Auxiliary Feedwater System RISK-BASED Inspection Guide for the Fort Calhoun Nuclear Power Plant

ML20034G849
Person / Time
Site:	Fort Calhoun
Issue date:	02/28/1993
From:	Gore B, Moffitt N, Vehec T, Vo T Battelle Memorial Institute, PACIFIC NORTHWEST NATION
To:	Office of Nuclear Reactor Regulation
References
CON-FIN-L-1310 NUREG-CR-5834, PNL-7906, NUDOCS 9303120001
Download: ML20034G849 (34)
v • d • e

Text

aM-:

w I

NUREG/CR-5834 PNL-7906 l

l Auxiliary Feedwater System Risk-Based Inspection Guide lfor the Fort Calhoun i

Nuclear Power Plant

[

Prepared by

- N. E. Moffitt, B. F. Gore, T. A. Vehec, T. V. Vo

[

' Pacific Northwest Laboratog

. Operated by

Battelle Memorial Institute

Prepared for U.S. Nuclear Regulatory Commission i

+

D 85 l

G PDR i

,_,.,-,-x.,

.,,. ~,.

l i

1 AVAILABILITY NOTICE Availability of Reference Matenais Cited in NRC Publi ations Most documents cited in NRC publications will be available from one of the following sources:

1.

The NRC Public Document Room. 2120 L Street, NW., Lower Level, Washington, DC 20555 2.

The Superintendent of Documents, U.S. Government Printlng Office, P.O. Box 37082. Washington, j

DC 200t3-7082 3.

The National Technical information Service, Springfield, VA 22161 i

Although the listing that follows represents the majority of documents cited in NRC publications, it is not intended to be exhaustive.

Referenced documents available for inspection arid copying for a fee from the NRC Public Document Room include NRC correspondence and internal NRC memoranda: NRC bulletins, circulars, information notices, inspection and investigation notices; licensee event reports: vendor reports and correspondence; Commis-slon papers; and applicant and licensee documents and correspondence.

The following documents in the NUREG series are available for purchase from the GPO Sales Program:

formal NRC staff and contractor reports, NRC-sponsored conference proceedings, lnternational agreement t

reports, grant publications, and NRC booklets and brochures, Also available are regulatory guides, NRC regulations in the Code of Federal Regulations, and Nuclear Regulatory Commission Issuances.

I Documents available from the National Techn! cal Information Serv!ce include NUREG-series reports and l

technical reports prepared by other Federal agencies and reports prepared by the Atomic Energy Commis-sion, forerunner agency to the Nuclear Regulatory Commission.

Documents available from public and special technical libraries include all open literature items, such as books, journal articles, and transactions. Federal Register notices, Federal and State legislation, and con-i gressional reports can usually be obtained from these libraries, i

Documents such as thesofi, dissertations, foreign teports and translations, and non-NRC conference pro-ceedings are available for purchase from the organ!zation sponsoring the publication cited, Single copies of NRC draft reports are available free, to the extent of supply, upon written request to the Office of Administration, Distribution and Mail Services Section, U.S. Nuclear Regulatory Commission.

Washington, DC 20555.

i Copies of indLstry codes and standards used in a substantive manner in the NRC regulatory process are maintained at the NRC Library,7920 Norfolk Avenue, Bethesda, Maryland, for use by the public, Codes and strandards are usually copyrighted and may be purchased from the originating organization or, if they are American National Standards, from the American National Standards Institute,1430 Broadway, New York, NY 10018.

DISCLAIMER NOTICE This report was prepared as an account of work sponsored by an agency of the United States Govemment.

Neither the United States Govemment nor any agency thereof, or any of their employees, makes any warranty, expressed or implied, or assumes any legal liability of responsibility for any third par *y's use, or the results of such use, of any ir. formation, apparatus, product or process disclosed in this report, or represents tha11ts use by such third party woulc not infringe privately owned rights.

NUREG/CR-5834 PNL-7906 1

Auxiliary Feedwater System Risk-Based Inspection Guide for the Fort Calhoun

~ Nuclear Power Plant i

Manuscript Completed: December 1992 Date Published: February 1993 t

Prepared ly N. E. Moffitt, B. F. Gore, T. A. Vehec, T. V. Vo i

Pacific Northwest Laboratory Richland, WA 99352 Prepared for Division of Systems Safety and Analysis Office of Nuclear Reactor Regulation U.S. Nuclear Regulatory Commission l

Washington, DC 20555 NRC FIN L1310 I

B t

v v - -

ee--+

r w,

n ww-w w ~ ww,~w--

s w'=

"-r-~ " *

• * -w---

• ~ww'w~

• * ~ ' * - ~ ~~ ' ~ ~ ~~ * -

Abstract In a study sponsored by the U.S. Nuclear Regulatory Commission (NRC), Pacific Northwest Laboratory has developed and applied a methodology for deriving plant-specific risk-based inspection guidance for the auxiliary feedwater (ARV) system at pressurized watcr reactors that have not undergone probabilistic risk assessment (PRA). This meth-odology uses existing PRA results and plant operating experience information. Existing PRA-based inspection guid-ance information recently developed for the NRC for various plants was used to identify generic component failure modes. This information was then combined with plant-specific and industry-wide component information and failure data to identify failure modes and failure mechanisms for the AFW system at the selected plants. Fort Calhoun was selected as the sixth plant for study. The product of this effort is a prioritized listing of ARV failures which have occurred at the plant and at other PWRs. This listing is intended for use by NRC inspectors in the preparation of l

inspection plans addressing AFW risk-important components at the Fort Calhoun plant.

i i

i i

iii NUREG/CR-5834 t

+y-e 4w~,

v g,.

-e-,,w-,

.w

I Contents iii Abstract.....................................................................................

ix S ummary...........................

1.1 1 Introduction....

2.1 2 Fort Calhoun AFW System...............................................................

2.1 2.1 Syst em Descriptio n......................................................................

2.1 2.2 Success Crit erion................................................................

2.2 2.3 System Dependencies....................

2.2 2.4 Operational Constraints.......................................................

3.1 3 Inspection Guidance for the Fort Calhoun AF'W System.................

3.1 3.1 Risk Important AFW Components and Failure Modes........................................

3.1 3.1.1 Multiple Pump Failures due to Common Cause...............

3.1.2 ~Ihrbine Driven Pump Fails to Start or Run...................

3.2 3.3 3.1.3 Motor Driven Pump A or B Fails to Start or Run..................

3.3 3.1.4 Pump Unavailable Due to Maintenance or Surveillance.................................

3.4 3.1.5 Air Operated Isolation and Flow Control Valve Pailure 3.4 3.1.6 Motor Operated Valve Failure.....................................................

3.1.7 Manual Suction or Discharge Valves Fail Closed....................................

3.5 3.1.8 Leakage of Hot Feedwater through Check Valves.......................................

3.6 3.2 Risk Important AFW System Walkdown 'Ihble........................................

3.6 4 Generic Risk Insights from PRAs............................................................

4.1 I

4.1 Aisk Important Accident Sequences Involving AFW System Pailure...........................

4.1 4.1 4

4.2 Risk Importhnt Component Failure Modes 5 Pailure Modes Determined From Operating Experience..........................................

5.1 5.1 i

l 5.1 Fort Calhoun Experience.

l 5.1.1 AFW Pump Control Logic, Instrumentation and Electrical Failures.......................

5.1 5.1.2 Failure of AFW Pump Discharge Flow Control Valve to Steam Generator.................

5.1 5.1.3 AFW Valve Fail ures................................................................

5.1 5.1.4 H uman Errors........................................

5.1 9

v NUREG/CR.5834

l r

t I

t i

i

+

1 i

i I

?

5.2 Industry Wide Experience 5.1 I

.1 5.2.1 Common Cause Pailures 5.2 5.2.2 Human Errors 5.3 1

5.2.3 Design / Engineering Problems and Errors.........................................

5.4 5.2.4 Compon en t Fail u res..............................................................

5.5 i

1 6 References 6.1 I

i 1

i I

1 l

l I

i 1

i 1

i 1

NUREG/CR-5834 vi

1 l

[

Figure 2.3 2.1 Fort Calhoun AFW system 1

1 l

l Table 3.7 3.1 Risk important walkdown table for Fort Calhoun AFW system components.

i l

l l

e v

I l

i vii NUREG/CR-5834 1

Summary I

This document presents a compilation of auxiliary / emergency feedwater (AFW/EFW) system failure information which has been screened for risk significance in terms of failure frequency and degradation of system performance. It is a risk-prioritized listing of failure events and their causes that are significant enough to warrant consideration in inspection planning at the Fort Calhoun plant. This information is presented to provide inspectors with increased resources for inspection planning at Fort Calhoun.

The risk importance of various component failure modes was identified by analysis of the results of probabilistic risk assessments (PRAs) for many pressurized water reactors (PWRs). However, the component failure categories identi-fied in PRAs are rather broad, because the failure data used in the PRAs is an aggregate of many individual failures having a variety of root causes. In order to help inspectors focus on specific aspects of component operation, main-tenance and design which might cause these failures, an extensive review of component failure information was performed to identify and rank the root causes of these component failures. Both Fort Calhoun and industry-wide fail-ure information was analyzed. Failure causes were sorted on the basis of frequency of occurrence and seriousness of consequence, and categorized as common cause failures, human errors, design problems, or component failures.

This information is presented in the body of this document. Section 3.0 provide brief descriptions of these risk-important failure causes, and Section 5.0 presents more extensive discussions,with specific examples and references.

The entries in the two sections are cross-referenced.

An abbreviated system walkdown table is presented in Section 3.2 which includes only components identified as risk important. This table lists the system lineup for normal, standby system operation.

l This information permits an inspector to concentrate on components important to the prevention of core damage.

However,it is important to note that inspections should not focus exclusively on these components. Other compo-l F

nents which perform essential functions, but which are not included because of high reliability or redundancy, must also be addressed to ensure that degradation does not increase their failure probabilities, and hence their risk importance.

4 ix NUREG/CR-5834

-iv,-v-

.r w -w w n---=-,c--.-

--_m,

1 Introduction This document is one of a series providing plant-specific The remainder of the document describes and discusses inspection guidance for auxiliary /cmcrgency feedwater the information used in compiling this inspection guid-(AFW/EFW) systems at pressurized water reactors ance. Section 4.0 describes the risk important informa-(PWRs). This guidance is based on information from tion which has been derived from PRAs and its sources.

probabilistic risk assessments (PRAs) for similar PWRs, As review of that section will show, the failure events industry-wide operating experience with AFW systems, identified in PRAs are rather broad (e.g., pump fails to plant-specific AFW system descriptions, and plant-start or run, valve fails closed). Section 5.0 addresses specific operating experience. It is not a detailed inspec-the specific failure causes which have been combined tion plan, but rather a compilation of AFW system fail-under these broad events.

ure information which has been screened for risk significance in terms of failure frequency and degrada-AFW system operating history was studied to identify tion of system performance. The result is a risk-the various specific failures which have been aggregated prioritized listing of failure events and the causes that into the PRA failure events. Section 5.1 presents a sum-are significant enough to warrant consideration in in-mary of Fort Calhoun failure information, and Sec-spection planning at Fort Calhoun.

tion 5.2 presents a review of industry-wide failure in-formation. The industry-wide information was compiled This inspection guidance is presented in Section 3.0, fol-from a variety of NRC sources, including AEOD lowing a description of the Fort Calhoun AFW system analyses and reports,information notices, inspection in Section 2.0. Section 3.0 identifies the risk important and enforcement bulletins, and generic letters, and from system components by Fort Calhoun identification num-a variety of INPO reports as well. Some Licensee Event ber, followed by brief descriptions of each of the various Reports and NPRDS event descriptions were also re-failure causes of that component. These include specific viewed. Finally, information was included from reports human errors, design deficiencies, and hardware fail-of NRC-sponsored studies of the effects of plant aging, ures. The discussions also identify where common cause which include quantitative analyses of reported AFW failures have affected multiple, redundant components.

system failures. This industry-wide information was These brief discussions identify specific aspects of sys-then combined with the plant-specific failure informa-tem or component design, operation, maintenance, or tion to identify the various root causes of the broad testing for inspection by observation, records review, failure events used in PRAs,which are identified in training observation, procedures review, or by observa-Section 3.0.

tion of the implementation of procedures. An AFW sys-tem walkdown table identifying risk important compo-nents and their lineup for normal, standby system operation is also provided.

1.1 NUREG/CR-5834

2 Fort Calhoun AFW System This section presents an overview description of the pump is equipped with a continuous recirculation flow Fort Calhoun ARV system (Combustion Engineering system, which prevents pump deadheading.

plant), including a simplified schematic system diagram.

l In addition, the system success criterion, system depen-Auxiliary feedwater is supplied by the motor driven i

dencies, and adtninistrative operational constraints are pump to each steam generator through one of three j

also presented.

flowpaths depending on the mode of plant operation.

TWo of the flow paths, used primarily during start-up j

and shutdown, connect the ARV piping to the MFW

2.1 System Description

Piping upstream of main feedwater regulating valves.

One flowpath is through HCV-1384 and a backup flow-Path is via cross connect valves FW-744 or FW-745 and The AFW system provides feedwater to the steam gen-FW-746. The third emergency feedwater ARV flowpath l

erators (SG) to alk)w secondary-side heat removal from connects the AFW pumps discharge to the auxiliary feed the primary system when main feedwater is unavailable.

The system is' capable of functioning for extended per-n zzles through locked open manual valves FW-171, FW-172, and air operated containment isolation /Ilow iods, which allows time to restore main feedwater ' low control valves HCV-1107A/B and HCV-1108A/B. The I

or to proceed with an orderly cooldown of the plant to

• B" valves can be throttled to control flow and also where the Shutdown Cooling System can remove decay function as backup containment isolation valves. Each heat. A simplified schematic diagram of the Fort line contains check valves to prevent leakage from the j

Calhoun AFW system is shown in Figure 2.1.

feedwater lines. The turbine driven pump is not norm-ally used for such evolutions. Ft. Calhoun has recently The AFW system consists of one motor-driven (MD) installed a dicsci driven start-up feed pump, FW-54, pump and one steam-driven (TD) pump along with the which is designed to be used during start-up and shut-associated piping, valves and instrumentation normally down, relieving the motor driven ARV pump of this connected to the Emergency Feedwater Tank (ERVT).

it is designed to start up and establish flow automatic-duty.

l ally. Both pumps start on receipt of a steam generator The (EFWT)is the normal source of water for the ARV i

low-low level signal to feed an intact steam generator.

System and is required to store sufficient demineralized The turbine driven and motor driven pumps will also water (55,000 gallons), to maintain the reactor coolant start automatically on a blackout signal when the En.

gineered Safety Feature sequencer re-energizes buses system (RCS) at hot standby conditions for 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> with steam discharge to atmosphere. All tank c(mnections f

1 A4 and 1 A3 respectively.

except those required for instrumentation, auxiliary A common suction line from the ERVT supplies water feedwater pump suction, chemical analysis, and tank drainage are located above this minimum level. Backup through two parallel locked open valves to the suction AFW water supplies for the ARV system are from the headers of the turbine-driven pump and the motor.

CSTvia the Diesel driven Start-Up Feedwater pump driven pump. Isolation valves in these lines are locked nd from the Missouri River through a fire water open. Power, control, and instrumentation associated with each pump is independent from the other. Steam hookup.

for the turbine-driven pump is supplied by either or both steam generators, from a point upstream of the main steam isolation valves, through valves YCV-1045A 2.2 Success Criterion and YCV-1045B. The steam supply lines then join up-stream of the ARV steam stop valve YCV-1045, before System success requires the operation of at least one steam enters the turbine driven pump. Each AFW pump supplying rated flow to at least one of the two steam generators.

2.1 NUREG/CR-5834

i 4

Fort Calhoun 4

2.3 System Dependencies 2.4 Operational Constraints The AFW system depends on AC power for the motor The Fort Calhoun Tbchnical Specifications require that driven pump and AFW system instrumentation DC both ARV pumps and their associated flow paths are power at various voltage levels for control power to operable with the RCS temperature above 300 degrees pumps and valves anc c automatic actuation signal, fahrenheit. One ARV pump may be inoperable in The Condensate and Fire Systems provide emergency Mode 1 or 2 for up to 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> prosided that the other i

makeup to the EFWT. Instrument Air is required to AFW pump is tested to demonstrate operability.

operate the feed supply valves to the steam generators, the steam supply valves to the turbine driven pump, the The Fort Calhoun Tbchnical Specifications require a turbine governor speed control, and the recirculation minimum supply of 55,000 gallons of water to be stored control, and the recirculation control valves. The Main in the EFWT during plant operation and a backup sup-Feedwater System provides a flow path for normal reac-ply to the ERVT be available from the Missouri River tot startup and shutdown operation of the AFW System via the fire water system.

through the main feedwater regulating bypass valves.

i Steam availability is required for the turbine-driven j

pump.

l a

NUREG/CR-5834 2.2

FW pw 1317 663 NN N COND TANK FILL h

662 1173 661 HCV 1040 Op e

d FCV HCV FCV 8

$ 1101 1103 1386 FW 654

'q M

b N

DEMIN HCV 1041 A/B g

q WTR SYS u

O M LC FW N

f PYCV 1045A 653 1189 652 FW HCV FW e

J L 150 1105 151 e

Y,

FIRE MAIN HOOKUP FW 1334 10 B #110 A RC 2A FCV OO k

/

N2 1368 FW FW T

M FW 170 FE

" ' ' " ' pw k

173 171 s

164 O HCV 1384 g,FWy(

V g

FW 169 FW 6 4

(YCV 1045B 174 J k 744 s

FW 3

3 FW i

FE o

i g

M W

1110 9

316 172 HCV 'HCV isT T T T T HCV

/

FW 1106 FW 11088,1108A HCV hg pw 1

i 1017 N

Diesef Driven Mk M

C 2B 190 1102 1104 1385 m

AFW Pump O

161 hn k

/

v yg Feed s

T FCV Cmkrs @FW 0](YCV 1045 1253 6 FW FW 54 1151 1191 V

k To FW10 Turbine Driven AFW Purnp m

O n

'6 p

n Figure 2.1 Ft. Calhoun AMV system

r l

3 Inspection Guidance for the Fort Calhoun AFW System l

In this section the risk important components of the 3.1.1 Multiple Pump Failures due to Common Fort Calhoun AFW system are identified, and the im-Cause portant failure modes for these components are brictly described. These failure modes include specific human The following listing summarires the most important errors, design deficiencies, and types of hardware fail-multiple-pump failure modes identified in Section 5.2.1, urcs which have been observed to occur for these Common Cause Failures, and each item is keyed with a components,both at Fort Calhoun and at PWRs 3 digit code to entries in that section.

throughout the nuclear industry. The discussions also Incorrect operator intervention into automatic sys-identify where common cause failures have affected multiple, redundant components. These brief discus.

tem functioning, including improper manual start-sions identify specific aspects of system or component ing and securing of pumps, has caind failure of all design, operation, maintenance, or testing for inspection pumps, including overspeed trip cu startup, and in-activities. These activities include; observation, records ability to restart prematurely secured pumps. CC1, review, training observation, procedures review, or by observation of the implementation of procedures.

Inspection Suggestion - Observe Abnormal and Emergency Operating Procedure (AOP/EOP)

Table 3.1 is an abbreviated AFW system walkdown table s mulator training exercises to verify that the which identifies risk-important components. This table operators comply with pi cedures during ob-lists the system lineup for normal (standby) system op-served evolutions. Observe surveillance testing cration. Inspection of the components identified in the on 1he AFW system to verify it is in strict com-AFW walkdown table addresses essentially all of the risk pliance with the surveillance test procedure.

associated with AFW system operation.

Valve mispositioning has caused failure of all

+

pumps. Pump suction, steam supply, and instru-3.1 Risk Important AFW Components ment isolation valves have been involved. CC2.

and Failure Modes Inspection Suggestion Verify that the system valve alignment, air operated valve control and Common cause failures of multiple pumps are the most valve actuatmg air pressures are correct usmg risk-important failure modes of AFW system compo-3.1 Walkdown Table, the sptem operating nents. These are followed in importance by single pump procedures, and operator rounds logsheet. Re-failures, level ccmtrol valve failures, and individ ual check view surveillance procedures that alter the valve leakage failures.

standby alignment of the AFW system. Ensure that an adequate return to normal section exists.

The following sections address cach of these failure modes,in decreasing order of risk-importance. They Steam binding has caused failure of multiple pumps.

+

present the important root causes of these component This resulted from leakage of hot feedwater past failure modes which have been distilled from historical check valves and a motor-operated valve into a com-records. Each item is keyed with a three digit code to mon discharge header. CC10. Multiple-pump steam discussions in Section 5.2 where additional information binding has also resulted from improper valve on historical events is presented.

lineups, and from running a pump deadheaded.

CC3.

l 3.1 NUREG/CR-5834

i i

i Inspcction i

inspection Suggestica. Verify that the puty multiple. pump trips on low suction pressure, discharge temperature is within the limits spec-despite the existence of adequate static net positive ified on the operator rounds logsheet (<260 F) suction head (NPSH). CC7. At H. B. Robinso.,,

Assure any instruments used to verify the tem-design rcriews have identified inadequately sized perature by the utility are of an appropriate suction piping which could have yielded insufficient range and included in a calibration program.

NPSH to suppo t operation of more than one Verify affected pumps have been vented in ac-pump. CC8.

cordance with procedurc OI-AFW-3 to ensure l

steam binding has not occurred. Verify that a Inspection Suggestion - Assure that plant en-maintenance work request has been written to ditions which could result in the blockage or repair leaking check valves.

degradation of the suction flow path are addressed by system maintenance and test Pump control circuit deficiencies or design mod-procedures. Examplesinclude,if the AFWsys-ification errors have c%ed failures of multiple tem has an emergency source from a water pumps to auto start, spurious pump trips during system with the potential for bio. fouling, then operation, and failures to restart after pump shut-the_ system should be periodically treated to down. CC4. Incorrect setpoints and control circuit prevent buildup and routinely tested to assure calibrations have also prevented proper operation an adequate flow can be achieved to support of multiple pumps. CC5.

operation of all pumps, or inspected to assure that bio-foulingis not occurring. Design inspection Suggestion - Review design change changes that affect the suction flow path should I

implementation documents for the post main-repeat testing that verified an adequate suction tenance testing required prior to returning the source for simultaneous operation of all pumps.

equipment to service. Assure the testing ver-Verify that testing has, at sometime, i'

that all potentially impacted functions demonstrated simultaneous operation of all operate correctly, and includes repeating any pumps. Verify that sutveillances adequately test plant start-up or hot functional testing that may all aspects of the system design functions, for be affected by the design change.

example, demonstrate that the AFW pumps will trip on low suction pressure.

Loss of a vital power bus has failed both the turbine-driven and one motor-driven pump due te loss of 3.1.2 hrbine Driven Pump Falls to Start or control power to steam admission valves or to tur-Run bine controls, and to motor controls powered from the same bus. CC6.

improperly adjusted and inadequately maintained Inspection Suggestion - The material condition turbine governors have caused pump failures. HE2.

of the electrical equipment is an indicator of Problems include worn or loosened nuts, set screws, probable reliability. Review the Preventative linkages or cable connections, oil leaks and/or con-I Maintenance (PM) records to assure the equip-tamination, and electrical failures of resistors, transistors, diodes and ci ruit cards, and erroneous ment is maintamed on an appropriate frequency for the emironment it is in and that the PM's grounds and connections. CF5. Fon Calhoun has are actually being performed as required by the experienced similar type failures, program. Review the outstandirig Corrective Maintenance records to assure the deliciencies Inspection Suggestion - Review PM records to found on the equipment are promptly corrected, asture the governor oil is being replaced within the designated frequency. During plant walk-Simuhancous startup of multiple pumps has caused downs carefully inspect the governor and link-oscillations of pump suction pressure causing ages for loose last 4 ers, leaks, and unsecured or degraded conduit. Review vendor manuals to i

NUREG/CR-5834 J.2 l

l

l l

1 l

Inspectic ensure PM procedures are performed according temperature can result in degradation of the oil to manufacturer's recommendations and good in the turbine, interfering with proper over-1 maintenance practices. Observe the operation speed trip operaNn. Review training proce-of the turbine driven Aux Feed pump and as-dures to ensure operator training on resetting sure that the backpressure trip is reset as the TTV is current.

directed in OI-AFW-3.

3.1.3 Motor Driven Purnp A or B Fails to Start 1

i Condensate slugs in steam lines have caused turbine or Run speed control problems. 'Ibsts repeated right after Control circuits used for automatic and manual

[

such a occurrences may fail to indicate the problem due to warming and clearing of the steam lines

• pump starting are an important cause of motor l

Surveillances should exercise all steam supply driven pump failures, as are circuit breaker failures.

connections. DE2.

CF7.

Inspection Suggestion - Verify that the steam inspection Suggestion - Review corrective traps are valved in on the steam supply line.

maintenance records when control circuit prob-For ceam traps that are on a pressurized por*

lems occur to determine if a trend exists. Every l

tion of the stcam line, check the steam trap tem-time a breaker is racked in a PMTshould be perature (if unlagged) to assure it is warmer performed to start the pump, assuring no than ambiert (otherwise it may be stuck or have control circuit problems have occurred as a a plugged linQ. If the steam trap discharge is restJ sf the manipulation of the breaker.

visible, assure there is evidence ofliquid (Control circuit stabs have to make up upon discharge.

racking the breaker, as well as cell switch damage can occur upon removal and reinstalla-

'Ilrip and throttle valve (TfV) problems which have tion of the breaker.)

l failed the turbine driven pump include physically bumping it, failure to reset it following testing, and Mispositioning of handswitches and procedural failures to verify control room indication of reset.

deficiencies have prevented automatic pump start.

i HE2. Whether either the backpressure trip or TTV HE3.

trip can be reset without resetting the other, and unambiguity of control room and local indication of Inspection Suggestion - Confirm switch TTV position and backpressure trip linkage reset position using Table 3.1. Review administrative status, all affect the likelihood of these errors. DE3.

procedures concerning documentaticn of j

At Fort Calhoun, the turbine driven pump has procedural deficiencies. Ensure operator failed to start on demand due to the backpressure training on procedural changes is current.

trip level not being reset. 'Ihere is no direct indica-tion for the trip lever position in the control room.

3.1.4 Purnp Unavailable Due to Maintenance A common alarm,"FW-10 TURBINE DRIVEN F

or Surved. lance FEEDWATER PUMP TROUBLE", Annunciator A-56B window 18 in the control room could indi-Both scheduled and unscheduled maintenance re-cate this trip along with three other abnormal conditions.

m ve pumps from operai,ility. Surveillance requires operation with an altered line-up. A pump train is Inspection Suggestion - Carefully inspect the declared inoperable during testing. Prompt sched-TTV backpressure trip linkage and assure it is uling and performance of maintenance and t

reset and in good physical condition. Assure surveillance minimize this unavailability.

that there is a good steam isolation to the l

turbine, otherwise continued turbine high Inspection suggestion - Resiew the time the l

AFW system and components are inoperable.

3.3 NUREG/CR-5834 i

i

i Inspection l

l i

Assure all maintenance is being performed that Leakage of hot feedwater through check valves has

+

can be performed wrug a single outage time caused thermal binding of flow control MOVs.

frame, avoiding multiple equipment outages.

AOVs may be similarly susceptible. CF2.

The maintenance should be scheduled before the routine surveillance test, so credit can be inspection Suggestion - Covered by 3.1.1 taken for both post maintenance testing and bullet 3.

surveillance testing, avoiding excessive testing.

Review surveillance schedule for frequency and Multiple flow control valves have been plugged by adequacy to verify system operability require-clams when suction switched automatically to an ments per Technical Specifications.

alternate, untreated source. CC9.

3.1.5 Air Operated Isolation and Flow Control Inspection Suggestion - Covered by 3.1.1 Valve Failure bullet 6.

Emerrency AFW feed to S/G A: HCV.1107NB 3.1.6 Motor Operated Valve Failure Emerremy AFW feed to S/G B: HCV-1108NB Recirculation Flow Control MD: TD FCV-1368.

AFW to Main Feedwater Line: HCV-1384 FCV-1369 This normally closed MOV supplies AFW Flow to the i

The emergency AFW feedwater control valves to S/G A steam generators through the main feed lines during sys-and B are normally closed valves. AFW recirculation tem startup or shutdown. It would also be required to flow valves are normally open and they control recirc-be used in the event the diesel driven startup feed pump

{

ulation flow to the EFWT. All of these valves aic was required to supplement AFW system flow in an designed to fail open on loss of Instrument Air or loss of emergency condition. It fails as-is on a loss of power control power.

and can be manually operated using a local ha.1 wheel.

Control circuit problems have been a primary cause Common cause failure of MOVs has resulted ym

+

of failures, both at Fort Calhoun and elsewhere.

failure to use electrical signature tracing equipn. nt CF9. Valve failures have resulted from blown fuses, to determine proper settings of torque switch and failure of control components (such as current /

torque switch bypass switches. Failure to calibrate pneumatic convertors), diaphragm failures, broken switch settings for high torques necessary under de-and dirty contacts, misaligned or broken limit sign basis accident conditions has also been in-i switches, control power loss, and calibration prob-volved. CCll. Fort Calhoun has experienced valve I

lems. Degraded operation has also resulted from failure due to improper torque switch settings.

improper air pressure due to air regulator failure or leaking air lines.

Inspection Suggestion - Review the MOV test l

records to assure the testing and settings are l

Inspection Suggestion - Check for ccmtrol air based on dynamic system mnditions. Over-system alignment and air leaks during plant torquing of the valve operator can result in i

ulkdowns. (Regulators may have a small valve damage such as cracking of the seat or amount of external bleed to maintain down.

disc. Resiew the program to assure over-stream pressure.) Check for cleanliness and tos quing is identified and corrective actions are physical condition of visible circuit elements.

taken to assure valve operat)ility following an Resiew valve stroke time surveillance for ad-overtorque condition. Resiew the program to verse trends, especially those valves on reduced assure EQ seals are renewed as required during

[

testing frequency. Review air sysicm surveil-the restoration from testing to maintain the EQ lances to ensure that moisture content of air is rating of the MOV.

i within estaFished limits.

NUREG/CR-5834 3.4

Inspection Valve motors have been failed d ue to lack of, or im-dominant cause of problems identified during op-a proper sizing or use of thermal overload protective crational readiness inspections. HE1. Events have devices. Bypassing and oversizing should be based occurred most often during maintenance,-

on proper engineering for design basis conditions.

calibration,or system modifications. Important CF4.

causes of mispositioninginclude:

Inspection Suggestion - Review the administra.

Failure to provide complete, clear, and tive controls for documenting and changing the specific procedures for tasks and system l

settings of thermal overload protective devices.

restoration i

Assure the information is available to the main-tenance planners.

Failure to promptly revise and validate j

procedures, training, and diagrams Grease trapped in the torque switch,.ing pack of following system modifications f

Limitorque SMB motor operators has caused motor burnout or thermal overload trip by preventing Failure to complete all steps in a procedure torque switch actuation. CF8.

Failure to adequately review uncompleted f

Inspection Suggestion - Review this only if the procedural steps after task completion MOV testing program reveals deficiencies in this area.

Failure to verify support functions after restoration i

Manually reversing the direction of motion of op-erating MOVs has overloaded the motor circuit.

Failure to adhere scrupulously to admini-Operating procedures should provide cautions, and strative procedures regarding tagging, circuit designs may prevent reversal before each control and tracking of valve operations strokeis finished. DE7.

Failure to log the manipulation of scaled Inspection Suggestion - None. Circuit design valves prevents this problem at Ft Calhoun.

Failure to follow good prsctices of written 3.1.7 Manual Suction or Discharge Valves Fail task assignment and feedback of task com-Closed pletion information TD Pump FW-10: FW-349 or FW-172 Failure to provide easily read system draw-ings, Icgible valve labels corresponding to MD Pump FW-6: FW-350 or FW-171 drawings and procedures, and labeled in-EFWT Discharre: FW-339 or FW-1316 dications oflocal valve position These manu:1 valves are all normally locked open. For Inspection Suggestion - Review the administra-each pump, closure of the first vah '.isted would block tive controls that relate to valve positioning and pump suction and closure of the second valves would scaling, system restoration following main-block pump discharge except recirculation to the tenance, valve labeling, system drawing updat-EFWT ing, and procedure revision, for proper implementation.

Valve mispositioning has resulted in failures of mul-tiple trains of AFW. CC2. It has also been the 3.5 NUREG/CR-5834

Inspection 3.1.8 Leakage ofIlot Feedwater through 3.2 Risk Important AFW System Check Valves Walkdown 'Ihble At MFW connections: Valves FW-161,162.163.164 Table 3.1 presents an AFW system walkdown table in-I334 cluding only components identified as risk important.

At pump discharces: Valves FW-173.12 This information allows inspectors to concentrate their efforts on components important to prevention of core Leakage of hot feedwater through several check damage. However,it is essential to note that inspec-salves in series has caused steam binding of multiple tions should not focus exclusively on these components.

pumps. leakage through a closed level control Other components which perform essential functions, valve in series with check valves has also occurred at but which are absent from this table because of high Fort Calhoun, as would be required for leakage to reliability or redundancy, must also be addressed to en-reach the motor driven pumps A and B. CC10.

sure that their risk importar, are not increased. An ex-ample would include ent. an adequate water levelin Inspection Suggestion - Covered by 3.1.1 the EFWT exists.

bullet 3.

Slow leakage past the final check vahc of a series

=

may not force the check valve closed. Other check valves in series may leak similarly. Piping orienta-tion and valve design are important factors in achieving true series protection. CFl. Check valve Icakage has occurred at Ft. Calhoun. \\Whl instru-r ments contact thermometers are installed on the discharge piping of both AFW pumps. T1-1383 on the TD AFWP and TI-1382 on the MD AFWP. The range of these instruments is 0-500 degrees. The steam binding procedure is entered at an indicated temperature of 260 degrees fahrenheit.

i Inspection Suggestion - Covered by 3.1.1 bullet 3.

1 l

NUREG/CR-5834 3.6

inspection Table 3.1 Risk important walkdown table for Fort Calhoun AITV system components Required Actual Component #

Component Name Position Position Electrical R V-6 Motor-Driven Pump Racked In/

Closed e

Diesel FW-54 Diesel-Driven Pump Racked In/

Closed Valves i

FW-339 EFWT Outlet Valve Locked Open j

r FW-1316 EFWT Outlet Valve Locked Open FW-684 CST Outlet Valve Locked Open RV-349 TDAFW Pump FW-10 Suction Imcked Open FW-350 MDAFW Pump FW-6 Suction locked Open FW-1016 Diesel Pump FW-54 Suction Open R V-172 TDAFW Pump Discharge locked Open FW-171 MDAFW Pump Discharge Locked Open FW-1017 Diesel AFW Pump Discharge Open FW-900 TDAFW Pump Recirculation Open isolation FCV-1368 MDAFW Pump Recirculation Auto /Open*

FCV-1369 TDAFW Pump'tecirculation Auto /Open FW-1029 Diesel AFW Pump Recirculation Ixcked Open isolation FW-1151 Diesel ARV Pump Cooling Water Throttled Flow Valve

{

3.7 '

NUREG/CR-5834

= - -

, - - =

Inspection Table 3.1 (Cm tinued)

Required Actual f

Component #

Comp (ment Name Position Position RV-1513 Diesel ARV Pump Excess Flow Closed Recirculation Valve l

I FW-1253 Diesel AFW Pump Recirculation 0 perable Flow Control Wlve HCV-2119 Fuel Oil Day Tank Inlet isolation Operable FW-744 TDAFW Alternate Discharge Closed l

Isolation I

FW-745 MDAFW Alternate Discharge Closed Isolation 7

FW-746 AFW Pumps Combined Alternate locked Open Discharge Isolation FW-149 FC%1101 Inlet Isolation Locked Open i

FW-150 HCV-1105 Inlet Isolation locked Open l

FW-151 HC%1105 Outlet Isolation Locked Open FW-169 HC%1384 Inlet Isolation locked Open HC%1384 AFW/MFW Cross Connect Valve N' rmal/ Closed FW-170 HC%1384 Outlet Isolation Locked Open i

FW-190 FC%1102 Inlet Isolation locked Open

~

FW-191 HC%1106 Inlet Isolation locked Open l

FW-192 HC%1106 Outlet Isolation Locked Open l

HC%1107A AFW to S/G A Isolation Auto / Closed HC%1107B AFW to S/G A Isolation Auto / Closed HCV-1108A AFW to S/G B Isolation Auto / Closed NUREG/CR-5834 3.8

Inspection Table.',1 (Continued) i Required Actual Component #

Component Name Position Position HCV-1108B AFW to S/G B Isolation Auto / Closed FW-1275 Emergency Makeup to EFWT Open frcm Fire System FW-661 LCV-1173 Inlet Isolation Open FW 662 LCV-1173 Outlet 1sciation Open f

Closed FW-663 LCV-1173 Bypass Isolation BV-1317 LCV-1173 Bypass Isolation Closed FW-652 LCV-1189 Inlet Isolation Open B V-653 LCV-1189 Outlet 1 solation Closed i

FW-654 LCV-1189 Bypass Isolation Closed l

YCV-1045A TDAFW Pump Steam Supply Normal / Closed YCV-1045B TDAFW Pump Steam Supply Normal / Closed 5

YCV-1045 TDAFW Pump Steam Stop Valve After Stop/

i Closed FW-161 Piping Upstream of Check Valve

< 260 F l

FW-162 Piping Upstream of Check Valve

< 260 F BV-163 Piping Upstream of Check Valve

< 260 F BV-164 Piping Upstream of Check Valve

< 260 F FW-1334 Piping Upstream of Check Valve

< 260*F FW-173 Piping Upstream of Check Valve

< 260 F BV-174 Piping Upstream of Check Valve

< 260 F

• Wlve may be closed if MDAFW Pump is feeding S/Gs.

3.9 NUREG/CR-5834 i

i

4 Generic Risk Insights from PRAs A loss of main feedwater trips the plant, and AFW PRAs for 13 PWRs were analyzed to identify risk-important accident sequences im'olving loss of AFW, fails due to operator error and hardware failures.

and to identify and risk-prioritize the component failure The operators fail to initiate feed-and-bleed cooling, modes involved. The results of this analysis are resulting in core damage.

described in this section. They are consistent with results reported by INEL and BNL (Gregg et al 1988, Steam Generator Tube Rupture (SGTR) and 'Itavis et al,1988).

ASGTR is followed by failure of AFW. Coolant is lost from the primary until the refueling water stor-4.1 RiskImportant Accident Sequences age tank (RWST) is depleted. High presu.re injec-l ti n (HPI) fails since recirculation cannot be estab-Involving AFW System Failure lished from the empty su'np, and core damage results.

t l>>ss of Power System A loss of offsite power is followed by failure of 4.2 Risk ImPortant Component Failure i

AFW and failure of feed and bleed, resulting in core Modes damage.

l A station blackout fails all AC power except Vital The generic mmponent failure modes identified from AC from DC invertors, and all decay heat removal PRA analyses as important to AFW system failure are

[

systems except the turbine-driven AFW pump.

listed below in decreasing order of risk importance.

AFW system operatien is subsequently impacted by loss ofinstrumentation or hardware failures, (1) Thrbine-Driven Pump Failure to Start or Run.

resulting in core damage.

(2) Motor-Driven Pump Eailure to Start or Run.

A DC bus fails, causing a trip and failure of the i

power comtrsion system. One AFW motor-driven (3) TDP or MDP Unavailable due to Tbst or l

pump is failed by the bus loss, AFW is subsequently Maintenance.

lost completely due to other failures. Feed-and-bleed cooling fails, resulting in core damage.

(4) AFW System Valve Failures j

f Transient-Caused Reactor or Turbine Trip

- steam admission valves I

A transient. caused trip is followed by a loss of

- trip and throttle valve l

MFW and AFW. Feed-and-bleed cooling fails i

either due to failure of the operator to initiate it, or

- flow controlvalves due to hardware failures, resulting in core dam:'ge.

- pump discharge valves l>>ss of Main Feedwater

- pump suction valves

{

A feedwater line break drains the common water c

source for MFW and AFW The operators fail to

- valves in testing or maintenance.

provide feedwater from other souras, and fail to initiate feed-and-bleed cooling, resulting in core (5) Supply / Suction Sources damage.

i 4.1 NUREG/CR-5834 i

i i

I l

l l

Generic Risk i

- condensate storage tank stop valves from common causes and human errors. Common cause failures of AFW pumps are particularly risk im-

- hot wellinventony portant. Valve failures are somewhat less important due i

to the multiplicity of steam generators and connection

- suction valves paths. Human errors of greatest risk importance in-volve: failures to initiate or control system operation i

- Senice Water System when required; failure to restore proper system lineup

]

after maintenance or testing; and failure to switch to In addition to individual hardware, circuit, or instru-alternate sources when required.

ment failures, each of these failure modes may result l

i l

l t

l

}

}

i NUREG/CR-5834 4.2

l 5 Failure Modes Determined From Operating Experience This section describes the primary root causes of AFW 5.1.2 Failure of AFW Pump Discharge Flow system component failures, as determined from a revie*'

Control Valve to Steam Generator of operating histories at Fort Calhoun and at other PWRs throughout the nuclear industry. Section 5.1 There have been two failures of the pump discharge flow describes experience at Fort Calhoun, from 19741 control valves since 1974. These have resulted from 1991, Section 5.2 summarizes information compiled normal wear of valve internals allowing excessive from a variety of NRC sources, including AEOD

leakage, analyses and reports,information notices, inspection and enforcement bulletins, and generic letters, and from 5.1.3 AFW Valve Failures a variety ofINPO reports as well. Some LERs and NPRDS event descriptions were also reviewed. Finally' Since 1974 there have been four events irrvohing AFW information was included from reports of NRC-valve failures resulting in excessive leakage. Included in sponsored studies of the effects of plant aging,which in-this category are a check valve, a manual gate valve, and clude quantitative analysis of AFW system failure re-air operated globe valves. The failure cause in all cases ports. This mformation w s used to identify the various as normal wear of valve internals.

root causes expected for the bioad PRA-based failure events identified in Section 4.0, resulting in the inspec-5.1.4 Iluman Errors tion guidelines presented in Section 3.0.

'lho cases relating directly to human error affecting the AFW system were found in the events examined. One 5.1 Fort Calhoun Experience case involved inadvertent actuation of the AFW system during operation when an operator mispositioned a The AFW system at Fort Calhoun has experienced ap-control switch during the performance of a surveillance.

proximately 20 significant equipment failures in the The other case involved improperly setting a torque events examined. These include failures of the AFW switch which caused improper valve operation. Contrib.

pumps, the pump discharge level control valves to steam uting factors leading to the human error were identified generators, and system check valves. Failure modes in~

as inadequate control switch labeling and improper test clude electrical, instrumentation, hardware failures, and conditions for setting the torque switch.

human errors.

5.1.1 AFW Pump Control Logic,Instrumenta-5.2 IndustryWide Experience tion aml F!ectrical Failures Human errors, design / engineering problems and errors, There have been eight failures of the AFW pumps to and component failures are the primary root causes of start and/or run properly experienced since 1974. These AFW System failures identified in a review of industry have resulted from failures of governor speed control wide system operating history. Common cause failures, linkages, flow transmitters or other pump related fail-which disable more than one train of this operationally utes. The failure causes are mechanical wear, corrosion, redundant system, are highly risk significant, and can or inadequate preventative maintenance procedures.

result from all of these causes.

Failure of the turbine-driven pump to stop following a surveillance was caused by a blowri fuse which stopped This section identifies important common cause failure the steam admission valve from closing.

modes, and then provides a broader discussion of the 5.1 NUREG/CR-5834

Failure Modes single failure effects of human errors, design /

logging, and inadequate adherence to procedures. lileg-engineering problems and errors, and component fail.

ible or confusing local valve labeling, and insufficient ures. Paragraphs presenting details of these failure training in the determination of valve positior, may modes are ceded (e.g., CC1) and cross-referenced by cause or mask mispositioning, and surveillance which i

inspection items in Section 3.0.

does not caercise complete system functioning may not reveal mispositionings.

5.2.1 Common Cause Failures i

CC3. At ANO.2,both AFW pumps lost suction due to l

The dominant cause of AFW system multiple-train fail.

steam binding when they were lined up to both the ures has been human error. Design / engineering errors EFWT and the hot startup/ blowdown demineralizer ef-and component failures have been less frequent, but fluent (AEOD/C404,1984). At Zion-1 steam created by nevertheless significant, causes of multiple train failures.

running the turbine-driven pump deadheaded for one minute causet trip of a motor-driven pump sharing the CCl. Human error in the form ofincorrect operator in.

same inlet hear er, as well as damage to the turbine-tervention into automatic AFW system functioning dur-driven pump (Region 3 Morning Report,1/17/90). Both ing transients resulted in the tempora y loss of all safety _

events were caused by procedural inadequacies.

grade AFW pumps during events at Da.is Besse (NUREG-1154,1985) and Rojan (AEO 3/T416,1983).

CC4. Design / engineering errors have accounted for a In the Davis Besse event, improper manual initiation of smaller, but significant fraction of common cause fail-the steam and feedwater rupture control system ures. Problems with control circuit design modifications (SFRCS) led to overspeed tripping of both turbine.

at Farley defeated AFW pump auto-start on loss of driven AFW pumps, probably due to the introduction of main feedwater. At Zion-2, restart of both motor driven l

condensate into the AFW turbius from the long, un-pumps was blocked by circuit failure to de-energize heated steam soply lines. (The system had never been when the pumps had been tripped with an automatic tested with the aucrmal, cross-connected steam supply start signal present (IN 82-01,1982). In addition, AFW lineup which resulted.) In the Rojan event the operator control circuit design reviews at Salem and Indian Point incorrectly stopped both AFW pumps due to misinter.

have identified designs where failures of a single compo-pretation of MFW pump speed indication. The dicsci nent could have failed all or multiple pumps (IN 87-34, driven pump would not restart due to a protective fea-1987).

ture requiring complete shutdown, and the turbine-driven pump tripped on overspeed, requiring local reset FC1 Incorrect setpoints and control circuit settings re-of the trip and throttle valve. In cases where manual ilting from analysis errors and failures to update proce-intervention is required during the early stages of a dures have also prevented pump start and caused pumps transient, training should emphasize that actions should to trip spuriously. Errors of this type may remain unde-be performed methodically and deliberately to guard tected despite surveillance testing, unless surveillance against such errors, tests nndel all types of system initiation and operating conditions. A greater fraction ofinstrumentation and cc2. Valve mispositioning has accounted for a signif-control circuit problems has been identified during icant fraction of the human errors failing multiple trains actual system operation (as opposed to surveillance test-of AFW. This includes closure of normally open suction ing) than for other types of failures.

valves or steam supply valves, and ofisolation valves to sensors having control ft. actions. Incorrect handswitch CC6. On two occasions at a foreign plant, failure of a positioning and inadequate ten grary wiring changes balance-of-plant inverter caused failure of two AFW have also prevented automatic starts of multiple pumps.

pumps. In addition to loss of the motor driven pump Pactors identified in studies of mispositioning errors whose auxiliary start relay was powered by the invertor, include failure to add newly installed valves to valve the turbine driven pump tripped on overspeed because checklists, weak administrative control of tagging, the governor valve opened, allowing full steam flow to restoration, independent verification, and locked valve the turbine. This illustrates the importance of assessing NUREG/CR-5834 5.2

=

Failure Modes the effects of failures of balance of plant equipment found to be hot, and both motor and steam driven which supports the operation of critical components.

pamps were found to be inoperable at different times.

The instrument air system is another example of such a Backleakage at Robinson-2 passed through closed system.

motor-operated isolation valves in addition to multiple check valves. At Farley, both motor and turbine driven CC7. Multiple AFW pump trips have occurred at pump casings were found hot, although the pumps were Millstone-3, Cook-1, Trojan and Zion-2 (IN 87-53, not declared inoperable. In addition to multi-train 1987) caused by brief, low pressure oscillations of failures, numerous incidents of single train failures have suction pressure during pump startup. These oscilla-occurred, resulting in the designation of " Steam Binding i

tions occurred despite the availability of adequate static of Auxiliary Feedwater Pumps" as Generic issue 93.

NPSH. Corrective actions taken include: estending the This generic issue was resolved by Generic Letter 88-03 time delay associated with the low pressure trip, re-(Miraglia,1988), which required licensees to monitor moving the trip, and replacing the trip with an alarm AFW piping temperatures each shift, and to maintain and operator action.

procedures for recognizing steam binding and for restor-ing system operability.

CC8. Design errors discovered during AFW system re-analysis at the Robinson plant (IN 89-30,1989) and at CCl1. Common cause failures have also failed motor Millstone-1 resulted in the supply header from the operate 1 valves. During the totalloss of feedwater EFWT being too small to provide adequate NPSH to event at Davis Besse,the normally-open AFWisolation the pumps if more than one of the three pumps were op-valves failed to open af ter they were inadvertently crating at rated flow conditions. This could lead to closed. The failure was due to improper setting of the multiple pump failure due to cavitation. Subsequent torque switch bypass switch, which prevents motor trip reviews at Robinson identified a loss of feedwater on the high torque required to unscat a closed valve.

transient in which inadequate NPSH and flows less than Previous problems with these valves had been addressed design values had occurred, but which were not recog-by increasing the torque switch trip setpoint - a fix which nized at the time. Event analysis and equipment trend-failed during the event due to the higher torque required ing, as well as surveillance testing which duplicates due to high differential pressure across the valve. Sim-senice conditions as much as is practical, can help iden-ilar common mode failures of MOVs have also occurred tify such design errors.

in other systems, resulting in issuance of Generic letter 89-10,

• Safety Related Motor-Operated Valve Testing CC9. Asiatic clams caused failure of two AFW flow and Surveillance (Partlow,1989)." This genetic letter control valves at Catawba-2 when low suction pressure requires licensees to develop and implement a program caused by starting of a motor-driven pump caused suc-to provide for the testing, inspection and maintenance tion source realignment to the Nuclear Senice Water of all safety-related MOVs to provide assurance that system. Pipes had not been routinely treated to inhibit they will function when subjected to design basis clam growth, nor regularly monitored to detect their conditions.

presence, and no strainers were installed. The need for surveillance which exercises alternative system opera-CCl2. Other component failures have also resulted in tional modes, as well as complete sys em functioning,is AFW multi-train failures. These include out-of-emphasized by this event. Spurious suction switchover adjustment electrical flow controllers resulting in im-has also occurred at Callaway and at McGuire, although proper discharge valve operation, and a failure of oil no failures resulted.

cooler cooling water supply valves to open due to silt accumulation.

CC10. Common cause failures have also been caused by component failures (AEOD/C404,1984). At Surry-2, 5.2.2 Human Errors both the turbine driven pump and one motor driven pump were declared inoperable due to steam binding HEl. The overwheltningly dominant cause of problems caused by leakage of hot water through multiple check identified during a series of operational readiness valves. At Robinson-2 both motor driven pumps were 5.3 NUREG/CR-5834

1 Pailure Modes 6

evaluations of AFW systems was human performance.

DE2. Overspeed trips of'Ibtry turbines have been The majority of these human performance problems re-caused by condensate in the steam supply lines.

sulted from incomplete and incorrect procedures, Condensate slows down the turbine, causing the particularly with respect to valve lineup information. A governor valve to open farther, and overspeed results study of valve mispositioning events im>olving human before the governor valve can respond, after the water error identified iailures in administrative control of tag-slug clears. This was determined to be the cause of the ging and logging, procedural compliance and comple-loss-of-all-AFW event at Davis Besse (AEOD/602, tion of steps, verification of support systems, and in-1986),with condensation enhanced due to the long adequate procedures as important. Another study length of the cross-connected steam lines. Repeated found that valve mispositioning events occurred most tests following a cold-start trip may be successful due to often during maintenance, calibration, or modification system heat up.

activities. Insufficient training in determining valve position, and in administrative requirements for con-DE3. %rbine trip and throttle valve (TTV) problems trolling valve positioning were important causes, as was are a significant cause of turbine driven pump failures oral task assignment without task completion feedback.

(IN P-66). In some cases lack of TfV position indica-tion in the control room prevented recognition of a l

HE2. Arbine driven pump failures have been caused by tripped TfV. In other cases it was possible to reset human errors in calibrating or adjusting governor speed either the overspeed trip or the TfV without resetting control, poor governor maintenance, incorrect adjust-the other. This problem is compounded by the fact that ment of governor valve and overspeed trip linkages, and the position of the overspeed trip linkage can be mis-errors associated with the trip and throttle valve. TTV-leading, and the mechanism may lack labels indicating associated errors include physically bumping it, failuie when it is in the tripped position (AEOD/C602,1986).

j to restore it to the correct position after testing, and failures to verify control room indication of TTV posi-M Startup of turbines with Woodward Model PG-tion following actuation.

FL governors withiri J minutes of shutdown has resulted in overspeed trips when the speed setting knob HE3. Motor driven pumps have been failed by human was not exercised locally to drain oil from the speed errors in mispositioning handswitches, and by procedure setting cylinder. Speed controlis based on startup with deficiencies.

an empty cylinder. Problems have involved turbine rotation due to both procedure violations and leaking 5.2.3 Design / Engineering Problerns and steam. "Ibtry has marketed two types of dump valves for Errors automatically draining the oil after shutdown (AEOD/C602,1986).

del. As noted above, the majority of AFW subsystem faiEres, and the greatest relative system degradation, At Calvert Cliffs, a 1987 loss-of-offsite-power event has been found to result from turbine-driven pump required a quick, cold startup that resulted in turbine l

failures. Overspeed trips of'Ibrry turbines controlled by trip due to PG-PL governor stability problems. The short. term corrective action was installation of stiffer j

Woodward governors have been a significant source of these failures (AEOD/C602,1926). In many cases these buffer springs (IN 88-09,1988). Surveillance had always overspeed trips have been caused by slow response of a been preceded by turbine warmup,which illustrates the Woodward Model EG governor on startup, at plants importance of testing which duplicates service where full steam flow is allowed immediately. This conditions as much as is practical.

oversensitivity has been removed by installing a startup steam bypass valve which opens first, allowing a DE5. Reduced viscosity of gear box oil heated by prior controlled turbine acceleration and buildup of oil operation caused fa" e of a motor driven pump to start due to insufficient lu, oil pressure. Lowering the pressure to control the governor valve when full steam flow is admitted.

pressure switch setpoint solved the problem, which had not been detected during testing.

NUREG/CR-5834 5.4

1 i

J 1

4 Failure Modes DE6. Waterhammer at Palisades resulted in AFWline CFl. The common-cause steam binding effects of check and hanger damage at both steam generators. The AFW valve leakage were identified in Section 5.2.1, entry spargers are located at the normal steam generator level, CC10. Numerous single-train events provide additional and are frequently covered and uncovered during level insights into this problem. In some cases leakage of hot fluctuations. Waterhammers in top-feed-ring steam MFW past multiple check valves in series has occurred j

generators resulted in main feedline rupture at Maine because adequate valve-seating pressure was limited to Yankee and feedwater pipe cracking at Indian Point-2 the valves closest to the steam generators (AEOD/C404, (IN 84-32,1984).

1984). At Robinson, the pump shutdown procedure was i

changed to delay closing the MOVs until after the check j

DE7. Manually reversing the direction of motion of an valves were seated. At Farley, check valves were operating valve has resulted in MOV failures where changed from swing type to lift type. Check valve f

such loading was not considered in the design rework has been done at a number of plants. Different (AEOD/C603,1986). Controlcircuit design may valve designs and manufacturers are involved in this prevent this, requiring stroke completion before problem, and recurring leakage has been experienced, reversal.

even after repair and replacement.

DE8. At each of the units of the South 'Ibxas Project, CF2. At Robinson, heating of motor operated valves by.

space heaters provided by the vendor for use in pre-check valve leakage has caused thermal binding and fail-

)

installation storage of MOVs were found to be wired in ure of AFW discharge valves to open on demand. At j

parallel to the Class 1E 125 V DC motors for several Davis Besse, high differential pressure across AFW in-i AFW valves (IR 50-489/89-11; 50-499/89-11,1989). The jection valves resulting from check valve Icakage has j

valves had been environmentally qualified, but not with prevented MOV operation (AEOD/C603,1986).

the non-safety-related heaters energized, j

CF3. Gross check valve leakage at McGuire and

~

5.2.4 Component Failures Robinson caused overpressurization of the AFW suc-tion piping. At a foreign PWR it resulted in a severe Generic Issue II.E.6.1,"In Situ'Ibsting Of Valves"was waterhammer event. At Palo Verde-2 the MFW suction divided into four sub-issues (Beckjord,1989), three of piping was overpressurized by check valve leakage from l

which relate directly to prevention of AFW system the AFW system (AEOD/C404 1984). Gross check j

component failure. At the request of the NRC,in-situ valve leakage through idle pumps represents a potential testing of check valves was addressed by the nuclear in-diversion of AFW pump flow.

7 dustry, resulting in the EPRI report, " Application Guidelines for Check Valves in Nuclear Power Plants CF4. Roughly one third of AFW system failures have (Brooks,1988)." This extensive report provides been due to valve operator failm s, with about equal information on check valve applications, limitations, failures for MOVs and AOVs. Almost half of the MOV and inspection techniques. In-situ testing of MOVs was failures were due to motor or switch failures (Casada, addressed by Generic letter 89-10, " Safety Related 1989). An extensive study of MOV events (AEOD/

Motor-Operated Valve Testing and Surveillance" C603,1986) indicates continuing inoperability problems (Partlow,1989) which requires licensees to develop and caused by: torque switch / limit switch settings, adjust-implement a program for testing, inspection and main-ments, or failures; motor burnout; improper sizing or tenance of all safety-related MOVs. " Thermal Overload use of thermal overload devices; premature degradation Protection for Electric Motors on Safety-Related related to inadequate use of protective devices; damage Moter-Operated Valves - Generic issue II.E.6.1 due to misuse (valve throttling, valve operator hammer-(Rothberg,1988)" concludes that valve motors should ing); mechanical problems (loosened parts, improper as-be thermally protected, yet in a way which elaphasizes sembly); or the torque switch bypass circuit improperly system function over protection of the operator.

installed or artjusted. The study concluded that current 5.5 NUREG/CR-5834

f a

1

(

Failure Modes 1

4 I

j methods and procedures at many plants are not ade-in the spring pack. During a surveillance at Trojan, j

quate to assure that MOVs will operate when needed failure of the torque switch to trip the TTV motor g

under credible accident conditions. Spedfically,a resulted in tripping of the thermal overload device, surveillance test which the valve passed might result in leaving the turbine driven pump inoperable for 40 days undetected valve inoperability due to component failure until the next surveillance (AEOD/E702,1987).

(motor burnout, operator parts failure, stem disc sep-Problems result from grease changes to EXXON

(

aration) or improper positioning of protective devices NEBULA EP-0 grease, one of only two greases consid-(thermal overload, torque switch, limit switch). Generic cred emironmentally qualified by Limitorque. Due to 4

Letter 89-10 (Partlow,1989) has subsequently required lower viscosity,it slowly migrates from the gear case into licensees to implement a program ensuring that MOV the spring pack. Grease changeover at Vermont switch settings are maintained so that the valves will -

Yankee affected 40 of the older MOVs of which 32 were operate under design basis conditions for the life of the safety related. Grease relief kits are needed for MOV plant.

operators manufactured before 1975. At Limerick, ad-ditional grease relief was required for MOVs manufac-l CF5. Component proble.ms have caused a significant tured since 1975. MOV refurbishment programs may number of turbine driven pump trips (AEOD/C602, yield other changeovers to EP-0 grease.

19S6). One group of events involved worn tappet nut faces, loose cabic connections, loosened set screws, im.

CF9. For AFW systems using air operated valves, properly latched TTVs, and improper assembly.

almost half of the system degradation has resulted from Another involved oilleaks due to component or sd failures of the valve controller circuit and its instrument failures, and oil contamination due to poor maintenance inputs (Casada,1989). Failures occurred predominantly activities. Governor oil may not be shared with turbine at a few units using automatic electronic cot. trollers for lubrication oil, resulting in the need for separate oil the flow control valves,with the majority of tilures due changes Electrical component failures included tran-to electrical hardware. At 'Ibrkey Point-3, comroller sistor or resistor failures due to moisture intrusion, malfunction resulted from water in the Instrument Air erroneous grounds and connections, diode failures, and system due to maintenance inoperability of the tir j

a faulty circuit card.

dtyers.

CF6. Electrohydraulic-operated discharge valves have CF10. For systems using diesel driven pumps, most of performed very poorly, and three of the five units using the failures were due to start c(mtrol and governor speed them have removed them due to recurrent failures.

control circuitry. Half of these occurred on demand, as Failures included oil leaks, contaminated oil, and opposed to during testing (Casada,1989).

hydraulic pump failures.

CFI1. For systems using AOVs, operability requires the CF7. Control circuit failures were the dominant source availability of Instrument Air (IA), backup air, or of motor driven AFW pump failures (Casada,1989).

backup nitrogen. However, NRC Maintenance Team This includes the controls used for automatic and Inspections have identified inadequate testing of check manual starting of the pumps, as opposed to *he in 2 valves isolating the safety-related portion of the IA sys-mentation inputs. Most of the remaining problems s.cre tem at several utilities (Letter, Roe to Richardson).

due to circuit breaker failures.

Generic Letter 88-14 (Miraglia,1988), requires licen-tecs to verify by test that air-operated safety-related CF8. Hydraulic lockup" of Limitorque SMB spring components will perform as expected in accordance with packs has prevented proper spring compression to all design-basis events, including a loss of normal IA.

actuate the MOV torque switch, due to grease trapped 1

NUREG/CR-5834 5.6

6 References Beckjord, E. S. June 30,1989. Closcout ofGeneric Issue AEOD Reports ll.E.61, *In Situ Testing of Valves

• Letter to V. Stello, Jr., U.S. Nuclear Regulatory Commission, Washington, AEOD/C404. W. D. Lanning. July 1984. Steam Binding D.C ofAuriliary Feedwater Pumps. U.S. Nuclear Regulatory Commission, Washington, D.C Brooks, B. P.1988. Application Guidelinesfor Check Valves in Nuclear Power Plants. NP-5479, Electric AEOD/C602. C Hsu. August 1986. OperationalErper-Power Research Institute, Palo Alto, California.

ience Involving Turbine Overspeed Trips. U.S. Nuclear Regulatory Commission, Washington, D.C Casada,D. A.1989. AuriliaryFeedwaterSystem Aging Study: Volume 1. Operating Erperience and Current Afon.

AEODlC603. E.J. Brown. December 1986. A Review itoringPractices. NUREGICR-5404. U.S. Nucicar Reg-ofAfotor-Operated Valve Performance. U.S. Nuclear ulatory Commission, Washingon, D.C Regulatory Commission, Washington, D.C Gregg, R. E. and R. E. Wright.1988. Appendir Review AEOD!E702. E.J. Brown. March 19,1987. Af0VFail-forDominant Generic Contnbutors. BLB-31-88. Idaho ure Due to Hydraulic Lockup From Ercessive Grease in National Engineering Laboratory, Idaho Palls, Idaho.

SpringPack. U.S. Nuclear Regulatory Commission, Washington, D.C Miraglia, E J. February I'i,1988. Resolution ofGeneric Safety Issue 93,

• Steam Binding ofAuriliary Feedwater AEODfT416.1anuary 22,1983. Loss ofESFAuriliary Pumps * (Generic Letter 88-03). U.S. Nuclcar Regulatosy Feedwater Pump Capability at Trojan on January 22, Commission, Washington, D.C.

1983. U.S. Nuclear Regulatory Commission, Wash.

ington, D.C Miraglia, E J. August 8,1988. InstrumentAirSupply System Problem

• Affecting Safety-Related Equipment Information Notices (Generic Letter 8814). U.S. Nuclcar Regulatory Commission, whshington, D.C IN 82-01. January 22,1982. Auriliary feedwater Pump Lockout Resultingfrom Westinghouse W2 Switch Circuit Partlow, J. G. June 28,1989. Safety-Related Alotor-Afodification. U.S. Nuclear Regulatory Commission, Operated Valve Testing and Surveillance (Generic Letter Washington, D.C 89-10). U.S. Nuclear Regulatory Commission, Washington, D.C IN 84-32. E. L Jordan. April 10,1984. Auriliary Feedwater Sparger and Pipe Hangar Damage. U.S. Nu-Rothberg, O. June 1988. ThermalOverload Protection clear Regulatory Commission, Washington, D.C for Electric Afotors on Safety-Related Afotor-Operated Valves - Generic Issue ll.E.61. NUREG-1296. U.S.

IN 84-66. August 17,1984. Undetected Unavailability of Nuclcar Regulatrty Commission, Washington, D.C the Turbine-Driven Auriliaq Feedwater Tra:n. U.S. Nu-clear Regulatory Commission, Washington, D.C Travis, R. and J. Taylor. 1989. Development of Guid-ancefor Generic, Functionatly Oriented PRA-Based Team IN 87-34. C E. Rossi. July 24,1987. Single Failures in inspectionsfor BHR Plants-Mentification ofRisk-Auriliary Feedwater Systems. U.S. Nuclcar Regulatosy important Systems, Componen:s and Human Actions.

Commission, Washington, D.C TLR-A-3874-TGA Brookhaven Ib69nal Laboratory, Upton, New York.

l 6.1 NUREG/CR-5834

P f

i References IN 87-53. C E. Rossi. October 20,1987. Auriliary inspection Report t

l Feedwater Pump Trips Resultingfrom Low Suction Pres-sure. U.S. Nuclear Regulatory Commission, IR 50-489/89-11; 50-499/89-11. May 26,1989. South Washington, D.C Teras ProjectInspection Report. U.S. Nuclear Regula-tory Commission, Washington, D.C IN 88-09. C E. Rossi. March 18,1988. Reduced Reliability ofSteam. Driven Auxiliary Feedwater Pumps NUREG Report Caused by Instability.,fIVoodward PG-PL Type Gover-nors. U.S. Nuclear Regulatory Commission, NUREG-1154.1985. Loss ofMain and 4untiaryFeed-Washington, D.C water Event at the Davis Besse Plant on Jura 9,1985.

i U.S. Nuclear Regulatory Commission, Washington, IN 89-30. R. A. Azua. August 16,1989. Robinson Unit D.C 2 Inadequate NPSH ofAuri!!ary Feedwater Pumps. Also, j

Event Notification 16375, August 22,1989. U.S. Nu-j clear Regulatory Commission, Washington, D.C f

NUREG/CR-5834 6.2

NUREG/CR-5834 PNL-7906 Distribution No. of No. of Copies Copies OFFSITE 4

Fort Calhoun Resident Inspector Omce U.S. Nuclear Regulatory Commission J. H. Taylor Brookhaven National Laboratory B. K. Grimes Bldg.130 OWFN 9 A2 Upton, NY 11973 i

E Congel R. Travis OWFN 10 E2 Brookhaven National Laboratory Bldg.130 A C. Thadani Upton, NY 11973 OWFN 8 E2 1

R. Gregg S. D. Bloom EG&G Idaho, Inc.

OWFN 13 H3 P.O. Box 1625 Idaho Falls,ID 83415 S. M. Long OWFN 10 E4 Dr. D. R. Edwards Prof. of Nuclear Engineering G. M. Holahan University of Missouri. Rolla OWFN 8 E2 Rolla, MO 65401 J.Chung ONSITE OWFN 10 E4 23 Pacific Northwest Laboratory M. J. Virgilo OWFN 13 E4 S. R. Doctor L R. Dodd 2

B. Thomas B. E Gore (10)

OWFN 12 H26 N. E. Maguire-Moffitt B. D. Shipp U.S. Nuclear Reculatory Commission -

E A. Simonen Recion 4 T A. Vehec T V.Vo A. B. Beach Publishing Coordination L. J. Callan Tbchnical Repo;t File (5)

S. J. Collins T. E Westerman Distr.1

NRC FORu 335 U.S. NUCLE AR R EGULATORY COMMISSION

1. REPOR I NUMBE R

1. s'. nc2 L' M "i,C;,^%'Tl M ""-

m.2202 BIBLIOGRAPHIC DATA SHEET NUREG/CR-5834 isee anstnscesons on et,e re.asci

2. TITLT AND SUBTITLE Auxiliary Feedwater System Risk-Based Inspection Guide for the 3

DATE REPORWBLISHED Fort Calhoun Nuclear Power Plant j

wo,a u.R February 1993

4. FIN OR GR ANT NUMBER L1310

5. AUTHOR (S)

6. TYPE OF REPORT N. E. Moffitt, B. F. Gore, T. E. Vehec, T. V. Vo Technical

7. PE R IOD COVE R EQ tsacsus,re Deress 9/91 to 12/92

8. PER FORMING ORGANIZ ATION - N AME AND ADOR ESS tit mac, prove onesen. Otrace or menson, u.3 murw Napuerory Comenmesa, one - _ eddren stamrterfer perece none one meanns adoome Pacific Northwest Laboratory Richland, k'A 99_D _

9. SPONSORING ORG ANIZ ATION - N AME AND ADOR ESS tif smC. erae ~3eme es eaove". it contrerer. Omrme WAC Oersen. Ofrece or Aseen u.1 weew Aspeerary Commasama, ennt meit.n, ege,eni Division of Systems Safety and Analysis Office of Nuclear Reactor Regulation U.S. Nuclear 1.egulatory 'ommission Washington, D.C. 20555

10. SUPPLEMENTARY NOTES

11. A85TR ACT (200 wonn er nus In a study sponsored by the U.S. Nuclear Regul6 tory Commission (NRC), Pacific Northwest I

Laboratory has developed and applied a methodology for deriving plant-specific risk-i based inspection guidance for the auxiliary feedwater (AFW) system at pressurized water reactors that have not undergone probabilistic risk assessment (PRA). This methodology uses existing PRA results and plant operating experience information. Existing PRA-based inspection guidance inforTnation recently developed for the NRC for various plants was used to identify generic component failure modes. This information was then combine 3 with plant-specific and industry-wide component information and failure data to identify failure modes and failure mechanisms for the AFW system at the selected plants. Fort Calhoun was selected as the sixth plant for study. The product of this effort is a prioritized listing of AFW failures which have occurred at the plant and at other PWRs.

This listing is intended for use by NRC inspectors in the preparation of inspection plans addressing AFW risk-important components at the Fort Calhoun plant.

1 1

12. CLE Y WORDS/DESCR:PT OR S (tser woms er pareses ener.as ses,,r,s e,eners m aover,n, en,,.sorr.s

12. av AsLAasui v st ATt utNT Inspection, Risk, PRA, Ft. Calhoun, Auxiliary Feedwater (AFW)

Unlimited

14. SE CURE T v CLAnd sLallON f rng Pages Unclassified o rn. an, Unclassified Ib. NUMBER OF PAGES

16. PRICE NRC FORM 325 (249)

4 1

l i

j i

i i

i i

i i

N l

1 i

I i;

k i

i Printed l

on recycled l

paper i

4 Federal Recycling Program i

1

7 NUREG/CR-5834 AUXILIARY FEEDWATER SYSTEM RISK-BASED INSPECTION GUIDE FEBRUARY 1993 l

FOR TIIE FORT CALIIOUN NUCLEAR POWER PLANT UNITED STATES FIRST CLASS MAIL NUCLEAR REGULATORY COMMISSION POSTAGE AND FEES PAID WASHINGTON, D.C. 20555-0001 USNRC PERMiv NO. G 67 OFFICIAL BUSINESS PENALTY FOR PRIVATE USE, $300

,,-c_7i;r_'

. > *r5

(-

4

\\'l p.-

~..', 1 O '>

r' L i r

• T i. i

,,,, ;,, 3 2 e b.f

'LI ' '

.c,r y

" P s' r 7

,n9 g

r. r

[. 7 a. r. 'r*.

...