ML17349A213
| ML17349A213 | |
| Person / Time | |
|---|---|
| Site: | Turkey Point  |
| Issue date: | 04/30/1992 |
| From: | Gore B, Moffitt N, Vo T Battelle Memorial Institute, PACIFIC NORTHWEST NATION |
| To: | Office of Nuclear Reactor Regulation |
| References | |
| CON-FIN-L-1310 NUREG-CR-5633, PNL-7454, NUDOCS 9205140204 | |
| Download: ML17349A213 (36) | |
Text
NUREG/CR5633 PNL7454 AuxiliaryFeedwater System Risk-Based Inspection Guide for the Turkey Point Nuclear Power Plant
-NOTICE-Prepared by N. E. Moffitt,B. F. Gore, T. V. Vo Pacific Northwest Laboratory Operated by Battelle Memorial Institute Prepared for U.S. Nuclear Regulatory Commission THE ATTACHED FILES ARE OFFICIAL RECORDS OF THE"INFORMATION 8 REPORTS MANAGEMENT BRANCH.
THEY HAVEBEEN CHARGED TO YOU FOR A E.IMITED TIME PERIOD AND MUST BE RETURNED TO THE RE-CORDS 8 ARCHIVES SERVICES SEC-TION P1-22 WHITE FLINT. PLEASE DO NOT 'SEND DOCUMENTS CHARGED OUT THROUGH THE MAIL.REMOVAI
,OF ANY PAGE(S) FROM DOCUMENT FOR REPRODUCTION MUST BE RE-FERRED TO FILE PERSONNEL.
-NOTICE-
~,
'7205140204 920430 I
PDR ADOCK 05000250 9
AVAILABILITYNOTICE Availabilityof Reference Materials Cited In NRC Publications Most documents cited In NRC publications will bo available from one of the following sources:
1.
The NRC Public Document Room, 2120 L Street, NW., Lower Level, Washington, DC 20555 2.
The Superintendent of Documents, U.S. Government Printing Office, P.O. Box 37082, Washington, DC 20013-7082 3.
The National Technical Information Service, Springfield, VA 22161 Although the listing that follows represents the maJorlty of documents cited In NRC publications, It Is not Intended to be exhaustive.
Referoncod documents available for Inspection and copying for a foo from the NRC Public Document Room Include NRC correspondence and Internal NRC momoranda; NRC bulletins, circulars, information notices, Inspection and Investigation notices: llconsoo evont reports; vendor reports and correspondonco; Commis-sion papers; and applicant and licensee documents and correspondence.
The following documents In the NUREG series are available for purchase from the GPO Sales Program:
formal NRC staff and contractor reports, NRC-sponsored conference proceedings, international agreement reports, grant publications, and NRC booklets and brochures.
Also available aro regulatory guldos, NRC regulations In the Code of Federal Regulations.
and Nuclear Regulatory Commission lssuances.
Documents available from tho National Technical Information Service Include NUREG-series reports and technical reports prepared by other Federal agencies and reports prepared by the Atomic Energy Commis-sion, forerunner agency to the Nuclear Regulatory Commission.
Documonts available from public and special technical libraries include all open literature Items, such as books, Journal articles, and transactions.
Federal Register notices, Federal and State legislation, and con-gressional reports can usually bo obtained from those libraries.
Documents such as theses, dissertatlons, foreign reports and translations, and non-NRC conference pro-ceedings are available for purchase from tho organization sponsoring the publication cited.
I Single copies of NRC draft reports aro available free, to the extent of supply, upon written roquost to the Office of Administration, Distribution and Mall Servlcos Section.
U.S. Nuclear Rogulatory Commission, Washington, DC 20555.
Copies of Industry codes and standards used In a substantive manner In the NRC regulatory process are maintained at the NRC Library;7920 Norfolk Avonuo, Bethesda, Maryland, for use by tho public. Codes and standards are usually copyrighted and may be purchased from tho originating organization or, If they are American National Standards, from the American National Standards Institute, 1430 Broadway, New York, NY 10018.
DISCIAIMERNOTICE This report was prepared as an account of work sponsored by an agency of the United States Government.
Neither the United States Government nor any agency thereof, orany oftheir employees, makes any warranty, expressed or implied, or assumes any legal liabilityof responsibility for any third party's use, or the results of such use, ofany information, apparatus, product or process disclosed in this report, or represents that Its use by such third party would not infringe privately owned rights.
NUREG/CR5633 PNL-7454 AuxiliaryFeedwater System Risk-Based Inspection Guide for the Turkey Point Nuclear Power Plant Manuscript Completed: February 1992 Date Published: April 1992 Prepared by N. E. Moffitt,B. F. Gore, T. V. Vo Pacific Northwest Laboratory Richland, WA 99352 Prepared for Division of Radiation Protection and Emergency Preparedness Office of Nuclear Reactor Regulation U.S. Nuclear Regulatory Commission Washington, DC 20555 NRC FIN L1310
Summary This document presents a compilation ofauxiliary feedwater (AFW)system failure information which has been screened for risk significance in terms offailure I'rcquency and degradation ofsystem performance.
It is a risk-prioritizcd listing offailure events and their causes that are significant enough to warrant consideration in inspection planning at the Turkey Point plant. This information is presented to provide inspectors with increased resources for inspection planning at Turkey Point.
The risk importance ofvarious cotnponcnt failure modes was idcntiTied by analysis of the results ofprobabilistic risk assessments (PRAs) for many pressurized water reactors (PWRs). However, the component failure categories identified in PRAs are rather broad, because thc failure data used in thc PRAs is an aggregate of many individual failures having a variety ofroot causes.
In order to help inspectors focus on specific aspects ofcomponent operation, maintenance and design which might cause thcsc failures, an extensive review ofcomponent failure information was perforrncd to identify and rank the root causes of these component failures. Both Turkey Point and industry-wide failure information was analyzed.
Failure causes were sorted on the basis of frequency ofoccurrence and seriousness ofconscquencc, and categorized as common cause failures, human errors, design problems, or component failures.
This information is presented in the body of this document.
Section 3.0 provide brief descriptions of these risk-irnportant failure causes, and Section 5.0 prcscnts more extensive discussions, with spcciTic examples and references.
The entries in the two sections arc cross-referenced.
An abbreviated system walkdown table is presented in Section 3.2 which includes only components identified as risk important. This table lists thc system lineup for normal, standby system operation.
This information permits an inspector to concentrate on components important to the prevention ofcore damage.
However, it is important to note that inspections should not focus exclusively on these components.
Other components which perform essential functions, but which are not included because of high reliabilityor redundancy, must also be addrcsscd to ensure that degradation does not increase their failure probabilities, and hence their risk importance.
N0 REG/CR-SC>33
kl
Contents Summary 1
Introduction 2
lltrkcyPoint AFWSystcrn 2.1 2.1 System Description....
2.2 Success Criterion 2.3 System Dependencies 2.4 Operational Constraints 2.1 2.2 2.2 2.2 3
Inspection Guidance For The Turkey Point AFW Systcrn 3.1 3.1 Risk Important AFW Components and Failure Modes 3.1.1 MultiplePump Failures Due to Common Cause 3.1.2 Turbine Driven Pump A, 8, or C Fails to Start or Run 3.1.3 Pump Unavailable Due to Maintenance or Surveillance 3.1.4 AirOperated Control Valves Fail Closed 3.1.5 Motor Operated Valves Fail Closed 3.1.6 Manual Suction or Discharge Valves Fail Closed 3.1.7 Lcakagc ofHot Fcedwater Through Check Valves.
3.1 3.1 3.2 3.2 3.2 3.3 3.3 3,4 3.2 Risk Important AFW System Walkdown Htble.
3.4 4
Generic Risk Insights From PRAs 4.1 4.1 Risk Important Accident Scquenccs Involving AFW System I=ailurc.........................
4.2 Risk Important Component Failure Modes 4.1 4.1 5
Failure Modes Determined From Operating Experience 5.1 5.1 'IIIrkcyPoint Experience 5.1 5.1.1 11trbine Driven Pump Failures 5.1.2 Flow Control and Isolation Valve Failures 5.1.3 Turbine Driven Pump Steam Supply, Admission and Control Valves 5.1.4 Cheek Valves 5.1 5.1 5.1 5.2 5.2 Industry Wide Experience 5.2 NUREG/CR-5633
5.2.1 Common Cause Failures 5.2.2 Human Errors.
5.2.3 Design/Engineering Problems and Errors 5.2.4 Component Failures 6
References 5.2 5.4 5.4 5.5 6.1 figure 2.1 Turkey Point AFW System 2.3 Table 3.1 Risk Important Walkdown Table forTurkey Point AFW System Components 3.5 NUREG/CR.-5633 Vl
1 Introduction This document is one ofa series providing plant-specific inspection guidance forauxiliary feedwater (AFW) sys-tems at pressurized water reactors (PWRs). This guid-ance is based on information from probabilistic risk assessmcnts (PRAs) forsimilar PWRs, industry-wide operating experience with AFWsystems, plant-spcciTic AFWsystem descriptions, and plant-specific operating experience. It is not a detailed inspection plan, but rather a compilation ofAFWsystem failure information which has been screened for risk significance in terms of failure frequency and degradation ofsystem perform-
'ance. The result is a risk-prioritizcd listing offailure events and their causes that are significant enough to warrant consideration in inspection planning at Turkey Point.
This inspection guidance is presented in Section 3.0, followinga description of the Dtrkcy Point AFWsystem in Section 2.0. Section 3.0 identiTics the risk important system components by Turkey Point identification num-ber, followed by briefdescriptions ofeach of the various failure causes ofthat component.
These include speciTic human errors, design deficiencies, and hardware fail-ures. The discussions also identify where common cause failures have affected multiple, redundant components.
Thcsc brief discussions identify specific aspects of system or component design, operation, maintenance, or testing for inspection by observation, records review, training observation, procedures review, or by obser-vation ofthe implementation of procedures.
An AFW system walkdown table identifying risk important com-ponents and their lineup for normal, standby system operation is also provided.
The rcmaindcr ofthc document describes and discusses the information used in compiling this inspection guid-ance. Section 4.0 describes the risk importance informa-tion which has been derived from PRAs and its sources.
As review ofthat section willshow, the failure events identified in PRAs are rather broad (e.g., pump fails to start or run, valve fails closed). Section 5.0 addresses the specific failure causes which have been combined under thcsc broad events.
AFWsystem operating history was studied to identify the various specific failures which have been aggregated into the PRA failure events. Section 5.1 presents a
summary ofTurkey Point failure information, and Sec-tion 5.2 presents a review ofindustry-wide failure infor-mation. Thc industry-wide information was compiled
. from a variety ofNRC sources, including AEOD analy-ses and reports, information notices, inspection and enforcement bulletins, and generic letters, and from a variety ofINPO reports as well. Some Licensee Event Reports and NPRDS event descriptions were also re-viewed. Finally, information was included from reports ofNRC-sponsored studies of the effects of plant aging, which include quantitative analyses ofreported AFW system failures. This industry-wide information was then combined with the plant-specific failure informa-tion to identify the various root causes of the broad failure events used in PRAs, which are identified in Section 3.0.
2 Xbrkey Point AFW System This section presents an overview of the 11tr'kcy Point AFWsystem (Westinghouse 3 loop plant), including a simpliflicdschematic system diagram. In addition, thc system success criterion, system dependencies, and administrative operational constraints are also presented.
2.1 System Description
The AFWsystem consists of three turbine driven pumps shared between the two units. It provides fecdwater to the stcam generators (SG) to allow secondary-side heat removal from either unit when main feedwater is un-available. The system is capable offunctioning for extended periods, which allows time to restore main feedwater flowor to proceed with an orderly cooldown of thc plant to the point where thc residual heat removal (RHR) system can remove decay heat. Simpltiflied sche-matics of the Turkey Point AFWsystem is shown in Figure 2.1.
The system is designed to start up and establish flow automatically. Allthree AFWpumps willstart upon any of the followingconditions: Safety injection, bus stripping on one or both 4160V busses, low-low level in any stcam generator, trip ofone main fcedwatcr pump at less than 60% power or both main feedwater pumps under normal operating conditions; and initiate auxil-iary feedwatcr flowto the unit causing thc initiating signal. Ifoffsite power is not available, thc two motor-driven standby steam generator feedwater pumps can be placed in service. These pumps are powered by separate cranking diesels which supply the 4KV"C" busses.
Feedwatcr is supplied to each of the three AFW pumps from either Unit 3 or 4 Condensate Storage Tanks (CST) through check valves and normally locked open gate valves. Allof the AFW pumps arc turbine driven (TDAFW)and are capable ofsupplying thc stcam gene-rators ofeither unit. Steam is supplied to all three AFW pump turbines from either unit, through auto-matically controlled motor operated valves (3-1403,1404,1405; 4-1403,1404,1405), located upstream of the main steam isolation valves. Each AFW pump is equipped with a continuous recirculation flowsystem, which prevents pump deadhcading.
Each AFW pump discharges through a check valve to one of two redundant discharge headers which are refer-red to as Rain 1 and1lain 2. Each of these trains feeds all thrcc S/Gs for both units. Each S/G auxiliary fccd-water linc for both headers is equipped with a flowele-ment, flowtransmitter, and flowcontrol valve that con-trols AFW flowto a predetermined flowrate of 130 gpm. The administratively controlled, locked open and locked closed valve configuration, illustrated in Figurc 2.1, aligns the pumps so that pump Areceives stcam from S/G "C"of both units and discharges to thc Train 1 fecdwater header.
Pumps B and C receive steam from S/G "A"and "B"ofboth units and discharge to the Train 2 feedwater header.
In addition to dual, redun-dant steam supply and discharge headers, power, con-trol, and instrumentation associated with the two AFW system trains are independent from each other.
The two condensate storage tanks are the normal source ofwater for the AFWsystem.
Each tank is required to store a sufficient quantity ofdemineralized water to maintain one reactor coolant system (RCS) at hot standby conditions for 15 hours1.736111e-4 days <br />0.00417 hours <br />2.480159e-5 weeks <br />5.7075e-6 months <br /> and then to cool it to 350 F, at which point the RHR system is put in service.
Alltank connections are located such that a continuous reserve of 185,000 gallons is maintained for thc AFW system.
When CST level drops by 10%, the water treat-ment plant begins makeup to the CST. Makeup rate is 400 gpm with both trains in operation.
Backup AFW suction supply is provided by refillingthe CST from thc Demineralized Water Tank or the Primary Water Stor-age Tank. In addition, feedwatcr from thc coal fired Units (18') can be supplied to Units 3 and 4 through a common header.
The non-nuclear feedwater connects to thc main feedwater regulating valve bypass line for each steam generator, just upstream ofthc bypass regu-lating valve.
2.1 NUREG/CR-5633
AFW System 2.2 Success Criterion System success requires the operation ofat least one TDAFWpump supplying rated flowto at least one of thc three stcam generators within three minutes on a loss ofnormal fecdwatcr.
2.3 System Dependencies The AFWsystem depends on ACand DC power at vari-ous voltage levels for motor operated valve control circuits, solenoid valves, and monitor and alarm circuits.
Instrument Airis required for several pneumatic control valves. Instrument Airis backed up by a Nitrogen Supply System via several banks ofaccumulators.
Stcam availability is required for thc turbine driven AFW pumps.
2.4 Operational Constraints When both units are operating above 3500F, Turkey Point Technical Specifications require two independent auxiliary fcedwatcr trains including three (3) AFW pumps and their associated flowpaths (steam and water) be operable. Ifone train ofAFW becomes inoperable, it must be restored to operable status within72 hours or the affected unit must be placed in hot standby within the next 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />. Ifboth trains ofAFWare inoperable for2 hours the availabilityofboth standby fcedwa ter pumps must be veriflicd and the affected unit(s) must be placed in hot standby within the next 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />.
When both units are operating, 1brkcy Point kchnical Speciflications require an indicated CST water volume of at least 370,000 gallons. Ifonc unit is operating and thc other unit is in MODES 4,5, or 6, then Technical Speciiflications require an indicated water volume of 185,000 gallons in either or both CS'K Ifone CST becomes inoperablc, it must be restored to an operablc status within 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> or one unit has to be placed in hot standby within the next 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />.
With only one unit operating, 'Ibrkey Point Xchnical Specifications require either CST to bc operable with a contained volume ofat least 185,000 gallons. With both water supplies from thc CS'8 inoperable for 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />, a water supply from either CST must be restored to operable status or the unit must bc placed in hot standby within the next 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />.
NUREG/CR-5633 2.2
STEAM SUPPLY FROM STEAM GENERATORS 11g 375 LO 219 376 LO STEAM FROM 250 Dc PSI REDUCING 3-080 ~
MOTOR STATION 813 M
~ 3404 3-1403 3406 Ac M MOTOR LO ~z LO KI-3.1404 34107 LC 319 377 LO Dc M MOTOR 3-1405 TRAIN 1 Ac 4B 21 g 376 M MOTOR LO 4-1404 382 4-007 LC Dc 119 375 M MOTOR 4A LO 4-1403 38'I LO 4 006 LO LO LO P83 001A 002A CST X+AI 6459A t
> I G
3-14 LO 001 LC 4-142 LC LC 003A 14I8 A 4.08 B LO LO 083 FROM CST'S 3-144 A
TRAIN 1 PUMP
~ 144 LO 30 A 3084B VALVE 3.242 LC LC p65 001 B 002B
'O
'O
~B 44I A 4 084B LC LC P85 M Dc TO CST ~1 64S9B G
FROM CST'S 3.244 243 TRAIN2 PUMP
-08 A 3086B LC LC 087 001C 002C LO LO 003C 4.08 A 4 086B T&T VALVE M Dc TO 64S9C G
C 343 3-342 LC 003 LO 4.342 T&T VALVE 348 A 3.08 B
M Dc FEEDWATER FROM CST's TO STEAM GENERATORS 3-141 I
I 3.2816 3.140 3 ~ 139 LO 3A I
I 3 2831 3 010 241 I
3 2817 3 240 3-007 I
I 3012 O
3.2832 3.341 I
3 2818 3.340 TRAIN2 3 239 LO 3B 3 339 LO 3C 3 006 3.014~ 4-008 44109 I
3.2833 I
I 4.2831 LO 4 141
<i-4.2816 4.140 4-139
~
44107 I
I 4.P I I O
4 2832 4 239 LO 4.241 I
O 4.2817 4 240
~ 4006 I
4A 4B 4C Dc 319 377 M MOTOR LO 4.1405 383 TRAIN 1 LC P87 FROM CST'S 4.080 STEAM FROM 250 3.34'SI REDUCING STATION 814 TRAIN2 PUMP
-344 LC TRAIN2 I
44113 O
4.2833 TRAIN I 4.341 i
I O
4.2818 4 340 4.339 LO 4C Figure 2.1 Turkey Point A&VSystem
3 Inspection Guidance 5'or The Turkey Point AFW System In this section the risk important components of thc Turkey Point AFW system are identified, and the impor-tant failure modes for these components arc briefly described, Thcsc failure modes include specific human errors, design deficiencies, and types of ltardware fail-ures which have been observed to occur for these com-ponents, both at Turkey Point and at P WRs throughout the nuclear industry. The discussions also identify where common cause failures have affected multiple, re-dundant components.
These brief discussions identify specific aspects ofsystem, or component design, oper-ation, maintenance, or testing for inspection activities.
Thcsc activities include: observation, records review, training observation, proccdurcs review or by observa-tion of the impletncntation of procedures.
Table 3.1 is an abbreviated AFW system walkdown table which identifies risk important components.
This table lists thc system lineup for normal (standby) system oper-ation. Inspection of the components idcntificd in the AFWwalkdown table addresses essentially all of the risk associated with AFWsystem operation.
3.1 Risk Important AFW Components and Failure Modes Common cause failures ofmultiple pumps are the most risk-important I'ailure modes ofAFWsystem compo-nents. These are followed in importance by single pump l'ailurcs, level control valve failures, and individual check valve leakage failures.
The followingsections address each of these failure modes, in decreasing order of risk importance. They prcscnt intportant root causes of these component fail-ure modes which have been distilled from historical records.
Each item is keyed to discussions in Section 5.2 where, additional information on historical events is presented.
3.1.1 MultiplePump Failures Due to Common Cause The followinglisting summarizes the most important multiple-pump failure modes identified in Section 5.2.1, Common Cause Failures, and each item is keyed to entrics in that section.
Incorrect operator intervention into automatic system functioning, including improper manual starting and securing ofpumps, has caused failure of all pumps, including overspecd trip on startup, and inability to restart prematurely secured pumps.
CC1.
Valve mispositioning has caused failure of all pumps. Pump suction, steam supply, and instrument isolation valves have been involved.
CC2.
Stcam binding has caused failure ofmultiple pumps.
This resulted from leakage of hot fecdwater past check valves and a motor-operated valve into a common discltargc header. CC10. Multiple-pump stcam binding has also resulted from improper valve lineups, and from running a pump deadhcadcd.
CC3.
Pump control circuit deficiencies or design modification errors have caused failures ofmultiple pumps to auto start, spurious pump trips during operation, and failures to restart after pump shutdown.
CC4. Incorrect setpoints and control circuit calibrations have also prcvcntcd proper operation of multiple pumps.
CC5.
Loss ofa vital power bus has failed multiple pumps duc to loss of control power to stcam admission valves or to turbine controls. CC6.
3.1 NUREG/CR-5633
Inspection Guidance
~
Simultaneous startup ofmultiple pumps has caused oscillations of pump suction pressure causing multiple-pump trips on low suction pressure, despite the existence ofadequate static net positive suction head (NPSH). CC7. Design reviews have idcntiflied inadequately sized suction piping which could have yielded insufficient NPSH to support operation of more than one pump. CC8.
3.1.2 'Dirbine Driven Pump A, 8 or C Fails to Start or Run Improperly adjusted and inadequately maintained turbine governors have caused pump failures. HE2.
Problems include worn or looscncd nuts, set screws, linkages or cable connections, oil leaks and/or con-tamination, and electrical failures of resistors, tran-sistors, diodes and circuit cards, and erroneous grounds and connections.
CF5. Similar failures have occurred at Turkey Point.
Terry turbines with Woodward Model EG gover-nors have been found to overspeed trip iffullsteam flow is allowed on startup. Sensitivity can be reduced ifa startup stcam bypass valve is sequenced to open first. DE1.
lbrbincs with Woodward Model PG-PL governors have tripped on overspecd when restarted shortly after shutdown, unless an operator has locally exer-cised the speed setting knob to drain oil from the governor spccd setting cylinder (per procedure).
Automatic oil dump valves are now availablc through Terry. DE4.
Condensate slugs in stcam lines have caused turbine ovcrsPced trip on startup. lbsts repeated right after such a trip may fail to indicate the problem due to warming and clearing of thc stcam lines. Surveil-lance should exercise all steam supply connections.
DE2.
Trip and throttle valve (TIV) problems (MOV-6459A,B,C) which have failed the turbine driven pump include physically bumping it, failure to rcsct it followingtesting, and failures to verifycontrol room indication of reset. HE2. Whether either the ovcrspeed trip or ITVtrip can bc rcsct without resetting the other, indication in the control room of ITVposition, and unambiguous local indication ofan overspced trip affect thc likelihood of these errors. DE3.
3.1.3 Pump Unavailable Due to Maintenance or Surveillance
~
Both schcdulcd and unscheduled maintenance remove pumps from operability. Surveillance requires operation with an altered line-up, although a pump train may not be declared inoperable during testing. Prompt scheduling and performance of maintenance and surveillance minimize this unavailability.
3.1.4 AirOpcratcd Flow Control Valves Fail Closed
'I'rain 1: 3-2816, 2817, 2818; 4-2816, 2817, 2818
'I'rain 2 3 2831) 2832'833l 4 2831'832'833 These normally closed air operated valves (AOVs) con-trbl flow to thc steam generators.
They fail closed on loss of Instrument Air.
Control circuit problems have been a printary cause of failures, both at 11trkey Point and elsewhere.
CF9. Valve failures have resulted from blown fuses, failure of control components (such as current/
pneumatic convcrtors), broken or dirty contacts, rnisaligncd or broken limitswitches, control power loss, and calibration problems.
Degraded operation has also resulted from irnpropcr air prcssure due to air regulator I'ailurc or leaking air lines.
~ - Out-of-adjustmcnt electrical flowcontrollers have caused improper discharge valve operation, affect-in'g multiple trains ofAFW. CC12. Turkey Point has cxpcrienced calibration problems with flow controllers.
Leakage of hot fcedivatcr through check valves has caused thermal binding of normally closed flow coritrol MOVs. AOVs may bc similarlysusccptiblc.
CF2.
NUREG/CR-5633 3.2
Inspection Guidance
~
'IlirkcyPoint has experienced numerous air oper-ated controller malfunctions which resulted from water in the instrument air system due to main-tenance inoperability ofthe air dryers. CF9.
3.1.5 Motor Operated Valves Fail Closed TD Pump Stcam Stop: 3-1403, 1404, 1405; 4-1403, 1404, 1405 T ATValvcs: MOV-6459 A, 8, C These normally closed MOVs isolate steam flow to the TD AFW pumps. They fail closed on loss of power.
~
Common cause failure ofMOVs has resulted from failure to use electrical signature tracing equipment to determine proper settings oftorque switch and torque switch bypass switches. Failure to calibrate switch settings for high torques necessary under design basis accident conditions has also been involved. CC11.
~
Valve motors have been failed due to lack of, or improper sizing or use of thermal overload protec-tive devices.
Bypassing and oversizing should be based on proper engineering for design basis con-ditions. CF4.
Grcasc trapped in thc torque switch spring pack of Limitorquc SMB motor operators has caused motor burnout or thermal overload trip by prcvcnting torque switch actuation.
CF8.
~
Manually reversing the direction of motion of operating MOVs has overloaded the motor circuit.
Operating procedures should provide cautions, and circuit designs may prevent reversal before each stroke is finished. DE7.
~
Space heaters designed for preoperation storage have been found wired in parallel with valve motors
,which had not been environmentally qualiTied with them present.
DE7.
3.1.6 Manual Suction or Discharge Valves Fail Closed CST Discharge Valves: 3-400, 144, 244, 344; 4-400, 144, 244, 344
%min 1 (TD Pump A) 3 142p 141'41'41 4
142'41, 241, 341
'Pain 2 (TD Pumps II4 C): 002, 003; 3-006, 007, 008; 4-006, 007, 008 Isolation Valves: 3-139, 239, 339; 4-139, 239, 339 TD Pump Recirculation Valves: 177, 277, 377 Both pairs of CST discharge valves are normally locked open and they supply suction to all three TD AFW pumps. Pump A is normally aligned to supply train 1 ofboth units and pumps B and Care normally aligned to supply train 2 ofbo'th units. The capability exists to valve any ofthc three TD pumps to either train ofeither unit.
K
~
Valve mispositioning has resulted in failures of multiple trains ofAFW. CC2. It has also been the dominant cause ofproblems identified during oper-ational readiness inspections.
HE1. Events have occurred most often during maintenance, calibra-tion, or system modifications. Similar events have occurred at lhrkcy Point. Important causes of mis-positioning include:
Failure to provide complete, clear, and specific proccdurcs for tasks and system restoration Failure to promptly revise and validate procedures, training, and diagrams following system modifications'ailure to complete all steps in a procedure Failure to adequately review uncompleted
'procedural steps after task completion Failure to verifysupport functions atter restoration 3.3 NUREG/CR-5633
Inspection Guidance Failure to adhere scrupulously to administrative procedures regarding tagging, control and track-ing ofvalve operations Failure to log the manipulation ofsealed valves
~
Slow leakage past thc final check valve ofa series may not force check valves closed. Other check valves in series may leak'similarly. Piping orien-tation and valve design are important factors in achieving true series protection.
CF1.
Failure to followgood practices ofwritten task assignmcnt and feedback of task completion information Failure to provide easily read system drawings, legible valve labels corresponding to drawings and procedures, and labeled indications oflocal valve position 3.1.7 Leakage ofHot Fccdwatcr through Check Valves:
'1'rain 1: 3-140, 240, 340; 4-140, 240, 340
'1'rain 2: 3-010, 012, 014; 4-009, 011, 013 Discharge TD Pumps: V-143, 243, 343
~
Leakage of hot feedwater through several check valves in series has caused steam binding ofmultiple pumps.
Leakage through a closed level control-valve in series with check valves has also occurred, as would be required for leakage to reach any of thc pumps.
CC10.
3.2 Risk Important AR'W System Walkdown Table, Table 3.1 prcscnts an AFWsystem walkdown table including only components identified as risk important.
This information allows inspectors to concentrate their efforts on components important to prevention of core damage.
However, it is essential to note that inspec-tions sltould not focus exclusively on these components.
Other components which perform essential functions, but which are absent from this table because of high reliabilityor redundancy, must also be addressed to ensure that their risk importanccs are not increased.
Examples include thc (locked-open) steam isolation valves upstream of the steam supply headers and an adequate water level in the CST.
NUREG/CR-5633 3.4
Inspection Guidance Table 3.1 Risk Important Walkdown Table forTurkey I'ointA%VSystem Components Conlponent A Component Name Electrical Required Position Actual Position MOV 1403 MOV 1404 MOV 1405 MOV6459A MOV6459B MOV6459C 3-400 4-400 3-144 S/G AStcam Supply Valve Motor S/G B Steam Supply Valve Motor S/G C Steam Supply Valve Motor TD Pump ATATValve Motor TD Pump B TENT Valve Motor TD Pump CTScT Valve Motor Valves Unit 3 CST Outlet Valve Unit 4 CST Outlet Valve Unit 3 TD Pump ASuction Isolation Valve Racked In/Closed Racked In/Closed Racked In/Closed Racked In/Closed Racked In/Closed Racked In/Closed Locked Open Locked Open Locked Open 3-244 Unit 3 TD Pump B Suction Isolation Valve Locked Open 3-344 Unit 3TD Pump C Suction Isolation Valve Locked Open 4-144 Unit 4 TD Pump ASuction Isolation Valve Locked Open 4-244 Unit 4 TD Pump B Suction Isolation Valve Locked Open 4-344 Unit 4TD Pump CSuction Isolation Valve Locked Open 3-141 Unit 3 Train 1 TD Pump Discharge Valve Locked Open 3.5 NUREG/CR-5633
Inspection Guidance Table 3.1 (Continued)
Component ¹ 3-142 3-241 3-341 3-139 3-239 3-339 AFPD-002 AFPD-003 3-006 3-007 3-008 4-142 4-141 4-241 Component Name Unit 3 'Bain 1 TD Pump Discharge Valve Unit 3 Bain 1 TD Pump Discharge Valve Unit3 Bain1TDPump Discharge Valve Unit 3 Train 1 TD Pump Discharge Valve Unit 3'Bain 1 TD Pump Discharge Valve Unit 3'Bain 1TD Pump Discharge Valve Unit 3 and 4'Bain 2TD Pump Discharge Valve Unit 3 and 4 Bain 2TD Pump Discharge Valve Unit 3 Train 2 TD Pump Discharge Valve Unit 3 Bain 2 TD Pump Discharge Valve Unit 3'Bain 2TD Pump Discharge Valve Unit 4 Bain 1 TD Pump Discharge Valve Unit 4 Bain 1 TD Pump Discharge Valve Unit 4 Train 1 TD Pump Discharge Valve Required Position Locked Open Locked Open Locked Open Locked Open Locked Open Locked Open Locked Open Locked Open Locked Open Locked Open Locked Open Locked Open Locked Open Locked Open Actual Position
. NUREG/CR-5633 3.6
Inspection Guidance Table 3.1 (Continued)
Component ¹ Component Name Required Position Actual Position 4-341 4-139 4-239 4-339 4-006 4-007 4-008 3-2816 3-2817 3-2818 4-2816 4-2817 4-2818 3-2831 3-2832 3-2833 4-2831 4-2832 Unit 4 Train 1 TD Pump Discharge Valve Unit4llain1TD Pump Discharge Valve Unit 4 Train 1 TD Pump Discharge Valve Unit 4 Train 1TD Pump Discharge Valve Unit 4 1lain 2 TD Pump Discharge Valve Unit 4 1lain 2 TD Pump Discharge Valve Unit 4 Train 2TD Pump Discharge Valve Pain 1 Flow Control Valve Train 1 Flow Control Valve Train 1 Flow Control Valve iiain 1 Flow Control Valve
'llain 1 Flow Control Valve
'ilain 1 Flow Control Valve Train 2 Flow Control Valve 11 ain 2 Flow Control Valve
'Iiain 2 Flow Control Valve 1lain 2 Flow Control Valve
'1lain 2 Flow Control Valve Locked Open Locked Open Locked Open Locked Open Locked Open Locked Open Locked Open Closed Closed Closed Closed Closed Closed Closed Closed Closed Closed Closed 3.7 NVREG/CR-5633
Inspection Guidance Table 3.1 (Continued)
Conlponcnt ¹ Component Name Actual Required Position Position 4-2833 177 277 377 Train 2 Flow Control Valve TDP ARecirculation Valve TDP 8 Recirculation Valve TDP C Recirculation Valve TDP Steam Su lv Valves Closed Locked Open Locked Open Locked Open 3-319 3-082A 3-0828 3-119 3-219 3-004 3-006 3-007 0018 0028 001C 002C 4-319 4-082A 4-0828 4-119 Unit 3, Train 1 Unit 3, Train 1 Unit 3, Train 1 Unit 3, Train 2 Unit 3, 'Ii.ain 2 Unit 3, liain2 Unit 3, Train 2 Unit 3, Train 1 &2 Cross-tie Unit 3 or 4, Train 2 Unit 3 or 4, Train 2 Unit 3 or 4, Train 2 Unit 3 or 4, liain 2 Unit 4, Train 1 Unit 4, llain 1 Unit 4, Train 1 Unit 4, liain 2 Locked Open Locked Open Locked Open Locked Open Locked Open Locked Open Locked Open Locked Closed Locked Open Locked Open Locked Open Locked Open Locked Open Locked Open Locked Open Locked Open NUREG/CR-5633 3.8
Inspection Guidance Table 3.1 (Continued)
Component 0'-219 4-004 4-006 4-007 MOV3-1405 MOV3-1403 Conlponcnt Nilnle Unit 4, Tiain 2 Unit 4, Train 2 Unit 4, ii'ain 2 Unit 4, Train I 8 2 Cross-tie TDP Stcam Admission Valves Unit 3, Tiain 1 Unit 3, Train 2 TDP Stcam Admission Valves Ilcquircd Position Locked Open Locked Open Locked Open Locked Closed Closed Closed hctual Position MOV3-1404 MOV4-1405 MOV4-1403 MOV4-1404 MOV-6459A MOV-64598 MOV-6459C 3-140 3-240 3-340 4-140 4-240 Unit 3,1lain 2 Unit 4,'li'ain 1 Unit 4, Train 2 Unit 4, iiain 2 TDP AThrottle Trip Valve TDP 8 Throttle Tiip Valve TDP CThrottlc liipValve Pi in U streamof Check Valves
'iiain I, 3A S/G
'n ain 1, 38 S/G
'iiain I, 3C S/G
'iiain 1, 4A S/G Train 1, 48 S/G Closed Closed Closed Closed Open Open Open Cool Cool Cool Cool Cool 3.9 NUREG/CR-5633
Inspection Guidance Table 3.1 (Continued)
Component 4 4-340 3-010 3-012 3-014 4-009 4-011 4-013 143 243 343 Component Name Train 1, 4C S/G
'Ilain 2, 3A S/G
'Ilain 2, 3B S/G Train 2, 3C S/G Train 2,4A S/G Train 2,48 S/G Bain 2, 4C S/G TDP ADischarge TDP B Discharge TOP C Discharge Required Position Cool Cool Cool Cool Cool Cool Cool Cool Cool Cool Actual Position NUREG/CR-5633 3.10
4 Generic Risk Insights Prom PRAs PRAs for 13 PWRs were analyzed to identify risk-important accident sequences involving loss ofAFW, and to identify and risk-prioritize the component failure modes involved. The results ofthis analysis are described in this section. They are consistent with results reported by INELand BNL(Gregg ct al. 1988, and Travis et al. 1988).
Loss ofMain Iieedwater
~
A feedwater line brcak drains the common water source for MFWand AFW. The operators fail to provide feedwater from other sources, and fail to initiate feed-and-bleed cooling, resulting in core damage.
4.1 Risk Important Accident Sequences Involving AFW System Failure Loss ofPower System
~
A loss ofoffsite ower is followed by failure of AFW. Due to lack ofactuating power, the power operated reliefvalves (PORVs) cannot be opened preventing adequate feed-and-bleed cooling, resulting in core damage.
~
Astation blackout fails all AC power except Vital AC from DC invertors, and all decay heat removal systems except the turbine-driven AFW pump.
AFWsubsequently fails due to battery depletion or hardware failures, resulting in core damage.
~
A loss ofmain fecdwater trips the plant, and AFW fails due to operator error and hardware failures.
The operators fail to initiate feed-and-bleed cooling, resulting in core damage.
Steam Generator 'Ibbe Rupture (SGTR)
~
ASGTR is followed by failure ofAFW. Coolant is lost from the primary until the refueling water storage tank (RWST) is depleted.
High pressure injection (HPI) fails since recirculation cannot be established from the empty sump, and core damage results.
4.2 Risk Important Component Failure Modes
~
ADC bus fails, causing a trip and failure of the power conversion system.
One ~Vmotor-drivcn pump is failed by the bus loss, and the turbine-driven pump fails due to loss of turbine or valve control power. AFW is subsequently lost completely due to other failures. Feed-and-:
bleed cooling fails because PORV control is lost, resulting in core damage.
'l&nsient-Caused Reactor or 'lbrbinc Trip The generic component failure modes identiTied from PRA analyses as important to AFWsystem failure are listed below in decreasing order ofrisk importance.
1.
'Ibrbine-Driven Pump Failure to Start or Run.
2.
Motor-Driven Pump Failure to Start or Run.
3.
TDP or MDP Unavailable due to lbst or Maintenance.
~
A transient-caused tri is followed by a loss of the power conversion system (PCS) and AFW. Feed-and-bleed cooling fails either due to failure of thc operator to initiate it, or due to hardware failures, resulting in core damage.
4.
AFW System Valve Failures
~ steam admission valves
~ trip and throttle valve
~ flowcontrol valves
~ pump discharge valves
~ pump suction valves
~ valves in testing or maintenance.
Generic Risk Insights 5.
Supply/Suction Sources
~ condensate storage tank stop valve
- hot well inventory
~ suction valves.
In addition to individual hardware, circuit, or instrument failures, each of these failure modes may result from common causes and human errors.
Common cause failures ofAFW pumps are particularly risk important. Valve failures are somewhat less important due to the multiplicityofsteam generators and connection paths. Human errors ofgreatest risk importance involve: failures to initiate or control system operation when required; failure to restore proper system lineup after maintenance, or testing; and failure to switch to alternate sources when required.
NUR EG/CR-5C)33
5 Failure Modes Determined From Operating Experience This section dcscribcs the primary root causes ofAFW system component failures, as determined from a review ofoperating histories at 'Ibrkey Point and at other PWRs throughout the nuclear industry. Section 5.1 describes experience at Turkey Point from 1972 to 1990.
Section 5.2 summarizes information compiled from a variety ofNRC sources, including AEOD analyses and reports, information notices', inspection and cnforcc-mcnt bulletins, and generic letters, and from a variety of INPO reports as well. Some Licensee Event Reports and NPRDS event descriptions were also reviewed.
Finally, information was included from reports ofNRC-sponsored studies ofthc effects ofplant aging, which include quantitative analysis ofAFW system failure reports. This information was used to identify thc various root causes expected for the broad PRA-based failure events identified in Section 4.0, resulting in the inspection guidelines presented in Section 3.0.
5.1 Turkey Point Experience The AFWsystem at AirkeyPoint has expcricnccd fail-ures of the AFW pumps, pump discharge flowcontrol valves, the turbine steam pressure control and supply valves, and turbine trip and throttle valves. Failure modes include electrical, instrumentation and control, hardware failures, and human errors.
5.1.1 'Ibrbine Driven Pump Failures More than sixty events have resulted in decreased oper-ational readiness of thc turbine driven pumps. Failure modes involved failures in instrumentation and control circuits, electrical faults, system hardware failures, and human errors. The turbine driven pump has tripped or failed to reach proper speed as a result ofclogged lube oil lines, dirty limitswitch contacts, water in instrument air supplied to valve actuators, misadjusted speed con-trol settings, shorted relays in the speed control circuit, and dirty breaker contacts.
Pump aging and wear has resulted in high bearing tempcraturcs and on one occa-sion, pump seizure.
Improper part replacement and inadequate maintenance activities have necessitated pump shutdown and repair.
5.1.2 Flow Control and Isolation Valve Failures More than forty-fiveevents have resulted in impaired operational readiness of thc air operated flowcontrol and motor operated isolation valves. Principal failure causes were equipment wear, instrumentation, and con-trol circuit failures, valve hardware failures, and human errors.
Valves have failed to operate properly due to blown fuses, failure ofcontrol components (such as I/P convertors), broken or dirtycontacts, misaligned or broken limitswitches, control power loss, and operator calibration problems. Poor quality instrument air has caused degraded flowcontrol valve operation in a num-ber ofevents due to failure ofvalve actuators.
In many cases, air in sensing lines for flowtransmitters has rcsultcd in erroneous flowindication. Human errors have resulted in improper control circuit calibration and limitswitch adjustment.
5.1.3 'Ibrbine Driven Pump Steam Supply, Admission, and Control Valves ivlore than thirtyevents have resulted in degraded oper-ation ofsteam isolation or steam pressure control valves. Failure types included failures due to aging.
Deterioration ofsystem hardware resulted in many occurrcnccs ofvalve binding, resulting in tripping of overload devices.
Pressure control and isolation valve seats were found to be steam cut. Also, isolation valves were found to leak due to cut or worn seats or foreign material under the valve seat. Dirty,worn, or mis-aligned limitswitch contacts have prevented proper valve operation. Improper air pressure resulting from failed solenoid valves or air line leaks has caused fail-ures. Misaligned or out ofcalibration control circuits and limitswitches have resulted in a degraded opera-tional condition. Plugged air exhaust ports have been found preventing fullstroking of numerous valves.
5.1 NVREG/CR-5633
Failure Modes 5.1.4 Check Valves Approximately ten events ofcheck valve failure have occurred since 1972. In all but a few cases, normal wear and aging was cited as the failure mode, resulting in leakage.
5.2 Industry V(ide Experience Human errors, dcsign/enginccring problems and errors, and component failures arc the primary root causes of AFWSystem failures identified in a review ofindustry wide system operating history. Common cause failures, which disable more than one train of this operationally redundant'system, are highly risk significant, and can result from all of these causes.
This section identifies important common cause failure modes, and then provides a broader discussion of the single failure effects of human errors, design/
engineering problems and errors, and component fail-ures. Paragraphs presenting details of these failure modes are coded (e.g., CC1) and cross-referenced by
'inspection items in Section 3.
5.2.1 Common Cause failures The dominant cause ofAFWsystem multiple-train fail-ures has been human error. Design/engineering errors and component failures have been less frequent, but nevertheless signiTicant, causes of multiple train failures.
CC1. Human error in the form of incorrect operator intervention into automatic AFWsystem functioning during transients resulted in the temporary loss ofall safety-grade AFW pumps during events at Davis Besse (NUREG-1154 1985) and Trojan (AEOD/I'416 1983).
In the Davis Bcsse event, improper manual initiation of the steam and fecdwater rupture control system (SFRCS) lcd to ovcrspecd tripping of both turbine-driven AFW pumps, probably due to the introduction of condensate into the AFW turbines from the long, unheated stcam supply lines. (Thc system had never been tested with the abnormal, cross-connected steam supply lineup which resulted.)
In the Trojan event the operator incorrectly stopped both AFW pumps due to misinterpretation ofMFW pump speed indication. The diesel driven pump would not restart due to a protective feature requiring complete shutdown, and the turbine-driven pump tripped on overspecd, requiring local reset ofthc trip and throttle valve. In cases where manual intervention is required during the early stages ofa tran-sient, training should emphasize that actions should be performed methodically and deliberately to guard against such errors.
CC2. Valve mispositioning has accounted for a signifi-cant fraction of the human errors failingmultiple trains ofAFW. This includes closure ofnormally open suction valves or steam supply valves, and of is'olation valves to sensors having control functions. Incorrect handswitch positioning and inadequate temporary wiring changes have also prevented automatic starts ofmultiple pumps.
Factors identiflicd in studies ofmispositioning errors include failure to add newly installed valves to valve checklists, weak administrative control oftagging, resto-ration, independent verification, and locked valve log-ging, and inadequate adherence to procedures.
Illegible or confusing local valve labeling, and insufficient train-ing in the determination ofvalve position may cause or mask mispositioning, and surveillance which docs not excrcisc complete system functioning may'ot reveal mispositionings.
CC3. At ANO-2, both AFW pumps lost suction due to stcam binding when they were lined up to both the CST and the hot startup/blowdown demincralizcr effluen (AEOD/C404 1984). At Zion-1 steam created by run-ning the turbine-driven pump dcadhcaded for one minute caused trip of a motor-driven pump sharing the same inlet header, as well as damage to the turbinc-drivcn pump (Region 3 Morning Report, 1/17/90). Both events were caused by procedural inadequacies.
CC4. Design/engineering errors have accounted for a smaller, but signiTicant fraction ol'common cause fail--
ures. Problems with control circuit design modifications at Farley defeated AFW pump auto-start on loss of main feedwater. At Zion-2, restart ofboth motor driven pumps was blocked by circuit failure to deencrgize when the pumps had bccn tripped with an automatic start signal present (IN 82-01 1982). In addition, AFW con-trol circuit design reviews at Salem and Indian Point have identiiflicddesigns where failures of a single com-ponent could have failed all or multiple'pumps (IN 87-34 1987).
NUREG/CR-5633 5.2
Failure Modes CC5. Incorrect setpoints and control circuit settings resulting from analysis errors and failures to update pro-cedures have also prevented pump start and caused pumps to trip spuriously. Errors of this type may remain undetected despite surveillance testing, unless surveillance tests model all types ofsystem initiation and operating conditions. Agreater fraction of instru-mentation and control circuit problems has bccn idcnti-flicd during actual system operation (as opposed to sur-veillance testing) than for other types of failures.
CC6. On two occasions at a foreign plant, failure of a balance-of-plant inverter caused failure of two AFW pumps. In addition to loss of the motor driven pump whose auxiliary start relay was powered by thc invcrtor, thc turbine driven pump tripped on ovcrspecd because thc governor valve opened, allowing fullsteam flowto the turbine. This illustrates thc importance ofassessing the effects of failures of balance ofplant equipmcnt whiclt supports the operation ofcritical components.
The instrument'air system is another example ofsuch a system.
CC7. MultipleAFWpump trips have occurred at Millstone-3, Cook-1, '11ojan and Zion-2 (IN 87-53 1987) caused by brief, low prcssure oscillations ofsuction pres-sure during pump startup. These oscillations occurred despite the availabilityofadequate static NPSH. Cor-rective actions taken include: extending the tirnc delay associated with the low pressure trip, removing the trip,
. and replacing the trip with an alarm and operator action.
CC8. Design errors discovered during AFWsystem reanalysis at the Robinson plant (IN 89-30 1989) and at Millstone-1 resulted in thc supply header from the CST being too small to provide adequate NPSH to the
,pumps ifmore than onc of the three pumps werc oper-ating at rated flowconditions. This could lead to rnul-tiple pump failure due to cavitation. Subsequent reviews at Robinson identiiflied a loss of feedwatcr tran-sient in which inadequate NPSH and flows less than design values had occurred, but which were not rccog-nizcd at the time. Event analysis and equipment trend-ing, as well as surveillance testing which duplicates ser-vice conditions as much as is practical, can help identify such design errors.
CC9. Asiatic clams caused failure of two AFWflow control valves at Catawba-2 when lowsuction pressure caused by starting of a motor-driven pump caused suc-tion source realignment to the Nuclear Service Water system.
Pipes had not been routinely treated to inhibit clam growth, nor regularly monitored to detect their presence, and no strainers were installed. The need for surveillance which exercises alternative system opera-tional modes, as well as complete system functioning, is emphasized by this event. Spurious suction switchover has also occurred at Callaway and at McGuire, although no failures rcsul ted.
CC10. Common cause failures have also been caused by component failures (AEOD/C404 1984). At Surry-2, both thc turbine driven pump and one motor driven pump were declared inoperable due to stcam binding caused by leakage ofhot water through multiple check valves. At Robinson-2 both motor driven pumps were found to be hot, and both motor and stcam driven pumps werc found to be inoperablc at different times.
Backleakagc at Robinson-2 passed through closed motor-operated isolation valves in addition to multiple check valves. At Farley, both motor and turbine driven pump casings were found hot, although the pumps were not declared inoperable. In addition to multi-train fail-ures, numerous incidents ofsingle train failures have occurred, resulting in the designation of "Stcam Binding ofAuxiliaryFeedwater Pumps" as Generic Issue 93.
This generic issue was resolved by Generic Letter 88-03 (Miraglia 1988), which required liccnsecs to monitor AFW piping temperatures each shift, and to maintain procedures for recognizing stcam binding and for restor-ing system operability.
CC11. Cotnmon cause failures have also failed motor operated valves. During the total loss of fcedwater event at Davis Bessc, the normally open AFWisolation valves failed to open after they were inadvertently closed. Thc failure was duc to improper setting of the torque switch bypass switch, which prevents motor trip on thc high torque rcquircd to unseat a closed valve. Previous prob-lems with these valves had been addressed by increasing the torque switch trip sctpoint-a fixwhich failed during the event duc to the higher torque required due to high differential pressure across the valve. Similar common mode failures ofMOVs have also occurred in other 5.3 NUREG/CR-5633
Failure Modes systems, resulting in issuance of Generic Letter 89-10, "Safety Related Motor-Operated Valve Gating and Surveillance (Partlow 1989)." This generic letter requires licensees to develop and implement a program to provide for the testing, inspection and maintenance ofall safety-related MOVs to provide assurance that they willfunction when subjected to design basis conditions.
CC12. Other component failures have also resulted in AFW multi-train failures. These include out-of-adjust-ment electrical flowcontrollers resulting in improper discharge valve operation, and a failure ofoil cooler cooling water supply valves to open duc to silt accumu-lation.
1I 5.2.2 Human Errors HE1. The overwhelmingly dominant cause of problems identified during a series ofoperational readiness evalu-ations ofAFWsystems was human performance. The majority of these human perlormance problems resulted from incomplete and incorrect procedures, particularly with respect to valve lineup information. Astudy of valve mispositioning events involving human error identiflicd failures in administrative control of tagging and logging, procedural compliance and completion of steps, vcriflicationofsupport systems, and inadequate procedures as important. Another study found that valve mispositioning events occurred most often during maintenance, calibration, or modification activities.
Insufficient training in determining valve position, and in administrative requirements for controlling valve positioning were important causes, as was oral task assignment without task completion feedback.
HE2. Turbine driven pump failures have been caused by human errors in calibrating or adjusting governor speed control, poor governor nlaintenancc, incorrect adjust-mcnt of governor valve and ovcrspeed trip linkages, and errors associated witltthe trip and throttle valve (TI'V).
TTV-associated errors include physically bumping it, failure to restore it to the correct position after testing, and failures to verify control room indication ofTl'V position followingactuation.
HE3. Motor driven pumps have been failed by human errors in mispositioning handswitchcs, and by procedure deficiencies.
5.23 Design/Engineering Problems and Errors DE1. As noted above, the majority ofAFW subsystem failures, and the greatest relative system degradation, has been found to result from turbine-driven pump fail-ures. Overspced trips ofTerry turbines controlled by Woodward governors have been a significant source of these failures (AEOD/C602 1986). In many cases these ovcrspecd trips have been caused by slow response of a Woodward Model EG governor on startup, at plants where fullsteam flow is allowed immediately. This over-sensitivity has been removed by installing a star tup stcam bypass valve which opens first, allowing a control-led turbine acceleration and buildup ofoil pressure to control thc governor valve when fullstcam flow is admitted.
DE2. Overspeed trips of'Ibrry turbines have been caused by condensate in the steam supply lines.
Condensate slows down thc turbine, causing the gover-norvalve to open farther, and overspced results before the governor valve can respond, after the water slug clears. This was dctcrmincd to be the cause of the loss-of-all-AFWevent at Davis Besse (AEOD/602 1986),
with condensation enlranccd duc to the long length of the cross-connected steam lines. Rcpcatcd tests follow-ing a cold-start trip may be successful duc to system heat Up.
DE3. Turbine trip and throttle valve ( ITV)problems are a signiflieant cause of turbine driven pump failures (IN 84-66). In some cases lack of ITVposition indica-tion in the control room prcvcnted recognition of a trip-ped ITV. In other cases it was possible to reset either the ovcrspecd trip or thc ITVwithout resetting thc other. This problem is compounded by the fact that the position ofthc overspecd trip linkage can be misleading, and the mechanism may lack labels indicating when it is in the tripped position (AEOD/C602 1986).
Failure Modes DE4. Startup of turbines with Woodward Model PG-PL governors within 30 minutes ofshutdown has resulted in overspeed trips when the speed setting knob was not exercised locally to drain oil from the speed setting cylinder. Speed control is based on startup with an empty cylinder. Problems have involved turbine rota-tion due to both procedure violations and leaking stcam'.
'Ibrry has marketed two types ofdump valves for auto-matically draining the oil after shutdown (AEOD/C602 1986).
At Calvert Cliffs, a 1987 loss-of-offsite-power event required a quick, cold startup that resulted in turbine trip due to PG-PL governor stability problems. Thc short-term corrective action was installation ofstiffer buffer springs (IN 88-09 1988). Surveillance had always been preceded by turbine warmup, which illustrates the importance of testing which duplicates service con-ditions as much as is practical.
DE5. Reduced viscosity of gear box oil heated by prior operation caused failure of a motor driven pump to start due to insufficient lube oil prcssure. Lowering the prcs-sure switch sctpoint solved the problem, which had not been detected during testing.
DE6. Watcrhammer at Palisades rcsultcd in AFW line and hanger damage at both steam generators.
The AFW spargers are located at the normal stcam generator level, and are frequently covered and uncovered during level fluctuations. Waterhammcrs in top-feed-ring steam generators resulted in main feedline rupture at Maine Yankee and feedwatcr pipe cracking at Indian Point-2 (IN84-32 1984).
DE7. Manually reversing thc direction ofmotion ofan operating valve has resulted in MOVfailures where such loading was not considered in thc design (AEOD/C603 1986). Control circuit design may prevent this, requiring stroke completion before reversal.
DE8. At each of the units of the South'kxas Project, space heaters provided by the vendor for use in pre-installation storage ofMOVs were found to be wired in parallel to the Class 1E 125 V DC motors for several AFW valves (IR 50-489/89-11; 50-499/89-11 1989). Thc valves had been environmentally qualiTicd, but not with the non-safety-related heaters energized.
5.2.4 Component I~'nilures Generic Issue II.E.6.1, "In Situ lbsting Of Valves" was divided into four sub-issues (Beckjord 1989), three of which relate directly to prevention ofAFW system component failure. At the request of the NRC, in situ testing ofcheck valves was addressed by the nuclear industry, resulting in thc EPRI,rcport, "Application Guidelines for Check Valves in Nuclear Power Plants (Brooks 1988)." This extensive rcport provides informa-tion on check valve applications, limitations, and inspec-tion techniques.
In situ testing ofMOVs was addressed by Generic Letter 89-10, "Safety Related Motor-Operated Valve 1bsting and Surveillance" (Partlow 1989) which requires licensees'o develop and imple-ment a program for testing, inspection and maintenance ofall safety-related MOVs. "Thermal Overload Protec-tion for Electric Motors on Safety-Related Motor-Opcrated Valves - Generic Issue II.E.6.1 (Rothberg 1988)" concludes that valve motors should be thermally protected, yet in a way which emphasizes system func-tion over protection of the operator.
CF1. The common-cause steam binding effects ofcheck valve leakage were identified in Section 5.2.1, entry CC10. Numerous single-train events provide additional insights into this problem. In some cases leakage of hot MFWpast multiple check valves in series has occurred because adequate valve-seating prcssure was limited to the valves closest to thc stcam generators (AEOD/C404 1984). At Robinson, thc pump shutdown procedure was changed to delay closing the MOVs until after thc check valves were seated.
At Farley, check valves were changed from swing type to lifttype. Check valve rework has been done at a number of plants. Different valve designs and manufacturers arc involved in this problem, and recurring leakage has been cxpcrienced, even after repair and replacement.
CF2. At Robinson, heating ofmotor operated valves by check valve leakage has caused thermal binding and fail-ure ofAFWdischarge valves to open on demand. At Davis Bcsse, high difl'ercntial prcssure across AFW injection valves resulting from check valve leakage has prevented MOVoperation (AEOD/C603 1986).
CF3. Gross check valve leakage at McGuire and Robinson caused overprcssurimtion of the AFW 5.5 NUREG/CR-5633
Failure Modes suction piping. Ata foreign PWR it resulted in a severe waterhammer event. At Palo Verde-2 thc MFWsuction piping was ovcrpressurizcd by check valve leakage from the AFWsystem (AEOD/C404 1984). Gross check valve leakage through idle pumps represents a potential diversion ofAFW pump flow.
CF4. Roughly one third,ofAFWsystem failures have been due to valve operator failures, with about equal failures for MOVs and AOVs. Almost half of the MOV failures were due to motor or switch failures (Casada 1989). An extensive study ofMOVevents (AEOD/C603 1986) indicates continuing inoperability problems caused by: torque switch/limitswitch settings, adjust-mcnts, or failures; motor burnout; improper sizing or use of thermal overload devices; premature degradation related to inadequate use of protective devices; damage due to misuse (valve throttling, valve operator hammer-ing); mechanical problems (loosened parts, improper assembly); or the torque switch bypass circuit improp-erly installed or adjusted. The study concluded tltat current methods and procedures at many plants are not adequate to assure that MOVs willoperate when needed under crcdiblc accident conditions. SpcciTically, a suiveillance test which tlie valve passed might result in undetected valve inoperability due to component failure (motor burnout, operator parts failure, stem disc sepa-ration) or improper positioning of protective devices (thermal overload, torque switch, limitswitch). Gcncric Lcttcr 89-10 (Partlow 1989) has subsequently required licensees to implement a program ensuring that MOV switch settings are maintained so that the valves will operate under design basis conditions for the lifeof the plant.
CF5. Component problems have caused a significant number of turbine driven pump trips (AEOD/C602 1986). One group ofcvcnts involved worn tappet nut faces, loose cable connections, loosened set screws, improperly latched ITVs, and improper assembly.
Another involved oil leaks due to component or seal failures, and oil co'ntamination due to poor maintenance activities. Governor oil may not bc shared with turbine lubrication oil, resulting in the need for separate oil changes.
Electrical component failures included tran-sistor or resistor failures due to moisture intrusion, erroneous grounds hand connections, diode failures, and a faulty circuit card.
CF6. Electrohydraulic-operated discharge valves have performed very poorly, and three of the five units using them have removed them due to recurrent failures.
Failures included oil leaks, contaminated oil, and hydraulic pump failures.
L CF7. Control circuit failures were thc dominant source ofmotor driven AFWpump failures (Casada 1989).
This includes the controls used for automatic and manual starting of the pumps, as opposed to the instru-mentation inputs. Most ofthe remaining problems were due to circuit breaker failures.
CF8. "Hydraulic lockup" ofLimitorque SMB spring packs has prevcntcd proper spring compression,to actuate thc MOVtorque switch, due to grease trapped in the spring pack. During a surveillance at liojan, fail-ure of the torque switch to trip the TTVmotor resulted in tripping of the thermal overload device, leaving thc turbine driven pump inoperable for 40 days until the next surveillance (AEOD/E702 1987). Problems result from grease changes to EXXONNEBULAEP-0 grease, one of only two greases considered environmentally qualified by Limitorque. Due to lower viscosity, it slowly migrates from the gear case into the spring pack.
Grease changeover at Vermont Yankee affected 40 of thc older MOVs ofwhich 32 werc safety related.
Grease relief kits arc needed for MOVoperators manufactured before 1975. At Limerick, additional grease reliefwas required for MOVs manufactured since 1975. MOV refurbishment programs may yield other changeovers to EP-0 grease.
CF9. For AFWsystems using air operated valves, almost halfof the system degradation ltas resulted from failures of the valve controller circuit and its instrument inputs (Casada 1989). Failures occurred predominantly at a few units using automatic electronic controllers for the flowcontrol valves, with the majority of failures due to electrical hardware. AtTurkey Point-3, controller malfunction resulted from water in the Instrument Air system due to maintenance inoperability of the air drycrs.
CF10. For systems using diesel driven pumps, most of the failures were duc to start control and governor speed control circuitry. Halfof these occurred on demand, as opposed to during testing (Casada 1989).
Failure Modes CF11. For systems using AOVs, operability requires the availabilityofInstrument Air(IA),backup air, or backup nitrogen. However, NRC Maintenance'Ram Inspections have identiTied inadequate testing ofcheck valves isolating the safety-related portion of the IA system at several utilities (Letter, Roe to Richardson).
Generic Letter 88-14 (Miraglia 1988), requires liccnsces to verify by test that air-operated safety-related com-ponents willperform as expected in accordance with all design-basis events, including a loss of normal IA.
5.7 NUREG/CR-5633
6 References Beckjord, E. S. June 30, 1989. Closeout ofGeneric Issue II.E.6.1, "In Situ Testing ofValves". Letter to V. Stello, Jr., U.S. Nuclear Regulatory Commission, Washington, D.C.
Brooks, B. P. 1988. Application Guidelines for Check Valves in Nuclear Power Plants.
NP-5479, Electric Power Research Institute, Palo Alto, CA.
Casada, D. A. 1989. AiixiliaryFeedwater System Aging Study. Volunie 1. Operating Experience and Current MonitoringPractices.
U.S. Nuclear Regulatory Commission, Washington, D.C.
AEOD Reports AEOD/C404. W. D. Lanning. July 1984. Steam Binding ofAuxiliaryFeedwater Pumps.
U.S. Nuclear Regulatory Commission, Washington, D.C.
AEOD/C602. C. Hsu. August 1986. Operational Experience Involving Turbine Overspeed Trips. U.S.
Nuclear Regulatory Commission, Washington, D.C.
AEOD/C603. E. J. Brown. December 1986. A Review ofMotor-Operated Valve Performance.
U.S. Nuclear Regulatory Commission, Washington, D.C.
Gregg, R. E., and R. E. Wright. 1988. Appendix Review forDominant Generic Contributors. BLB-31-88. Idaho National Engineering Laboratory, Idaho Falls, Idaho.
Miraglia, F. J. February 17, 1988. Resolution ofGeneric Safety Issue 93, "Steam BindingofAuxiliaryFeedwater Pumps" (Generic Letter 88-03). U.S. Nuclear Regulatory Commission, Washington, D.C.
Miraglia, F. J. August 8, 1988. Instnirnent AirSupply System Problems AffectingSafety-Related Equipment (Generic Letter 88-14). U.S. Nuclear Regulatory Commission, Washington, D.C.
Partlow, J. G. Junc 28, 1989. Safety-Related Motor-Operated Valve Testing and Surveillance (Generic Letter 89-10). U.S. Nuclear Regulatory Commission, Washington, D.C.
Rothberg, O. Junc 1988. Thermal Overload Protection forElectric Motors on Safety-Related Motor-Operated Valves-GenericIssuell.E.6.1.
NUREG-1296. U.S.
Nuclear Regulatory Commission, Washington, D.C.
Travis, R., and J. Ihylor. 1989. Development of Guidance for Generic, Fiuictionally Oriented PRA-Basetl Team Inspections forBIIrRPlants-Identification ofRisk-Important Systeins, Components and Hunian Actions.
TLR-A-3874-T6A. Brookhaven National Laboratory, Upton, New York.
AEOD/E702. E.J. Brown. March 19, 1987. MOV Failure Due to Hydraulic Lockup From Excessive Grease in Spring Pack.
U.S. Nuclear Regulatory Commission, Washington, D.C.
AEOD/T416. January 22, 1983. Loss ofESF Atixiliaty Feedwater Pump Capability at Trojan on January 2~,
1983. U.S. Nuclear Regulatory Commission, Washington, D.C.
Information Notices IN 82-01. January 22, 1982. AuxiliaryFeedwater Piunp Lockout Resulting from IVestinghouse II'-2Switch Circuit Modification. U.S. Nuclear Regulatory Commission, Washington, D.C.
IN 84-32. E. L Jordan. April 18,1984. Auxiliary Feedwater Sparger and Pipe Hangar Damage.
U.S.
Nuclear Regulatory Commission, Washington, D.C.
IN 84-66. August 17, 1984. Undetected Unavailabilityof the Tiirbine-DrivenAuxiliatyFeedwater Train. U.S.
Nuclear Regulatory Commission, Washington, D.C.
IN 87-34. C. E. Rossi. July 24, 1987. Single Failures in AuxiliaryFeedwater Systems.
U.S. Nuclear Regulatory Commission, Washington, D.C.
6.1 NUREG/CR-5633
References IN 87-53. C. E. Rossi. October 20, 1987. Auxiliary Feedwater Pump Trips Resulting from Lotv Suction Pressure.
U.S. Nuclear Regulatory Commission, Washington, D.C.
IN88-09. C. E. Rossi. March 18, 1988. Reduced ReliabilityofSteam-Driven AuxiliaryFeedwater Pumps Caused by InstabilityofWoodward PG-PL Type Governors.
U.S. Nuclear Regulatory Commission, Washington, D.C.
IN 89-30. R. A. Azua. August 16, 1989. Robinson Uiu't 2 Inadequate NPSH ofAuxiliatyFeedwater Pumps. Also, Event Notification 16375, August 22, 1989. U.S.
Nuclear Regulatory Commission, Washington, D.C.
Inspection Report IR 50-489/89-11; 50-499/89-11.
May 26, 1989. Soutli Texas Proj ect Inspection Report. U.S. Nuclear Regulatory Commission, Washington, D.C.
NURHG Report NUREG-1154.
1985. Loss ofMain and AuxiliaryFeed-water Event at the Davis Besse Plant on June 9, 1985.
U.S. Nuclear Regulatory Commission, Washington, D.C.
Distribution No. of
~Co ics OFFSITE No. of
~Co ies 4
'Ibrke Point Resident Ins ections Office U.S. Nuclear Re ulato Commission B. K. Grimes OWFN 9 A2 F. Congel OWFN 10 E4 H. N. Berkow OWFN 14 H22 A. El Bassioni OWFN 10 A2 10 J.Chung OWFN 10 E4 K. Campc OWFN 1 A2 2
B. Thomas OWFN 12 H26 U.S. Nuclear Re ulato Commission - Re ion 2 J. H. Taylor Brookhavcn National Laboratory Bldg. 130 Upton, NY 11973 R. Travis Brookhaven National Laboratory Bldg. 130 Upton, NY 11973 J. Bickcl EG8cG Idaho, Inc.
P.O. Box 1625 Idaho Falls, ID 83415 Dr. D. R. Edwards Professor ofNuclear Engineering University ofMissouri - Rolla Rolla, MO 65401 ONSITE 26 Pacific Northwest Laborato A. F. Gibson K. D. Landis L. A. Reyes S. R. Doctor L. R. Dodd B. F. Gore (10)
N.E. Moffitt(5)
B. D. Shipp F. A. Simonen T. V. Vo Publishing Coordination Technical Report File (5)
Distr.1 NUREG/CR-5633
NRC FOAM 336 I24I9<
NRCM 1102.
220 I. 2202
- 2. TITLE AND SUBTITLc U.S. NUCLEAR REGULATORY COMMISSION BIBLIOGRAP HIC DATA SHEET
/See rnstnrctrons on the ieeetsej I, REPORT I<UMBER IA<<<e<<<o lrr NRC, Ao<t Vor., S<<oo Ass.,
~no Aoorno<<m tllrmo<rs, ls sne,l NUREG/CR-5633 PNL-7454 Auxiliary Feedwater System Risk-Based Inspection Guide for the Turkey Point Nuclear Power Plant 3.
DATE REPORT PUBLISHED MONT<<
YEAR 1992 April 4 FIN OR GRANT NUMBER S. AUTHORISI N.
E. Moffitt, B.
F.
- Gore, T.
V.
Vo L1310
- 6. TYPE OF REPORT Technical 7, PERIOD COVERED Irncrosrrr Oirrsr 7/90 to 2/92 6, PER FORM ItIG ORGANIZATIONNAME ANO ADDRESS IIINRC prr<<roe Oil<<em, OIIKeor Rreron. US. Iree<err Ree<ruro<Y Comm<urn<<, ino ms<<<<<I ioerru it con<rector pros<or nolle en<r mi rmt i<so<eccl Pacific Northwest Laboratory Richlandl WA 99352 B. SPONSORING ORGANIZATION-NAME AND ADDRESS IIINRC. ryoe "Semi is coo~ lrlco succor pn u IIRCO<<~. OIIKior Reenrn US, IrocltrrRtpalrsron Commrunm.
en<I mrilirenoorr<AI Division of Radiation Protection and Emergency Preparedness Office of Nuclear Reactor Regulation U.S. Nuclear Regulatory Commission Washington>
DC 20555
- 10. SUPPLEMENTARY NOTES
- 11. ABSTRACT l200 <<onls or scut In a study sponsored by the U.S. Nuclear Regulatoiy Commission (NRC)l Pacific Northwest f.aboratory has developed and applied a methodology for deriving plant-specific risk-based inspection guidance for the auxiliary feedwater (AFW) system at pressurized water reactors that have not undergone probabilistic risk assessment (PRA).
This methodology uses existing PRA results and plant operating experience information.
Existing PRA-based inspection guidance information recently developed for the NRC for various plants was used to identify generic component failure modes.
This information was then combined with plant-specific and industry-wide component information and failure data to identify failure modes and failure mechanisms for the AFW system at the selected plants.
Turkey Point was selected as one of a.eries of plants for study.
The product of this effort is a prioritized listing of AFW failures which have occurred at the Tplant and at other PWRs.
This listing is intended for use by NRC inspectors in the preparation of inspection plans addressing AFW risk-important components at the Turkey Point plant.
- 12. KEY WOROSTDESCRIPTORS ILI<r<<onrs o piro<is rnu <<iliuur msearrruuin rocerrne ms ~oon./
Inspection,
I2. AVASLAI<ILITYSTATEMENT Unlimited tc. sscvR<TY cLAsssr scAT<Qr<
ITn>> Peril Unclassified ITh<s Rrponl Unclassified
- 15. NUMBER OF PAGES
- 16. PRICE NRC CORM 'lSA <2JIO<
THIS DOCUMENT WAS PRINTED USING RECYCLED PAPER