ML20045A521
| ML20045A521 | |
| Person / Time | |
|---|---|
| Site: | Hatch  |
| Issue date: | 05/31/1993 |
| From: | Dibiasio A BROOKHAVEN NATIONAL LABORATORY |
| To: | Office of Nuclear Reactor Regulation |
| References | |
| CON-FIN-A-3875 BNL-NUREG-52367, NUREG-CR-6014, NUDOCS 9306110025 | |
| Download: ML20045A521 (57) | |
Text
_ _ - . .. .-
NUREG/CR-6014 l BNL-NUREG-52367 l
I High Pressure Coolant Inlection System Risk-Basec Insaection Guide for Hatch Nuclear Power Station
.h I) i i Sio 1 Ilrookhaven National Laboratory Prepared for U.S. Nuclear Regulatory Commission DR DO OO b21 G PDR
i AVAILABILITY NOTICE Availability of Reference Materials Cited in NRC Publications Most documents cited in NRC publications will be available from one of the following sources:
- 1. The NRC Public Document Room, 2120 L Street, NW., Lower Level, Washington DC 20555
- 2. The Superintendent of Documents, U.S. Government Printing Office, P.O. Box 37082, Washington, DC 20013-7082
- 3. The National Technical information Service, Springfield, VA 22161 Although the listing that follows represents the majority of documents cited in NRC publications, it is not intended to be exhaustive.
Referenced documents available for inspection and copying for a fee from the NRC Public Document Room include NRC correspondence and internal NRC memoranda: NRC bulletins, crculars, information notices, inspection and investigation notices; licensee event reports; vendor reports and correspondence; Commis-sion papers; and applicant and licensee documents and correspondence.
The following documents in the NUREG series are available for purchase from the GPO Sales Program:
formal NRC staff and contractor reports, NRC-sponsored conference proceedings, international agreement reports, grant publications, and NRC booklets and brochures. Also available are regulatory guides, NRC regulations in the Code of Federal Regulations, and Nuclear Regulatory Commission Issuances.
Documents available from the National Technical Information Service include NUREG-series reports and technical reports prepared by other Federal agencies and reports prepared by the Atomic Energy Commis-sion, forerunner agency to the Nuclear Regulatory Commission.
Documents available from public and special technical libraries include all open literature items, such as books, jou nal articles, and transactions. Federal Register notices, Federal and State legislation, and con-
- gressional re.norts can usually be obtained from these librarles.
Documents such as the.M. dissertations, foreign reports and translations, and non-NRC conference pro-ceedings are avaliable for purdse from the organization sponsoring the publication cited.
Single copies of NRC draft reports are ava,0ble tree, to the extent of supply, upon written request to the ,
Office of Administration, Distribution and Mail Services Section, U.S. Nuclear Regulatory Commission, Washington, DC R555.
Copies of industry codes and standards used in a substantive manner in the NRC regulatory process are l maintained at the NRC Library,7920 Norfolk Avenue, Bethesda, Maryland, for use by the public. Codes and '
standards are usually copyrighted and may be purchased from the originating organl2ation or, if they are 1 American National Standards, from the American National Standards institute.1430 Broadway, New York, NY 10018.
{
]
DISCLAIMER NOTICE This report was prepared as an account of work sponsored by an agency of the United States Govemment. l Neither the United States Government nor any agency thereof, or any of their employees, makes any warranty, expressed or implied, or assumes any legal liability of responsibility for any third party's use, or the results of such use, of any Information, apparatus, product or process disclosed in this report, or represents that its use by such third party would not infringe privately owned rights.
NUREG/CR-6014 13NL-NUREG-52367 High Pressure Coolant Injection System Risi-Based Inspection Guide for Hatch Nuclear Power Station 1
Manuscript Completed: March 1993 l Date Published: May 1993 ;
Prepared by A. M. DiBiasio J. W. Chung. NRC Program Manager Brookhaven National Laboratory Upton, NY 11973 Prepared for Division of Systems Safety and Analysis Office of Nuclear Reactor Regulation U.S. Nuclear Regulatory Commission Washington, DC 20555 NRC FIN A3875
i i ABSTRACT A review of the operating experience for the High Pressure Coolant Injection (HPCI) j system at the Hatch Nuclear Power Station, Units 1 and 2, is described in this report. The l information for this review was obtained from Hatch Licensee Event Reports (LERs) that were generated between 1980 and 1992. These LERs have been categorized into 23 failure modes that have been prioritized based on probabilistic risk assessment considerations. In addition, the results of the Hatch operating experience review have been compared with the results of a similar, industry )
wide operating experience review. This comparison provides an indication of areas in the Hatch )
HPCI system that should be given increased attention in the prioritization ofinspection resources.
l i
i i
iii
l CONTENTS Page ABSTRACT ...
........ ........ ....................... iii
SUMMARY
... ............ . .............. . . . . . . . . . ix ACKNOWLEDGEMENTS .... ......... ........................ x
- 1. INTRODUCTION . . . . . . . . . ........................... 1-1 1.1 Background ... .. .... . .... .................. 1-1 1.2 Purpose ............................... ......... 1-1 1.3 Application to Inspections . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-1
- 2. HPCI SYSTEM DESCRIPTION . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-1
- 3. ACCIDENT SEQUENCE DISCUSSION .................... 3-1 3.1 Loss of High Pressure Injection and Failure t o Depressu rize . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-1 3.2 Station Blackout (SBO) With Intermediate Term Failure of High Pressure Injection . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-1 3.3 Station Blackout with Short Term Failure of High Pressure Injection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-2 3.4 ATWS With Failure of RPV Water Ixvel Control at High Pressure . . . . . . . . . . . . . . ........ ........... . 3-2 3.5 Unisolated LOCA Outside Containment ................. 3-3 3.6 Overall Assessment of HPCI Importance in the Prevention of Co re Da m a ge . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-4 4.
PRA-BASED HPCI FAILURE MODES . . . . . . . . . . . . . . . . . . . . . 41 5.
HPCI SYSTEM WALKDOWN CHECKLIST BY RISK IMPORTANCE . . . . 5-1 6.
OPERATING EXPERIENCE REVIEW . . . . . . . . . . . . . . . . . . . . . 6-1 6.1 HPCI Failure No.1 - Pump or Turbine Fails to Start or Run ....................................,.... 6-1 6.2 HPCI Failure No. 2 - System Unavailable Due to Test or Maintenance Activities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-5 6.3 HPCI Failure No. 3 - False High Steam Line Differential Pressure Isolation Signal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-6 6.4 HPCI Failure No. 4 - Turbine Steam Inlet Valve F001 Fails to Open . . ...................................... 6-7 6.5 HPCI Failure No. 5 - Pump Discharge Valve F006 Fails to Open . ....................................... 6-7 6.6 HPCI Failure No. 6-HPCI System Interactions ............ 6-7 6.7 HPCI Failure No. 7 - System Actuation legie Fails . . . . . . . . . 6-8 6.8 HPCI Failure No. 8 -False High Area Temperature Isolation Signal........................................... 6-8 v
I s .
CONTENTS (Cont'd) 6.9 HPCI Failure No. 9 -False lew Suetion Pressure 6-8 Trips ........ .. ......... ............ .....
6.10 HPCI Failure No.10 - False High Turbine Exhaust Pressure 6-8 Signal . . .. . . . ... ................ .....
6.11 HPCI Failure No.11 -Normally Open Turbine Exhaust Valve 6-8 Fails Closed . . . ................................ . /
6.12 HPCI Failure No.12 -Condensate Storage Tank /rorus Switchover 6-8 logic Fail . . . . . . . . . ... ............ .............
6.13 HPCI Failure No.13 - Torus Suetion Line Valves Fails to Open 6-8 6.14 Minimum Flow Valve Fails to Open . . . . ......... .... 6-10 6.15 Other Failures .................. . . . .......... 6-10 6-11 6.16 Human Errors ... ..... ...... . .......... .
6.17 Additional System Considerations . . . . . . . . . . . . . . . . . . . . . . 6-11 7-1
- 7.
SUMMARY
REFERENCES ........ ............ ......... 8-1
- 8. . ...
APPENDICES A-1
SUMMARY
OF INDUSTRY SURVEY OF HPCI OPERATING EXPERIENCE HPCI PUMP OR TURBINE FAILS TO START O R R U N . . . . . . . . . . . . . . . ................. .. .. A-1 A.2 SELECTED EXAMPLES OF ADDITIONAL HPCI FAILURE MODES IDENTIFIED DURING INDUSTRY SURVEY . . . . . . . . . . . . . . . A-9 vi
}
FIGURES Ficure No. Pace 2-1 Simplified HPCI Flow Diagram . . . . . . . . . . . . . . . . . . . . . . . . . 2-2 TABLES Table No. Page 4-1 HPCI PRA-Based Failure Summary . . . . . . . . . . . . . . . . . . . . . . . 4-3 4-2 Hatch HPCI System LER Survey Compared with Industry Survey . 4-4 5-1 Hatch HPCI System Walkdown Checklist . . . . . . . . . . . . . . . . . . . . 5-2 A-1 HPCI Pump or Turbine Fails to Start -Industry Survey Results . . . . . . ..... ..... ....... ................. A A-2 Summary of Illustrative Examples oi Additional HPCI Failure Modes ...... ........................ ...... A-11 vii
1
SUMMARY
This System Risk-Based Inspection Guide has been developed as an aid to HPCI system l inspections at Plant Hatch. The document presents a risk-based discussion of the role of HPCI in accident mitigation and provides PRA-based HPCI failure modes (Sections 3 and 4). Most PRA oriented inspection plans end here and require the inspector to rely on his experience and knowledge of plant specific and BWR operating history.
However, the system RIG uses industry operating experience, including illustrative examples, to augment the basic PRA failure modes. The risk-based input and the operating experience have been combined in Table 4-2 to develop a composite BWR HPCI failure ranking. This information can be used to optimize NRC resources by allocating proactive inspection effort based on risk and industry experience. In conjunction, the more important or unusual component faults are reflected in the walkdown checklist in Section 5. This, along with an assessment of the operating experience found in Section 6, provides potential areas of NRC oversight both for routine inspections and the
" post mortems" conducted after significant failures.
A comparison of Plant Hatch and the industry-wide BWR, HPCI failure distributions is presented in Table 4-2. Although the plant specific data are limited, certain Plant Hatch components exhibit a proportionally higher than expected contribution to total HPCI failures.
These components are candidates for greater inspection activity and the generic prioritization should be adjusted accordingly.
This generic ranking of HPCI failures has not been revised to reflect the presently available Plant Hatch LER data, because the plant specific distribution of HPCI failures is expected to change with time. Also, as was determined during a recent visit to the site, modifications have been performed which may reduce the likelihood of certain failure modes. The insights gained as a result of the site visit are also contained in this document.
As the plant matures, operational experience is assimilated by the utility's staff and reflected in the plant procedures. For example, the incidence of inadvertent HPCI isolations due to surveillance and calibration activities is expected to decrease. Conversely, aging related faults are expected to become a more dominant contributor to the Plant Hatch HPCI failure distribution.
The operating experience section, identifies several aging related failures which occurred at Duane !
Arnold, Hatch, Cooper and Brunswick, generally in the pump and turbine electronics.
This report includes all HPCI LERs up to 1992. Subsequent LERs can be correlated with the PRA failure categories, used to update the plant specific HPCI failure contribution, and compared with the more static HPCI BWR failure distribution. The industry operating experience is developed from a variety of BWR plants and is expected to exhibit less fluctuation with time than a single plant. This information can be trended to predict where additional inspection oversight is warranted as the plant matures.
Recommendations are made throughout this document regarding the inspection activities for the HPCI System at Plant Hatch. Some are of a generic nature, but some relate to specific maintenance, testing or operational activities at Plant Hatch.
ix
ACKNOWLEDGEMENT The author wishes to acknowledge the technical assistance of the NRC Program Manager, Dr. J. W. Chung, as well as Dr. John Schiffgens of the Probabilistic Safety Assessment Branch (NRR/SPSB), and the NRC Project Manager Kahtan Jabbour (NRR/PD11-3).
Gratitude is extended to Mr. Len Wert, the Senior Resident Inspector at Hatch, who participated in a thorough walkdown of the system and provided constructive comments on the draft document.
Representatives from Georgia Power Co. were very co-operative and provided useful information which was incorporated into this report. Particular thanks goes to Robin Pooni, Tom Metzler, and Sharon Mahler.
- Finally, we wish to thank the members of the Engineering Technology Division of BNL for their review of this report and, Ms. Ann Fort for her efforts in the preparation of this manuscript.
1 W
l l
l X
- 1. INTRODUCTION 1.1 Background Probabilistic risk assessment (PRA) is a comprehensive, integrated analysis of the diverse aspects of design, operation and maintenance of a plant to provide a snapshot of risks. A probabilistic risk analysis may reveal the features of the plant design that merit further attention, and thus, a focus for improving safety. In a study sponsored by the U.S. Nuclear Regulatory Commission, BNL has developed and applied a methodology for providing plant specific risk-based inspection guidance for the High Pressure Coolant Injection (HPCI) system in boiling water reactor plants that do not have a PRA study. This methodology uses insights from existing PRA studies and plant-specific operating experience for consideration in inspection planning at the plant selected for study.
1.2 Purpose This HPCI System Risk-Based Inspection Guide (S-RIG) has been developed as an aid to NRC inspection activities at the Hatch Nuclear Power Station. The High Pressure Coolant Injection (HPCI) system has been examined from a risk perspective. Common BWR accident sequences that involve HPCI are described in Section 3 for the purpose of reviewing the system's accident mitigation function and to identify system unavailability combinations that can greatly increase risk exposure. Section 4 describes and prioritizes the PRA-based HPCI failure modes for inspection purposes. A review of BWR operating experience review is presented in Sections 4 and 6 to illustrate these failure modes. This inspection guide also provides additional information in related areas such as HPCI support systems, human errors, and system interactions (Section 6).
, A summary and list of references are provided.
I 1.3 Application to inspections This inspection guide can be used as a reference for routine inspections and for identifying the significance of component failures that occur at Hatch. The risk-based information presented l l in Sections 4 and 5 can be used to prioritize day-to-day inspection activities. This S-RIG is also l l
useful for NRC inspection activities in response to system failures. The accident sequence ;
descriptions of Section 3 in conjunction with the discussion of multiple systems unavailability (Section 6.17), provide some insight into the combinations of system outages that can greatly increase risk. The historical operating experience review provides some of the more important failure mechanisms (including corrective actions) that are useful for the review of the licensee's response to a system failure. This system RIG can also be used for trending purposes. Table 4-2 provides a summary of the industry wide distribution of HPCI failure contributions, and presents a comparison of the Hatch HPCI failure distribution with industry experience. Certain HPCI failure modes (e.g., turbine control valve faults, false high turbine exhaust signal, and lube oil supply faults) appear to account for a disproportionate fraction of the Hatch HPCI system failures and are candidates for increased inspection activity. These areas should be reviewed periodically as additional plant operating experience is compiled.
l 1-1
i
- 2. 11PCI SYSTEM DESCRIPTION l The Hatch High Pressure Coolant Injection (HPCI) system is a single train system onsisting of steam turbine-driven injection and booster pumps, a barometric condenser, piping, supports, valves, controls, and instrumentation. A simplified flow diagram is shown in Figure 2-1. The system is designed to pump a minimum of 4250 gpm into the reactor vessel over a range of reactor j pressures from 150 to 1120 psig when automatically activated on a reactor water level low (-47 l inches) or drywell high pressure (1.9 psig) signal, or manually initiated from the control room. !
Each automatic initiation signal is "one-out-of-two-twice" logic. Two sources of injection water are I available. Initially, the HPCI pump takes suction from the condensate storage tank (CST) through a normally open motor-operated valve E41-F004. The pump suction automatically transfers to the j torus on low CST level or high torus level. This transfer is accomplished by a signal that opens the torus suction valves E41-F041 and F042. Once these valves are fully open, valve-position-limit switch contacts automatically close the CST suction valve. Events that raise the torus temperature above the HPCI system design limit for suction source temperature may require a manual suction transfer back to the CST.
Upon HPCI initiation, the normally closed injection valve E41-F006, automatically opens, allowing water to be pumped into the reactor vessel through the main feedwater header. A minimum-flow bypass is provided for pump protection. When the bypass valve E41-F012 is open, flow is directed to the torus. A full-flow test line is also provided to recirculate water back to the CST. The two isolation valves, E41-F008 and F011, are equipped with interlocks to automatically close the test line (if open) upon generation of an HPCI initiation signal.
The HPCI turbine is driven by reactor steam. The inboard and outboard HPCI isolation valves in the steam line to the HPCI turbine (E41-F002 and F003) are normally open to keep the piping to the turbine at an elevated temperature, permitting rapid startup. Upon receiving a signal from the HPCI isolation logic, these valves will close and cannot be reopened until the isolation i signal is cleared and the logic is reset. Inboard isolation valve E41-F002 is powered from 600/208 )
l VAC R24-S011 and controlled by isolation logic system A: outboard isolation valve E41-F003 is j
- powered from 125/250 VDC R24-S022 and controlled by isolation logic system B.
l Steam is admitted to the HPCI turbine through supply valve E41-F001, a turbine stop valve, i and a turbine control valve, all of which are normally closed and are opened by an HPCI initiation signal. Exhaust steam from the turbine is discharged to the torus, while condensed steam from the steam lines and leakage from the turbine gland seals are routed to a barometric condenser.
i l
i 2-1
if 4---
Reactor !
Main l
.ACondensate Steam Storage Tank u
F002X Feedwater
_F111 F102 F103 m From RHR v I.
)l FIN v
Suppression F021 F049 F006],,
- , , Pool - ,.
L.O.
" " o Stm. Supply
}lF004 " F001 Q.0 5F019 ll Turb. Stop FM5 FM
- / :: :
F042 Main ll Turb. Cntri.
Booster g
Pomp N r
- 5 C Turbine 1 Totalleakoff To Stand-by l ,
y F059] ' rmu ne Gas Treatment PVC RO " System I Condenser ^
--b< _
' GM' F035 R0 A.
g tube Oil nF012 RO Cooler y
- F.0,46
)lF007 SystemTestLine F009 v
- :: y n -
F011 l F00s K From RCIC r
Figure 2-1 Simplified IIPCI Flow Diagram I 2-2 i
l
l l
l l
t
! 3. ACCIDENT SEQUENCE DISCUSSION I
! The role of the HPCI system in the prevention of reactor core damage is valuable information that can be applied in the normal day-to-day inspection activities. If a plant has its own Probabilistic Risk Assessment (PRA), this information is usually available. However, not all plants have PRAs. Thus, eight representative BWR accident sequences based on a review of the available PRAs have been developed based on design and operational similarities that can be applied to other BWRs for risk based inspections'. These representative sequences comprise an average of 87% of the dominant core damage frequency for seven plants. This information can be used to allocate inspection resources commensurate with risk importance and allow the inspector to focus on the important systems / components. The HPCI system contributes to five of the eight representative sequences. These five sequences are discussed below.
3.1 less of Hich Pressure Iniection ani Failure to Depressurize This sequence is initiated by a general transient (such as MSIV closure, loss of feedwater, or I loss of DC power), a loss of offsite power, or a small break LOCA. The reactor successfully scrams. The power conversion system, including the main condenser, is unavailable either as a direct result of the initiator or due to subsequent MSIV closure. The high pressure injection i systems (HPCI/RCIC) fail to inject into the vessel. The major sources of HPCI/RCIC unavailability include one system disabled due to test or maintenance and system failures such as turbine / pump faults, pump discharge valve or steam turbine inlet valve failure to open. The CRD hydraulic system can also be used as a source of high pressure injection (HPI), but the failure of the second CRD pump or unsuccessful flow control station valving prevents sufficient reactor pressure vessel (RPV) injection. The operator attempts to manually depressurize the RPV, but a ;
common cause failure of the safety relief valves (SRVs) defeats both manual and automatic l depressurization of the reactor vessel. The failure to depressurize the vessel after HPI failure results in core damage due to a lack of vessel makeup.
l 3.2 Station Blackout (SBO) with Intermediate Term Failure of Hich Pressure Injection l
This sequence is initiated by a loss of offsite power (LOOP). The emergency diesel l generators (EDGs) are unavailable, primarily due to hardware faults. Maintenance unavailability is a secondary contributor. Support system malfunctions include EDG room or battery /switchgear room HVAC failures, service water pump, or EDG jacket cooler hardware failures. HPCI and RCIC, which are independent of AC power, are initially available and provide vessel makeup.
The high pressure injection systems can provide makeup until:
the station batteries are depleted, or
=
the system fails due to environmental conditions, i.e., high lube oil temperatures or high turbine exhaust pressure due to the high torus temperature and pressure, or the RPV is depressurized and can no longer support HPCI or RCIC operation, or the HPCI high area temperature logic isolates the system or long term exposure to high temperatures disables the turbine driven pump.
3-1 l
i
Generally, plant procedures address means to maintain DC power for as long as possible to assure a continued source of water to the IIPCI or RCIC. These procedures also provide contingency measures (such as supplying fire water to the RPV via the RHR system) if the SBO progresses until reactor pressure (decay heat) can no longer support HPCI or RCIC. The plant 3 procedures should be consistent with the BWR Owner's Group Emergency Procedure Guidelines. l The reactor building environmental conditions can also impact long term HPCI system operation. The reactor building HVAC and HPCI room cooling are dependent on AC power.
There is the possibility of spurious activation of the steam line break detection logic, and although the high area temperature isolation logic may be inactive during SBO conditions, there are potential environmental qualification concerns at elevated temperatures. The plant actions to monitor and control high area temperature, during an SBO, should be reviewed including any calculations necessanj to establish a time frame for the implementation of these actions.
33 Station Blackout with Short Term Failure of High Pressure inicetion This SBO sequence is similar to the previous sequence except the high pressure injection ;
systems fail early. The sources of emergency AC power, i.e., the emergency diesel generators (EDGs) fail primarily due to hardware failures. Secondary contributors are: output breaker failures and EDG unavailability due to test or maintenance activities. Support system malfunctions, such as service water failures in the EDG jacket cooling water train, battery /switchgear room HVAC failures, or test and maintenance unavailability are significant contributors to the loss of emergency on-site AC power.
Station battery failures (including common mode) are an important contributor to this sequence, because HPI systems and the EDGs are DC power dependent. In the SBO sequence, i HPCI unavailability is dominated by turbine / pump failures and maintenance unavailability. Core damage occurs shortly after the failure of allinjection systems.
3.4 ATWS with Failure of RPV Water Level Control at Hich Pressure This sequence is initiated by an anticipated transient with initial or subsequent MSIV closure and a failure of the reactor protection system to scram. Attempts to manually scram are not successful; however the Standby Liquid Control System (SLCS) is initiated. The condenser and the feedwater system are unavailable. The BWR Owner's Group Emergency Procedure Guidelines (EPGs) recommend RPV water level reductions for control of reactor power below 5% and the BWR representative sequence was based on that philosophy.
This sequence rostulates a failure to ensure sufficient RPV makeup at high pressure to prevent core damage. There are two failure modes:
- 1. The operator faits to control water level at high RPV pressure. This results in high core power levels, continuous SRV discharges and torus heatup. After the torus ;
reaches saturation, containment pressurization begins. High pressure injection fails due to high torus temperature prior to containment failure.
3-2
- 2. The high pressure injection (HPCI) system fails, primarily due to pump failure to start I or testing and maintenance (T&M) unavailability. Injection or inflow valves, suction l switchover, or loss of DC power are other potential system failures. HPCI pump )
failure to start or run, pump unavailability due to testing and maintenance activities, and Service Water EDG jacket cooler inlet or return valve failures are the major l system failures.
l The inability to maintain RPV water level above the top of the active fuel (TAF) requires ;
manual emergency depressurization that is expected to result in core damage before the low !
pressure ECCS can inject.
The continued operability of HPCI during an ATWS event is critical. Within the context of this accident sequence, (i.e., time available for success) the licensee's capability to perform the HPCI suction transfer and high turbine exhaust pressure trip logic bypasses should be evaluated periodically. With regard to HPCI system availability, the remaining sections of this RIG will discuss system failures and availability evaluation.
3.5 Unisolated LOCA Outside Containment 3 The initiator is a large pressure boundary failure outside containment with a failure to isolate the rupture. The piping failure is postulated in the following systems: main steam (50%), !
feedwater (10%), high pressure injection (33%), and interfacing LOCA (7%). The percentages indicate the estimated relative core damage contribution of each system'.
An interfacing LOCA initiator is defined as the initial pressurization of a low pressure line which results in a pressure boundary failure, compounded by the failure to isolate the failed line.
The failure is typically postulated in a low pressure portion of the core spray (CS) system, the ,
LPCI, shutdown cooling and (to a lesser extent), the HPCI or RCIC pump suction or the head l spray line of RHR system. l The unisolated LOCA outside containment results in a rapid loss of the reactor coolant system (RCS) inventory, eliminating the torus as a long term source of RPV injection. These piping failures in the reactor building can also result in unfavorable environmental conditions for the ECCS. Unless the unaffected ECCS systems or the condensate system are available,long term RPV injection is suspect and core damage is likely.
There have been several HPCI pump suction overpressurization events, primarily during surveillance testing of the normally closed pump discharge motor-operated valve E41-F006' . This is of particular concern for the discharge configuration with a testable air-operated check valve in addition to the normally closed MOV because of the valve's history of back leakage. The HPCI interfacing LOCA initiator seems to be less of a problem with the configuration of a normally closed valve E41-F006, such as exists at Hatch, primarily because another normally open E41-F007 )
is closed prior to the E41-F006 surveillance. However, the concerns of the previous configuration are also valid here. There must be reasonable assurance that the normally closed E41-F006 valve is leak tight during plant operation and, prior to stroke testing. Confirmation is necessary to assure that it is fully closed and will provide the necenary protection for the upstream piping. At Hatch, the licensee has prepared a design change (DCR 92-164) to relocate 2E41-F006 away from the feedwater line in order to reduce the potential of seat leakage.
3-3
3.6 Overall Assessment of HPCI importance in the Prevention of Core Damace As previously stated, the high pressure injection function (llPCI/RCIC/CRD) contributes to five of the eight representative BWR accident sequences. The system failures for all eight BWR sequences were prioritized by their contribution to core damage (using a normalized Fussell-Vesely importance measure). Based on the combined plant's PRAs, the HPI function in aggregate was in the high importance category. Other high risk important systems are Emergency AC Power and the Reactor Protection System. The HPCI system itselfis of medium risk importance, because of the multiple systems (e.g., RCIC and CRD) that can successfully provide vessel makeup at high pressure. For comparison, other systems with a medium risk importance are: Standby Liquid Control, Automatic / Manual Denressurization, Service Water, and DC Power.
The Plant Hatch IPE identifies "HPCI fails" as the highest probabilistic important top event for all accident classes, based on the percentage of core damage frequency involving the top event (i.e., system failure or human error). Other high importance top events at Hatch include " operator fails to perform emergency depressurization", and "RCIC fails".
3-4
- 4. PRA BASED IIPCI FAILURE MODES PRA models are often used for inspection purposes to prioritize systems, components and human actions from a risk perspective. This enables the inspection effort to be apportioned based on a core damage prevention measure called risk importance. The HPCI failure modes for this system Risk-Based Inspection Guide (System RIG) were developed from a review of BWR plant specific RIGS", and the PRA-Based Team Inspection Methodology' . The component failure modes are presented in Table 4-1 and are grouped by risk significance. There are four failure modes of high risk importance, four of medium risk importance and 15 of lower risk importance, for a total of 23 failure modes. The Fussell-Vesely Importance Measure has been used to determine these rankings. This measure combines the risk significance of a failure or unavailability with the likelihood that the failure / unavailability will occur.
PRAs are less helpful in the determination of specific failure modes or root causes and do not generally provide detailed inspection guidance. This makes it necessary for an inspector to draw on his experience, plant operating history, Licensee Event Reports (LERs), NRC Bulletins, Information Notices and Generic Letters, INPO documents, vendor information and similar sources to conduct an inspection of the PRA-prioritized items. Information useful for prioritization of inspection resources has been obtained by performing an operating experience review of industry experience related to PRA derived failure modes for the HPCI system.
Licensee Event Reports (LERs) generated by the industry between 1985 and mid-1989 were surveyed for HPCI related failures and approximately 200 were identified. Sixty-two LERs did not have a PRA-based failure mode; these LERs generally documented system challenges, administrative deviations, and seismic / equipment qualification concerns. The remaining 140 LERs documented 159 HPCI faults or degradations. As presented in Table 4-2, the LER failure modes have been categorized by PRA failure mode to provide a relative indication of the contribution to all HPCI faults.
The failure rankings documented in Table 4-2 were subjectively estimated based on PRA-based risk importances, operational input, recovery potential, current accident management philosophy and conditional failures. The failure mode identified as HPCI pump or turbine fails to l
start or run was ranked as "high risk importance" in Table 4-1 and also accounted for the largest I number of LERs related to the HPCI system identified in the industry survey. Thus, as shown in Table 4-2, this failure mode was ranked as number one and was analyzed in greater detail to identify the various causes. A summary of the significant causes of this failure mode are provided l in Appendix A-1. In addition, selected examples of all other PRA-based HPCI failure modes are provided in Appendix A-2.
A more extensive .LER analysis has been completed for the Hatch Plant. For Hatch, all LERs documented between 1980 and 1992 were reviewed to identify failures applicable to HPCI.
The results of this review, tabulated in Table 4-2, indicate that several failure modes show a higher percentage of occurrence than the industry survey results. These failure modes are:
4 - 1.
HPCI Pump or Turbine Fails to Start or Run due to:
-Turbine speed control faults !
-Lube oil supply faults
-Turbine overspeed and reset problems
-Flow controller failures
-Turbine control valve faults.
False high turbine exhaust pressure signal.
Pump discherge valve (F006) fails to open.
+ False high steam line differential pressure signal.
The survey of Hatch operating experience is discussed in Section 6.
l l
l l
I e
4-2
i l
l Table 4-1 IIPCI PRA-based Failure Summary Hich Risk Importance Pump or Turbine Fails to Start or Run*
System Unavailable Due to Test or Maintenance Activities
- Turbine Steam Inlet Valve (F001) Fails to Open Pump Discharge Valve (F006) Fails to Open*
Medium Risk Importance CST / Torus Switchover Logic Fails !
l Torus Suction Valves (F042 or F041) Fail to Open*
Normally Open Pump Discharge Valve (F007) Fails Closed or is Plugged Minimum Flow Valve (F012) Fails to Open, Given Delayed Activation of Pump Discharge Valve (F006).*
Lower Risk Imnortance CST Suction Line Check Valve (F019) Fails to Open CST Suction Line Manual Valve (F010) Plugged Normally Open CST Pump Suction Valve (F004)
Fails Closed or is Plugged Pump Discharge Check Valve (F005) Fails to Open Torus Suction Line Check Valve (F045) Fails to Open l Normally Open Steam Line Containment Isolation Valve (F002 or F003) Fail Closed * ,
l Steam Line Drain Pot Malfunctions I Turbine Exhaust Line Faults, including: l Normally Open Turbine Exhaust Valve (F021) is Plugged
- Turbine Exhaust Check Valve (F049) Fails to Open Turbine Exhaust Line Vacuum Breaker (F102,103) Fails to Operate !
False High Steam Line Differential Pressure Signal
- False High Area Temperature Isolation Signal
- False Low Suction Pressure Trip False High Turbine Exhaust Pressure Signal
- System Actuation logic Fails Suction Strainer Fails to Pass Flow
' Indicates a failure mode found in the Hatch operating experience review discussed in Section 6.
j l
4-3
Table 4-2 Hatch HPCI System LER Survey Compared with Industry Survey All llWRs Ifatch Failure Description Failure Ranking 2 Oxuments IIPCI Pump or Turbine Fails to Start or Run Turbine speed control faults 16 11 8 12 Lube oil supply faults 11 7 11 16 4 Turbine overspeed and reset problem 8 5 5 7 4 Inverter trips or
- failures 7 4 2 3 Turbine stop valve failures 5 3 1 2
, Turbine exhaust 2 3 p rupture disk 5 3 failures Flow controller failures 5 3 4 6 4 Turbine control valve faults 3 2 4 6 4
. less oflube oil cooling 2 1 0 0 Misc-valid high l
flow during testing 2 1 0 0 Fails to start or
, run - SUBTOTAL 64 40 1 37 55 l
i i
l l
Table 4-2 (Cont'd)
All BWRs Ifatch
- of Failures Failure Contr.' (%) # of Failures
- Failure Contr. (%)
System unavailable due to TAM 43 27 2 10 15 activities False high steam line difTerential 10 6 3 5 7 5.7 pressure signal Turbine-steam inlet valve (F001) 8 5 4 0 0 fails to open Pump discharge valve (I006) fails 8 5 5 5 7 4 to open v
4 Systems interactions fail 3 2 6 2 3 11 IIPCI System actuation logic fails 4 3 7 1 2 8 False high area temperature 3 2 8 1 2 5.7 isolation signal False low suction pressure trip 2 1 9 0 0 5.7 False high turbine exhaust signal 1 <1 10 3 4 4.5.7 Normal open turbine exhaust I <1 11 0 0 valve fails closed
_ _ _ . _ . . _ _ _ . . - _ _ - _ _ _ _ . _ . . - _ _ _ _ _ _ . _ _ _ _ _ _ _ _ _ ___ ____a _ _ _ _ _ _ _ _ _ _ _ _ _ . _ _ _ _ _ _ _._ _ _ _ _ _ _ _ _ _
11l<
s t
n e 0 9
m 9 6 1
n r 6 o
C
)
(
t r
n o 0 3 2 C
er l
u i
a h F t
c I
a I _
8 -
s e
r l
u i
a 0 2 1 F
f o
g i
n k
n a 2 3 4 R 1 1 1 er l
u ~
i a
F
)
fr
(
'r.t n 1 o < 4 3 C
e r
u s l i
R F a
W l
I
!A s
e r
u li a 1 6 5 F
f o
n o n l o
i
) t o ls d ip r o i
't r iss e v p o wfa n c e r o o) o s e ph nvets l f 2 C D c s iolai la 1
( pt l s vf m0 2- e Sui swi a s e
r n) u1 n 4
r u /
Tl oi c f
pi4o2n im (e ep le l
ptc0 e o i
a Sovg u uF p invlao b
a F C pk S s( o Mvt T
e
f i
i I i
l
\
! Table 4-2 Notes
- 1. Failure contribution is expressed as a percentage of all significant HPCI failures as developed by the Operating Experience Review.
- 2. Failure ranking is a subjective prioritization based on PRA and operational input, recovery potential, current accident management philosophy and conditional failures, as applicable.
- 3. Hatch significant HPCI failures are based on a review of all available LERs (1980 to 1992).
- 4. Although some caution is warranted due to the limited plant specific data, this failure mode seems to comprise a disproportionate fraction of the Hatch HPCI unavailability. This area is a candidate for enhanced inspection attention.
- 5. Failure importance was upgraded from the PRA-based ranking of Table 4-1.
i
- 6. Failure importance was downgraded from the PRA-based ranking of Table 4-1,
- 7. HPCI isolation and trip logic are significant contributors to unavailability. The system can be isolated by a single malfunction, yet instrument surveillance intervals can be greater than the more reliable actuation logic surveillance intervals.
l 8. Unlike the system trip and isolation logic, the actuation logic arrangement (one out-of-two l twice) diminishes the importance of a single instrument to reliable system operation. At least two low RPV level or two high drywell pressure sensors must fail. !
l
- 9. The latest BWROG Emergency Procedure Guidelines deemphasize the torus as an injection source.
- 10. Conditional on the delayed opening of the pump discharge line valve, F006.
- 11. Unlike the rest of the failure modes listed herein, " Systems Interactions" is not PRA-based.
It was identified as a significant failure mechanism during the operating experience review and is discussed in Section 6.
4-7
- 5. IIPCI SYSTEM WALKDOWN CllECKLIST BY RISK IMPORTANCE Table 5.1 presents the HPCI system walkdown checklist for use by the inspector. This information permits inspectors to focus their efforts on components important to system availability and operability. Equipment locations and power sources are provided to assist in the review of this system. This checklist may be used in conjunction with other NRC inspectin procedures, or as a guide to determine licensee and NRC resources to be applied to maintenance and test activities associated with IIPCI system components.
5-1
Table 5-1 IIatch IIPCI System Walkdown Checklist ID No. location Power Source & location Standby Position Actual Position Description A. Counponents of liigh Rink Significance R101 IIPCI Room Reactor Bldg. Elev. 87* R24-S022 Frame 2A, Rx. Bldg. Closed hrbine Steam Isolation Valve IU)6 Torus Room-114' Elev., Ar.170 Unit R24 5022 I'rame 3AL, Ms. Ilidg. Closed Pump inboard Discharge Valve 1-Bay 2 Unit 2. Bay 8 Control Room R24-S022. Panel 601. Rx Illdg. On IIPCI inverter Auxiliary Oil Pump C002-3 IIPCI Room R24.S022. Rx. Bldg. Frame 78 Auto R612 Control Room. Panel 601 R24-SO22, Via Inverter Auto IIPCI System Flow Controller B. Components of Medium Risk Significance Pump Outboard Discharge Valve IU17 IIPCI Room R24-SO22, Frame 6Al, Rx. Bldg. Open Pump Minimum Flow Valve F012 IIPCI Room R24-S022, Frame 6C, Rx. Bldg. Closed Pump Suction From Torus (2 Valves) F041, llPCI Room R24-5022, Frame 8A and B. Rx. Closed F042 Bldg.
C. Components of fewer Risk Significance .
Inboard Steam Isolation Valve FOO2 Daywell R24-5011A Frame 4A, Rx. Bldg. Open Outboard Steam Isolation Valve F003 Drywell Personnel R24-5022, Frame 2B, Rx. Bldg. Open Access Area CSF Suction Isolation Valve F004 IIPCI Room R24-S022, Frame 3B, Rx. Bldg. Open hrbine Exhaust to Torus F021 Torus Room-114' Elev. Ax.90, Bay 5 NA Open Full Flow Test Valve to CSF R108 IIPCI Room R24 5022. Frame 3AR, Rx. Bldg. Cksed Notes: 1. All circuit breakers should be closed (ON).
- 2. Valve operability is verified by the licensee with procedure 34SDV-E41-001-2/1S, *IIPCI Valve Operability.' hese valves are included in the ASME Inservice Testing (IS1) Program. Additionally, some of these valves are required to be tested under Generic Irtter 89-10. ISTand Generic Irtter 89-10 testing results may be reviewed to confirm the valves' operational readiness.
3- Routine observation of the control room annunciator panel for the llPCI system, and valve indicating lights is recommended as a starting point for a llPCI system walkdown.
- 6. INDUSTRY AND HATCII OPERATING EXPERIENCE REVIEW An operating experience review was conducted to integrate the recent industry experience of all operating BWRs with PRA derived failere modes for the HPCI system. The period 1985 to mid 1989 was searched for HPCI LERs and approximately 200 were identified. Sixty-two LERs did not have a corresponding failure mode. These LERs generally documented successful system challenges, administrative deviations, or seismic / equipment qualification concerns. The remaining 140 LERs documented 159 HPCI faults or degradations. As presented in Tables A-1 and A-2, these failures have been categorized by PRA fai!ure mode to provide a relative indication of their contribution to all HPCI faults. Thirteen PRA failure modes that had corresponding failures in the data were examined. Each of these PRA-based failure modes is discussed below.
In addition to the industry operating experience review, the failure experience of the Hatch Plant Units 1 (Docket Number 50-321) and 2 (Docket Number 50-366) was surveyed over the period 1980 to 1992. One hundred and fifty-eight HPCI related LERs were reviewed. Sixty-seven failures were attributed to the thirteen PRA failure modes. Forty-five percent of these failures occurred in 1980 and 1981, and 22 percent occurred in the past five years (1988-1992). This information is integrated into the discussion of each HPCI failure mode provided in the following paragraphs. The licensee has recently (1992) performed an assessment of the HPCI system and has performed a number of system upgrades, including replacing / upgrading control equipment (e.g., EG-M, EG-R, resistors), using a performance monitoring system to tuneup the control system, and general housekeeping upgrades (e.g., equipment tagging and repair system leaks).
These actions should improve system reliability.
6.1 HPCI Failure No.1 - Pumo or Turbine Fails to Start or Run The major contributor to HPCI system unavailability, both from a risk and operational viewpoint, is the failure of the turbine driven pump to start or continue running. This failure mode includes many interactive subsystems and components that can make root cause analysis and component repair a complex task. For the purposes of this study, this failure has been defined as those components or functions that directly support the operation of the pump or turbine. The "HPCI Pump or Turbine Fails to Start or Run" basic event accounted for 64 failures or 40% of the HPCI faults in the industry operating experience review.
Thus, this failure mode has been broken down in the subcategories summarized in Table 4-2.
Representative LERs for each of these subcategories are summarized in Appendix A-1 along with the most likely root cause, the corrective action taken in each case, and any applicable comments.
This information should provide the inspector with additional insight into the particulars of each subcategory.
6.1.1 Turbine Sneed Control Faults The turbine speed is controlled automatically by a control system consisting of a flow controller and an electro-hydraulic turbine governor. The turbine governor system receives the flow controller signal input and converts it into hydraulic-mechanical motion to position the governor (control) valve. The system has a " ramp" generator which upon turbine start, will control the acceleration rate up to a speed relative to the flow controller output signal. The " ramp" rate is adjustable. The turbine speed control is a very complex area that requires specialized attention.
6-1 l
1 l
The inspector should confirm that the licensee acknowledges the complexity of the turbine speed control. (For example,it may be appropriate to have a trained specialist on staff, a good working relationship with the appropriate vendors, and vendor participation in proposed modifications or major repairs.)
Eight events related to turbine speed control faults were identified in the expanded LER search for Hatch, which included EGM controller and ramp generator signal converter module out of calibration (83-069-321) and failed resistor r- sulting in loss of power to the electronic governor controlling turbine speed (90-001-321). Adddonally, two LERs (80-049 and 069-321) were attributed to the turbine speed control being out of calibration. IIPCI failed to automatically inject after receiving an automatic signal following a scram. During the event described in LER 80-069-321, RCIC was inoperable. HPCI was manually started after resetting the isolation signal.
I Two LERs (80-122 and 80-52-321) were attributed to defective ramp generators. LER 88-022 366 reported that HPCI tripped due to the magnetic speed pickup cable having been damaged during maintenance. LER 87-017-366 reported a defective controller amplifier card due to " normal aging."
6.1.2 Lube Oil Supply Faults This subcategory consists of eleven industry failures to provide sufficient lubricating oil to various turbine components and control oil pressure to operate the turbine stop and control valves.
As presented in Table A-1, most of the failures are related to the auxiliary oil pump (AOP) and include two bearing failures and five auxiliary oil pump pressure switch faults. Three other events involving low bearing oil pressure events were attributed to valve mispositions and oil contamination.
Hatch had eleven lube oil supply faults. Two failures were due to water contamination in the oil (LER 84-011-321 and 83-106-321). Two failures were due to a failed coil in the AOP's MCC time delay relay (LER 80-016-366 and 81-032-366). Two were due to personnel errors: a rag was left in the oil sump (LER 86-014-366) and the bearing . oil supply valve was mispositioned (LER 83-093-321). The other events involved a separated wire that connected to the shunt coil of
e a failed oil line with RCIC inoperable (LER 81-013-321), and AOP cycling on and off once due to I
dirty contacts in the AOP MCC scal-in relay (LER 81-138-321) and another time with the cause i
unknown (LER 82-012-321).
t l 6.1.3 Turbine Overspeed and Auto Reset Problems The mechanical overspeed trip function is set at 125 percent of the card turbine speed. At most facilities, the displacement of the emergency governor weight lifts a bal! tappet that displaces a piston, allowing oil to be dumped through a port from the oil operateo turbine stop valve. This action allows the spring force acting on the piston inside the stop valve oil cylinder to close the stop valve. The overspeed hydraulic device is capable of automatic reset Efter a preset time delay.
Hatch LER 81-068-321 documented an event where HPCI failed to restart due to a malfunction of the overspeed trip caused by excessive clearances between the piston and cylinder bore and oil leakage through the diaphragm control valve seat. Hatch also had four turbine overspeed faults where the turbine failed to trip. These events were attributed to damaged balls 6-2
in the ball-tappet assembly (81-051-321,83-007-321,84-011-321), setpoint drift due to internal wear of the trip device (80-088-321), and a scored trip piston (81-051-321). GE SIL No. 392, Revision 1 was issued November 1990 and recommended that GE owners with Terry HPCI Turbines install a redesigned mechanical overspeed trip assembly to avoid tappet assembly binding. Hatch's implementation of this SIL should be verified. The licensee has scheduled this modification for Unit 1 in 1993.
6.1.4 HPCI Inverter Trins or Failures The HPCI inverter is powered from a 125V DC bus and ultimately powers the turbine flow control circuit. Two inverter trips were identified during the review of Hatch LERs. One trip was due to a failed diode in the inverter (89-006-321) and the other was due to the high voltage trip setpoint drifting low (80-003-366). The manual mode of HPCI was still operable.
6.1.5 Turbine Ston Valve Failures The turbine stop valve is located in the steam supply line close to the inlet connection of the turbine. The primary function of the valve is to close quickly and stop the flow of steam to the turbine when so signaled. A secondary function of this hydraulically operated valve is to open slowly to provide a controlled rate of admission of steam to the turbine and its governing valve.
The following reportable event involving a HPCI turbine stop valve failure took place at Hatch: LER 88-001 describes galling of the turbine stop valve at Unit 2 due to inadequate maintenance procedures. The procedures did not provide adequate guidance to ensure that proper clearances were maintained.
6.1.6 Turbine Exhaust Runture Disk Failures The HPCI turbine has a set of two mechanical rupture diaphragms in series which protect the exhaust piping and turbine casing from overpressure conditions. When the inner disk ruptures, pressure switches cause HPCI isolation signals and turbine trip. Low pressure steam flows past the ruptured diaphragm through a restriction orifice directly into the HPCI room. Rupture of the second disk would vent the turbine exhaust into the torus room without flow restriction. The nominal rupture pressure is approximately 175 psig.
One failure that occurred at Hatch (LER 85-005-321), was attributed to water carryover from the exhaust line drain pot causing the exhaust diaphragm to rupture. The blocked drain line was cleared. Another event at Hatch involved an exhaust diaphragm leaking around the outer edge (LER 85-035-321). Additionally, nine LERs reported the exhaust diaphragm pressure switches being out of calibration due to setpoint drift and corroded switches. The switches actuated at pressures higher than the Technical Specification requirement; allowing the system to operate longer with a ruptured diaphragm. These .LERs were not considered failures. AEOD Report E402" provides additional, earlier examples of turbine exhaust rupture disk failures.
6-3
6.1.7 Flow Controller Failures The flow controller in conjunction with the electro-hydraulic turbine governor controls turbine speed and pump flow. The flow controller senses pump discharge flow and outputs an electrical signal to the turbine governor to maintain a constant pump discharge flow rate over the pressure range of operation.
The expanded LER search for Hatch identitied four events in this category including flow controller malfunction due to loose fasteners in the controller's internal gear (LER 88-012-321) and a defective controller amplifier (LER 86-014-366). The other events involved incorrect controller null voltage settings due to personnel error (LER 81-003 321) and intermittent failure of an internal transfer relay (91-33-321).
6.1.8 Turbine Control Valve Faults Hatch reported four events involving the turbine control valve. Two events involved an oil leak due to a ruptured diaphragm in the control valve (LER 81-088-321 and 81-102-321). LER 86-014-366 reported the failure of the control valve to fully open due to a rag left in after maintenance blocking the shaft driven oil pump. The other LER (81-003-321) reported the control valve stuck open due to two bent lift rods and galling.
6.1.9 Imss of Lube Oil Cooline The loss of tube oil cooling can be caused by faults in the cooling water lines to and from the cooler, cooler leakage, or flow blockage. A prolonged loss of lube oil cooling can lead to turbine bearing failure. The lube oil temperature is monitored by a temperature indicating switch with control room annunciation (on Panel P614). A summary of the industry survey oflube oil cooling failures is provided in Appendix A-1.
The expanded LER search for Hatch did not identify any additional events in this category.
6.1.10 Miscellaneous I
Another potential system failure involves the practice of running the auxiliary oil pump to lubricate the turbine bearings or to clear a system ground. Monticello used this practice to attempt to clear a ground in the electro-hydraulic governor. When the fault did not clear, a system test was initiated to confirm HPCI operability. When the operator opened the turbine control valve to simulate a cold quick start, the system isolated on high steam flow. The operation of the auxiliary oil pump caused the hydraulically operated turbine stop valve to move from its full closed to its full open position. When the stop valve leaves the fully closed position it initiates a ramp l generator that provides the flow control signal to the turbine control valve, allowing it to move to the open position. Since the auxiliary oil pump had been running for some time the ramp generator had timed out and a maximum steam flow demand signal was sent to the control valve.
This prevented the turbine control valve from restricting steam flow as it normally would during a turbine start resulting in high steam flow and a valid system isolation.
6-4
Some plant procedures address running the auxiliary pump periodically to keep the turbine bearings lubricated. When the auxiliary oil pump is running, the high presst : coolant injection system willisolate if an automatic initiation signalis received at any time after tne ramp generator has timed out, which occurs after approximately 10 to 15 seconds. Monticello has taken the following corrective actions to address the problem:
A modification has been approved that will eliminate ramp generator initiation while the auxiliary oil pump is running unless a valid initiation signal occurs.
The high pressure coolant injection system operating procedures have been revised to ,
include cautions addressing system inoperability when the auxiliary oil pump is running.
The operating procedures that verify system operability have been revised to include precautions about system status before and during the test. The control system ramp generator function during the opening of the control valve is described in these procedures.
In summary, this is a significant concern because a common plant practice has the potential to disable the HPCI system. Hatch operating procedures should be reviewed to assure that this potential problem is addressed.
6.2 HPCI Failure No. 2 - System Unavailable Due to Test or Maintenance Activities A probabilistic risk assessment develops estimates of sys+em unavailability generally using a .
fault tree. The fault tree is a diagrammatic representation of the known contributors to system unavailability. In addition to component failures, the system may not be functional due to testing or maintenance (T&M) activities. In a single train system, like HPCI, test and maintenance activities on one component usually disable the entire system. It is important to keep the HPCI T&M con:ribution as low as possible because it is so important to system unavailability.
The root sources of excessive HPCI unavailability due to T&M induced failures were examined as part of this operating experience review. Forty-three examples of industry test or maintenance errors (27% of all HPCI failures) were divided into three categories.
Inadequate maintenance or inadequate post maintenance testing accounted for 22 HPCI industry failures. A second T&M category, consisting of 4 industry events,is attributable to human error that inadvertently or incorrectly disables the HPCI system. Pertinent examples include the disabling of the wrong HPCI system at a two unit site, mistakenly disabling the auxiliary oil pump due to a smoke odor in the HPCI room, and valving errors which later caused a low pump suction trip or inadequate lube oil pressure.
The final category, " system inadvertently disabled during testing," consists of thirteen industry personnel errors that temporarily disabled the HPCI system. These incidents include steam line containment isolation valve closure due to testing errors during isolation logic testing, one valve motor failure due to overheating caused by excessive stroking during a surveillance test, and an inverter trip caused by personnel error which resulted in a high voltage condition affecting both Channel C battery chargers. Unlike the first two categories, the majority of these failures have a high probability of recovery.
6-5
l The expanded LER search at Hatch identified numerous events where HPCI was unavailable due to maintenance and testing activities. LER 86-007-366 reported that the steam line containment isolation valve F003 isolated due to a defective steam line differential pressure transmitter calibration procedure. Additionally, HPCI unavailability due to inadequate testing or maintenance procedures was reported in LER 89-004-366, 88-001-366, 87-007-321, 87-004-366, 92-003-366,92-6-321, and 92-007-321. LER 86-014-365 discusses an event where the HPCI turbine failed to achieve rated speed due to a rag, that was left in after maintenance, blocking the shaft driven oil pump. At Unit 2, during post-maintenance testing, the HPCI turbine tripped due to a damaged electrical cable to the turbine magnetic speed pickup (LER 88-022). The damage was caused during maintenance.
In summary, the T&M component of system unavailability must be continuously monitored by the inspector to assure it is as low as possible. The licensee should be administratively limiting the time that the HPCI system is in test or maintenance during operation. System restoration
, should be vigorously pursued; HPCI should not be down for days,ifit can reasonably be repaired l in hours. If feasible, portions of the system should be tested during outages. In addition, HPCI unavailability can also be minimized by adequate root cause analysis and effective corrective action to avoid multiple system outages to address the same failure. Other, less frequent, contributors l include inadvertent or unnecessary removal from service and system isolations during calibration or surveillances.
6.3 HPCI Failure No. 3 - False Hich Steam Line Differential Pressure Isolation Sicnal The HPCI system is constantly monitored for leakage by sensing steam flow rate, steam pressure, area temperatures adjacent to HPCI steam lines and equipment, and high HPCI turbine exhaust pressure. If a leak is detected, the system responds with an alarm and an automatic HPCI isolation. The steam flow rate is monitored by two differential pressure switches located across two different elbows in the steam piping inside the primary containment. The flow measurement is derived by measuring differential pressure across the inside and outside radius of each elbow.
If a leak is detected, the system isolates the HPCI steam line and actuates a control room annunciator.
A summary of failures identified during the industry survey for this mode is provided in Appendix A-2. The expanded LER search for Hatch identified 16 LERs related to the steam line differential pressure instruments. Eleven LERs reported the flow switch setpoints outside the Technical Specification limits due to instrument setpoint drift. The setpoints were found higher than the Technical Specification limits and are not considered failures. Nine of the eleven events occurred at Unit 2 between 1980 and 1983. LER 81-121-366 stated that "An engineering study to find a means of preventing or reducing the frequency of recurrence has recommended a design change. Recommended corrective actions are being evaluated." LER 82-043-366 concerning the same issue states that " Design changes will be implemented as necessary." A review of Unit 1 and 2's design should be performed to ensure that this problem has been addressed.
Additionally, one LER reported that HPCI isolated on a high differential pressure (LER 80-108-321). The cause was unknown. During another event, HPCI isolated due to a failed differential pressure instrument which was caused by a loss ofinternal damping in the instrument's bellows (LER 81-048-321). Two other events involved failed switches, caused by an inoperable 6-6
micro-switch (LER 80-112-366)and a short to ground (LER 80-072-366). The remaining event involved a failure of the instrument to actuate given a stimulated high flow due to setpoint drift (LER 81-082-321).
6.4 HPCI Failure No. 4 - Turbine Steam Inlet Valve (F001) Fails to Open Motor operated valve E41-F001 is a normally closed, DC powered gate valve. This valve opens on automatic or manual initiation signal to admit reactor steam up to the turbine stop valve.
The expanded LER search for Hatch did not identify any additional events in this category.
6.5 HPCI Failure No. 5 - Pumo Discharce Valve (F006) Fails to Open Motor operated valve E41-F006 is a normally closed, DC powered gate valve that is automatically opened upon system initiation. The failure of this valve to open disables HPCI injection into the reactor vessel. There have been 8 pump discharge failures documented in the industry operating experience review, accounting for 5% of all system failures.
At Hatch, the expanded LER search identified five failures of the HPCI pump discharge valve to open. LERs 82-088-321,80-101-366, and 81-088-366 describe the failure of F006 to open during manual initiation or testing of HPCI. The reasons for the failures was failed motor windings due to its limited duty cycle and environment. A design change to replace the valve actuator with an environmentally qualified motor was reported in LER 82-088 321. Unit 2 is also now supplied with an environmentally qualified valve. Another failure was due to loose wire connections on the motor terminal block inside the valve operator (LER 83-17-366). The last event's failure cause was reported as " component failure" (LER 90-001-366). Additionally, there was an event where the valve opened but failed to close due to a steam leak causing the motor windings to short out (LER 80-79-366).
6.6 HPCI Failure No. 6-HPCI Systems Interactions Systems interactions refer to unrelated system failures that can disable HPCI. Although there is no associated PRA category, the industry operating experience review identified the following system interactions that disabled the HPCI system:
- 1. During a fire protection system surveillance test, approximately one gallon of water drained onto a battery motor control center (MCC) causing a circuit breaker overload trip and valve inoperability.
- 2. A cracked flow control valve test coupling sprayed water on a battery MCC and disabled a main steam line drain loss of power monitor. HPCI was disabled when the MCC was deenergized to inspect and dry the components.
- 3. An automatic sprinkler system in the HPCI room activated after a system test. The probable cause was vapor buildup from the leakoff drain system that activated on ionization detector.
6-7
- 4. Setpoint drift in a Fenwal temperature switch caused activation of a deluge system during a HPCI turbine overspeed test.
Additionally at Hatch, during RCIC pump surveillance, the RCIC valve F045 was operated and caused a spurious HPCI automatic isolation due to grounds found in the station battery (LER 80-066-366) and activation of the fire protection deluge system in the control room HVAC system caused the HPCI trip solenoid to energize and disable the system. Other systems were disabled as an analog trip system panel was effected by the moisture (LER 85-018-321).
6.7 HPCI Failure No. 7 - System Actuation Locic Fails i
Startup and operation of the HPCI system is automatically initiated upon detection of either l low reactor vessel water level (-47 inches decreasing) in the reactor vessel or high drywell pressure l (1.92 psig, increasing). The HPCI system can also be manually initiated from the control room.
Hatch reported one LER involving failure of system actuation logic since 1980. LER 92-003-366 i describes two failures of the low reactor vessel level transmitter due to an oil leak and due to i inadequate procedures that incorrectly specified the heat shrink size. )
6.8 HPCI Failure No. 8 - False Hich Area Temperature Isolation Sicnal l
The HPCI system is constantly monitored for leakage by sensing steam flow rate, steam pressure, and area temperatures adjacent to the steam line and equipment. If a leak is detected, ,
the system is automatically isolated and alarmed in the control room. This category accounted for j three industry HPCI failures (2% of all failures). One event involving false high area temperature isolation signal was reported by Hatch. The false signal was due to loose terminals on the terminal connection block of the temperature element. The terminals were tightened and the system was returned to service (LER 83-068-321).
6.9 HPCI Failure No. 9 - False low Suction Pressure Trins The purpose of the low pump suction pressure trip is to prevent damage to the HPCI pumps due to loss of suction. Pressure switch PS-N653 actuates to cause the turbine stop valve to close.
There have been two turbine trips attributed to false low suction pressure signals identified in the ,
industry survey. Hatch did not report any LERs involving false low suction pressure trips back through 1980.
6.10 HPCI Failure No.10 - False Hich Turbine Exhaust Pressure Sicnal The high turbine exhaust pressure signal is one of several protective turbine trip circuits that close the turbine stop valve and isolate the HPCI system (at 146 psig at Unit 1 and 150 psig at Unit 2). The high turbine exhaust pressure signalis generated by pressure switches PS-N656A and B, and is indicative of a turbine or a control system malfunction. The industry operating experience review found only one LER. Hatch reported three events related to a false high turbine exhaust pressure signal. One LER reported that HPCI tripped due to a shorted pressure micro-switch (LER 81-086-366). The other two LERs reported false alarms due to fouled pressure switch contacts (LER 82-058-366) and interference of a bourdon tube (LER 81-132-366).
6-8
6.11 HPCI Failure No.11 - Normally Open Turbine Exhaust Valve Fails Closed The failure of any of the turbine exhaust valves to open results in a turbine trip due to a valid high turbine exhaust pressure signal. Hatch did not report any LERs involving failure of normally open turbine exhaust valves to close back through 1980.
6.12 HPCI Failure No.12 - Condensate Storace Tank /rorus Switchover Lonic Fails In the standby mode, the HPCI pump suction is normally aligned to the condensate storage tank (CST). Upon a low CST level signal via level switch LS-N003, or a high torus l- ; signal via level switch LIS-N662B or D, the torus suction valves E41-F041 and F042 automatically open with subsequent closure of the CST suction valve F004. System operation continues with the HPCI booster pump suction from the torus.
This PRA-based HPCI failure mode has become less important due to changes in the BWR Emergency Procedure which generally advocate the continued use of water sources that are external to the containment. This avoids potential ECCS degradation due to high torus temperature (HPCI high lube oil temperature) while simultaneously increasing torus mass. The end result is that an HPCI pump suction transfer to the torus is no longer that desirable and the operator, especially in decay heat accident sequences, is likely to bypass the switchover logic to maintain the CST suction source, or to realign if a switchover to the pool has occurred. Therefore, the inspection focus should be on the continued viability of the CST as an injection source during an accident sequence.
There were no failures in this category reported at Hatch.
6.13 HPCI Failure No.13 - Torus Suction Line Valves (F041 and FD42) Fails to Onen At Hatch, there are two 250 VDC powered HPCI pump torus suction valves, F041 and F042, in series with a check valve and a normally open air-operated butterfly valve. The HPCI system is initially aligned to the condensate storage tank. The torus suction valves are opened and the CST suction valve is closed on a CST low water level or a high torus level signal. The importance of this failure mode has been diminished by the current emergency procedure guidelines which emphasize the continued use of outside injection sources. This requires operator action to bypass the HPCI torus switchover logic to prevent the opening of the torus suction valves F041 and F042. This is especially true for the decay heat removal (non-ATWS) sequence where it is likely that the CST makeup can be maintained.
At Hatch Unit 2, LERs80-089 and 109 reported the failure of a torus suction valve to operate during a surveillance. The valve motors had failed due to room high temperature and humidity, and for LER 80-109 the valve duty cycle was exceeded. LER 80 089 stated that a steam leak from a defective pressure seal on valve F009 caused the adverse environment. Both the seal and the motor were repaired. The licensee stated in LER 80-109 that a follow up investigation would be performed.
6-9
l 6.14 HPCI Failure No.14 - Minimum Flow Valve (F0121 Fails to Onen The minimum flow bypass line is provided for pump protection. The by;- v2!ve, E41-F012, automatically opens on a low fim signal of 605 gpm for Unit 1 and 500 gpm for Unit 2, ,
when the pump discharge pressure is greater than 125 psig. When the bypass is open, flow is directed to the torus. The valve automatically closes on a high flow signal. During an actual ;
~
system demand, the failure of the minimum flow valve to open is important only if the opening of the pump discharge valve (F006) is significantly delayed. In general, this combination of events is not probabilistically significant. With regard to system operation and testing in the minimum flow ,
i mode, the licensee response to Bulletin 88-04" should be reviewed to determine if the design of the minimum flow bypass line is adequate. Unless there is a design concern or a recurring problem with either component, inspection effort should be minimized in this area.
At Hatch one LER reported the failure of the minimum flow valve to operate after being closed with the control switch (LER 81-044-366). A failed HPCI pump discharge pressure switch was identified as the cause and the switch was replaced. Additionally, there were also three LERs which describe events were the minimum flow valve failed to close due to mechanical interlock binding and sticking flow switch contacts. The valve is set to automatically close on a signal of 870 gpm for Unit 1 and 800 gpm for Unit 2. Although these events are not included as failures to open, they are significant in that HPCI flow would be diverted to the torus instead of to the reactor.
6.15 Other Failures The industry Operating Experience Review did not identify any HPCI failures for the following ten PRA-based failure modes:
Normall:- Open Pump Discharge Valve (F007) Fails Closed or is Plugged Pump Discharge Check Valve (F005) Fails to Open CST Suction Line Check Valve (F019) Fails to Open
=
CST Suction Line Manual Valve (F010) Plugged Normally open CST Punsp Suction Valve (F004) fails closed or is plugged.
Torus Suction Line Check Valve (F045) Fails to Opeu l Normally Opn Steam Line Containment Isolation Valve (F002 or 003) Fails Closed Steam Line Drain Pot Malfunctions 1
Turbine Exhaust Line Vacuum Breaker (F102,103) Fails to Operate 1 Suction Strainer Pluged
)
6-10 I
l The PRA-based prioritization of HPCI failures correlates well with the actual industry failure experience. With the exception of the first failure mode listed above for the pump discharge valve (F007), all of the faults listed above have been designated as " low importance" in the PRA-based ranking of Section 4.
The expanded LER search for Hatch (1980-1992) did identify one failure associated with the steamline containment isolation valves. LER 80-090-366 reported that valve F003 failed to i
i l open due to the reactor pressure isolation setpoint being set too high. The licensee revised the l setpoint. '
6.16 Human Errors l An additional category of HPCI failure modes that was not specifically identified in the l prioritization of failures involved human errors. Two specific examples can occur during normal l operation:
Miscalibration oi HPCI sensors that can disable system actuation or result in l false system isolation signals; I -
Failure to reset the HPCI system for operation after testing or maintenance.
l At Hatch, the HPCI pump room cooler was found with its power circuit breaker in the off position (LER 83-82-321). Room cooling is required for extended HPCI operation. Personnel error was also responsible for a turbine low bearing oil pressure alarm. T... bearing oil supply valves were mispositioned (LER 83-093-321). Additionally, the HPCI pump did not deliver rated flow due to personnel error as reported in LER 88-017-321. The null voltage settings were incorrectly calibrated. As discussed in Section 6.2, a rag left in the oil sump during maintenance l caused a failure of the HPCI turbine. LER 89-002-366 reported that the steam line containment l isolation valve isolated due to personnel bumping a instrument panel. Another HPCI failure was l a result of personnel not verifying the correct replacement parts were issued (87-004-366). These j human errors can occer during normal operation and thus, are inspectable through the review of surveillance, calibration and maintenance practices and procedures.
6.17 Additional System Considerations The industry LER survey has identified several other HPCI system considerations that could impact the overall risk of a plant. These considerations are discussed in the following sub-j sections with any applicable Hatch experience.
t 6.17.1 LOCAs Outside Containment Unlike the HPCI component failure modes discussed previously, that involve the unavailability of the system, the HPCI system can be involved in potential LOCAs outside l containment (Section 3.5). The industry survey identified degradations of the steamline isolation 6,uction and pump suction line overpressurizations as potential causes. Identified isolation system moblems include:
6-11 i
i r
i
- a steamline differential pressure transmitter with a non-conservative setting; and
- an inboard containment isolation valve that failed to close.
Examples of pump suction overpressurizations include:
)
- a slow closing pump discharge check valve that caused a pressure surge after a turbine j trip; and
}
- water hammer caused by void collapse following system initiation after feedwater back leakage elevated the temperature in the pump discharge line.
At Hatch, the outboard steam line containment isolation valve failed to close due to mechanical binding in the MOV's close torque switch (LER 81-111-366). In general, the HPCI LOCA outside containment event is a small contributor to the total core damage potential. The examples presented above indicate possible areas for inspection to assure that this core damage potential remains low.
6.17.2 HPCI Support Systems The high pressure coolant injection system is dependent on the following systems for successful operation:
DC Power For system control (125 V DC) and valve movement (250 V DC).
Room Cooling For HPCI pump room cooling to support long term operations. This function requires service water (for cooling) and AC power for the fan motor.
IIPCI Actuation RPV level and primary containment pressure instrumentation for system initiation and shutdown.
Although the normally open torus suction valve F051 is an air operated valve, it will fail open on the loss of air. Valves F041 and 42 are available for isolation. Additionally, the inboard steam l isolation valve F002 and the vacuum breaker isolation valves F104 and F111 are AC powered. l However, these normally open valves are not required to change position for HPCI injection. i l
During the HPCI operational experience review the influence of support systems on HPCI l availability was apparent. The loss or degradation of the DC battery or bus that powers HPCI has i a straightforward effect. Besides the battery charger problems or fuse openings, the more unusual DC system problems included a battery degradation due to corrosion of the plates. The suspected l cause was a galvanic reaction due to plate weld metal impurities. Another concern is insufficient i voltage at the load during transients which could trip the station inverters or fail MOVs. This would be of particular concern during a loss of offsite power or a station blackout event.
6-12
The room cooling system is typically required to support long term HPCI operation. Besides the random failures that can occur at any time, there is one sequence specilic effect that should be examined. During station blackout, the AC-powered room cooling is lost when continued HPCI operation is critical. The licensee should have pump room and steam line temperature calculations or have other procedure provisions (bypass high temperature isolation or portable DC-powered fans) to assure long term HPCI operability.
The RPV level or high drywell pressure instrumentation is required for multiple ECCS systems including HPCI. The operating experience review did not have any pertinent examples of failures.
6.17.3 Simultaneous Unavailability of Multiple Systems Multiple system unavailability of certain functionally related systems is of concern because of the increased risk associated with continued operation. Although Technical Specification 3.0.3 tends to limit the risk exposure somewhat, the licensee should, to the exte-t possible, avoid planned multiple system outages.
Within the context of the accident sequences disc.nsed previously (Section 3), certain combinations of system unavailability result in a relatively large risk of core damage. For example, the HPCI industry operating experience review had nine LERs that documented simultaneous HPCI and RCIC unavailability. During this period, the probability of core damage is greatly increased for accident sequences that require HPCI and RCIC for mitigation. This would include all the sequences described in the Accident Sequence Description except "Unisolated LOCA Outside Containment." At Hatch, the expanded LER search identified nine LERs which reported the occurrence of HPCI and RCIC system unavailability. The unavailability of HPCI and an emergency diesel generator would have similar impact on plant risk.
6-13
! 1 1
- 7.
SUMMARY
This System Risk-Based Inspection Guide (System RIG) has been developed as an aid to HPCI system inspections at Hatch. The document presents a risk-based discussion of the HPCI role in accident mitigation and provides PRA-based HPCI failure modes. In addition, the System RIG uses historic industry operating experience, including illustrative examples, to augment the j basic PRA failure modes. The risk-based input and the operating experience have been combined i in Table 4-2 to develop a composite BWR HPCI failure ranking. This information can be used to j optimize NRC resources by allocating proactive inspection effort based on risk and industry l experience. In addition, an assessment of the Hatch operating experience related to the failures is summarized in Section 6, and provides potential insights both for routine inspections and the
" post mortem" conducted after significant failures. A comparison of the Hatch and industry-wide BWR HPCI failure distributions is also presented in Table 4-2. The two tables contained in the Appendices to this report, A-1 and A-2, contain detailed information on selected industry failures.
This should be used by the inspector to gain additional insights into a particular failure mode.
The Hatch operating experience review has identified the following component failure modes that have shown a higher percentage of occurrence:
- Lube oil supply faults Turbine control valve faults False high turbine exhaust pressure signal
- Flow controller failures Turbine overspeed and reset problems These components should be given additional attention during future routine and specialized inspection activities.
This report contains all the Hatch HPCI LERs from 1980 up to 1992. Subsequent LERs can be correlated with the PRA failure categories and used to update the plant specific HPCI failure contributions, and then compared with the more static industry BWR HPCI failure distribution.
The industry operating experience is developed from a variety of BWR plants and is expected to l exhibit less variance with time than a single plant. This failure information can be trended to l predict where additional inspection oversight is warranted as the plant matures. As the plant ;
matures, the incidence ofinadvertent HPCI isolations due to surveillance and calibration activities i is expected to decrease. Conversely, in time, aging related faults are expected to become a more significant contributor to the Hatch failure distribution. The review of industry operating experience has identified several aging related failures at Arnold, Cooper, and Brunswick, in addition to Hatch, generally in the pump and turbine electronics.
Recommendations are made throughout this document regarding the inspection activities for the HPCI system at Hatch. Some are of a generic nature, but some relate to specific maintenance, testing, or operational activities at Hatch.
7-1 L.
For example:
In addition, the training program should be periodically reviewed (Section 3.2).
- 2. The plant actions to monitor and control the temperature in the HPCI room should be reviewed and the effect of the loss of room cooling on continued HPCI operation should be evaluated (Sections 3.2 and 6.17.2).
- 3. Within the context of the use of HPCI in a ATWS or loss of decay heat removal events, the capability of the licensee to perform the necessary bypasses of the system logic should be evaluated periodically (Sections 3.4 and 6.12).
- 4. The turbine rupture disks should be installed with a structural backing to prevent cyclic fatigue !
failures (Sections 6.1.6 and Appendix A-1). I
- 5. The inspector should confirm that the licensee acknowledges the complexity of the turbine speed control (Section 6.1.1).
- 6. Ucensee responses to NRC Bulletin 88-04 should be reviewed to determine if the design of the minimum flow bypass line is adequate (Section 6.14).
- 7. The inspector should. monitor the time HPCI is removed from service for testing and maintenance activities (Sections 6.2 and 6.17.3).
i
- 8. The inspector should review the results ofleak testing the pump discharge valve (E41-F006)
(Section 3.5). ;
- 9. The Hatch auxiliary oil pump procedures should be reviewed to ensure they address the potential problem with system isolation (Section 6.1.10).
7-2
?
- 8. REFERENCES t
- 1. Brookhaven National 1.aboratory (BNL) Technical Letter Report, TLR-A-3874-T6a,
" Identification of Risk Important Systems Components and Human Actions for BWRs,"
August 1989.
- 2. Shoreham Nuclear Power Station Probabilistic Risk Assessment, Docket No. 50-322, long Island Lighting Co., June,1983. ,
- 3. NRC Case Study Report, AEOD/C502, "Overpressurization of Emergency Core Cooling Systems in Boiling Water Reactors," Peter Lam, September,1985.
- 4. Brookhaven National Laboratory (BNL) Technical Report A-3453-87-5 " Grand Gulf Nuclear Station Unit 1, PRA-Based System Inspection Plans " J. Usher, et al., September, 1987.
- 5. BNL Technical Report A-3453-87-2, " Limerick Generating Station, Unit 1, PRA-Based System Inspection Plans," A. Fresco, et al., May,1987.
- 6. BNL Technical Report A-3453-87-3, "Shoreham Nuclear Power Station, PRA-Based System Inspection Plans," A. Fresco, et al., May,1987.
- 7. BNL Technical Report A-3864-2," Peach Bottom Atomic Power Station, Unit 2, PRA-Based System Inspection Plan," J. Usher, et al., April,1988.
8 BNL Technical Report A-3872-T4, " Brunswick Steam Electric Plant, Unit 2, Risk-Based Inspection Guide," A. Fresco, et al., November,1989.
- 9. NUREG/CR 5051, " Detecting and Mitigating Battery Charger and Inverter Aging," W.E.
Gunther, et al., August,1988.
- 10. NRC Circular 80-07, " Problems with HPCI Turbine Oil System," April 3,1980.
- 11. NRC AEOD Report E402, " Water Hammer in BWR High Pressure Coolant Injection Systems," January,1984.
- 12. NRC AEOD Technical Review Report T906, " Broken Limiting Bearn Bolts in HPCI Terry Turbine," April 18,1989,
- 13. NRC Bulletin 88-04, " Potential Safety Related Pump loss," May 5,1988.
- 14. NRC Information Notice 82-26,"RCIC and HPCI Turbine Exhaust Check Valve Failures,"
July 22,1982.
- 15. GPCo HPCI System Operating Procedure 34SO-E41-001-2S, Revision 8.
- 16. GPCo HPCI Operations Training Program Student Text, LT-ST-00501-02, Revision 2.
8-1
- 17. Hatch Unit 2 HPCI P&lD H-26020, Revision 23 and H-26021, Revision 18.
- 18. Edwin I. Hatch Technical Specifications, Unit 1 and 2.
- 19. OE Service Information Letter, SIL No. 392, Revision 1, Improved HPCI Turbine Mechanical-Hydraulic Trip Design," November 28,1990.
l 1
I r 1
h L
i T
1 r
8-2 I
_ _ _ __i_
APPENDIX A-1
SUMMARY
OF INDUSTRY SURVEY OF HPCI OPERATING EXPERIENCE HPCI PUMP OR TURBINE FAILS TO START OR RUN i
A-1
Table A-1 HPCI Pump or Turbine Fails to Start - Industry Survey Results Failure Desc. Root Cause Corrective Measures Comments Inspection Guidance 1URillNE SPITD CON 1ROI FAUI,TS EGM control box malfunction Two similar failures attributed to aging EGM , o nted circuit boards will be Each of these EGM control box effects due to long term energization and replaced at eight year intervals. failures occurred at older plants gussibly elevated ambient temperatures. Additional IIPCI pump room cooling and appear to be aging related.
An EGM printed circuit board failed and added. ,
caused a false high steam flow signal.1he second failure involved the electronics in the control box chassis.
EGM control box had a ground. Two printed circuit boards replaced.
Miscalibration of null voltage settings. Recalibration of voltage settings.
Failed transistor in the EGM control box. Box replaced. Surveillance procedures being expanded to verify proper functioning of the output h
ta speed circuit.
Motor speed IIPCI failed auto initiation surveillance Error was not detected during a changer /EG-R because the electrical connections between previous test at 160 psig. Procedures actuator malfunctions. the governor and the control valve revised to functionally test the electrohydraulic servo were in error. governor control system during the low pressure surveillance testing.
Capacitor failure in motor gear unit. Replaced capacitor Failure may have been caused by Ambient temperatures in excessive IIPCI room equipment areas should be ternperature. verified with specifications. .
t Improper gaping and foreign accumulation Component replaced or serviced.
on contacts.
EG-R actuator grounded at pin connection Corrosion products removed.
due to the accumulation of corrosion products. There were three occurrences of this event that have been attributed to a design change in the actuator pin
<nnnections.
i
_ _ _ _ _ _ . _ _ _ _ _ . - _ _ _ - . _ _ _ . __ _ _ _ . _ _ _ _ _ _ _ _ _ _ _ _ _ _ * - , et __
Table A.1 (Cont'd) l Failure Desc. Root Cause Corrective hicasures Cnmments inspection Guidance Dropping resistor Resistor box design deficie.vspecial test Resistor box modified te ensure assembly problems, showed output voltage insufficient when EGht control box will receive input voltage at design minimum. required voltage under worst case conditions.
Resistor Failure Resistor component replaced Ramp generator / signal Slow IIPCI response time attributed Gain and time settings reset. Settings had not been modified converter box. incorrect turbine loop gain and ramp time based on power aswnsion test settings. program.
hiagnetic speed Cable damaged during IIPCI maintenance Cabic repaired.
pickup cable. preventing speed feedback to the speed controller.
Speed control loose control room panel terminatons. Repaired panel terminations.
I.UBE OIL SUPPLY FAUIJI3 h Auxiliary oil pump hiicroswitch within pressure switch fails. hiicroswitch replaced. 2 additional failures due to pressure switch fails. miscalibration, and one attributed to a piece of teflon tape that blocked sensing orifice of switch.
Loose hydraulic mntrol system pressure Component adjusted.
switch contacting arm.
Auxiliary oil pump Pump bearing failure degraded pump Pump replaced. Similar event-ptmp motor failure. performance / lower discharge pressure, bearing failure was possibly due bearing had been recently replaced- to daily use to supply oil to potential human error. turbine stopvalve.
Additional low Iluman error. All control valves Valves mrrectly positioned, handles Two similar events have occurred bearing oil pressure mispositioned. removed. Surveillance revised to at other plants.
occurren s. check oil pressure during turbine test.
Lube oil Paraffin in tube oil coated piston caused Piston cleaned. The process of periodically contamination. binding of hydraulic trip relay. sampling tube oil should be verified.
i
_____.____ __-__ _a
Table A-1 (Cont'd)
Failure Desc. Root Cause Corrective Measures Comments Inspection Guidance TURillNE OVERSPEED AND AtJIU RESirr PROlllEM S Electrical termination Inne electrical termination on solenoid Wiring to the solenoids will be 'Ihe corrective action for a failures valve coil disabled the re note reset restrained to reduce strain on the similar earlier event apparently function. Failure attributed to normal terminations. did not address the root cause of IIPCI vibration. the failure.
Overspeed trip device Overspeed trip device tappet assembly Tappet remachined. Similar occurrence at another tapped binding. head was binding in valve body. plant.
Polyurethane tappet, previously machined per GE guidance, had experienced additional growth.
lawe hydraulic control system pressure Repaired contactor arm. None.
> switch contactor arm.
b Drain port blocked. Erratic stop valve operation. Illocked drain Drain port cleared. Additional information on port in overspeed trip and auto reset turbine overspeed trips is piston assembly caused trip mechanism to provided in NRC Information cycle between tripped and normal Notice 86-14 and 86-14, Supp.1.
positions.
INVERTER TitifS OR Fall.URES Inverter tripped and could not be reset Replaced inverter, due to a failed diode. See Ref.16 for effects of inverter aging and preventative measures.
Inverter failed due to the failure of an Replaced inverter. A similar event involving a internal capacitor, ruptured capacitor occurred at another plant.
Internal c!cctronic Inverter overheating due to a failed Repaired or replaced cooling fan.
faults integral cooling fan.
Inverter failure due to blown fuse. Replaced fuse.
Table A 1 (Cont'd)
Root Cause Corrective Measures Comments Inspection Guidance Failure Dese.
Internal electronic Inverter trip due to high voltage setpoint Equalize voltage was reduced faults (cont'd) drift. allowing inverter to reset.
'IURBINE STUP VAINE FAILURES Control oil leaks. Oilleak developed at pilot valve Flange bolts torqued. Similar event at another plant.
assembly / hydraulic cylinder flange bolts were loose.
Pilot oil trip solenoid Valve stuck open due to disintegration of Yalve's expendable parts now valve. diaphragm that caused valve plunger to scheduled for replacement at every stick above the seat. third refueling outage.
Valve would not open due to excessive Piston rings were fabricated from Further discussion in IE Circular leakage of piston rings in hydraulic resin impregnated leather. Vendor 80-07.
cyiinder actuator. remmmended replacement every five years. Potential aging concern.
Sin;ilar failure occurred involving Overstress and ultimate
> Mechanical valve Valve and actuator stems separated at split Balance chamber adjustment was performed in 1985 per GE SIL 352. a loose valve gosition sensor fracture will usually occur
& failures. coupling. Balance chamber adjustment bracket that caught on actuator at the undercut on the drift believed to have caused increased Adjustment will be checked quarterly momentum and disk overtravet. for a minimum of 3 quarters. housing when the valve opened, coupling threads due to
'Ihe valve failed in the open reducing cross section.
position. Incipient stem failure may be indicated by circumferential cracks in threaded stem area.
TURHINE l'XilAU5T RUPTURE DISK Cyclic fatigue. Inner rupture disk failed due to cyclie Both disks replaced with an Improved design appears to AEOD Report E402 fatigue (alternating pressure and vacuum improved design that has a structural climinate the cyclic fatigue presides additional within the exhaust line). Vacuum occurs backing to prevent ficxing during failure mode. cramples of turbine during mid quick starts with cold piping. exhaust line vacuum conditions. exhaust rupture disk failures.
Water hammer Exhaust diaphragm ruptured by water Blocked line cleared; rupture disk A similar event has occurred at induced disk rupture. carryover from exhaust line drain pot due reglaced. another plant. Duration and to a blocked drain line. frequency of exhaust line blowdown increased.
Table A-1 (Cont'd)
Failure Desc. Ront Cause Corrective Measures Comments Inspection Guidance FI OW CONIKOI I FR FAILURIL5 Failures appear to be aging Ambient conditions in Failure to :nntrol in Defective amplifier card and solder joint Repairs performed. related, yet it appears some areas containing this automatic, attributed to aging. licensees do not intend to equipment should be periodically replace sensitive verified against equipment or otherwise address specifications.
the root cause of these failures.
Dropping resistor failed in the instrument Re.Ators R26, R24. and rener diode amplifier circuitry due to normal heat of C24 ah .ppeared to be affected by operation. ambient temperatures and were replaced.
Intermittent operation ofinternal switch The slight oxidized contacts were contacts did not alkvw the controller to cleaned and lubricated. In the kmg read the flow setpoint in auto. term, permanent jumpers will be installed to bypass the switches.
D Gear train failure. Loose fastener caused intermediate gear to Proadures will be revised to require unmesh which prevented adjustment of the a periodic check of the gear train controller setting. and fasteners.
Miscalibration Flow controller indicated a llow of 400 Controller recalibrated.
gpm when system not in operation. Fadure attributed to miscalibration.
TURDIN1?
COVIROL VAINE FAULD Control oil leal Oil supply line nipple leaking because Nipple repaired; plant personnel plant personnel stepped on line to gain informed of failure cause.
access to control vahr.
'Ihrottle valve lifting Six of the eight liftin5 beam bolts failed licensee to change thread lubricant; Per ALOD Report TW6, beam botting failure. due to stress corrosion cracking of non. metal bearing petroleum jelly improper heat treatment and the improperly heat treated boite. 'Ihe recommended, use of a copper based anti.
remaining two bolts were cracked. seizure compound were major contributors to this failure.
{
l Tame A.1 (Cont'd)
Failure Desc. Root Cause Corrective Measures Comments Inspection Guidance LOSS OF I UBE OIL PCV_I:035 had an incorrect diaphragm Formation of a procurement Additional IER reported a COOIJNO installed due to inadequate controls to engineering group. diaphragm failure resulting in a 5 update plant information with industry gpm leak. No cause stated. ,
PCV-F035 failures. experience.
MISCEIJ ANFOUS Used auxiliary oil pump to flush oil A modification was proposed to "Ihe periodic use of the auxiliary Operating procedures through the governor to clear a ground. climinate ramp generator initiation oil pump is a common practice should be reviewed to l Subsequently, system isolated on startup on autiliary oil pump startup, unless that can disable the IIPCI ensure that cauti<ms because the oil pump causes the stop and a valid initiation signal is present. syste m. identify llPCI system control valves to go full open. inoperability when the auxiliary oil pump is running.
r i
de 4
1 f
i L
- n. , , ,, , s , u e
E
\
(
I l
-)
l APPENDIX A-2 ,
1 SELECTED EXAMPLES OF ADDITIONAL HPCI FAILURE l
MODES IDENTIFIED DURING INDUSTRY SURVEY i t
i t
A-9
Table A-2 Summary of Illustrative Examples of Additional HPCI Failure Modes Failure Detc. Root Cause Corrective Measures Comments Inspection Guidance llPCI Failure 3 - Differential pressure transmitter failed due Amplifier card mnnection was Rosemont Transmitter NRC Information Notice False Iligh Steamline to inadequate connection of amplifier secured. 82-16 provides additional Differential Pressure condition card was either inwrrectly information on steamline Isolation Signal seated during installation or worked loose. pressure measurement. !
Miscalibration and a stuck pressure Wrong convers% value caused Rosemont Transmitter indicator disabled both divisions of high miscalibration and was corrected.
.iP transmitters.
Transmitter operating outside tolerances Recahbrated transmitter Conservatively narrow instrument j due to incorrect setpoint adjustment tolerances were used during the ,
setpoint adjustment. De instrument was a Rosemount Transmitter.
Setpoint drift cause spurious system Setpoint was adjusted. Harton transmitter increased calibration isolations frequency may be necessary.
Setpoint draft caused by moisture intrusion Unknown Barton transmitter.
h w
through the dial rod shaft seat IIPCI Failure 4 - Mechanic 4' thermal binding of disk due to Interim corrective action was drilling his failure was attributed to hrbine Steam inlet inadequate clearances. a hoke in the valve disk. Double procedural and training Valve [F001] fails to disks were to be installed during a inadequacies.
open failure refueling outage as a long term solution Hermal binding of disk Replaced motor gears and installed He thermal binding can occur A four hour system larger power supp!y cable to motor. for ~2 hours after system is warmup may be required '
returned to service following a by pro dures to cooldown. circumvent this problem.
Motor failure Surge protection added to shunt coil Motor failure caused by high of DC motor mntrol circuitry. voltage transient in shunt coil that occurred when supply breaker opened.
Motor failure. Valve repaired and torque switch Motor windings failed due when Other safety related MOVs adjustment screws were correctly torque setting out of adjustment were also affected.
torqued. due to loose torque switch Procedures were revised adjustment screws. and torque switch limiter plates were installed.
_ _ - - - _ . _ - ___m. _--_.__-m______.--_ _ 1 w e- r _.__ _ _ _ _ _ _ _
Table A-2 (Cont'd)
Failure Desc. Root Cause Corrective Measures Canme nts Inspection Guidance llPCI Failure 4 - Vaht motor failure due to incorrect steam Valve motor was replaced.
(cont'd) lubrication licensee review determined that valve Removed step starting resistors. Other DC MOVs were also INPO SER-25-88 and might not open due to insufficient torque. evaluated. NRC Information Notice 88-72 provide further guidance.
IIPCI Failure 5 - Mispositioned auxiliary contacts in starting Replaced contacts.
Pump Discharge time delay relay for valve motor.
Vaht [F006] Fails to Failure attributed to heat related Open Valve motor failure Valve motor replaced.
breakdown of vahe motor internals.
IJcensee review determined that vaht may Step starting resistors had not been Potential problem may affect INPO SER 25-88 and have insufficient torque to open_ considered in the torque analyses other DC MOVs NRC Information Notice and were removed. provide additional guidance.
U IIPCI Failure 7 - Fuse failure due to electrical grounding. Fuse replaced and ground corrected.
System Actuation irgic Fails System failed to actuate due to inadequate Design modified. Further discussion in AEOD seal in time. Report E407.
IIPCI Failure 8 - Failed power supply resistor. Resistor replaced.
False liigh Area Temperature Isolation Failed temperature monitoring module. Module replaced. New mcalet replacement considered.
Signal Design error. Minimum intake setpoint temperature was increased.
IIPCI Failure 9 - Pressure switch isolation valve None. Isolated pressure switch actuated False low Suction inadvertently closed. due to changing environmental Pressure Trip (nnditions.
IIPCI Failure 10- Corrosion of pressure switch seals. Pressure switch replaced. Seal corrosion alkwved moisture False Iligh Thrbine into casing and shorted wiring.
Exhaust Pressure Signal ;
u ___ _
Table A-2 (Cont'd)
Failure Desc. Root Cause Corrective Measures Comments Inspection Guidance IIPCI Failure 11 - Bhaust line swing check valve failure Check valve replaced. Failure of check valve was Referenas [21] and [22]
Normally Open blocked MOV attributed to overstressed cycling provide further Tbrbine Bhaust due to high exhaust pressure. information.
Valve Fails Closed IIPCI Failure 12 - Irvel switches out of calibration Switches replaced. Accumulation of foreign material CST! Suppression Pool on float caused failure.
Iogic Fails llPCI Failure 13 - Motor failure. Winding insulation Replaced motor. Voltage surge Ifigh voltage transients occurred Suppression Pool degraded due to high voltage transients. protection added to circuitry as supply breaker was opened.
Suction Une Valves Fail to Open Torque switch out of adjustment. Recalibrated.
Umit switch out of adjustment. Replaced limit switch.
Valve stem separated from disk. Valve repaired. 'Ihree bolts failed due to tensile lhese valves were overload. Other similar valves manufactured by were inspected. Associated Control y Equipment, Inc.
L W IIPCI Failure 14 - Valve inoperable due to damaged motor Switch replaced. Damage resulted from overtravel Design changes may be Minimum Flow Valve starter disconnect switch. of operating handle due to poor required as a result of this Fails to Open design, failure.
i
[
1 DISTRIBUTION No. of Copies No. of Copies OFFSITE l U.S. Nuclear Regulatory 2 B. Gore j Commission Pacific Northwest Lab.
l Richland, WA 99352
- A. El Bassoni OWFN 10 E4 ONSITE l
l W. D. Beckner 6 Brookhaven National Lab.
OWFN 10 E4 W. Gunther K. Campe R. Hall OWFN 10 E4 J. Higgins J. Taylor i 10 J.Chung A. DiBiasio
} OWFN 10 E4 l
l F. Congel Technical Publishing OWFN 10 E4 Nuclear Safety Ubrary l
l B. K. Grimes 2 J. Bickel )
P.O. Box 1625 Idaho Falls,ID 83415 J. N. Hannon l OWFN 13 E21 A. Hsia OWFN 13 D1 E. V. Imbro OWFN 9 A1 2 H. E. Polk OWFN 12 H26 4 Hatch Nuclear Power Station Resident inspector 4 U.S. Nuc! car Regulatory Commission - Region II Regional Administrator
NHC F OHM 33S U S NUCLE AH HL GUL ATOHY COMMISSION 1. HL POR1 NUMBL H fa% ,,a !^JL"17f,",E,d."h,'"T*'
nwar BIBLIOGRAPHIC DATA SHEET isa osuructwns on u o ,e rc.me, NUREGlCR-6014 2 m L L AND SU LW T L L NL-NUREG- 523 6 7 High Pressure Coolant Injection System Risk-Based Inspection Guide for Hatch Nuclear Power Station 3 DATE REeoHT PustisstD ucw u.s l
May 1993
- 4. F IN OP GR AN T #dOMBE H A'M 7 5
'a. AUTHOH(S) 6. TYPE of REPORT A. M. DiBiasio
- 1. PL R l00 COV E R E D toncswswo Dores)
R
- 6. n,,e PE RF o.e.MaNG,oRG uno aa,~ o ANiZ ATlON - N AME ANO ADDR ESS tar Nac, proroor Dwasen. Oor.co or Neeson. v.s Nucsear Reeaterary Commmen, andmanhns acwess. is consrector prov Brookhaven National Laboratory !
Upton, NY 11973 i
l
- 9. SPoWS,oRINLi e ,,o .oem ORG s ANIZATioN - N AME AND ADDRESS fit Nac, tree *3saw as see.e";et coarrerror, provide NAC Dwema. Ortue or Aeyme, ui Nucerer aeposetory Commmma Division of Systems Safety and Analysis Office of Nuclear Reactor Regulation U.S. Nuclear Regulatory Commission Washington, DC 20555 1
- 10. SUPPLEMENTARY NOTES
- 11. ABST R ACT (2co worm er arsss A review of the operating experience for the High Pressure Coolant Injection (HPCI) system at the Hatch Nuclear Power Station, Units 1 and 2, is described in this report. l The information for this review was obtained from Hatch Licensee Event Reports (LERs) ,
that were generated between 1980 and 1992. These LERs have been categorized into 1 23 failure modes that have been prioritized based on probabilistic risk assessment
( considerations. In addition, the results of the Hatch operating experience review have been compared with the results of a similar, industry wide operating experience review. This comparison provides an indication of areas in the Hatch HPCI system that should be given increased attention in the prioritization of inspection resources.
l
~
- 12. %E Y WOHDS/DESCH:PT OH 5 Itar woeur orpareses rae: wits amst researraen = tocarm, rae repurr.J R AV AAB81 V bl *l t"E N1 unlimited BWR Type Reactors-Reactor Components, BWR Type Reactors-Reactor ,,atcuRm coaswicAtic,rd j Safety, Reactor High Pressure Conlant Injection, High Pressure ,,,,,,,,,,,,
Coolant Injection-Risk Assessment, Reactor-Risk Assessment, unclessified Reactor Cooling Systems, Reactor Accidents, High Pressure Coolant ,7,,. , ,o Injection Failures.
unclassified
- 15. NUMBER OF PAGES
- 16. PRICE NRC FORM 335 (2491
Printed on recycled paper Federal Recycling Program
~ NUREGICR-6014 IIKGill EmnAUbimEbfA11aT1thTEPECTITTN MAY 1993 GUIDE FOR IIATCll NUCl. EAR l'OWER STATION UNITED STATES FIRST CLASS Mall NUCLEAR REGULATORY COMMISSION POSTAGE AND FEES PAID WASHINGTON, D.C. 20555-0001 USNRC PERMIT NO. G-67 OFFICIAL BUSINESS PENALTY FOR PRIVATE USE, S300 1
120555139531 1 1ANIRG US NRC-0ADM PIV FOIA R PUBLICATIONS SVCS TPS-PDP-NUREG
- -211 WASHINGTON DC 90555 l
I l
i,
- _ _ _ _ _ _ _ . _ _ _ . _ _ _