of the EDG load sequencer.

The design control for the selection and review for suitability of the microprocessor timer/relays for this application was not adequate. The modification design data did not identify the potential for voltage spiking by the auxiliary relays and translate that potential into electromagnetic interference requirements for the equipment purchase specification and the dedication testing specification. As a result of inadequate design control, a common-cause failure mechanism was introduced into the diesel generator load sequencers.

This event highlights the need to ensure proper design control activities when replacing discrete component electrical or electro-mechanical devices with digital microprocessor-based electronic devices. Specifically, the event shows that safety-significant, common-mode failures can occur when the design review does not ensure that the digital, microprocessor-based replacement equipment is compatible for the specific application and service environment.

This information notice requires no specific action or written response. If you have any questions about the information in this notice, please contact one of the technical contacts listed below or the appropriate Office of Nuclear Reactor Regulation (NRR) project manager.

/s/'d by BKGrimes
Brian K. Grimes, Director
Division of Operating Reactor Support
Office of Nuclear Reactor Regulation

Technical contacts:
John Calvert, RI
(610) 337-5194

Eric Lee, NRR
(301) 504-3201

Attachment: List of Recently Issued NRC Information Notices