ML20009A086

From kanterella
Jump to navigation Jump to search
V.C. Summer Nuclear Station Unit 1 Emergency Feedwater System Reliability Study Evaluation
ML20009A086
Person / Time
Site: Summer South Carolina Electric & Gas Company icon.png
Issue date: 06/30/1981
From: Bradley G
SANDIA NATIONAL LABORATORIES
To:
Office of Nuclear Reactor Regulation
References
CON-FIN-A-1121 NUREG-CR-1870, SAND80-2896, NUDOCS 8107080026
Download: ML20009A086 (64)
v  d  e


Text

_ ..

j i

gbY.,,--s_k i i NUREG/CR-1870 i pff:t[,Leiy #c jc{:

g- JLLUt

" h~h SAND 80-2869 l \,'- \ u.s. wggl;g',*" l<

sx 4 m%:' %m- c c,

l 4 _ _

! V. C. Summer Nuclear Station Unit 1 l Emergency Feedwater System l Reliability Study Evaluation I

l l Prepared by G. H. Bradley, Jr.

I Sandia National Laboratories i

l

, Prepared for r

U.S. Nuclear Regulatory l Commission i

{

t I

l i 8107090026 810630 2't i PDR ADOCK 05000395-9 A PDR;j

NOTICE This report was prepared as an account of work sponsored by an agency of the United S'=tes Government. Neither the United States Government nor any agency thereof, or any of their employees, makes any warranty, expressed or implied, or assumes any legalliability or responsibility for any third party's use, or the results of such use, of any information, apparatus product or process disclosed in this report, or represents that 4 its use by such third party would not infringe privately owned rights.

Available from GPO Sales Program Division of Technical Information and Document Control U. S. Nuclear Regulatory Commission Washington, D. C. 20555 Printed copy price: $4.25 and National Technical Information Service Springfield, Virginia 22161 (4 s

i L -

NUREG/CR-1870 SAND 80-2869 V. C. Summer Nuclear Station Unit 1 Emergency Feedwater System Reliability Study Evaluation Manuscript Completed: December 1980 Date Published: June 1981 Prepared by G. H. Bradley, Jr.

Sandia National Laboratories Albuquerque, New Mexico 87185 Prepared for Division of Safety Technology Office of N:iclear Reactor Regulation U.S. Nuclear Regulatory Commission Washington, D.C. 20555 NRC FIN A1121 l

_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ . _J

ABSTRACT The purpose of this report is to present the results of the review of the Emergency Feedwater System Reliability Analysis for the V. C.

Summer Nuclear Station Unit 1.

iii

Table of Contents Page Abstract 111 List of , ares vii 1

Summary and Conclusions

1. Introduction 2 1.1 Background 2 1.2 Review Activities 2 1.3 Content and Results of the Reliability Analysis 3 1.4 Scope and Level of SNL Effort 3 4
2. AFWS Configuration 2.1 General description and function of the EFS 4 2.2 Fluid System 6 2.2.1 Suction 6 Pumps and Discharge Headers 7 2.2.2 2.2.3 Flow Control Valves 8 2.2.4 Steam Supply for the TDP Turbine 8 2.2.5 Valve Operation and Indication 9 2.3 Support Systems and Backup Water Source 10 Electrical Power Sources 11 2.4 Instrumentation and Control 13 2.5 2.5.1 Initiation Logic 13 2.5.2 EFS Flow Control 13 2.5.3 Information Available to Operator 15 v

4

.i Page i

2.6 Operator Actions 15 4

2.7 Testing 16 2.8 Technical Specifications 16 1

3. Discussion 17 3.i -Mode of AFWS Initiation 17 i

3.2 System Control Following Initiation- 18 l

3.3 Test and Maintenance Procedures and Unavailbility 18 i

3.4 Adequacy of Emergency Procedures 19 3.5 Adequacy of Power Sources and Separation of Power Sources 20 s

j 3.6. Availability of Alternate Water Sources 21 3.7 Potential Common Mode Failure 21 t  !

I- 3.8 Applicatioq,of Data Presented in NUREG-0611 24 3.9 Search for Single Failure Points 24 i

{ ' 3.10 Human Factors / Errors 24 1-

. 3.11 NUREG-0611 Recommendations, Long-and Short-Term 25 3.11.1 Short-Term Generic Recommendations 25 1

3.11.2 Additional Short-Term Recommendations 38 I

3.11.3 Long-Term Generic Recommendations 44 i 4. Major Contributors to Unreliability 50

5. Concern 55
~
6. Conclusions 56
7. Glossary of Terms 57

? 8. References 59 f

I vi i

. . - ~ . . - . . . - --,_.,_,,.,,,,_,.,_,.,-,-..,_,,,,_.,......-.-,,,,_.._.....___-~,,.,m. --_~,,,,-.m.._,, _ _ , _ , , , , , . . ,

List of Figures Figure Page 1 EFS Flow Schematic 5 2 AC Power Distribution to EFS Components 12 3 EFS Initiati<an Logic 14 4 Comparison of V.C. Summer Unit i EFS 54 Reliability with that of operating Westinghouse Plants.

vii

Summary and Conclusions The accident at Three Mile Island resulted in many studies which outlined the events leading to the accident as well as those following. One of the important safety systems involved in the mitigation of such accidents was determined to oe the Emergency Feedwater System (EFS). Each op rating plant's EFS was studied and analyzed. The results were repo.ced in NUREG-0611. The licensee of each nonoperating plant was insr. acted to perform a reliability analysis of his EFS for three transient conditions involving loss of main feedwater in a manner similar to the study made by NUREG-0611 prior to their obtaining an operating license. South Carolina Electric and Gas Company, the licensee for V. C. Summer Nuclear Station, submitted a reliability report to NRC in August 1980. This report was reviewed by 4 Sandia National Laboratories, which resulted in the following conclusions:

1. South Carolina Gas and Electric has satisf actorily complied with the requirement to make a reliability study of their EFS.
2. The comparison of the reported reliability of Summer'r. EFS to those of operating plants shows that Summer's reliability is at the high end of the range of EFS reliability for operating plants. Sandia is not in agreement with this assessment because of the ' x 10-5 reliability allo-cation for the valve in the single line from the condensate storage f tank to the EFS pump header. A higher value of 1 x 10-4 as was used in NUREG-0611 is recommended to achieve a more valid comparison.
1. Introduction

1.1 Background

The results of many studies pert tinir.g to the Three Mile Island Nuclear Power Plant accident conclude that a proper functioning Auxiliary Feedwater System (AFWS) is of prime importance in the mitigation of such accidents. Therefo.e. a letter dated March 10, 1980(1) stating NRC's requirements regarding the AFWS was sent to all operating license applicaats with Nuclear Steam Supply Systems desigaed by Westinghouse and Combustion Engineering.

The Sm:th Carolina Electric and Gas Company (SCE6G) Columbia, South Carolina, the applicant for an operating license for the Virgil C.

Summer Nuclear Station Unit I which has a Westinghouse designed Nuclear Steam Supply System, provided a respanse in ti e form of a reliability analysis (2) which was prepared f or them by Gilbert /

Commonwealth Inc. The analysis addressed all requirements stated in the letter.

1.2 Review Activities This project undertakes a review of those portions of the reliability  !

analysis which (1) satisf y requirement (b) of the letter which states,

" perform a reliability evaluation similar in method to that described in Enclosure 1 (NUREG-0611) that was performed for operating plants and submit it for staff review," and (2) provide answers to the short I 1

and long term recommendations of NUREG-0611 in response to require-ment (c) in the letter. The review was conducted according to Schedule

I I

189(4) which was submitted by Sandia National Labortiories (SNL) to NRC.

1.3 Content and Results of the Reliability Analysis The reliability analysis (2) was submitted to NRC in August 1980 and was received by SNL on September 15, 1980. Revision 1(5) was submitted to NRC in October 1980 and was received by SNL on November 10, 1980. The analysis makes a detailed study of the f ailure of the Emergency Feedwater System (EFS) to provide suf ficient Emergency Feedwater (EF) flow to at least two steam generators and compares the results obtained with those obtained for the operating plants studied in NUREG-0611. EFS is another designation for_the AFWS. The analysis places the Virgil C.

Summer Nuclear Station Unit 1 with those operating plants having the highest AFWS reliability.

1.4 Scope and Level of SNL Effort SNL reviewed the reliability analysis (2) submitted by SCE6G.

Particular attention was directed teward determining that the analysis addressed in depth the reliability of the EFS when subjected to three transient cases (1) LMFW, Loss of Main Feedwater, (2) LMFW/ LOOP, Loss of Main Feedwater/ Loss of Offsite Power and Also (3) LMFW/ LAC Loss of Main Feedwater/ Loss of all AC Power.

the methods used in NUREG-0611(3) were compared to those used in the the analysis. The specific findings are presented below in Sections 3, 4 and 5.

.. . , , , , , , , . . , , ________J

Comments and questions were recorded during the review and submitted to NRC on the 26th of September. These questions were forwarded to l SCE&G by NRC. SCE6G and its cc.itractor Gilbert / Commonwealth Inc.

met with representatives from NRC and SNL on the 6th and 7th of October at the V. C. Summer Nuclear Static.t Unit 1. At this meeting a review of the Summer EFS and the EFS reliability analysis was given by Gilbert / Commonwealth and a tour of the EFS was conduct-ed by SCE&G. During the tour, observations were made to facilitate i

the discussion period which followed. In the discussion period each of the 51 questions asked was answered and discussed in detail.

As a result of'these questions a prompt and extensive revision (5) was made to the original reliability analysis. The official responses were published by Gilbert / Commonwealth as Appendix E to Reference (5). In addition to incorporating the responses, the the revision contained a listing of the basic events and the failure allocations associated with each event.

2. AFWS Configuration 2.1 General Description and Fenetion of the EPS j A diagram of the V. C. Summer EFS is shown in Figure 1. The system consists of two Emergency Feedwater trains, one supplied by two motor-driven pumps (MDP) and one by a steam turbine-driven pump (TDP), all with a common suction source. Either of the trains can supply emergency feedwater to any of the three stean generators.

a g we r---<>-------

L,o,,, _<_o-_;--- gr----9 gaita l Tutt

-a= $tta.s

! l (fop APP.S.tF P 0. . F ArL OPEm 0g l FC =FMLCLCS(0 gg i LO . LOC 11ED OPEM l

ann .esCT04CPttAT(OWALTf == me e. .- - _$

NC .NCtmALLT CLOLEO

. _ STAfus aeceCAT@e CDs Adle CRf

,Ao-in

,0 ...

,0.. .. . I, ,0.,..

. . . - , . e l w l :Ho c l l 1-o e

.. 4c p. ...i-oi. l ..CtajC i_'s-.

.;_t j..*_ J l i >= = 8

, i 2-y_i c

, -.- a w =V. a e i

i i . .

_____!___________!______._________._l_____

lm

10. . l l m ... ore. . l m ... .. .

,,,,,C Ct>s,Ap Det

. .C 11108A PC IONG PC laceC PC

. Lo .h L.O -

LO m . Le .

L..O C .

LO.C PA FA f FA FA

, PA

' PA 3

LO 'O LO LO LO LO

  • * * *
  • utg
  • WitA ' 187 4 101st setFS 40)ec

) ) 1 LO Le Lo 1821 & mas 10218 ISA W14 12

==== cmc 'M Lo . La w: ,es,P icer. '*:2^ 1er,.

' RPP3t g 1'P28A et 1PP6

.v u 1834A 50taa Y ,

18138

- .5 "

.o,, ov ,. e. g . to . - - '

=

ii LOx 7- o< =r' cv m gens 6a -gg, im/e asovoso 1002

. LO 1011 r Opec 3 . LO ,, i,W test  ; 6isps

<6 MNa gg

/N /N u v. L .. .

ETE.4 C0 FIC'JRE 1 EF3 FLCR SCMEN ATIC 1

_j

Any one of the three Emergency Feedwater pumps can supply suf ficient emergency feedwater to at Icast two of the three steam generators.

The primary function of the system is to provide feedwater to the steam generat3rs when the main feedwater system is lost.

2.2 Fluid System 2.2.1 Suction The primary water source for the EFS is the condensate storage tank (CST). Of the tank's 500,000 gallon storage capacity, 150,000 gallons are available exclusively to the EFS.

A common suction header for all three EFS pumps is supplied through a 10 inch diameter line from the CST. This line contains a manual valve

  • which has its handwhee; removed and is locked open. The lines from the suction header to each EF pump have a check valve and a manual locked-open valve.*

The backup supply is the Service Water System (SUS) which is manually actuated or automatically actuated by pressure sensors (two-out-of-four logic) in the common c.ction line downstream of the locked-open menual valve from the CST. Service Water Loop A can supply the MDP "A" and the TDP. Service Water Loop B can

  • Status of this valve indicated in Control Room (CR) and Techn'.ca:t Support Center (TSC) as part of By-Pass and lu,perable Status s

Indication (BISI).

p. l supply the MDP "B" and the TDP. There is a normally closed motor-operated valve in each loop before the EF pump suction lines as well as a normally closed motor-operated valve and a check valve in the suction line of each pump. The motor-operated valves are isolation valves capable of both manual (local and recote) and automatic operation.

2.2 2 Pumps and Discharge Headers There are two discharge headers, one connected to the TDP and the other to the MDP's. The discharge line from each pump to the header has a check valve and a locked-open, manually operated isolation valve.* The TDP delivers 570 gpm including recirculation at a steam generator pressure of 1211 psig and each MDP delivers 440 gpm including recirculation at a steam generator pressure of 1211 psig.

4 Each pump is provided with a recirculation path. This path consists of a check valve, a breakdown orifice and a locked-open manual valve.*

The recirculation line is siz

  • 2 in. for each MDP and 3 in. for the TDP. Each recirculation line can pass the required pump minimum flow of 100 gpm. The recirculation lines discharge to a 4 in, recircula-tion header which returns the recirculation flow to the CST through a check valve.

The TDP and MDP discharge headers each split into three flow paths, one for each steam generator. Each flow path has a locked-open

  • Status of this valve indicatedtin the CR and TSC as par *. of BISI.

w . . . _ . . . . . . . . . . . . . . _ _J

manual valve,* a flow control valve ** and a locked-open stop check valve.* Downstream of the stop check valve, the flow paths from the TDP and MDP discharge headers combine to form one EF line to each steam generator. The common line to each steam generator contains a pneumatically operated, spring-assisted check valve which serves as a containment isolation valve but will be held open by discharge pressure f rom the EF pumps and two check valves near each steam generator nozzle which limit the effects of a pipe break.

2.2.3 Flow Control Valves Two normally open pneumatically operated flow control valves are provided for each steam generator; one valve controls flow from the MDP's, the other controls TDP flow. Remote manual / automatic control of the flow control valves is from the CR with provision for local manual operation. Safety class air accumulators with sufficient capacity to ensure valve closure for approximately three hours, in the case of a secondary line break, are provided for the valves. The flow control valves fail "open" on loss of electric power or control air.

2.2.4 Steam Supply for the TDP Turbine The steam supply to the TDP consists of a connection taken from the safet} class sections of each of two Main Steam (MS) lines (from

  • Status of this valve indicated in CR and TSC as part of BISI.
    • For status indication of flow control valve, see 2.2.5.

+

, _9_

L

steam generators B and C) upstream of.the MS isolation valves. Two e

connections are provided to obtain redundancy of supply in the event i of a MS line break. Each connection'has a check valve and a ns;or-

- operated gate valve
  • for positive isolation in the event of MS line break. A normally closed, pneumatically operated steam inlet valve
  • which. fails "or n' upon loss of air or control signal is opened i

automatically on EFS demand by two logic trains. The steam inlet--

valve is located in the common line to the turbine, which then connects to a turbine _ trip and throttle valve.

2.2.5 Valve Operation and Indication All motor-operated valves (MOV's) are ac powered from Class 1E buses, are controllable from and have their position indicated in the Control Room. Positibnindicationandcontrolforeachvalveisfromthe valve motor power source. Additionally, all MOV'a can be manually opened or closed locally with position indicaticn in the Control Room.

The pneumatically operated flow control valve can be manually contcolled from the control room or the control room evacuation panel.

Audible and visual alarms will be activated and repeated at sixty-minute intervals whenever an emergency feedwater flow control valve r

control switch is not in the auto position (valve is open when control l switch is in the auto position). Flow control in manual control (e.g.,

i

closed during EF pump test) will go to the full, wide-open position +

+

  • Status of this valve indicated in the CR and TSC as part of BISI.

1 t#

l

, 'n ~~c w" s ev = w,w- - ~*--se=vm-r-sw,+

upon automatic initiation (excluding main feedwater pump trip) of the EFS.

Locked-open valves critical to successful system functioning and several normally closed valves are monitored on the Bypass and Inoperable Status Indication (BISI) system. An inptt entry to the BISI computer is made whenever a valve is placed into a position contrary to successful system function. This record is displayed in the Control Room (CR) and Technical Support Center (TSC) CRT's.

2.3 Support Systems and Backup Water Source The EFS pumps, pump motors, and turbine are all independent of support systems such as plant cooling systems. The turbine can operate without air or electrical power. Motor cooling and turbine lubrication oil cooling are acconplished using EF flow.

In addition to the mininum of 150,000 gallons reserve in the CST, any extra inventory of water in the CST is available to the EFS. Makeup from the 500,000 gallon Demineralized Water Storage Tank (DWST) can also be made available to the EFS. The backup water source for the EFS is the Service Water System. In the present design, the manual action required to connect the backup water source, i.e., Service Water to the EF suction, is the remote manuel opening of six MOV's.

The operator has 20 minutes after the sounding of the CST low-low level alarm to accomplish this switchover. If this is not accomplish-

ed, automatic swit.chover to the SW is initiated- by low pressure s

j sensing in the conmon suction header from the CST downstream of the locked-open uanual valve. This signal automatically activates the MOV's !n the SW supply lines to the MDP's and the TDP using I two-of-foer sensor logic to the two separate SW trains.

2.4 Electrical Power Sources A simplified disgram showing electrical power distribution to major

EFS components is shown in Figure 2. Each pump motor is supplied from a separate,. independent Class lE electric' system bus. Complete t

physical separation is followed throughout for control and instru-2 mentation systems. -The required instrumentation and control are i

posered from separate and independent vital buses. Power for EFS 1

i components necessary to establish emergency feedwater flow is 1

7 derived from diesel generator backed 7200 V buses IDA and IDB.

f Normally (Case 1), these buses are supplied from offsite power through the switchyard. However, in the event of LMF/LOSP (Case 2),

i the diesel generators start automatically and ESF loads are connected

! in Engineered Safety Features Loading Sequence (ESFLS) Step 5.

I Service Water also remains available in this case if the CST source is unavailable. Service Water is connected in ESFLS Step 3 ten

+ seconds before initiation of the EFS pumps. At a predetermined i

i pressure, the decreasing pressure in the EFS header initiates the i

transfer of EF source from the CST to the SWS with approximately J,

f I

Dtf5EL AA 1n.*TF4 t5 ** Yn. xTr ai.r5 DIE 5fL GENE RATOR 'A' ^A

^t^ W GENERATOR D' HO l l l F.2 KV PU5 X5w1DA.E5 ttO l l Q

l T.2 KV BUS x5wlD8.E5 O

MDEFP O

MDEFP R P P 214. E5 RPP2tG.EF F.2KVGUSM5wlEA.E5 2.2 KV BUS X5w1ED.E5 5

gg O

5.w.P.

O 5.w.P.

T R. IDA2 gp g AA g pp 3945w pp XPP390 5w 10. IDB.'

)

- 1) I I I l uCC RMC 10 A2K-E 5 '

uCC xuc 3DB2x.E5 l WCC IDB2Y.E5 uov's MDV'1 MDv IO??A.EF 1037 D.E F 28028.k1 100 t A.E F 600 lB.E F 1008.E F 1002.[F 2802A.M5 FIGURE 2 AC POWER Dl5TR:8UT10N TO EF5 COMP 0HENTS

.. . .. _ . . .- . , - . ~ . - - - - _. _ . __- . . ___ _ , - - -

f 13 - ,

}

~

1 tvtaty seconds of water remaining in the header.

In the event of LMF/ LAC (Case 3), EFS is still adequately operable I because startup and operation of the TDP is not ac dependent.

2.5 Instrumentation and Control 2.5.1 Initiation Logic 4 A functional diagram for EFS initiation logic is shown in Figure 3.

The diagram is simplified and does not show the redundancy, independence,-and divisional separation of the hardware. .The i control logic is powered from battery-backed buses.

?

The MDP's will start on low-low level in any one steam generator, j Safety Injection Signal, or undervoltage on either ESF bus or loss of all t'ree main feedwater pumps. The main feedwater pump trip .;

signal is a non Class 1E olectrical anticipatory start signal.

The TDP starts on low-low level in any two steam generators or i

undervoltage on both ESF buses.

j

! 2.5.2 EFS Flow Control

' The flow of emergency feedwater to each steam generator f rom the MDP's or the TDP can be controlled by air-operated Flow Control Valves (FCV's). Flow rates through the valves to the steam i

.s .

l 1

w . , . . - . - . . . - . - . - - , _ m-..-%* - - - , , _ + . - ---

3 - - - -

e--w- -

-es-- ,>-- - r-m+- * <-- ,.--r .,- . - , ,. , , , . .

1

  • "c '

L L L E E E D D D V V V E E E E E E 5 5 P P P L L L P O O P P P P E O E RI RI RI T L L L T

T T T $ - $

O O O A B C' L L L B'

  • " ' A
  • P. P P 5 'A

' *B' C' 5

w w L L w F G G G F F F F 5 / /

/ 5 M M M E 5 5 5 E 4 * -'

3

_ /

^I 2

DU C

4 I G

rl

' O L

N O

I T

I A

  • T I

IN 5

F E

N N 3 O  : 1 _ O  ; m'  :

I E

TI T t R U

I S 5 O

P O E G

E G

O P

T OV G I

F T A A U U T T O L L O

K K O O C C V V O R R O L E E L

H D D N N

I l

N .

U U S.

S. A C B C D D 1 I S S U U B B L @ L L

A A U A N

U N 4
U 4 A A N M

-r L M pL A M

4 p' . 4 p

5

4 pQ b

' ' EV ,'

L , '

'A A S. S

'B .

V M M )5 T P T P - - M T P R F R F EN A 8 - R F A E A E P 02 32 30 A E T D T D O 8 3 0 T D S M S T ( 2 2 2 $ M .

t 1 4 ,.!  !

l generators can be manually adjusted individually by hand controllers at either the main control board or the Control Room Evacuation Panel (CREP). On EFS initiation logic that starts either the MDP's (except the feedwater pump trip) or the TDP, the corresponding flow control valve for each steam generator will receive a signal to open regard-less of its position. Upon reset at the valve control switch, the operator can regain flow control.

A high flow signal, such as in the event of a secondary line break, automatically closes the respective flow control valve.

  • 2.5.3 Information Available to Operator In addition to the valve position indication previously described, the following EFS parameters are indicated in the Control Room:

. Pressure in the common feed line to each steam generator

. Suction pre (ure at each rump

. Level in the CST

. Flow in the common feed line to each steam generator 2.6 Operator Actions Assuming the CST is available, no operator actions are required to establish EFS flow in Cases 1, 2, or 3. If the CST is not available initially, or if the CST level has been depleted af ter EFS operation for several hours, operator action, backed up by automatic switch-over establishes Service Water supply to the EFS.

2.7 Testing Each EF Pump is tested once a month to demonstrate operability.

Pump testing involves closing the appropriate FCV's from the TDP or MDP headers. If the EFS is initiated, the FCV's will open; therefore, no EF pump is unavailable due to testing. When this test is performed it is also verified that each non-automatic valve in the flow path that is not locked, sealed or otherwise j

secured in position, is in its correct position and that each auto-matic valve in the flow path is in the fully open position whenever 4

- the EFS is placed in automatic control.

i I . .

At least once every 18 months during shutdown, the EFS is tested j to verif y that each pump starts automatically and upon receipt of each EP actuation test signal.

i 2.8 Technical Specifications P

, Technical specifications require:

i 1. All three EF pumps 'and associated flow paths to be operable 7

whenever the reactor is in Mode 1, 2, or 3. With one pump

, 1

( inoperable, three pumps shall be made operable within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> ,

I l- er the reactor should be brought to at least HOT STANDBY within the next 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and to HOT SHUTDOWN within the following 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />.

2. Both independent service water loops be operable whenever the f

reactor is in Mode 1, 2, 3, or 4. With only one service water i

T

  • m..w.-e.%.w.- y ,y,, v-- ,w v--.,-, ,- .--- n , , - - - --

, - - - . - - - . - - - - , , . . - - ,r. - - -,- ,, _ , , . . . _ , _ _ _ _.

- - - ~. . , - _ . . _- .. _ _ . . --. -

4 loop operable, restore at least two loops to operable status

- within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> or be in at least HOT STANDBY within the next 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and in COLD SHUTDOWN within the following 30 hours3.472222e-4 days <br />0.00833 hours <br />4.960317e-5 weeks <br />1.1415e-5 months <br />.

i

3. The condensate storage tank shall be operable containing a minimum volume of 150,000 gallors of water. -With the condensate 2 - storage tank inoperable, within 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> either:

1 1

1 a. Restore the CST to OPERABLE status or be in at least HOT j STANDBY within the next 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and in HOT SHUTDOWN within the following 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />, or

b. Demonstrate the OPERABILITY of the service water system as a backup supply to the emergency feedwater pumps and restore the condensate storage tank to OPERABLE status within 7 days or'be in at least HOT STANDBY within the next 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and in HOT SHUTDOWN within the following 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />.

, 3. Discussion 3.1 Mode of EFS Initiation

.i The EFS is initiated automatically. The MDP's will start on low-low L

j level in any one steam generator, Safety Injection Signal, or under-t

! voltage on either Engineered Safety Features (ESP) Bus or loss of all three main feedw.ter pumps. The main feedwater pump trip 3

signal is a' non Class 1E electrical anticipatory start signal.

The TDP starts on low-low level in any two s team generators or i

\

1 4

r.,. . ,__-fr,,._., , _ , . - -. . , , . . . , . -~.__.,.,y..,w., . . . , . - - .- ,,e . . -- em . .- -,

undervoltage on both ESF buses. In the event of low suction pressure the service water motor operated valves will 3 pen.

SCE&G has adequately described the system. Automatic initiation of the system is of prime importance because it e'*minates human error events 'and thereby increases overall system re'iability.

The major concern is the fact that the SWS backup is not automa-tically available in suf ficient time to prevent pump failure in the event the primary source of water, the CST, is unavailable.

3.2 ' system Control Following Initiation Af ter initiation flow control can b' established by the operator through the Flow Control valves. By observing the water level indicators for the CST the operator can open the service water motor operated valves at the appropriate time to prevent loss of feedwater suction pressure.

3.3 Test and Maintenance Procedures and Unavailability SNL questioned the policies of SCt G concerning Test and Maintenance.

SNL was informed that Test and Maintenance programs for the Emergency Feedwater System components are in compliance with ASME Section XI, Technical Specifications, and ANSI 18.7 criteria. System unavail-ability during operation is kept to a mininum by planning all corrective maintenance for times when the plant is in a cold shut-down status. Redundant train operability is verified prior to removal of an alternate train from service. Maintenance and test

4

^

results are reviewed for problem areas and any trends that may be developing. At present, most preventive and corrective mainten-i ance procederes for the system have been written. Test procedures for the system and components are being prepared at this time with a j

scheduled completion date of January 1, 1981. SCE&G conforms with a 4

j minimum downtime during operation p'olicy which increases the avail-ability of emergency equipment during operation and thus increases the reliability (availability on demand) ot the EFS.

3.4 Adequacy of Emergency Procedures SNL was informed that Emergency Feedwater is addressed in Station Emergency Operating Procedures E0P-1, " Safety Injection," E0P-5, i

" Reactor Trip," and E0P-13, " Natural Circulation." In all cases, 1 steps are provided to:

2

1) verif y emergency feedwater pump operation,
2) verify flow to steam generators,
3) describe the nethod for and criteria for an operator assuming control of emergency feedwater flow,
4) verif y Condensate Storage Tank level, and I 5) describe how to transfer to Service Water backup on loss of cor.densate water.

These procedures are under review by the resident NRC inspectors for adequacy. They eeem to have covered the emergency operations i

t

necessary for the EFS. Emergency Procedures are very necessary as a backup for automatic operations and for surveillance and control of the EFS operation af ter system initiation. This af fects system reliability by allowing, in the case of an automatic system like Summer, a human action backup if suf ficient time is available. This ba'ckup increases EFS reliability; however, extreme care on the part of the operators coupled with a detailed knowledge of system interactions is required to keep from defeating'necessary functioning safety systems.

3.5 Adequacy of Power Sources and Separation of Power Sources At Summer the motor driven EF pumps are supplied with power from different buses which are, under a Loss of Offsite Power condition, powered from the diesel generators. This arrangement is shown in Figure 2. This figure also shows which motor operated valves are powered from these buses. A description of the separation criteria for redundant electrical systems is contained in FSAR Section 8.3.1.4. Separation of power systems is necessary to eliminate couron cause f ailure events f rom reliability considerations. In doir.g so EFS reliability is increased. The Summer system is considered adequate.

l 3.6 Availability of Alternate Wai 3r Sources l

SCE&G does not take credit for an alternate source of EF in 1

the event suction pressure is lost. All losses in suction pressure must be anticipated and action taken by the operator prior to the loss. This defeats the purpose for the automatic valves on the Service Water supply to the EF pumps and causes SCE&G not to comply with the intent of Recommendation CL-2(3),

In response to SNL questions on this subject SCE6C replied that:

(1) If the EF System supply line maintenance valve 1010 is in the closed position, pump f ailure may occur because a vacuum and no flow iondition will develop very rapidly. The automatic switchover to the SW System is not quick enough to definitely state that damage to the EF pumns would not occur, and (2) Credit was not taken for automatic initiation of the Service Water System backup. Credit is taken for automatic initiation in the event of a catastrophic loss of CST inventory provided that demand for EF does not occur at the same time.

l

! 3.7 Potential Common Mode Failure i

l A common mode, or more gr 'erally, common cause f ailure "is a group of component failures, with or without the same failure mode, that are the direct result of the same event, cause or condition, and that leads directly to a specific system f ailure." Design considera-i tions, both plant-specific and generic, external phenomena (environment) l l

1 l

l l

and maintenance / test actions are potential pathways for the occurrence of common cause failures. The features of V. C.

Summer Nuclear Station that mitigate common cause failures due to each of the above pathways are listed below:

~

Plant Specific Design Related Features (a) Redundant, safety grade instrumentation and control for EFS flow, pump startup, and automatic EFS initiation.

(b) Diversity of EF pump power sources - ac and steam.

(c) Diversity of MDP ac sources - of f site power and onsite diesel generators.

(d) Independence of the TOP, its auxiliaries and controls from ac power.

(e) Diversity of EFS actuation input signals.

(f) Flexibility of supplying EF to any combination of steam generators from the TDP and MDP headers.

(g) Automatic isolation of depressurized steam generators.

(h) Independent fl_, control to each steaa generator.

(1) Ability to isolate essential portions of the EFS from f ailed compoaents while accomplishing the safety objective.

(j) Use of flow control valves with fa'l safe modes.

(k) Flexibility to perform over a wide range of operating and accident conditions.

(1) Capability for automatic startup and run without operator intervention for a minimum of ten minutes; flexibility of operator intervention at startup or manual start of the EFS A

23 -

from the Control Room.

1 (m) Availability of a backup EF source f rom the SWS. .

t I

i Generic Design Related Featurea '

j (n) An applicable industry-wide t *.perience history for AFWS design and equipment.

l (o) EFS equipment procurement (under 10CFR50, Appendix B, QA 1

, programs) which includes design control.

1 (p) Conformance to recognized industry standards and criteria.

i External Phenomena

(q) Location of the EFS in Seismic Category 1 structures.

(r) llousing of the EFS in structures designed to withstand the l

effects of tornados and floods. *

(s) Protection from flooding from feedwater and EF line breaks.

(t) Design to withstand pipe whi,p and impingement effects

, resulting from high and moderate energy line breaks.

(u) Physical separation of the TDP from the !IDP's which includes a fire barrier.

i-(v) Qualification of equipment to withstand high temperature and humidity resulting from Intermediate Building steam line breaks.

i.

Maintenance / Test Related Features (w) Test and maintenance programs in compliance with ASME Section XI, Technical Specifications and ANSI 18.7 criteria.

) (x) Ifonthly MDP and TDP testing not requiring closing of manual isolation valves.

i

& ,.. . . ,.+ s. , , r. - . . , . . ., . - ~ - , , w --- - - , , - ie-= * --= ~-w --- --- v-- -

vr--"w-

(y) Monthly position verification of all EFS valves including locked valves.

(z) Test, maintenance and functional verification procedures.

  • 8

. Application of Data Presented in NUREC-0611 The basic report (2)did not contain a table which included all fault tree events. The revision (5)to the report did and nost data was taken from NUREG-0611. The first order event data deviated from that presented in NUREG-0611 and the reasons for such deviations were explained. The first order event contributed a major portion to the overal2 system reliability at.d therefore changing its assess-ment made comparison to other similar operating plants as shown on Figure 4 less meaningful.

3.9 Search for Single Failure Points The only single failure point (SFP) associated with this design is the Valve 1010 on the suction line at the CST and the associated piping.

This would not be an SFP if the conditions for automatic functioning of the SW backup in time to prevent pump starvation and damage were

! established and met. Any SFP has a major ef fect on the reliability l

of an essentially redundant system and should be thoroughly reviewed.

l l

3.10 Human Factors / Errors lluman Factors / Errors were considered by SCE&G where appropriate in the fault tree. Automation is a major factor in decreasing the effect on reliability of these types of events.

3.11 NUREC-0611 Recommendations, Long and Short Tera 3.11.1 Short-Tern Generic Recommendations

1. Technical Specification Time Limit on AFW System Train Outage Concern f

Several of the plants reviewed have Technical Specificati ns that permit one of the AFW system trains to be out of service for an indefinite time period. Indefinite outage of one train reduces the defense-in-depth provided by multiple AFW system trains.

Recommendation GS-1 The licensee should propose modifications to the Technical l Specifications to limit the time that one AFW system pump and l its associated flow train and essential instrumentation can be inoperable. The outage time limit and subsequent action time should be as required in current Standard Technical Specifica-tions; i.e., 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> and 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />, repectively.

Response

V. C. Summer Technical Specification 3.7.1.2 complies.

I 1

- - - - - - = -

l

)

II. Technical Specification Administrative Controls on Manual Valves-Lock and Verif y Position Concern Several of the plants reviewed use a single manual valve or multiple valves in series in the common suction piping between the primary water source and the AFW system pump suction. At some plants, the valves are locked open, while at others, they are not locked in position. If the valves are inadvertently lef t closed, the AFW system would be inoperable, because the water supply to the pumps would be isolated. Since there is no remote valve position indication for these valves, the operator has no immediate means of determining valve position.

Further, the Technical Specifications for plants with locked-open manual valves do not require periodic inspection to verify that the valves are locked and in the correct position. For most j plants where the valves are not locked open, valve position is verified on some periodic basis.

Recommendation GS-2 The licensee should lock open single valves or multiple valves

-in series in the AFW system pump suction piping and lock open other single valves or multiple valves in series that could interrupt all APW flow. Monthly inspections should be performed to verif y that these valves are locked and in the open position.

These inspections should be proposed for incorporation into the surveillance requirements of the plant Technical Specifica-tions. See Recommendation CL-2 for the longer-term resolution of this concern.

Response

See long-term item (CL-2).

III. AFW System Flow Throttling-Water Hammer Concern Several of the plants reviewed apparently throttle down the AFW system initial flow to eliminate or reduce the potential for water hammer. In such cases, the overall reliability of the AFW system can be adversely af fected.

Recommendation GS-3 The licensee has stated that it throttles AFW system flow to avoid water hammer. The licensee should reeramine the practice of throttling AFW system flow to avoid water hammer.

The licensee should verify that the AFW system will suppply on demand sufficient initial flow to the necessary steam generators to assure adequate decay heat removal following loss of main

feedwater flow and a reactor trip from 100 percent power.

In cases where this reevaluation results in an increase in initial AFW system flow, the licensee should provide sufficient information to demonstrate that the required initial 1FW system flow will not result in plant damage due to water hammer.

Response

The EF system is not throttled to avoid water hammer. Extensive teTting was performed during Hot Functional Testing on the Emergenef Feedwater System c0ncerning water hammer. With at least one motor driven pump running on mini-flow, full flow was introduced to each steam generator separately at several different initial steam generator icvels. For each of these conditions on each steam generator, the applicable system piping was observed to verify that no abnormal vibration or noise occurred. Also, all three Emergency Feedwater Pumps were individually started and individually aligned to deliver flow to all three steam generators and then the pump stopped. Under these conditions for each pump, the pump and associated piping was observed to verify that no abnormal vibration existed.

IV. Emergency Procedures for Initiating Backup Water Supplies Concern Most of the plants do not have written procedures for trans-ferring to alternate sources of AFW supply if the primary supply is unavailable or exhausted. Without specific criteria and procedures for an operator to follow to transfer to alternate water sources, the primary supply could he exhausted and result in pump damage or a long interruption of AFW flow.

Recommendation GS-4 Energency procedurer for transferring to alternate sources of AFW supply should be available to the plant operators. These proce-dures should include crfteria to inform the operators when, and l

in what order, the transfer to alternate water sources should take place. The following cases should be covered by the procedures:

l l

(1) The case in which the primary water supply is not initially available. The procedures for this case should include any operator actions required to protect the AFW system pumps i against self-damage before water flow ia initiated.

l l

(2) The case in which the primary water supply is being depleted.

f The procedure for this case should provide for transfer to the alternate water sources prior to draining of the primary water supply.

Respons,e The Emergency Feedwater System procedure is being modified to incorporate automatic transfer to Service Water on Low Emergency Feedwater Pump Suction Pressure. Emergency Operating Procedures E0P-1, " Safety Injection," E0P-5,

" Reactor Trip," and E0P-13. " Natural Circulation," require verification of Automatic Transfer when required' . System Operating Procedure SOP-211, " Emergency Feedwater System" details how the operator can transfer to Service Water and what action to take if the Condensate Storage Tank is not available.

V. Emergency Procedures for Initiating AFW Flow Following a Complete Loss of Alternating Current Power Concern Some operating plants depend on ac power for all sources of AFW system supply, including the turbine-driven pump train.

In the event of loss of offsite and onsite ac power, ac-dependent lube oil supply or lube oil coolinr for the pump will stop, and/or manual actions are requir d to initiate the AFW flow f rom the turbine-driven pump by nar.ually opening the turbine steam admission valve and 'or AFW system flow control valves. There are no procedures available to the plant ore.stors for AFW system initiation and control under these conditions.

This could result in a considerable time delay for AFW system

' initiation, since the operators would not be guided by ocedures dealing with this event.

Recommendation GS-5 The as-built plant should be capable of providing the required AFW flow for at least two hours from one AFW pump train, independent of any ac power source. If manual AFW system initiation or flow control is required following a complete loss of ac power, emergency procedures should be established for manually initiating and controlling the system under these conditions. Since the water for cooling of the lube oil from the turbine-driven pump bearings may be dependent on ac power, design or procedural changes shall be made to eliminate this dependency as soon as practicable. Until this is done, the emergency procedures should provide for an individual to be stationed at the turbine-driven pump in the event of the loss of all ac power to monitor pump bearing and/or lube oil temperatures. If necessary, this operator would operate the turbine-driven pump in an on-off mode until ac power is restored. Adequate lighting powered by direct current (de) pcwer sources and communications at local stations should also be provided if manual initiation and control of the AFW system is needed. (See Recommendation GL-3 for the longer-term resolution of this concern).

u

Response

See long-term item (CL-3).

VI. AFW System Flow Path Verification Conce rn Periodic testing of the AFW system is accomplished by testing

! individual components of one flow train (periodic pump recirculation flow test or automatic valve actuation), thus-altering the normal AFW system flow path (s). The flow ta7shility of the entire AFW system, or at least one integral AFW system train, is only demonstrated on system demand following a transient, or if the AFW system is used for. normal plant startup or shutdown.

Recent Licensee Event Reports indicate a .eed to improve t he quality of system testing and maintenance. Specif*cally, periodic testing and maintenance procedures inadvertently result in (1) more than one AFW system flow train being unavailable during the test, or (2) the AFW system flow train under test not being properly restored to its operable condition following the

' test or maintenance work. The Office of Inspection and 5nforce-ment has taken action to correct Item (1); the recommendation t

, below is made to correct Item (2).

4 I

i 6

_ _ _ _ _ _ _ _ _ _ _ - , - - , _ . - - w -, , ,, -- . - - = ,, - . , , , - - -----w- __ ,,w.- .,,y ,, , , ,,y, -

P l

3 Recommendation GS-6

! The licensee should confirm flow path availability of an AFW system flow train that has been out of service to perform periodic testing or maintenance as follows:

d (1) Procedures should be impleaented to require an operator to determine that the AFW system valves are properly I aligned and a second operator to independently,verif y 4

that the valves are properly aligned.

(2) The licensee should propose Technical Specifications to i

assure that, prior to plant startup following an extended cold shutdown, a flow test would be performed to verif y

~

l the normal flow path f rom the primary AFW system water source to the steam generators. The flow test should i

4 be conducted with AFW system valves in their normal l I alignment.

i i Response Station Surveillance Test Procedures STP-120.001, " Surveillance

' Testing of Motor Driven Emergency Feedwater Pump (s)," STP-120-002, ,

i

" Surveillance Testing of Turbine Driven Emergency Feedwater Pump,"

and STP-120.003, " Surveillance Testing Emergency Feedwater Monthly Valve Alignment Verification," are the applicable Surveillance l Test Procedures. These procedures address the requirements of

Technical Specification Limiting Condition for Operating 3.7.1.2 and 3.7.1.3. The last step of STP-120.001 and STP-120.002 requires independent verification that the Emergency Feedwater System has been returned to procedure designated status at the completion of the test STP-120.003 relates to verification that the valves are in procedure designated status. These procedures insure that the system is returned to the proper configuration after maintenance and testing. A:tual flow to the steam generators is verified every startup and shutdown by using the Emergency Feedwater System to supply flow to the steam generators.

VII. Non-Safety Grade, Non-Redundant AFW System Automatic Initiation Signals Concern Some plants with an automatically initiated AFW system utilize some initiation signals that are not safety grade, do not meet the single failure criterion, and are not required 1 y the Technical Specifications to be tested periodically. This can result in reduced reliability of the AFW system.

Recommendation GS-7 The licensee should verify that the automatic start AFW system signals and associated circuitry are safety grade. If this cannot be verified, the AFW system automatic initiation system

l should be modified in the short-term to meet the functional requirements listed below. For the longer-term, the automa-

} tic initiation signals and circuits should be upgraded to meet safety grade requirements, as indicated in Recommendation CL-5.

(1) The design should provide for the automatic initiatior.

of the AFW system flow.

(2) The automatic initiation signals and circuits should be designed so that a single failure will not result in the loss of AFW system function.

(3) Testabilit y of the initiation signals and circuits shall be a feature of the design.

(4) The initiation signals and circuits should be powered from the emergency buses.

(5) Manual capability to initiate the AFW system f rom the control room should be retained and should be implemented so that a single failure in the manual circuits will not result in the loss of system function.

(o) The ac motor-driven pumps and valves in the AFW system should be included in the automatic actuation (simultaneous and/or sequential) of the loads to the emergency buses.

(7) The automatic initiation signals and circuits shall be designed so that their failure will not result in the loss of manual capability to initiate the AFW system f rom the control room.

Response

See long-term item (GL-5).

VIII. Automatic Initiation of AFW Systems Concern For plants with a manually initisted AFW system, there is the potential for f ailure of the operator to manually. actuate the system following a transient in time to maintain the steam generator water level high enough to assure reactor decay heat removal via the steam generator (s). While lE Bulletin 79-06A requires a dedicated individual for W-designed operating plants with a manually initiated AFW system, further action should be taken in the short-term. This concern is identical to Item 2.1.7a of NUREG-0578. .

Recommendation GS-8 The licensee should install a systee to automatted11 initiate AFW system flow. This system need not be saf et y grade; however, in the short-term, it should meet the criteria listed below, which are similar to item 2.1.7a of NUkEG-0578. For the longer-term, the automatic initiation signals and circuits should be upgraded to meet safety grade requirements, as indicated in Recommendation GL-2.

1 (1) The.. design should provide for the automatic initiation of the AFW system flow.

(2) The automatic initiation signals and circuits should be designed so that a single failure will not result in the loss of AFW system function.

(3) Testability of the initiation signals and circuits should be a feature of the design.

(4) The initiating signals and circuits should be powered from the emergency buses.

(5) .lanual capability to initiate the AFW system from the control room should be retained and should be implemented so that a single failure in the manual circuits will not result in the loss of system function.

(6) The ac motor-driven pumps and valves in the AFW system should be included in the automatic actuation (simultaneous and/or sequential) of the loads to the emergency buses.

(7) The automatic initiation signals and circuits should be designed so that their failure will not result in the loss of manual capability to initiate the AFW system from the Control room.

Response

See long-term item (GL-1).

i l l

l 3.11.2 Additional Short-Term Recommendations I. Primary AFW Water Source Low Level Alarm Concern Plants which do not have level indication and alarm for the primary water source may not provide the operator with sufficient information to properly operate the AFW system.

Recommendation The licetace should provide redundant level indication and low level alarms in the control room for the AFW system primary water supply, to allow the operator to anticipate the need to make up water or transfer to an alternate water supply and prevent a low pump suction pressure condition from occurring.

~

The low level alarm setpoint should allow at 1 cast 20 minutes "

for operator action, assuming that the largest capacity AFW pump is operating.

Response

V. C. Summer has redundant level indication and low 1cyc1 alarms in the control room for the Condensate Storage Tank, the EFS Y primary water supply, as shown on FSAR Figure 10.4-16. The low level alarm setpoint allows at least 20 minutes for operator action, assuming that the largest capacity EF pump is operating.

II. AFW Pump Endurance Test Concern Since it may be necessary to rely on the AFW system to remove decay heat for extended periods of time, it should be demon-strated that the AFW pumps have the capability for continuous operation over an extended period without failure.

Recommendation The licensee should perform a 72 hour8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> endurance test on all AFW system pumps, if such a test or continuous period of operation has not been accomplished to date. Following the 72 hour8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> pump run, the pumps should be shut down and cooled down and then restarted and run for one hour. Test acceptance criteria should include demonstrating that the pumps remain within design limits with respect to bearing / bearing oil temperatures and vibration and that pump room ambient conditions (temperature, humidity) do not exceed environmental qualification limits for safety-related equipment in the room.

Response

A seventy-three (73) hour endurance test was performed on all three Emergency Feedwater Pumps at conditions which reflect the normal operating conditions for pump flow, head, speed and steam

. . . . . . )

l temperature. The test results demonstrate that acceptable .

performance was achieved for the three Emergency Feedwater Pumps.

These tests were performed by running primarily on recircula-tion flow. The Motor Driven Pumps were run for the entire 73 hours8.449074e-4 days <br />0.0203 hours <br />1.207011e-4 weeks <br />2.77765e-5 months <br />, but the Turbine-Driven Pump was run for a total of 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> and 40 minutes. Approximately 37 1/2 hours into the run, the flow control valves associated with the Turbine Driven Puip inadvertently went to the full open position due to testing of the flow control valve cards by 1&C technicians in the Relay Room. Operator action was to secure valve 2030-MS which cut off steam to the turbine. The Turbine Driven Pump was restarted after a 20 minute shutdown and run for an additional 35 1/2 hours. Note that the 72 hour8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> requirement has been reduced by the NRC to 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br />. This short interruption is not significant for three reasons. The first is that the shutdown was not due to a problem related to the pump. The second is that the test was continued before the system had cooled down significantly.

The third reason is that the test was performed for a total of 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> and 40 minutes, which greatly exceeds the 48 hour5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> requirement.

Bearing / bearing oil temperatures were monitored on all the pumps over the duration of the testing. The temperatures did not exceed the design limits and were therefore acceptable. For the

Turbine Driven Pump, the steam temperature was above 4000F for approxinately 65 hours7.523148e-4 days <br />0.0181 hours <br />1.074735e-4 weeks <br />2.47325e-5 months <br /> (the last 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> was performed at steam temp' res less than 4000F). The 65 hour7.523148e-4 days <br />0.0181 hours <br />1.074735e-4 weeks <br />2.47325e-5 months <br /> test exceeds the current requirement for a 48 hour5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> endurance test.

Pump Room and area ambient conditions were observed to be within acceptable limits during the testing.

The vibration parameters measured during the testing are not considered to be outside allowable limits. Ilowever, prior to the 72 hour8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> run, a detailed analysis of the "A" pump motor indicated that the motor horizontal readings were in the "slightly rough" region. Additional bracing will be added to both the "A" and "B" pump motors to correct this problem. Also, on the "B" pump, at the beginning of the 72 hour8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> run, vibration data was taken and analysis indicated that the readings were marginal (slightly rough). A new thrust bearing will be installed to correct this problem.

t Upon completion of these modifications, new vibration measurements will be taken to insure that vibration conditions have been improved.

Cooling of the EF pump rooms is not required for the accident condition as these pumps are qualified for steam line break conditions. Safety related cooling to these areas is provided

as an additional level of protection. Section 3.11 of the PSAR discusses the environmental qualification of thir ;quipment.

III. Indication of AFW Flow to the Steam Generators

',ncern Indication of AFW flow to the steam generators is considered important to the manual regulation of AFW flow to maintain the required steam generator water level. This concern is identical to item 2.1.7b of NUREG-0578.

t Recommendation The licensee should implement the following requirements as specified by Item 2.1.7b on page A-32 of NUREG-0578.

(1) Safety grade indication of AFW flow to each steam generat r should be provided in the control room.

(2) The AFW flow instrument channels should be powered from the energency buses consistent with satisfying the emergency power diversity requitements for the AFW system set forth in Auxiliary Systems Branch Technical Position 10-1 of the Standard Review Plan, Section 10.4.9.

l

Response

Saf et y grade, redundant indication of EF flow to each steam generator is provided in the control room. The EF flow instrument channels are powered from the emergency buses.

IV. AFU System Availability During Periodic Surveillance Testing Concern Some plants require local manual realignment of valves to conduct periodic pump surveillance tests on one AFW system train. When such plants are in this test mode and there is only one remaining AFW system train available to respond to a

' demand for initiation of AFW system operation, the AFW system redundancy and ability to withstand a single f ailure are lost.

Recossendation

+

F Licensees with plants which require local manual realignment of valves to conduct periodic tests on one AFW system train and which have only one remaining AFW train available for operation, should propose Technical Specifications to provide that a dedicated individual who is in communication with the control room be stationed at the mani: 1 valves. Upon instruction from the control room, this operator would re-align the valves in the AFW system from the test mode to its operational alignment.

Response

The V. C. Summer Nuclear Station does not require the realign-ment of local manual valves to conduct periodic tests on one EFS.

The EP control valves may be operted from the control room to isolate the EF pumps for periodic testing.

3.11.3 Long-Term Generic Recormendations

1. Automatic Initiation of AFW Systems Concern This concern is the same as short-term generic Recommendation GS-8; namely, failure of an operator to actuate a manual start i

AFW system in time to maintain steam generator water level high l

enough to assure reactor decay heat removal via the steam generator (s).

Recommendation GL-1 For plants with a manual starting AFW system, the licensee should install a system to automatically initiate the AFW a.ystem flow.

This system and associated automatic initiation signals should be designed and Installed to meet safet y grade requirments.

Manual AFW system start and control capability should be retained with nanual start serving as f ackup to automatic AFW system initiation.

I

Response

The V. C. Sumner Nuclear Station EFS is automatically initiated.

II. Single Valves in ti e AFW System Flow Path Concern This concern is the same as short-term generic Recommendation GS-2; namely, AFW system inoperability due to an inadvertently closed manual valve that could interrupt all AFW system flow.

Recommendation GL-2 Licensees with plant design in which all (primary and alternte) water supplies to the AFW systems pass through valves in a single flow path, should install redundant parallel flow paths (piping and valves).

Licensees with plant designs in which the primary AFW system water supply passes through valves in a single flow path, but the alternate AFW system water supplies connect to the AFW system pump suction piping downstream of the above valve (s),

should install redundant valves parallel to the above valve (s) or provide automatic opening of the valve (s) from the alternate water supply upon low pump suction pressure.

The licensee should propose Technical Specifications to incor-porate appropriate periodic inspections to verif y the valve positions into the surveillance requirements.

Response

In the EFS design, the primary EFS water supply passes through l

a valve, 1010-EF, in a single flow path, but the alternate EFS water supply connects to the EF pump suction piping dcwnstream of the above valve. Automatic opening of the valves from the alternate water supply, Service Water System, upon low pump suction pressure is provided. Also, valve 1010-EF has a limit a switch which, through the BlSI system, is alarmed in the control room when it is not in the full open position.

Tech (ical Specification Surveillance Requirment 4.7.1.2(3) requires at least once per 33 days a verification that each non-automatic valve in the flow path that is not locked, sealed, or otherwise secured in position, is in its correct position.

Also Surveillance Requirement 4.7.1.2(4) requires a verification that each automatic valve in the flow path is in the fully open )

position whenever the Emergency Feedwater System le placed in automatic control or when above 107. nated Thermal Power.

s i

III. Elimination of AFW System Dependency on Alternating Current Power Following a Complete Loss of Alternating Current Power Concern This concern is the same as short-term generic Recommendation GS-5; namely, delay in initiation of AFW system operation t i maintaining AFW system operation following a postulated loss of onsite and offsite ac power; i.e., ac poder blackout.

Recommendation GL-3 At least one AFW system pump and its associated flow path and essential instrumentation should automatically initiate AFW system flow and be capable of being operated independently of any ac power source for at least two hours. Conversion of de power to ac power is acceptable.

Response

The turbine driven EF pump and its associated flow path and essential instrumentation automatically initiate EFS flow and are capable of being operated independent of any ac power source for at least two hours.

IV. Prevention of Multiple Pump Damage Due to Loss of Suction Resulting from Natural Phenomena Concern in many of the operating plants, the normal water supply to the AFW system pumps (includlag the interconnected piping) is not protected from earthquakes or tornadoes. Any natural phenomenon severe enough to result in a loss of the water supply could also be severe enough to cause a loss of of fsite power with loss of main feedwater, resulting in an automatic initiation sigaal to riart the AFW system pumps. The pumps would start without any suction head, leading to cavitation and multiple pump damage in a short period of time, possibly too short for tha operators to take action that would protect l the pumps. This may lead to unacceptable consequences for some plants, due to the complete loss of feedwater (main and auxiliar y) .

Recommendation GL-4 Licensees having plants with unprotected normal AFW system water supplies should evaluate the design of their AFW systems to determine if automatic protection of the pumps is necessary following a seismic event or a tornado. The time available before pump damage, the alarms and indications available to the control room operator, and the time necessary for assessing

the problem and taking action shoul.1 he considered in determining whether operator action can be relied on to prevent pump damage. Consideration should be given to providing pump protection by means such as automatic switch-over of the pump suctions to the alternate safety grade source of water, automatic pump trips on low suction pressure, or upgrading the normal source of water to meet Seismic Category I and tornado protection requirements.

Response

Automatic switchover of the pump suction to the alternate safety grade source of water is being provided to af ford protection for the EF pumps. There is no Automatic pump trip.

The Service Water System is a saf ety grade source of water' .

The Service Water Pumps take suction from the service water pond, a Seismic Category 1 impoundment adjacent to Monticello Reservoir.

V. Non-Safety Grade, Non-Redundant AFW System Automatic Initiation Signals Concern This concern is the same as short-term generic Recommendation GS-7; namely, reduced AFW system reliability as a result of use of non-safety grade, non-redundant signals, which are not

periodically tested, to automatically initiate the AFW system.

Recommendation GL-5 The licensee should upgrade the AFW system automatic initiation signals and circuits to_ meet safety grade requirements.

Response

The EFS automatic initiation signals and circuits are redundant and meet safety grade requirements. In addition, a non-safety-grade, anticipatory signal, from a trip of all main feedwater pumps, i. used to start the,two motor driven emergency feed-water pumps.

4. Major Contributors to Unreliability SCE&G lists.the.following major contributors for each case:

Case 1 - LMFW

l. The single most important contributor to EFS unavailability results from the EF supply line maintenance valve.(1010) being plugged at EFS startup. System failure results because all pumps are postulated to fail if started in a starved condition.

SCG&E assigns a value of lx10-5 to valve 1010 plugged. The total demand unavailability for case 1 is 1.2 x 10-5 Since valve 1010 in a plugged state is a first order term, it accounts

3 for approximately 80% of the EFS demand-unavailability.

4

2. Preventive maintenance outages on an EF pump combined with other i

active failures account for the next greatest contribution to system unavailability. The TDP in maintenance presents a greater restriction on EF availability than an MDP in maintenance.

3. Motor circuit start failures dominate individual MDP failure.
4. Mispositioned pump suction isolation valves can lead to pump damage at startup.

Mispositioned pump discharge valves will result in no flow to 4

I the MDP or TDP header, respectively. Pump recirculation and I flow instrumentation are available allowing control room diagnosis of the problem without pump destruction occurring.

f Operator correction of closed discharge valves was not considered I

in this analysis.

l Header discharge valves and EF flow p shs to the steam generators had no substantial effect on EFS unavailability. This is due to the normally open EF flow control valves and automatic opening whenever the valves are in manual control including pump test.

i l

l l~

i l

_ -. __ .. .._m _ __ _ . . .- _ _ _ _ _

1 1

Case 2 - LMFW/ LOOP The failure contributors for this case are similar to those in Case 1.

Loss of offsite power has no effect on the system availability when both diesel generators are available because all ac dependencies are are supplied by the ESF buses IDA and 1DB.

1 Loss of one diesel generator reduces system availability because of

~

the loss of an MDP. All other contributors remained unaffected. i i-4 Case 3 - LMFW/ LAC r

The TDP train of the EFS is independent of all ac and air supe les.

! For this case the Service Water System is unavailable as a backup source of water to the EFS because of ac operated components in the SWS. The TDP train and flow path through flow control valves FCV 3536/3546/3556 is the only means of providing EF to the steam

. generators. Unlike Case 1 and Case 2 above, very little EFS redun-dancy exists.

i i

Contributors limiting EFS availability at demand for the LMF/ LAC case

[

include:

l 1. -Outages of'the TDP for unscheduled maintenance.

2. Failure of the TDP steam isolation valve 2030 to open.
3. Mechanical failure of-the TDP.

i

l

4. Failure of the turbine drain system due to plugging and/or human error.
5. Pump discharge manual valve 1036 closed due to human error (resulting from TDP maintenance).
6. Loss of CST inventory.

TDP unscheduled mafntenance outages are responsible for approximately l 50% of the LMF/ LAC unavailability. Items 2 through 6 contribute approximately equally to the remaining 50%.

SNL agrees with the above listing. No quantification of results was made by SCE6G nor were results quantified in NUREG-0611.

A very rough numerical estimate of the reliability reported by Summer is derived from Figure 4. For Case 1 the failure prabability is 1.2 x 10-5; for Case 2 1.2 x 10-5, and for Case 3 ix 10-2, The events describing valve 1010 are assessed by SCE&G to be 1 x 10-5,*

Therefore for Case 1 and 2 the remainder of the system contributes a small amount in comparison. Extracting values for the individual contributors for Case 3 as listed above was not attempted.

  • SNL does not agree with this assessment since NUREG-0611 gives a value of 1x10-4 for valves being plugged. If 1x10-4 were used this would shift the Summer rating on Figure 4 from the high to melium range for Case 1 and 2.

l l

Tsenstems Eveats LMFW t.Mtw/toor Lurw/te,s of Att AC*

Nats Low Med l High Low l Med l lfish low l Med ICsh

._ __ _ _ _. _ _ _ _ mas -

Westinghouse y

_=_-

lia#dem Neck 9 _b__ dD

$sn Onefee O O <>-Hi Pe elete Island 4> d> di S tem 4P-= 0 4HD Ei Y en & 9 4>

Yeakes newe O O o Teolen Ci 9 (>

Irdie1 Point 4i 9 4>

Ke. nes 9 3 0

= ---- - _._ - _ -

g 6L D. Robinson 1> 9 1>

Dee.or Valley Cinna G '

9 O

9 4>

E

'__ s ft Death 9 G 4>

Caoh 9 9 4>

Twhey Pt. 9 9 tb To ter C e 0 Swry 9 9 4  :;

No. Anna 9 9 9 V.C. SUMMER i X G ( X. 9 l kO _

-l l*-- 0, der of FAssaisude la Une.eitatstisy flopesie : d.

X - SNL detemined comparison ' Note: The scale for this event is not the same as that for the LMFW and LMFW/ LOOP.

FIGURE 4 COMPARISON OF Y.C. SUMMER UNIT 1 EFS RELIABILITY WITH THAT OF OPERATING \fESTINGHOUSE PLANTS

h 1 l t

5. . Concern Although SCE&G reported that automatic opening of the valves from the alternate water supply, service water system, upon 4

low pump suction pressure is provided, no credit is taken for it in the reliability analysis. It was r,tated that the 7

automatic system may not function fast enough to prevent pump damage.

3 Some Nuclear Power Plants report that pumps can run as long as five minutes with no Net Positive Suction Head (NPSH).

A more realistic value is thought to be one minute which allows ample time for automatic valves to function. Some engineers questioned felt that the remaining water-in the

-line af ter a low NPSH signal would be sufficient to provide i

some water to the pump and that the header would not run dry in the time required for valve opening. If this is true, the service water system is a system that can be considered in parallel to the CST supply and valve 1010 failure is no longer a first order event. The probability of valve 1010 failure can then be "AND"ed with the SW system failure and at least an order of magnitude improvement (decrease) in the failure probability realized. This would eliminate the necessity for using a value l

of 1 x 10-5 for valve 1010 failure when NUREG-0611 states that 1 x 10-4 is the value to use for a manual valve (plugged) for l

comparison purposes.

1 i

6. Conclusions The comparison of the reliability of the V. C. Summer Nuclear  !

Station Unit 1 Emergency Feedwater System with the reliability l

for similar systems of operating Westinghouse Plants shows that the V. C. Summer reliability is at the high end of the range for operating plants. We are not in agreement with this assessment for case 1 and 2 because NUREG-0611 values for valves plugged were not used. Were the values in NUREG-0611 used the assessment would be in the medium range.

SCE&G has complied with requirement (b) of the letter which states, i

1

"(b) perform a reliability evaluation similar in method to that i i

j described in Enclosure 1 that was performed for operating plants

! and submit it for staff review." Enclosure 1 to the letter of l

l March 10 provides the applicable portions of NUREG-0611 which i deal with the Auxiliary Feedwater Systems.

l I

i

e Glossary of Terms

~

AC. Alternating Current

ac alternating current f

AFW Auxiliary Feedwater AFWS Auxiliary Feedwater System ANSI American National Standards Institute ASME American Society of Mechanical Engineers

.BISI By-Pass and Inoperable Status Indication CFR Code of Federal Regulations CR Control Room Control Room Evacuation Panel CREP C.S. - Control Switch for the Steam Admission Valve i

CST Condensate Storage Tank EDC Direct Current de direct current i DWST Demineralized Water Storage Tank i

I EF Emergency Feedwater EOP Emergency Operating Procedures l

l EFS Emergency Feedwater Systet*

l

-ESF Engineered Safety Feature s ESFLS Engineered Safety Features Loading Sequence FCV Flow Control Valve f Final Safety Analysis Report ESAR gpm gallons per minute l

I&C Instrument and Control

  • ~The EFS is the same system as the AFWS. EFS is the term used for the j V.C. Summer Nuclear Station.

i i

f

- . - . . _ __ _ ___ _ _ ._ _ _ __ _. -- _- - - = _ . . _. - _-

i Glossary of Terms (Cont'd)

LAC Loss of all AC power LMFW Loss of Main Feedwater LOOP Loss of Offsite Power MDEFP Motor Driven Emergency Feedwater Pump MDP Motor Driven Pudp MFWP Main Feedwater Pump MOV Motor Operated Valve MS Main Eteam NPSH Net >f31tive Suction Head NRC Nuclear Regulatory Commission psig pounds per square inch gage SCE&G South Carolina Electric and Gas SFP Single Failure Point S/G Steam Generator SNL Sandia National Laboratories STP Station Test Procedure SW Service Water 1 S.W.P. Service Water Pump SWS Service Water System TDEPP Turbine Driven Emergency Feedwater Pump TDP Turbine Driven Pump TR Transformer TSC Technical Support Center

8. References
1. Letter to all Pending Operating License Applicants of Nuclear Steam Supply Systems Designed by Westinghouse and Combustion Engineering from D. F. Ross. Jr., Acting Director Division of Project Management Office of Nuclear Reactor Regulation, Subject, Actions Required from Operating License Applicants l of Nuclear Supply Systems Designed by Westinghouse and Combustion Engineering Resulting from the NRC Bulletins and Orders Task Force Review Regarding the Three Mile Island Unit 2 Accident, dated March 10, 1960.
2. " Emergency Feedwater System Reliability Analysis for the Virgil ,

C. Summer Nuclear Station Unit 1" by Gilbert / Commonwealth Inc.

dated August 1980.

3. NUREG-0611 " Generic Evaluation of Feedwater Transients and Small Break Loss-of-Coolant Accidents in Westinghouse-Designed Operating Plants" dated January 1980. *
4. Schedule 189 No All21-0 Title, " Review of Auxiliary Feedwater System Reliability Evaluation Studies for Diablo Canyon I, McGuire 1, Summer 1, San Onofre 2, and Palo Verde" dated August 6, 1980.

, 5. " Emergency Feedwater System Reliability Assesement Virgil C.

Summer Nuclear Station Unit 1" GAI Report 2203 by Gilbert /

Commonwealth Inc. Revision 1 dated October 1980.

l

[

i e

l l

l

  • Available for purchase from the NRC/GPO Sales Program, U.S. Nuclear Regulatory Commission, Washington, DC 20555, and/or the National Technical Information Service, Springfield, VA 22161.

i i

2

. . ... .. . ._ . _ _ . -~ - - - . -- .

4 i

-Distribution:

U. S. - Nuclear Regulatory Commission (130 copies for AN)

Distribution Contractor (CDSI) 7300 Pearl Street Bethesda,-MD. 20014 Armand Lakner U.S. Nuclear Regulatory Commission l

Washington, DC 20555-1222 G. U. Bradley l 3141 L. J. Erickson (5) 3151 W. L.' Garner (3) (for DOE / TIC) 3154-3 C. H. Dalin (25) (for NRC distribution to NTIS)

- 4400 A. W. Snyder 4414- J. W. Hickman 8214 M. A. Pound J

P 4

l f

1 a.

s d

i i a:

8 i

i I

4 I

a r --, - . . , , .- ----,---,------.,.--._m~_. - - - ,,--or-- , . - _ c,- , , . . . . , _.-_,. . ,

Nuc s v33s i at m t N ovet a ***" or Doc' o $ NUCLE AR REGUL ATORY COMMISSION NUREG/CR-1870 BIBLIOGRAPHIC DATA SHEET SAND 80-2896 e TsTL E A%D SUBTtT LE IAdd Vorume No. d worcerestrl 2 ILeave b?v'h l V.C. Summer Nuclear Station Unit 1 Emergency Feedwater System Reliability Study Evaluation 3 ,,c,P,E N T S ACCE SSioN No 7 AUTHORlSi 5 D ATE REPORT COMPLE TE D George H. Bradley, Jr. " {"cember l" "1980 9 PE RF ORMING ORGANIZ AT+0N N AME AND M AILING ADDRESS (/ncrucn* I,a code / DATE RE PORT ISSUED Sandia National Labor atories " j'un"e l"^"1981 Albuquerque, NM 87185 6 tLeove bransI 8 ILeave Orank)

SN 3ke Ie noYo 10 PROJE CT'T ASK/ WORK UNIT NO.

ONiceofNuclearReactorRegulation U.S. Hud ear Regulatory Commission ti CONTRACT NO Washingtcn, D.C. 20555 FIN A1121 13 T y PE OF REPORT PE p'OD Cov E RE D //nclus er dairst

~

Reliability Study Evaluation July 1980 - December 1980 6 SUPPLEVENT ARY NOTES 14 (Leave as'a s 16 *BSTR AC T (200.wo<as or sessJ One of the important safety systems involved in the mitigation of the Three Mile Island accident was determined to be the Emergency Feedwater System (EFS); each operating plant's AFWS was studied and analyzed. The results for Westinghouse designed plants were reported in NURE3-0611; the applicants were instructed to perform a reliability analysis of his AFWS for three transient conditions involving loss of main feedwater in a manner similar to the study made by NUREG-0611 prior to their obtaining an operating license.

Conclusions

1. South Carolina Gas and Electric has satisfactorily complied with the requirement to perform a reliability study of their AFWS.
2. The comparison of the reported reliability of Summer's AFWS to those of operating plants shows that Sumer's reliability is at the high end of the range of AFWS l reliability for operating reactors. However, the reviewer is not in agreement with this assessment because of the 1 x 10-5 reliability allocation for the valve in the single line from the condensate storage tank to the ATWS pump haader. A higher value of 1 x 10-4 as was used in NURFG-0611 is recommended to acnieve a more valid comparison.

~

l 17 KE Y V.OR DS AND DOCU'.*E NT AN A LYSIS 4 74 DE SC RIPT ORS Reliability Auxiliary Feedwater System (AFWS)

Valve l

Pump 17o IDE NTiflE RS OPE N E N DE D TEEMS 1R SE CURiTY CL AS$ f Tn,s reporrf 21 NO OF P AGE S 18 AV AIL ABILIT Y ST ATE ME NT Unclassified Unlimited nsg g sf'""' e " s" "

j

%nc e oav ass .7 77

.

Retrieved from "https://kanterella.com/w/index.php?title=ML20009A086&oldid=2475048"