Text

Part 4 of 4 - Westinghouse Advanced Course R-504P
	ML023030334
Person / Time
Site:	Beaver Valley
Issue date:	09/19/2002
From:	; Westinghouse
To:	; Office of Nuclear Reactor Regulation
References
	FOIA/PA-2002-0343
	Download: ML023030334 (157)
	v • d • e

Westinghouse Technology Advanced Manual Section 4.11 Risk Management

Westinghouse Technology Advanced Manual Risk Management Westinghouse Technology Advanced Manual Risk Management TABLE OF CONTENTS 4.11 RISK MANAGEMENT ........................................ 4.11-1 4.11.1 Introduction ........................................... 4.11-1 4.11.2 H istory ........................................ ...... 4.11-1 4.11.2.1 Deterministic Analysis ............................ 4.11-1 4.11.2.2 Probabilistic Risk Assessment ....................... 4.11-2 4.11.2.3 Severe Accident Policy ............................ 4.11-4 4.11.3 Risk-Based Regulation .................................... 4.11-6 4.11.4 PRA Policy Statement and Implementation Plan ................... 4.11-8 4.11.4.1 Risk Management .................... 4.11-9 4.11.4.2 Configuration Management ............. 4.11-10 4.11.4.3 On-Line Maintenance ................. .4.11-10 4.11.4.4 Maintenance Rule ................... 4.11-11 4.11.4.5 Inspection of Configuration Management .... 4.11-14 4.11.5 Summary S............................................ 4.11-15 4.11.6 References ................................. 4.11-16 LIST OF TABLES 4.11-1 Insights from Review of Plant IPEs ................................. 4.11-19 USNRC Technical Training Center 4.11-i Rev 0396

-1 Westinghouse Technology Advanced Manual Risk ha3nsb a -+

WestnghuseTecholoy Avancd Mnua R~d M~~rnmU, Ik LIST OF FIGURES 4.11-1 Deterministic Analysis ....................................... 4.11-21 4.11-2 Probabilistic Risk Assessment .................................. 4.11-23 4.11-3 Elements of PRA .......................................... 4.11-25 4.11-4 Historical Perspective ....................................... 4.11-27 4.11-5 Major Contributors to Core Damage by Accident Types ................. 4.11-29 4.11-6 Relative Importance Factors for BWR Systems ...................... 4.11-31 4.11-7 Relative Importance Factors for PWR Systems ....................... 4.11-33 4.11-8 Risk-Based Regulation ....................................... 4.11-35 4.11-9 PRA Policy Statement ....................................... 4.11-37 4.11-10 PRA Implementation Plan ..................................... 4.11-39 4.11-11 Risk and Configuration Management - Definitions .................... 4.11-41 4.11-12 Risk M anagement Factors ..................................... 4.11-43 4.11-13 Maintenance Rule - Objectives .................................. 4.11-45 4.11-14 M aintenance Rule - Scope ..................................... 4.11-47 4.11-15 Configuration Risk Monitoring Methods ........................... 4.11-49 4.11-16 Preventive Maintenance Equipment Out-of-Service Matrix ............... 4.11-51 4.11-17 Risk Monitoring ............................................ 4.11-53 4.11-18 Risk M onitoring Predictive .................................... 4.11-55 4.11-19 Risk Profile for Allowed Outage Time Determination ................... 4.11-57 ATTACHMENTS NRC Inspection Report Nos. 50-334/94-24 and 50-412/94-25 ......... 4.11-59 USNRC Technical Training Center 4.11-ii Rev 0396

Westinghouse Technology Advanced Manual Risk Management Westinghouse Technology Advanced Manual Risk Management 4.11 RISK MANAGEMENT reduce risk and to ensure safety. This section discusses the major regulatory and industry Learning Objectives: actions that have been or are being incorporated to address operational and accident risk manage

1. Describe what is meant by the term "defense ment in nuclear power plants.

in depth," and explain how nuclear power plants have been designed to incorporate this 4.11.2 History concept.

4.11.2.1 Deterministic Analysis

2. Describe how probabilistic risk assessments (PRAs) of nuclear power plants can comple Nuclear power plants in the U. S. have been ment deterministic analyses. designed and constructed in accordance with deterministic analyses. Deterministic analyses

3. Define the term "configuration management," involve standard good engineering practices, and explain why configuration management calculations, and judgements; and in the case of is necessary in managing risk at nuclear nuclear power plants, design bases which include power plants. the assumption .of worst-case conditions for accident analyses. Examples of these worst-case

4. Describe methods that are used by nuclear conditions include the assumptions of an initial utilities to incorporate risk insights into reactor power of greater than 100%, restrictive maintenance planning. power distributions within the core, conservative engineering factors, the minimum-required

5. Describe how PRA results are used by the accident mitigation equipment available, and pipe NRC for risk-based regulation. breaks of all possible sizes.

4.11.1 Introduction In a large nuclear generating station with a core output rated at over 3000 MW thermal, Nuclear power plants in the U.S. have been about six pounds of fission products are pro designed and constructed in accordance with duced each day that the unit is operated at full deterministic analyses. The design bases of each power. To protect the public from these fission nuclear unit are documented in its Final Safety products during normal and accident situations, a Analysis Report (FSAR), which is updated "defense in depth," or multiple levels of assur yearly as the Updated Safety Analysis Report ance and safety, exists to minimize risk to the (USAR). Nuclear power plant operation, includ public from nuclear power plant operation.

ing maintenance and surveillance of safety-related equipment, is controlled and restricted by techni -A multiple, barrier concept was used in cal specification requirements. designing and building nuclear units. The first barrier against fission product release is the fuel Throughout the history of commercial nuclear cladding. The fuel cladding is a cylindrical power, the regulatory agencies (the AEC and sheath that is designed to contain fuel pellets and Slater, the NRC) and the nuclear industry have fission products during normal and abnormal continued to research and implement new and/or transients. The second barrier, if isolated, is the better methods of operating, maintaining, testing, reactor coolant pressure boundary. This barrier and analyzing nuclear plants and equipment to is designed to withstand high pressures and Rev 1)396 ° USNRC Technical Training Center 4.11-1 Rev 0396

I Westinghouse Technolos, v Advanced Manual Risk Management Westn~huse Adance MaualRisk echolo~ Manatement temperatures. The thickness of this barrier varies acceptance criteria following an accident. Redun 1m the reactor vessel tickness of several inches dant pumps, valves, instrument sensors, instru

,he steam generator tube thickness of less than ment strings, and logic devices are required to one-tenth of an inch. Since the reactor coolant ensure that no single failure will prevent at least pressure boundary surrounds the first barrier, it one of these trains from performing its intended should contain any fission products which escape function.

from the cladding. The containment (reactor building) provides the final barrier. There are All engineered safety feature systems must be many approved containment designs; each physically separated so that a catastrophic failure contains the reactor coolant system and consti of one systeff will not prevent another engi tutes a barrier to the release of radioactivity to the neered safety feature system from performing its public. These barriers and the protection against intended function. Electrical power to the engi the loss of each barriei are requiied by the Code neered safety features comes from the transmis of Federal Regulations. sion grid via transformers, breakers and busses.

Redundant diesel generators are normally the Engineered safety features (ESFs) are provid standby power supply.

ed in nuclear power plants to mitigate the conse quences of reactor plant accidents. Sections of ESF systems are designed to remain func the General Design Criteria in'Appendix A of 10 tional if a safe shutdown earthquake occurs and CFR, Part 50 require that specific systems be are thus designated as Seismic Category I. The provided to serve as ESF systems. Containment reactor coolant pressure boundary, reactor core systems, a residual heat removal (RHR) system, and vessel internals, and systems or portions of emergency core cooling systems. (ECCSs), systems that are required for emergency core containment heat removal systems, containment cooling, post-accident containment heat removal, atmosphere cleanup systems, and certain cooling and post-accident containment atmosphere water systems are typical of the systems required cleanup are designed to Seismic Category I to be provided as ESF systems. Each of the ESF requirements. ESF systems are also designed to systems is designed to withstand a single failure include diversity. "Diversity" refers to different without the loss of its protective functions during methods of providing the same safety protection or following an accide nt condition. However, or function.. Two systems which illustrate this single failure is limited to either an active diversity are the containment fan cooler system failure during the injection phase following an and the contaihiment spray system. Each of these accident, or an active or a passive failure during systems is designed to lower the pressure inside the recirculation phase. Most accident analyzes the containrient following a steam break or a loss assume the loss of offsite power. This loss of of coolant accident inside the containment.

offsite power is considered in addition to the "single active failure." 4.11.2.2 Probabilistic Risk Assessment The engineered safety features which contain A PRA is an engineering tool used to quanti active components are designed with two inde fy the risk to a facility. Risk is defined as the pendent trains. Examples of systems'e'nploying likelihood and consequences of rare events at this design feature are- the ECCSs, in which nuclear power plants. These events are generally either train can satisfy 'all the' requiiements to referred to as severe accidents. The PRA aug safely shut down the plant -61meet the final ments traditional deterministic engineering 4.11-2 Rev 0396 USNRC Technical Center Training Center Technical Training 4.11-2 Rev 0396

Westinghouse Technology Advanced Manual Risk Management WestinEbouse TechnoloEy Advanced Manual Risk Management analyses by providing quantitative measures of variety of accident types are important; (4) safety and thus a means of addressing the relative design-basis accidents are not dominant contribu significance of issues in relation to plant safety. tors to risk; and (5) significant differences in Basically, a nuclear power plant PRA answers containment designs are important to risk. The three questions: basic PRA approach developed by the RSS is still used today.

0 What can go wrong? Because the RSS was the first broad-scale 0 How likely is it? application of event- and fault-tree methods to a 0 What are the consequences? system as complex as a nuclear power plant, it was one of the more controversial documents in Probabilistic risk assessment is a the history of reactor safety. The RSS also multidisciplinary approach employing various analyzed conditions beyond the design basis and methods, including system reliability, contain attempted to quantify risk. A group called the ment response modeling, and fission release and Lewis Committee performed a peer review of the public consequence analyses, as depicted graphi RSS and published a report, NUREG/CR-0400, cally in Figure 4.11-3. A PRA treats the entire to the NRC three years later to describe the plant and its constituent systems in an integrated effects of the RSS results on the regulatory fashion, and thus subtle interrelationships can be process. The report concluded that although the discovered that are important to risk. Another RSS had some flaws and that PRA had not been important attribute of probabilistic risk assess formally used in the licensing process, PRA ment is that it involves analyses of both single methods were the best available and should be and multiple failures. Multiple failures often lead used to assist in the allocation of the limited to situations beyond the plant design basis and, resources available for the improvement of in some cases, are more likely than single fail safety.

ures. By addressing multiple failures, a PRA can cover a broad spectrum of potential accidents at a The 1979 accident at Three Mile Island (TMI) plant. substantially changed the character of the NRC's regulatory approach. The accident revealed that The first comprehensive development and perhaps nuclear reactors might not be safe application of PRA techniques in the commercial enough and that new policies and approaches nuclear power industry was the NRC-sponsored were required. Based on comments and recom "Reactor Safety Study" (RSS). The principal mendations from the Kemeny and Rogovin objective of the RSS was to quantify the risk to investigations of the TMI accident, a substantial the public from U.S. commercial nuclear power program to research - severe accident plants. The RSS analyzed both a BWR (Peach phenomenology was initiated (i.e., those acci Bottom) and a PWR (Surry). The report of the dents beyond the design basis which could result RSS results, generally referred to as WASH in core damage). It was also recommended that 1400, was published in October of 1975. The PRA be used more by the staff to complement its results of the study can be summarized as fol traditional, non-probabilistic methods of analyz lows: (1) risks from nuclear power plant opera ing nuclear plant safety. Rogovin also suggested tion are small as compared to non-nuclear haz in a report to the Commissioners and the public, ards; (2) the frequencies of core melt accidents NUREG/CR-1250,- that the NRC policy on are higher than previously thought (calculated to severe accidents consider (1) more severe acci be approximately 5 X 10-5 per reactor year); (3) a dents in the licensing process and (2)

Rev Ui9b USNRC Technical Training Center 4.11-3 Rev 0396

-1 Westinghouse Technology Advanced Manual Westnghuse Adance MaualRisk echolog b

Manavement probabilistic safety goals to help define what is process has aided licensees in determin an acceptable level of plant safety. ing which design modifications are desirable from both risk-reduction and In late 1980, the NRC sponsored a current cost-benefit standpoints for the improve assessment of severe accident risks for five ment of plant safety. PRA results have commercial nuclear power plants' in a report more recently been used by licensees in called "Severe Accident Risks: An Assessment enforcement discussions and in support for Five U.S. Nuclear Power Plants," NUREG of technical specification change requests.

1150. This report included an update of the RSS risk assessments of Surry and Peach Bottom and 4. PRAs have pointed out some general provided the latest NRC version of the state of differences with respect to BWRs and the art in PRA models, methods, and approach PWRs as classes of plants. For example, es. NUREG-1 150 states that for BWRs, the principal initiating event contributors to A summary of the insights gained from early core damage frequency are station black risk assessments are as follows: outs (SBOs) and anticipated transients without scram (ATWSs); for PWRs, the

1. As illustrated by the NUREG-1150 principal contributors to core damage results and early! plant PRAs, the PRAs frequency' are LOCAs. NUREG-1 150 reflect details of plant sysiems, operations also states that the core damage frequen and physical layouts. Since nuclear cies for PWRs are higher than those for power plants in the U.S. are not stan BWRs, because BWRs have more dardized, the PRA results are very plant redundant 'methods of supplying water to specific. Reactor design, equipment, the reactor coolant system. However, location, and operation (power levels, PWRs have lower probabilities of early testing and maintenance, operator actions) containment failure given a core-damage have large impacts on the results. There sequence, since PWR containments are fore, in detail, the results can differ larger and can withstand higher pressures significantly from plant to plant. than BWR containments.

2. Even with the differences in the detailed 4.11.2.3 Severe Accident Policy results between plant studies, PRAs can be used for some generic applications as In August of 1985, the NRC issued the listed in NUREG-1050. Some examples "Policy Statement on Severe Accidents Regard are: ing Future Designs and Existing Plants" that introduced the Commission's plan to address

"* Regulatory activity prioritization, severe accident issues for existing commercial

"* Safety issue evaluation, nuclear power plants. The stated policy was that

"* Resource allocation, the public should be subject to no undue risk

"* Inspection program implementation, from the operation of commercial nuclear reac and tors. A year later, in August of 1986, the NRC

"* NRC policy development. established' both qualitative and quantitative safety goals for the nuclear industry. The quali

3. Using PRA in the decision- making tative safety goals are as follows:

Center 4.11-4 Rev 0396 Technical Training USNRC Technical USNRC Training Center 4.11-4 Rev 0396

Westinghouse Technology Advanced Manual Risk Management Westinghouse Technology Advanced Manual Risk Management

" Individual members of the public should be However, because of arbitrary assumptions provided a level of protection from the in calculations, uncertainties in PRA analyses, consequences of nuclear power plant opera and gaps in equipment reliability data bases, the tion such that individuals bear no significant safety goals are not definitive requirements, but additional risk to life and health. serve as aiming points or numerical benchmarks.

" Societal risks to life and health from nuclear In addition, it should be noted that the goals power plant operation should be comparable apply to the industry as a whole and not to to or less than the risks of generating electric individual plants. The safety goals are not in and ity by viable competing technologies and of themselves meant to serve as the sole bases for should not be significant additions to other licensing decisions. However, when information societal risks. is available that is applicable to a specific licens ing decision, it is to be considered as one factor The corresponding quantitative safety goals in the licensing.

are:

Implementation of the NRC plan to address

" The risk to the average individual in the severe accident risk included development of vicinity of a nuclear power plant of prompt plant-specific examinations that would reveal fatalities that might result from a reactor vulnerabilities to severe accidents and cost accident should not exceed one-tenth of one effective safety improvements that would reduce percent of the sum of prompt fatality risks or eliminate the important vulnerabilities. In resulting from other accidents to which Generic Letter 88-20 dated November 23, 1988, members of the U.S. population are generally all utilities with licensed nuclear power plants exposed. were requested to perform such examinations.

The specific objectives for these individual plant

" The risk to the population near a nuclear examinations (IPEs) are for each utility to:

power plant of cancer fatalities that might result from nuclear power plant operation "* Develop an overall appreciation of severe should not exceed one-tenth of one percent of accident behavior, the sum of cancer fatality risks resulting from all other causes. "* Understand the most likely severe accident sequences that could occur at its plant, The average accident fatality rate in the U.S.

is approximately 5 X 10-4 per individual per " Gain a more quantitative understanding of the year, so the quantitative value for the first goal is overall probability of core damage and 5 X 10-7 per individual per year. The "vicinity of radioactive material releases, and a nuclear power plant" is defined to be the area within one mile of the plant site boundary. The " If necessary, reduce the overall probability of average U.S. cancer fatality rate is approximately core damage and radioactive material release 2 X 10-3 per year, so the quantitative value for by appropriate modifications to procedures the second goal is 2 X 10-6 per average individu and hardware that would help prevent or al per year. The "population near a nuclear mitigate severe accidents.

N power plant" is defined as the population within 10 miles of the plant site. Many of the IPEs submitted to the NRC have 4.11-5 Rev 0396 USNRC USNRC Technical Center Training Center Technical Training 4.11-5 Rev 0396

Westinghouse Technology Advanced, Manual Risk Management Westinghouse TechnoIoy Advanced, Manual Risk Manaenient identified unique and/or important safety fea ministic system and engineering analyses to tures. Table 4.11-1 includes a list of insights focus licensee and regulatory attention on issues obtained through analysis of 72 IPEs (25 BWRs commensurate with their importance to safety.

and 47 PWRs) covering 106 commercial nuclear units (35 BWRs and 71 PWRs). The items in Examples of uses of risk insights for risk the list indicate vulnerabilities identified during based regulation include the prioritization of the IPE process at various plants and modifica generic safety issues, evaluation of regulatory tions that may have been made to plant equipment requirements, assessment of design or operation or procedures to reduce the vulnerabilities and al adequacy, evaluation of improved safety hence, the calculated core damage frequencies. features, prioritizing inspection activities, evalua tion of events, and evaluation of technical specifi Risk- and reliability-based methods can be cation revision requests and enforcement issues.

used for evaluating allowed outage times, sched uled or preventive maintenance, action statements Using risk- and reliability-based methods to requiring shutdown where shutdown risk may be improve technical specifications and other regula substantial, surveillance test intervals, and tory requirements has gained wide interest analyses of plant configurations resulting from because they can:

outages of systems or components. Because of the limitations in thie IPE process such as arbi " Quantitatively evaluate risk impacts and trary assumptions in calculations, uncertainties in justify changes in requirements based on PRA analyses, and gips in equipment ireliability objective risk arguments, and data bases, the insights identified in and of themselves do not require iny action by the "* Provide a defensible bases for improved individual licensee, btit'provide information on requirements for regulatory applications.

where vulnerabilities exist in its plant.

Caution must be applied when using the 4.11.3 Risk-Based Regulation results of risk assessments, however, because of the limitations of PRA methodology. The plant's Technical specification requirements for initial PRA (and/or IPE) is a snapshot of the plant nuclear power plants define the limiting condi at the time the plant configuration and data were tions for operationd (LCOs)' and surveillance collected and analyzed. The analyses must be requirements (SRs) to assire safety during revised as modifications are made to the plant operation. In general, these requirements are design, operating methods, procedures, etc., to based on deterministic analyses and engineering maintain the risk assessment results current. In judgements. Experiences with all modes of plant addition, a'PRA model is not a complete or operation indicate thai some elements of the accurate model of the plant during all modes of requirements are unnecessarily restrictive, while operation. For example, for PWRs, the removal a few may not be conducive to safety. Improv of both boric acid makeup pumps from service is ing these requirements involves many consider not very risky during mode I operations; howev ations and is facilitated by the availability of er, these pumps are very importanit when the plant-specific IPEs and' the development of achievemeni of the required shutdown margin in related methods for analy'sis. Risk-based regula mode 5 is considered. Other limitations of PRAs tion is a regulatory approach in which insights include the uncertainties in the equipment failure fronm PRAs are used in combination with deter- data bases, the level of understanding of physical 4.11-6 Rev 0396 Technical Training USNRC Technical Center Training Center 4.11-6 Rev 0396

Westinghouse Technology Advanced Manual Risk Management Westinghouse Technology Advanced Manual Risk Manaaement processes, the uncertainties in quantifying human would be maintained, and to have procedures reliability, the sensitivity of results to analytical addressing station blackout events. The rule assumptions, and modeling constraints. allows utilities several design alternatives to ensure that an operating plant can safely shut Quantitative risk estimates have played an down in the event that all ac power is lost.

important role in addressing and resolving One alternative is the installation of a full regulatory issues including: capacity alternate ac power source that is capable of powering at least one complete set

" Anticipated transient without scram: Risk of normal safe shutdown loads.

assessments contributed to development of the ATWS rule, 10CFR50.62, which re Backfits: There are many cases where PRAs quires all PWRs to have equipment diverse have been used to support the backfit deci and independent from the reactor protection sion process. For example, after the TMI system for auxiliary feedwater initiation and accident several TMI action plan issues turbine trip, requires all CE and B&W PWRs evolved. Consumers Power performed a and BWRs to have a diverse scram system, PRA of the Big Rock Point nuclear plant to provides functional requirements for the assist in identifying those TMI generated standby liquid control systems of BWRs, and changes which might actually have an impact requires that BWRs have equipment for on the risk at the plant. As a result, Consum automatically tripping reactor coolant recircu ers Power was able to negotiate exemptions lation pumps. on seven issues which did not significantly lower risk at Big Rock Point, saving over

" Auxiliary feedwater (AFW) system reliability: $45 million. In addition, Consumers Power The NRC has reviewed information provided used the PRA to identify changes necessary on auxiliary feedwater systems in safety to reduce the core damage frequency at Big analysis reports. As part of each review, the Rock Point to an acceptable level. The cost of NRC assures that an AFW system reliability a change is generally considered to be the analysis has been performed. The Standard dollar cost associated with design, licensing, Review Plan states that an acceptable AFW implementation, operation and maintenance.

system should have an unreliability in the Sometimes the cost of replacement power is range of 10-4 to 10-5. Compensating factors included for a backfit requiring a plant such as other methods of accomplishing the shutdown to implement. The benefit of the safety functions of the AFW system or other change is the reduction in risk if the change is reliable methods for cooling the reactor core implemented. The most cost-effective change during abnormal conditions may be consid provides the most improvement in safety for ered to justify a larger unavailability of an the least cost. This type of cost-benefit AFW system. analysis was done extensively during the ATWS rule-making process.

Station blackout (loss of all ac power): Risk assessments contributed to development of Risk-based inspections: A PRA provides the blackout rule, 10CFR50.63, which information on dominant accident sequences requires licensees to determine a plant and their minimal cut sets. This information specific station blackout duration, during has already been used to design the risk which core cooling and containment intergrity based portions of some plant-specific inspec-4.11-7 Rev 0396 USNRC Technical Training Center Center 4.11-7 Rev 0396

L_

Westinghouse Technology Advanced Manual Westnghuse Adance MaualRisk echolog Manavement tion programs. Inspection programs can be by:

prioritized to address the minimization of hardware challenges, the assurance of hard "* Allowing consideration of a broader set of ware availability, and the effectiveness of potential challenges to safety, plant staff actions as they relate to the sys "* Providing a: logical means for prioritizing tems and faults included in the dominant these challenges based on risk significance, accident sequences. A PRA supports the and assessment of a plant change by providing a "* Allowing consideration of a broader set of quantitative measure of the relative level of resources to defend against these challenges.

safety associated with the change. This is accomplished by performinr sensitivity In August of 1995, the NRC issued the studies. A sensitivity study is a study of how "Policy Statement on the Use of Probabilistic different assumptions, configurations, data or Risk Assessment Methods in Nuclear Regulatory other potential changes in the basis of the Activities." The overall objectives of the policy PRA impact the results. statement are to improve the regulatory process through improved risk-informed safety decision The NRC staff is expected to use PRA results making, through more efficient use of staff to assist in prioritizing regulatory activities, and resources, through a reduction in unnecessary plant inspectors are expected to use IPE results to burdens on licensees, and through the strength prioritize inspection activities. The inspectors ening of regulatory requirements. The policy should be alert for situations which constitute statement contains the following elements regard near misses. That is, the inspector needs to ing the expanded NRC use of PRA:

recognize those events that come close to accident sequences. Recognizing the significance of " Increased use of PRA in reactor regulatory events at the plant is especially important for matters should be implemented to the extent those related to sequences initiated by an ATWS supported by the state of the art in PRA or an intersystem LOCA, whichi can have severe methods and data' and in a manner that consequences. Finally, the NRC staff will be complements the NRC's deterministic ap involved in more and more discussions in which proach and supports the NRC's traditional PRA results are used or misused to justify a defense-in-depth philosophy.

particular action'or inaction.' Thierefore, .it is imp6rtant that the staff be familiar with the types " PRA should be used to reduce unnecessary of information that a PRA provides and that the conservatism associated with current regula staff can use PRA informationi accurately in tory requirements. Where appropriate, PRA discussions and decisions. should be used to support additional regulato ry requirements.

4.11.4 PRA Policy Statement and Implementation Plan " PRA evaluations in support of regulatory decisions should be as realistic as possible, Deterministic approaches to regulation and appropriate supporting data should be consider a set of challenges'to -safety and deter publicly available.

mine how those challenges 'should be mitigated.

A probabilistic approach to regulation enhances "* Uncertainties in PRA evaluations need to be and extends the traditional deterministic approach considered in applying the Commission's 4.11-8 Rev 0396 USNRC Technical USNRC Training Center Technical Training Center 4.11-8 Rey 0396

Westinghouse Technology Advanced Manual Risk Management Westinghouse Technology Advanced Manual Risk Management safety goals for nuclear power plants. 1. To support plant operations, mainte nance, inspection, and planning activities; An agency-wide plan has been developed to and implement the PRA policy statement. The scope 2. To provide information regarding chang of the PRA implementation plan includes reactor es to improve plant safety and reliability.

regulation, reactor safety research, analysis and evaluation of operational experience, staff train A plant's PRA can be used during all modes ing, nuclear material, and low and high level of plant operation to prioritize operations and waste regulations. The plan provides mecha maintenance resources to maintain safety at nisms for monitoring programs and management acceptable levels. This is accomplished, in part, oversight of PRA-related activities. The plan by periodically updating the PRA results to keep includes both ongoing and new PRA-related current with plant configuration and component activities. The following are PRA-related regula failure data. Importance measures can be used to tory activities that are underway within the NRC: indicate where preventive actions would be most beneficial and what is most important to maintain

"* Graded quality assurance, at acceptable safety levels. Based on the updated

"* The maintenance rule, results, adjustments in plant activities and design

"* In-service inspection and testing, can be made, as appropriate, to maintain the

"* The IPE insights program, desired level of safety as indicated by the results

"* PRA training for the staff, and of the PRA.

"* The reliability data rule.

The PRA supports plant activities by provid 4.11.4.1 Risk Management ing information on the risk-significant areas in plant operation, maintenance, and design.

Risk management is a means of prioritizing Operations, maintenance, inspection, and plan resources and concerns to control the level of ning personnel can then appropriately address safety. As discussed above, the NRC's and these areas to control the risk at acceptable levels.

nuclear industry's use of risk analyses have shown that: The risk-significant areas are identified by the results of the PRA. These areas are where the

"* The risk from nuclear power plant operation most attention and effort should be focused.

is generally low, Several useful PRA results are (1) dominant

"* Low cost improvements can sometimes have contributors (these indicate which failures are the significant safety and economic benefits, and largest contributors to the likelihood of accident

"* Subtle design and operational differences sequences), (2) dominant accident sequences make it difficult to generalize dominant risk (these depict the failure paths that contribute most contributors from plant to plant or for a class to core damage frequency), and (3) importance of plants. measures (these evaluate what contributes most to core damage, what would reduce the core Because each nuclear power plant is essen damage frequency the most, and what has the tially unique, the most powerful use of the PRA greatest potential for increasing core damage is as a plant-specific tool. PRAs can be used in frequency should it not be as reliable as desired).

two basic ways: The major contributors to core damage by acci dent type for the NUREG-1 150 PWR and BWR USNRC Technical Training Center 4.11-9 Rev 0396

Westinghouse Technology Advanced Manual Risk Managzement Westinghouse Technolo2y Advanced Manual Risk Management plants are shown in Figure 4.11-5, and the and systems, and outage frequencies.

relative importance of BWR and PWR systems from NUREG-1050 are shown in Figures 4.11-6 4.11.4.3 On-Line Maintenance and 4.11-7.

Licensees are increasing the amount and PRA results can be used in many ways frequency of maintenance performed during during planning and olerational activities at a power operation. Licensees' expansion of the nuclear plant. The results have an important role on-line maintenance concept without thorough in risk management, maintenance planning, and consideration of the safety (risk) aspects raises risk-based inspections. significant concerns. The on-line maintenance concept extends the use of technical specification 4.11.4.2 Configuration Management allowed outage times beyond the random single failure in a system and a judgement of a reason Configuration management is one element of able time to effect repairs upon which the allowed risk management and risk-based regulation. outage times were based. Compliance with GDC Configuration risk refers to the risk associated single failure criteria is demonstrated during plant with a specific configuratiori of the plant. A licensing by assuming a worst-case single configuration usually refers to the status of a failure, which often results in multiple equipment plant in which multiple components are simulta failures. This does not imply that it is acceptable neously unavailable. The risk associated with to voluntarily remove equipment from service to simultaneous outages of multiple components can perform on-line maintenance on the assumption be much larger than that associated with single that such actions are bounded by a worst-case component outages. Technicai specifications single failure.

forbid outages of redundant trains within a safety system, but many other combinations of compo A simplified qualitative model (shown nent outages can pose significant risk. In con graphically in Figure 4.11-12) for evaluating risk trolling operational risk, these configurations can be thought of as including three factors need to be analyzed. The configuration manage combined in the following way:

ment process can be predictive in planning maintenance activities and 6utage schedules, and Risk = Pi x Pm x Pc can be retrospective in evaluating the risk signifi cance of plant events.

Where:

When a component is taken out of service for maintenance or surveillance, it has ani associated P, =. The probability of an initiating event, downtime and risk. If the component is con such as a LOCA, turbine trip, or loss trolled by an allowed outage time in the Technical of offsite power.

specifications, then this dowvntime is limited by the allowed outage time. Configurition manage PM= The probability of not being able to ment involves taking measures to avoid risk mitigate the event, with core damage significant configurations. It involves managing prevention as the measure of success multiple *equipment taken out of service at the ful mitigation.

same time, the outage times of compn'onents and systems, the availability of backup components 4.11-10 Rev 0396 USNRC USNRC Technical Training Center Technical Training Center 4.11-10 Rev 0396

Westinghouse Technology Advanced Manual Risk Management Westinghouse Technology Advanced Manual Risk Management Pc = The probability of not being able to concept of division or train outages to ensure that mitigate the consequences, with they do not have a loss of system function. In containment integrity preservation as the extreme, this could result in all of the equip the measure of success. ment in a division being out of service at a time with unexamined risk consequences, while the The intersection of all three occurrences licensee is in literal compliance with its plant's (initiating event occurs + mitigating equipment technical specifications. For example, one fails + containment fails) indicates a worst-case facility that used a division or train approach had scenario, with core melt and subsequent radioac planned to take out of service the following tive release to the public (a Chernobyl-type event, equipment: the B AFW pump, the B Battery for example). The intersection of the initiating charger, the B service water pump, the B RHR pump, and the B charging pump. -Because event and mitigating equipment failure would be redundant train equipment was available, no LCO a TMI-type event, in which there is core melt was exceeded. However, in the event of a without a release. If the consequence of an event is defined as financial loss (a viable definition), design-basis transient,; such 'as a loss of offsite one would have to say that this intersection power precipitated by maintenance or instrumen represents a serious scenario itself. Even consid tation calibration activities associated with non ering the traditional definition of consequence safety-related equipment in the switchyard, the plant would be in a configuration with significant (potential for core melt), the intersection of an risk implications due to the diminished capability initiating event and mitigating equipment failure to remove decay heat at a high pressure. This is is of concern to the utility and to the NRC.

an example of maintenance simultaneously increasing the probability of an initiating event, in An effective risk-assessment process includes this case the loss of offsite power, and diminish consideration of the impact of maintenance ing the plant's capability to mitigate the event.

activities on all three of these risk factors. It also considers the impact of maintenance activities on There is a clear link between effective mainte both safety-related and non-safety-related equip nance and safety with regard to such issues as the ment. Multiple or single maintenance activities number of plant transients -and challenges to that simultaneously, or within a short time frame, safety systems and the associated need to maxi impact two or more risk factors tend to increase mize the operability, availability, and reliability of risk the greatest. In addition, on-line mainte equipment important to safety. In many cases, nance tends to increase component the only plant changes needed to reduce the unavailabilities. With increased scheduling of probability of core damage are procedure chang maintenance during power operation, the overall es. An example at one plant included staggering impact on train unavailability, when averaged the quarterly tests of the station batteries to over a year, has in many cases increased dramati reduce the probability of common-cause failures cally and in some cases to the point of invalidat of the dc power supplies.

ing the assumptions licensees themselves have made in their plant-specific IPEs.

4.11.4.4 Maintenance Rule Licensees may not have thoroughly consid The maintenance rule, 10CFR50.65, be ered the safety (risk) aspects of doing more on comes effective in July of 1996. One objective line maintenance. Some licensees have used the of the rule is to monitor the effectiveness of USNRC Technical Training Center 4.11-11 Rev 0396

Westinghouse Technology Advanced Manual Westnghuse Adance MaualRisk echolo~ b Minnaopmnt maintenance activities at, the plants for safety The rule requires that licensees monitor the significant plant equipment in order to minimize performance or condition of certain structures, the likelihood of failures and events caused by systems and components (SSCs) against licens the lack of effective maintenance. Another ee-established goals in a manner sufficient to objective of the rule is to ensure that safety is not provide reasonable assurance that those SSCs degraded when maintenance activities are per will be capable of performing their intended func formed. The rule requires all nuclear power plant tions. Such monitoring would take into account licensees to monitor the effectiveness of mainte industry-wide operating experience. The extent nance activities at their plants. The rule provides of monitoring may vary from system to system, for continued emphasis on the defense-in-depth depending on the contribution to risk. Some principle by including selected balance-of-plant monitoring at the component level may be neces (BOP) structures, systems, and components sary; most of the monitoring could be done at the (SSCs); integrates risk consideration into the plant, system, or train level. Monitoring is not maintenance process; establishes an enhanced required where it has been demonstrated that regulatory basis for inspection and enforcement an appropriate preventive maintenance program is of BOP maintenance-related issues; and gives a effectively maintaining the performance of an strengthened regulatory basis for ensuring that SSC. Each licensee is required to evaluate the the progress achieved is sustained in the future. overall effectiveness of its maintenance activities The maintenance rule is' a -results-oriented, at least every refueling cycle, again taking into perfoirmance-based rule. A resiults-oi'iented rule account industry-wide operating experience, and places a,greater burden on the licensee to develop to adjust its programs where necessary to ensure the supporting details needed to implement the that the prevention of failures is appropriately rule, as opposed to that necessary for compliance balanced with the minimization of unavailability with a traditional prescriptive, process-oriented of SSCs. Finally, in performing monitoring and regulation. maintenance activities, licensees should assess the total plant equipment that is out of service and The maintenance rule consists of three parts: determine the overall effect on the performance of (1) goals and monitoring, (2) effective preventive safety functions.

maintenance, and (3) periodic evaluations and safety assessments.' The scope of the rule In June of 1995, the NRC published a report includes safety-related' structures, systems, and (NUREG-1526, "Lessons Learned from Early components that are relied upon to remain func Implementation of the Maintenance Rule at Nine tional during and following design-basis events Nuclear Power Plants") which documents to ensure reactor coolant pressure boundary methods, strengths, and weaknesses found with integrity, reactor shutdown' capability, and the the implementation of the rule at nine plant sites.

capability to prevent or mitigate the'consequences These licensees implemented the rule. using the of a~cidents, and those non-safety-related SSCs guidance in NUMARC 93-01, "Industry Guide (1) that are relied upon to mitigate accidents or line for Monitoring the Effectiveness of Mainte tr insients or are used in emergency operating nance at Nuclear Power Plants," which the NRC piocedures; (EOPs), (2) whose failure could has endorsed in Regulatory Guide 1.160. Most prevent safety-related SSCs from fulfilling their licensees were thorough in determining which intended functions, or (3) whose failure could SSCs are within the scope of the rule. Some cause a scram or safety system actuation. licensees incorrectly failed to classify a few non safety-related systems as being within the scope 4.11-12 Rev 0396 USNRC Training Center Technical Training USNRC Technical Center 4.11-12 Rev 0396

Westinghouse Technology Advanced Manual Risk Management Westinghouse TechnoIoy Advanced Manual Risk Mana2ement of the rule. These systems included control room criteria, taking into account performance history, annunciators, circulating water systems, reactor preventive maintenance activities, and out-of coolant pump vibration monitoring systems, service times when developing the performance extraction steam systems, condenser air removal criteria. SSCs rendered unavailable because of systems, screen wash water systems, generator preventive maintenance can be trended and gas systems, and turbine lubricating oil systems. evaluated, and adjustments can be made where necessary to balance the unavailability with The rule requires that reliability goals be reliability. In addition, the risk contribution established commensurate with safety (risk). In associated with the unavailability of the system determining which SSCs are risk significant, the caused by preventive maintenance activities and typical licensee uses an expert panel consisting of the risk contribution associated with the reliability a multidisciplinary team of PRA, operations, and of the SSC can be calculated and then used to systems experts in a working group format. The evaluate adjustments needed to balance the panel uses deterministic and operational experi contribution from each source to ensure consis ence information to complement PRA or IPE tency with PRA or IPE evaluations. A fourth insights (importance measures) to establish the method involves using the PRA to determine relative risk significance of SSCs. The risk values for unavailability and reliability which, if determination is then used when setting goals and met, would ensure that certain threshold core monitoring as required by the rule. The rule damage frequency values would not be exceeded, requires that appropriate corrective action shall be and then establish performance criteria in accor taken when the performance or condition of an dance with the resulting unavailability and SSC does not meet established goals. Many reliability values.

licensees have assigned the task of determining the root cause and developing corrective action to The rule requires that when performing the responsible system engineer at the site; at monitoring and preventive maintenance activities, some sites the expert panel participates in the an assessment of the total plant equipment that is process. The relative risk significance of SSCs out of service should be considered to determine must be reevaluated based on new information, the overall effect on performance of safety design changes, and plant modifications. functions. As expected by the results- or perfor mance-oriented nature of the rule, various meth The rule addresses preventive maintenance ods are being developed and implemented by activities in the following manner: "adjustments licensees to fulfill this requirement. One method shall be made where necessary to ensure that the is a matrix approach, which involves listing objective of preventing failures of [SSCs] preanalyzed configurations to supplement exist through maintenance is appropriately balanced ing procedural guidance for voluntary on-line against the objective of minimizing the effect of maintenance. The list of preanalyzed configura monitoring or preventive maintenance on the tions is developed using importance measures to availability of [SSCs]." In other words, the rank configurations according to risk. The unavailability of SSCs must be balanced with equipment out-of-service matrix includes their reliability. Various methods are being preanalyzed combinations of out-of-service implemented by licensees to perform these equipment. A multilevel approach is then used to evaluations. For example, unavailability and either (1) permit the concurrent activities, (2) reliability can be evaluated and balanced as an require further evaluation, or (3) forbid the integral part of monitoring against performance performance of the activities in parallel. A simpli-4.11-13 Rev 039bo Technical Training Center USNRC Technical Center 4.11-13 Rev 0396

I Westinghouse Technology Advanced Manual Risk Man*oprnpnt Westnghuse Adance MaualRisk echolog Manaivement fied example of an equipment out-of-service then the configuration is not allowed.

matrix is shown in Figure 4.11-16. Although the matrix approach is simple to use, it defines a Some licensees have implemented or are limited number of combinations and may not considering computer-based safety (risk) moni address all operational situations and may unnec tors that will-calculate and display the risk chang essarily limit operational flexibility. es associated with changes in plant configuration.

Maintenance planners using the system in the Another method of monitoring the safety predictive mode, or operators using the system (risk) impact of plant configuration involves on-line in real time, would be required by plant using the plant IPE to evaluate the changes in the procedures to take predetermined actions and/or core damage frequency resulting from equipment initiate further evaluations based on the magni outages. In Figure 4.11-17, the core damage tude of any indicated increase in risk (decrease in freoiuency was calculated, for each day, based on safety margin) due to a change in plant configura tl plant configuration, that existed at the time, tion or operating condition. In order for this type and plotted against time. This plant actually of system to be used for other than full power operated during the charted time period more operating conditions, development and imple conservatively than in its IPE, since the time mentation of PRA models for shutdown plant averaged core damage frequency, based on the conditions would be necessary.

actual plant configurations, was lower than the core damage frequency cal6ulated in accordance 4.11.4.5 Inspection of Configuration with the IPE methodology. The "spikes" in core Management damage frequency correspond to periods of more risk-intensive configurations. Using this method The processes used by the licensees to in the predictive mode, the analysis of changes in schedule and:plah on-line maintenance should the core damage frequency would be done during ensure that maintenance and testing schedules are the maintenance planning and scheduling pro appropriately modified to account for degraded or cess. The maintenance schedule would be adjust inoperable equipment. The following are exam ed to minimize significant spikes in the core ples of questions that should help to determine damage frequency. Figure 4.11-18 is a similar the operations/maintenance level of familiarity example from a different plant. This type of with the process employed by a licensee in configuration control analysis is also being used managing its scheduled maintenance activities.

at some foreign plants as the basis for risk-based When planning on-line maintenance:

technical specifications. In Figure 4.11-19, the magnitude of the' projected increase in core "* Does the licensee take probabilistic risk damage frequency determines the amount of time insights into account?

the plant is allowed to be in the analyzed configu "* Does the licensee allow multiple train outag ration. For example, if the calculated increase in es?

core damage frequency is a factor of 10 or less "* How does the licensee take into account aboVe the baseline, the allowed duration in that component and system dependencies?

configuration is 30 days; if the calkulated increase "* How does the licensee assure that important is between a factor of 10 and a factor of 30 above combinations of equipment needed for the baseline, the allowed duration is 3 days. If accident mitigation are not unavailable at the the calculated increase in core damage frequency same time?

is greater than a factor of 30 above the baseline, "* By what process does the licensee determine Center 4.11- 14 Rev 0396 USNRC Technical Training Center Technical Training 4.11-14 Rey 0396

Westinghouse Technology Advanced Manual Risk Management Westinghouse Technology Advanced Manual Risk Management the procedures and testing to emphasize in that the technical specifications allow certain minimizing component unavailability and configurations of plant equipment involving reducing the potential for accident or transient auxiliary feedwater pumps and high head initiation, including the impact of mainte safety injection pumps that could potentially nance activities involving non-safety-related place the plant in an unanalyzed condition.

equipment?

" How does the licensee determine the maxi This report illustrates how rigorous imple mum amount of time to allow for the mainte mentation of risk-based inspection techniques nance and how does it determine the risk and insights with regard to the plant's configura associated with the decision? tion management and on-line maintenance prac

" At any given time, how much planned tices can identify and resolve safety-significant maintenance is in progress and how is it issues, thereby reducing risk and improving coordinated to minimize risk? safety.

" Are there occurrences of scheduled mainte nance activities that simultaneously, or within 4.11.5 Summary a short period of time, impact two or more of the risk factors discussed in section Deterministic approaches to regulation 4.11.4.3? consider a set of challenges to safety and deter mine how those challenges should be mitigated.

Specific guidance and inspection require A probabilistic approach to regulation enhances ments for maintenance activities can be found in and extends the traditional deterministic approach the NRC Inspection Manual, chapter 62700. by (1) allowing consideration of a broader set of Attachment I contains an example of an inspec potential challenges to safety, (2) providing a tion report that includes various items related to logical means for prioritizing these challenges the inspection of risk and configuration manage based on risk significance, and (3) allowing ment: consideration of a broader set of resources to defend against these challenges.

" IPE results were used to focus the inspectors' attention on the emergency switchgear Licensees are increasing the amount and ventilation, the loss of which was identified frequency of maintenance performed during by the IPE as the initiator of the top-ranked power operation. Licensees' expansion of the sequence contributing to core damage fre on-line maintenance concept without thoroughly quency (cover letter, Notice of Violation, and considering the safety (risk) aspects raises section 3.1.2 of the inspection report). significant concerns. The maintenance rule is being implemented to ensure that safety is not

" The associated violation regarding the white degraded during the performance of maintenance control power light for the emergency activities. The rule requires all nuclear power switchgear ventilation fans was cited against plant licensees to monitor the effectiveness of 10CFR50, Appendix B, Criterion XVI, maintenance activities.

"Corrective Actions." After July, 1996, this type of violation could be cited against the The attached inspection report's content maintenance rule, 10CFR50.65. reinforces some of the concepts discussed in this section, such as risk-informed inspections (using

" Section 4.4 of the report discusses the fact IPE results to prioritize inspection activities - see

4. 11-1 Rev U3Yb USNRC Technical Training Center Training Center 4.11-15 Rev 0396

Westirighouse Technology Advanced Manual Westri~huseTecholoy Adancd MaualRisk ¶!uiauýmpn t,

section 3.1.2 of the inspection report) and 1150, U.S. Nuclear Regulatory Commis maintenance rule applications (same section, sion, June 1989.

which discusses maintenance trending, etc), and plant configurations which are allowed by the 9. "Individual Plant Examination for Severe technical specifications but put the plant in an Accident Vulnerabilities," Generic Letter No.

undesirable (unsafe/unanalyzed) condition (see 88-20, U.S. Nuclear Regulatory Commis section 4.4 of the inspection report). sion, Washington, DC, November 1988.

4.11.6 References 10. "Fundamentals of PRA," Idaho National Engineering Laboratory, Idaho Falls, ID,

1. "Reactor Safety Study - An Assessment of January 1990.

Accident Risks in U.S. Commercial Nuclear Power Plants" (WASH-1400), NUREG 11."Analysis of Core Damage Frequency:

75/014, U.S. Nuclear Regulatory Commis Internal Events Methodology," NUREG/CR sion, Washington, DC, October 1975. 4550, Vol. 1, Rev. 1, SAND86-2048, Sandia National Laboratories, Albuquerque,

2. "Risk Assessment Review Group Report to NM, January 1990.

the U.S. Nuclear Regulatory Commission,"

NUREG/CR-0400, September 1978. 12."Fault Tree Handbook," NUREG-0492, U.S. Nuclear Regulatory Commission,

3. "Report of the President's Commission on Washington, DC, January 1981.

the Accident at Three Mile Island," J.G.

Kemeny et al., October 1979. 13. "Evaluation of Station Blackout Accidents at Nuclear Power Plants - Technical Findings

4. "Three Mile Island - A Report to the Com Related to Unresolved Safety Issue A-44,"

missioners and to the Public," NUREG/CR NUREG-1032, U.S. Nuclear Regulatory 1250, Vol. 1, January 1980. Commission, Washington, DC, June 1988.

5. "Interim Reliability Evaluation Program 14. "Anticipated Transients Without Scram for Procedures Guide," NUREG/CR-2728, Light Water Reactors," NUREG- 0480, Vol.

U.S. Nuclear Regulatory Commission, 1, U.S. Nuclear Regulatory Commission, Washington, DC, January 1983. Washington, DC, April 1978.

6. "PRA Procedures Guide," NUREG/CR 15. "Study of the Value and Impact of Alternative 2300, U.S. Nuclear Regulatory Commis Decay Heat Removal Concepts for Light sion, Washington, DC, January 1983. Water Reactors," NUREG/CR-2883, Vol.

1,2,3, U.S. Nuclear Regulatory Commis

7. "Probabilistic Risk Assessment Reference sion, Washington, DC, June 1985.

Document," NUREG-1050, U.S. Nuclear Regulatory Commission, Washington, DC, 16. "PRA Applications Program for Inspection at September 1984. ANO-1," NUREG/CR-5058, U.S. Nuclear Regulatory' Commission, Washington, DC,

8. "Severe Accident Risks: An Assessment for March 1988.

Five U.S. Nuclear Power Plants," NUREG-4.11-16 Rev 0396 USNRC USNRC Technical Training Center Technical Training Center 4.11-16 Rev 0396

Westinghouse Technology Advanced Manual Risk Management Westinghouse Technology Advanced Manual Risk Management

17. "Insights on Plant Specific Unique and/or Important to Safety Features Identified from 72 IPEs for 106 BWR and PWR Units,"

U.S. Nuclear Regulatory Commission, Washington, DC, July 1995.

18."Handbook of Methods for Risk-Based Analyses of Technical Specifications,"

NUREG/CR-6141, December 1994.

19. "Lessons Learned from Early Implementation of The Maintenance Rule at Nine Nuclear Power Plants," NUREG-1526, U.S. Nuclear Regulatory Commission, Washington, DC, June 1995.

20. "Individuil Plant Examination: Submittal Guidance," NUREG-1335, U.S. Nuclear Regulatory Commission, Washington, DC, August 1989.

21. "Perspectives on Reactor Safety," NUREG CR-6042, SAND93-0971, Sandia National Laboratories, Albuquerque, NM, March 1994.

22. NRC Inspection Report Nos. 50-334/94-24 and 50-412/94-25, November 1994.

4.11-17 Rev 0396 Center USNRC Technical Training Center 4.11-17 Rev 0396

Westinghouse Technology Advanced Manual Risk Management Westinghouse Technology Advanced Manual Risk Management TABLE 4.11 -1 INSIGHTS FROM REVIEW OF PLAN'~T IPEs Insight Description Applicability Additional Nitrogen A backup nitrogen supply can usually reduce BWR and PWR Supply calculated core damage frequency (CDF) caused by loss of pneumatic power supply to important plant components such as safety/relief valves and main steam isolation valves inside containment.

Gas Turbine Genera Gas turbines can be an alternate ac power source tors to keep the plant functioning during a station BWR and PWR blackout (SBO) or loss of offsite power (LOSP) during which even the emergency diesel genera tors (DGs) fail to start.

Containment Venting Containment venting can prevent core damage BWR Capability and provide containment overpressure protection under certain severe accident scenarios. Loss of containment heat removal has been identified in many BWR PRAs as a significant contributor to CDF. A hardened vent provides a means of removing heat from the containment, indepen dent of the RHR and plant service water sys tems.

Additional Diesel Increased redundancy and diversity in electrical BWR and PWR Generators power supply systems substantially reduces the likelihood of certain accident events. Several IPEs identified the need to perform maintenance and testing of the DGs on a separate schedule using different personnel, and the need for operators to be thoroughly trained in its use.

Bleed and Feed Most PWRs have bleed and feed (once-through PWR core cooling) capability. Bleed and feed requires high pressure injection pump(s) and PORVs.

____________________________ 1 ____________

4.11-lY Key tJ.IYO USNRC Technical Training Center Center 4.11-19 Rev 0396

Deterministic Analysis

Standard good engineering practices, calculations, and judgements Defense-In-Depth

"* Multiple fission product barriers

"* Redundancy

"* Diversity

"* Single Failure Criteria

"* Worst Case Assumptions Figure 4.11-1 Deterministic Analysis 4.11-21

Probabilistic Risk Assessment

"* What can go wrong?

"* Likelihood?

"* Consequences?

Results

"* Dominant Contributors

"* Dominant Accident Sequences

"* Importance Measures Figure 4.11-2 Probabilistic Risk Assessment 4.11-23

Level 1 Level 2 Level 3 F--

Event Tree r

,, aa Ar al ai

[

Tree i

a a

, a , -F i a Releae Categories 10E-1 Valve I LOCA s FC FA FAC FD 1OE-2

'r anJenht1 1 vav] Vale "~,Valve -1$ý oCfPower .... T L .......- lSI I 1OE-3

.TurbineTrtp * . I - I

Steam Bmak a a lOE-4 a a I Extemal Eventt

-r.arhquake i ! l . 10E-5

.ncicb~dng S ault Tree IOE-6 1OE-7 101E 10E3 10E5 U' Plant and Sstem Accident Release Description Design Data Initiators Co nsequences Figure 4.11-3 Elements of PRA 0o

History 1975 Reactor Safety Study (WASH-1400) 1980 Severe Accident Risks: An Assessment An Assessment for Five U.S. Nuclear Power Plants (NUREG-1150) 1985 Severe Accident Policy 1988 Individual Plant EHamination (IPE) Program (Generic Letter 88-20) 1993 Evaluation of Potential Severe Accidents During Low Power and Shutdown Operations (NUREG-6143)

Figure 4.11-4 Historical Perspective 4.11-27

1094 CO'.' -SEAL SGTR INT SYS STATION BLACKOUT LOCA ATWS INT SYS LOCA TRANSIENT STATION "SW-SEAL BLACKOUT LOCA SEQUOYAH ZION INS S LO TRANSIEN" STATION BLACKOUT SURRY LOCA TRANSII ATWS(

GRAND GULF PEACH BOTTOM Figure 4.11-5 Major Contributors To Core Damage By Accident Types 4.11-29

PWR I I I II11111 I I 111111 I I I 11111 SYSTEMS Maximum Minwnum Relative Relative a 0 AFWS Importance Importance 0p HPRS Averag Relative I

PCs Importance DC il HPIS ) I I-I CSIS sws po I P,

EMERGENCY AC

-L RHRS po I RPS t0 PORV LPRS 4 0 I

I LPSI ESAD 4 0 SUMP "1

I I I I I, , , , I I I II III I SI rII I I II0 10.3 10- 2 10-1 I Source Nufleg-1050 Relative Importance of PWR Systems considering dominant accident sequences from 15 PRAs (0O Figure 4.11-7 Relative Importance Factors

I I I I I I 'liii I I II I111111 11111 BWR I I I I I I II I SYSTEMS I I I III HII I I I 111111I 0

p SWS Maximum Minimum Relative Relative Importance Importance PCS Average RPS Relative Importance p0 HPCI

-I 0 LPCI Me 0 SIR-VALVE 0

EMERGENCY AC 0

.A ADS pd FEEDWATER SYS RHRS

- -0 I RCIC S 0 I DC POWER LPCS

-0 I I I 11111 l I I 11111 I I K l I I I I I I I I I I II I .....

10-2 10-1 1 10-3 Relative Importance of BWR Systems considering dominant accident sequences from 15 PRAs Source Nufleg-1050 0

Figure 4.11-6 Relative Importance Factors (D

Risk-Based Regulation A regulatory approach in which insights derived from PRA are used in combination with deterministic and engineering analyses to focus licensee and regulatory attention on issues commensurate with their importance to safety.

0 RTWS Rule ( OCFR58.62)

Auxiliary Feedwater System Reliability

Blackout Rule ( OCFR58.63)

Backfit ( 8CFR58.1 09)

Risk-Based Inspection Figure 4.11-8 Risk Based Regulation 4.11-35

PRA Policy Statement (August 16, 1 995)

Increased use of PRA in reactor regulatory matters should be implemented to the extent supported by state of the art in PRA methods and data and in a manner that complements the NRC's deterministic approach and supports the NRC's traditional defense-in-depth philosophy.

"* PRA should be used to reduce unnecessary conservatism associated with current regulatory requirements. Where appropriate, PRA should be used to support additional regulatory requirements.

"* PRA evaluations in support of regulatory decisions should be as realistic as possible and appropriate supporting data should be publicly available.

"* Uncertainties in PRA evaluations need to be considered in applying the Commission's safety goals for nuclear power plants.

Figure 4.11-9 PRA Policy Statement 4.11-37

PRA Implementation Plan

"* Agency-Wide Plan to Implement the PRA Policy Statement

"* Includes both on-going and new PRA related activities

"* Encourages risk-based initiatives from licensees PRA Applications

"* Graded Quality Assurance

"* Inservice Testing

"* Inservice Inspection

"* Technical Specifications

Maintenance Rule

IPE Insights

Reliability Data Rule (proposed)

Figure 4.11-10 PRA Implementation Plan 4.11-39

Risk Management R means of prioritizing resources and concerns to control the leuel of safety (risk).

Configuration Management Managing the configuration of plant systems to control the leuel of safety (risk).

Figure 4.11-11 Risk and Configuration Management - Definitions 4.11-41

0196-X RISK MANAGEMENT FACTORS Risk = Pi X Pm X Pc Figure 4.11-12 Risk Management Factors 4.11-43

Maintenance Rule (I OCFR58.65)

Effective July 1996 Overall objective of rule is to monitor the effectiveness of maintenance actiuities...for safety significant plant equipment...in order to minimize the likelihood...of failures and events...caused by the lack of effective maintenance.

"* Goals and Monitoring

"* Effective Preventive Maintenance

"* Periodic Evaluations and Safety Assessments.

Figure 4.11-13 Maintenance Rule - Objectives 4.11-45

Scope

Safety-related structures, systems, and components that are relied upon to remain functional during and following design basis events to ensure RCS pressure boundary integrity, reactor shutdown capability, safe shutdown capability, and the capability to prevent or mitigate the consequences of accidents

non-safety-related SSCs (1) that are relied upon to mitigate accidents or transients or are used in emergency operating procedures (EOPs),

(2) whose failure could prevent safety-related SSCs from fulfilling their intended functions, or (3) whose failure could cause a scram or safety system actuation.

Figure 4.11-14 Maintenance Rule - Scope 4.11-47

Configuration Risk Monitoring Methods 0 Matrix approach (pre-analyzed configurations)

COF impact analysis

Safety (risk) monitor Figure 4.11-15 Configuration Risk Monitoring Methods 4.11-49

IHPCI IRCIC lLPCI A LPCIB ICS A ICS B ALT INJ I BINJ COND BALT BSTR I MPMPS FWS PCOND MS ICHOR R HPCI RCIC LPCI A LPCI B 4 4 4. I CS A 1 4 4 4. I CS B IALT INJ II I S J. I I AI I

4 4. I 4 PM Not "TSLCO Or Very ALT INJ Allowed: <12 hrs High Risk B 4 I 4 Risk Eval Ops Mgr COND Reqd & OK Reqd BSTR 11 I 4 COND PMPS TSLCO<7 Or Medium Ops Mgr FW days Risk OK ReqdI PMPS STA BAT CHGR TS ICO >7 And Risk Ops Supv DG BAT days Low OK Reqd CHGR

J Figure 4.11-16 Preventive Maintenance Equipment Out-Of-Service Matrix 4.11-51

- - New CDF 1.001E-03 -- Baseline

-- IPE 0 New Average CDF I I I LL a0

-L (0 1.00E-04 -

oA

--L

-A*

4.40E l I I W IZT W 9 I 7- -------

0 2.60E-05 d TIL\I1 II 1 II IIII II

...... .i -4 1.60E-05 -->*

I Il11 II I III VI! ýIAII A I I1 I J m

n n i i . ... ..

I

1. f!A;RR:

l i i " " = * =

I ýJq !I

=-* ...........

RNTR

== 16..

IW P

2d 1A ..La.. .

...*I*I! ......

......... HH"Huu H !ill HiMM nMHH" c~o~O N ~ CO~ CD ICJ O CU) 0 (a Co) 0 Ný 00 D Ifm CJ0 N m 0

0196-X UNIT 2 INSTANTANEOUS RISK GRAPH 2.OOE-04 1.50E-04 M

G 1.OOE-04 cI FJ 0*

to E A 0

DF H 5.OOE-05 BC

'if' O.OOE+0O (A) Emergency Chilled Water Pump P162 Control Transformer Replacement (B) Train B Cold Leg Injection Valves 2HV9329/HV9323 Transformer Replacement (C) Train B Cold Leg Injection Valves 2HV9326/HV9332 Transformer Replacement (D) Diesel Generator 2G003 Annual Maintenance and HPSI 2P019 Preventive Maint.

(E) Diesel Generator 2G003 Annual Maintenance and SWC 2P1 14 Preventive Maint.

(F) AFW Pump P141 Preventive Maintenance (G) AFW Pump P141 Preventive Maintenance and PPS Testing (H) Diesel Generator 2G002 Annual Maintenance and SWC 2P1 12 Preventive Maint.

Core damage frequency (CDF) calculated for Mode 1 operations only.

Average CDF for 3 month period = 2.4E-05/yr.

Figure 4.11-18 Risk Monitoring Predictive 4.11-55

FOREIGN REACTOR RISK PROFILE 35 30 25 Cumulative Target Lifetime Cumulative Average (0

UI 12 Month Cumulative Average CD 20 CD 0 I,- -Point Actual s.1 CD 15

-Factor of 10 0

10

3 kUn 5

0 100 200 300 400 0

DAYS a

- NRC Inspection Report Nos. 50-334/94-24 AND 50-412/94-25 November 29, 1994 Mr. James E. Cross Senior Vice President Nuclear Power Division Duquesne Light Company Post Office Box 4 Shippingport, Pennsylvania 15077

SUBJECT:

NOTICE OF VIOLATION (NRC INSPECTION REPORT NOS. 50-334/94-24 AND 50-412/94-25)

Dear Mr. Cross:

This refers to the inspection conducted by Messrs. L. Rossbach, P. Sena, and S. Greenlee of this office from October 11 to November 14, 1994. The inspection included a review of activities at the Beaver Valley facility. At the conclusion of the inspection, the findings were discussed with Messrs.

G. Thomas, T. Noonan, and other members of your staff.

Areas examined during the inspection are identified in the report. The inspection consisted of interviews, observations, document reviews, and independent evaluations of activities important to public health and safety.

The purpose of the inspection was to determine whether activities authorized by the license were conducted safely and in accordance with NRC requirements.

Our inspection found that, overall, the activities observed were effective in assuring the safe operation of the Beaver Valley power plants. However, based on the results of this inspection, certain of your activities appeared to be in violation of NRC requirements as specified in the enclosed Notice of Violation (Notice). Specifically, a deficiency in the control circuitry for the Unit 2 emergency switchgear ventilation fans was not identified and corrected prior to NRC involvement, despite a history of related work requests. This is of concern for three reasons: First, your Unit 2 Individual Plant Examination (IPE) identified loss of emergency switchgear ventilation as the top ranked initiating sequence contributing to core damage frequency. Although this implies that deficiencies in this system could be of high safety significance, your staff most directly responsible for assuring the reliability of this system were not aware of the IPE rankings. Second, several work requests related to this circuit deficiency were worked in the past, but your staff did not identify the deficiency. Third, programs such as maintenance trending, problem reporting, and system engineering did not identify the recurring nature of this problem and the need for further follow up. We note that your staff has now corrected this circuit deficiency and been that staff in operations, maintenance, and system engineering have now cause to the root of informed of the IPE conclusions. However, your attention these concerns is requested.

You are required to respond to this letter and should follow the instructions your specified in the enclosed Notice when preparing your response. In response, you should document the specific actions taken and any additional to this actions you plan to prevent recurrence. After reviewing your response future Notice, including your proposed corrective actions and the results of

I inspections, the NRC will determine whether further NRC enforcement action is necessary to ensure compliance with NRC regulatory requirements.

In accordance with 10 CFR 2.790 of the NRC's "Rules of Practice," a copy of this letter, its enclosures, and your response will be placed in the NRC Public Document Room. Accordingly, your response should not, to the extent possible, include any personal privacy, proprietary, or safeguards information so that it can be released to the public and placed in the NRC Public Document Room.

The responses directed by this letter and the enclosed Notice are not subject to the clearance procedures of the Office of Management and Budget as required by the Paperwork Reduction Act of 1980, Pub. L. No. 96.511.

Your cooperation with us is appreciated.

Sincerely, Original Signed By:

James C. Linville, Chief Projects Branch No. 3 Division of Reactor Projects Docket Nos. 50-334; 50-412

Enclosures:

1. Notice of Violation

2. NRC Inspection Report Nos. 50-334/94-24 and 50-412/94-25 cc w/encls:

G. S. Thomas, Vice President, Nuclear Services T. P. Noonan, President, Nuclear Operations L. R. Freeland, General Manager, Nuclear Operations Unit K. D. Grada, Manager, Quality Services Unit N. R. Tonet, Manager, Nuclear Safety Department H. R. Caldwell, General Superintendent, Nuclear Operations K. Abraham, PAO (2 copies)

Public Document Room (PDR)

Local Public Document Room (LPDR)

Nuclear Safety Information Center (NSIC)

NRC Resident Inspector Commonwealth of Pennsylvania State of Ohio

ENCLOSURE 1 NOTICE OF VIOLATION Duquesne Light Company Docket Nos. 50-412 Beaver Valley Power Station, Unit 2 License Nos. NPF-73 During an NRC inspection conducted between October 11 and November 14, 1994, one violation of NRC requirements was identified. In accordance with the "General Statement of Policy and Procedure for NRC Enforcement Actions,"

10 CFR Part 2, Appendix C, the violation is listed below:

10 CFR Part 50, Appendix B, Criterion XVI, "Corrective Actions," states, in part, that measures shall be established to assure that conditions adverse to quality, such as failures, malfunctions, deficiencies, deviations, defective material and equipment, and non-conformances are promptly identified and corrected.

Contrary to the above, as of October 21, 1994, established measures did not assure that conditions adverse to quality were promptly identified and corrected. Specifically, the investigations of an unusually dim white control power light for emergency switchgear ventilation fans 2HVZ-FN261A on October 30, 1993, and 2HVZ-FN261B on September 24, 1994, failed to identify that the standby fan would not start if called upon following the loss of the running fan except when started by the emergency diesel sequencer. Equipment maintenance history was not used to identify that a trend of similar problem descriptions of a dim white control power light has existed since 1989.

This is a Severity Level IV violation (Supplement I).

Pursuant to the provisions of 10 CFR 2.201, Duquesne Light Company is hereby required to submit a written statement or explanation to the U.S. Nuclear Regulatory Commission, ATTN: Document Control Desk, Washington, D.C. 20555 with a copy to the Regional Administrator, Region I, and a copy to the NRC Resident Inspector at the facility that is the subject of this Notice, within 30 days of the date of the letter transmitting this Notice of Violation 94-25-01. This reply should be clearly marked as a "Reply to a Notice of Violation" and should include for each violation: (1) the reason for the violation, or, if contested, the basis for disputing the violation, (2) the corrective steps that have been taken and the results achieved, (3) the corrective steps that will be taken to avoid further violations, and (4) the date when full compliance will be achieved. If an adequate reply is not received within the time specified in this Notice, an order or a Demand for Information may be issued to show cause why the license should not be modified, suspended, or revoked, or why such other action as may be proper should not be taken. Where good cause is shown, consideration will be given to extending the response time.

Dates at King of Prussia. Pennsylvania this 221h day of November, 1994

U. S. NUCLEAR REGULATORY COMMISSION REGION I Report Nos. 94-24 94-25 Docket Nos. 50-334 50-412 License Nos. DPR-66 NPF-73 Licensee: Duquesne Light Company One Oxford Center 301 Grant Street Pittsburgh, PA 15279 Facility: Beaver Valley Power Station, Units 1 and 2 Location: Shippingport, Pennsylvania Inspection Period: October 11 - November 14, 1994 Inspectors: Lawrence W. Rossbach, Senior Resident Inspector Peter P. Sena, Resident Inspector Scot A. Greenlee, Resident Inspector Approved by: Date W. J. Lazarus, Chief Reactor Projects Section 3B Inspection Summary This inspection report documents the safety inspections conducted during day and backshift hours of station activities in the areas of: plant operations; maintenance and surveillance; engineering; and plant support.

EXECUTIVE

SUMMARY

Beaver Valley Power Station Report Nos. 50-334/94-24 & 50-412/94-25 Plant Operations Good operator performance was demonstrated during response to a loss of pressure in the control room temperature control air system, and to a blown fuse in the Unit 1 solid state protection system. Troubleshooting of a decrease in vacuum on the 2-1 emergency diesel generator was well planned and documented. Operators at Unit 1 demonstrated a-strong questioning attitude when they identified a potential relationship between an out-of-service quench spray pump and net positive suction head to the recirculation spray pumps.

However, the recirculation spray pumps were unnecessarily removed from service before it was determined that one quench spray pump will ensure adequate net positive suction head.

Maintenance An unusually dim control power light for emergency switchgear ventilation fans led to identification of a deficiency with the control circuitry.

Specifically, if the running fan was to fail for any reason, the standby fan could not auto-start or be manually started without first placing the failed fan control switch in "pull to lock" unless sequenced on by the emergency diesel sequencer. Previous troubleshooting efforts did not identify or correct this problem, and maintenance history trending was not used to identify the need for additional investigations of this control circuitry despite a history of work requests with a similar problem description.

Additionally, operations and maintenance personnel, and the system engineer, were unaware that the licensee's Individual Plant' Examination identified the loss of emergency switchgear ventilation as the top ranked initiating sequence contributing to core damage frequency. The failure to promptly identify the emergency switchgear ventilation control circuitry deficiency is a violation of 10 CFR 50, Appendix B, Criterion XVI, "Corrective Actions."

Operations personnel re-identified a previous deficiency associated with the SLCRS system that had not been repaired for almost three years. Good management attention has been subsequently focused on the timely repair of this deficiency. Test data showed that the system still would have performed its function. Corrective actions to address problems with the diesel speed sensing circuit and the rod control system were also appropriate.

Engineerin The licensee continued to demonstrate leadership in the nuclear industry through the identification of significant generic issues. Specifically, the licensee identified an AMSAC design deficiency which would have made the system inoperable if feedwater flow on one channel was outside its normal band, and issued a 10 CFR Part 21 notification concerning an anomaly with the test circuits on the Unit I solid state protection system. The AMSAC issue is still under evaluation for Part 21 applicability.

ii

(EXECUTIVE

SUMMARY

CONTINUED) in an Appropriate controls were not in place to prevent placing the plants unanalyzed condition if the steam driven auxiliary feedwater (AFW) pump is out were promptly put in place pending a of service. Appropriate controls found revision to the Technical Specifications. Additionally, the inspectors AFW the minimum that the emergency operating procedures (EOPs) did not reflect The flow required during small break loss of coolant accident conditions.

issue of AFW flow requirements for the EOPs is an unresolved item (50-334/94-24-02 and 50-412/94-25-02) pending further review by the NRC.

Plant Support Health physics and security programs continue to be effectively implemented.

this subject Improvements in plant housekeeping and management attention on have been noted.

iii

TABLE OF CONTENTS EXECUTIVE

SUMMARY

......................................................... ii TABLE OF CONTENTS ......................................................... iv 1.0 MAJOR FACILITY ACTIVITIES ........................................... 1 2.0 PLANT OPERATIONS (71707) ............................................. 1 2.1 Operational Safety Verification ...............................

2.2 Loss of Control Room Temperature Control Air Pressure ......... 2 2.3 Unit I Quench Spray Pump Maintenance ........................... 2 2.4 Operator Response to Unit 1 Solid State Protection System. 3 2.5 Unit 2 Emergency Diesel Generator Troubleshooting ............. 3 4

3.0 MAINTENANCE (62703, 61726, 71707) ................................... 4 3.1 Maintenance Observations ....................................... 5 3.1.1 Unit 2 Rod Control ....................................... 5 3.1.2 Unit 2 Emergency Switchgear Ventilation ................. 7 3.2. Surveillance Observations .....................................

3.2.1 Supplemental Leak Collection System (SLCRS) Duct 8 Damage at Unit 1 .........................................

3.2.2 Unit I Emergency Diesel Generator Speed Sensing 9 Circuit Failures .........................................

10 4.0 ENGINEERING (71707, 37551, 92903) ................................... 10 4.1 AMSAC Design Omission .........................................

4.2 Calibration of CREBAPS Pressure Switches (Unresolved Item 11 50-334/94-17-01) (closed) ..................................... 12 4.3 Solid State Protection System 10 CFR Part 21 (closed) ......... 12 4.4 Auxiliary Feedwater Flow Margin ...............................

13 5.0 PLANT SUPPORT (71750, 71707) ......................................... 13 5.1 Radiological Controls ......................................... 13 5.2 Security ....................................................... 14 5.3 Housekeeping ...................................................

14 6.0 ADMINISTRATIVE ....................................................... 14 6.1 Preliminary Inspection Findings Exit ...........................

6.2 Attendance at Exit Meetings Conducted by Region-Based 14 Inspectors ..................................................... 14 6.3 NRC Staff Activities ...........................................

iv

DETAILS 1.0 MAJOR FACILITY ACTIVITIES Both units operated at full power for the duration of the period.

2.0 PLANT OPERATIONS (71707) 2.1 Operational Safety Verification Using applicable drawings and check-off lists, the inspectors independently verified safety system operability by performing control panel and field walkdowns of the following systems: supplemental leak collection and release, control room ventilation, temperature control air pressurization, and emergency switchgear ventilation. The emergency switchgear ventilation walkdown was a semi-annual engineered safety system inspection and resulted in safety significant findings as described in Section 3.1.2. These systems were properly aligned. The inspectors observed plant operation and verified that the plant was operated safely and in accordance with licensee procedures and regulatory requirements. Regular tours were conducted of the following plant areas:

a Control Room Safeguards Areas

Auxiliary Buildings a Service Buildings 0 Switchgear Areas

Turbine Buildings 0 Access Control Points

Intake Structure

Protected Areas

Yard Areas

Spent Fuel Buildings

Containment Penetration Areas

Diesel Generator Buildings During the course of the inspection, discussions were conducted with operators concerning knowledge of recent changes to procedures, facility configuration, and plant conditions. The inspectors verified adherence to approved procedures for ongoing activities observed. Shift turnovers were witnessed and staffing requirements confirmed. The inspectors found that control room access was properly controlled and a professional atmosphere was maintained.

Inspectors' comments or questions resulting from these reviews were resolved by licensee personnel.

Control room instruments and plant computer indications were observed for correlation between channels and for conformance with technical specification (TS) requirements. Operability of engineered safety features, other safety related systems, and onsite and offsite power sources were verified. The inspectors observed various alarm conditions and confirmed that'operator with response was in accordance with plant operating procedures. Compliance of TS and implementation of appropriate action statements for equipment out entries service was inspected. Logs and records were reviewed to determine if records were accurate and identified equipment status or deficiencies. These included operating logs, turnover sheets, system safety tags, and the jumper the condition of various and lifted lead book. The inspectors also examined fire protection, meteorological, and seismic monitoring systems.

2 2.2 Loss of Control Room Temperature Control Air Pressure On November 14, 1994, at 3:25 p.m., the plant operators at Unit 1 received a control room temperature control air pressure low alarm. The air system pressure was found at 15 psig. Normal system pressure is between 50 and 70 psig. The alarm response procedure refers the operators to the control room emergency habitability system technical specification (3.7.7.1) and Updated Final Safety Analysis Report (UFSAR) Section 9.13.4 "Main Control Area."

After reviewing these references, the Shift Supervisor concluded that he could not be assured of operability of the Unit I control room supply and exhaust dampers. These dampers, VS-D-40-1A through D, have a flexible boot seal which provides for air-tight isolation of the control room during accident conditions. The control room temperature control air system supplies air to these seals. Consequently, at 4:10-p.m., it was identified that both Units I and 2 were required to enter Technical Specification 3.0.3, which requires action within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months to initiate plant shutdown. Both units were in Mode 1 and both units began preparations for plant shutdown. The operators determined that the loss of air pressure was due to-a stuck open automatic moisture blowdown valve. The valve was isolated and the low pressure alarm cleared at 4:27 p.m. The units exited Technical Specification 3.0.3 at 4:34 p.m. Neither unit progressed to the point of reducing power.

The inspectors reviewed this event and concluded that-the operators took appropriate response actions. The inspectors did note that the event indicated a potential single failure vulnerability in the safety-related control room temperature control air system. The vulnerability is "potential" because the damper seals have backup accumulators and isolation check valves which may allow the seals to work even with a loss of pressure in the rest of the system. However, the accumulators and the check valves are apparently not tested to ensure this capability. The licensee was still evaluating this failure vulnerability when the report period ended.

2.3 Unit 1 Quench Spray Pump Maintenance During a routine control room walkdown, the inspectors noted that the licensee had removed the Unit 1 'A' train recirculation spray and quench spray pumps from service. The pumps were taken out of service by a clearance for maintenance on the quench spray pump (oil leak repair). The inspectors asked why the recirculation spray pumps were included on the clearance. The inspectors found that'the night-shift crew had a concern about net positive suction head to the recirculation spray pumps when-removing a quench spray pump from service. Some of the flow from the quench spray pumps is diverted directly to the containment sump. This provides added cooling for the sump water to ensure adequate net positive suction head for the recirculation spray and low head safety injection pumps under all design basis conditions. The from night-shift operators were concerned that removing one quench spray pump might service, while leaving all the recirculation spray pumps in service, leave the opposite train recirculation spray pumps without sufficient net positive suction head.

3 The inspectors researched the operators' concern and found that -the analysis for containment sump net positive suction head adequately accounted for the loss of one quench spray pump. Additionally, the analysis document stated that the cooling water from the quench spray pumps was only needed under certain conditions, primarily large break loss of coolant accidents.

Consequently, taking the recirculation spray pumps out of service was not necessary. The licensee's Nuclear Safety Department confirmed this assertion shortly after the inspectors questioned the licensee's actions, and told the operators that the pumps should be placed back in service. The inspectors complemented the operators questioning attitude, but noted that their actions unnecessarily increased the risk of system failure during an accident.

Furthermore, the implications of taking multiple pieces of safety'equipment out of service at the same time must be carefully evaluated. The analysis for containment sump net positive suction head did not specifically address the condition of one quench spray pump and two recirculation spray-pumps out of service at the same time (without a low head pump out of service). The licensee has since determined that the analysis does bound the condition. The inspector's observations were discussed with the Unit 1 Operation Manager, who had already reached similar conclusions, and had discussed the issue'with the personnel involved.

2.4 Operator Response to Unit 1 Solid State Protection System The inspectors observed the operator response to a partial failure the Unit 1 solid state protection system (SSPS). The control room received simultaneous annunciators for reactor coolant pump IA undervoltage, underfrequency, breaker trip, turbine stop valve closure, and turbine auto-stop low oil pressure.

Operators immediately evaluated these annunciators and noted that normal operating parameters existed for the reactor coolant pump and main turbine and that the plant was in a safe condition. It was concluded that an off-normal condition existed with the SSPS and immediate assistance was provided by instrumentation and controls engineers. Subsequent troubleshooting activities are discussed in Section 3.1.

2.5 Unit 2 Emergency Diesel Generator Troubleshooting The 2-1 diesel generator has experienced a reduction of crankcase vacuum over the past several months from 1.1 to 0.8 inches water. Under normal conditions, the crankcase operates with a slight vacuum to prevent the buildup of flammable vapors. A positive pressure can result from the failure of the crankcase ventilation system or excessive combustion gases passing-the piston rings. Operations and maintenance personnel developed a troubleshooting plan to investigate this degrading trend. Through these efforts, it was identified that a flow restriction exists in the discharge line of the crankcase blower.

The licensee will continue to monitor crankcase pressure and plans on correcting this restriction during the upcoming refueling outage. The inspector found this to be acceptable, since there is no actual degradation of the diesel engine, a vacuum still exists, and there exists a safety-risk the associated with removing an operable diesel from service. Additionally, inspectors considered the troubleshooting efforts to be well planned and documented.

4 3.0 MAINTENANCE (62703, 61726, 71707) 3.1 Maintenance Observations The inspectors reviewed selected maintenance activities to assure that: the activity did not violate-Technical Specification Limiting Conditions for Operation and that redundant components were operable; required approvals and releases had been obtained prior to commencing work; procedures used for the task were adequate and. work,was within the skills of the trade; activities were accomplished by qualified personnel; radiological and fire prevention controls were adequate and implemented; QC hold points were established where required and observed;- and equipment was properly tested and returned to service.

The maintenance work requests (MWRs) listed below were observed and reviewed.

Unless otherwise indicated, the activities observed and reviewed were properly conducted.

MWR 035464 No. 2 EDG Jacket Water Pressure Alarm Troubleshoot and Repair See Section 3.2.2 of this report.

MWR 036230 Troubleshoot and Rep. SSPS Alarms On November 4, 1994, plant operators at Unit I received several intermittent alarms and indications associated with the solid-state protection system (SSPS). The intermittent nature of the alarms told;the. operators that the problem was associated with only one channel of the, SSPS (because of the multiplexing arrangement; a problem with only one-channel of the SSPS will cause the indications to-flash in and out). The problem was quickly isolated to a blown fuse in channel 1-of train 'B' in the SSPS. The inspectors observed the licensee's efforts to verify and replace the fuse. The inspectors observed excellent coordination between the operations and maintenance personnel. Part of the maintenance included removing power from the affected channel of the SSPS. This evolution was very thoroughly researched and briefed. The Unit I Operations Manager reminded everyone of the importance of'self-checking, and the pitfalls of haste. This was particularly appropriate since the plant entered a 6 hour6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months Technical Specification action statement.

MWR 036371 Troubleshoot and Repair SSPS Intermittent Alarms MWR 035759 Investigate Emergency Switchgear Ventilation Relay 162-HVZBB MWR 036084 Emergency Switchgear Ventilation Fan 2HVZ-FN261A Troubleshooting MWR 036084 Emergency Switchgear Ventilation Fan 2HVZ-FN261B Troubleshooting MWR 036447 Blocking Diode Installation Per DCP 2124 MWRs 035759, 036084, 036084, and 036477 are discussed in Section 3.1.2.

5 3.1.1 Unit 2 Rod Control Unit 2 has experienced three rod control system "urgent" failure alarms over toa recent one-week period. Any failure that affects the ability of the system move rods is considered urgent. An urgent alarm will automatically de and the energize the lift coil and energizes both the stationary gripper coils movable gripper coils at reduced current.

On each occasion, the urgent failures were generated by rod control power cabinet 2BD. This power cabinet is associated with Group 2 rods for- control banks 'B' and 'D' and shutdown bank 'B'. Each alarm was received when no rod movement was demanded, and operators were able to reset the alarm. Proper rod movement was verified following alarm reset in order to verify operability.

The lift regulation circuit board and the failure detector circuit board were replaced in an attempt to correct the spurious alarms. Subsequent investigation of the boards by Westinghouse determined that no deficiencies and existed with these boards. Brainstorming sessions between Westinghouse licensee engineers lead to a suspicion involving the -24VDC power supplies.

3) had Monitoring of the power supplies found the primary power supply (Number drifted to -30VDC. This was determined to be the cause of the spurious has alarms. As corrective action, the voltage on the primary power supply The former been lowered so that it has now become the backup power supply. supply. The backup power supply (Number 4) has now become the primary power the power supplies are auctioneered. The licensee is currently evaluatingswapping replacement of the Number 3 power supply-for the next outage. Since occurred.

the two power supplies, no additional rod control urgent alarms have to be timely The inspectors considered the licensee's resolution of this issue and thorough.

3.1.2 Unit 2 Emergency Switchgear Ventilation switchgear The inspectors performed a walkdown of the safety related emergencythat could ventilation system in order to identify if any conditions existed Plant degrade system performance. The Beaver Valley Unit 2 Individual to core Examination (IPE) determined that the top ranked sequence contributing by a complete loss of both trains of emergency damage frequency is initiated switchgear ventilation. The consequential events if operators fail.to of establish alternate room cooling within a prescribed time include:-loss coolant emergency AC power; loss of vital bus instrumentation; and a reactor pump seal loss of coolant accident without high head safety injection.

During the inspector's walkdown of the control panel on October 21, the light for emergency switch gear supply inspectors noted that the control power system alignment, fan 2HVZ-FN261B did not appear to be energized. Per normal

'B' fan was in standby. A normal white light the 'A' fan was running and removal of the indicates that the fan is ready to auto-start if needed. Upon unusually dim.

lens cover by an'operator, -the light bulb was noted as being there was a The inspectors questioned why this condition existed.and whether review of the'control deficiency with the fan control circuitry. Upon further knowledge by circuitry, the reactor operator demonstrated excellent system maintaining relay determining that a sneak circuit path existed which was

6 162-HVZBB energized with the fan in a standby condition. The inspectors and licensee personnel physically verified that this relay was indeed energized.

This relay should be de-energized when the fan is in standby. The consequence of this relay being energized is that fan 2HVZ-FN261B will not auto-start as designed upon loss of the 'A' train fan. Operators would also be unable to manually start the "B' fan since relay 162-HVZBB is maintaining the "anti pump" and trip coils of the fan breaker energized. The inspectors observed various fan manipulations which verified that the 'B' fan would not auto start if a very dim white-light condition existed. It was possible to clear this locked-up relay and obtain a normal white control power light by first placing the control switch in "pull to lock," then back to auto. Some operators knew of this condition and considered it to be a "workaround." Current operating and alarm response -procedures (fan auto-stop and high switchgear area temperature) did not specify the need for this control switch manipulation upon failure of the running fan. Further review, of-the fan start circuitry with relay personnel determined that both trains of, fans would properly auto start with the emergency diesel sequencer if called upon during a loss of power to the respective emergency bus.

The inspectors reviewed the maintenance history (since 1993) for both'trains of emergency switch gear supply ventilation fans and noted that three recent MWRs were generated to investigate the dim white light condition. Each MWR is summarized below:

MWR 015912 was opened on January 14, 1993, and worked on October 10, 1993, to investigate the dim white control power light for fin 2HVZ-FN261A. Since the control switch was in pull to lock during this maintenance, no problems were found and post maintenance testing verified proper fan operation.

MWR 032143, was opened on June 11, 1994, to investigate the dim white control power light for fan 2HVZ-FN261A. This MWR was scheduled to be worked during the upcoming refueling outage.

MWR 35001 was opened September 24, 1994, to investigate relay 162-HVZBB following observation of a dim white control power light. This MWR was voided the same day by the Nuclear Shift Supervisor who was subsequently able to auto start both trains of fans byflrstplacing the control switch in "pull to lock." The shift supervisor attributed this condition to "system design, not equipment deficiency." However, no additional follow-up action was pursued.

To eliminate the sneak circuit path, Design Change 2124 has been implemented to install a blocking diode which will allow relays 162-HVZAB/BB to drop out as required with the fans in standby.- The licensee's troubleshooting, as found testing, design change implementation, and post-modification testing during this inspection period were considered by the inspectors to be thorough and adequate to preclude future auto-start circuitry problems.

7 The inspectors interviewed shift supervisors, the responsible system engineer, and maintenance personnel regarding the emergency switchgear ventilation system. These individuals had either limited or no knowledge of the plant's IPE and could not identify the dominant core damage sequence or the most important safety system reported in the IPE. Upon the request of operating personnel, the inspectors provided the Unit 2 crew with a copy of the executive summary of the licensee's IPE. The training department is-scheduled to provide formal training to the operators on PRA in early 1995. At the end of this inspection period, an additional summary document was provided to operators and maintenance personnel by the licensee's engineering department.

The inspectors also reviewed the status of the licensee's enhancements to resolve the loss of emergency switchgear ventilation as identified by the IPE.

Section 6.3.1.1 of the IPE states that alarm response procedures are being reviewed to determine if they can provide more explicit guidance on how to establish sufficient alternate cooling in the event of a failure of both trains of emergency switchgear fans. Per the licensee's IPE, "simply opening doors will not produce a chimney effect." The inspectors previously noted (see NRC inspection report 50-412/94-14) that little progress was evident to resolve this vulnerability. Engineering memorandum (EM) 108125 was

subsequently issued on June 24, 1994, for engineering to provide information on the number of temporary fans needed to maintain adequate room cooling, their locations, and source of supply air. This EM was completed October 21, 1994. No interim guidance had yet been provided to operators, but the alarm response procedure is currently on schedule for completion by December 31.

The inspector also noted that Quality Assurance (QA) audit (BV-C-94-09),

issued October 10, 1994, stated that IPE Vulnerability 6.3.1.1, "Loss of Emergency Switchgear Ventilation," has not been scheduled for corrective actions or engineering analysis. This QA observation was.written against the Nuclear Safety Department. The inspectors, however, noted that the QA observation could have been more accurate, since the procedure group and engineering were taking proper action following the previous observations by the NRC.

Overall, the inspectors concluded that licensee personnel had prior of opportunities to identify the potential problem with the start capability was the emergency switchgear ventilation fans. Equipment maintenance history not used to identify the multiple MWRs (including pre 1993 work requests) that had been generated due to the dim white light condition, or that additional investigation was warranted. The inspectors concluded that the lack of awareness of the importance of this system (in terms of probabilistic risk assessment) also contributed to the failure to thoroughly-follow-up on the suspected control circuit deficiency by operations. Although licensee personnel identified the sneak circuit-path, it required the prompting of the inspectors regarding the adequacy of the fan control circuitry. The failure to promptly identify the emergency switchgear ventilation system control deficiency and thus take corrective action to preclude repetition is a violation (50-412/94-25-01) of 10 CFR 50, Appendix B, Criterion XVI, "Corrective Actions."

8 3.2. Surveillance Observations The inspectors witnessed/reviewed selected surveillance tests to determine whether properly approved procedures were in use, details were adequate, test instrumentation was-properly calibrated and used, technical specifications were satisfied, testing was~performed by qualified personnel, and test results satisfied acceptance criteria or were properly dispositioned. The operational surveillance-tests.(OSTs), loop calibration procedures (LCPs), and relay calibration procedures (RCPs) listed below were observed and reviewed. Unless otherwise indicated, the activities observed and reviewed were properly conducted without any notable deficiencies.

OST 1.43.6 Containment High Range Monitors Functional Test OST 1.43.7 Noble Gas Monitor Functional Test OST 2.47.1 Containment Airlock Test LCP-2-44F-P21B Emergency Switchgear Area Supply Pressure Loop Calibration 1/2RCP-30A-PC Calibration of ATC and Agastat Timing Relays 3.2.1 Supplemental Leak Collection System (SLCRS) Duct Damage at Unit 1 On October 16, 1994,: the licensee's Operations Department identified some large holes (several square feet in area) in the SLCRS duct leading to the Unit 1 waste gas storagevault. The licensee also recognized that the deficiency had an outstanding maintenance work request (MWR) that was written in October of 1991., The function of this part of the SLCRS is to maintain~a negative pressure on the waste gas storage vault, in order to reduce the magnitude of a radioactive release from a leak in one of the waste gas storage tanks. Any release from the waste gas storage tanks would also be changed to an elevated (vice a ground) release because of the SLCRS. The inspectors reviewed this issue'to determine why the licensee had not repaired the damaged duct after almost 3 years, and to evaluate the impact of the damaged duct on the performance of the SLCRS.

The original MWR was categorized as a Priority 2 (urgent/highly desirable),

but was downgradedithe day after it was written to a Priority 3 (expedite/desirable). The deficiency was not repaired immediately because proper work instructions were not readily available.for the repair.

Construction'maintenance personnel informally told the Engineering Department that they needed a Plant Installation Process, Standard (PIPS) to repair the duct. The need for the PIPS was never formally communicated to engineering management personnel, and, thus, a high priority was never given to completing this document- -The SLCRS System Engineer was aware of the deficiency, and had adequate test data to demonstrate that SLCRS would perform its design basis functions even with the hole. The test data also showed that the condition was not degrading. Because of the test data, the maintenance engineering and planning personnel did not place a high priority on the repair, and did not

9 pursue the delay in generating a PIPS. Based on this test data, the inspectors concluded that SLCRS would have performed its design basis function in this degraded condition.

This portion of the SLCRS is not routinely accessed because it is in the lower level of the east valve trench, which is a contaminated, high radiation area.

Consequently, plant operators were not routinely reminded of the existence of the deficiency. Although this deficiency did not receive appropriate attention in the past, the inspectors observed very good management attention since the Operations Department re-identified the SLCRS deficiency in October, 1994. The PIPS has been completed and approved for use. Repair of the deficiency is scheduled to begin November 16. Although the deficiency did not receive appropriate attention, management attention to deficiencies in safety related systems has been very timely in the recent past. The inspectors have noted that plant management is better focused on safety-related plant deficiencies since recent management changes, and plan of the day meeting changes were implemented. The licensee is going to discuss the SLCRS issue with all system engineers and will emphasize the need to raise any similar issues to an appropriate level of management.

3.2.2 Unit 1 Emergency Diesel Generator Speed Sensing Circuit Failures On October 6, 1994, during the monthly surveillance on the No. 1-2 Emergency Diesel Generator (EDG), the low jacket water pressure alarm was received with the diesel at idle speed (approximately 490 rpm). The alarm cleared before the unit reached normal operating speed (approximately 900 rpm). This~was the only deficiency noted during the surveillance. According to'the alarm response procedure (ARP), the alarm is set to occur at <20 psig if the diesel is operating at >870 rpm. Since the alarm cleared prior to the EDG reaching 870 rpm, and none of the problems outlined in the ARP were apparent, the operating crew assumed that the associated pressure switch was somehow malfunctioning. The surveillance test was determined to be satisfactory, and a maintenance work request was written to determine the cause of the low jacket water pressure alarm. On October 10, the EDG System Engineer recognized that the problem with the low pressure alarm might be associated with the diesel speed sensing circuits. One of the functions of the circuits is to block the low pressure alarm when the diesel is below 870 rpm. Since a malfunction in a speed sensing circuit could affect EDG operability, the No. 2 EDG was declared inoperable and troubleshooting was initiated.

The licensee found the cause of the problem was associated with one of the speed sensing relays. The relay had drifted from its setpoint of 870 rpm to less than 490 rpm. Each EDG has two identical speed sensing circuits with three relays per circuit. The relays are set at 40 rpm, 140 rpm, and 870 rpm.

The licensee checked all of the relays for proper operation, and found that all of the 140 rpm and 870 rpm relays were outside of their required +/- 20 rpm setpoint tolerance band. Two of the relays (including the one-which drifted below 490 rpm) were replaced because of repeatability problems. The 140 and 870 rpm relays were adjusted, and all of the relays were verified to operate properly during a post-maintenance test.

10 The inspectors observed selected parts of the relay calibrations and the post maintenance test. The maintenance and testing was adequately controlled.

However, the licensee was not using calibrated instrumentation to verify the relay set points during the post-maintenance test. The post-maintenance test procedure specified using the diesel skid-mounted tachometer which is not in the licensee's calibration program. This was pointed out by the inspectors, and the licensee obtained a calibrated stroboscope to ensure the set-points were accurate.

Because of the problems-with the No. 1-2 EDG, the licensee checked the operation of the No. 1-1 EDG speed sensing relays during its next regularly scheduled surveillance test. All of the 140 and 870 rpm relays were found slightly out of tolerance, and were adjusted prior to returning the unit to service. The licensee has determined that the repeatability problems with the relays on the No. 1-2 EDG were due to contact corrosion. Other licensee's with the same type of EDGs were contacted, and reported similar problems with the diesel speed sensing circuits. The speed circuit vendor (MKS Power Systems) does not sell a safety-related version of the circuit any more because of the-lack of long-term-relay reliability.. The licensee is going to monitor the performance of the relays during every EDG surveillance test until the next refueling outage. During the refueling outage, the licensee plans to replace the speed sensing circuits with newer, more reliable circuits (similar to the circuits installed at Unit 2).

The inspectors concluded that the licensee's corrective actions to address the problems with the-speed sensing circuits were appropriate. The as-found relay set-points would-not-have affected the operation of the EDGs under design basis conditions. In general, deviations which would have affected EDG operability would have been noted during surveillance testing. The 870 rpm relay which drifted below 49o rpm was also determined not to affect operability.- This relay has a close-permissive function for the EDG output breaker; however, the licensee's test data shows that the diesel will reach rated speed before the generator reaches rated output voltage. Therefore, the voltage permissive would have prevented the EDG output breaker from closing early.

The initial actions to address the jacket water, low pressure alarm could have been more aggressive. The deficiency was allowed to exist for 4 days before anyone recognized that it might impair operabilityoof the EDG. The licensee's ARP for low jacket water pressure was a contributing factor to the lack of attention to the alarm. The ARP did not consider problems with the speed sensing circuits as a possible cause, and all theverifications required by the procedure led the operators to conclude that the pressure detector- had malfunctioned. This observation was discussed with the Unit 1 Operations Manager. The Operations Manager had already arrived at a similar conclusion and was discussing~the event at licensed operator retraining.

4.0 ENGINEERING (71707, 37551, 92903) 4.1 AMSAC Design Omission At Beaver Valley Units 1 and 2, the Anticipated Transient Without Scram (ATWS)

11 Mitigation Actuation Circuitry (AMSAC) system was found to contain a design omission which could render the system inoperable under certain conditions.

The system is required by 10 CFR 50.62 and is designed to limit reactor coolant system pressure, diverse from the reactor protection system, by automatically initiating the auxiliary feedwater system and a turbine trip under conditions indicative of an ATWS.

Both Beaver Valley Units have an AMSAC system based on the Westinghouse Owners Group WCAP-10858P-A, Revision 1, "AMSAC Generic Design Package." The system is designed to initiate auxiliary feedwater flow and trip'the main turbine whenever the unit is above 40 percent power and 2 of 3 normal feedwater loops are below 25 percent of full flow. The AMSAC system at Beaver Valley is a Foxboro Spec 200 Micro Control System. As discussed in-WCAP-10858, the frequency of inadvertent AMSAC actuations shall be minimized. In order to satisfy this aspect of the design, AMSAC logic monitors the feedwater.flow signals entering the AMSAC cabinets for levels indicative of an instrument loop failure. If any of the feedwater input channels deviate outside-the normal range (i.e., indicating a failed low channel), then the AMSAC actuation output is automatically blocked. Design requirements include trip switches for the three feedwater flow channels on the AMSAC control panel. -Placing a feedwater flow channel in a tripped condition is supposed to remove the automatic block feature in the logic created when AMSAC sensed the'bad feedwater flow input and create a logic condition where AMSAC would actuate on a 1 of 2 low feedwater flow condition. During a review of the AMSAC logic, the licensee has found that these trip switches do not remove the automatic blocking feature. Thus, AMSAC is-rendered inoperable at any time one of the three feedwater flow inputs is outside their normal range. This omission was not identified during the system acceptance tests performed at the vendor facility or during the initial installation testing since this unblock feature was not specifically examined during these tests.

Based on the vendor's recommendations, a minor design change is currently being developed so that placing the bad feedwater flow channel in a tripped condition will remove the AMSAC block as originally designed. For thea pre interim, if a feedwater channel fails 'low, the licensee has developed approved temporary modification which will insert a flow signal of less than 25 percent for the appropriate channel. This will remove the actuation block signal and produce a remaining coincidence logic of 1/2. The inspectors reviewed the adequacy of the licensee's translation of~the design basis offound AMSAC into the design requirements for the AMSAC vendor. The inspectors Purchase Specification 8700-DES-0162, Revision 3, contained the sufficientfrom information for the vendor on removing a low main feedwater flow input this AMSAC. The licensee has determined that the failure to incorporate aspect of the system design was due to an oversight by Foxboro. The inspectors were satisfied with the licensee's corrective actions and personnel considered the identification of this design omission by engineering CFR to be noteworthy. The licensee is currently evaluating this issue for 10 21 reportability since AMSAC is considered to be a "basic component."

- I___________

12 4.2 Calibration of CREBAPS Pressure Switches (Unresolved Item 50-334/94-17-01) (closed)

During a routine walkdown of the control room emergency bottled air pressurization system (CREBAPS), the inspectors noted that several pressure switches, which protect the system from an over-pressure condition, had not been calibrated since 1987. The switches sense a high pressure condition in the piping downstream of the pressure regulators. The licensee initiated calibration checks and an analysis of the failure modes of these switches.

The issue was identified as an unresolved item (50-334/94-17-01) pending review of the licensee's failure analysis and the calibration data.

The calibration checks showed that all of the switches would have operated as intended. The licensee's failure modes analysis showed that failure to isolate one of the air lines on a high pressure condition would not challenge the CREBAPS or the control room pressure boundary. However, the licensee found, through-recent operating experience, that if a switch fails low, CREBAPS system operationcan be degraded (the associated discharge line is disabled). Consequently, the switches will be entered into the licensee's safety-related component calibration program. This issue is closed.

4.3 Solid State Protection System 10 CFR Part 21 (closed)

On September 1, 1994, the Duquesne Light Company submitted a 10 CFR Part 21 report to the NRC concerning the Beaver Valley Unit 1 Solid State Protection System (SSPS). The report concerned an anomaly with the train "B' SSPS semi automatic tester. The semi-automatic tester is used to test various logic card circuits. The licensee found that the tester card was producing extra test pulses. The extra pulses could prevent testing some logic combinations, which could mask a logic card failure. This problem was discovered by the licensee during troubleshooting of an unrelated logic card failure indication.

An observant engineer noticed that the test pulse train on the input of the logic card (with the unrelated failure indication) was not correct.

The licensee found that the system clock counter for the semi-automatic tester was causing the additional pulses. This card was replaced and train 'B' of the SSPS was successfully tested. The Unit 1 train 'A' and the Unit 2 SSPS logic testers were also checked for proper operation,. and no further problems were noted. The licensee has initiated periodic surveillance checks to verify proper operation of all SSPS logic test circuits. Westinghouse has issued a Nuclear Safety Advisory Letter as a resultoof the Duquesne Light Company findings. The letter recommends that all utilities with Westinghouse solid state protection systems check the semi-automatic test circuits, as a minimum, during each refueling outage.

The inspectors concluded that the licensee demonstrated a strong questioning attitude in the, identification of the SSPS semi-automatic tester anomaly, and took appropriate, conservative actions to report and correct the deficiency.

This 10 CFR Part 21 issue is considered closed for Beaver Valley.

13 4.4 Auxiliary Feedwater Flow Margin During a review of the Offsite Review Committee meeting minutes, the inspectors discovered that the licensee's analysis for a small break loss of coolant accident (SBLOCA) did not bound all of the conditions which are allowed by the Unit 1 and Unit 2 Technical Specifications. Specifically, any time the steam driven Auxiliary Feedwater (AFW) pump is out of service, both high head safety injection (HHSI) pumps and both motor driven AFW pumps must be in service. The Technical Specifications at both units allow the steam driven AFW pump and a motor driven AFW pump to be out of service for up to 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months , and place no restrictions on taking a HHSI pump out of service at the same time as the steam driven AFW pump.

The inspectors asked several shift supervisors if they were-aware that taking a HHSI pump or a motor driven AFW pump out of service at the same time as the steam driven AFW pump was an unanalyzed condition. The inspectors found-that none of the shift supervisors were aware that this condition was unanalyzed, and no controls were in place to prevent placing the plant in-such a condition. The inspectors reviewed the Quality Services Unit Technical Specification data base for both units. No instances were found where aservice steam driven AFW pump and a HHSI pump or a motor driven AFW pump were out of at the same time with a Plant in Mode 1.

not The inspectors were not able to determine exactly why plant operators were were aware of the required controls on AFW and HHSI pumps. The requirements known to the Nuclear Safety Department in early 1993, and were communicated to the Operations Department in the form of letters and a "basis for continued operation" determination. Additionally, the Operations Department was told to that the Emergency Operating Procedures (EOPs) must be revised immediately reflect the required AFW flow rates. Apparently, there was some internal or disagreement/questions concerning the necessity to implement more controls change the EOPs. The disagreement/questions were not fully resolved and no changes were made. After the inspectors identified that controls were lacking to prevent placing the plant in this unanalyzed condition, the licensee implemented appropriate controls at both units. The licensee was already working on Technical Specification changes to reflect the required controls.flows.

The EOPs, however, have not been changed to reflect the required AFW issue of The licensee is still evaluating the necessity for the change. The reflecting design basis AFW flows in the EOPs is an unresolved Item (50-334/94-24-02 and 50-412/94-25-02) pending NRC review of the licensee's determination.

5.0 PLANT SUPPORT (71750, 71707) 5.1 Radiological Controls Posting and control of radiation and high radiation areas were inspected.

devices were Radiation work permit compliance and use of personnel monitoring checked. Conditions of step-off pads, disposal of protective clothing, radiation control job coverage, area monitor operability and calibration a sampling (portable and permanent), and personnel frisking were observed on

I 14 basis. Licensee personnel were observed to be properly implementing the radiological protection program.

5.2 Security Implementation of the physical security plan was observed in various plant areas with regard to the following: protected area and vital area barriers were well maintained and not compromised; isolation zones were clear; personnel and vehicles entering and packages being delivered to the protected area were properly searched and access control was~in accordance with approved licensee procedures; persons granted access to the site were badged to indicate whether they have unescorted access or escorted authorization; security access controls to vital areas were maintained and persons in vital areas were authorized; security posts were adequately staffed and equipped, security personnel were alert and knowledgeable regarding position requirements, and that written procedures were available; and adequate illumination was maintained. Licensee personnel were observed to be properly implementing and following the Physical Security Plan.

5.3 Housekeeping Plant housekeeping controls were monitored, including control and storage of flammable material and other potential safety hazards. The inspectors conducted detailed walkdowns of accessible areas of both Unit 1 and Unit 2.

There has been improvement in housekeeping since the last inspection period, and the inspectors have noted management attention to housekeeping.

6.0 ADMINISTRATIVE 6.1 Preliminary Inspection Findings Exit At periodic intervals during this inspection, meetings were held with senior plant management to discuss licensee activities and inspector areas of concern. Following conclusion of the report period, the resident inspector staff conducted an exit meeting on November 16, 1994, with Beaver Valley management summarizing inspection activity and findings for this period.

6.2 Attendance at Exit Meetings Conducted by Region-Based Inspectors During this inspection period, the inspectors attended the following exit meetings:

Inspection Reot o Reporting Inspector Dates Sujc October 14, 1994 Engineering 94-22/23 R. Paolino October 14, 1994 Unit-1 SRO Exams 94-21 P. Bissett October 28, 1994 EDSFI Open Items 94-25/26 R. Bhatia November 10, 1994 MOV Open Items 94-23/24 F. Bower

15 6.3 NRC Staff Activities Inspections were conducted on both normal and backshift hours: 18.8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months of direct inspection were conducted on backshift; 20.5 hours5.787037e-5 days 0.00139 hours 8.267196e-6 weeks 1.9025e-6 months were conducted on deep backshift. The times of backshift hours were adjusted weekly to assure randomness.

W. Lazarus, Chief, Region I Section 3B, visited the site1 on October 27 and 28, and J. Linville, Chief, Projects Branch 3, on November and 2, 1994. During both visits, discussions were held with the inspectors and utility management and tours were conducted of the site.

Westinghouse Technology Advanced Manual Chapter 5 TRANSIENTS

Westinghouse Four-Loop Design Transients Westina'house Tecbnololpv Advanced Manual Wsigos orLo einTaset TABLE OF CONTENTS 5.0 WESTINGHOUSE FOUR-LOOP DESIGN TRANSIENTS ................... 5.0-1 5.0-1 5.1 Introduction .................................................

5.0-2 5.2 Transient Analysis .............................................

Energy Equilibrium .................... 5.0-2 5.2.1 5.2.2 Reactivity Balance ..................... 5.0-4 5.2.3 Steam Generators ..................... 5.0-5 5.2.4 Instrument Failures .................... 5.0-6 5.2.5 A ccidents ...........................

5.0-6 5.0-7 5.3 Parameter Behavior during Transients ...............

5.0-7 5.3.1 Pressurizer Pressure ............................ .. . . . . . . . .

5.0-7 5.3.2 Bank D Rod Position ............................ ...........

5.0-8 5.3.3 Nuclear Power ................................

5.0-8 5.3.4 Generator Load ................................

5.0-8 5.3.5 Tavg/Tref ....................................

5.0-9 5.3.6 Pressurizer Level .............................. ...........

5.0-9 5.3.7 Charging Flow ................................ .. . . .. .. , . . .

5.0-9 5.3.8 Steam Dump Demand ........................... ... , . o. . . ..

5.0-9 5.3.9 Steam Flow .................................. . . . . . . . . . .

5.0-9 5.3.10 Feedwater flow ................................

5.0-10 5.3.11 Steam Generator Level ........................... .. . . . . . . . .

5.0-10 5.3.12 Steam Pressure ................................

LIST OF TABLES 5-1 Transient Information ............................................. 5.0-11 LIST OF FIGURES 5.0-15 5-1 NSSS Response ................................................

+/-~~~i I..

1Of)

£. OA USNRC Technical Training Center Z.V-I e-.-_o P*.* 1*ev

I Westinghouse Technology Advanced Manual Westinghouse Four-Loop Design Transients Westinghouse Technology Advanced Manual Westinghouse Four-Loop Design Transients LIST OF TRANSIENTS 5.0 Power Changes 5.01 Ramp Load Increase: 50% - 100%, 5%/min 5.02 Ramp Load Decrease: 100% - 50%, 5%/min 5.03 Rapid Load Decrease: 100% - 90%

5.04 Rapid Load Decrease: 100% - 15%

5.1 Power Changes with Complications 5.11 Manual Reactor Trip 5.12 Rapid Load Decrease: 100% - 50%, Rods in Manual 5.13 Rapid Load Decrease: 100% - 50%, Steam Dumps Off 5.14 Rapid Load Decrease: 100% - 50%, Steam Dumps Off, Rods in Manual 5.2 Control Rod Transients 5.21 Dropped Rod (Shutdown Bank A Rod M-14) 5.22 Fast Rod Withdrawal, 45% Load 5.23 Fast Rod Withdrawal from Source Range 5.3 Instrument Failures Affecting Rod Control and Steam Dumps 5.31 Loop #1 Cold-Leg RTD Fails High 5.32 Loop #1 Hot-Leg RTD Fails High, 25% Load 5.33 Power Range Channel NI-41 Fails High 5.34 Steam Dump Loss-of-Load Controller Fails to Maximum Demand 5.35 Impulse Pressure Channel PT-505 Fails Low 5.36 Impulse Pressure Channel PT-505 Fails High 5.4 Instrument Failures Affecting Pressurizer Pressure and Level 5.41 Controlling Pressurizer Pressure Channel Fails High 5.42 Controlling Pressurizer Level Channel Fails Low 5.43 Controlling Pressurizer Pressure Channel Fails Low Rev 1296 USNRC Technical Training Center Technical Training Center Rev 1296

Westinghouse Technology Advanced Manual Westinghouse Four-Loop Design Transients LIST OF TRANSIENTS (CONT'D) 5.5 Instrument Failures Affecting Steam Generator Water Level Control 5.51 Controlling Steam Generator Level Channel Fails Low 5.52 Controlling Steam Generator Level Channel Fails High 5.53 Controlling Steam Generator Feed Flow Channel Fails Low 5.54 Controlling Steam Generator Feed Flow Channel Fails High 5.6 Equipment Failures 5.61 Trip of #1 Main Feed Pump 5.62 Inadvertent MSIV Closure 5.63 RCP Trip 5.7 Accidents 5.71 Atmospheric Relief Valve Fails Open 5.72 Large Steam Break Inside Containment with Loss of Offsite Power, 10-9 amps in I.R.

5.73 Large Steam Break Inside Containment, 100% Power 5.74 Large Steam Break Downstream of MSIVs, 10-9 amps in I.R.

5.75 Steam Generator Tube Rupture in SG #1 5.76 6-in. Cold-Leg Break 5.77 Loss-of-Feedwater ATWS

. .. . " V.,-

U" 170i.

0... U-I USNRC Technical Training Center

Westinghouse Four-Loop Design Transients W-.tjn ho~use Tec'hnology Advanced Manual VsihoeFurLpDsgnTaint 5.0 WESTINGHOUSE FOUR-LOOP relatively minor changes in setpoints, capacities, DESIGN TRANSIENTS or plAnt configurations could cause significant differences in indicated responses.

Learning Objectives:

During analysis and study of the curves, the

1. Given a set of transient curves and Table 5-1, student should concentrate on explaining the demonstrate an understanding of plant changes in various parameters caused by the characteristics and control, protection, and initiating event and by the subsequent operation safeguards systems by: of control, protection, and safeguards systems.

When explaining a numbered point, the student

a. Explaining why the parameter values are should always try to relate "cause" and "effect" trending as shown at selected numbered (e.g., pressurizer level is increasing because the portions of the curves, reactor coolant system [RCS] average tempera

b. Explaining plant effects caused by param ture is increasing, and the coolant is expanding eters reaching certain values at selected into the pressurizer). Do not place too much numbered points, and emphasis on an isolated portion of or a minor

c. Explaining the cause(s) of the reactor trip deviation in the graph of a particular parameter and/or engineered safety features (ESF) unless it is associated with a numbered point.

actuation, if either occurs. Generally, a numbered point will bracket a portion of a curve, indicating that the student Introduction should try to explain why a parameter is trending 5.1 or changing in the bracketed area. If a numbered The transient curves contained in this chapter point is associated with a reactor trip or engi neered safety features actuation, the student were compiled and analyzed by staff members of should attempt to explain not only that the protec the NRC's Technical Training Center (TTC).

tive action has occurred but also what reactor trip They were produced from the dynamic responses signal or ESF actuation signal is present.

of the Trojan (a Westinghouse four-loop reactor plant) training simulator. Specific parameter The following general notes are applicable to responses of the simulator were recorded by a all transients unless other information is provid data acquisition program and then graphed with a ed:

graphics program.

1. Pressurizer pressuire is from one of the The instructor explanations provided in class four pressuirizer pressuie instruments. In for these curves are the results of analysis by the a few traniients, wide-range RCS pres TTC staff during the actual simulator "runs" and sure from one of the pressure detectors during subsequent staff seminars. For each on the residual heat removal (RHR) transient, the sequence of numbered points has system suction line is also provided.

been established to aid the instructor's classroom presentation.

2. Bank D rod position is from the digital rod position indication system.

Caution is advised when trying to apply these simulator curves to any operating plant. Even

.lZ.1 Rev 1296

7 o q3--JL USNRC Technical Tralning Center

I-Westinghouse Technology Advanced Manual Westn~buse echoloa Adance MaualWestinizhouse Four-Loon Design Transients

3. Nuclear power is from one of the four four main steam lines but is indicative of excore nuclear instruments. the pressure in any steam line.

4. Generator load is in electrical MW. 13. Additional parameters are monitored and graphed if they are pertinent to the tran

5. Average RCS temperature (Tayg) is the sient analysis.

Tavg from one of the four coolant loops, derived from the narrow-range resistance 14. When a transient is caused by a control temperature detectors (RTDs) in the system response to an instrument failure, bypass manifold. The programmed Tavg the output of a redundant instrument is for a particular turbine load (Tref) is a graphed to display the actual changes in function of turbine impulse pressure. the parameter of interest.

6. Pressurizer level is from one of the three 15. Initial plant conditions not available from pressurizer level detectors. the transient curves are given by the instructor during the introduction to the

7. Charging flow is from the flow transmit transient and listed in a box adjacent to ter downstream of the'charging pumps the transient curves. For transients used and includes flow supplied to both the on the final exam, the initial conditions normal charging line and to reactor are given as part of the problem state coolant pump seal injection. ments.

8. Steam dump demand is the ouput of 5.2 Transient Analysis either the loss-of-load, the turbine trip, or the steam pressure controller, whichever The following sections discuss various is in service. aspects of transient analysis.

9. Steam flow (W,) is the flow in one of the 5.2.1 Energy Equilibrium four main steam lines but is indicative of total steam flow. Transient analysis begins with an examina tion of the stored energy of the reactor coolant.

10. Feedwater flow (Wf) is the flow supplied As shown in Figure 5-1, the internal energy of to one of the four steam generators but is the reactor coolant is dependent on two factors, indicative of total feedwater flow. the energy input from the core and the energy removal by the secondary system (steam genera

11. Steam generator level is from one of the tors). If the energy input equals the energy three narrow-range level detectors on one removal, then the internal energy of the reactor of the four steam generators but is indica coolant is not changing. Therefore, the average tive of the level in any steam generator. coolant temperature is stable. However, if an upset in the energy equilibrium occurs, then the

12. Steam pressure (Pstm) is from one of the internal energy of the reactor coolant changes, three pressure detectors on one of the resulting in a change in coolant temperature.

5.0-2 Rev 1296 USNRC Technical Training Center Technical Training Center 5.0-2 Rev 1296

Westinghouse Technology Advanced Manual Westinghouse Four-Loop Design Transients When a change in coolant temperature occurs, the of a change from an initial equilibrium between density of the reactor coolant changes. The "theenergy input to and energy removal from the reactor coolant.

changes in temperature and density affect several of the' parameters that are shown in the transient curves of this chapter. A change in the Stored energy of the reactor "coolant-canlý identified by comparing the reactor Assume that with an initial equilibrium -power and'the steam demand on the steam between energy production and energy removal, generators. Generally, if the turbine load is less a transient occurs that results in a reduction in tlie than the reactor power, then the average coolant rate ofdenergy removal (e.g., a turibine load temperature is increasing, and conversely, if the Sreduction).' Since the rate of energy production 'turbine'load is greater than the reactor power, (reactor power) can not immediately drop, the' then the average coolant temperature is decreas internal energy of the reactor coolant increases, ing. Any time the turbine is not in service or an additional steam demand from steam dump and the average coolant temperature increases.

.When the coolant temperature increases, the operation or a steam break is present, a compari

density of the coolant decreases. This decrease son of steam flow and reactor power leads to the in density results in an increase in the volume of same c6nclusion's. 'Once the direction of the the reactor coolant, causing an insurge into the energy mismatch is known, the changes in pressurizer and an increase in pressurizer level. coolant temperature and in pressurizer level and The pressurizer level insurge compresses the pressure can be explained.

steam bubble, and pressurizer pressure increases.

The two examples in the 'previous discussion Now consider an increase in the rate of are representative of two types of transients. In energy removal by the secondary system (e.g., a the first type, reactor power exceeds the rate of turbine load increase) from equilibriium condi 'energy rem6val by the secondary; if the mismatch tions. Initially, the rate of energy removal from is extreme, the'transient is referred to as an the reactor coolant exceeds the rate of energy overheiting event. This type of transient in production by the reactor, the internal energy of: cludes turbine trips, load rejections, and normal

.the reactor coolant decreases, and the average. pow'er decreases. In the second type, the rate of

,- coolant temperature decreases. When the coolant energy removal by the secondary excieeds reactor temperature decreases, the density of the coolant* pbwer;'if the mismatch is extieme, the transient is increases. The immediate consequence of aii referred to as an', overcooling or excessive heat increase in coolant density is an outsurge from' transfer event. Examples of this' type of transient the pressurizer and a corresponding decrease in "arenormal power increases, steam dump opera pressurizer level. When the pressurizer'le'vel tion, steam generator power-operated relief valve decreases, the volume of the steam bubble (PORV)openings, turbine valve failures, and increases. The expanding steam bubble results in'. steam line breaks.

a decrease from the initial pressurizer pressure'.

In addition to determining the direction and In each of the examples discussed above, the" - m fgiitude of the-energy input/energy removal reactor coolant temperature and density and the mismatch, the student must analyze the responses pressurizer level and pressure change as a result of the control systems. If nuclear power exceeds RV iYb

"-USNRC Technical Training Center, Training Center, +/-.Ii-i

5. 0-.5 Rtev 1296

'USNRC Technical

a Westinghouse Technoldgy' Advanced' Manual Westinghouse Four-Loop Design-Trilnsients Westinghouse Technology Advanced Manual Westinghouse Four-Loop Design- Transients turbine load, Tavg increases.: If Tavg increases be added by the power defect and compensated above Tref, then the' control rods are inserted by by a change in control rod position. The power the rod control system (assuming automatic defect (the power coefficient integrated over a operation). Also, the pressurizer level increases. power change) accounts for the change in reactiv If the increase in level exck'eds the increase in the ity associated with the'changes in fuel tempera pressurizer level setpoint, the pressurizer level ture and moderator temperature, with the modera control system decreases charging flow. The tor temperature assumed to be-maintained at accompanying increase in pressurizer pressure is programmed values. When the operat'or changes compared to the pressure setpoint in the pressur the turbine load at the turbine electrohydraulic izer pressure control system. The 'control system control (EHC) station, the resulting primary-to reduces the output of the proportional heaters secondary mismatch causes the average coolant and, if the pressure error is large enough, opens temperature to initially increase or decrease. The the spray valves. Finally, if the increase in rod control system (if in automatic) responds to pressurizer pressure is large enough, the pressur the Tavg/Tref error and the power mismatch izer PORVs open. The rod control system and associated with the load'change by inserting or the pressurizer level and pressure control systems withdrawing rods.' When the new steady state will react in similar but opposite fashions to a has been reached at the end of the load change, transient in which turbine load exceeds nuclear the reactivity balance (p = 0) is restored, with the power. reactivity 'associated with the power defect completely balanced by the reactivity added by 5.2.2 Reactivity Balance the change in control rod position.

Transient analysis also involves an examina As an 'example, consider a turbine load tion of the reactivity balance The transients in reduction with the rod control system in automat this section can involve changes'in fuel tempera ic. Initially, the drop in load relative to the ture, moderator temperature, '1and control rod unchanged nuclear power causes the average position, any, of which can 'idd positive or reactor coolant temperature to increase, and the negative reactivity to an initial statelof equilibrium temperature and power mismatch circuits of the reactivity (p = 0). For the transients of this rod control system call for control rod insertion.

section, the fuel and moderator temperature The control rod insertion suppresses nuclear coefficients of reactivity are always negative. No power and drives down Tang to match the de transient time span is l6ng enough' fr changes in creasing tref. Meanwhile, the fuel temperature is fission product (poison) concentrations to signifi decreasing with the decrease in nuclear power.

cantly, affect reactivity, and no transient involves When the load change is complete, the primary

,an operator-controlled change in boron concen power again equals the secondary load, and the tration. If the transient, terminates at a new positive reactivity addition associated with the steady-state endpoint witiou't 'a plant trip, the power defect (both fuel and moderator tempera positive reactivity added by one source must be tures are lower at the transient endpoint) is completely balanced by the niegative reactivity completely balanced by the negative reactivity added by another., added by the control rod insertion.

During a normal load change, reactivity will Next, consider the load reduction with the

- - - A ii.

ztv i-me iu Training Center USNRC Technical Training USNRC Center .3.U-4 Rev 1276O

Westinighouse Technolog~y Advanced Manual Westinghouse Four-Loop Design Transients Westin2house Tecbnoloy Advanced Manual Westinghouse Four-Loop Design Transients rod control system in manual. The primary-to transients involves-the changes that occur in secondary power mismatch increases the coolant steam generator level and pressure. The initial temperature and thereby adds negative reactivity.. changes in steam generator level that are caused The negative reactivity addition decreases reactor by changes in steam flow from'the steam genera power. The decrease in reactor power adds, tor are ,called "shrink" and "swell." Many positive reactivityyia the fuel temperature coeffi-. explanations are used to characterize these cient (the fuel temperature is decreasing), result phenomena. According to one such explanation, ing in a dampening of the power decrease. As a load change causes a change in the pressure of long as the rate of reactor energy production is the-saturated steam generators, resulting in greater than the rate of energy removal by the changes in the boiling rate and steam d6nsity. As turbine, the coolant temperature continues to rise. a result, the steam volumes within the tube

-The transient is terminated when the rate of bundle and riser regions of the steam generators

.energy input to the coolant by the reactor exactly either increase or decrease, with an accompany

_matches the rate of energy, removal by the sec ing change inthe feedwater flows from the ondary system, and the positive reactivity addi downcomer regions (where steam generator tion associated with the decrease in fuel tempera levels are measured).

-ture exactly matches the negative reactivity addition associated with the increase in coolant For example, during a turbine load increase, temperature. The endpoint conditions are equal the increased steam flow decreases the pressure values of reactor and secondary power and a Tavg in each steam generator. The pressure is now that is higher than that at the start of the transient. lower ihan the saturation pressure for the prevail ing steam generator temperature, resulting in an The- examples discussed above involve increase in the boiling rate and an accompanying changes initiated by the secondary plant. How expansion of the steam volume in the tube bundle S, ever, transients can be initiated in the primary region. This"epansi6n Irestricts' flow from the system. An uncontrolled rod withdrawal and a downcomer region to the tube bundle region,

,dropped rod are -two examples.- However, the resulting in an increasing level. In addition, the considerations of any existing energy mismatch, increased steam flow causes an increase in control system actions, and the effects of reactivi moisture removal in the moisture separators and a

',ty coefficients remain applicable. For the tran corresponding increase in recirculation of sients in this section, the moderator and fuel feedwater'from the moisture separators to the

£_ temperature coefficients and the reactivity chang downcomei, which contribute's to the increase in es associated with rod motion account for the downcomer level. This le',el increase is referred changes in reactor power. In actual plant opera to as a swell. Following the initial change in tion, long-term changes in the concentrations of level, the steam generator water. level control Ssysteni' (SGWLCS) returns the level to the fission product poisons and operator-controlled -normal progriammed value through a reduction in changes in the boron concentration must also be considered. , feedwatef flow.

5.2.3,Steam Generators Conversely, a decrease in steam demand results in a temporary steam generator level Another consideration in the analyses of decrease. The decreased steam flow increases

-5.0-5 -1 InIr USNRC Technical Training Center--, ev L*'

Wistinahouse Teclinology Advanced Manual Westinghouse Four-Loop Design Transients Wetnhos ecnlv AdacdMnalWsigos Fu-opDsinTaset steam generator pressure. The increased pres transmitter failing low. The inaccurate level is sure now exceeds the saturation pressure for the provided to the SGWLCS; the function of the prevailing steam generator temperature, and the SGWLCS is to maintain the steam generator level boiling rate decreases, resulting in a contraction at the setpoint'value. The first question in the of the steam volume in the tube bundle region. above list is now answered. The SGWLCS The decreased steam volume in the tube bundle controls'the steam generator level at setpoint by region permits increased flow from the controlling the 'psition of the main feedwater downcomer region, resulting in an initial de regulating valve. The second question is now crease in level in the*downcomer region. Also, answered. Finially, if the steam generator level is the decreased steam flow causes a decrease in low, the feedwater regulating valve opens further moisture removal in te moisture separators and a to increase the level in the steam generator. Since corresponding decrease in recirculation of the SGWLCS has no way of "knowing" that it feedwater from the moisture separators to the has a faulty input, this response occurs even with downcomer, which contributes to the decrease in an initially normal, steam generator level. Now downcomer level. This initial level decrease is consider the resulting effects. Feedwater flow referred to as a shrink. now exceeds steam flow, and the steam generator level increase's: This example illustrates the basic 5.2.4 Instrument Failures questiojs to' be' kept in mind for analyses of transients initiated by instrument failures.

A knowledge of control system functions and actions that are taken at particular setpoints is 5.2.5 Accidents necessary to analyze instrument failure transients.

A failure of an instrument which feeds an input to Analyses of accidents generally involve the a control systemrcan be analyzed by asking the trends in primary and secondary levels and following questions: pressures and the responses of plant safeguards systems. Iri the case of a loss of coolant accident

1. What is the- function of the control sys (LOCA), the pressurizer pressure and level drop, tem? but the steam generator pressures and levels are

2. What actiohs does the control system take largely unaffected. Since a steam generator tube to accomplish its function? rupture (SGTR) is a special form of LOCA, the

3. What actions are taken if the ictual value primary conditions will change similarly during of the parameter is above or below the an SGTR, while the level in the affected steam setpoint value? generator increases with the influx of reactor coolant through the rupture. Steam line breaks In short, if the output of a failed instrument is "canbe-groUped into breaks upstream of the main supplied to a control system, the student should steam isolation'valves (MSIVs) and downstream determine the response of the control system and of the MSIVs. During a break upstream of the how the controlled component changes plant isolation valves, the steam pressure in the affect conditions. ed steam generator decreases more rapidly than the pressures in the unaffected steam generators.

As an illustration of this technique, consider Following isolation of the faulted steam generator the case of a controlling steam generator level by its check ,alve, the pressures in the intact Key Lhb Technical Training USNRC Technical Center Training Center b.U-D K ev 1296

Westinghouse Four-Loop Design Transients Westinehouse Technoloey Advanced Manual Wsicos orLo einTaset steam generators should recover, while the order with which the graphs of the parameters are affected steam generator blows down to atmo presented.

spheric pressure. A break downstream of the MSIVs results in ,equal pressure drops in all 5.3.1 Pressurizer Pressure steam generators, which are terminated by MSIV closure. Of course, the overcooling of the 1. Pressurizer pressure is affected by reactor coolant caused by a steam break also components controlled by the pressurizer lowers pressurizer pressure and level. pressure control system. This is particu larly evident during transients involving For any accident, an ESF actuation is indicat the failure of the controlling pressure ed by the change in charging flow upon the channel.

isolation of normal charging and the initiation of 2. AK rapid change in pressurizer level can high head injection, and by the change in, have such a large effect on the dimen feedwater flow upon the isolation of main sions of the pressurizer steam bubble feedwater and the initiation of the auxiliary and, as a result, on pressurizer'pressure feedwater system. During steam line breaks and that the pressurizer pressure control some small LOCAs, high head injection eventual system cannot 'immediately restore ly reverses the drop in pressurizer level caused pressure to setpoint.

by overcooling of the reactor coolant or by 3. This parameter is an input into the OTAT inventory loss. For some transients, plots of trip and turbine runback setpoint calcula high, intermediate, and low head injection are tions and can cause the sei46ints to provided to illustrate the responses of the emer increase or decrease. -Evidence of a gency core cooling systems to an ESF actuation turbine runback can ebeseen on the and plant conditions, and plots of containment generator load plot.

pressure are provided to illustrate the progress of the accident and the response of containment 5.3.2 Bank D Rod Position' pressure suppression systems.

1. Bank D rod position is affected by the In an actual reactor, plant, indications of powermismatch and temperature mis accidents would include the responses of radia match inputs t6the rod control system.

tion detectors. Elevated containment radiation 2. It is" possible for the power mismatch levels would result from a LOCA, and higher circuit output to be equal and opposite to secondary radiation indications would result from e temperature mismatch circuit output.

a primary-to-secondary leak. No radiation Thiscon'dition results in'no rod motion, indications are included as part of the transient even thobugh" a Tref- Tavg difference exists.

curves provided in this manual.

3. Thef ailure -ofan the input to the power 5.3 -Parameter Behavior during Tran mismatch circuit causes rapid rod motion sients initiallydu'e t6othe high rate of change of nuclear powei relative to turbine load; the The following descriptions of parameter output of the power mismatch circuit then behavior during transients are provided in ihe decays 'exponentially, allowing any

- a - ---- 'want RiCY LYO "USNRC Technical Training -Center *° *:* ° U ° rl Rev 12.76

' Westing house Technology Advanced Manual Westnahuse echolo~ Adance MaualWestinehouse Four-Loon Design' Transients existing temperature mismatch to gradual drops below 90% of the throttle pressure ly increase its impact on rod control. for rated power. The response of this

4. A step drop in bank D rod position to 0 EHC system featur'e is evident in certain steps is indicative of a reactor trip. generatoi load reductions in some tran sients:*

5.3.3 Nuclear Power 4. A turbine runback is indicated by an abrupt change in load to a new lower Nuclear power responds to reactivity effects value. "

associated with fuel temperature, moderator 5. A step drop in generator load to 0 MW is temperature, and control 'rod, position. No indicative of a turbine trip.

transient time span is long enough for changes in fissi6n product (poison) concentrations to signifi 5.3.5 Tref/Tavg cantly affect reactivity.' No transient involves an operator-controlled change in'boron concentra 1. Since Tref varies linearly with impulse tion; changes in the coolant boron concentration pressure, it reflects changes in generator occur only during transients involving significant load:

injection of the refueling' water storage tank 2. Tavg is generated 'from the hot-leg and contents. cold-leg'temperatures (TH and Tc) mea sured inr the resistance temperature 5.3.4 Generator Load detectoi (RTD) bypass manifolds. This arrangement contributes to the inherent

1. During power level changes, the change dela~y between the time a Tavg change in generator load is usually the initiating occurs'and the time the Ta.g change is event. A load change can be input indicated. The delay involved is due to gradually by the operator with the selec the coolant loop transport time and the tion of a new demanded load and loading time required for coolant to flow through rate or rapidly via operation of the control the brpass manifold to the narrow-range valve position limiter. RTD locations. Therefore, during a rapid

2. The Trojan GE turbine EHC system transient the pressurizer level provides a generates a demanded control valve better initial 'indication of a coolant position for a giveh demanded load and temperitu're change (see section 5.3.6 does not incorporate impulse pressure below).

feedback. Thus, once the control valves 3. Tavg is a reflection of the balance between reach their'deman'ded positions, they will the rate of energy production in the not respond to loadz changes if the de primary 'and the rate of energy removal by manded load remains unchanged. With the secondary. If the two are equal, Tayg the control valves in fixed positions, the will remain constant. Any imbalance, generator load varies with the secondary whether initiated in the primary or sec side steamr1pressure. ondary, causes a change in Tayg.

3. The Trojan GE EHC system includes an initial pressure limiter Which closes the control valves' when -throttle pressure USNRC Technical Training Center 5.0-8 Rev 1296

Westing~house Technology Advanced Manual Westinghouse Four-Loop Design Transients Westinbouse TechnoIoy Advanced Manual Westinghouse Four-Loop Design Transients 5.3.6 Pressurizer Level the RCS pressure and the position of FCV-121, which continues to modulate

1. A change in pressurizer level is often a in response to pressurizer level control direct reflection of a change in reactor system commands.

coolant density and thus provides an indication of a primary temperature 5.3.8 Steam Dump Demand change.

2. A decrease in pressurizer level can be During power operation a steam dump indicative of a loss of coolant inventory. demand indication reflects a Tavg - Tref difference

3. A somewhat small but visible change in of greater than 5 F (the loss-of-load controller is pressurizer level can result from a change in service). Following a turbine trip, an existing in coolant density associated with a demand indicates that Ta'g exceeds the no-load moderately large pressure change. Tavg (the turbine trip controller is in service).

During plant heatups and startups, an existing 5.3.7 Charging Flow demand indicates that steam pressure exceeds the no-load steam pressure setpoint of 1092 psig. A

1. Generally, charging flow varies with the demand indication does not necessarily mean that position of charging flow control valve the steam dumps are opening; an arming signal FCV-121, which responds to the output must also be present. The best confirmation of of the pressurizer level control system (all steam dump operation is a change in steam flow.

transients begin with charging flow When steam dump demand is indicated, an supplied by one centrifugal charging increase in steam flow indicates that dump valves pump). Charging flow increases when are open.

the pressurizer level is less than the level setpoint and decreases when the level is 5-.3.9 Steam Flow greater than the setpoint. Often during a transient the pressurizer level and the Steam flow responds to changes in turbine level setpoint (a function of auctioneered control valve position, steam generator PORV high Tavg) are changing in the same operation, steam generator safety valve opera direction simultaneously but not in step, tion, and steam dump operation.

so that charging flow undergoes "swings" in which it first increases and 5.3.10 Feedwater Flow then decreases, or vice versa.

2. An ESF actuation signal causes a charac 1.,,Feedwater flow6 is governed by the teristic perturbation in charging flow "positionof the main feedwater regulating during which the second centrifugal valve,, which is controlled by the charging pump starts, the normal charg SGWLCS' ing line isolates, and charging flow 2.,,At the 6outset of a transient, the change in becomes seal injection only. This pertur feedwater flow is governed by the feed bation appears on the charging flow plot flow/steam flow mismatch. As the as a "zigzag." The steady-state charging transient 'progresses and the level error flow after an ESF actuation depends on has a chance to build, the level error z'.vv 17o USNRC Technical Training Center - , D.U- 7 ReCv Jld,7

Wistinghouse Technology Advanced -Manual Westinghouse Four-Loop Design Transients Westinghouse Technology Advanced Manual Westinghouse Four-Loop Design Transients signal will dominate feedwater flow and safety valves and steam line breaks.

changes.

3. Feedwater' flow often undergoes many oscillations during i transient. Large swings in feed flow correspond to significant changes in main feed regulat ing valve position; small-amplitude fluctuations in feed flow may be consid ered as normal steady-state operation.

4. The feedwater flow indication following the isolation of main feedwater reflects auxiliary feedwater addition to the steam generator. In'the control room, main feedwater flow and auxiliary feedwater flow are indicated on separate meters.

5.3.11 Steam Generator Level

1. A rapid change in steam demand causes a shrink or swell to '6ccur (see section 5.2.3).

2. A change in the reactor coolant tempera ture, especially a decrease,-can result in a change in the secondary temperature of the steam generators' and changes in steam density and steam generator level.

3. Following the isolation of main feedwater, level is affected by auxiliary feedwater addition.

5.3.12 Steam Pressure

1. In general, steam pressure increases with a load decrease and decreases with a load increase.

2. Steam pressure can be affected by-a change in Tavg if the'change is large enough to affect the conditions governing primary-to-secondary heat transfer (see section 5.3.11).

3. A rapid drop in steam pressure can reflect operation'of the steam generator PORVs u4i Rev.1296 USNRC Technical Training Center 5 .U-JLU Rev 1296

Westinghouse Technology Advanced Manual Westinghouse Four-Loop Design Transients Westinghouse Technology Advanced Manual Westinghouse Four-Loop Design Transients TABLE 5-1 TRANSIENT -INFORMATION I. Setpoints A. Reactor Coolant Temperature (*F) 564 Low Tavg 557 - 584.7 Tavg program from 0% to 100% power 553 Low-low Tavg (P-12)

B. Pressurizer Level (% level) 92 High level reactor trip 25 - 61.5 Level program from 0% to 100% power 17 Low level heater cutoff and letdown isolation C. Pressurizer Pressure (psig) 2485 Code safety valves open 2385 High pressure reactor trip 2335 PORVs open w 2310 Spray valves full open, 2260 Spray valves begin to open 2250 Variable heaters full off 2235 Nominal operating pressure 2220 Variable heaters full on 2218 Backup heaters off 2210 Backup heaters on 1915 Low pressure ESF block permissive (P-1 1) 1865 Low pressure reactor trip 1807 Low pressure ESF actuation D. Steam Generator Level (% level) 69 High level turbine trip, feedwater isolation, trip of main feed pumps (P-14) 44 Program level from 20% to 100% power 44 'Level program from 0% to 20% power, 25.5 Low level reactor trip (with steam flow > feed flow by 1.51 X 106 lbm/hr) 11.5 Low-low level reactor trip, AFW actuation KY LYD

-.... USNRC Technical Training Center I 5.,U -11 . Rev 1296

I Westinghouse Technology Advanced Manual Wesingoue Tchnloy AvanedManalWestinphouse Fniur-Tnn flhivsa - r-E. Steam Dump System Controller Inputs (*F) 5 - 16.4 Generates 0 - 100% output from loss-of-load controller 0 - 27.7 Generates 0 - 100% output from turbine trip controller F. Nuclear Instrumentation

1. Source Range (cps) 105 High flux reactor trip

2. Intermediate Range 25% current equivalent High flux reactor trip 20% current equivalent High flux rod stop 10-10 amps Source range block permissive (P-6)

3. Power Range (% power) 109 High flux, high setpoint reactor trip 103 High power rod stop, 39 Loss of loop flow permissive (P-8) 25 High flux, low setpoint reactor trip 10 Nuclear at-power block perm'hissive (P- 10)

+5 (w/ 2-sec time constant) Positive high flux rate reactor trip

-5 (w/ 2-sec time constant) Negative high flux rate reactor trip G. Main Steam Pressure (psig) 1170-1230 Range of code safety valve lift setpoints 1125 Atmospheric relief valve lift setpoint 600 Low steam pressure ESF actuation (with high steam flow)

H. ESF Actuation Signals High steam flow (variable setpoint) coincident with low steam pressure (600 psig) or low-low Tavg (553"F)

High steam line AP: I steam line 100 psig lower than at least 2 of the remaining 3 Low pressurizer pressure: 1807 psig High containment pressure: 3.5 psig Manual USNRC Technical Training Center 5.0-12 Rev 129 i

- Westinghouse Technology Advanced Manual ,Westinghouse Four-Loop Design Transients I. Containment Spray System Actuation Signals High-high containment pressure: 30 psig Manual II. Significant Parameters (Typical Values)

A. Reactivity Values

1. Moderator Temperature Coefficient (no-load)

BOL: -4 pcmFF (1500 ppm boron)

EOL: -26 pcm/*F (0 ppm boron)

2. Doppler-Only Power Coefficient BOL: -13 pcm/% power EOL: -11 pcm/% power

3. Power Defect at 100% power BOL: -1500 pcm EOL: -2400 pcm

4. Control Rod Worths 1 Bank: 1000 pcm Individual: 150 pcm Differential worth: to 12 pcnrlstep 4

5. Xenon Reactivity (BOL)

Equilibrium at 100% power: -2741 pcm Peak following reactor trip: -5200 pcm

6. Reactor Makeup Parameters Boric acid worth: 8 pcm/ppm (BOL)

Maximum dilution rate: 120 gpm Maximum boration rate: 40 gpm (4 weight % boric acid)

Automatic makeup rate: 80 gpm total blended flow

-. . . in 12* R ev 1296 USNRC Technical Training Center

Westinghouie Technology 'Advanced Manual -. 'Westinehouse Four-Loop Design Transients Westinghouse Technology Advanced Manual Westinehouse Four-Loon Desien Transients B. System and Component Parameters

1. RCS Range of AT from 0% to 100% power: 0 - 59*F

2. Pressurizer 1% change in level per "F change in Tavg 130 gal per % level 10 psi change in pressure per % change in level 10 psi change in pressure per "F change in Tavg

3. Main Steam System No-load pressure (corresponds to Tavg of 557"F): 1092 psig Full-load pressure: 792 psig Steam flow per generator (100% power): 3.77 X 106 ibm/hr Total steam flow (100% power): 15.07 X 106 lbm/hr

4. ECCS Maximum Pressures for Injection (psig) 2670 HPI pumps 1520 SI pumps 650 Cold-leg accumulators 200 RHR pumps USNRC Technical Training Center 5.0-14 Rev 1296

Ir z

V)

C" Cl)

Cl)

ý:V Ul CD CD 74

Westinghouse Technology Advanced Manual Chapter 6 PLANT DIFFERENCES (Later)

Westinghouse Technology Advanced Manual Chapter 7 PLANT EVENTS Section 7.1 Zion Loss of DC Power 7.2 V. C. Summer Inadvertent Criticality 7.3 Water Hammer at San Onofre 7.4 Salem Load Reduction 7.5 Sequoyah Incore Thimble Tube Ejection Event

Westinghouse Technology Advanced Manual Section 7.1 Zion Loss of DC Power

Zion Loss of DC Power Wac*; lnahnups Technolocry Advanced ManualZinLsofD Pwe TABLE OF CONTENTS 7.1-1 7.1 ZION LOSS OF DC POWER ........................................

7.1-1 7.1.1 Introduction ..............................................

7.1-1 7.1.1.1 PlantStatus .......................................

7.1-1 7.1.1.2 Description of Zion Electrical Distribution ...................

7.1-2 7.1.2 Loss of DC Control Power ....................................

7.1-2 7.1.3 Problems and Corrective Actions Taken ............................

7.1-2 7.1.4 Summ ary ................................................

7.1-3 7.1.5 Reference ................................................

LIST OF TABLES 7.1-5 7.1-1 Sequence of Events: Zion Unit 2 Loss of DC Control Power September 1976 .....

LIST OF FIGURES 7.1-7 7.1-1 Zion Unit 2 Electrical Distribution ..................................

.. . Rev 0196 4 . II--lt USNRC Technical Training Center

Westinahouse Technolosy Advanced Manual Zion Loss of DC Power Westinghouse TecbnoloEv Advanced Manual Zion Loss of DC Power 7.1 ZION LOSS OF DC POWER former 241, and 4.16-kV buses 242 and 244 were being supplied by system auxiliary trans Learning, Objectives: former 242. Diesel generator 2A was tied to the system through 4.16-kV bus 248 and was loaded

1. State the cause of the loss of dc power at to approximately 3300 kW while undergoing an

" Zion. extended test run. Battery 211 was.undergoing a monthly equalizing charge and was disconnected

,2.- Explain how the loss of dc control poimier from 125-Vdc ,control -bus 211, :which was affected the following: powered from the Unit 1 125-Vdc control bus 111 via a cross-tie.

a. Main control board indications.

b. Ability to control and/or trip equipmc-nt .7.1.1.2 Description -of Zion Electrical

-'-automatically, remote manually,- a nd - - Distribution

-locally.

- 7The Zion electrical distribution is shown in 3.: Discuss the causes of the reactor trip and 1the. Figure 7.1-1. The nonsafety-related electrical engineered safety features (ESF) actuati.on distribution system for Zion -Unit 2 consists of signal. Sfive 4.16-kV service buses. The normal power supply to the service buses is the unit auxiliary

4. Discuss the cbrrective-measures taken a!s a transformer, with the reserve supply from the result of this incident. -system auxiliary transformer. The unit auxiliary transformer is located on the output side of the 7.1.1 Introduction main generator, and the system auxiliary trans former is connected to the main grid. Bus 241 Zion Unit 2 is a fou'r-loop Westinghoi ise supplies the electric driven main feedwater pump design plant located in Zion,; Illinois. It is ralted and is the reserve supply for Unit 1 safeguards at 3250 MWt and 1098 MWe. buses. The otheroservice buses carry the large

- non-emergency loads associated with the plant, 7.1.1.1 Plant-Status such as circulating water pumps, reactor coolant

-pumps, condensate pumps, etc. Also, buses At the time of the incident, September 1976,, .242, 243, and 244 supply normal power to the the unit was operating at 25% reactor power v6ith --Unit 2 safeguards buses.

the load being increased. The 2C main feedwELter, pump and the main feedwater regulating val ves The safeguards buses consist of three 4.16 were in automatic, and the main feedwaLter kV buses, which are normally supplied from the regulating bypass.valves were in the process of three service buses mentioned above. The being closed (2A and 2B bypass valves were reserve power supply for these buses is bus 141 partially open). .

from Unit 1. :Theo emergency power is supplied S--by diesel generators, one of which is a swing Electrically, the main'generator was synct.Lro- diesel (can be used to supply Unit 1 or Unit 2).

nized with the grid. The 4.16-kV buses 243 and 245 were being supplied by unit auxiliary trgmns-, - -~The 125-Vdc buses receive their power from S- . ... .. . ... .. .. D , A109 USNRC Technical Training Center /.l-J.

Westinghouse Technology Advanced Manual Zion Loss of DC Power Westinghouse Technology Advanced Manual Zion Loss of DC Power battery chargers powered from the 480-Vac vital This results in a lineup of buses 242 and 245 on buses. Each of these buses supplies two auxiliary transformer 241 and buses 243 and 244 inverters, which power the 120-Vac instrument on system auxiliary transformer 242. This buses. The 120-Vac buses can also receive alignment would prevent more than one bus from power directly froffi the 480-Vac vital buses via being de-energized on a loss of dc power and 480/120-Vac transformers: The system normally prevent overloading a diesel generator that was uses the inverters to power the 120-Vac buses, paralleled to the system during a loss of a dc bus.

with the transformers as a backup power supply. A separate procedure was to be developed for the O diesel generator.

7.1.2 Loss of DC Control Power The possibility of eliminating the trip of all The loss of dc control power was the result reactor coolant: pumps on two-out-of-four of an operator improperly opening the tie breaker underfrequency was examined. After a discus between 125-Vdc bus 111 and 211 prior to sion with Westinghouse, this was ruled out due reconnecting battery 211 to bus 211. The result to the possibility of causing a sequential loss of was a loss of dc power to the loads supplied flow accident, which is an unanalyzed accident.

from bus 211. The results of the loss of these loads are discussed in the attached sequence of The installation of an automatic transfer events. switch to change the computer power supply from the battery fed inverter to regulated ac 7.1.3 Problems and Corrective Actions power was to be performed. This would be done Taken rapidly enough to ensure no loss of data from the computer.

The first measure to be considered was a key lock system on the dc breakers which would Two modifications associated with the main require the breakers to be operated in the proper control board annunciators were performed.

sequence during realignment: This idea was First, annunciators for the ac buses were sup rejected due to personnel safety considerations. plied from ac power from the opposite unit.

Secondly, mimic buses were added to the control The diesel generator which was destroyed by board to provide indication of power status for fire was removed and repaired. Tlhe diesel was the dc distribution system.

then tested to ensure it met the original specifica tions. The outage required for this repair was 7.1.4 Summary approximately 6 weeks.

This incident is important in that it demon The procedure- for aligning the 4.16-kV strates the importance of maintaining proper dc service buses was 'riised to place two buses control power in the plant, and the consequences with the same source of dc control 'power on of a loss of the dc control power. In this case, different transformers. The service buses which the loss resulted in a reactor trip and an ESF provide power to the 4.16-kV ESF buses (except actuation, filling the pressurizer relief tank to the for the bus supplied by the 0 diesel generator) point of breaking the rupture disk, and causing would be supplied by the system transformer. significant, damage to an emergency diesel Center 1.1-h Key UIYO USNRC Technical USNRC Training Center Technical Training I. I-ZO Rev 0196

Zion Loss of DC Power Ca 3tSflt air, ***E*%J 4: 6 U W"O' fr 11 h - -In Sj

,Y Z5tA3 IV Advanced Manual generator.

It should be noted that each plant could have a different response to a loss of dc control power due to differences in the designs of their electrical distribution systems. The incident at Zion Unit 2, however, demonstrates the importance of this source of power to safe operation.

7.1.5 Reference Nuclear Power Experience Manual, Volume PWR-2,Section XI, Subsection A, entries 166 and 192.

Riv 0196 USNRC Technical Training Center 7.1-3 Rev 0196

SZion Loss of DC Power "TABLE 7.1-1 Sequence of Events: Zion Unit-2 Loss of DC Control Power September 1976

-I Equipment operator opens the tie breaker between 125-Vdc control bus 111 and bus 211

- prior to paralleling bus 211 with battery 211.,

2. DC control power lost to the following loads:

a. 4.16-kV buses 241, 243, 245, and 248,

b. All generator and transformer relaying and -metering, and c: All main control board annunciator windows and horns.

3. Underfrequency relays on 2B and 2D RCPs drop out, generating a reactor coolant pump

-trip signal to all reactor coolant pumps. 2A and 2C RCPs trip (pumps 2B and 2D do not trip due to loss of dc control power to their breakers).

4. -Reactor trips on loss'of two reactor coolant pumps with power greater than 10% (P-7).

5. 'Reactor trip causes a turbine trip. However, the main generator does not automatically trip "dtieto loss'of the dc power. Main generator motorizes.

6. Running main feed pump does not automatically trip due to loss of generator relaying (main

- feed pumps at Zion tripon 'a main generator trip) and cannot be tripped from the main in control board. Due to the shrink in the steam generators, the pump goes to full speed rapidly due response to the low steam generator levels. 2A and 2B steam generators refill 1.5 to the partially open main feedwater bypass valves (about 3000 gpm for approximately minutes).

in the

7. The rapid cooldown caused by the overfeeding causes a drop in the steam pressure psid differential 2A and 2B steam generators. This results in an ESF actuation on 100 valves.

pressure. The ESF signal causes a feedwater isolation signal and shuts the bypass at the control

8. The main generator output breakers and the field breaker are opened manually board (dc control power to the breaker trip coils is transferred to another source).

the unit auxiliary

9. 4.16-kV buses 243 and 245 do not automatically transfer from transformer to the system auxiliary transformer because of loss of DC power.

7. 1 - 5 . - Rev 0196 USNRC Technical Training Center

Westinghouse TechnoloLv Advanced Manual '_ Zion Loss of DC Power Wetin house - Techno1ov Advanced Manual Zion Loss of DC Power TABLE 7.1-1 (CONTINUED)

Sequence of Events: Zion Unit 2 Loss of DC Control Power September 1976,

10. Diesel generator 2A attempts to carry the loads of buses 243 and 245 through transformer 241. Since the diesel is only sized for ESF loads, these buses overload the generator. The overload condition results in the diesel generator overheating and catching on fire.

11. Running main feedwater pump is manually tripped by the shift engineer at the EHC station.

12. Attempts are made to manually trip the running diesel generator; however, the smoke and fire prevent success. Eventually; the generator windings burn open, and the components powered from the affected buses coast to a stop. Cardox is initiated to extinguish the fire.

13. The pressiirizer safety valves lift (maximum RCS pressure of 2550 psig) and continue to lift several times. The pressurizer relief tank rupture disk breaks, resulting in about 2500 gallons of water spilling into the containment. The safeties are lifting due to the input of water from the ECCS equipment (high head injection) which started with the ESF actuation.

14. DC bus 211 is reenergized. Control board annunciators are restored, 2B and 2D RCP breakers are opened, and the 4.16-kV buses are-re-energized from the unit auxiliary transformer (inoperable for about 20 minutes).

15. ESF signal is reset and diesel 2A is tripped. All safeguards pumps are stopped. About 7650 gallons of water was injected into the plant.

4 Rcv. UlYD n.nr USNRC Technical Training Center ReCv UJ17

I UNIT ~~~1~~

241 0

LN NO NIO I NO NO NO MA1 J 1 ESF 247 ESF 248 ESF 249 00

_J 480Batt;FROM 480Catter r Jy UNIT GEERTO 11,--kNOtw Baet

3ry r r yc* *,c ,

From UniS1F2__3-qI Ty1c1Di2l12, CoInvrtPer bL L

Westinghouse Technology Advanced Manual Section 7.2 V. C. Summer Inadvertent Criticality

V.C. Summer Inadvertent Criticality Wactin hnuicq Tpechnoloar Advanced ManualV..Sm e Ind rttCiicit TABLE OF CONTENTS 7.2 V. C. SUMMER INADVERTENT CRITICALITY ......................... 7.2-1 7.2-1 7.2.1 Introduction ............................ ..................

7.2-1 7.2.2 Causes ................................ ... °..............

7.2-2 7.2.3 Safety Implications ........................ ......... °°.......

7.2-2 7.2.4 Generic Implications ....................... 7.2-3 7.2.5 Corrective Actions ........................ 7.2-3

.... °..°°°........

7.2.6 Summ ary ..............................

LIST OF TABLES 7.2-5 7.2-1 Incorrect ECRPs ..............................................

ew - Rv 0191

.. h1 I/.,A-!

USNRC Technical Training Center Rev 0196

Westing~house Technology -Advanced Manual V.C.- Summer Inadvertent Criticality

,7.2 V. C. SUMMER INADVERTENT. mined to be 168 steps on control bank D (CBD).

CRITICALITY The trainee 'was, instructed to withdraw the control banks until the CBD position reached 100 Learning Objectives: steps. It was thought that this would provide a convenient. stopping point with a sufficient

1. Briefly discuss the V. C. Summer start margin prior to criticality. Based on calculations accident.- after the event, the reactor actually went critical when CBD reached about 40 steps, but no one in 2.- Explain the causes of the accident. the control room realized that the reactor had attained criticality. The trainee continued to add

3. Explain the, safety implications of the acci positive reactivity after the reactor was critical dent. " I I with continued rod withdrawal. The SRO blocked the source range reactor trip when the P

4. Explain what procedural limitations and 6 permissive was received without noticing the administrative controls should have prevented rate at which reactor power was increasing.

- this accident. - Without the 105 cps trip from the source range instruments to stop the power increase, reactor "7.2.1 Introduction power increased to approximately 6% of rated thermal power with a startup rate of about 16-17 V. C. Summer Nuclear Station is a single Sdpm (based on post-accident calculations) before unit three-loop Westinghouse plant located in the reactor tripped on high positive flux rate in

--Fairfield County, South Carolina, and operated the power range. -Control bank D was at about

...- by South Carolina Electric and Gas Co. The 76 steps when the trip occurred.

plant began commercial operation on January 1, 1982. -7.2.2.Causes On February 28, 1985, during a startup, the The reactor startup which took place around reactor experienced an inadvertent criticality 1:30 p.m. on February 28 followed intermittent which resulted in a reactor trip. A combination operation of the unit during the previous month.

of errors associated with improper, operation,,,,,, One of the primary causes of the inadvertent "inadequate supervision of an operator trainee; -:,criticality was the incorrect calculation of the and miscalculation of the estimated critical rod- ECRP. The calculation for the startup used the position (ECRP) led to the inadvertent criticality..',, power block ,method of predicting xenon and The event could have been easily prevented by':: samarium reactivity worths, which can produce better.- training, supervision and procedural -,;significant errors.if the power history is intermit control. The reactor protection system func-: tent. The ECRP calculation was made based on a tioned as designed to shut the reactor down - brief period (three hours) of power operation before any fuel damage was-experienced. . --. earlier in the day rather than on previous periods

-- ,,, "..of, extended operation. -Another problem with the The startup was being conducted by a reactor calculation involyed using middle of life (MOL) operator trainee under the supervision of a senior rod worth curves rather than beginning of life reactor operator (SRO). The ECRP was deter- (BOL) curves, which would have been more

-- - - -Y - - ~1 . ~ - . ),... Ain,<Z~Y L~

SUSNRC Technical Training Center - .I / . 15 - I - tLIev UFJ.

1 Westinghouse Technology 'Advanced Manual V.C. Summer Inadvertent Criticality Y V.C. Su mer Inadvertent Criticalitv appropriate. The licensee's pr6cedure lacked any the power range neutron flux trip (low setpoint) guidance regarding when the change should have would activate at 35% power (the positive rate been made to the MOL curves: trip is not assumed to activate). The peak power attained, limited by the fuel doppler coefficient, is The operator performing the startup was a about 600% of rated thermal power (the energy trainee and did not have an NRC license. This is release from an instantaneous power pulse would allowable if the trainee has received sufficient be very low). No fuel or clad damage results, training to be able to perform the task normally and the departure from nucleate boiling ratio performed by licensed personnel and is directly remains greater than 1.3, according to the analy supervised by a licensed operator. The trainee sis. The V. C. Summer inadvertent criticality apparently had not received appropriate training event was bounded by the accident analysis with because he did not know what the indications of considerable margin.

reactor criticality are and he did' not know that plant procedures required that the Excore instru 7.2.4 Generic Implications mentation should be moniiored for indications of criticality any time positive reactivity is being The inability to accurately predict criticality is added to the core. a safety concern because technical specifications require that the calculation be performed to verify Supervision of the trainee was inadequate, that the reactor will be critical with rods with even though several reactor operators and senior drawn above the rod insertion limit. This is reactor operators were' in the control room necessary to ensure that there is enough negative performing other tasks related to the startup. reactivity available from the control rods that the None of the licensed' operators recognized "reactorcan be made subcritical from all operating criticality and the supervising senior operator conditions assuming the worst case conditions.

even blocked the source range trip as reactor power was increasing into the intermediate range. Even though the inadvertent criticality event was bounded by an aiialyzed accident, it demon 7.2.3 Safety Implications strated significant weaknesses in the utility's procedures and training for licensed operators.

An event more severe than the February 28 The plants procedure did-not provide adequate inadvertent criticality is analyzed in the V. C. guidance for the calculation of an ECRP during a Summer final safety analysis report. The uncon period of unstable or unpredictable xenon behav "trolledrod cluster control assembly bank with ior. Adequate guidance on the correct source of d**wal from a subcritical condition (a Condition data was not available as demonstrated by the use "IIfault'of moderate freqtency) is' analyzed to of the incorrect rod worth curves.

determine if acceptable fuel limits are maintained during the transient. The event is initiated with a -The major contributor to the incorrect ECRP simultaneous withdrawal of two sequential calculation at Summer was the incorrect determi "control banks having a maximum combined nation of the reactivity worth of xenon. Summer worth at a maximum speed of 105 pcm/sec (the and other licensees typically used the power addition rate was deiermined to be 10 pcm/sec for block history method to calculate the equivalent the 2/28/85 event). The analysis determined that power for determining xenon and samarium 7.2-2 Rev 0196 USNRC Training Center Technical Training USNRC Technical Center 7.2-2 Rev 0196

_V.C. Summer Inadvertent Criticality U1ectin housei Technology AdIvanced ManualV..Sm e Iadetn Crialt reactivity worths. With this method the core recurrence. Procedural inadequacies were power level readings are logged periodically in addressed, and inverse multiplication plots were order to describe the previous core power histo used for subsequent startups to predict criticality ry. Xenon reactivity is based on the hourly and to verify the accuracy of ECRPs. These average core power for the 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months prior to actions did not prevent the problem that occurred shutdown. Samarium reactivity is based on the on 5/11/85. Administrative controls on the daily average power for the eight days prior to conduct of training were improved to ensure shutdown. In determining the reactivity worth of proper supervision of on-the-job training.

xenon and samarium, each logged entry has a different coefficient or multiplier associated with Following a special inspection by USNRC it. The entries nearest to the time of shutdown Region II, enforcement action was taken for the are the most heavily weighted. The power block procedural violations and inadequacies. In method of determining the equivalent power level additon, the licensed operator supervising the for estimating xenon and samarium reactivities is evolution received a letter of reprimand.

not very accurate when previous reactor opera tion is intermittent at widely varying power 7.2.6 Summary levels. It was determined that some of the ECRP calculations were in error by more than 50 rod The major contributor to the incorrect ECRP steps when non-equilibrium critical data were calculation at Summer was the incorrect determi used. nation of the reactivity worth of xenon. Similar instances of incorrect ECRP calculations have Other methods, such as computer programs, occurred on numerous occasions at Westing are available to determine xenon and samarium house plants. The use of inverse multiplication worths for use in ECRP calculations. Although plots to predict criticality and to verify the accura potentially more accurate and not subject to cy of ECRPs and the proper monitoring of calculation errors, problems are still possible available indications help to prevent uncontrolled with computer programs. Improper data input criticalities and power excursions.

and software errors during development and updating of the software can introduce problems during use.

Similar instances of incorrect ECRP calcula tions have occurred on numerous occasions at Westinghouse plants, but proper monitoring of available indications have prevented uncontrolled criticalities and power excursions. Table 7.2-1 is a partial listing of similar events.

7.2.5 Corrective Actions Following the incident at V. C. Summer, the licensee initiated corrective actions to prevent

. .. ,7 2 R ev 0196E

. A. ,

USNRC Technical Training Center

V.C. Summer Inadvertent Criticality Westin husec Technoloav Advanced ManualVC.Sm eIadretCrialy TABLE 7.2-1 Incorrect ECRPs Date Plant Primary Cause 5/11/85 V.C. Summer Incorrect ECRP, went critical below the RIL, inverse multiplication plot failed to identify error.

5/17/85 McGuire 2 Incorrect ECRP, went critical below the RIL, error caused by incorrect Xenon worth program.

8/23/84 Turkey Point 3 Incorrect ECRP, went critical 85 steps below ECRP, calculation error.

5/12/84 Turkey Point 3 Incorrect ECRP, went critical 145 steps below ECRP, calculation error.

10/31/84 Turkey Point 4 Unable to achieve criticality, calculation error resulted in improper boron addition to RCS.

5/15/85 Turkey Point 3 Incorrect ECRP, used wrong RCS temperature in calculation (525"F vs. 535"F) 1D-- fl1o INkl* *g U ,IkJ V US-NRC Technical Training Center 4 *.,, -

Westinghouse Technology Advanced Manual Section 7.3 Water Hammer at San Onofre

-.- Water Hammer at San Onofre Westinahn,,sp Technology Advanced Manual WtrHme tSnOor

"" TABLE OF CONTENTS 7.3 WATER HAMMER AT SAN ONOFRE ................................ 7.3-1 7.3-1

".7.3.1 History of Water Hammer at Nuclear Power Plants ........... .........

.I.. 7.3-2 7.3.2 Water Hammer .......................................

7.3-3 7.3.3 San Onofre Water Hammer Incident ..............................

7.3-4 7.3.4 Plant Conditions Leading to Water Hammer ..........................

......... 7.3-6 7.3.5 Water Hammer-Induced Damage .....................

7.3-6 7.3.5.1 Piping and Piping Support Damage ...............

7.3-7

-7.3.5.2 Feedwater Loop B Flow Control Station Damage ..............

7.3-7 7.3.5.3 AFW Piping Damage ...............................

............ 7.3-7 7.3.5.4 Valve Malfunctions ........................

7.3-7 7.3.6 Valve In-Service Testing ............... .......................

7.3-8 7.3.7 Valve Failure Findings ................ .......................

7.3-9 7.3.8 Flash Evaporator Unit ................. .......................

7.3-9 7.3.9 Turbine Breakable Diaphragms (Rupture Disks) .......................

7.3-10 7.3.10 Summary ......................... .*..............o..-...

LIST OF TABLES

.... 7.3-11 7.3-1 Description of Feedwater Pipe Damage Following SONGS-I Water Hammer 7.3-12 7.3-2 Inspection Findings ...........................................

_ ,'. :. . .. 92& y ft0196 USNRC Technical Training Center , , , I

Water Hammer at San Onofre W-.ct;n ohnuse Technoloov Advanced Manual WtrHme tSnOor LIST OF FIGURES 7.3-1 Filling of a Voided Feedwater Line ................................. 7.3-13 7.3-2 San Onofre Electrical System ..................................... 7.3-15 7.3-3 Condensate System ........................................... 7.3-17 7.3-4 M ain Feed System ............................................ 7.3-19 7.3-5 Auxiliary Feedwater System ..................................... 7.3-21 7.3-6 SONGS-1 Feedwater Flow Diagram ................................ 7.3-23 7.3-7 SONGS-1 Loop B Steam Generator Flow Control Station -................. 7.3-25 7.3-8 SONGS-i Auxiliary Feedwater System .............................. 7.3-27 7.3-9 FW Loop B Piping and Support Layout .............................. 7.3-29 7.3-10 Overview of Feedwater Piping and Support Damage Due to Water Hammer ..... 7.3-31 7.3-11 Typical Swing Check Valve ...................................... 7.3-33 7.3-12 Check Valve FWS-346 ......................................... 7.3-35 7.3-13 Check Valve FWS-348 ......................................... 7.3-37

-.. . 'v 2* 1 a., nil-I Olt USNRC Technical Training Center I . .- lI *,CV UJ~l

Westinahonse Technology Advanced Manual Water Hammer at San Onofre Wptinphn,,q TrhnnIov Advanced Manual Water Hammer at San Onofre 7.3: WATER HAMMER AT SAN heat and cool down after a reactor trip.

ONOFRE lFollowing the SGWH that occurred at Indian Learning Objectives: ,Point Unit 2,in 1972, which resulted in a circumferential weld failure in one of the

1. Describe three types of water hammer and feedwater line's, the NRC required all utilities to their causes. submit design and operational information describing design features for avoiding SGWH.

2. -Describe corrective actions that were taken to In 1978, the generic subject of water hammer was classified as-an unresolved safety issue (USI prevent previous' steam generator w'ater, hammer problems. A-I) and received increased NRC and industry attention.

'ater

3. Describe the damage caused by the w hammer event at San Onofre Nuclear Ge.ner- SGWH can occur -following a reactor trip when the steam generator top feedring drains and refills with cold auxiliary feedwater. NRC 4.+ Describe how multiple check valve fail ures attention was directed at t&e f'eedring design and internal steam generator (SG) components near

- contributed to the initiation of the meater

, hammer at SONGS-I "the feedwater (FW) nbzzle. Experience had revealed that internal damage to the feedring and

5. Discuss how check valve testing require d by. supports could occur. Modifications implement the-American Society of Mechanical l 'ngi- ed to prevent SGWH genierally inv6lied installa neers Boiler and Pressure Vessel Code c-ould tion of J-tubes to prevent _the draindown of

' have prevented the SONGS-i water haramer . feedrings, short horizontal runs of FW piping incident. adjacent to SG feedwater nozzles to minimize the magnitude of water hammerfs, and limits on auxiliary feedwater (AFW) system flow rates to 7.3.1-History of Water Hammer at IS[u-clear Power Plants, avoid the rapid refill of SGs. with cold water. In general, attentio'n focused on the internal struc

-ture and design of the sieam generator rather than During the early 1970s, the NRC be'came water on conditions in the FW lines and flow control aware of the increasing frequency of

tems components.,

hammer events in nuclear power plant sy.

- "and became concerned about-the potential chal-.

Y'that The NRC was dware'of the 'iossibility of "lenges to system integrity and operabilit]

could result from these incidents. For prc.ssur- developing c6ndensation-induced water hammer ized water reactors, the major contributor to these 'extending back into the 'feedwater'piping as a enera- result of line voiding because of a water hammer incidents was a phenomenon called steam g¢ h the occurrence at the KRSKO plant in Yugoslavia in

.tor. water,.hammer (SGWH). . Althoug ant to, 1979. Limriitd 'information on that event sug significance of these events varied from pl evere 'gests that leaky checlk valves 'or pre-operation

-plant, the NRC 'was concerned that a ls

[water pump testing (i.e6.,'start anid trip test), or both, SGWH could cause a complete loss of feed decay, were'the underlying ,causes. Similar occurrences and affect the ability of a plant to remove Vw (11Q1

___ - - I.-,-'-,

,, '1 USNRC Technical Training Center _ Rev 0196

3-Westinghouse Technology Advanced Manual Water Hammer at San Onofre had not been reported for U.S. plants, and transient is a'fluid shock wave in -which the apparently check valve failures were not consid pressure change is the result of the conversion of ered a significant contributor to feedwater system kinetic energy into pressure waves (compression water hammer by'the NRC. Implicit in the waves) or the conversion of pressure into kinetic reliance the NRC placed on J-tubes to prevent energy (rarefaction waves). Regardless of the steam generator feedring voiding to prevent underlying causes, this phenomenon is generally SGWH, was the assumption that,feedwater referred to as water hammer.

system check valves do not leak. It appears that the NRC did not consider feedwater piping water A water hammer event can be characterized as hammer due to failed check valves to be a sub one of the following three major types:

stantial contributor and did not pursue this issue further. 1. "Classical water hammer" generally identifies a fluid shock, accompanied by noise, which 7.3.2 Water Hammer results from the sudden, nearly instantaneous stoppage of a moving fluid column. Unex This section discusses the water" hammer pected valve closures, backflow against a which occurred at'SONGS-il, its underlying check-valve, and pump startup into voided causes, and the damage incurred. Since failed lines where valves are closed downstream are check valves' ifi the feedwater pipiig' were the common underlying causes of classical water underlying cause,' this section also discusses hammer and are generally well understood.

valve nfiaintenance and in-service testing related to these valves. To clarify' the discussions that Analytical methods have been developed to follow, a brief review of water hammer phenom predict loads for this type of fluid hammer ena and commonly accepted definitions are and include the effects of initial pressure, provided. fluid inertia, piping dimensions and layout, pipe wall elasticity, fluid bulk modulus, valve Hydraulic instabilities occur frequently in operating characteristics (time to open or pipifig networks'as a result of changes in fluid close), etc.

velocity or pressure. Some of the better under stood occurrences include induced flow tran 2. "Condensation-induced water hammer" sients due to starting and stopping pumps, resul& when cold water (such as auxiliary opening and closing valves, water filling voided feedwater) comes in contact with steam.

(empty) lines, and pressure changes due to pipe Conditions conducive to this type of water breaks or ruptures. 'As a consequence 'of the hammer are an abundant steam source and a change in fluid velocity or pressure, pressure long empty horizontal pipe run being refilled waves are creafed'which propagate throughout slowly with cold water. The cold water the fluid within the piping network and produce draws energy from the steam, with the rate of audible noise, line' vibrations and, if sufficient energy itrnsfer being governed by local flow energy transfer occurs between" the pressure conditions. As the steam condenses, addi wave and the pressure boundary, structural tional steam will flow countercurrent to the damage to piping, piping'supports, and attached cold water,- and as the pipe fills up (i.e., the equipment. More' specifically, this pressure void decreases) the steam velocity increases, Rev U19t USNRC USNRC Technical Training CenterCenter Rev 0196

.Westinghouse Technology-Advanced Manual - , Water Hammer at San Onofre Westinghouse Technology Advanced Manual Water Hammer at San Onofre setting up waves on the surface of the water,,, occurred principally, in pressurized water eventually, entraining water and causing slug reactors (PWRs) with ,steam generators "flow. Slug ýflow entraps steam pockets and ,,,having top feedrings for feedwater injection.

.promotes significant heat transfer between the: The underlying causes are similar to those steam and colder water. Figure 7.3-1 illus -; discussed above (i.e., the voiding of the trates in simplified form the flow conditions horizontal feedring and feedwater piping which would come about during the refilling immediately adjacent to the steam generator of a voided horizontal feedwater line. Once and the subsequent injection of cold water).

slug flow conditions commence, a steam Damage -from SGWH has generally been pocket will suddenly condense, creating a confined to the feedring and its supports and localized depressurization instantaneously. to the steam generator feedwater nozzle "Theresulting pressure imbalance across the region. However, damage to feedwater line slug (approximately 700 psi at SONGS-i) snubbers and supports has also occurred. An causes the slug to accelerate away from the SGWH resulted in a fractured weld in a source of pressure and toward the region of,-. feedwater line at Indian Point Nuclear Power

.:

condensation.-* . Plant Unit 2 in 1972.

Condensation is extremely rapid, and predict 7.3.3 San Onofre Water. Hammer Inci ing its exact location is impossible. When the

dent .

- . water slug suddenly strikes water in a previ

- ously filled pipe, it produces a traveling San Onofre Nuclear Generating Station Unit pressure wave which imposes loads of the 1, operated by the Southern California Edison magnitude that would be induced by classical Company (SCE), is a 450-MWe Westinghouse water hammer in the piping network. This pressurized water reactor located on the Pacific phenomenon, called condensation-induced Ocean, approximately four miles south of San water hammer, occurred at SONGS-1. Clemente, California. The plant received an NRC S-. - , :'operating license in

I.

Predicting loads associated with this type of water hammer is extremely difficult because. - At 4:51 a.m.-on November 21, 1985, with of the interactive and complex hydrodynaamic the plant operating at 60 percent power, a ground and heat transfer phenomena which precede -:fault was detected by protective relays associated

-the sudden condensation. Yoid fraction (or,-, with a transformer which was supplying power how empty the pipe is) and subcooling (or to one of two safety-related 4160-V electrical how much colderthe water is than the satura- -buses (see Figure 7.3-2). The resulting isolation tion temperature of the steam when steam and* 'of the transformer caused the safety-related bus water come in contact) are two important .to de-energize and, tripped all feedwater and parameters currently used lin models for condensate pumps on the east side of the plant.

predicting this type of water hammer occur- The pumps on the.west side of the plant were rence and its associated loads.-. - :.,unaffected, since their power was supplied from S,., * ..another bus.:The continued operation of the west

3. :."Steam generator water hammer" is a conden-, feedwater and condensate pumps, in combination Ssation-induced water hammer which has- .with the failure of the east feedwater pump

- - - -. -, ,----, - T.....

Rtv fl1fl U1,,

USNRC Technical Training Center S.. .. I * .,* -- ,.* ' Rev 0176

Westinghouse Technology Advanced Manual Water Hammer at San Onofre Westinghouse Technology Advanced Manual Water Hammer at San Onofre discharge check valve to close, resulted in the Later, operators isolated the feedwater lines from overpressurization and rupture of an east-side the steam generators, as required by procedure, flash evaporator low pressure heater unit. The which resulted in refilling the feedwater lines in operators, as required by emergency procedures the containment building. Before all feedwater dealing with electrical systems, tripped the lines'were refilled, a severe water hammer reactor and turbine-generator. As a result, the occurred that bent and cracked one feedwater plant experienced its first complete loss of steam pipe in the containment building, damaged its generator feedwater and in-plant ac electrical associated pipe supports and snubbers, broke a power since it began operation. feedwater, control valve actuator yoke, and stretched the studs, lifted the bonnet, and blew The subsequent four-minute loss of in-plant the gasket' of a four-in. feedwater check valve.

electrical power started 'the, emergency diesel The damaged check valve developed a significant generators (which by design did not load), de steam/water leak, the second leak in the event.

energized all safety-related pumps and motors, significantly reduced the number of control room Despite these problems, operators later instruments available, produced spurious indica succeeded in recovering level indications in the tions of safety injection system actuation, and two steam generators not directly associated with caused the NRC red phone on thie operator's the feedwater piping leak. With the re-establish desk to ring. Restoration of in-plant electric ment of steam generator levels, the operators power was delayed by the unexpected response safely brought the plant to a stable cold shutdown of an automatic sequence that should have condition, without a significant release of radio established conditions for delayed remote-manual activity to the environment (an existing primary access to offsite power still available in the to-secondary' leak was not exacerbated) and switchyard. without significant additional damage to plant equipment.

The loss of steam generator feedwater was the direct result of the loss of p6wer to the two A brief description of how the SONGS-1 main feedwater and one auxiliary feedwater mechanical-and electrical systems involved in this pump motors, and the designed three-minute event function-and interact is provided. Under startup delay of the steam-powered auxiliary standing the major differences between this plant feedwater pump. The loss of the feedwater and more recently designed pressurized water pumps, in combinationrwith the failure of four reactors will clarify the basis for operator actions.

additional feedwater check valves to close,

'allowed the loss of ihvdhit6ry from all three steam 7.3.4 Plant Conditions Leading to Water generators and the partial voiding of the long Hammer horizontal runs 6f fe~dwateirpiping Within the containment building. The subseq uent automatic The plant conditions at SONGS-I which led start of feedwater injection by tlie'steam-powered to a steam condensation-induced water hammer auxiliary feed waier'pmpuni did not result in the included the voiding of long horizontal lengths of recovery of steiam generator levels because the feedwater lines, which allowed the backflow of "backflow of steam and water to "the leak in the steam from all steam generators before operators evaporator carried the'auxiliary feedwater with it. isolated the FW lines (by closing motor-operated 7.3-4 Rev 0196 USNRC USNRC Technical Training Center Technical Training Center 7 .3-4 Rev 0196

Westinghouse Technologiy Ailvanced Manual - ,Water Hammer at San Onofre Westin!house Technoloav Advanced Manual Water Hammer at San Onofre valves MOV-20, 21, and 22), and the subsequent steam generators by the steam blowing down refilling of the FW lines with relatively cold (i.e., through the failed check valves in all three FW

less than 100*F) AFW. Figures 7.3-3, 7.3-4, control stations and out the leak in the flash 7.3-5, 7.3-6, 7.3-7. and 7.3-8 illustrate the evaporator.

Sflowpaths, valves and other equipment affected by this water hammer. Following restoration of unit-power, the motor-driven AFW pump started automatically, Upon detection of the fault on the C auxiliary increasing the indicated -AFW, flow rate to a transformer, relay-protection de-energized 4.16 preset rate of 155 gpm per steam generator.

, kV bus 2C, de-energizing east-side main However, all three steam generator levels contin feedwater - (MFW) pump FWS-G-3A. The ued to drop since the FW check valves remained continued operation of west-side MFW pump open, the main steam -system had not been FWS-G-3B, due to the unusual electrical align-, jisolated, and steam generator blowdown had not ment, combined with the -failure of east-side been isolated.. Subsequently, in accordance with MFW pump discharge check valve FWS-438 to,, an emergency operating procedure for reactor trip K-S ,,seat; resulted in the overpressurization and failure response, operators isolated the failed FW check of the east flash evaporator tube and shell. The valves by shutting the three FW control isolation

- -subsequent unit trip de-energized the west-side valves, MOV-20, 21, and 22, at approximately

.MFW pump and denied power to electric-driven 4:55 -a.m.-, Isolation of the feedwater trains

- -AFWpump AFW-G-1OS. -With the cessation of occurred before the water hammer in the FW line "flowto the steam generators, the failure of check to SG B.

valve FWS-438, and the failure of the check

valves in the SG feedwater supply lines (valves Subsequent to the,isolation of the main FW FWS-346, FWS-345, and FWS-398), a path lines, and recognition in the control Iroom that was provided for the blowdown of all three -both AFW pumps were delivering water, the

,:-,steam-

-' generators through their respective -operators became concerned about overcooling of feedwater lines to the atmosphere through the the reactor coolant system and the decrease in

'failed flash evaporator.' pressurizer level, The operators decreased the AFW flows from 155 gpm to zero,.and then The drop in the steam generator water levels increased them to 40 gpm. Refilling the FW

, following the unit trip initiated the AFW system, lines downstream of the flow control stations Sbut the electric pump was de-energized, and was thus halted and then resumed at a much steam-driven AFW pump AFW-G-10 took 3.5 lower flow rate.

minutes to deliver flow because of a programmed warmup period for the turbine. Thus, for three cnThe slow refilling of the FW lines within the to four minutes 'no flow was being provided to "containmentbuilding continued from when AFW the steam generators, ,and ,the leaking check flow was first throttled to when the water ham valves permitted the horizontal feedwater lines to - mer was reported to have occurred seven minutes void. Further, the initiation of AFW.flow at a later by a plant equipment operator. As noted rate of about 135 gpm from the steam-driven previously, conditions conducive to steam pump was not effective in halting the voiding, condensation-induced water hammer in the

- because flow was being carried away from the : feedwater lines were present for quite some time.

S. .. .. . . .- ' *' P .. . . .. .. . .l*_. a i rflt R*e¥ U17LY0 USNRC Technical Training Center =..-

I Westinghouse Technology Advanced Manual Water Hammer at San Onofre Westinghouse Technology Advanced Manual Water Hammer at San Onofre The gross failure of upstream check valves, large to damage pipe supports and piping and to which permitted water to, drain from the transmit loads through the containment building feedwater lines and be replaced with steam, was penetration structure outward to the'loop B the underlying cause for water hammer. Leaky feedwater regulating station. No damage was check valves have been previously cited in evident tO-the steam generator B feedring or reports of other water hammer occurrences. Five nozzle region that can be attributed to water check valves are known to have been failed hammer, nor was there evident damage to or during the SONGS-I event. movement of the piping between support HOOC and the steam generator B feedwater nozzle.

7.3.5 Water Hammer-Induced Damage Table 7.3-1 and Figures 7.3-9 and 7.3-10 illustrate the piping and support damage.

The following sections detail water hammer induced damage to loop B feedwater piping and 7.3.5.2 Feedwater Loop B Flow Con supports, to the loop B FW flow'control station, trol'Station Damage and to the loop B AFW piping and-describe the existing damage to feedwater system check Figure 7.3-11 shows the typical internal valves. arrangement of a swing check valve.' The water hammer originating in the feedwater line within 7.3.5.1 Piping and Piping Support the containment building generated a'water slug Damage which transmitted a pressure wave upstream to the loop Bflow control station. Check valves Damage to the loop B FW piping was con FWS-346 and FWS-378, downstream of the fined to plastic yielding of the-northeast elbowv control valves, were designed to prevent and to a visible crack on the outside of 'the pipe, backflow,' although post-event inspection re extending approximately 80 inches axially. The vealed that the closure disk for FWS-346 (see crack penetrated approximately 30 percent of the Figure 7.3-12) was lying in the bottom of the pipe wall at its deepest point froim the outside and valve chamber. Thus, any closed valve upstream approximately 25 percent on average.' Damage to of the check valve would be subjected to the supports was severe in some instafi6es. This water hammer loads. In addition to check valve siction provides a description of the damage FWS-378, flow control valve FCV-457 and visible after the FW' piping insulation was re m~tor-operated valve MOV-20 were subjected to moved. the water hammer loads; because they had been closed' by operators following the emergency Figure 7.3-9 shows the loop B FW piping operating procedures.

layout and identifies the piping support stations where damage occurred. This figure also pro Because check valve FWS-378 was intact vides directional orientation and indicates piping and operational, it was subjected to water ham dimensions. Figure 7.3-10 shows principal mer'loads and absorbed much of the water areas' of damage and indicates how the pipe hammer energy,' whereupon the bonnet studs moved. yielded and the gasket was forced outward against the studs. The failure of the gasket The water hammer forces were sufficiently relieved much of the internal pressure, thereby 7.3-6 Rev 0196 Training Center USNRC Technical Training Center 7.3-6 Rev 0196

,I- . Westinghouse Technology -Advanced Manual ,

Wesingous TehnoogyAdvnce Maual- -Water Hammer at San Onofre

- minimizing damage. to other equipment andI plant operation shall be on -a frequency valves at this station. Valve FCV-457 did incuir determined by the intervals between shut

. damage to the flow-actuator yoke and a ben, t -downs as follows:, for intervals of 3 months

- -valve stem. , - or longer, exercise during each shutdown; for intervals of less than 3 months, full-stroke 7.3.5.3 AFW Piping Damage , -.exercise is not required unless 3 months have passed since last shutdown exercise.

The AFW injection points to the mair

-feedwater piping at SONGS-1 lie in the "breeze - Additionally, the NRC staff position on cold way" upstream of the containment building steel1 shutdown testing of valves is as follows:

shell. The AFW, lines run horizontally and ther vertically to tie into the main feedwater lines,

1. -The licensee is to commence testing as Water hammer loads were imposed on AFW loo1

soon-as the cold shutdown condition is B piping.. Although pipe movement extendedI achieved, but not later than 48 hours5.555556e-4 days 0.0133 hours 7.936508e-5 weeks 1.8264e-5 months after several -hundred feet upstream, there was nc shutdown, and continue until complete or evidence of piping damage. until the plant is ready to return to power.

7.3.5.4 Valve Malfunctions - 2. Completion of all valve testing is not a prerequisite for returning to power.

Post-event disassembly and examination ouf valves that contributed to water hammer condi. 3. Any testing not completed during one tions confirmed that check valve failures were the cold shutdown should be performed underlying causes forthe occurrence of watel r -: during any subsequent cold shutdowns, hammer. Inspection findings identified the valvt S 5starting from the last test performed at the conditions listed in Table 7.3-2. S .- previous cold shutdown.

7.3.6. Valve In-Service Testing, All feedwater system check valves are period

- ically tested in the closed position. The main and The ASME Boiler and Pressure Vessel Code bypass feedwater regulating check valves are Section- XI, which specifies valve in-service normally tested in cold shutdown (mode 5) and testing, (IST), requirements for valves like tht .the feedwater pump discharge check valves are SONGS-1 feedwater check valves, states: tested in hot standby (mode 3).

Valves shall be.exercised to the positior 1- 7There

! are 121 valves that are subject to IST required to fulfill their function unless suclh, during. cold shutdown. Although IST was operation is not practical during plant opera. performed during each outage, all of the valves tion.... Valves that cannot be exercisecI were not tested. Consequently, the feedwater during plant operation shall be specificall3 -,valves had been tested only one time since

. identified by the owner and shall be full - October 1984. The available opportunities for stroke exercised during cold shutdowns valve 1ST were not always fully utilized due to Full-stroke exercising during cold shutdown s higher priority operational requirements.

,. for all valves not full-stroke exercised durinf 7.3 Rev 0196 USNRC Technical

_.. ."USNRC Training Center Technical Training Center 7.3 m -Rev. 0196

Westinghouse Techiiology Advanced Manual, Water Hammer at San Onofre Westinghouse Technology Advanced Manual Water Hammer at San Onofre Surveillance' test procedures for verification made that "little or no flow" has occurred.

of check valve closure for the main feed pump discharge check valves, (FWS-438 and FWS Valves FWS-345 and FWS-346 failed the 439) require one main feed pump to be running IST on February 24, 1985, when tested during while the other pump is stopped. The discharge mode 5 (cold shutdown). Maintenance work valve at the idle pump is then opened and the orders were prepared to repair both valves.

pressure is monitored between' the pump and its However, on February 26, 1985, "Non-routine discharge check valve. An increase in pressure and Increased Frequency IST" was performed or an operator observation that the pump is during mode 3 (hot standby), and' the valves rotating backwards would indicate that the check passed. During mode 3 the steam generator valve is not closed. While providing reasonable pressure increased the differential pressure assurance of check valve cl6oure, this testing available to seat the check valves (to approxi method also subjects the' low pressure pump mately 700 psi) and thereby enabled them to suction piping to some relatively high pressures pass. The work orders were then cancelled, and if the check valve fails to close (as in the Novem no corrective maintenance was performed.

ber 1985 event), and thus'damage is possible to such components as the flash evaporator. 7.3.7 Valve Failure Findings Testing with the idle pump suction valve shut would provide a more rigorous test. Check valve failures caused by partial disas sembly 'while in service do not appear to be Surveillance test procedures for verifying unique to SONGS-1 or to the valve manufacturer closure of other main feedw'ater check valves (MCC Pacific). A limited review of licensee require testing to be performed during cold event reports (LERs) indicates that these valve shutdown with the steam generators filled to a failures are not unique.

level above the feedrings. The motor-operated valve upstream of each check valve is closed, and Failures of FWS-438 and FWS-439, the the drain valve between this valve 'and the associ main feed pump'discharge check valves, may ated check valve is opeiied. 'The column of water have been due to inadequate valve design, since in the steam generator -provides approximately the disc-retaining nut of each valve was not 4.5 psi of differential pressure across the valve to provided with a positive locking device that provide the closing force on the check valve disc. should have reduced the probability of the disc The procedure states that the 'section of piping working loose, wedging into the valve seat, and between the motor-operated valve and check failing open. Additionally, excessive clearances valve is to be drained, and that "little or no flow" between the hinge and disc assemblies allowed from the drain should be v-erifie'd. This test the discs to rotate past the anti-rotation devices.

procedure leaves the 'surveillance operator to "make the decision about how much flow is The, failure of FWS-346, the B feedwater "little" and thus indicative of positive verification header check'valve, may have been caused by the of chieck valve closure. The IST records do not inadequate hardness of the disc-attaching stud, provide a means of determining whether flow which allowed the threads to strip and the end to occurs or its extent, or for verifying complete mushroom over, conditions contributing to the valve cavity drainage before a determination is ultimate valve' failure. However, the service USNRC Technical Training Center n7.3-8 Rev 0196

- - , Westinehouse -Technology Advanced Manual W~ater Hammer-at San Onofre Westinzhouse Technolov Advanced Manual Water Hammer at San Onofre conditions (i.e., flow-induced vibration) experi-. This pressure caused a tube failure in the east enced by this valve may also have been a major evaporator condenser. The flash evaporator shell contributor to failure. The failures of FWS-345, was subsequently, overpressurized, resulting in and FWS-398, the A and C feedwater header the failure of the shell.. After the loss of all in check valves, may have been due to similar plant ac power, the remaining (west) main feed service conditions. pump coasted down, and the failed main feedwater regulating valve check valves (FWS The cracks in the seating surface of FWS 345, 346, and 398) allowed backflow from all 378, the four-in, check valve in the B loop steam generators through failed valve FWS-438 bypass line, appear to be service related. How to the failed-tube in the east flash evaporator ever, these cracks may have been caused by the condenser. This backflow continued until the significant forces on the valve from the water .operators closed motor-operated ,feedwater hammer. header isolation valves MOV-20, 21, and 22, and main feedwater regulating valves FCV-456, 457, Failure of the yoke of FCV-457, the loop B and 458.

feedwater regulating valve, was probably due to lack of sufficient support or bracing of the valve Helium leak checks were performed on all operator during the pipe movement caused-by east feedwater heaters, revealing no leakage water hammer loading. beyond that expected from normal operation.

The west feedwater heaters were leak tested 7.3.8 Flash Evaporator Unit before the unit was returned to service. The failure of the flash evaporator had no direct safety During the event, the east condensate header significance. .

was overpressurized, resulting in catastrophic Breakable -Diaphragms failure of the east flash evaporator tubes and -7.3.9 Turbine (Rupture Disks) shell. The evaporator unit is in a shell which also houses two stages of low pressure feedwater heaters and drain coolers. The flash evaporators During the event, steam was observed had not been used for several years, and extrac issuing from the low pressure turbine breakable Each low pressure turbine has four tion steam to them had been isolated. The diaphragms.

evaporator condenser is part of the condensate breakable diaphragms designed to protect the system flowpath. The design pressure of the turbine casing from overpressurization. The flash evaporator condenser and fourth- and fifth diaphragms, made of thin lead, are designed to point low pressure feedwater heater tubes is 350 break if the turbine exhaust pressure, normally psig, while the shell-side design pressure is 15 subatmospheric, reaches 5 psig. The diaphragms psig. The low pressure feedwater heaters were are supported against external atmospheric in service during the water hammer event. pressure and normally seal the turbine casing against air in-leakage. All diaphragms were When bus 2C was de-energized and the east intact prior to the water hammer event.

main feed pump tripped, failed discharge check valve FWS-438 allowed the west main feedwater Four of the diaphragms ruptured during the on low pressure turbine 1 and one on pump to pressurize the east condensate header. event, three Lenter ., I

3 - 7.

Technical Training USNRC Technical Training C~enter I o *# Rev A106

X_

Westinghouse Technology Advanced Manual Water Hammer at San Onofre low pressure turbine 2. Rupture of the dia phragms is not considered unusual for conditions existing after a loss of all ac power with contin ued energy addition into the main condenser, and is of no safety significance.

7.3.10 Summary On November 21, 1985, Southern California Edison's San Onofre Nuclear Generating Station Unit 1, located south of San Clemente, Califor nia, experienced a partial loss of in-plant ac electrical power while the'plant was operating at 60 percent power. Following a'manual reactor trip, the plant lost all in-plant AC power for four minutes and experienced a severe incidence of water hammer in the feedwater system which caused a leak, damaged plant equipment, and challenged the integrity of the plant's heat sink.

The most significant aspect of the event involved the failure of five safety -i'elated check valves in the feedwater system. These failures appeared in less than a year, without detection, and jeopar dized the integrity of safety systems. The event involved a number of equip'ment 'malfunctions, operator error, and proceduial deficiencies.

'2 1Ab R filaIr uD.W J3 -. A1 USNRC Technical Training Center

- .Westing~house"'Teehnology Advanced Manual , - Water Hammer at San Onofre TABLE 7.3-1

-Description of-Feedwater Pipe-Damage Following SONGS-1 Water

"- Hammer Support -Description of Component, Locations - Damage. Motion, Etc.

HOOC',- This snubber station, the closest to the SG B, showed no visible damage or HOOB - pipe movement. The feedwater pipe turns vertically, and at an angle, to rise HOOA approximately 10 feet to mate with the SG feedwater inlet nozzle.

HOOD - - . These support stations were the first that showed damage (or movement)

H005 'caused by water hammer. Dent in pipe that resulted when the pipe hit the H006 concrete comer and then rebounded.

HOOG Movement of approximately 12 inches, slippage of vertical support pads off

- channel beam structures and downward drop of FW pipe.

HOOH, Horizontal and vertical support pads displaced southward approximately 12 inches.

120 Evidence of first lateral motion (eastward); deformed vertical structure, and then axial rebounding which displaced pipe supports approximately 12 inches southward.

HOOK Damage incurred at the support structure downstream of the southeast elbow.

The damage incurred by the structure illustrates the magnitude of pipe motion which occurred during the water hammer pulse.

HOOL Lateral movement (westward) of pipe which resulted in sheared vertical support structure. Concrete and support plate damaged by water hammer, nuts were loosened and bolts were missing in wall plates.

HOOM Piping and support damage just downstream of where FW B line takes a 90 degree bend to exit the containment building.

_. . . . .... .. . ...... . . Rev 0196 USNRC Technical Iraining C.,enter

Water Hammer at San Onofre TABLE 7.3-2 Inspection Findings Valve Description As Found FWS-345 MFW Reg Check Disc separated from hifige arm, SGA disc stud broken (threaded portion).

FWS-346 MFW Reg Check Disc separated from hingearm, SG B disc stud deformed.

FWS-398 MFW Reg Check Disc nut loose. Disc partially SG C open. Disc caught inside of seat ring.

FWS-438 FWP Discharge Check Disc nut loose. Disc partially open. Disc caught inside of seat ring. (Figure 7.3-13)

FWS-439 FWP Discharge Check Disc nut loose. Disc partially open. Anti-rotation lug lodged under hinge arm.

USNR T chiclTrinn Cntr02

/ ...j - 1/- A*.*V UA31*

USNRC Technical Training Cente

0988 CONDENSATION SURI SI E t fl

a. Stop Valve Has Closed and Refill Starts -- W b

b. Cold Water Has Filled Bottom of Pipe AFW FEASW

c. Pipe is Nearly Full and Surface Waves Form SllU V=*

d. Slug Flow Conditions are Established I-.FW Figure 7.3-1 Filling of a Voided Feedwater Line 7.3-13

PHS OUkMO a2LN2 *015 C .0W WIU IS21U C .5W *1LW2 joalso, Solos

=S Sl

isita4d *gMoIst A OiW S1 a

I =i412

.,W3 s

-. 4,,

, -"S ,,

.pon Figure 7.3-2 San Onofre Electrical System 7.3-15

0988 II'11!a 2"=

N N I

2 I

2 S=

ia I

I' If II U

I U' IN$!

C 5

S I I

ii U

a Figure 7.3-3 Condensate System 7.3-17

0988 Figure 7.3-4 Main Feed System 7.3-19

0988 Figure 7.3-5 Auxiliary Feedwater System 7.3-21

-n CY (0

0 z

CD CD CD CO, OL m

-n 0

FWS IM3 0

(D co 01)

0988 La I

L.a E

I I

E Figure 7.3-7 SONGS-1 Loop B Steam Generator Flow Control Station 7.3-25

0988

=L rVlc Figure 7.3-8 SONGS-1 Auxiliary Feedwater System 7.3-27

0988 40 S

4 U 11 :

6 4%

Ira

/ ,.

\Z FLd i1i Fiur .39 WLop ipngad upot ayu 7.3-29

0988 2 3 I £

!=

BE I A' "IL /

I

/

-5

=/= /

IS S!'

ii i Figure 7.3-10 Overview of Feedwater Piping and Support Damage Due to Water Hammer 7.3-31

09BB VALVE SONNET BONNET STUD j

VALVE BODY Figure 7.3-11 Typical Swing Check Valve 7.3-33

0981 i ANTI-ROTATION BARS VALVE FWS- 346 AS ASSEMBLED WORN PIN HOLE PACTED PIN WORN THREADS VALVE FWS-34" AS FOUND Figure 7.3-12 Check Valve FWS-346 7.3-35

0988

.9 - VALVE FWS-438 AS ASSEMBLED S*~ROT*ATE:

VALVE FWS-438 AS FOUND Figure 7.3-13 Check Valve FWS-348 7.3-37

Westinghouse Technology Advanced Manual Section 7.4 Salem Load Reduction

Salem. Load Reduction W

vv

,._ h-..~nuc Tr.ýh~nnl Ad~vanced Manual Sae od euto TABLE ,OF CONTENTS 7.4 SALEM LOAD REDUCTION ........................................... 7.4-1

.7.4.1 Introduction ................... .......................... 7.4-1 7.4.2 Load Reduction ............................................ 7.4-1 7.4.2.1 Feedwater Heater and Moisture Separator Reheater Drain Tank Level Control System Failure ............................... 7.4-1 7.4.2.2 Urgent Failure of the Rod Control System ................... 7.4-1 7.4.2.3 Operation of the Steam Dump System ...................... 7.4-1 7.4.2.4 Main Steam Isolation Valves Knocked off Open Seats ........... 7.4-2 7.4.2.5 Stuck-Open Spray Valve .............................. 7.4-2 7.4.2.6 Stuck-Open Steam Generator Safety Valve .................. 7.4-2 7.4.3 Areas of Concern and Corrective Action Taken ....................... 7.4-2 7.4.3.1 Operation with Elevated Reactor Coolant System Temperature ..... 7.4-2 7.4.3.2 Loss of Feedwater Pump Suction Pressure .................. 7.4-3 7.4.3.3 Resetting of Steam Dumps ............................. 7.4-3 7.4.3.4 Operation with Stuck-Open Steam Generator Safety Valve ........ 7.4-3 7.4-3 7.4.4 Main Steam Isolation Valve Operation .............................

7.4.5 Summ ary ................................................ 7.4-3 7.4-4 7.4.6 References ...............................................

LIST OF TABLES

......... 7.4-5 7.4-1 Sequence of Events: Salem Unit 2 Load Reduction of January 14,1982 USNRC Technical Training Center I - -. ID AlWk 04 k

Westin'ghouse Technology Advanced Manual Salem Load Reduction Westinghouse Technology Advanced Manual Salem Load Reduction LIST OF FIGURES 7.4-1 Simplified Condensate and Feed System .............................. 7.4-7 7.4-2 Primary Parameters during Load Rejection ............................. 7.4-9 7.4-3 Plant Parameters during Load Rejection .............................. 7.4-11 7.4-4 Code Safety Valve ............................................ 7.4-13 7.4-5 Main Steam Isolation Valve ...................................... 7.4-15 USNRC Technical Training Center 7.4-ii Rev 0196

"-Westin-rhousi* 'Technology Advanced Manual -Salem Load -Reduction Westin2house Technolo2v AIvanced Manual Salem Load 'Reduction 7.4 SALEM LOAD .REDUCTION 'resulting transient, and the operator actions.

.,Refer to Figures 7.4-2 and 7.4-3 for graphs of "Learning Objectives: ' various parameters during the load reduction.

11. Briefly discuss the cause of the'load re duc- ,7.4.2.1 Feedwater Heater and Moisture tion at Salem. - - , -: '.,, ' Separator Reheater Drain Tank

-Level Control System Failure

2. Explain the validity of the decision to co ntin- - -- :'

ue operation with a stuck-open steam geinera- The initiating event was a failure of the level "t6isafety valve. ,control.system in the 21,feedwater heater and

- moisture, separator -reheater drain tank. This

3. Discuss the changes in plant procedlures failure resulted in a decrease in .-the suction

" which'resulted from this incident. pressure of the main feedwater pumps. When the temporary alarm was received, the operator

-' ' 7.4.1Intfroduction took action in accordance with the guidelines by' reducing turbine power (by reducing the turbine Salem Unit 2 is a four-loop Westingh ouse 'governor valve position limit setpoint using the "designplant. It is rated at 3411'MWt and 1158 control pushbutton) and by bypassing the con MWe. At thý time of the incident,,Januar y 14, densate polishing system.

- .I .I "

1982, the unit was operating at 97% re actor power with an electrical load of 1060 MWe. The 7.4.2.2 .,Urgent Failure of -the Rod

'condensate polishing system was in service and Control System .

steam generator feed pump suction pressureSwas 330-340 psig. .(Refer to Figure 7.4-1.) Upon the -reduction of secondary load, primary temperature started to increase. The Due to previous problems associated wilth the operator manually inserted control rods to reduce heater drain system and the main feedwater Ipump temperature. When he did, he received an urgent

'suction pressure, a temporary low su ction. failure in the power cabinet, which placed a hold pressure alarm was installed to give the opeirators, signal on all rods, including control bank D rods, a warning of a problem at 300 psig. 'The opera- - controlled by that power cabinet. Since bank D tors w~re'to take action accordifig to establ ished rods are the first to insert into the core, no rod guidelines 'for the low suction'pressure upon .motion other than a trip was available. The receiving the alarm. The feedwater p umps . operator took action to borate at 10 gpm to reduce o tripped if suction pressure reached 215 psig . Tavg in accordance with procedure.

7.4.2.3 Operation of,the Steam Dump 7.4.2 Load Reduction System

,ult The lbad reduction'transient was the res of . - - .. ..

five separate and unrelated failures in the plant. Due to the load decrease on the turbine, the There were two operator actions which wer e also steam dumps were armed. When Tavg increased tofive degrees above Tref, the steam dumps of importance. The following paragraph s will-Tavg. At this time, reactor provide'a brief discussion of the failure s, the- -opened to maintain AIdf

- - £vv ULYIJ USNRC Technical Training Center 1. 7.4-1 7 -* R~ev 019.6

Westin?-house Technology Advanced Manual Salem Load Reduction Westinghouse Technology Advanced Manual Salem Load Reduction power was approximately 89%, turbine load was izer level decrease associated with the dropping 21%,'and the flow to the steam dumps was 53% Tavg and the influence of the spray valves. When of total steam flow. Upon entering the control spray valve demand decreased to zero, only one room, the shift supervisor noticed the primary-to valve indicated shut. The operator took manual turbine load imbalance and ordered the operator control of the second valve and manually shut it.

to increase the turbine load., As turbine load was Pressurizer pressure decreased to a minimum of increased, the dump valves started to modulate 2050 psig. Heaters were used to restore pressure closed, and Tayg became steady. The operator to normal.

believed the plant to be in a stable condition and reset the steam dumps., When the dumps were 7.4.2.6 Stuck-Open Steam Generator reset, primary power was 84%, turbine load was Safety Valve 38%, and the flow to the steam dumps was 20%

of total steam flow (four dumps were full open, Steam pressure increased enough to open the and the other eight duimps- were modulated). steam generator safeties due to the increased Tavg Resetting the steam-dumps removed the loss-of mentioned in section 7.4.2.4. About one hour load arming signal, which caused all steam dump after the transient, the unit was stable except for valves to rapidly shut. Tavg peaked at 592°F, one steam generator safety valve which had stuck which resulted in an increase in pressurizer level open. Attempts were made to reseat the safety by from 54% to 78%, and an increase in pressurizer varying steam pressure. Lowering Tavg below pressure from 2200 psig to 2340 psig. The '.T ref to reduce steam pressure and cycling the pressurizer spray valves opened'to reduce prima atmospheric relief valve to further reduce steam ry pressure. pressure would not cause the safety valve to shut. The plant was kept at power while the 7.4.2.4 Main Steam Isolation Valves supervisors decided what action to take. It was Knocked 'off Open Seats finally decided to try to reseat the partially open safety valve. A visual check of the valve re The increase in primary Tavg which resulted vealed that the lifting disc associated with the from shutting the steam dumps caused an in manual lifting arm had rotated about two full crease in steam temperature and pressure on the turns down the valve stem and prevented the secondary side. This sudden increase in pressure valve from shutting (refer to Figure 7.4-4). The caused two main steam isolation valves (MSIVs) manual lifting arm was removed, and the valve to be knocked 'off their fully open seats. The shut. This action ended the transient.

operator immediately reopened the valves when he noticed the intermediate indication. Refer to 7.4.3 Areas of Concern and Corrective section 7.4.4 and Figure 7.4-5 for details con Action Taken cerning the MSIVs.

7.4.3.1 Operation with Elevated Reac 7.4.2.5 Stuck-Open Spray Valve tor Coolant System Tempera ture The combihed' effects of the increase in turbine'load and boration started to reduce Tavg. The cause of the rod control system urgent Pressurizer pressure dropped due to the pressur- failure was a failed firing card in the power 7.4-Z Rev 0196 USNRC Technical Center Training Center Technical Training 7.4-2 Rev 0196

-Salem Load Reduction WpC'tin husei~ Tpv-hnnloov Advanced Manual SlmLa euto cabinet. The rod control system responded 7.4.4 Main. Steam Isolation Valve Opera tion ,

properly to this failure in that rods were inhibited from moving. When temperature reached its peak of 592°F, the technical specification for Refer to Figure 7.4-5. The valves are 32 x maximum temperature for departure from nucle 24 x 32-in. Hopkinson parallel slide gate valves ate boiling considerations was exceeded. The with double discs. Each is operated by means of action taken was to borate and increase turbine an integral piston and cylinder, utilizing steam power to reduce temperature. Procedures were within the valve and piping. -The piston, attached modified to require a plant trip if the rod control ,to the valve stem, is at the lower.end of the cylinder when the valve is in the open position.

system fails and Tayg exceeds its technical specification limit. It has a small orifice to permit pressure equaliza tion in the open position. A vent line from the 7.4.3.2 Loss of Feedwater Pump Suc upper end of the cylinder branches to two dia tion Pressure phragm-operated dump valves, which are con nected in parallel to provide redundant control of the main valve.

The procedures for the loss of feedwater pump suction pressure were updated to provide Upon receipt of a closure signal, the dump more guidance to the operator. A second pro posed change was to replace the existing conden valves open and release steam from the upper side of the main valve piston, closing the valve.

sate pumps with pumps of higher head to provide The valve is designed to close within five sec better suction pressure to the main feedwater pumps. onds. The movement of the valve is damped at the upper end of its travel by a hydraulic cylinder Resetting of Steam Dumps and piston (snubber) mounted integrally on the 7.4.3.3 valve. The snubber incorporates an integral Procedures for the operation of the steam electric motor-operated hydraulic power unit, which permits remote manual operation of the dump system were not properly reviewed by the main valve at conventional speed.

onsite review committee. Operator training was scheduled to retrain the operators on the proper Each MSIV has detent mechanisms which operation of the steam dump system.

maintain the valve in the closed or open position, Operation with Stuck-Open yet permit operation when a sufficient differential 7.4.3.4 Steam Generator Safety Valve pressure across the steam piston is established (a minimum of 100 psi) or when the valve is operated hydraulically.

The decision to continue operation with a stuck-open steam generator safety valve was a 7.4.5 Summary valid decision. If the plant had been shut down, it would have cooled down in an uncontrollable This transient did not result in any safety manner, since a stuck-open safety valve consti concerns for the NRC. However, it does pro tutes a small, unisolable steam break.

vide a good example of how an operator can act either to solve or to compound a problem.

'I -3 4.4-.5, 'D njog USNRC Technical Training Center

I

..Westinghouse Technology Advanced Manual Salem Load Reduction Resetting the steam dumps caused the transient to last longer, and the decision to operate with the stuck-open steam generator safety valve prevent ed an unnecessary transient on the plant.

7.4.6 References

1. PSEG "Sequefice'of Events Report for Salem Unit 2 Load Reduction," January 14, 1982.

2. Resident inspector report on Salem load reduction.

3. NUREG/BR-0051, "Power Reactor Events,"

May 1984; Vol. 5, No. 6.,

4. NUREG/BR-0051, "Power Reactor Events,"

Sept. 1984, Vol. 6, No. 2.

i(CV UIYO USNRC Technical Center Training Center Technical Training 7.4-4 7.4-4 -' ' Rev Ul96

,- Salem Load Reduction Westin housep Tecthnoloov Advanc~ed Manual Sae od euto TABLE 7.4-1 Sequence of Events:

Salem Unit 2 Load Reduction of January 14, 1982 Time Event -

0104 Slight dip in heater drain pump flow on recorder chart.

0105 Heater drain tank high level alarm.

0106 Intermittent, then steady main feedwater pump low suction pressure alarm (300 psig).

Operator' initiated manual load reduction at EHC panel by intermittently reducing the governor valve position limit.

Bypassed condensate polishers.

Tried to manually insert rods, but received an immediate urgent failure alarm.

This prevented further rod motion in automatic or manual.

Commenced manual boration at 10 gpm.

0107 Low suction pressure alarm cleared when polishers were completely bypassed.

Turbine load reduction stopped at 450 MWe, continued to decrease to 230 MWe.

0108 High steam flow alarms due to steam dumps opening. Four steam dump

'valves were fully open and the remaining eight valves were modulating.

0109 Tavg decreasing from 582"F.

Main feedwater pump low suction pressure alarm (300 psig).

Shift Supervisor entered control room. Ordered turbine load increase to reduce Sprimary-to-secondary load mismatch.

0110 Low suction pressure alarm cleared.

0113 Began turbine load increase.

Steam dumps holding Tavg steady at 574"F.

- A P ' "' D..

- RY A1O OLU USNRC Technical Training Center - - e*v/ LLl

Wpcti*hnn*p Salem Load Reduction W-fitn house Technoloo- Advanc~ed- ManualSamLadRucin.-

TABLE 7.4-1 (CONTINUED) Sequence of Events:

Salem Unit 2 Load Reduction -of January 14, 1982 0117 Operator reset steam dumps. This removes the load rejection arming signal, and all dump valves shut.

MSIV open lights were out for 2 and 4 SGs. Operator tapped the open pushbutton, and the open lights come on.

0118 Primary pressure and Tavg peaked (2340 psig and 592"F). Sprays full open on pressurizer.

0120 Tavg decreasing. Steam generator safety valve lifted.

0123 Stopped boration at 98 gallons.

0135 Spray demand at zero. One spray valve did not indicate shut. Operator took valve to manual, tapped close, and light came on.

0138 Pressurizer pressure at minimum (2050 psig) and increasing. Heaters on.

Sprays shut.

0148 Safety valve still open.

0150 Pressurizer pressure control in automatic.

0210 Conditions stable at 46% power, 480 MWe. Safety valve still open.

0230 Cycled steam generator atmospheric relief valve 3 times to try to seat safety valve. Did not work.

0521 Removed manual operating handle from safety valve. Valve closed.

0730 Restored rod control.

Key ULYD 7.4-0 Rev 0196 USNRC Technical Training Center

0289 Containment Figure 7.4-1 Simplified Condensate and Feed System 7.4-7

PZR T PZR LVL avg PRESS 70 600 2400 60 590 2300 s0 580 2200 (0 40 570 2100 30 560 2000 to , N N N N C)

M C O a T- M a 0 0 0 0 0 o 0 0 0. 0 0 0 o, 0 0 0 0 TIME -- o 0

Figure 7.4-2 Primary Parameters During Load Rejection CO

MWe Pwr, Stm Flow 1000 107.

900 800 700 O00 500 50

-.4 400

-L

-L 300 200 100 0

W o 0 n M t- a 00 CI N0 N ,-

0 10 0 0 o 0 0 0 0 0 0 0 0 0 0 TIME --- O 0

N 0,

Figure 7.4-3 Plant Parameters During Load Rejection WD

"A TRAIN MOTOR HYDRAULIC CYLINDER 3PUMP & NORMALLY U PISTON DE-ENERGIZED AIR TO CLOSE t- VENT TO ATMOS.

MOTOR OPERATED SPEED 3-WAY VALVE VENT VALVE ClD REGULATOR 0 STEAM CYCLINDER C) STEAM PISTON NORMALLY IN MID-POSITION 01 "B" TRAIN 013 CO 0

'BA"IR SUPPLY HEADER 0

NORMALLY z DE-ENERGIZED AIR TO CLOSE VENT TO ATMOS.

VALVE DISCS MSIV NOTE: Schematic shown with the MSIV open, and all vent valves aligned for power operations.

a

0289 Figure 7.4-4 Code Safety Valve 7.4-13

Westinghouse Technology Advanced Manual Section 7.5 Sequoyah Incore Thimble Tube Ejection Event

Secuovah _Incore Thimble Tube Ejection Event Westinphouse Technololpv Advanced Manual SeuvbIceThmlTbeEetnEet TABLE OF CONTENTS 7.5 SEQUOYAH INCORE THIMBLE TUBE EJECTION EVENT ................. 7.5-1 7.5.1 Introduction .............................................. 7.5-1 7.5.2 Incore Neutron Monitoring System Description ....................... 7.5-1 7.5.2.1 Transfer Device Assemblies and Isolation Valves 7.5-2 7.5.2.2 Interconnecting Tubing Runs ............. 7.5-3 7.5.2.3 Detector and Drive Cable Assemblies ........ 7.5-3 7.5.2.4 Leak Detection System .................. 7.5-4 7.5.2.5 System Summary ..................... 7.5-4 7.5-4 7.5.3 Event Background ..........................................

7.5-5 7.5.4 Event Description ...........................................

7.5-7 7.5.5 Event Summary ............................................

7.5-7 7.5.6 Similar Event: Zion Unit 1, January 20,1984 ........................

7.5-7 7.5.7 Seal Table Leaks: Lessons Learned ...............................

LIST OF TABLES 7.5-1 Sequence of events ............................................ 7.5-9 LIST OF FIGURES Incore Instrumentation System .................................... 7.5-11 7.5-1 7.5-13 7.5-2 Typical Incore Drive Unit .......................................

7.5-15 7.5-3 Thimble Tube Cleaning Tool .....................................

7.5-17 7.5-4 Seal Table Design ............................................

7.5-19 7.5-5 Sequoyah Incore Instrument Room .................................

7.5-21 7.5-6 Ejected Thimble Tube D-12 ......................................

D . -". A,109 USNRC Technical Training Center 1.z-I VT

Westinphouse Technoloty Advanced Manual Sequoyah Incore Thimble Tube Ejection Event Westinhoue TechnoIov Advanced Manual Seauoyah Incore Thimble Tube Ejection Event 7.5 , SEQUOYAH INCORE THIMBLE tors required for power distribution measure TUBE EJECTION EVENT ments. The ejection of the D-12 thimble tube, which occurred during -the cleaning activity, "Learning Objectives: caused a significant RCS leak requiring a unit shutdown and cooldown. It also created an I. 'State the purpose of the incore instrumenta intense radiological hazard during the recovery tion system. due to radiation from the 12-ft portion of the thimble tube which had been activated by the

12. Briefly describe how the incore flux detector neutron flux in the core.

system is designed as part of the reactor coolant system (RCS) pressure boundary. This section reviews the design and functions of the incore neutron monitoring system. The

3. Describe the plant response to the ejected tube Sequoyah incore thimble tube ejection event is "event. described so that the consequences of the event, in terms of its effect on the plant and the hazards 4., Describe how the operators responded to the of the cleanup and recovery effort, can be exam event and what was required to stop the RCS ined.

leak.

7.5.2 Incore Neutron Monitoring System

-Description

5. Describe the radiological hazards created by the ejected thimble tube.,

The purpose of the incore neutron monitoring 7.5.1 Introduction system isto provide information on the neutron flux distribution at selected core locations. The Sequoyah Nuclear Plant is a -four-loop incore instrumentation system provides data Westinghouse plant located in eastern Tennessee. --acquisition only, and performs no operational The'plafit was designed and constructed and is plant control functions. The data obtained from operated'by the Tennessee Valley Authority the incore instrumentation system, in conjunction (TVA). Unit I received an operating license in with previously determined analytical informa tion, can be used to determine the three-dimen "February of, 1980. On April 19, 1984, incore instrument thimble D-12 of Unit 1 was forced out sional fission power distribution in the core at any time throughout core life.

of the reactor vessel into the incore instrument room in containment by RCS pressure. Unit 1 The incore neutron monitoring instrumenta was at 30% power, with maintenance in progress tion consists of-movable miniature incore flux for cleaning out the interior of the thimble tube.

detectors with sufficient sensitivity to permit The unit was recovering from a refueling outage measurement of localized,-potentially'significant at the time; and 'personnel were performing neutron flux distribution ,ariations Nfithin the restart testing while the maintenance work was.in reactor core. The movable nminiature fission progress. -Sequoyah,-as well as other Westing chamber detectors contain U 3 0 8 (uranium oxide) house plants, had experienced problems with enriched to greater than 90 percenit in U-235 to internal fouling of the incore thimble tubes provide exceptionally detailed flux mapping of Wlhich blocked insertion of the incore flux detec-

.. . -, I .... Re~vfl19Q USNRC Technical Training Center 1.'11 Rev 0196

We'stinghouse Technology Advanced Manual Sequoyah Incore Thimble Tube Ejection Event Westinghouse Technology Advanced Manual Sequoyah Incore Thimble Tube Ejection Event the reactor core. The fission chamber dimen moved aside when necessary for movement of sions'are 0.199 in. in 'diameter and 2.1 in. in the retractable detector thimbles.

length. A stainless steel detector shell encapsu lates each fission chamber. The stainless steel The drive units push the hollow helical-wrap shell is welded to the leading end'of a helical drive cables, with the miniature fission chamber wrap drive cable. As this drive cable is moved detectors attached, into the core. The helical by the drive unit, the attached incore flux detector wrap cables have small-diameter coaxial cables is positioned to the desired core or storage threaded through their hollow centers for trans location. mitting the current signals produced by the miniature fission chamber detectors.

Figure 7.5-1 shows the basic system for the insertion of the movable miniature fission cham The six detectors, a typical number for a ber detectors into'the core.' Retractable detector Westinghouse four-loop large megawatt unit, are thimbles, into which the miniature detectors are have designations A through F. During normal driven, are positioned as shown. operation each detector is used to measure the relative neutron flux in the detector thimbles Since these retractable detector thimbles are connected to the correspondingly lettered ten-path sealed at the leading (reactor) end, they are dry rotary transfer device; i.e., detector A is normally "inside. The thimbles thus serve as a pressure selected to a core path provided by the A ten-path barrier between the RCS' pressure (2500 psig transfer device. However, by manipulating the design) and the atmosphere. Mechanical high appropriate five-path transfer device, the operator pressure seals between the retractable thimbles can route each detector through several other "andthe conduits are provided at the'seal table. paths. Each detector can be sent into each path of Iýnstruimentation penetrations in the bottom of the the next sequentially lettered ten-path transfer reactor vessel, which are'essentially extensions device to serve as an operational spare detector of the reactor vessel, allow the insertion of the for those thimbles (i.e., the A detector can retractable detector thimbles. -Dhring normal substitute for the B detector, B for C, C for D, plant operation, these thimblek-are stationary. etc.). For detector normalization purposes, each The retractable detector thimbles are retracted detector can be routed separately into a common from the core only' during 'refueling or core calibration path; thus providing direct correlation maintenance periods, during Which the RCS is of the detectors. Each detector can also be routed depressurized. into any path associated with common ten-path transfer device C, or to a shielded area for The drive system for insertion of the minia storage.

ture fission chamber'detectois consists of drive units, limit switch ýssemblies, five-path rotary 7.5.2.1 Transfer Device Assemblies transfer devices, ten-path rotary transfer devices, and Isolation Valves "and is1ltion valves, as shown in Figure 7.5-2.

Thý drive units are'mounted permanently on a Five-Path Rotary Transfer Devices and platform, with the remaining components be Limit Switches tween the drive units and the seal table mounted o a movable support assembly, which can be 1. One five-path rotary transfer device is ev uio USNRC Technical Training Center "I Z - Rev 0196

Senuovah Incore Thimble Tube Ejection Event Westinghouse Technoloffi Advanced Manual SeovbnceThmlTueEctnEet provided with each drive unit for rou ting path transfer devices-send signals to the path the detector into one of the five poss ible display panel on the control console for verifica detector paths. The five-path tran sfer tion of proper core path.

device consists of an S-shaped Iube mounted in a rotating assembly. 'I[his Isolation Valve Assemblies assembly is bearing-mounted at each end and can be aligned with any one of *the Manually operated stainless-steel isolation five outlet paths. When an electirical valves (one for each thimble) are provided for signal is applied to change the dete ctor closing the retractable detector thimble runs after path, the S-shaped tube is moved to the removal of the detector and drive cable. When selected outlet path ,position. Cam- closed, the valve forms a 2500-psig barrier to actuated micro-switches send signalIs to prevent steam leakage from the core in the event the control console for feedback of path of a thimble rupture.

selection.

7.5.2.2 Interconnecting Tubing Runs

2. A °withdrawal limit switch, actuatecI by the detector, is provided near the ink et of Interconnecting tubing runs are supplied for each five-path transfer device. 7rhis connecting all components of the system from the switch prevents operation of the five path drive units to the seal table. The interconnecting rotary transfer device unless the deteSctor tubing runs between the isolation valves and the

-and cable are in the withdrawn posi,tion. seal table have design requirements of 2500 psig The switch also stops automatic vvith- and 650"F.

drawal when the detector reaches the withdrawal limit switch. 7.5.2.3 Detector and Drive Cable As semblies Wye Units The carbon-steel drive cables are 0.199 in. in Wye unit assemblies are mounted as reqiiired diameter with hollow cores and are helically to reduce the amount of interconnecting tu bing wrapped to permit meshing with the detector "betweenthe five-path and ten-path rotary tralnsfer drive wheel. A 0.040-in.-diameter coaxial cable assemblies. Wye units are also installed betN%veen is threaded through the 0.065-in. Inside diameter the five-path transfer devices and the calibrnation of the drive cable and terminates at the trailing path. end, with several feed of slack ending in a "Subminaxplug. The drive ,cables (when new)

Ten-Path Rotary Transfer Devices - are approximately 175 ft long. This length allows one or two subsequent cuts of 12-14 ft Each ten-path rotary transfer device is ca]pable each before they become too short for use. Such replacement of of routing a movable incore detector into ea ch of cuts may be required for factory ten selectable flux thimbles. Cam-actt Lated detectors onto existing drive cables.

microswitches send signals to the control coi for feedback of path selection. Detector-acti path indicator switches near the outlets of th, S.

. .. .. . '7 2* U-Rev 196 USNRC Technical Training C.enter 1 .0**,q Rev 0196

Westinghouse Technology Advanced&Manual c ASequoah Incore Thimble Tube Ejection Event 7.5.2.4 Leak Detection System provided core location. The information obtained is collected by the plant computer, which either The leak detection system consists of a liquid directly analyzes the data obtained or records it level-actuated switch and a 0.25-in. ac solenoid for analysis by more sophisticated computers operated drain valves. Each 10-path transfer offsite.

device enclosure is aligned to the plant drain system via the drain valve. The enclosures 7.5.3 Event Background facilitate drainage into the level switch.

Sequoyah Unit 1 had experienced plugged Water leaking from a transfer device enters incore detector thimble tubes periodically since the leak detection system and causs the level to before initial criticality. The problem had existed rise. The level switch' opens'the solenoid since initial system operability checks conducted operated valve, allowing the leaking water to in about 1978 or 1979. The reason for the drain and at the same time sending an alarm to the blockage had not been conclusively determined control cabinet. Where practical, the level switch by the TVA staff, but it was believed to be related and drain valve are permanently attached to the to dirt or excess lubricant contamination during transfer device enclosures. The drain line is system construction. The Unit 2 incore instru disconnected during refueling. ment'system had not experienced a similar frequency of tube blockage.

7.5.2.5 System Summary Maintenance on the Unit 1 thimble tubes had Miniature fission chamber detectors can be been extensive. Tube cleaning was conducted on remotely positioned withinin retractable guide all 58 tubes at least twice prior to initial criticality, thimbles to provide flux mapping of the core. on nine tubes during a September 1981 outage, Each detector is welded to the leading end of a on nine additional tubes during the cycle 2 helical-wrap drive cable and to a sheathed coaxial refueling outage, and on nine tubes (some were instrumentation cable. The retractable guide being cleaned for the second time) during the thimbles are closed at their leading ends, and cycle 3 refueling outage. Prior to the startup after serve as the pressure, boundary between RCS the latter outage, system testing revealed that 23 pressure and atmosphere. of 58 thimble tubes were blocked. Forty-four tubes are required to be operable to meet opera The drive assemblies are motor operated, bility and surveillance requirements for core flux with hobbed wheels engaging the helical drive mapping, but startup of the unit is permitted with cables, take-up reels and position encoders. The the system inoperable. Operability would have to five-path transfer devices are used to select the be demonstrated before surveillance testing and mode of operation (normal, calibrate, storage, low power physics testing could commence.

etc.). A five-path transfer device is provided for each detector/drive assembly. A ten-path transfer Unit 1 entered mode 1 on April 18, 1984, device is supplied for each detector/drive assem and reached 30% power on the same day.

bly and is used to route a detector into any one of Preparation was in progress to clean the blocked up to ten selectable paths. A "flux mapping" thimble tubes' Startup test procedures required consists of a moving detector scan of each that power be, held at 30% until equilibrium 7.5-4 Rev 0196 USNRC Training Center Technical Training USNRC Technical Center 7.5-4 Rev 0196

Westinghouse Technology -Advanced Manual Sequoyah- Incore Thimble Tube Ejection Event Westinahouse Technolo2y Advanced Manual Sequovah Incore Thimble Tube Ejection Event xenon conditions were reached so that flux device mounting platform was rolled out of the mapping could be conducted. This would way. The hand tool was then attached to the require about two days, and TVA management selected tube at the seal table, and the brush cable intended to have the thimble tubes cleaned during was driven into and retracted from the tube with a this period. -All previous cleaning had been done mechanical hand-crank device.

during .cold shutdown conditions, so additional.

planning and research was required to support 7.5.4 Event Description the work with-the RCS-at normal operating pressure and temperature. The plant engineering Tube cleaning commenced while the unit was supervisor had attended a presentation made by stabilizing at 30% power. After five thimble the staff of the Trojan Nuclear Plant several years tubes were cleaned, the job foreman was unsure earlier which covered dry brush cleaning of if the cleaning brush was being inserted to the blocked thimble tubes with the unit operating. ends of the ,tubes. The maintenance group The Trojan staff was apparently faced with the decided to insert the tool into an unblocked prospect of shutting -down the unit because of thimble tube to determine the number of turns of thimble tube blockage, so it undertook the. the hand crank required to completely insert the cleaning project to restore the minimum number brush. With the cleaning tool attached to the tube of detector paths to an operable status to allow at location D-12, the insertion began during the flux mapping and prevent a shutdown. evening of April 19. The cleaning brush had been inserted approximately 15 ft when the shift The TVA engineering staff obtained addition change took place. The second-shift cleaning al information from several other utilities which crew took over and began inserting the brush. At supported the Trojan information. It also con the 78th turn (one turn = 10 in.), the tool handler tacted a vendor which provided thimble tube noted that more pressure was required to turn the cleaning services, but the vendor used a wet crank. During the 79th turn, when the brush was brushing method which could not be used, about 80 ft into the tube, the personnel perform because the high RCS temperatures would cause ing the work noticed water starting to leak out of the flushing water to flash to steam. The incore the high pressure fitting (see Figure 7.5-4) at the monitoring system vendor was contacted; it* seal table. The cleaning crew immediately indicated that it knew of no restrictions or engi evacuated the incore instrument room, noting that neering reasons why the tubes could not be dry, -,the thimble tube was being forced out of the seal brushed during operation at power. table and that water and steam were spraying into the room. At about 9:00 p.m., the crew foreman Based on the information obtained, plant attempted to contact the control room but was management directed the tube cleaning to be done unable to use the telephone in the personnel air with a special tool (see Figure 7.5-3). The tool lock because of a maintenance problem.

consisted of a cable similar to an incore flux

- detector cable with a brush attached to the end of In the control room, the pressurizer level the cable. In order to access the thimble tubes," --indication was decreasing, and -the operators mechanical joints (referred to as low pressure responded by increasing charging flow from 85 seals) in the tubes were disconnected at the seal to 130 gpm. This action stopped the pressurizer table in containment, and the 10-path transfer level decrease, and the level began to increase.

- - (ttflt

- ziev

- uiyo Rev U0196 USNRC Technical Training Center

. Westinghouse Technology Advanced Manual Sequoyah-Incore Thimble Tube Ejection Event Westinghouse Technology Advanced Manual Sequoyah Incore Thimble Tube Ejection Event This indicated that the leak rate was less than the 300 rem/hr at the end of the tube closest to the 45-gpm increase in charging flow. Later esti seal table, and greater than 1000 rem/hr at the mates showed the leak rate to be approximately center of the ejected tube (see Figures 7.5-5 and 30 gpm. 7.5-6). Pictures were taken to aid in later recov ery planning.- Later, a second entry was made to After frisking out of the contaminated area, take additional pictures. Two individuals were in the foreman went-to the control room and notified the area for only seven minutes and received the shift engineer of what had taken place. Table doses of 1.966 and 1.939 rem.

7.5-1 is a chronology of the event.

Once the unit was placed in cold shutdown A power reduction of one percent/min was (mode 5) and depressurized with the vessel water initiated, and the radiological emergency proce level below the' elevation of the seal table, the dure for an RCS leak rate greater than 10 gpm event was over from an operational standpoint.

was initiated. With steam generator level control An engineered safety features actuation had been in manual at 12% power, the unit tripped on low unnecessary because the rate of inventory loss low level in steam generator 1.. The NRC was from the RCS was small enough to be'overcome notified of the event. During the event, an ice with normal charging flow. Some infstrumenta condenser ice bed temperature recorder, an area tion located in the incore instrument room was radiation monitor, a particulate radiation monitor, lost during the event, apparently due to the high two pressurizer level transmitters, two pressuriz temperatures and humidity. The loss of the er pressure transmitters, and six non-qualified instrumentation was of no consequence during instruments failed, apparently due to high tem the event, but the condition and environmental perature and high humidity in the incore instru qualification of the equipment had to be evaluated ment room. as part of the recovery effort.

On April 20, Unit I entered mode 5, and Because of the extremely hazardous radiation depressurization of the RCS Was initiated. On levels caused by the ejected thimble tube (high

-April 21, the reactor vessel level was lowered to range radiation detection equipment later showed an elevation of 701 ft. Since the elevation of the the actual level to be up to 4000 rem/hr at the end seal table was 702 ft., the only leakage would be of the tube), it was immediately concluded that "dut to the nitrogen c6ver gas in the pressurizer. the recovery had to be well planned and executed Later calculations indicated that about 16,000 gal to ensure that the risk to personnel would be of water were lost from the RCS during this minimized. After evaluating several alternatives, event. TVA decided to cut off the end of the thimble tube that was activated and move it to a location At approximately 9:00 a.m. on April 21, the in the containment 'where it could be cut into first post-event entry was made into the incore pieces by a remotely controlled robot and placed instrument room.' Personnel ieported that the in a shielded container. Once this was accom thimble tube was completely ejected from the plished, the cleanup and recovery of the incore conduit and twisted throughout the room. instrument room could proceed with minimal Radiation surveys indicated levels of two to three radiation exposure to personnel.

rem/hr at the entrance to the seal table area, 200-7.5-6 Rev 0196

'USNRC Technical Training Center USNRC Technical Center 7.5-6 Rey 0196

Westinghouse Technologv, Advanced Manual Sequoyah,Incore Thimble Tube Ejection Event Westinbouse TechnoIoy. Advanced Manual Sequoyah Incore Thimble Tube Ejection Event 7.5.5 Event Summary pressure was reduced to 1000 psig. These efforts reduced but did not stop the-leak. The Subsequent analysis by TVA indicated that system pressure and temperature were reduced to the failure of the high pressure seal (high pres S400 psig and 370'F, and another attempt to repair sure Swagelok/Gyrolok fitting) that allowed the the leak was made. The -repairmen noticed a RCS pressure to eject the D-12 thimble tube was slight bowing between the high pressure-seal and caused by the dry brush cleaning tool. The the thimble isolation valve. It was believed that cleaning tool had been modified from the original this bowing caused the Swagelok fitting to be vendor design with the addition of a rigid base, improperly seated, thus causing the leak. To which caused excessive force from operation of correct the problem, -two bolts holding the the hand crank to be transmitted to the tube and isolation valve to the valve bracket were removed fitting. Repeated stressing of the fitting eventual to allow straightening of the thimble tube.

ly caused it to fail. Subsequent review of the However, the two bolts and bracket were the event by a TVA safety review group and by the ,primary support devices holding the fitting in NRC showed that though the event was not place. When they. were removed, ifie fitting necessarily significant from an operational broke loose, causing an.,unisolable reactor standpoint, it revealed significant breakdowns in coolant leak of approximately, 10 gpm in contain administrative controls in maintenance and ment. The area was immediately evacuated.

procedural areas. The NRC issued Information Later, upon examination of the fittings, it was Notice 84-55: "Seal Table Leaks at PWRs," found that the ferrules of all but seven of the which described the event and a similar event at thimbles had moved 1/32 to 3/8 in. up from their Zion Generating Station Unit 1, and strongly original positions toward the edges of the con recommended that all seal table maintenance take duits.

place only during cold shutdown conditions.

Enforcement action was later taken against TVA A review of the procedure for assembly of because of the breakdowns that led to the occur -the high pressure and low pressure seals within rence of the ejected thimble tube. the Swagelok fittings revealed that the low pressure fittings could pull up the ferrules, 7.5.6 Similar Event: Zion Unit 1, Janu causing -improper fitting of the high pressure ary 20, 1984 seals. This is believed to explain the initial leak.

Overtorquing of the fittings during the initial On January 20, 1984, a reactor coolant leak attempt to correct the leak probably overstressed was observed in the seal table room at Zion ,the ferrule and allowed it to break loose when the Generating Station Unit 1 (reported by LER 50 Srestraint was removed.. ..

29511984-005). The unit was in hot shutdown with a plant heatup in progress. The RCS 7.5.7 Seal Table Leaks:, Lessons temperature and pressure were 445"F and 2235 .Learned psig, respectively. Inspection of the seal table by plant personnel revealed that a leak was located Even though the Sequoyah and Zion inci at a point where the high pressure seal mates to dents appear to have been caused by different the conduit for incore thimble E-1 1. An attempt circumstances, both events point out the need for to repair the leak was made when the system adequate controls and precautions to ensure

- - -- - - - -- - ~-. - - Z~XY ~

1JL7 "USNRC Technical Training Center- - 7'.z - I Rev

ýWestinghouse Technology Advanced' Manual Sequoyah Incore Thimble Tube Ejection Event Westinghouse Technology Advanced Manual Sequoyah Incore Thimble Tube Ejection Event personnel and plant safety while during mainte nance on high pressure systems, especially activities involving the seal table. Each event occurred with the reactor at elevated temperatures and pressures, and, in'the case of Sequoyah, the plant was at 30% reactor power. In both cases maintenance was conducted on a high pressure system with what was equivalent to single-valve protection. For both plant and personnel safety considerations, maintenance should not normally be performed on high 'pressure systems with the RCS at high pressures and temperatures and with only single-valve protecti6n. To preclude the types of events describeed, in this section from occurring, every effo't should be made to sched ule seal table maintenance during cold shutdown conditions. Also, the need for maintenance of any system under hot, pressurized conditions should be thoroughly evaluated before personnel are alloied to perform the wýork. Licensees were urged to review their maintenance procedures to ensure that maintenance under these conditions is minimized.

No one was injured during the Sequoyah and Zion events, and the operators brought the plants to a cold shutdown condition without undue problems. However, both of these events caused problems associated with theidiological cleanup efforts. In th6 case of Seqiibyah, a highly radioactive component was ejected from the core.

This required that extra6rdinary -measures be taken'during the decontamination of the room.

Increased personnel exp~osure and downtime of the plant due to the cleanup and repair efforts provide'additiohal incentives for precautions against maintenance under iimilar conditions.

"USNRC Technical Training Center 7. 5-8 Rev 0196

Westinahouse Techno.. v Advanced Manual Senuovah Incore Thimble Tube Ejection Event TABLE 7.5-1 Sequence of Events April 19, 1984 2110 Pressurizer level was decreasing and charging flow was increased by 45 gpm (from 85 gpm to 130 gpm).

2116 Pressurizer level stopped decreasing, indicating that the leak rate was less than 45 gpm (later estimates showed leakage to be approximately 30 gpm).

2117 Reactor power reduction began at 1%/min 2120 Radiological Emergency Plan initiated 2125 Reactor power at 18% (Tavg at 525"F and pressure at 2235 psig) 2133 Unit tripped on low-low level in steam generator 1 (feedwater control in manual) 2152 NRC notified of event as required by 10 CFR 50.72 2205 Controlled cooldown and depressurization of plant begun (Tavg at 500"F and pressure at 1900 psig)

April 20. 1984 0932 Unit entered mode 5 and depressurization of RCS initiated 1114 RCS pressure at 250 psig - leak rate estimated to be 18 gpm 1400 RCS pressure at 40 psig - leak rate estimated to be 5.4 gpm April 21. 1984 0715 Vessel water level lowered to about 1 foot below elevation of seal table (only leakage was due to N2 blanket in the pressurizer). Total leakage later estimated to be 16,000 gallons.

In ID, Al of

/ .a- VýK; T k I.

USNRC Technical Training Center

0199-3 "THIMBLE GUIDE TUBE WELD UNION Figure 7.5-1 In-Core Instrumentation

0199-3

-STORAGE REEL HELICAL WRAP DRIVE CABLE

-DRIVE WHEEL 5-PATH ROTARY TRANSFER "INTERCONNECTING TUBING WYE UNIT ISOLATION VALVE HIGH PRESSURE SEAL SEAL TABLE "MINIATURE NEUTRON DETECTION Figure 7.5-2 Drive System for In-Core Instrumentation

('bIb LOW PRESSURE SEAL r//////,,o HIGH PRESSURE S Figure 7.5-3 Thimble Tube Cleaning Tool 7.5-15

LOW PRESSURE SEAL THIMBLE TUBE HIGH PRESSURE SEAL s -- FULL RCS PRESSURE THIMBLE GUIDE 1,11 III lIl Eli I:

Fm S7~ SEAL TABILE

'II Figure 7.5-4 Seal Table Design 7.5-17

'1 CD

-4 a;...,

CiD CD

-.4

0 (D

0 0

CD

iTi i I

I i i I

I LLLLL*

i

i - r

_! I i 4IN -I

-I _

4-__ -!14

-.it II I -

1 it71 II I ' ° ' I I I I I

I I I .* - j I 'i

.1 I I'I i . " \

I I

, S..

1 t

- i. I

!',*. E1T F7I TPT+/-

I

, ) '

I -; I I i i*,i at I I I I ~ ~- I

i

' i i I I ! .

Figure 7.5-6 Ejected Thimble Tube D-12 7.5-21

ML023030334

Contents

Text

SUBJECT:

Dear Mr. Cross:

Enclosures:

SUMMARY

SUMMARY

SUMMARY

Navigation menu

ML023030334

Text

SUBJECT:

Dear Mr. Cross:

Enclosures:

SUMMARY

SUMMARY

SUMMARY

Navigation menu

Search