Auxiliary Feedwater System RISK-BASED Inspection Guide for the Turkey Point Nuclear Power Plant

ML17349A213
Person / Time
Site:	Turkey Point
Issue date:	04/30/1992
From:	Gore B, Moffitt N, Vo T Battelle Memorial Institute, PACIFIC NORTHWEST NATION
To:	Office of Nuclear Reactor Regulation
References
CON-FIN-L-1310 NUREG-CR-5633, PNL-7454, NUDOCS 9205140204
Download: ML17349A213 (36)
v • d • e

Text

NUREG/CR 5633 PNL7454 Auxiliary Feedwater System Risk-Based Inspection Guide for the Turkey Point Nuclear Power Plant

-NOTICE-THE ATTACHED FILES ARE OFFICIAL RECORDS OF THE" INFORMATION 8 REPORTS MANAGEMENT BRANCH.

Prepared by THEY HAVE BEEN CHARGED TO YOU N. E. Moffitt, B. F. Gore, T. V. Vo FOR A E.IMITED TIME PERIOD AND RE-MUST BE RETURNED TO THE Pacific Northwest Laboratory CORDS 8 ARCHIVES SERVICES SEC-Operated by TION P1-22 WHITE FLINT. PLEASE DO Bat telle Memorial Institute NOT 'SEND DOCUMENTS CHARGED OUT THROUGH THE MAIL. REMOVAI

,OF ANY PAGE(S) FROM DOCUMENT Prepared for RE-FOR REPRODUCTION MUST BE U.S. Nuclear Regulatory Commission FERRED TO FILE PERSONNEL.

-NOTICE-

~, '7205140204 920430 I PDR ADOCK 05000250 9 PDR

AVAILABILITYNOTICE Availability of Reference Materials Cited In NRC Publications Most documents cited In NRC publications will bo available from one of the following sources:

1. The NRC Public Document Room, 2120 L Street, NW., Lower Level, Washington, DC 20555

2. The Superintendent of Documents, U.S. Government Printing Office, P.O. Box 37082, Washington, DC 20013-7082

3. The National Technical Information Service, Springfield, VA 22161 Although the listing that follows represents the maJorlty of documents cited In NRC publications, It Is not Intended to be exhaustive.

Referoncod documents available for Inspection and copying for a foo from the NRC Public Document Room Include NRC correspondence and Internal NRC momoranda; NRC bulletins, circulars, information notices, Inspection and Investigation notices: llconsoo evont reports; vendor reports and correspondonco; Commis-sion papers; and applicant and licensee documents and correspondence.

The following documents In the NUREG series are available for purchase from the GPO Sales Program:

formal NRC staff and contractor reports, NRC-sponsored conference proceedings, international agreement reports, grant publications, and NRC booklets and brochures. Also available aro regulatory guldos, NRC regulations In the Code of Federal Regulations. and Nuclear Regulatory Commission lssuances.

Documents available from tho National Technical Information Service Include NUREG-series reports and technical reports prepared by other Federal agencies and reports prepared by the Atomic Energy Commis-sion, forerunner agency to the Nuclear Regulatory Commission.

Documonts available from public and special technical libraries include all open literature Items, such as books, Journal articles, and transactions. Federal Register notices, Federal and State legislation, and con-gressional reports can usually bo obtained from those libraries.

Documents such as theses, dissertatlons, foreign reports and translations, and non-NRC conference pro-ceedings are available for purchase from tho organization sponsoring the publication cited.

I Single copies of NRC draft reports aro available free, to the extent of supply, upon written roquost to the Office of Administration, Distribution and Mall Servlcos Section. U.S. Nuclear Rogulatory Commission, Washington, DC 20555.

Copies of Industry codes and standards used In a substantive manner In the NRC regulatory process are maintained at the NRC Library;7920 Norfolk Avonuo, Bethesda, Maryland, for use by tho public. Codes and standards are usually copyrighted and may be purchased from tho originating organization or, If they are American National Standards, from the American National Standards Institute, 1430 Broadway, New York, NY 10018.

DISCIAIMER NOTICE This report was prepared as an account of work sponsored by an agency of the United States Government.

Neither the United States Government nor any agency thereof, or any of their employees, makes any warranty, expressed or implied, or assumes any legal liabilityof responsibility for any third party's use, or the results of such use, of any information, apparatus, product or process disclosed in this report, or represents that Its use by such third party would not infringe privately owned rights.

NUREG/CR 5633 PNL-7454 Auxiliary Feedwater System Risk-Based Inspection Guide for the Turkey Point Nuclear Power Plant Manuscript Completed: February 1992 Date Published: April 1992 Prepared by N. E. Moffitt, B. F. Gore, T. V. Vo Pacific Northwest Laboratory Richland, WA 99352 Prepared for Division of Radiation Protection and Emergency Preparedness Office of Nuclear Reactor Regulation U.S. Nuclear Regulatory Commission Washington, DC 20555 NRC FIN L1310

Summary This document presents a compilation of auxiliary feedwater (AFW) system failure information which has been screened for risk significance in terms of failure I'rcquency and degradation of system performance. It is a risk-prioritizcd listing of failure events and their causes that are significant enough to warrant consideration in inspection planning at the Turkey Point plant. This information is presented to provide inspectors with increased resources for inspection planning at Turkey Point.

The risk importance of various cotnponcnt failure modes was idcntiTied by analysis of the results of probabilistic risk assessments (PRAs) for many pressurized water reactors (PWRs). However, the component failure categories identified in PRAs are rather broad, because thc failure data used in thc PRAs is an aggregate of many individual failures having a variety of root causes. In order to help inspectors focus on specific aspects of component operation, maintenance and design which might cause thcsc failures, an extensive review of component failure information was perforrncd to identify and rank the root causes of these component failures. Both Turkey Point and industry-wide failure information was analyzed. Failure causes were sorted on the basis of frequency of occurrence and seriousness of conscquencc, and categorized as common cause failures, human errors, design problems, or component failures.

This information is presented in the body of this document. Section 3.0 provide brief descriptions of these risk-irnportant failure causes, and Section 5.0 prcscnts more extensive discussions, with spcciTic examples and references.

The entries in the two sections arc cross-referenced.

An abbreviated system walkdown table is presented in Section 3.2 which includes only components identified as risk important. This table lists thc system lineup for normal, standby system operation.

This information permits an inspector to concentrate on components important to the prevention of core damage.

However, it is important to note that inspections should not focus exclusively on these components. Other components which perform essential functions, but which are not included because of high reliability or redundancy, must also be addrcsscd to ensure that degradation does not increase their failure probabilities, and hence their risk importance.

N 0 REG/CR-SC>33

kl Contents Summary .

1 Introduction 2 lltrkcy Point AFW Systcrn 2.1 2.1 System Description.... 2.1 2.2 Success Criterion . 2.2 2.3 System Dependencies .. 2.2 2.4 Operational Constraints 2.2 3 Inspection Guidance For The Turkey Point AFW Systcrn 3.1 3.1 Risk Important AFW Components and Failure Modes . 3.1 3.1.1 Multiple Pump Failures Due to Common Cause . 3.1 3.1.2 Turbine Driven Pump A, 8, or C Fails to Start or Run . 3.2 3.1.3 Pump Unavailable Due to Maintenance or Surveillance 3.2 3.1.4 Air Operated Control Valves Fail Closed . 3.2 3.1.5 Motor Operated Valves Fail Closed . 3.3 3.1.6 Manual Suction or Discharge Valves Fail Closed 3.3 3.1.7 Lcakagc of Hot Fcedwater Through Check Valves . 3,4 3.2 Risk Important AFW System Walkdown Htble . 3.4 4 Generic Risk Insights From PRAs 4.1 4.1 Risk Important Accident Scquenccs Involving AFW System I=ailurc ......................... 4.1 4.2 Risk Important Component Failure Modes 4.1 5 Failure Modes Determined From Operating Experience 5.1 5.1 'IIIrkcy Point Experience 5.1 5.1.1 11trbine Driven Pump Failures . 5.1 5.1.2 Flow Control and Isolation Valve Failures . 5.1 5.1.3 Turbine Driven Pump Steam Supply, Admission and Control Valves 5.1 5.1.4 Cheek Valves 5.2 5.2 Industry Wide Experience . 5.2 NUREG/CR-5633

5.2.1 Common Cause Failures 5.2 5.2.2 Human Errors . 5.4 5.2.3 Design/Engineering Problems and Errors 5.4 5.2.4 Component Failures . 5.5 6 References 6.1 figure 2.1 Turkey Point AFW System 2.3 Table 3.1 Risk Important Walkdown Table for Turkey Point AFW System Components . 3.5 N UREG/CR.-5633 Vl

1 Introduction This document is one of a series providing plant-specific The rcmaindcr of thc document describes and discusses inspection guidance for auxiliary feedwater (AFW) sys- the information used in compiling this inspection guid-tems at pressurized water reactors (PWRs). This guid- ance. Section 4.0 describes the risk importance informa-ance is based on information from probabilistic risk tion which has been derived from PRAs and its sources.

assessmcnts (PRAs) for similar PWRs, industry-wide As review of that section willshow, the failure events operating experience with AFW systems, plant-spcciTic identified in PRAs are rather broad (e.g., pump fails to AFW system descriptions, and plant-specific operating start or run, valve fails closed). Section 5.0 addresses experience. It is not a detailed inspection plan, but the specific failure causes which have been combined rather a compilation of AFW system failure information under thcsc broad events.

which has been screened for risk significance in terms of failure frequency and degradation of system perform- AFW system operating history was studied to identify

'ance. The result is a risk-prioritizcd listing of failure the various specific failures which have been aggregated events and their causes that are significant enough to into the PRA failure events. Section 5.1 presents a warrant consideration in inspection planning at Turkey summary of Turkey Point failure information, and Sec-Point. tion 5.2 presents a review of industry-wide failure infor-mation. Thc industry-wide information was compiled This inspection guidance is presented in Section 3.0, . from a variety of NRC sources, including AEOD analy-following a description of the Dtrkcy Point AFW system ses and reports, information notices, inspection and in Section 2.0. Section 3.0 identiTics the risk important enforcement bulletins, and generic letters, and from a system components by Turkey Point identification num- variety of INPO reports as well. Some Licensee Event ber, followed by brief descriptions of each of the various Reports and NPRDS event descriptions were also re-failure causes of that component. These include speciTic viewed. Finally, information was included from reports human errors, design deficiencies, and hardware fail- of NRC-sponsored studies of the effects of plant aging, ures. The discussions also identify where common cause which include quantitative analyses of reported AFW failures have affected multiple, redundant components. system failures. This industry-wide information was Thcsc brief discussions identify specific aspects of then combined with the plant-specific failure informa-system or component design, operation, maintenance, tion to identify the various root causes of the broad or testing for inspection by observation, records review, failure events used in PRAs, which are identified in training observation, procedures review, or by obser- Section 3.0.

vation of the implementation of procedures. An AFW system walkdown table identifying risk important com-ponents and their lineup for normal, standby system operation is also provided.

NUREG/CR-5633

2 Xbrkey Point AFW System This section presents an overview of the 11tr'kcy Point (3-1403,1404,1405; 4-1403,1404,1405), located upstream AFW system (Westinghouse 3 loop plant), including a of the main steam isolation valves. Each AFW pump is simpliflicd schematic system diagram. In addition, thc equipped with a continuous recirculation flow system, system success criterion, system dependencies, and which prevents pump deadhcading.

administrative operational constraints are also presented. Each AFW pump discharges through a check valve to one of two redundant discharge headers which are refer-red to as Rain 1 and1lain 2. Each of these trains feeds 2.1 System Description all thrcc S/Gs for both units. Each S/G auxiliary fccd-water linc for both headers is equipped with a flow ele-The AFW system consists of three turbine driven pumps ment, flow transmitter, and flow control valve that con-shared between the two units. It provides fecdwater to trols AFW flow to a predetermined flow rate of the stcam generators (SG) to allow secondary-side heat 130 gpm. The administratively controlled, locked open removal from either unit when main feedwater is un- and locked closed valve configuration, illustrated in available. The system is capable of functioning for Figurc 2.1, aligns the pumps so that pump A receives extended periods, which allows time to restore main stcam from S/G "C" of both units and discharges to thc feedwater flow or to proceed with an orderly cooldown Train 1 fecdwater header. Pumps B and C receive steam of thc plant to the point where thc residual heat removal from S/G "A" and "B" of both units and discharge to the (RHR) system can remove decay heat. Simpltiflied sche- Train 2 feedwater header. In addition to dual, redun-matics of the Turkey Point AFW system is shown in dant steam supply and discharge headers, power, con-Figure 2.1. trol, and instrumentation associated with the two AFW system trains are independent from each other.

The system is designed to start up and establish flow automatically. All three AFW pumps will start upon The two condensate storage tanks are the normal source any of the following conditions: Safety injection, bus of water for the AFW system. Each tank is required to stripping on one or both 4160V busses, low-low level in store a sufficient quantity of demineralized water to any stcam generator, trip of one main fcedwatcr pump maintain one reactor coolant system (RCS) at hot at less than 60% power or both main feedwater pumps standby conditions for 15 hours1.736111e-4 days <br />0.00417 hours <br />2.480159e-5 weeks <br />5.7075e-6 months <br /> and then to cool it to under normal operating conditions; and initiate auxil- 350 F, at which point the RHR system is put in service.

iary feedwatcr flow to the unit causing thc initiating All tank connections are located such that a continuous signal. Ifoffsite power is not available, thc two motor- reserve of 185,000 gallons is maintained for thc AFW driven standby steam generator feedwater pumps can be system. When CST level drops by 10%, the water treat-placed in service. These pumps are powered by separate ment plant begins makeup to the CST. Makeup rate is cranking diesels which supply the 4KV "C" busses. 400 gpm with both trains in operation. Backup AFW suction supply is provided by refilling the CST from thc Feedwatcr is supplied to each of the three AFW pumps Demineralized Water Tank or the Primary Water Stor-from either Unit 3 or 4 Condensate Storage Tanks age Tank. In addition, feedwatcr from thc coal fired (CST) through check valves and normally locked open Units (18') can be supplied to Units 3 and 4 through a gate valves. All of the AFW pumps arc turbine driven common header. The non-nuclear feedwater connects (TDAFW) and are capable of supplying thc stcam gene- to thc main feedwater regulating valve bypass line for rators of either unit. Steam is supplied to all three each steam generator, just upstream of thc bypass regu-AFW pump turbines from either unit, through auto- lating valve.

matically controlled motor operated valves 2.1 N UREG/CR-5633

AFW System 2.2 Success Criterion pumps and their associated flowpaths (steam and water) be operable. Ifone train of AFW becomes inoperable, System success requires the operation of at least one it must be restored to operable status within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> or TDAFW pump supplying rated flow to at least one of the affected unit must be placed in hot standby within thc three stcam generators within three minutes on a the next 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />. Ifboth trains of AFW are inoperable loss of normal fecdwatcr. for 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> the availability of both standby fcedwa ter pumps must be veriflicd and the affected unit(s) must be placed in hot standby within the next 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />.

2.3 System Dependencies When both units are operating, 1brkcy Point kchnical Speciflications require an indicated CST water volume of The AFW system depends on AC and DC power at vari- at least 370,000 gallons. Ifonc unit is operating and thc ous voltage levels for motor operated valve control other unit is in MODES 4,5, or 6, then Technical circuits, solenoid valves, and monitor and alarm circuits. Speciiflications require an indicated water volume of Instrument Air is required for several pneumatic control 185,000 gallons in either or both CS'K Ifone CST valves. Instrument Air is backed up by a Nitrogen becomes inoperablc, it must be restored to an operablc Supply System via several banks of accumulators. Stcam status within 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> or one unit has to be placed in hot availability is required for thc turbine driven AFW standby within the next 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />.

pumps.

With only one unit operating, 'Ibrkey Point Xchnical Specifications require either CST to bc operable with a 2.4 Operational Constraints contained volume of at least 185,000 gallons. With both water supplies from thc CS'8 inoperable for 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />, a When both units are operating above 3500F, Turkey water supply from either CST must be restored to Point Technical Specifications require two independent operable status or the unit must bc placed in hot auxiliary fcedwatcr trains including three (3) AFW standby within the next 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />.

NUREG/CR-5633 2.2

FEEDWATER FROM CST's TO STEAM GENERATORS 3-141 3 139

~

I STEAM SUPPLY FROM 3A STEAM GENERATORS Dc STEAM FROM 250 PSI REDUCING 3-080 ~ T&T 3-14 I

3.2816 3.140 LO 11g 375 M ~

MOTOR STATION 813 3404 348 A 3.08 B VALVE M Dc LO TRAIN 2 3 010 I

I 3 2831 LO ~ 001 3-1403 LO LO LO P83 CST X+A I 241 3 239 z 6459A t > I LC 3B 3406 LO I K 001A 002A G 3 2817 3 240 LO Ac I- 4-142 A

219 376 M MOTOR LC LC 3-007 003A LO I FROM TRAIN 1 I 14I8 A 4.08 B CST'S PUMP 3012 O LO 3.1404 3.2832 LO LO 083 3-144 ~

144 3.341 3 339 34107 LC I 3C Dc 3 2818 3.340 LO 319 377 M MOTOR TRAIN 1 30 A 3084B 3.242 3 006 VALVE LO 3-1405 LC LC p65 M Dc TO LC I CST ~1 002 3.014

~ 3.2833 001 B 002B 64S9B 4-008 I

G LO I

'O 'O ~B 44109 4.2831 243 4 242 44I A 4 084B Dc FROM TRAIN 2 LC 4 141 4-139 LC LC CST'S PUMP <i-119 375 M MOTOR P85 4A 4A 3.244 .244 4.2816 4.140 LO LO 4-1403 38'I 4 006 LO LO

-08 A 3086B

~ 44107 I

T&T I LC 4.P I I O 4 2832 Ac LC 087 VALVE 3-342 21 g 376 M MOTOR M Dc TO 4B 001C 002C 4.241 4 239 LC LO 4-1404 64S9C I 4B 382 LO LO 003 O 4.2817 4 240 LO 003C G 4-007 LC Dc 4.08 A 4 086B LC FROM C

343 TRAIN 2 LO 4.342

~ 4006 I

319 377 M MOTOR P87 I 4C TRAIN 1 CST'S TRAIN 2 O PUMP LC 44113 4.2833 LO 4.1405 383 4.080 STEAM FROM 250 -344 4.341 3.34'SI REDUCING TRAIN I i 4.339 STATION 814 I 4C O 4.2818 4 340 LO Figure 2.1 Turkey Point A&VSystem

3 Inspection Guidance 5'or The Turkey Point AFW System In this section the risk important components of thc 3.1.1 Multiple Pump Failures Due to Turkey Point AFW system are identified, and the impor- Common Cause tant failure modes for these components arc briefly described, Thcsc failure modes include specific human The following listing summarizes the most important errors, design deficiencies, and types of ltardware fail- multiple-pump failure modes identified in Section 5.2.1, ures which have been observed to occur for these com- Common Cause Failures, and each item is keyed to ponents, both at Turkey Point and at P WRs throughout entrics in that section.

the nuclear industry. The discussions also identify where common cause failures have affected multiple, re- Incorrect operator intervention into automatic dundant components. These brief discussions identify system functioning, including improper manual specific aspects of system, or component design, oper- starting and securing of pumps, has caused failure of ation, maintenance, or testing for inspection activities. all pumps, including overspecd trip on startup, and Thcsc activities include: observation, records review, inability to restart prematurely secured pumps.

training observation, proccdurcs review or by observa- CC1.

tion of the impletncntation of procedures.

Valve mispositioning has caused failure of all Table 3.1 is an abbreviated AFW system walkdown table pumps. Pump suction, steam supply, and which identifies risk important components. This table instrument isolation valves have been involved.

lists thc system lineup for normal (standby) system oper- CC2.

ation. Inspection of the components idcntificd in the AFW walkdown table addresses essentially all of the risk Stcam binding has caused failure of multiple pumps.

associated with AFW system operation. This resulted from leakage of hot fecdwater past check valves and a motor-operated valve into a common discltargc header. CC10. Multiple-pump 3.1 Risk Important AFW Components stcam binding has also resulted from improper valve and Failure Modes lineups, and from running a pump deadhcadcd.

CC3.

Common cause failures of multiple pumps are the most risk-important I'ailure modes of AFW system compo- Pump control circuit deficiencies or design modification errors have caused failures of multiple nents. These are followed in importance by single pump l'ailurcs, level control valve failures, and individual check pumps to auto start, spurious pump trips during valve leakage failures. operation, and failures to restart after pump shutdown. CC4. Incorrect setpoints and control The following sections address each of these failure circuit calibrations have also prcvcntcd proper operation of multiple pumps. CC5.

modes, in decreasing order of risk importance. They prcscnt intportant root causes of these component fail-Loss of a vital power bus has failed multiple pumps ure modes which have been distilled from historical duc to loss of control power to stcam admission records. Each item is keyed to discussions in Section 5.2 valves or to turbine controls. CC6.

where, additional information on historical events is presented.

3.1 NUREG/CR-5633

Inspection Guidance

~ Simultaneous startup of multiple pumps has caused resetting the other, indication in the control room oscillations of pump suction pressure causing of ITV position, and unambiguous local indication multiple-pump trips on low suction pressure, of an overspced trip affect thc likelihood of these despite the existence of adequate static net positive errors. DE3.

suction head (NPSH). CC7. Design reviews have idcntiflied inadequately sized suction piping which 3.1.3 Pump Unavailable Due to Maintenance could have yielded insufficient NPSH to support or Surveillance operation of more than one pump. CC8.

~ Both schcdulcd and unscheduled maintenance 3.1.2 'Dirbine Driven Pump A, 8 or C Fails to remove pumps from operability. Surveillance Start or Run requires operation with an altered line-up, although a pump train may not be declared inoperable during Improperly adjusted and inadequately maintained testing. Prompt scheduling and performance of turbine governors have caused pump failures. HE2. maintenance and surveillance minimize this Problems include worn or looscncd nuts, set screws, unavailability.

linkages or cable connections, oil leaks and/or con-tamination, and electrical failures of resistors, tran- 3.1.4 Air Opcratcd Flow Control Valves Fail sistors, diodes and circuit cards, and erroneous Closed grounds and connections. CF5. Similar failures have occurred at Turkey Point. 'I'rain 1: 3-2816, 2817, 2818; 4-2816, 2817, 2818

'I'rain 2 3 2831) 2832'833l 4 2831'832'833 Terry turbines with Woodward Model EG gover-nors have been found to overspeed trip iffull steam These normally closed air operated valves (AOVs) con-flow is allowed on startup. Sensitivity can be . trbl flow to thc steam generators. They fail closed on reduced ifa startup stcam bypass valve is sequenced loss of Instrument Air.

to open first. DE1.

Control circuit problems have been a printary cause lbrbincs with Woodward Model PG-PL governors of failures, both at 11trkey Point and elsewhere.

have tripped on overspecd when restarted shortly CF9. Valve failures have resulted from blown fuses, after shutdown, unless an operator has locally exer- failure of control components (such as current/

cised the speed setting knob to drain oil from the pneumatic convcrtors), broken or dirty contacts, governor spccd setting cylinder (per procedure). rnisaligncd or broken limit switches, control power Automatic oil dump valves are now availablc loss, and calibration problems. Degraded operation through Terry. DE4. has also resulted from irnpropcr air prcssure due to air regulator I'ailurc or leaking air lines.

Condensate slugs in stcam lines have caused turbine ovcrsPced trip on startup. lbsts repeated right after ~ - Out-of-adjustmcnt electrical flow controllers have such a trip may fail to indicate the problem due to caused improper discharge valve operation, affect-warming and clearing of thc stcam lines. Surveil- in'g multiple trains of AFW. CC12. Turkey Point lance should exercise all steam supply connections. has cxpcrienced calibration problems with flow DE2. controllers.

Trip and throttle valve (TI V) problems (MOV- Leakage of hot fcedivatcr through check valves has 6459A,B,C) which have failed the turbine driven caused thermal binding of normally closed flow pump include physically bumping it, failure to rcsct coritrol MOVs. AOVs may bc similarly susccptiblc.

it following testing, and failures to verify control CF2.

room indication of reset. HE2. Whether either the ovcrspeed trip or ITV trip can bc rcsct without N UREG/CR-5633 3.2

Inspection Guidance

~ 'IlirkcyPoint has experienced numerous air oper- 3.1.6 Manual Suction or Discharge Valves Fail ated controller malfunctions which resulted from Closed water in the instrument air system due to main-tenance inoperability of the air dryers. CF9.

CST Discharge Valves: 3-400, 144, 244, 344; 4-400, 144, 244, 344 3.1.5 Motor Operated Valves Fail Closed %min 1 (TD Pump A) 3 142p 141'41'41 4 142'41, 241, 341 TD Pump Stcam Stop: 3-1403, 1404, 1405; 4-1403, 'Pain 2 (TD Pumps II 4 C): 002, 003; 3-006, 007, 1404, 1405 008; 4-006, 007, 008 T A TValvcs: MOV-6459 A, 8, C Isolation Valves: 3-139, 239, 339; 4-139, 239, 339 TD Pump Recirculation Valves: 177, 277, 377 These normally closed MOVs isolate steam flow to the TD AFW pumps. They fail closed on loss of power. Both pairs of CST discharge valves are normally locked open and they supply suction to all three TD

~ Common cause failure of MOVs has resulted from AFW pumps. Pump A is normally aligned to supply failure to use electrical signature tracing equipment train 1 of both units and pumps B and Care normally to determine proper settings of torque switch and aligned to supply train 2 of bo'th units. The capability torque switch bypass switches. Failure to calibrate exists to valve any of thc three TD pumps to either train switch settings for high torques necessary under of either unit. K design basis accident conditions has also been involved. CC11. ~ Valve mispositioning has resulted in failures of multiple trains of AFW. CC2. It has also been the

~ Valve motors have been failed due to lack of, or dominant cause of problems identified during oper-improper sizing or use of thermal overload protec- ational readiness inspections. HE1. Events have tive devices. Bypassing and oversizing should be occurred most often during maintenance, calibra-based on proper engineering for design basis con- tion, or system modifications. Similar events have ditions. CF4. occurred at lhrkcy Point. Important causes of mis-positioning include:

Grcasc trapped in thc torque switch spring pack of Limitorquc SMB motor operators has caused motor Failure to provide complete, clear, and specific burnout or thermal overload trip by prcvcnting proccdurcs for tasks and system restoration torque switch actuation. CF8.

Failure to promptly revise and validate

~

Manually reversing the direction of motion of procedures, training, and diagrams following operating MOVs has overloaded the motor circuit. system Operating procedures should provide cautions, and modifications'ailure circuit designs may prevent reversal before each to complete all steps in a procedure stroke is finished. DE7.

Failure to adequately review uncompleted

~

Space heaters designed for preoperation storage 'procedural steps after task completion have been found wired in parallel with valve motors

,which had not been environmentally qualiTied with Failure to verify support functions atter them present. DE7. restoration 3.3 NUREG/CR-5633

Inspection Guidance Failure to adhere scrupulously to administrative ~ Slow leakage past thc final check valve of a series procedures regarding tagging, control and track- may not force check valves closed. Other check ing of valve operations valves in series may leak'similarly. Piping orien-tation and valve design are important factors in Failure to log the manipulation of sealed valves achieving true series protection. CF1.

Failure to follow good practices of written task assignmcnt and feedback of task completion 3.2 Risk Important AR'W System information Walkdown Table, Failure to provide easily read system drawings, legible valve labels corresponding to drawings Table 3.1 prcscnts an AFW system walkdown table and procedures, and labeled indications of local including only components identified as risk important.

valve position This information allows inspectors to concentrate their efforts on components important to prevention of core damage. However, it is essential to note that inspec-3.1.7 Leakage of Hot Fccdwatcr through tions sltould not focus exclusively on these components.

Check Valves: Other components which perform essential functions, but which are absent from this table because of high

'1'rain 1: 3-140, 240, 340; 4-140, 240, 340 reliability or redundancy, must also be addressed to

'1'rain 2: 3-010, 012, 014; 4-009, 011, 013 ensure that their risk importanccs are not increased.

Discharge TD Pumps: V-143, 243, 343 Examples include thc (locked-open) steam isolation valves upstream of the steam supply headers and an

~

Leakage of hot feedwater through several check adequate water level in the CST.

valves in series has caused steam binding of multiple pumps. Leakage through a closed level control-valve in series with check valves has also occurred, as would be required for leakage to reach any of thc pumps. CC10.

NUREG/CR-5633 3.4

Inspection Guidance Table 3.1 Risk Important Walkdown Table for Turkey I'oint A%V System Components Actual Conlponent A Component Name Required Position Position Electrical MOV 1403 S/G A Stcam Supply Valve Motor Racked In/Closed MOV 1404 S/G B Steam Supply Valve Motor Racked In/Closed MOV 1405 S/G C Steam Supply Valve Motor Racked In/Closed MOV 6459A TD Pump A TAT Valve Motor Racked In/Closed MOV 6459B TD Pump B TENT Valve Motor Racked In/Closed MOV 6459C TD Pump CTScT Valve Motor Racked In/Closed Valves 3-400 Unit 3 CST Outlet Valve Locked Open 4-400 Unit 4 CST Outlet Valve Locked Open 3-144 Unit 3 TD Pump A Suction Locked Open Isolation Valve 3-244 Unit 3 TD Pump B Suction Locked Open Isolation Valve 3-344 Unit 3TD Pump C Suction Locked Open Isolation Valve 4-144 Unit 4 TD Pump A Suction Locked Open Isolation Valve 4-244 Unit 4 TD Pump B Suction Locked Open Isolation Valve 4-344 Unit 4TD Pump CSuction Locked Open Isolation Valve 3-141 Unit 3 Train 1 TD Pump Locked Open Discharge Valve 3.5 NUREG/CR-5633

Inspection Guidance Table 3.1 (Continued)

Actual Component ¹ Component Name Required Position Position 3-142 Unit 3 'Bain 1 TD Pump Locked Open Discharge Valve 3-241 Unit 3 Bain 1 TD Pump Locked Open Discharge Valve 3-341 Unit3 Bain1TDPump Locked Open Discharge Valve 3-139 Unit 3 Train 1 TD Pump Locked Open Discharge Valve 3-239 Unit 3'Bain 1 TD Pump Locked Open Discharge Valve 3-339 Unit 3'Bain 1TD Pump Locked Open Discharge Valve AFPD-002 Unit 3 and 4'Bain 2TD Pump Locked Open Discharge Valve AFPD-003 Unit 3 and 4 Bain 2TD Pump Locked Open Discharge Valve 3-006 Unit 3 Train 2 TD Pump Locked Open Discharge Valve 3-007 Unit 3 Bain 2 TD Pump Locked Open Discharge Valve 3-008 Unit 3'Bain 2TD Pump Locked Open Discharge Valve 4-142 Unit 4 Bain 1 TD Pump Locked Open Discharge Valve 4-141 Unit 4 Bain 1 TD Pump Locked Open Discharge Valve 4-241 Unit 4 Train 1 TD Pump Locked Open Discharge Valve

. NUREG/CR-5633 3.6

Inspection Guidance Table 3.1 (Continued)

Actual Component ¹ Component Name Required Position Position 4-341 Unit 4 Train 1 TD Pump Locked Open Discharge Valve 4-139 Unit 4llain1TD Pump Locked Open Discharge Valve 4-239 Unit 4 Train 1 TD Pump Locked Open Discharge Valve 4-339 Unit 4 Train 1TD Pump Locked Open Discharge Valve 4-006 Unit 4 1lain 2 TD Pump Locked Open Discharge Valve 4-007 Unit 4 1lain 2 TD Pump Locked Open Discharge Valve 4-008 Unit 4 Train 2TD Pump Locked Open Discharge Valve 3-2816 Pain 1 Flow Control Valve Closed 3-2817 Train 1 Flow Control Valve Closed 3-2818 Train 1 Flow Control Valve Closed 4-2816 iiain 1 Flow Control Valve Closed 4-2817 'llain 1 Flow Control Valve Closed 4-2818 'ilain 1 Flow Control Valve Closed 3-2831 Train 2 Flow Control Valve Closed 3-2832 11 ain 2 Flow Control Valve Closed 3-2833 'Iiain 2 Flow Control Valve Closed 4-2831 1lain 2 Flow Control Valve Closed 4-2832 '1lain 2 Flow Control Valve Closed 3.7 NVREG/CR-5633

Inspection Guidance Table 3.1 (Continued)

Actual Conlponcnt ¹ Component Name Required Position Position 4-2833 Train 2 Flow Control Valve Closed 177 TDP A Recirculation Valve Locked Open 277 TDP 8 Recirculation Valve Locked Open 377 TDP C Recirculation Valve Locked Open TDP Steam Su lv Valves 3-319 Unit 3, Train 1 Locked Open 3-082A Unit 3, Train 1 Locked Open 3-0828 Unit 3, Train 1 Locked Open 3-119 Unit 3, Train 2 Locked Open 3-219 Unit 3, 'Ii.ain 2 Locked Open 3-004 Unit 3, liain 2 Locked Open 3-006 Unit 3, Train 2 Locked Open 3-007 Unit 3, Train 1 & 2 Cross-tie Locked Closed 0018 Unit 3 or 4, Train 2 Locked Open 0028 Unit 3 or 4, Train 2 Locked Open 001C Unit 3 or 4, Train 2 Locked Open 002C Unit 3 or 4, liain 2 Locked Open 4-319 Unit 4, Train 1 Locked Open 4-082A Unit 4, llain 1 Locked Open 4-0828 Unit 4, Train 1 Locked Open 4-119 Unit 4, liain 2 Locked Open NUREG/CR-5633 3.8

Inspection Guidance Table 3.1 (Continued) hctual Component Conlponcnt Nilnle Ilcquircd Position Position 0'-219 Unit 4, Tiain 2 Locked Open 4-004 Unit 4, Train 2 Locked Open 4-006 Unit 4, ii'ain 2 Locked Open 4-007 Unit 4, Train I 8 2 Cross-tie Locked Closed TDP Stcam Admission Valves MOV 3-1405 Unit 3, Tiain 1 Closed MOV 3-1403 Unit 3, Train 2 Closed TDP Stcam Admission Valves MOV 3-1404 Unit 3,1lain 2 Closed MOV 4-1405 Unit 4,'li'ain 1 Closed MOV 4-1403 Unit 4, Train 2 Closed MOV 4-1404 Unit 4, iiain 2 Closed MOV-6459A TDP A Throttle Trip Valve Open MOV-64598 TDP 8 Throttle Tiip Valve Open MOV-6459C TDP CThrottlc liip Valve Open Pi in U streamof Check Valves 3-140 'iiain I, 3A S/G Cool 3-240 'n ain 1, 38 S/G Cool 3-340 'iiain I, 3C S/G Cool 4-140 'iiain 1, 4A S/G Cool 4-240 Train 1, 48 S/G Cool 3.9 N UREG/CR-5633

Inspection Guidance Table 3.1 (Continued)

Actual Component 4 Component Name Required Position Position 4-340 Train 1, 4C S/G Cool 3-010 'Ilain 2, 3A S/G Cool 3-012 'Ilain 2, 3B S/G Cool 3-014 Train 2, 3C S/G Cool 4-009 Train 2,4A S/G Cool 4-011 Train 2,48 S/G Cool 4-013 Bain 2, 4C S/G Cool 143 TDP A Discharge Cool 243 TDP B Discharge Cool 343 TOP C Discharge Cool N UREG/CR-5633 3.10

4 Generic Risk Insights Prom PRAs PRAs for 13 PWRs were analyzed to identify risk- Loss of Main Iieedwater important accident sequences involving loss of AFW, and to identify and risk-prioritize the component failure ~ A feedwater line brcak drains the common water modes involved. The results of this analysis are source for MFW and AFW. The operators fail to described in this section. They are consistent with provide feedwater from other sources, and fail to results reported by INEL and BNL (Gregg ct al. 1988, initiate feed-and-bleed cooling, resulting in core and Travis et al. 1988). damage.

~ A loss of main fecdwater trips the plant, and AFW 4.1 Risk Important Accident Sequences fails due to operator error and hardware failures.

The operators fail to initiate feed-and-bleed cooling, Involving AFW System Failure resulting in core damage.

Loss of Power System Steam Generator 'Ibbe Rupture (SGTR)

~ A loss ofoffsite ower is followed by failure of ~

A SGTR is followed by failure of AFW. Coolant is AFW. Due to lack of actuating power, the power lost from the primary until the refueling water operated relief valves (PORVs) cannot be opened storage tank (RWST) is depleted. High pressure preventing adequate feed-and-bleed cooling, injection (HPI) fails since recirculation cannot be resulting in core damage. established from the empty sump, and core damage results.

~ A station blackout fails all AC power except Vital AC from DC invertors, and all decay heat removal systems except the turbine-driven AFW pump.

AFW subsequently fails due to battery depletion or 4.2 Risk Important Component Failure hardware failures, resulting in core damage. Modes

~ A DC bus fails, causing a trip and failure of the The generic component failure modes identiTied from power conversion system. One ~V motor- PRA analyses as important to AFW system failure are drivcn pump is failed by the bus loss, and the listed below in decreasing order of risk importance.

turbine-driven pump fails due to loss of turbine or valve control power. AFW is subsequently 1. 'Ibrbine-Driven Pump Failure to Start or Run.

lost completely due to other failures. Feed-and-:

bleed cooling fails because PORV control is 2. Motor-Driven Pump Failure to Start or Run.

lost, resulting in core damage.

3. TDP or MDP Unavailable due to lbst or

'l&nsient-Caused Reactor or 'lbrbinc Trip Maintenance.

~ A transient-caused tri is followed by a loss of the 4. AFW System Valve Failures power conversion system (PCS) and AFW. Feed-and-bleed cooling fails either due to failure of thc ~ steam admission valves operator to initiate it, or due to hardware failures, ~

trip and throttle valve resulting in core damage. ~ flow control valves

~

pump discharge valves

~

pump suction valves

~ valves in testing or maintenance.

N UREG/CR-5633

Generic Risk Insights

5. Supply/Suction Sources Common cause failures of AFW pumps are particularly risk important. Valve failures are somewhat less

~ condensate storage tank stop valve important due to the multiplicityof steam generators

- hot well inventory and connection paths. Human errors of greatest risk

~ suction valves. importance involve: failures to initiate or control system operation when required; failure to restore In addition to individual hardware, circuit, or proper system lineup after maintenance, or testing; and instrument failures, each of these failure modes may failure to switch to alternate sources when required.

result from common causes and human errors.

N UR EG/CR-5C)33

5 Failure Modes Determined From Operating Experience This section dcscribcs the primary root causes of AFW inadequate maintenance activities have necessitated system component failures, as determined from a review pump shutdown and repair.

of operating histories at 'Ibrkey Point and at other PWRs throughout the nuclear industry. Section 5.1 5.1.2 Flow Control and Isolation Valve describes experience at Turkey Point from 1972 to 1990.

Failures Section 5.2 summarizes information compiled from a variety of NRC sources, including AEOD analyses and More than forty-five events have resulted in impaired reports, information notices', inspection and cnforcc- operational readiness of thc air operated flow control mcnt bulletins, and generic letters, and from a variety of and motor operated isolation valves. Principal failure INPO reports as well. Some Licensee Event Reports causes were equipment wear, instrumentation, and con-and NPRDS event descriptions were also reviewed.

trol circuit failures, valve hardware failures, and human Finally, information was included from reports of NRC- errors. Valves have failed to operate properly due to sponsored studies of thc effects of plant aging, which blown fuses, failure of control components (such as I/P include quantitative analysis of AFW system failure convertors), broken or dirty contacts, misaligned or reports. This information was used to identify thc broken limit switches, control power loss, and operator various root causes expected for the broad PRA-based calibration problems. Poor quality instrument air has failure events identified in Section 4.0, resulting in the caused degraded flow control valve operation in a num-inspection guidelines presented in Section 3.0. ber of events due to failure of valve actuators. In many cases, air in sensing lines for flow transmitters has rcsultcd in erroneous flow indication. Human errors 5.1 Turkey Point Experience have resulted in improper control circuit calibration and limit switch adjustment.

The AFW system at Airkey Point has expcricnccd fail-ures of the AFW pumps, pump discharge flow control 5.1.3 'Ibrbine Driven Pump Steam Supply, valves, the turbine steam pressure control and supply Admission, and Control Valves valves, and turbine trip and throttle valves. Failure modes include electrical, instrumentation and control, ivlore than thirty events have resulted in degraded oper-hardware failures, and human errors.

ation ofsteam isolation or steam pressure control valves. Failure types included failures due to aging.

5.1.1 'Ibrbine Driven Pump Failures Deterioration of system hardware resulted in many occurrcnccs of valve binding, resulting in tripping of More than sixty events have resulted in decreased oper- overload devices. Pressure control and isolation valve ational readiness of thc turbine driven pumps. Failure seats were found to be steam cut. Also, isolation valves modes involved failures in instrumentation and control were found to leak due to cut or worn seats or foreign circuits, electrical faults, system hardware failures, and material under the valve seat. Dirty, worn, or mis-human errors. The turbine driven pump has tripped or aligned limit switch contacts have prevented proper failed to reach proper speed as a result of clogged lube valve operation. Improper air pressure resulting from oil lines, dirty limit switch contacts, water in instrument failed solenoid valves or air line leaks has caused fail-air supplied to valve actuators, misadjusted speed con- ures. Misaligned or out of calibration control circuits trol settings, shorted relays in the speed control circuit, and limit switches have resulted in a degraded opera-and dirty breaker contacts. Pump aging and wear has tional condition. Plugged air exhaust ports have been resulted in high bearing tempcraturcs and on one occa- found preventing full stroking of numerous valves.

sion, pump seizure. Improper part replacement and 5.1 NVREG/CR-5633

Failure Modes 5.1.4 Check Valves diesel driven pump would not restart due to a protective feature requiring complete shutdown, and the turbine-Approximately ten events of check valve failure have driven pump tripped on overspecd, requiring local reset occurred since 1972. In all but a few cases, normal wear of thc trip and throttle valve. In cases where manual and aging was cited as the failure mode, resulting in intervention is required during the early stages of a tran-leakage. sient, training should emphasize that actions should be performed methodically and deliberately to guard against such errors.

5.2 Industry V(ide Experience CC2. Valve mispositioning has accounted for a signifi-cant fraction of the human errors failing multiple trains Human errors, dcsign/enginccring problems and errors, of AFW. This includes closure of normally open suction and component failures arc the primary root causes of valves or steam supply valves, and of is'olation valves to AFW System failures identified in a review of industry sensors having control functions. Incorrect handswitch wide system operating history. Common cause failures, positioning and inadequate temporary wiring changes which disable more than one train of this operationally have also prevented automatic starts of multiple pumps.

redundant'system, are highly risk significant, and can Factors identiflicd in studies of mispositioning errors result from all of these causes. include failure to add newly installed valves to valve checklists, weak administrative control of tagging, resto-This section identifies important common cause failure ration, independent verification, and locked valve log-modes, and then provides a broader discussion of the ging, and inadequate adherence to procedures. Illegible single failure effects of human errors, design/ or confusing local valve labeling, and insufficient train-engineering problems and errors, and component fail- ing in the determination of valve position may cause or ures. Paragraphs presenting details of these failure mask mispositioning, and surveillance which docs not modes are coded (e.g., CC1) and cross-referenced by excrcisc complete system functioning may'ot reveal

'inspection items in Section 3. mispositionings.

5.2.1 Common Cause failures CC3. At ANO-2, both AFW pumps lost suction due to stcam binding when they were lined up to both the CST The dominant cause of AFW system multiple-train fail- and the hot startup/blowdown demincralizcr effluen ures has been human error. Design/engineering errors (AEOD/C404 1984). At Zion-1 steam created by run-and component failures have been less frequent, but ning the turbine-driven pump dcadhcaded for one nevertheless signiTicant, causes of multiple train failures. minute caused trip of a motor-driven pump sharing the same inlet header, as well as damage to the turbinc-CC1. Human error in the form of incorrect operator drivcn pump (Region 3 Morning Report, 1/17/90). Both intervention into automatic AFW system functioning .

events were caused by procedural inadequacies.

during transients resulted in the temporary loss of all safety-grade AFW pumps during events at Davis Besse CC4. Design/engineering errors have accounted for a (NUREG-1154 1985) and Trojan (AEOD/I'416 1983). smaller, but signiTicant fraction ol'common cause fail--

In the Davis Bcsse event, improper manual initiation of ures. Problems with control circuit design modifications the steam and fecdwater rupture control system at Farley defeated AFW pump auto-start on loss of (SFRCS) lcd to ovcrspecd tripping of both turbine- main feedwater. At Zion-2, restart of both motor driven driven AFW pumps, probably due to the introduction of pumps was blocked by circuit failure to deencrgize when condensate into the AFW turbines from the long, the pumps had bccn tripped with an automatic start unheated stcam supply lines. (Thc system had never signal present (IN 82-01 1982). In addition, AFW con-been tested with the abnormal, cross-connected steam trol circuit design reviews at Salem and Indian Point supply lineup which resulted.) In the Trojan event the have identiiflicd designs where failures of a single com-operator incorrectly stopped both AFW pumps due to ponent could have failed all or multiple'pumps misinterpretation of MFW pump speed indication. The (IN 87-34 1987).

NUREG/CR-5633 5.2

Failure Modes CC5. Incorrect setpoints and control circuit settings CC9. Asiatic clams caused failure of two AFW flow resulting from analysis errors and failures to update pro- control valves at Catawba-2 when low suction pressure cedures have also prevented pump start and caused caused by starting of a motor-driven pump caused suc-pumps to trip spuriously. Errors of this type may tion source realignment to the Nuclear Service Water remain undetected despite surveillance testing, unless system. Pipes had not been routinely treated to inhibit surveillance tests model all types of system initiation clam growth, nor regularly monitored to detect their and operating conditions. A greater fraction of instru- presence, and no strainers were installed. The need for mentation and control circuit problems has bccn idcnti- surveillance which exercises alternative system opera-flicd during actual system operation (as opposed to sur- tional modes, as well as complete system functioning, is veillance testing) than for other types of failures. emphasized by this event. Spurious suction switchover has also occurred at Callaway and at McGuire, although CC6. On two occasions at a foreign plant, failure of a no failures rcsul ted.

balance-of-plant inverter caused failure of two AFW pumps. In addition to loss of the motor driven pump CC10. Common cause failures have also been caused by whose auxiliary start relay was powered by thc invcrtor, component failures (AEOD/C404 1984). At Surry-2, thc turbine driven pump tripped on ovcrspecd because both thc turbine driven pump and one motor driven thc governor valve opened, allowing full steam flow to pump were declared inoperable due to stcam binding the turbine. This illustrates thc importance of assessing caused by leakage of hot water through multiple check the effects of failures of balance of plant equipmcnt valves. At Robinson-2 both motor driven pumps were whiclt supports the operation of critical components. found to be hot, and both motor and stcam driven The instrument'air system is another example of such a pumps werc found to be inoperablc at different times.

system. Backleakagc at Robinson-2 passed through closed motor-operated isolation valves in addition to multiple CC7. Multiple AFW pump trips have occurred at check valves. At Farley, both motor and turbine driven Millstone-3, Cook-1, '11ojan and Zion-2 (IN 87-53 1987) pump casings were found hot, although the pumps were caused by brief, low prcssure oscillations of suction pres- not declared inoperable. In addition to multi-train fail-sure during pump startup. These oscillations occurred ures, numerous incidents of single train failures have despite the availability of adequate static NPSH. Cor- occurred, resulting in the designation of "Stcam Binding rective actions taken include: extending the tirnc delay of Auxiliary Feedwater Pumps" as Generic Issue 93.

associated with the low pressure trip, removing the trip, This generic issue was resolved by Generic Letter 88-03

. and replacing the trip with an alarm and operator (Miraglia 1988), which required liccnsecs to monitor action. AFW piping temperatures each shift, and to maintain procedures for recognizing stcam binding and for restor-CC8. Design errors discovered during AFW system ing system operability.

reanalysis at the Robinson plant (IN 89-30 1989) and at Millstone-1 resulted in thc supply header from the CST CC11. Cotnmon cause failures have also failed motor being too small to provide adequate NPSH to the operated valves. During the total loss of fcedwater event

,pumps ifmore than onc of the three pumps werc oper- at Davis Bessc, the normally open AFW isolation valves ating at rated flow conditions. This could lead to rnul- failed to open after they were inadvertently closed. Thc tiple pump failure due to cavitation. Subsequent failure was duc to improper setting of the torque switch reviews at Robinson identiiflied a loss of feedwatcr tran- bypass switch, which prevents motor trip on thc high sient in which inadequate NPSH and flows less than torque rcquircd to unseat a closed valve. Previous prob-design values had occurred, but which were not rccog- lems with these valves had been addressed by increasing nizcd at the time. Event analysis and equipment trend- the torque switch trip sctpoint-a fix which failed during ing, as well as surveillance testing which duplicates ser- the event duc to the higher torque required due to high vice conditions as much as is practical, can help identify differential pressure across the valve. Similar common such design errors. mode failures of MOVs have also occurred in other 5.3 N UREG/CR-5633

Failure Modes systems, resulting in issuance of Generic Letter 89-10, HE3. Motor driven pumps have been failed by human "Safety Related Motor-Operated Valve Gating and errors in mispositioning handswitchcs, and by procedure Surveillance (Partlow 1989)." This generic letter deficiencies.

requires licensees to develop and implement a program to provide for the testing, inspection and maintenance 5.23 Design/Engineering Problems and of all safety-related MOVs to provide assurance that Errors they will function when subjected to design basis conditions. DE1. As noted above, the majority of AFW subsystem failures, and the greatest relative system degradation, CC12. Other component failures have also resulted in has been found to result from turbine-driven pump fail-AFW multi-train failures. These include out-of-adjust- ures. Overspced trips of Terry turbines controlled by ment electrical flow controllers resulting in improper Woodward governors have been a significant source of discharge valve operation, and a failure of oil cooler these failures (AEOD/C602 1986). In many cases these cooling water supply valves to open duc to silt accumu- ovcrspecd trips have been caused by slow response of a lation. Woodward Model EG governor on startup, at plants 1I where full steam flow is allowed immediately. This over-5.2.2 Human Errors sensitivity has been removed by installing a star tup stcam bypass valve which opens first, allowing a control-HE1. The overwhelmingly dominant cause of problems led turbine acceleration and buildup of oil pressure to identified during a series of operational readiness evalu- control thc governor valve when full stcam flow is ations of AFW systems was human performance. The admitted.

majority of these human perlormance problems resulted from incomplete and incorrect procedures, particularly DE2. Overspeed trips of 'Ibrry turbines have been with respect to valve lineup information. A study of caused by condensate in the steam supply lines.

valve mispositioning events involving human error Condensate slows down thc turbine, causing the gover-identiflicd failures in administrative control of tagging norvalve to open farther, and overspced results before and logging, procedural compliance and completion of the governor valve can respond, after the water slug steps, vcriflication of support systems, and inadequate clears. This was dctcrmincd to be the cause of the loss-procedures as important. Another study found that of-all-AFW event at Davis Besse (AEOD/602 1986),

valve mispositioning events occurred most often during with condensation enlranccd duc to the long length of maintenance, calibration, or modification activities. the cross-connected steam lines. Rcpcatcd tests follow-Insufficient training in determining valve position, and ing a cold-start trip may be successful duc to system heat in administrative requirements for controlling valve Up.

positioning were important causes, as was oral task assignment without task completion feedback. DE3. Turbine trip and throttle valve ( ITV) problems are a signiflieant cause of turbine driven pump failures HE2. Turbine driven pump failures have been caused by (IN 84-66). In some cases lack of ITV position indica-human errors in calibrating or adjusting governor speed tion in the control room prcvcnted recognition of a trip-control, poor governor nlaintenancc, incorrect adjust- ped ITV. In other cases it was possible to reset either mcnt of governor valve and ovcrspeed trip linkages, and the ovcrspecd trip or thc ITV without resetting thc errors associated witlt the trip and throttle valve (TI'V). other. This problem is compounded by the fact that the TTV-associated errors include physically bumping it, position of thc overspecd trip linkage can be misleading, failure to restore it to the correct position after testing, and the mechanism may lack labels indicating when it is and failures to verify control room indication of Tl'V in the tripped position (AEOD/C602 1986).

position following actuation.

NUREG/CR-5633 "

Failure Modes DE4. Startup of turbines with Woodward Model PG- 5.2.4 Component I~'nilures PL governors within 30 minutes of shutdown has resulted in overspeed trips when the speed setting knob Generic Issue II.E.6.1, "In Situ lbsting Of Valves" was was not exercised locally to drain oil from the speed divided into four sub-issues (Beckjord 1989), three of setting cylinder. Speed control is based on startup with which relate directly to prevention of AFW system an empty cylinder. Problems have involved turbine rota- component failure. At the request of the NRC, in situ tion due to both procedure violations and leaking stcam'. testing of check valves was addressed by the nuclear

'Ibrry has marketed two types of dump valves for auto- industry, resulting in thc EPRI,rcport, "Application matically draining the oil after shutdown (AEOD/C602 Guidelines for Check Valves in Nuclear Power Plants 1986). (Brooks 1988)." This extensive rcport provides informa-tion on check valve applications, limitations, and inspec-At Calvert Cliffs, a 1987 loss-of-offsite-power event tion techniques. In situ testing of MOVs was addressed required a quick, cold startup that resulted in turbine by Generic Letter 89-10, "Safety Related Motor-trip due to PG-PL governor stability problems. Thc Operated Valve 1bsting and Surveillance" (Partlow short-term corrective action was installation of stiffer 1989) which requires licensees'o develop and imple-buffer springs (IN 88-09 1988). Surveillance had always ment a program for testing, inspection and maintenance been preceded by turbine warmup, which illustrates the of all safety-related MOVs. "Thermal Overload Protec-importance of testing which duplicates service con- tion for Electric Motors on Safety-Related Motor-ditions as much as is practical. Opcrated Valves - Generic Issue II.E.6.1 (Rothberg 1988)" concludes that valve motors should be thermally DE5. Reduced viscosity of gear box oil heated by prior protected, yet in a way which emphasizes system func-operation caused failure of a motor driven pump to start tion over protection of the operator.

due to insufficient lube oil prcssure. Lowering the prcs-sure switch sctpoint solved the problem, which had not CF1. The common-cause steam binding effects of check been detected during testing. valve leakage were identified in Section 5.2.1, entry CC10. Numerous single-train events provide additional DE6. Watcrhammer at Palisades rcsultcd in AFW line insights into this problem. In some cases leakage of hot and hanger damage at both steam generators. The AFW MFW past multiple check valves in series has occurred spargers are located at the normal stcam generator level, because adequate valve-seating prcssure was limited to and are frequently covered and uncovered during level the valves closest to thc stcam generators (AEOD/C404 fluctuations. Waterhammcrs in top-feed-ring steam 1984). At Robinson, thc pump shutdown procedure was generators resulted in main feedline rupture at Maine changed to delay closing the MOVs until after thc check Yankee and feedwatcr pipe cracking at Indian Point-2 valves were seated. At Farley, check valves were (IN 84-32 1984). changed from swing type to lift type. Check valve rework has been done at a number of plants. Different valve DE7. Manually reversing thc direction of motion of an designs and manufacturers arc involved in this problem, operating valve has resulted in MOV failures where and recurring leakage has been cxpcrienced, even after such loading was not considered in thc design repair and replacement.

(AEOD/C603 1986). Control circuit design may prevent this, requiring stroke completion before reversal. CF2. At Robinson, heating of motor operated valves by check valve leakage has caused thermal binding and fail-DE8. At each of the units of the South'kxas Project, ure of AFW discharge valves to open on demand. At space heaters provided by the vendor for use in pre- Davis Bcsse, high difl'ercntial prcssure across AFW installation storage of MOVs were found to be wired in injection valves resulting from check valve leakage has parallel to the Class 1E 125 V DC motors for several prevented MOV operation (AEOD/C603 1986).

AFW valves (IR 50-489/89-11; 50-499/89-11 1989). Thc valves had been environmentally qualiTicd, but not with CF3. Gross check valve leakage at McGuire and the non-safety-related heaters energized. Robinson caused overprcssurimtion of the AFW 5.5 NUREG/CR-5633

Failure Modes suction piping. At a foreign PWR it resulted in a severe CF6. Electrohydraulic-operated discharge valves have waterhammer event. At Palo Verde-2 thc MFW suction performed very poorly, and three of the five units using piping was ovcrpressurizcd by check valve leakage from them have removed them due to recurrent failures.

the AFW system (AEOD/C404 1984). Gross check Failures included oil leaks, contaminated oil, and valve leakage through idle pumps represents a potential hydraulic pump failures.

diversion of AFW pump flow. L CF7. Control circuit failures were thc dominant source CF4. Roughly one third, of AFW system failures have of motor driven AFW pump failures (Casada 1989).

been due to valve operator failures, with about equal This includes the controls used for automatic and failures for MOVs and AOVs. Almost half of the MOV manual starting of the pumps, as opposed to the instru-failures were due to motor or switch failures (Casada mentation inputs. Most of the remaining problems were 1989). An extensive study of MOV events (AEOD/C603 due to circuit breaker failures.

1986) indicates continuing inoperability problems caused by: torque switch/limit switch settings, adjust- CF8. "Hydraulic lockup" of Limitorque SMB spring mcnts, or failures; motor burnout; improper sizing or packs has prevcntcd proper spring compression,to use of thermal overload devices; premature degradation actuate thc MOV torque switch, due to grease trapped related to inadequate use of protective devices; damage in the spring pack. During a surveillance at liojan, fail-due to misuse (valve throttling, valve operator hammer- ure of the torque switch to trip the TTV motor resulted ing); mechanical problems (loosened parts, improper in tripping of the thermal overload device, leaving thc assembly); or the torque switch bypass circuit improp- turbine driven pump inoperable for 40 days until the erly installed or adjusted. The study concluded tltat next surveillance (AEOD/E702 1987). Problems result current methods and procedures at many plants are not from grease changes to EXXON NEBULAEP-0 grease, adequate to assure that MOVs will operate when one of only two greases considered environmentally needed under crcdiblc accident conditions. SpcciTically, qualified by Limitorque. Due to lower viscosity, it a suiveillance test which tlie valve passed might result in slowly migrates from the gear case into the spring pack.

undetected valve inoperability due to component failure Grease changeover at Vermont Yankee affected 40 of (motor burnout, operator parts failure, stem disc sepa- thc older MOVs of which 32 werc safety related. Grease ration) or improper positioning of protective devices relief kits arc needed for MOV operators manufactured (thermal overload, torque switch, limit switch). Gcncric before 1975. At Limerick, additional grease relief was Lcttcr 89-10 (Partlow 1989) has subsequently required required for MOVs manufactured since 1975. MOV licensees to implement a program ensuring that MOV refurbishment programs may yield other changeovers to switch settings are maintained so that the valves will EP-0 grease.

operate under design basis conditions for the life of the plant. CF9. For AFW systems using air operated valves, almost half of the system degradation ltas resulted from CF5. Component problems have caused a significant failures of the valve controller circuit and its instrument number of turbine driven pump trips (AEOD/C602 inputs (Casada 1989). Failures occurred predominantly 1986). One group of cvcnts involved worn tappet nut at a few units using automatic electronic controllers for faces, loose cable connections, loosened set screws, the flow control valves, with the majority of failures due improperly latched ITVs, and improper assembly. to electrical hardware. At Turkey Point-3, controller Another involved oil leaks due to component or seal malfunction resulted from water in the Instrument Air failures, and oil co'ntamination due to poor maintenance system due to maintenance inoperability of the air activities. Governor oil may not bc shared with turbine drycrs.

lubrication oil, resulting in the need for separate oil changes. Electrical component failures included tran- CF10. For systems using diesel driven pumps, most of sistor or resistor failures due to moisture intrusion, the failures were duc to start control and governor speed erroneous grounds hand connections, diode failures, and control circuitry. Half of these occurred on demand, as a faulty circuit card. opposed to during testing (Casada 1989).

N UREG/CR-5633

Failure Modes CF11. For systems using AOVs, operability requires the system at several utilities (Letter, Roe to Richardson).

availability of Instrument Air (IA), backup air, or Generic Letter 88-14 (Miraglia 1988), requires liccnsces backup nitrogen. However, NRC Maintenance'Ram to verify by test that air-operated safety-related com-Inspections have identiTied inadequate testing of check ponents will perform as expected in accordance with all valves isolating the safety-related portion of the IA design-basis events, including a loss of normal IA.

5.7 NUREG/CR-5633

6 References Beckjord, E. S. June 30, 1989. Closeout of Generic Issue AEOD Reports II.E.6.1, "In Situ Testing of Valves". Letter to V. Stello, Jr., U.S. Nuclear Regulatory Commission, Washington, AEOD/C404. W. D. Lanning. July 1984. Steam Binding D.C. ofAuxiliaryFeedwater Pumps. U.S. Nuclear Regulatory Commission, Washington, D.C.

Brooks, B. P. 1988. Application Guidelines for Check Valves in Nuclear Power Plants. NP-5479, Electric AEOD/C602. C. Hsu. August 1986. Operational Power Research Institute, Palo Alto, CA. Experience Involving Turbine Overspeed Trips. U.S.

Nuclear Regulatory Commission, Washington, D.C.

Casada, D. A. 1989. AiixiliaryFeedwater System Aging Study. Volunie 1. Operating Experience and Current AEOD/C603. E. J. Brown. December 1986. A Review Monitoring Practices. NUREG/CR-5404. U.S. Nuclear ofMotor-Operated Valve Performance. U.S. Nuclear Regulatory Commission, Washington, D.C. Regulatory Commission, Washington, D.C.

Gregg, R. E., and R. E. Wright. 1988. Appendix Review AEOD/E702. E.J. Brown. March 19, 1987. MOV for Dominant Generic Contributors. BLB-31-88. Idaho Failure Due to Hydraulic Lockup From Excessive Grease National Engineering Laboratory, Idaho Falls, Idaho. in Spring Pack. U.S. Nuclear Regulatory Commission, Washington, D.C.

Miraglia, F. J. February 17, 1988. Resolution of Generic Safety Issue 93, "Steam Binding ofAuxiliaryFeedwater AEOD/T416. January 22, 1983. Loss ofESF Atixiliaty Pumps" (Generic Letter 88-03). U.S. Nuclear Regulatory Feedwater Pump Capability at Trojan on January 2~,

Commission, Washington, D.C. 1983. U.S. Nuclear Regulatory Commission, Washington, D.C.

Miraglia, F. J. August 8, 1988. Instnirnent AirSupply System Problems Affecting Safety-Related Equipment Information Notices (Generic Letter 88-14). U.S. Nuclear Regulatory Commission, Washington, D.C. IN 82-01. January 22, 1982. AuxiliaryFeedwater Piunp Lockout Resulting from IVestinghouse II'-2 Switch Circuit Partlow, J. G. Junc 28, 1989. Safety-Related Motor- Modification. U.S. Nuclear Regulatory Commission, Operated Valve Testing and Surveillance (Generic Letter Washington, D.C.

89-10). U.S. Nuclear Regulatory Commission, Washington, D.C. L IN 84-32. E. Jordan. April 18,1984. Auxiliary Feedwater Sparger and Pipe Hangar Damage. U.S.

Rothberg, O. Junc 1988. Thermal Overload Protection Nuclear Regulatory Commission, Washington, D.C.

for Electric Motors on Safety-Related Motor-Operated Valves- GenericIssuell.E.6.1. NUREG-1296. U.S. IN 84-66. August 17, 1984. Undetected Unavailability of Nuclear Regulatory Commission, Washington, D.C. the Tiirbine-Driven AuxiliatyFeedwater Train. U.S.

Nuclear Regulatory Commission, Washington, D.C.

Travis, R., and J. Ihylor. 1989. Development of Guidance for Generic, Fiuictionally Oriented PRA-Basetl IN 87-34. C. E. Rossi. July 24, 1987. Single Failures in Team Inspections for BIIrRPlants-Identification ofRisk- AuxiliaryFeedwater Systems. U.S. Nuclear Regulatory Important Systeins, Components and Hunian Actions. Commission, Washington, D.C.

TLR-A-3874-T6A. Brookhaven National Laboratory, Upton, New York.

6.1 NUREG/CR-5633

References IN 87-53. C. E. Rossi. October 20, 1987. Auxiliary Inspection Report Feedwater Pump Trips Resulting from Lotv Suction Pressure. U.S. Nuclear Regulatory Commission, IR 50-489/89-11; 50-499/89-11. May 26, 1989. Soutli Washington, D.C. Texas Proj ect Inspection Report. U.S. Nuclear Regulatory Commission, Washington, D.C.

IN88-09. C. E. Rossi. March 18, 1988. Reduced Reliability ofSteam-Driven AuxiliaryFeedwater Pumps NURHG Report Caused by Instability of Woodward PG-PL Type Governors. U.S. Nuclear Regulatory Commission, NUREG-1154. 1985. Loss ofMain and AuxiliaryFeed-Washington, D.C. water Event at the Davis Besse Plant on June 9, 1985.

U.S. Nuclear Regulatory Commission, Washington, IN 89-30. R. A. Azua. August 16, 1989. Robinson Uiu't D.C.

2 Inadequate NPSH ofAuxiliatyFeedwater Pumps. Also, Event Notification 16375, August 22, 1989. U.S.

Nuclear Regulatory Commission, Washington, D.C.

NUREG/CR-5633

Distribution No. of No. of

~Co ics ~Co ies OFFSITE 4 'Ibrke Point Resident Ins ections Office U.S. Nuclear Re ulato Commission J. H. Taylor Brookhavcn National Laboratory B. K. Grimes Bldg. 130 OWFN 9 A2 Upton, NY 11973 F. Congel R. Travis OWFN 10 E4 Brookhaven National Laboratory Bldg. 130 H. N. Berkow Upton, NY 11973 OWFN 14 H22 J. Bickcl A. El Bassioni EG8cG Idaho, Inc.

OWFN 10 A2 P.O. Box 1625 Idaho Falls, ID 83415 10 J.Chung OWFN 10 E4 Dr. D. R. Edwards Professor of Nuclear Engineering K. Campc University of Missouri - Rolla OWFN 1 A2 Rolla, MO 65401 2 B. Thomas OWFN 12 H26 ONSITE U.S. Nuclear Re ulato Commission - Re ion 2 26 Pacific Northwest Laborato A. F. Gibson S. R. Doctor K. D. Landis L. R. Dodd L. A. Reyes B. F. Gore (10)

N.E. Moffitt(5)

B. D. Shipp F. A. Simonen T. V. Vo Publishing Coordination Technical Report File (5)

Distr.1 NUREG/CR-5633

NRC FOAM 336 U.S. NUCLEAR REGULATORY COMMISSION I, REPORT I<UMBER I24I9< IA<<<e<<<o lrr NRC, Ao<t Vor., S<<oo Ass.,

NRCM 1102. ~ no Aoorno<<m tllrmo<rs, ls sne,l 220 I. 2202 BIB LIOG RAP HIC DATA SHEET

/See rnstnrctrons on the ieeetsej NUREG/CR-5633

2. TITLE AND SUBTITLc PNL-7454 Auxiliary Feedwater System Risk-Based Inspection Guide for the 3. DATE REPORT PUBLISHED Turkey Point Nuclear Power Plant MONT<< YEAR April 1992 4 FIN OR GRANT NUMBER L1310 S. AUTHORISI 6. TYPE OF REPORT N. E. Moffitt, B. F. Gore, T. V. Vo Technical 7, PERIOD COVERED Irncrosrrr Oirrsr 7/90 to 2/92 6, PER FORM ItIG ORGANIZATIONNAME ANO ADDRESS IIINRC prr<<roe Oil<<em, OIIKe or Rreron. US. Iree<err Ree<ruro<Y Comm<urn<<, ino ms<<<<<I ioerru it con<rector pros<or nolle en<r mi rmt i<so<eccl Pacific Northwest Laboratory Richlandl WA 99352 B. SPONSORING ORGANIZATION en<I mrilire noorr<AI

- NAME AND ADDRESS IIINRC. ryoe "Semi is coo~ lrl co succor pn u IIRCO<< ~. OIIKior Reenrn US, Irocltrr Rtpalrsron Commrunm.

Division of Radiation Protection and Emergency Preparedness Office of Nuclear Reactor Regulation U.S. Nuclear Regulatory Commission Washington> DC 20555

10. SUPPLEMENTARY NOTES

11. ABSTRACT l200 <<onls or scut In a study sponsored by the U.S. Nuclear Regulatoiy Commission (NRC)l Pacific Northwest f.aboratory has developed and applied a methodology for deriving plant-specific risk-based inspection guidance for the auxiliary feedwater (AFW) system at pressurized water reactors that have not undergone probabilistic risk assessment (PRA). This methodology uses existing PRA results and plant operating experience information. Existing PRA-based inspection guidance information recently developed for the NRC for various plants was used to identify generic component failure modes. This information was then combined with plant-specific and industry-wide component information and failure data to identify failure modes and failure mechanisms for the AFW system at the selected plants. Turkey Point was selected as one of a .eries of plants for study. The product of this effort is a prioritized listing of AFW failures which have occurred at the Tplant and at other PWRs. This listing is intended for use by NRC inspectors in the preparation of inspection plans addressing AFW risk-important components at the Turkey Point plant.

12. KEY WOROSTDESCRIPTORS ILI<r <<onrs o piro<is rnu <<il iuur msearrruuin rocerrne ms ~oon./ I2. AVASLAI<ILITYSTATEMENT Unlimited tc. sscvR<TY cLAsssr scAT<Qr<

Inspection, Risk, PRAI turkey Points Au<,iliary Feedwater (AFW)

ITn>> Peril Unclassified I Th<s Rrponl Unclassified

15. NUMBER OF PAGES

16. PRICE NRC CORM 'lSA <2JIO<

THIS DOCUMENT WAS PRINTED USING RECYCLED PAPER