ML17262A613

From kanterella
Jump to navigation Jump to search
Auxiliary Feedwater System RISK-BASED Inspection Guide for the Ginna Nuclear Power Plant
ML17262A613
Person / Time
Site: Ginna Constellation icon.png
Issue date: 09/30/1991
From: Gore B, Moffitt N, Pugh R, Vo T
Battelle Memorial Institute, PACIFIC NORTHWEST NATION
To:
Office of Nuclear Reactor Regulation
References
CON-FIN-L-1310 NUREG-CR-5764, PNL-7594, NUDOCS 9110100253
Download: ML17262A613 (35)
v  d  e


Text

NVREG/CR-5764 PNI 7594 93OQy Auxiliaxy Feedwater System Risk-Based Inspection Guide for the Ginna Nuclear Power Plant Prepared by R. Pugh, B. F. Gore, T. V. Vo, N. E. Moffitt Pacific Northwest Laboratory Operated by Battelle Memorial Institute Prepared for U.S. Nuclear Regulatory Commission 9iiOi00253 910930 PDR ADOCK 05000244 8 PDR

AVAILABILITY NOTICE Availability of Reference Materials CIted In NRC Publications Most documents cited In NRC publications will be available from ono of the following sources:

1. The NRC Public Document Room. 2120 L Street, NW., Lower Level Washington, DC 20555

~

2. The Superintendent of Documents, U.S. Government Printing ONce. P.O. Box 37082, Washington, DC 20013-7082
3. The National Technical Information Servlc'e, Springfield, VA 22161 Although the listing that follows represents the maJority of documents cited ln NRC pubHcatlons, It is not intended to bo exhaustive. r Referenced documents available for Inspoctlon and copying for a fee from the NRC Public Document Room Include NRC correspondence and Internal NRC memoranda; NRC bulletins, clrculars, information notices, Inspection and Investigation notices; licensee event reports; vendor reports and correspondence; Commis-sion papers; and applicant and licensee documents and correspondence.

The following documents In the NUREG series are available for purchase from the GPO Sales Program:

formal NRC staff and contractor reports, NRC-sponsored conference proceedings, International agreement reports, grant publications, and NRC booklets and brochures. Also available are regulatory guides, NRC regulations In the Code ol Federal Regulations, and Nuclear Regulatory Commission lssuances.

Documents available from the National Technical Information Service include NUREG-series reports and technical reports prepared by other Federal agencies and reports prepared by the Atomic Energy Comrnis-slon, forerunner agency to the Nuclear Regulatory Commission.

Documents avallablo from public and special technical libraries include all open literature items, such as books, Journal articles, and transactions. Federal Register notices, Federal and State legislation, and con-gressional reports can usually be obtained from these libraries.

Documents such as theses, dlssertations, foreign reports and translations, and non-NRC conference pro-ceedings aro available for purchase from the organization sponsoring the publication cited.

Single copies of NRC draft reports are availablo free, to tho extent of supply, upon written request to the Office of Administration, Distribution and Mall Services Section, U.S. Nuclear Regulatory Commission, Washington, DC 20555.

Copies of Industry codes and standards used In a substantive manner In the NRC regulatory process are maintained at the NRC Library, 7920 Norfolk Avenue, Bethesda. Maryland, for use by the public. Codes and standards are usually copyrighted and may be purchased from the originating organization or, If they are American National Standards, from tho American National Standards Institute, 1430 Broadway, New York, 'Y 10018.

DISCLAIMER NOTICE This report was prepared as an account of work sponsored by an agency of the United'States Government.

Neither the United States Government nor any agency thereof, or any of their employees, makes any warranty, expressed or implied, or assumes any legal liabilityof responsibility for any third party's use, or the results of such use, of any information, apparatus, product or process disclosed in this report, or represents that its use by such third party would not infringe privately owned rights.

NUREG/CR 5764 PNL-7594 Auxiliary Feedwater System Risk-Based Inspection Guide for the Ginna Nuclear Power Plant Manuscript Completed: August 1991 Date Published: September 1991 Prepared by R. Pugh, B. F. Gore, T. V. Vo, N. E. Moffitt Pacific Northwest Laboratory Richland, WA 99352 Prepared for Division of Radiation Protection and Emergency Preparedness Office of Nuclear Reactor Regulation U.S. Nuclear Regulatory Commission Washington, DC 20555 NRC FIN L1310

SUMMARY

This document presents a compilation of auxiliary feedwater (AFW) system failure information which has been screened for risk significance in terms of failure frequency and degradation of system performance. It is a risk-prioritized listing of failure events and their causes that are significant enough to warrant consideration in inspection planning at Ginna Nuclear Power Plant. This information is presented to provide inspectors increased resources for inspection planning at Ginna.

The risk importance of various component failure modes was identified by analysis of the results of probabilistic risk assessments (PRAs) for many presssurized water reactors (PWRs). Howevser, the component failure categories identified in PRAs are rather broad, because the failure data used in the PRAs is an aggregate of many individual failures having a variety of root causes. In order to help inspectors to focus on specific aspects of componenet operation, maintenance and design which might cause these failures, an extensive review of component failure information was performed to identify the rank and root causes of these component failures. Both Ginna and industry-wide failure information was analyzed. Failure causes were sorted on the basis of frequency of occurrence and seriousness of consequence, and categorized as common cause failures, human errors, design problems, or component failures.

This information is presented in the body of this document. Section 3.0 provides brief descriptions of these risk-important failure causes, and Section 5.0 presents more extensive discussions, with specific examples and references. The entries in the two sections are cross-referenced. An abbreviated system walkdown table is presented in Section 3.2 which includes only components identified as risk important. This table lists the system lineup for normal, standby system operation.

This information permits an inspector to concentrate on components important to the prevention of core damange. However, it is important to note that inspections should not foucs exclusively on these components. Other components which perform essential functions, but which are not included because of high reliability or redundancy, must also be addressed to ensure that degradation does not increase their failure probabilities, and hence their risk importances.

CONTENTS S UHHARY............................... . ................................ )ii

1.0 INTRODUCTION

t ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

t' o ~ ~ o ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ 1 2.0 GINNA AFW SYSTEM.................................................... 2 2.1 AFW SYSTEM DESCRIPTION........................................ 2 2.2 STANDBY AFW SYSTEM DESCRIPTION........................... 4 2.3 SUCCESS CRITERION....... .. . . ............................ 4 2.4 SYSTEM DEPENDENCIES........... . . ............................ 4 2.5 OPERATIONAL CONSTRAINTS.................................... 4 3.0 INSPECTION GUIDANCE FOR THE GINNA AFW SYSTEM........................ 6

3. 1 RISK IMPORTANT AFW COMPONENTS AND FAILURE MODES................ 6
3. 1. 1 Multiple Pump Failures Due to Common Cause.............. 6
3. 1.2 Turbine Driven Pump PFW04 Fails to Start or Run......... 7
3. 1.3 Motor Driven Pump PFW02A or PFW02B Fails to Start or Run.................................................. 8
3. 1.4 Pump PFW02A, PFW02B, or PFW04 Unavailable Due to Maintenance or Surveillance.... . . .. ............. 8
3. 1.5 Motor Operated Flow Control Valves - 3996, 4007, or 4008 F 'il Closedo ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ 8
3. 1.6 Manual Suction or Discharge Valves Fail Closed.......... 9
3. 1.7 Air Operated Flow Control Valves Fail Closed............ 9
3. 1.8 Leakage of Hot Feedwater Through Check Valves........... 10 3.2 RISK IMPORTANT AFW SYSTEM WALKDOWN TABLE....................... 10 4.0 GENERIC RISK INSIGHTS FROM PRAs.................................... 15 4.1 RISK IMPORTANT ACCIDENT SEQUENCES INVOLVING AFW SYSTEM FAILURE............. ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ 0 ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ 15 4.2 RISK IMPORTANT COMPONENT FAILURE MODES ...................... 16

CONTENTS (Continued) 5.0 FAILURE MODES'ETERMINED FROM OPERATING EXPERIENCE......... 17 5.1 GINNA EXPERIENCE... ~ ~ ~ ~ ~ ~ t o ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ 17 5.2 INDUSTRY WIDE EXPERIENCE......................... ~ ~ ~ ~ ~ ~ 18 5.2. 1 Common Cause Failures................................... 18 5 .2.2 Human Errors............................................ 21 5.2.3 Design/Engineering Problems and Errors................ 21 5.2.4 Component Failures...................................... 23 R EFERENCES ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ o ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ o t ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ o 26

I.0 INTRODUCTION This document is the eighth of a series providing plant-specific inspection guidance for auxiliary feedwater (AFW) systems at pressurized water reactors (PWRs). This guidance is based on information from probabilistic risk assessments (PRAs) for similar PWRs, industry-wide operating experience with AFW systems, plant-specific AFW system descriptions, and plant-specific operating experience. It is not a detailed inspection plan, but rather a compilation of AFW system failure information which has been screened for risk significance in terms of failure frequency and degradation of system performance. The result is a risk-prioritized listing of failure events and their causes that are significant enough to warrant consideration in inspection 'planning at Ginna.

This inspection guidance is presented in Section 3.0, following a description of the Ginna AFW system in Section 2.0. Section 3.0 identifies the risk important system components by Ginna identification number, followed by brief descriptions of each of the various fa'ilure causes of that component.

These include specific human errors, design deficiencies, and hardware failures. The discussions also identify where common cause failures have affected multiple, redundant components. These brief discussions identify specific aspects of system or component design, operation, maintenance, or testing for inspection by observation, records review, training observation, procedures review, or by observation of the implementation of procedures. An AFW system walkdown table identifying risk important components and their lineup for normal, standby system operation is also provided.

The remainder of the document describes and discusses the information used in compiling this inspection guidance. Section 4.0 describes the risk importance information which has been derived from PRAs and its sources. As review of that section will show, the failure categories identified in PRAs are rather broad (e.g., pump fails to start or run, valve fails closed).

Section 5.0 addresses the specific failure causes which have been combined under these categories.

AFW system operating history was studied to identify the various specific failures which have been aggregated into the PRA failure mode categories. Section 5. 1 presents a summary of Ginna failure information, and Section 5.2 presents a review of industry-wide failure information. The industry-wide information was compiled from a variety of NRC sources, including AEOD analyses and reports, information notices, inspection and enforcement bulletins, and generic letters, and from a variety of INPO reports as well. Some Licensee Event Reports and NPRDS event descriptions were also reviewed individually. Finally, information was included from reports of NRC-sponsored studies of the effects of plant aging, which include quantitative analyses of reported AFW system failures. This industry-wide information was then combined with the plant-specific failure information to identify the various root causes of the PRA failure categories, which are identified in Section 3.0.

2.0 GINNA AFW SYSTEH This section presents an overview description of the Ginna AFW system, including a simplified schematic system diagram. In addition, the system success criterion, system dependencies, and administrative operational constraints are also presented.

2.1 AFW SYSTEH DESCRIPTION The AFW system provides feedwater to the steam generators (SG) to allow secondary-side heat removal from the primary system when main feedwater is unavailable. The system is capable of functioning for extended periods, which allows time to restore main feedwater flow or to proceed with an orderly cooldown of the plant to where the residual heat removal (RHR) system can remove decay heat. A simplified schematic diagram of the AFW system is shown in Figure 2. 1.

The system is capable of supplying water at a pressure equal to or greater than the lowest main steam safety valve setpoint (plus error accumulation - 1085 psig) within one minute after an automatic start signal is received. All three pumps start on receipt of a steam generator low-low level signal. (The motor driven pumps start on low-low level in one SG, whereas, low-low level signals from both S/Gs are required for a turbine driven pump start.) Both motor driven (HD) pumps start on a trip of both HFW pumps, a safety injection signal or an ATWS Hitigation System Actuation Circuit (AHSAC) actuation. The single turbine driven (TD) pump starts on undervoltage on both 4160 V buses or an AHSAC actuation.

The normal AFW pump suction is from two cross connected 30,000 gallon capacity condensate storage tanks (CSTs). Each pump draws from a common header through a locked-open isolation valve and a check valve. Power, control, and instrumentation associated with each motor-driven pump are independent from one another. Steam for the turbine driven pump is supplied by either or both steam generators lA or 1B from a point upstream of the main steam isolation valves, through valve 3652. Each AFW pump is equipped with a recirculation flow system, which prevents pump deadheading.

Each auxiliary feedwater pump discharge is provided, with a check valve.

This is followed by two flow control valves in parallel (an open HOV and a closed pneumatic valve ), a second check valve, and a manual isolation valve.

Each motor-driven pump normally supplies feedwater to only one steam generator, but the headers may be cross-connected. The turbine-driven pump normally supplies both steam generators through an open HOV, a check valve, and in each train, a manual valve, a pneumatic flow control valve, a second manual valve, a check valve and a manual isolation valve.

The CSTs are the normal source of water for the AFW System and are required to store sufficient demineralized water to remove decay heat from the reactor for 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> after a reactor scram from full power. AFW suction may also be switched manually to the Station Service Water (SWS) system using alternative suction valves. Because the CST is not seismically qualified, the

FHOtl STATION SEHUICE WATEH 4028 4082 4304 4027 C 8 T C 8 T 4344 4060A 4081 7 4 74 4310 N 1R 1B 4358 4345 4071 4070 A FHP N N 1B 4009 AF P 1A 4018 4481 401S 4291 4080 AFllP 4 4068 401 1 4005 4098 8 J'0 4360 Sgg 1B 1A 4013 8708B 8706A STAT IO 4359 4001 39SS SEHVICE HATEH GOU 3504A 4297 4288 8702A 8518E 3504 3SSS TST 3652 8702B FHOtl 3505 SEHVICE 8704B 4015 STEAN lJA TEA 8703A N 8704A 3505A FHOtl PUNPS N SIOs 4818 9710B 8 10A STANDBY 97018 8702D 8702C A FLIP TANDBY 8701A ~ tC 0 ~

AFWP

~ Do ~

8703B 9629A N

96298 GINNA 97078 AFll AUX FEED ANQ TEST TANK STANDBY AUX FEED FIG. 2.1

seismic Class I SWS is the suction source used by the safety anaylsis to satisfy the General Design Criterion 2.

2.2 STANDBY AFW SYSTEM DESCRIPTION Because all three trains of the AFW system are vulnerable to a high energy pipe break, a Standby AFW system has been provided, also. It provides a reliable means of residual heat removal in the event that all other sources of feedwater are lost. A simplified schematic diagram of the Standby AFW system is also shown in Figure 2.1.

The system consists of two motor-driven pumps with either pump capable of supplying sufficient feedwater to cool the Reactor Coolant System to the temperature at which the Residual Heat Removal (RHR) System can be utilized for heat removal. Each pump takes suction from its respective service water loop and feeds one steam generator. Cross-connecting the system is possible; however, the trains are usually operated independently and supplied by separate ESF buses. A backup suction supply is available from the fire (city) water system. Previously, this supply required manual connection with fire hoses. Permanent piped connections are currently (June 1991) being installed.

The standby system does not start automatically, but is started and operated manually from the main control room. In the event that an AFW pipe breaks outside containment, or all means of feedwater supply are lost, the operator would be alerted by existing control room indication. The operator would manually remove the affected AFW pump from the bus and place the standby pump into operation on the same bus. Flow is controlled by throttling the discharge valve. For operational tests, manually operated valves in the supply line from the standby auxiliary condensate test tank must be opened and adequate tank level verified, before starting either pump.

2.3 SUCCESS CRITERION System success requires the operation of at least one pump supplying rated =

flow to at least one of the two steam generators.

2.4 SYSTEM DEPENDENCIES The AFW system depends on AC power for motor-driven pumps and level control valves, DC power for control power to pumps and valves, and an automatic actuation signal. An adequate air supply is required for the operation of certain bypass and flow control valves. The turbine-driven pump also requires steam availability.

2.5 OPERATIONAL CONSTRAINTS When the reactor is critical the Ginna Technical Specifications Action Statements require the plant to be shutdown for any of the following inoperability/duration conditions:

~ Inoperability of one MDAFW pump or one flowpath from the TDAFW pump to a steam generator exceeding 7 days,

~ Inoperability of the TDAFW pump or the flow paths from the TDAFW pump to both steam generators exceeding 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />,

~ Inoperability of two AFW pumps exceeding 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />,

~ Inoperability of one standby AFW pump or flowpath exceeding 14 days,

~ Inoperability of both standby AFW pumps exceeding 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />.

In each case when shutdown is required, the plant must be in Hot Shutdown within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and average RCS temperature reduced to below 350 degrees within the following 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />.

The Ginna Technical Specifications require a minimum combined volume of 22,500 gallons of water to be stored in the CSTs. If CST inventory is less than 22,500 for more than four hours, the operability of the service water system as a backup AFW supply must be demonstrated or the plant must be in hot shutdown within the following 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />.

3.0 INSPECTION GUIDANCE FOR THE GINNA AFW SYSTEM In this section the risk important components of the Ginna AFW system are identified, and the important modes by which they are likely to fail are briefly described. These failure modes include specific human errors, design problems, and types of hardware failures which have been observed to occur for these types of components, both at Ginna and at PWRs throughout the nuclear industry. The discussions also identify where common cause failures have affected multiple, redundant components. These brief discussions identify specific aspects of system or component design, operation, maintenance, or testing for observation, records review, training observation, procedures review or by observation of the implementation of procedures.

Table 3. 1 is an abbreviated AFW system walkdown table which identifies risk important components. This table lists the system lineup for normal, standby system operation. Inspection of the components identified addresses essentially all of the risk associated with AFW system operation.

3. 1 RISK IMPORTANT AFW COMPONENTS AND FAILURE MODES Common cause failures of multiple pumps are the most risk-important failure modes of AFW system components. These are followed in importance by single pump failures, level control valve failures, and individual check valve backleakage failures.

The following sections address each of these failure modes, in decreasing order of importance. They present the important root causes of these component failure modes which have been distilled from historical records.

Each item is keyed to discussions in Section 5.2 which present additional information on historical events.

3. 1. 1 Multi le Pum Failures Due to Common Cause The following listing summarizes the most important multiple-pump failure modes identified in Section 5.2. 1, Common Cause Failures, and each item is keyed to entries in that section..

Incorrect operator intervention into automatic system functioning, including improper manual starting and sec'uring of pumps, has caused failure of all pumps, including overspeed trip on startup, and inability to restart prematurely secured pumps. CCl.

Valve mispositioning has caused failure of all pumps. Pump suction, steam supply, and instrument isolation valves have been involved. CC2.

Steam binding has caused failure of multiple pumps. This resulted from leakage of hot feedwater past check valves into a common discharge header, with several valves involved including a motor-operated discharge valve. (See item 7 below.) CC10. Multiple-pump steam

binding has also resulted from improper valve lineups, and from running a pump deadheaded. CC3.

Pump control circuit deficiencies or design modification errors have caused failures of multiple pumps to auto start, spurious pump trips during operation, and failures to restart after pump shutdown. CC4.

Incorrect setpoints and control circuit calibrations have also prevented proper operation of multiple pumps. CC5.

Loss of a vital power bus has failed both the turbine-driven and one motor-driven pump due to loss of control power to steam admission valves or to turbine controls, and to motor controls powered from the same bus.

CC6.

Simultaneous startup of multiple pumps has caused oscillations of pump suction pressure causing multiple-pump trips on low suction pressure, despite the existence of adequate static net positive suction head (NPSH). CC7. Design reviews have identified inadequately sized suction piping which could have yielded insufficient NPSH to support operation of more than one pump. CC8.

3. 1.2 Turbine Driven Pum PFW04 Fails to Start or Run Improperly adjusted and inadequately maintained turbine governors have caused pump failures. HE2. Problems include worn or loosened nuts, set screws, linkages or cable connections, oil leaks and/or contamination, and electrical failures of resistors, transistors, diodes and circuit cards, and erroneous grounds and connections. CF5.

Terry turbines with Woodward Model EG governors have been found to overspeed trip if full steam flow is allowed on if startup steam bypass valve isstartup.

Sensitivity can be reduced a sequenced to open first. DE1.

Condensate slugs in steam lines have caused turbine overspeed trip on startup. Tests repeated right after such a trip may fail to indicate the problem due to warming and clearing of the steam lines.

Surveillance should exercise all steam supply connections. DE2.

Trip and throttle valve (3652) problems which have failed the turbine driven pump include physically bumping it, failure to reset it following testing, and failures to verify control room indication of reset. HE2.

Whether either the overspeed trip or TTV trip can be reset without resetting the other, indication in the control room of TTV position, and unambiguous local indication of an overspeed trip affect the likelihood of these errors. DE3.

Turbines with Woodward Model PG-PL governors have tripped on overspeed when restarted shortly after shutdown, unless an operator has locally exercised the speed setting knob to drain oil from the governor speed setting cylinder (per procedure). Automatic oil dump valves are now available through Terry. DE4.

3. 1.3 Motor Driven Pum PFW02A or PFW02B Fails to Start or Run Control circuits used for automatic and manual pump starting are an important cause of motor driven pump failures, as are circuit breaker failures. CF7.

Hispositioning of handswitches and procedural deficiencies have prevented automatic pump start. HE3.

Low lubrication oil pressure resulting from heatup due to previous operation has prevented pump restart due to fai,lure to satisfy the protective interlock. DE5.

3. 1.4 Pum PFW02A PFW02B or PFW04 Unavailable Due to Maintenance or Surveillance Both scheduled and unscheduled maintenance remove pumps from operability. Surveillance requires operation with an altered line-up, although a pump train may not be declared inoperable during testing.

Prompt scheduling and performance of maintenance and surveillance minimize this unavailability.

3. 1.5 Motor 0 crated Flow Control Valves 3996 4007 or 4008 Fail Closed These normally open MOVs control flow from the AFW pumps to each of the steam generators. They fail as-is on loss of power.

Common cause failure of HOVs has resulted from failure to use electrical signature tracing equipment to determine proper settings of torque switch and torque switch bypass switches. Failure to calibrate switch settings for high torques necessary under design basis accident conditions has also been involved. CC11.

Valve motors have been failed due to lack of, or improper sizing or use of thermal overload protective devices. Bypassing and oversizing should be based on proper engineering for ~desi n basis conditions. Cfd.

Out-of-adjustment electrical flow controllers have caused improper discharge valve operation, affecting multiple trains of AFW. CC12.

Grease trapped in the torque switch spring pack of Limitorque SHB motor operators has caused motor burnout or thermal overload trip by preventing torque switch actuation. CF8.

Manually reversing the direction of motion of operating HOVs has overloaded the motor circuit. Operating procedures should provide cautions, and circuit designs may prevent reversal before each stroke is finished. DE7.

Space heaters designed for preoperation storage have been found wired in parallel with valve motors which had not been environmentally qualified with them present. DE8.

3. 1.6 Manual Suction or Dischar e Valves Fail Closed AFW Pum PFW02A PFW02B PFW04 Suction Valves: 4019 4018 4015 MD Pum PFW02A Dischar e Valve: 4011 MD Pum PFW02B Dischar e Valve: 4012 TD Pum PFW04 Dischar e to 1A S G: 3999 '001 4005 TD Pum PFW04 Dischar e to 1B S G: 4000 4002 4006 These manual valves are normally locked open. Closure of the suction valves list'ed would block suction from the CSTs to their respective AFW pump.

Closure of the discharge valves listed would'lock pump discharge to their respective S/G but would not block the recirculation flowpath to the CST.

Valve mispositioning has resulted in failures of multiple trains of AFW.

CC2. It has also been the dominant cause of problems identified during operational readiness inspections. HEl. Events have occurred most often during maintenance, calibration, or system modifications.

Important causes of mispositioning include:

Failure to provide complete, clear, and specific procedures for tasks and system restoration Failure to promptly revise and validate procedures, training, and diagrams following system modifications Failure to complete all steps in a procedure Failure to adequately review uncompleted procedural steps after task completion Failure to verify support functions after restoration Failure to adhere scrupulously to administrative procedures regarding tagging, control and tracking of valve operations Failure to log the manipulation of sealed valves Failure to follow good practices of written task assignment and feedback of task completion information Failure to provide easily read system drawings, legible valve labels corresponding to drawings and procedures, and labeled indications of local valve position

3. 1.7 Air 0 crated Flow Control Valves Fail Closed TD Pum Trains: 4297 4298 D Pum Trains: 4480 4481 These normally-open air operated valves (AOVs) in the turbine-driven pump trains control flow to the steam generators. In the motor-driven pump trains these bypass valves are normally closed. They all fail open on loss of Instrument Air.

~ Control Circuit problems have been a primary cause of failures, both at Ginna and elsewhere. CF9. Valve failures have resulted 9

from blown fuses, failure of control components (such as current/pneumatic convertors), broken or dirty contacts, misaligned or broken limit switches, control power loss, and calibration problems. Degraded operation has also resulted from improper air pressure due to air regulator failure or leaking air lines.

~ Out-of-adjustment electrical flow controllers have caused improper valve operation, affecting multiple trains of AFW. CC12.

~ Leakage of hot feedwater through check valves has caused thermal binding of flow control MOVs. AOVs may be similarly susceptible.

CF2.

~ Multiple flow control valves have been plugged by clams when suction switched automatically to an alternate, untreated source.

CC9.

3. 1.8 Leaka e of Hot Feedwater throu h Check Valves:

Between Pum PFW04 and MFW: Valves 4004 4003 Between Pum PFW02A and MFW: Valves 4000C Between Pum PFW02B and MFW: Valves 4000D At Pum Dischar es: Valves 3998 4010 4009

~ Leakage of hot feedwater through several check valves in series has caused steam binding of multiple pumps. Leakage through a closed level control valve in series with check valves has also occurred.

CC10.

~ Slow leakage past the final check valve of a series may not force upstream check valves closed, allowing leakage past each of them in turn. Piping orientation and valve design are important factors in achieving true series protection. CFl.

3.2 RISK IMPORTANT AFW SYSTEM WALKDOWN TABLE Table 3. 1 presents an AFW system walkdown table including only components identified as risk important. This information allows inspectors to concentrate their efforts on components important to prevention of core damage. However, it is essential to note that inspections should not focus exclusively on these components. Other components which perform essential functions, but which are absent from this table because of high reliability or redundancy, must also be addressed to ensure that their risk importances are not increased. Examples include an adequate water level in the CST, and the (closed) valves cross connecting the discharges of the two motor-driven AFW pumps.

10

TABLE 3. 1. Risk Important AFW System Walkdown Table Required Actual Com onent ¹ Com onent Name Location Position Position o mal AFW S stem Electrical PFW02A Motor-Driven Pump Breaker Racked In/

Closed PFW02B Motor-Driven Pump Breaker Racked In/

Closed PFW02A Flow ath 4019 CST to HDP PFW02A Suction Valve Locked Open 4027 HDP PFW02A Service Water Supply Closed 4345 MDP PFW02A Service Water Isolation Locked Closed 4007 AFW HDP PFW02A Discharge Valve Open 4480 HDP PFW02A Flow Control Bypass Closed 4011 HDP S/G 1A Isolation Locked Open PFW028 Flow ath 4018 CST to HDP PFW02B Suction Valve Locked Open 4028 HDP PFW02B Service Water Supply Closed 4344 HDP PFW02B Service Water Isolation Locked Closed 4008 AFW MDP PFW02B Discharge Valve Open 4481 MDP PFW02B Flow Control Bypass Closed 4012 MDP S/G 1B Isolation Locked Open

~PFN4 41 4 4015 CST to TDP PFW04 Suction Valve Locked Open 4013 TDP PFW4 Service Water Supply Closed 4098 TDP PFW4 Service Water Isolation Locked Closed 11

TABLE 3.1. Risk Important AFW System Walkdown Table (Continued)

Com onent ¹ ~N PFW04 L

Flow ath Required Position Actual Position 3996 AFW TDP PFW04 Discharge Valve Open 3999 TDP PFW04 to S/G 1A Isolation Locked Open 4297 TDP PFW04 Discharge to lA S/G Open 4001 TDP PFW04 to S/G 1A Isolation Locked Open 4005 TDP PFW04 to S/G 1A Stop Locked Open 4000 TDP PFW04 to S/G 18 Isolation Locked Open 4298 TDP PFW04 Discharge to 18 S/G Open 4002 TDP PFW04 to S/G 1B Isolation Locked Open 4006 TDP PFW04 to, S/G 1B Stop Locked Open

,PFW04 Steam Su l 3504 S/G 1B Steam Supply Isolation Locked Open 3504A S/G 1B Steam Supply to TFP Closed 3505 S/G lA Steam'upply Isolation Locked Open 3505A S/G 1A Steam Supply to TFP Closed 3652 TFP Trip and Throttle Valve Reset Open Cross-Tie Flow ath 4000A AFWP Cross-Tie Valve Cl osed 40008 AFWP Cross-Tie Valve Cl osed 4359 HDP to TDP Discharge Cross-Tie Cl osed 4360 HDP to TDP Discharge Cross-Tie Cl os ed 12

TABLE 3. 1. Risk Important AFW System Walkdown Table (Continued)

CST Isolation 4070 1B CST Isolation Valve Locked Open 4071 1A CST Isolation Valve Locked Open Standb AFW S stem Electrical C SAFWP Breaker Racked In D SAFWP Breaker Racked In "C" SAFWP Flow ath 4616 Service Water HOV Isolation Open 9629A C SAFWP Service Mater Supply Closed 9701A C SAFWP Discharge Valve Open 9704A C SAFWP Discharge CNHT Isolation Open 9702A C SAFWP Hanual CNHT Isolation Locked Open 9706A C SAFWP to S/G 1A Locked Open 9710A C SAFWP Recirc Valve Closed "D" SAFWP Flow ath 4615 Service Water HOV Isolation Open 9629B D SAFMP Service Water Supply Closed 9701B D SAFWP Discharge Valve Open 9746 D SAFWP Emergency Discharge Open

. 97048 D SAFWP Discharge CNHT Isolation Open 9702B D SAFWP Hanual CNHT Isolation Locked Open 9706B D SAFWP to S/G 1B Locked Open 9710B D SAFWP Recirc Valve Closed 13

TABLE 3. 1. Risk Important AFW System Walkdown Table (Continued)

Required Actual Com onent ¹ Com onent Name Location Position Position Cross-Tie Valves 9702C SAFWP's Cross-Tie Isolation Open 9702D SAFWP's Cross-Tie Isolation Open 9703A SAFWP's HOV Cross-Tie Isolation Closed 9703B SAFWP's HOV Cross-Tie Isolation Closed

4.0 GENERIC RISK INSIGHTS FROM PRAs PRAs for 13 PWRs were analyzed to identify risk-important accident sequences involving loss of AFW, and to identify and risk-prioritize the component failure modes involved. The results of this analysis are described in this section. They are consistent with results reported by INEL and BNL (Gregg et al 1988, and Travis et al, 1988).

4.1 RISK IMPORTANT ACCIDENT SE UENCES INVOLVING AFW SYSTEM FAILURE Loss of Power S stem A loss of offsite ower is followed by failure of AFW. Due to lack of actuating power, the PORVs cannot be opened, preventing adequate feed-and-bleed cooling, and resulting in core damage.

A station blackout fails all AC power except Vital AC from DC invertors, and all decay heat removal systems except the turbine-driven AFW pump. AFW subsequently fails due to battery depletion or hardware failures, resulting in core damage.

~ A DC bus fails, causing a trip and failure of the power conversion system. One AFW motor-driven pump is failed by the bus loss, and the turbine-driven pump fails due to loss of turbine or valve control power. AFW is subsequently lost completely due to other failures.

Feed-and-bleed cooling fails because PORV control is lost, resulting in core damage.

Transient-Caused Reactor or Turbine Tri A transient-caused tri is followed by a loss of PCS and AFW. Feed-and-bleed cooling fails either due to failure of the operator to initiate it, or due to hardware failures, resulting in core damage.

Loss of Main Feedwater

~ A feedwater line break drains the common water source for MFW and AFW. The operators fail to provide feedwater from other sources, and fail to initiate feed-and-bleed cooling, resulting in core damage.

A loss of main feedwater trips the plant, and AFW fails due to operator error and hardware failures.

The operators fail to initiate feed-and-bleed cooling, resulting in core damage.

15

Steam Generator Tube Ru ture A SGTR is followed by failure of AFW. Coolant is lost from the primary until the RWST is- depleted. HPI fails since recirculation cannot be established from the empty sump, and core damage results.

4.2 RISK IMPORTANT COMPONENT FAILURE MODES The generic component failure modes identified from PRA analyses as important to AFW system failure are listed below in decreasing order of risk importance.

1. Turbine-Driven Pump Failure to Start or Run.
2. Motor-Driven Pump Failure to Start or Run.
3. TDP or MDP Unavailable due to Test or Maintenance.
4. AFW System Valve Failures

~ steam admission valves

~ trip and throttle valve

~ flow control valves

~ pump discharge valves

~ pump suction valves

~ valves in testing or maintenance.

5. Supply/Suction Sources

~ condensate storage tank stop valve

~ hot well inventory

~ suction valves.

In addition to individual hardware, circuit, or instrument failures, each of these failure modes may result from common causes and human errors.

Common cause failures of AFW pumps are particularly risk important. Valve failures are somewhat less important due to the multiplicity of steam generators and connection paths. Human errors of greatest risk importance involve: failures to initiate or control system operation when required; failure to restore proper system lineup after maintenance or testing; and failure to switch to alternate sources when required.

16

5.0 FAILURE MODES DETERMINED FROM OPERATING EXPERIENCE This section describes the primary root causes of component failures of the AFW system, as determined from a review of operating histories at Glnna and at other PWRs throughout the nuclear industry. Section 5. 1 describes experience at Ginna. Section 5.2 summarizes information compiled from a variety of NRC sources, including AEOD analyses and reports, information notices, inspection and enforcement bulletins, and generic letters, and from a variety of INPO reports as well. Some Licensee Event Reports (LERs) and NPRDS event descriptions were also revi'ewed individually. Finally, information was included from reports of NRC-sponsored studies of the effects of plant aging, which include quantitative analyses of AFW system failure reports. This information'as used to identify the various root causes expected for the broad PRA-based failure categories identified in Section 4.0, resulting in the inspection guidelines presented in Section 3.0.

5.1 GINNA EXPERIENCE Twenty-five events affecting the operational performance and readiness of the AFW system at Ginna were found in AFW operating history data dating back to 1984. Ginna operating history data indicaties failures of the AFW pumps, the pump discharge flow control valves to steam generators, pump suction and discharge valves and system check valves. Failure modes include electrical, instrumentation, hardware failures, and human errors.

AFW Pum Control Lo ic Instrumentation and Electrical Failures There have been two failures of the AFW or Standby AFW pumps to start or trip experienced since 1984. These have resulted from failure of control power fuses and control bistable operation. The failure causes are improper or inadequate lubrication to a mechanical interlock and improper wiring after system testing.

Failure of AFW Pum Dischar e Flow Control Valve to Steam Generator There have been two failures of the pump discharge flow control valves since 1984. These have resulted from valve control circuit failures caused by circuit breaker operation and improper control bistable operation. The circuit breaker was found .to be missing a fuse, clip. Misadjustment of the control bistable prevented full valve .travel.

AFW MOV and AOV Valve Failures Since 1984 there have been twelve events involving AFW valve failures.

Failures have been caused by control relays, torque switch failure or misadjustment, misadjusted spring packs, misaligned engagement levers and binding resultant from foreign material. Failure causes are improper or inadequate testing and maintenance procedures, mechanical wear, and system design flaws.

17

Human Errors There have been eight significant human errors affecting the AFW system since 1984. Personnel have failed to calibrate equipment or realign equipment in the correct position following maintenance and testing, improperly wired bistables after testing, damaged components during operation or inspection and failed to assemble components correctly or completly after maintenance. Both personnel error and inadequate procedures have been involved.

Misunderstanding of operability requirements'has resulted in equipment exceeding Technical Specifications operability limits.

5.2 INDUSTRY WIDE- EXPERI NC Human errors, design/engineering problems and errors, and component failures are the primary root causes of AFW System failures identified in a review of industry wide system operating history. Common cause failures, which disable more than one train of this operationally redundant system, are highly risk significant, and can result from all of these causes.

This section identifies important common cause failure modes, and then provides a broader discussion of the single failure effects of human errors, design/engineering problems and errors, and component failures. Paragraphs presenting details of these failure modes are coded (e.g., CC1) and cross-referenced by inspection items in Section 3.

5.2.1 Common Cause Fai ures The dominant cause of AFW system multiple-train failures has been human error. Design/engineering errors and component failures have been less frequent, but nevertheless significant, causes of multiple train failures.

CC1. Human error in the form of incorrect operator intervention into automatic AFW system functioning during transients resulted in the temporary loss of all safety-grade AFW pumps during events at Davis Besse (NUREG-1154, 1985) and Trojan (AEOD/T416, 1983). In the Davis Besse event, improper manual initiation of the steam and feedwater rupture control system (SFRCS) led to overspeed tripping of both turbine-driven AFW pumps, probably due to the introduction of condensate into the AFW turbines from the long, unheated steam supply lines. (The system had never been tested with the abnormal, cross-connected steam supply lineup which resulted.) In the Trojan event the operator incorrectly stopped both AFW pumps due to misinterpretation of HFW pump speed indication. The diesel driven pump would not restart due to a protective feature requiring complete shutdown, and the turbine-driven pump tripped on overspeed, requiring local reset of the trip and throttle valve. In cases where manual intervention is required during the early stages of a transient, training should emphasize that actions should be performed methodically and deliber ately to guard against such errors.

CC2. Valve mispositioning has accounted for a significant fraction of the.

human errors failing multiple trains of AFW. This includes closure of normally open suction valves or steam supply valves, and of isolation valves to sensors having control functions. Incorrect handswitch positioning and 18

inadequate temporary wiring changes have also prevented automatic starts of multiple pumps. Factors identified in studies of mispositioning errors include failure to add newly installed valves to valve checklists, weak administrative control of tagging, restoration, independent verification, and locked valve logging, and inadequate adherence to procedures. Illegible or confusing local valve labeling, and insufficient training in the determination of valve position may cause or mask mispositioning, and surveillance which does not exercise complete system functioning may not reveal mispositionings.

CC3. At AN0-2, both AFW pumps lost suction due to steam binding when they were lined up to both the CST and the hot startup/blowdown demineralizer effluent (AEOD/C404, 1984). At Zion-1 steam created by running the turbine-driven pump deadheaded for one minute caused trip of a motor-driven pump sharing the same inlet header, as well as damage to the turbine-driven pump (Region 3 Horning Report, 1/17/90). Both events were caused by procedural inadequacies.

.CC4. Design/engineering errors have accounted for a smaller, but significant fraction of common cause failures. Problems with control circuit design modifications at Farley defeated AFW pump auto-start on loss of main feedwater. At Zion-2, restart of both motor driven pumps was blocked by circuit failure to deenergize when the pumps had been tripped with an automatic start signal present (IN 82-01, 1982). In addition, AFW control circuit design reviews at Salem and Indian Point have identified designs where failures of a single component could have failed all or multiple pumps (IN 87-34, 1987).

CC5. Incorrect setpoints and control circuit settings resulting from analysis errors and failures to update procedures have also prevented pump start and caused pumps to trip spuriously. Errors of this type may remain undetected despite surveillance testing, unless surveillance tests model all types of system initiation and operating conditions. A greater fraction of instrumentation and control circuit problems has been identified during actual system operation (as opposed to surveillance testing) than for other types of failures.

CC6. On two occasions at a foreign plant, failure of a balance-of-plant inverter caused failure of two AFW pumps. In addition to loss of the motor driven pump whose auxiliary start relay was powered by the invertor, the turbine driven pump tripped on overspeed because the governor valve opened, allowing full steam flow to the tur bine. This illustrates the importance of assessing the effects of failures of balance of plant equipment which supports the operation of critical components. The instrument air system is another example of such a system.

CC7. Hultiple AFW pump trips have occurred at Millstone-3, Cook-l, Trojan and Zion-2 (IN 87-53, 1987) caused by brief, low pressure oscillations of suction pressure during pump startup . These oscillations occurred despite the availability of adequate static NPSH. Corrective actions taken include:

extending the time delay associated with the low pressure trip, removing the trip, and replacing the trip with an alarm and operator action.

19

CC8. Design errors discovered during AFW system reanalysis at the Robinson plant (IN 89-30, 1989) and at Millstone-I resulted in the supply header from the CST being too small to provide adequate NPSH to the pumps if more than one of the three pumps were operating at rated flow conditions. This could lead to multiple pump failure due to cavitation. Subsequent reviews at Robinson identified a loss of feedwater transient in which inadequate NPSH and flows less than design values had occurred, but which were not recognized at the time. Event analysis and equipment trending, as well as surveillance testing which duplicates service conditions as much as is practical, can help identify such design errors.

CC9. Asiatic clams caused failure of two AFW flow control valves at Catawba-2 when low suction pressure caused by starting of a'motor-driven pump caused suction source realignment to the Nuclear Service Water system. Pipes had not been routinely treated to inhibit clam growth, nor regularly monitored to detect their presence, and no strainers were installed. The need for surveillance which exercises alternative system operational modes, as well as complete, system functioning, is emphasized by this event. Spurious suction switchover has also occurred at Callaway and at McGuire, although no failures resulted.

CC10. Common cause failures have also been caused by component failures (AEOD/C404, 1984). At Surry-2, both the tur bine driven pump and one motor driven pump were declared inoperable due to steam binding caused by backleakage of hot water through multiple check valves. At Robinson-2 both motor driven pumps were found to be hot, and both motor and steam driven pumps were found to be inoperable at different times. Backleakage at Robinson-2 passed through closed motor-operated isolation valves in addition to multiple check valves. At Farley, both motor and turbine driven pump casings were found hot, although the pumps were not declared inoperable. In addition to multi-train failures, numerous incidents of single train failures have occurred, resulting in the designation of "Steam Binding of Auxiliary Feedwater Pumps" as Generic Issue 93. This generic issue was resolved by Generic Letter 88-03 (Miraglia, 1988), which required licensees to monitor AFW piping temperatures each shift, and to maintain procedures for recognizing steam binding and for restoring system operability.

CCll. Common cause failures have also failed motor operated valves. During the total loss of feedwater event at Davis Besse, the normally-open AFW isolation valves failed to open after they were inadvertently closed. The failure was due to improper setting of the torque switch bypass switch, which prevents motor trip on the high torque required to unseat a closed valve.

Previous problems with these valves had been addressed by increasing the torque switch trip setpoint - a fix which failed during the event due to the higher torque required due to high differential pressure across the valve.

Similar common mode failures of MOVs have also occurred in other systems, resulting in issuance of Generic Letter 89-10, "Safety Related Motor-Operated Valve Testing and Surveillance (Partlow, 1989)." This generic letter requires licensees to develop and implement a program to provide for the testing, inspection and maintenance of all safety-related MOVs to provide assurance that they will function when subjected to design basis conditions.

20

CC12. Other component failures have also resulted in AFW multi-train failures. These include out-of-adjustment electrical flow controllers resulting in improper discharge valve operation, and a failure of oil cooler cooling water supply valves to open due to silt accumulation.

5.2.2 Human Errors HEl. The overwhelmingly dominant cause of problems identified during a series of operational readiness evaluations of AFW systems was human performance. The majority of these human performance problems resulted from incomplete and incorrect procedures, particularly with respect to valve lineup information.

A study of valve mispositioning events involving human error identified failures in administrative control of tagging and logging, procedural compliance and completion of steps, verification of support systems, and inadequate procedures as important. Another study found that valve mispositioning events occurred most often during maintenance, calibration, or modification activities. Insufficient training in determining valve position, and in administrative requirements for controlling valve positioning were important causes, as was oral task assignment without task completion feedback.

HE2. Turbine driven pump failures have been caused by human errors in calibrating or adjusting governor speed control, poor governor maintenance, incorrect adjustment of governor valve and overspeed trip linkages, and errors associated with the trip and throttle valve. TTV-associated errors include physically bumping it, failure to restore it to the correct position after testing, and failures to verify control room indication of TTV position following actuation.

HE3. Motor driven pumps have been failed by human errors in mispositioning handswitches, and by procedure deficiencies.

5.2.3 Desi n En ineerin Problems and Errors DEI. As noted above, the majority of AFW subsystem failures, and the greatest relative system degradation, has been found to result from turbine-driven pump failures. 'Overspeed trips of Terry turbines controlled by Woodward governors have been a significant source of these failures (AEOD/C602, 1986). In many cases these over speed trips have been caused by slow response of a Woodward Hodel EG governor on startup, at plants where full steam flow is allowed immediately. This oversensitivity has been removed by installing a startup steam bypass valve which opens first, allowing a controlled turbine acceleration and buildup of oil pressure to control the governor valve when full steam flow is admitted.

DE2. Overspeed trips of Terry turbines have been caused by condensate in the steam supply lines. Condensate slows down the turbine, causing the governor valve to open farther, and overspeed results before the governor valve can respond, after the water slug clears. This was determined to be the cause of the loss-of-all-AFW event at Davis Besse (AEOD/602, 1986), with condensation enhanced due to the long length of the cross-connected steam lines. Repeated tests following a cold-start trip may be successful due to system heat up.

21

DE3. Turbine trip and throttle valve (TTV) problems are a significant cause of turbine driven pump failures (IN 84-66). In some cases lack of TTV position indication in the control room prevented recognition of a tripped TTV. In other cases it was possible to reset either the overspeed trip or the TTV without reseting the other. This problem is compounded by the fact that the position of the overspeed trip linkage can be misleading, and the mechanism may lack labels indicating when it is in the tripped position (AEOD/C602, 1986).

DE4. Startup of turbines with Woodward Model PG-PL governors within 30 minutes of shutdown has resulted in overspeed trips when the speed setting knob was not exercised locally to drain oil from the speed setting cylinder.

Speed control is based on startup with an empty cylinder. Problems have involved turbine rotation due to both procedure violations and leaking steam.

Terry has marketed two types of dump valves for automatically draining the oil after shutdown (AEOD/C602, 1986).

At Calvert Cliffs, a 1987 loss-of-offsite-power event required a quick, cold startup that resulted in turbine trip due to PG-PL governor stability problems. The short-term corrective action was installation of stiffer buffer springs (IN 88-09, 1988). Surveillance had always been preceded by turbine warmup, which illustrates the importance of testing which duplicates service conditions as much as is practical.

DE5. Reduced viscosity of gear box oil heated by prior operation caused failure of a motor driven pump to start due to insufficient lube oil pressure.

Lowering the pressure switch setpoint solved the problem, which had not been detected during testing.

DE6. Waterhammer at Palisades resulted in AFW line and hanger damage at both steam generators. The AFW spargers are located at the normal steam generator level, and are frequently covered and uncovered during level fluctuations.

Waterhammers in top-feed-ring steam generators resulted in main feedline rupture at Maine Yankee and feedwater pipe cracking at Indian Point-2 (IN 84-32, 1984).

DE7. Manually reversing the direction of motion of an operating valve has resulted in HOV failures where such loading was not considered in the design (AEOD/C603, 1986). Control .circuit design may pr event this, requiring stroke completion before reversal.

DE8. At each of the units of the South Texas Project, space heaters provided by the vendor for use in preinstallation storage of MOVs were found to be wired in parallel to the Class 1E 125 V DC motors for several AFW valves (IR 50-489/89-11; 50-499/89-11, 1989). The valves had been environmentally qualified, but not with the non-safety-related heaters energized.

22

5.2.4 Com onent Failures Generic Issue II.E.6. 1, "In Situ Testing Of Valves" was divided into four sub-issues (Beckjord, 1989), three of which relate directly to prevention of AFW system component failure. At the request of the NRC, in-situ testing of check valves was addressed by the nuclear industry, resulting in the EPRI report, "Application Guidelines for Check Valves in Nuclear Power Plants (Brooks, 1988)." This extensive report provides information on check valve applications, limitations, and inspection techniques. In-situ testing of HOVs was addressed by Generic Letter 89-10, "Safety Related Motor-Operated Valve Testing and Surveillance" (Partlow, 1989) which requires licensees to develop and implement a program for testing, inspection and maintenance of all safety-related HOVs. "Thermal Overload Protection for Electric Motors on Safety-Related Motor-Operated Valves - Generic Issue II.E.6. 1 (Rothberg, 1988)"

concludes that valve motors should be thermally protected, yet in a way which emphasizes system function over protection of the operator.

CF1. The common-cause steam binding effects of check valve leakage were identified in Section 5.2. 1, entry CC10. Numerous single-train events provide additional insights into this problem. In some cases leakage of hot HFW past multiple check valves in series has occurred because adequate valve-seating pressure was limited to the valves closest to the steam generators (AEOD/C404, 1984). At Robinson, the pump shutdown procedure was changed to delay closing the HOVs until after the check valves were seated. At Farley, check valves were changed from swing type to lift type. Check valve rework has been done at a number of plants. Different valve designs and manufacturers are involved in this problem, and recurring leakage has been experienced, even after repair and replacement.

CF2. At Robinson, heating of motor operated valves by check valve leakage has caused thermal binding and failure of AFW discharge valves to open on demand.

At Davis Besse, high differential pressure across AFW injection valves resulting from check valve leakage has prevented HOV operation (AEOD/C603, 1986).

CF3. Gross check valve leakage at HcGuire and Robinson caused overpressurization of the a severe waterhammer event.

AFW suction piping. At a foreign PWR it resulted in At Palo Verde-2 the HFW suction piping was overpressurized by check valve leakage from the AFW system (AEOD/C404, 1984).

Gross check valve leakage through idle pumps represents a potential diversion of AFW pump flow.

CF4. Roughly one third of AFW system failures have been due to valve operator failures, with about equal failures for HOVs and AOVs. Almost half of the HOV failures were due to motor or switch failures (Casada, 1989). An extensive study of MOV events (AEOD/C603, 1986) indicates continuing inoperability problems caused by: torque switch/limit switch settings, adjustments, or failures; motor burnout; improper sizing or use of thermal overload devices; premature degradation related to inadequate use of protective devices; damage due to misuse (valve throttling, valve operator hammering); mechanical problems (loosened parts, improper assembly); or the torque switch bypass circuit improperly installed or adjusted. The study concluded that current 23

methods and procedures at many plants are not adequate to assure that HOVs will operate when needed under credible accident conditions. Specifically, a surveillance test which the valve passed might result in undetected valve inoperability due to component failure (motor burnout, operator parts failure, stem disc separation) or improper positioning of protective devices (thermal overload, torque switch, limit switch). Generic Letter 89-10 (Partlow, 1989) has subsequently required licensees to implement a program ensuring that HOV switch settings are maintained so that the valves will operate under design basis conditions for the life of the plant.

CF5. Component problems have caused a significant number of turbine driven pump trips (AEOD/C602, 1986). One group of events involved worn tappet nut faces, loose cable connections, loosened set screws, improperly latched TTVs, and improper assembly. Another involved oil leaks due to component or seal failures, and oil contamination due to poor maintenance activities. Governor oil may not be shared with turbine lubrication oil, resulting in the need for separate oil changes. Electrical component failures included transistor or resistor failures due to moisture intrusion, erroneous grounds and connections, diode failures, and a faulty circuit card.

CF6. Electrohydraulic-operated discharge valves have performed very poorly, and three of the five units using them have removed them due to recurrent failures. Failures included oil leaks, contaminated oil, and hydraulic pump failures.

CF7. Control circuit failures were the dominant source of motor driven AFW pump failures (Casada, 1989). This includes the controls used for automatic and manual starting of the pumps, as opposed to the instrumentation inputs.

Most of the remaining problems were due to circuit breaker failures.

CF8. "Hydraulic lockup" of Limitorque SHB spring packs has prevented proper spring compression to actuate the HOV torque switch, due to grease trapped in the spring pack. During a surveillance at Trojan, failure of the torque switch to trip the TTV motor resulted in tripping of the thermal overload device, leaving the turbine driven pump inoperable for 40 days until the next surveillance (AEOD/E702, 1987). Problems result from grease changes to EXXON NEBULA EP-0 grease, one of only two greases considered environmentally qualified by Limitorque. Due to lower viscosity, it slowly migrates from the gear case into the spring pack. Grease changeover at Vermont Yankee affected 40 of the older HOVs of which 32 were safety related. Grease relief kits are needed for HOV operators manufactured before 1975. At Limerick, additional grease relief was required for HOVs manufactured since 1975. HOV refurbishment programs may yield other changeovers to EP-0 grease.

CF9. For AFW systems using air operated valves, almost half of the system degradation has resulted from failures of the valve controller circuit 'and its instrument inputs (Casada, 1989). Failures occurred predominantly at a few units using automatic electronic controllers for the flow control valves, with the majority of failures due to electrical hardware. At Turkey Point-3, controller malfunction resulted from water in the Instrument Air system due to maintenance inoperability of the air dryers.

CF10. For systems using diesel driven pumps, most of the failures were due to start control and governor speed control circuitry. Half of these occurred on demand, as opposed to during testing (Casada, 1989).

CF11. For systems using AOVs, operability requires the availability of, Instrument Air, backup air, or backup nitrogen. However, NRC Maintenance Team Inspections have identified inadequate testing of check valves isolating the safety-related portion of the IA system at several utilities (Letter, Roe to Richardson). Generic Letter 88-14 (Hiraglia, 1988), requires licensees to verify by test that air-operated safety-related components will perform as expected in accordance with all design-basis events, including a loss of normal IA.

25'

6.0 REFERENCES

Beckjord, E. S. June 30, 1989. Closeout of Generic Issue II.E.6. 1 "In Situ Testin of Valves". Letter to V. Stello, Jr., U.S. Nuclear Regulatory Commission, Washington, DC.

Brooks, B. P. 1988. A lication Guidelines for Check Valves in Nuclear Power Plants. NP-5479, Electric Power Research Institute, Palo Alto, CA.

Casada, D. A. 1989. Auxiliar Feedwater S stem A in Stud . Volume l.

0 eratin Ex erience and Current Monitorin Practices. NUREG/CR-5404. U.S.

Nuclear Regulatory Commission, Washington, DC.

Gregg, R. E. and R. E. Wright. 1988. A endix Review for Dominant Generic Contributors. BLB-31-88. Idaho National Engineering Laboratory, Idaho Falls, Idaho.

Miraglia, F. J. February 17, 1988. Resolution of Generic Safet Issue 93 "Steam Bindin of Auxiliar Feedwater Pum s" Generic Letter 88-03 . U.S.

Nuclear Regulatory Commission, Washington, DC.

Miraglia, F. J. August 8, 1988. Instrument Air Su l S stem Problems Affectin Safet -Related E ui ment Generic Letter 88-14 . U.S. Nuclear Regulatory Commission, Washington, DC.

Partlow, J. G. June 28, 1989. Safet -Related Motor-0 crated Valve Testin and Surveillance Generic Letter 89-10 . U.S. Nuclear Regulatory Commission, Washington, DC.

Rothberg, 0. June 1988. Thermal Overload Protection for Electric Motors on Safet -Related Motor-0 crated Valves - Generic Issue II.E.6. 1. NUREG-1296.

U.S. Nuclear Regulatory Commission, Washington, DC.

Travis, R. and J. Taylor. 1989. Develo ment of Guidance for Generic Functionall Oriented PRA-Based Team Ins ections for BWR Plants-Identification of Risk-Im ortant S stems Com onents and Human Actions. TLR-A-3874-T6A Brookhaven National Laboratory, Upton, New York.

AEOD Re orts AEOD/C404. W. D. Lanning. July 1984. Steam Bindin of Auxiliar Feedwater

~Pum s. U.S. Nuclear Regulatory Commission, Washington, DC.

AEOD/C602. C. Hsu. August 1986. 0 erational Ex erience Involvin Turbine Overs eed Tri s. U.S. Nuclear Regulatory Commission, Washington, DC.

AEOD/C603. E. J. Brown. December 1986. A Review of Motor-0 crated Valve Performance. U.S. Nuclear Regulatory Commission, Washington, DC.

27

AEOD/E702. E. J. Brown. March 19, 1987. MOV Failure Due to H draulic Locku From Excessive Grease in S rin Pack. U.S. Nuclear Regulatory Commission, Washington, DC.

AEOD/T416. January 22, 1983.

'an on Januar Loss of ESF Auxiliar Feedwater Pum Ca abilit at Tro 22 1983. U.S. Nuclear Regulatory Commission, Washington, DC.

Information Notices IN 82-01. January.22, 1982. Auxiliar Feedwater Pum Lockout Resultin from Westin house W-2 Switch Circuit Modification. U.S. Nuclear Regulatory Commission, Washington, DC.

IN 84-32. E. L. Jordan. April 18, 1984. Auxil r Feedwater S ar er and Pi e Han ar Dama e. U.S. Nuclear Regulatory Commission, Washington, DC.

IN 84-66. August 17, 1984. Undetected Unavailabilit of the Turbine-Driven Auxiliar Feedwater Train. U.S. Nuclear Regulatory Commission, Washington, DC.

IN 87-34. C. E. Rossi. July 24, 1987. Sin le Failures in Auxiliar Feedwater S stems. U.S. Nuclear Regulatory Commission, Washington, DC.

IN 87-53. C. E. Rossi. October 20, 1987. Auxiliar Feedwater Pum Tri s Resultin from Low Suction Pressure. U.S. Nuclear Regulatory Commission, Washington, DC.

IN 88-09. C. E. Rossi. March 18, 1988. Reduced Reliabilit of Steam-Driven Auxiliar Feedwater Pum s Caused b Instabilit of Woodward PG-PL T e Governors. U.S. Nuclear Regulatory Commission, Washington, DC.

IN 89-30. R. A. Azua. August 16, 1989. Robinson Unit 2 Inade uate NPSH of Auxiliar Feedwater Pum s. Also, Event Notification 16375, August 22, 1989.

U.S. Nuclear Regulatory Commission, Washington, DC.

Ins ection Re ort IR 50-489/89-11; 50-499/89-11. Hay 26, 1989. South Texas Pro 'ect Ins ection

~Re ort. U.S. Nuclear Regulatory Commission, Washington, DC.

NUREG Re ort NUREG-1154. 1985. Loss of Hain and Auxiliar Feedwater Event at the Davis Besse Plant on June 9 1985. U.S. Nuclear Regulatory Commission, Washington, DC.

28

NUREG/CR-5764 PNL-7594 DISTRIBUTION No. of No. of

~Co ies ~Co ies OFFSITE U.S. Nuclear Commission Re ulator OFFSITE

~0f Ginna Resident B. K. Grimes J. H. Taylor OWFN 9 A2 Brookhav'en National Laboratory Bldg. 130 F. Congel Upton, NY 11973 OWFN 10 E4 R. Travis A. El Bassioni Brookhaven National Laboratory OWFN 10 A2 Bldg. 130 Upton, NY 11973 A. R. Johnson OWFN 14 D1 R. Gregg EGSG Idaho, Inc.

10 S. M. Long P.O. Box 1625 OHFN 10 A2 Idaho Falls, ID 83415 K. Campe Dr. D. R. Edwards OWFN 1 A2 Prof. of Nuclear Engineering University of Missouri - Rolla J. Chung Rolla, MO 65401 OHFN 10 A2 ONSITE R. H. Wessman 14 D1 'WFN 31 Pacific Northwest Laborator 2 K. S. Hest S. R. Doctor OWFN 12 H26 L. R. Dodd B. F. Gore (10)

U.S. Nuclear Re ulator N. E. Maguire-Moffitt Commission - Re ion 1 R. Pugh (5)

B. D. Shipp E. L. Conner F. A. Simonen C. H. Hehles T. V. Vo (5)

M. W. Hodges Publishing Coordination E. M. Kelly Technical Report File (5)

W. J. Lazarus E. C. McCabe Distr.1

NRC FOAM 335 U t(. NUCLEAR REGULATORY COMMISSION 1. REPORT NUMBER 124191 (Ass(oned by N RC. Add Vol., Supp., Rey.,

NRCM 1102, ~ nd Addendum Numbers. II eny.l 3201. 3202 BIBLIOGRAPHIC DATA SHEET (See inst nrctions on the reverse( NUREG/CR-5764 PNL-7594

2. TITLE AND SUBTITLE Auxiliary Feedwater System Risk-Based Inspection Guide for the 3. DATE REPORT PUBLISHED Ginna Nuclear Power Plant MONTH YEAR September 1991 4, FIN OR GRANT NUMBER L1310
5. AUTHOR(S) 6. TYPE OF REPORT R. Pugh, B. F. Gore, T. V. Vo; N. E. Moffitt Technical
7. PERIOD COVEREO (includve Oitesl 8/90 to 8/91 B. PERFORMING ORGANIZATION name ond maltese eddrettJ

- NAME AND ADDRESS (llHRC Ptovide Oivldon, Ollice or Reeion, MS iyucieir Reeutetoty ComrniuJon ind n>>lline eddreui i( connector Provide Pacific Northwest Laboratory Richland, WA 99352 B. SPONSORING ORGANIZATIONNAME AND ADDRESS ind rne(lute eddretml IllHRC, tyPe "Sen>> es eeove illcontmctor Provide HRC Div(sion, Ollicior Recipe, M*Hue(ear Reeutetoty Commituon, Division of Radiation Protection and Emergency Preparedness Office of Nuclear Reactor Regulation U.S. Nuclear Regulatory Commission Washington, DC 20555 IO. SUPPLEMENTARY NOTES

11. ABSTRACT (200 tvords or rett(

In a study sponsored by the'.S. Nuclear Regulator'y Commission tiIRC),

Pacific Northwest Laboratory has developed and applied a methodology for deriving plant-specific risk-based inspection guidance for the auxiliary f'eedwater (AFW) system at pressurized water reactors that have not undergone probabilistic risk assessment (PRA). This methodology uses existing PRA results and plant operating experience information. Existing PRA-based inspection guidance information recently developed for the NRC for various plants was used to identify generic component failure modes. This information was then combined with plant-specific and industry-wide component information and failure data to identify failure modes and failure mechanisms for the AFW system at the selected plants. Ginna was selected as the eighth plant for study. The product of this effort is a prioritized listing of AFW failures which have occurred at the plant and at other PWRs. This listing is intended for use by NRC inspectors in the preparation of inspection plans addressing AFW risk-important components at the Ginna plant.

12. KEY WORDS/DESCRIPTORS (Litt vvords or porose snit vvetesttttreteercners in tocitinp toe>>port I 13. AVAILABILITY STATEMENT Inspection, Risk, PRA, Ginna, Auxiliary Feedwater (AFW) Unl imi ted le SECURITY CLASSIFICATION lThis Pepsi Unclassified (ynb Reponl Unclassified
15. NUMBER OF PAGES
16. PRICE NRC FORM 335 (2419(
Retrieved from "https://kanterella.com/w/index.php?title=ML17262A613&oldid=1997941"