ML20059C203
| ML20059C203 | |
| Person / Time | |
|---|---|
| Site: | Browns Ferry  |
| Issue date: | 09/30/1993 |
| From: | Dibiasio A, Gunther W, Wong S BROOKHAVEN NATIONAL LABORATORY |
| To: | Office of Nuclear Reactor Regulation |
| References | |
| CON-FIN-A-3875 BNL-NUREG-52370, NUREG-CR-6022, NUDOCS 9311010051 | |
| Download: ML20059C203 (80) | |
Text
,
NUREG/CR-6022 BNL-NUREG-52370 High Pressure Coolant Injec~ ion (HPCI) Systern Ris:eBasec Inspec~ ion Guic e For Browns Ferry Nuc~ ear Power Station .
t Prepared by S. Wong A. Dilliasio, W. Gunther llrookhaven National I.aboratory i
l'repared for U.S. Nuclear Regulatory Conunission ggPo!888A Es83r
. .. __ .-- . .. - . _ . - ~. -_ .-- _ . - . . . . --..
l l l l AVAlULBil.lTY NOTICE Avastabelity of Reference Matenals Cited in NRC Publications
~
Most documents cited in NRC publications will be available from one of the following sources
- 1. The NRC Public Document Room, 2120 L Street, NW, Lower Level, Washington, DC 20555-0001 !
- 2. The Superinter. dent of Documents, U.S. Government Printing Office, Mall Stop SSOP, Washington, DC 20402-9328
- 3. The National Technical Information Service, Springfield, VA 22161 Although the listing that follows represents the majority of documents cited in NRC pubacations, it is not intended to be exhaustive, i Referenced documents available for inspection and copying for a fee from the NRC Public Document Room include NRC correspondence and internal NRC memoranda; NRC Office of Inspection and Enforcement bulletins, circulars, information notices, inspection and investigation notices; Licensee Event Reports; ven-dor reports and correspondence: Commission papers; ano applicant and licensee documents and corre-spondence.
The following documents in the NUREG series are available for purchase from the GPO Sales Program: formal NRC staff and contractor reports, NRC-sponsored conference proceedings, and NRC booklets and
- brochures. Also available are Regulatory Guides, NRC regulations in the Code of Federal Reputations, and Nuclear Regulatory Commission issuances. '
Documents available from the Nat!onal Technical Information Service include NUREG series reports and technical reports prepared by other federal agencies and reports prepared by the Atomic Energy Commis-sion, forerunner agency to the Nuclear Regulatory Commission. Documents available from public and special technical libraries include all open literature items, such as books, }ournal and periodical articles, and transactions. Federal Register notices, federal and state legista-tion, and congressional reports can usually be obtained from these libraries, Documents such as theses, dissertations, forelgn reports and translations, and non-NRC conference pro-caedings are available for purchase from the organt2ation sponsoring the publication cited. Single copies of NRC draft reports are available free, to the extent of supply, upon written request to the - Office of information Resources Management, Distribution Section, U.S. Nuclear Regulatory Commission, Washington, DC 20555-0001. , Copies of industry codes and standards used in a substantive manner in the NRC regulatory process are maintained at the NRC Library,7920 Norfolk Avenue, Bethesda, Maryland, and are available there for refer-ence use by the public. Codes and standards are usualty copyrighted and may be purchased from the a , originating organization or, if they are American National Standards, from the American National Standards institute,1430 Broadway, New York, NY 10018. DISCLAIMER NOTICE This report was prepared as an account of work sponsored by an agency of the United States Government, Neither the United States Governrnent nor any agency thereof, or any of their employees, makes any warranty, expresed or imphed, or assumes any legal liability of responsibility for any third party's use, or the results of , such use, of any information, apparatus, product or process disclosed in this report, or represents that its use by such third party would not infringe privately owned r ghts.
-- w . ,
l NUREG/CR-6022 BNL-NUREG-52370 1 High Pressure Coolant Injection (HPCI) System Risk-Based Inspection Guide For Browns Ferry N~uclear Power Station Manuscript Completed: August 1993 Date Published: September 1993 Prepared by S. Wong, A. DiBiasio, W. 00' ther J. Chung. NRC Project Manager l I i ! Hrookhaven National Laboratory l Upton, NY 11973 l i Prepared for i Division of Systems Safety and Analysis Office of Nuclear Reactor Regulation U.S. Nuclear Regulatory Commission Washington, DC 20555-0001 NRC FIN A3875
i ABSTRACT
. The High Pressure Coolant injection (HPCI) system has been examined from a risk perspective. A System Risk-Based Inspection Guide (S-RIG) has been developed as an aid to HPCI system inspections at the Browns Ferry Nuclear Power Plant, Units 1,2 and 3. The role of the HPCI system in mitigating accidents is discussed in this S-RIG, along with insights on identified risk-based failure modes which could prevent proper operation of the system.
The S-RIG provides a review ofindustry-wide operating experience, including plant-specific illustrative exampics to augment the PRA and operational considerations in identifying a catalogue. of basic PRA failure modes for the HPCI system. It is designed to be used as a reference for routine inspections, self-initiated safety system functional inspections (SSFis), and the evaluation of risk significance of component failures at the nuclear power plant. 2 b 5 i I k 1 4 e e t
+
l 1 iik
l CONTENTS ! Pace j i ABSTRACT . ......... .... .... .... . . ... ......... .... iii , EXECUTIVE
SUMMARY
. . . . . ............. .... ..... ........ vii .
ACKNOWLEDGMENTS . . . . . . . ....... . ..... ............... ix- ;
- 1. INTRODUCTION . . . .. .. .... .. . ...... .... ..... 1-1 1.1 Background . ........ ... . .. ... .............. 1-1 3 1.2 Purpose ........................ ....... ........... 1-1 j 1.3 ' Application to Inspections . . .. . . .. ...... . .. .. 1-1
- 2. IIPCI SYSTEM DESCRIPTION . .... . . . ........... .2-1
- 3. ACCIDENT SEQUENCE DISCUSSION . . . . . . . . . . . . . .. .... .. '3-1 3.1 Loss of High Pressure Injection and Failure to Depressurize . . .. 3-1 .;
3.2 Station Blackout (SBO) With Intermediate Term Failure ! of High Pressure Injection ... . .. . .. ..... . .... 3-2. 3.3 Station Blackout with Short Term Failure of High Pressure t Injection . .. ........ . . . ....... . ..... . .. . ... 33 3.4 ATWS With Failure of RPV Water Level Control at High
- Pressure . .. .... . .. . ..... .. .... . . 3-3 ,
3.5 Unisolated LOCA Outside Containment . .. .... ... .... 3-4 ' 3.6 Overall Assessment of HPCI Importance in the Prevention of Core Damage . . .. . .. . . . . . . .. . 3-5
- 4. PRA-BASED HPCI FAILURE MODES . . . .. . . .. . . ... 4-1 i
- 5. HPCI SYSTEM WALKDOWN CHECKLIST BY RISK IMPORTANCE 5-1 i
- 6. OPERATING EXPERIENCE REVIEW . .... .. ... ..... . 6-1 6.I HPCI System Failure Modes . . ... .. ....... 6-2 6.2 Site Visit Observations . . ..... ..... . . .. ... 6-15 '
6.3 Contribution of Human Errors to System Unavailability . 6-16 ! 6.4 Additional System Considerations . .. . . . ...... . 6-18 ,
.i l
- 7.
SUMMARY
, .. .... . . . . . .. . . .... . 7-1 ;
- 8. REFERENCES . . . ... . . . .... ...... .. 8-1 l
, APPENDICES ! A-I
SUMMARY
OF INDUSTRY SURVEY OF HPCI OPERATING EXPERIENCE HPCI PUMP OR TURBINE FAILS TO START OR RUN . . ...... A-1 ' . a A-2 SELECTED EXAMPLES OF ADDITIONAL HPCI FAILURE MODES IDENTIFIED DURING IND'USTRY SURVEY . . .. ... ...... A-9 , t [ v i i i i
l FIGURES Figure No. Pace 2-1 Simplified IIPCI System Flow Diagram ... ................... . 2-2 i TABLES a I Table No. Pace ) 1 4-1 Summary of PRA-Based Failure Modes for the IIPCI System 4-3 i 4-2 Browns Ferry Nuclear Plant HPCI System LER Survey Compared :l with Industry Experience . . . . ... . .......... .. . . 4-4
]
5-1 Browns Ferry Plant HPCI System Walkdown Checklist . . . ....... .. _5 2 - 6-1 HPCI System Failure Summary . . .. ..... . ... . . ... 6-1 6-2 HPCI Pump or Turbine Fails to Start or Run - Failure Subcategories . .. . . . . ...., ...... . ... 6-3 A-2 A-1 IIPCI Pump or Turbine Fails to Start -Industry Survey Results . . . . . . . . A-2 Summary of Illustrative Examples of Additional liPCI Failure Modes . ..... ... ................... ............. A 11
.i
-l l
i vi
EXECUTIVE
SUMMARY
This System Risk-Based Inspection Guide has been developed as an aid to HPCI system inspections at the Browns Ferry Nuclear (BFN) Plant. The document presents a risk-based I discussion of the role of the HPCI system in accident mitigation and provides a catalogue of PRA-based HPCI system failure modes (Sections 3 and 4). Most PRA oriented inspection plans contain these prerequisite information; however, the inspector (s) has to rely on his experience and knowledge of plant-specific and BWR plant operating histories to accomplish the inspection objec:ives. Thus, this system RIG integrates insights from industry-wide experience with PRA and other operational considerations to augment the catalogue of basic PRA-derived failure modes for use by the inspector (s). Risk-based input and insights from the operating experience database have been combined to develop a set of composite rankings of failure modes for the HPCI system. Table 4-2 shows the ranking of these HPCI system failure modes. This information can be used to optimize NRC resources by properly allocating proacove inspection efforts based on risk considerations and industry experience. In this regard, the more important or unusual component faults in the HPCI system are reflected in the system walkdown checklist presented in Section 5. Along with the assessment of the operating experience discussed in Section 6, this checklist provides guidance on - potential areas of NRC oversight both for routine inspections and the " post mortems" conducted after the occurrence of significant failures. Appendices A-1 and A-2 provide detailed information on selected failure events that were observed in the industry-wide operating experience. This information can also be utilized by the inspector (s) to have further insights on a particular component failure mode and provide the rationale for inspection emphasis. ' A comparison of the distribution of HPCI system failure events between the BFN plant and industry-wide BWR operating experience is presented in Table 4-2. Although the plant specific operating experience data are limited (because the BFN plant units were in cold shutdown for , about half of the evaluation period), the plant specitic LER frequency for some HPCI system failure modes was higher than that obsersed in the industry-wide survey results. These component > failures are candidates for greater attention in the inspection efforts and thus, the generic prioritization of plant components for inspection focus should be adjusted accordingly to reflect the observed distribution of failures. Because the distribution of plant specific component failures in the HPCI system is expected to vary in time (e.g., modifications may reduce or eliminate a number ! of chronic problems), the generic ranking of HPCI system failure modes developed in this report has not been revised to reflect the presently available BFN plant LER database. As the BFN plant matures in its operating lifetime, the knowledge feedback of operational l experience is assimilated by the utility's staff and reflected in the plant procedures. Therefore, the
- incidence of failure events such as inadvertent HPCI system isolations during the performance of .
surveillance and calibration activities is expected to decrease because ofimproved knowledge of the j system operations. However, component failures due to aging-related causes are expected to ! become a significant contributor to the frequency of BFN plant HPCI system failures. Review of ! industry-wide operating experience has identified several HPCI system failure events due to component aging problems in the pump and turbine control equipment at a few older BWR plants (e.g., Duane Arnold, Hatch, Cooper, and Brunswick) including the Browns Ferry nuclear plant. It i i I-vii p - - , - . - .y -- s-yy,r-
is noted that there is a concerted effort at the BFN plant to upgrade the HPCI system control equipment that would preclude the effects of component obsolescence, improve system reliability and thus, enhance HPCI system availability. Review of the BFN plant operational experience in this report included all HPCI system - related LERs generated from 1980 to mid 1992. Subsequently issued LERs can be correlated with the PRA-derived failure categories, and then used to update the distribution of plant specific HPCI system failures. A comparison of this updated database with the more static failure distribution of j HPCI failure events for the entire population of BWR plants can provide insights on ecrtain trends of recurrent problems that warrant additional inspection oversight as the plant ages. Recommendations have been made throughout this document regarding the emphasis or focus ofinspection activities for the HPCI system at the BFN plant. Some of these suggestions are : generic in nature, but some recommendations related to specific maintenance, testing. or l operational activities conducted at the BFN plant are made to assure that a highly reliable operation of the HPCI system is maintained. These recommendations could also be useful to the licensee in planning and conducting self-initiated safety system functional inspections (SSFIs) on l various safety systems including the HPCI system to ensure functional adequacy and operational l readiness of a plant system. Some of the specific recommendations for greater attention in future l inspections are: l
- 1. The inspector (s) should examine the surveillance and maintenance programs for the emergency diesel generators and the plant procedures for the recovery of either the 500 kV l or 161 kV offsite power supply during a loss of offsite power event. In addition, the training l program should be periodically reviewed to assure a continued awareness of temporary j connections, various contingency measures, and procedures for successful DC load shedding l required to cope with SBO-type conditions. [Page 3-2]
- 2. The plant licensee actions to monitor and control the temperature conditions in the HPCI toom should be reviewed and the effects ofloss of room cooling on long term operation of the HPCI system should be evaluated. It is noted that there are no room coolers in the BFN plant HPCI room. [Pages 3-3 and 6-19]
- 3. Within the context of using the HPCI system in an ATWS event, the capability of the licensee to perform the necessary bypasses of the system trip logic should be evaluated periodically. [Page 3-4]
- 4. The turbine exhaust rupture disks should be installed with a structural backing to prevent cyclic fatigue failures. [Page 6-7]
- 5. The inspector (s) should confirm that there is adequate oversight on the modifications, operations, maintenance and surveillances of the turbine speed control subsystem to ensure functional adequacy of the overall system. [Page 6-4]
- 6. Licensee responses to NRC Bulletin 88-04 should be reviewed to assess the adequacy of the design of the minimum flow bypass line. [Page 6-14]
viii l
. ~ _ _ _ _ .-. _ _ - _ __ . ~ - _ . , . . _ , ,
. ACKNOWLEDGMENTS The authors express their sincere appreciation to the NRC Program Manager for this project, Dr. J.W. Chung, for his technical direction, and to the NRC Licensing Project Manager, Mr. Thierry M. Ross, and NRC Resident Inspector at the BFN plant, Mr. R. Musser, for their assistance at the site visit.
We are also thankful to Mr. M. Morrison of TVA Licensing and his staff at the BFN plant for the voluntary participation in discussions and providing valuable comments on this report. Finally, we wish to thank Ann Fort for her help in the preparation of this manuscript. ix
]
i i
- 1. INTRODUCTION 1.1 Backcround Probabilistic risk assessment (PRA) is a comprehensive, integrated analysis of the diverse l '
aspects of design, operation, and maintenance of a plant to provide a snapshot of risks. A l probabilistic risk analysis may reveal the features of the plant design that merit further attention and thus, provide a focus for improving safety. In a study sponsored by the U.S. Nuclear Regulatory Cr,cmission Brookhaven National Laboratory (BNL) has developed and applied a methodology it providing plant specific risk-based inspection guidance for the High Pressure Coolant Injection (HPCI) system in boiling water reactor (BWR) plants that do not have a PRA , study. This methodology uses insights from existing PRA studies and plant-specific operating experience for consideration in inspection planning at the nuclear power plant selected for study. ; 1.2 Purnose This HPCI System Risk-Based Inspection Guide (S-RIG) has been developed as an aid to ! NRC inspection activities at the Browns Ferry Nuclear Power Station. The High Pressure Coolant Injection (HPCI) system has been examined from a risk perspective. Common BWR accident sequences that involve the HPCI system are described in Section 3 to provide a review of the , system's accident mitigation function and to identify system unavailability combinations that can greatly increase risk exposure. Section 4 provides the description and prioritization of the PRA-based HPCI system failure modes for inspection purposes. In Section 5, risk significant failure modes are identified in a system walkdown guide for inspection emphasis. Results of a BWR operating experience review are presented in Section 6 along with additional information in related areas such as HPCI support systems, human errors, and system interactions that affect the availability of the HPCI system. A summary of insights from the Browns Ferry plant operating experience review is provided in Section 7. 1.3 Application to hanections This inspection guide can be used as a reference for routine inspections and for identifying the significance of component failures that occur at the Browns Ferry Nuclear Power Plant. The ' information presented in Sections 4 and 5 can be used to prioritize day-to-day inspection activities. This S-RIG is also useful for NRC inspection activities in response a unusual event occurrences resulting from system failures. The accident sequence descriptions presented in Section 3 together with the discussion of multiple system unavailability (Section 6), provide some insight into the , combinations of system outages that can greatly increase risk. Within the ccmtext of the HPCI , system, revicw of the operating experience data provides insights on some of the more unusual g failure mechanisms (including corrective actions) that would be usefulin the review of the licensee , resptmse to a system failure. Recurrent component failures identified in this system RIG can also . be used for trending purposes to point out unique problems. Table 4-2 provides a summary of the j industry wide distribution of HPCI failure events, and presents a comparison of the Browns Ferry HPCI system failure history with industry experience. Certain HPCI system failure modes (e.g., inverter trips or failures, turbine stop valve failures, turbine exhaust rupture disk failures, and CST / suppression pool switchover logic failures) appear to account for a large fraction of the HPCI 1-1 l
system failures at_ the Browns Ferry nuclear plant and therefore, are candidates for increased inspection surveillances. These problem areas should be reviewed periodically as additional and - new data of plant-specific operating experience are compiled. 1-2
- 2. HPCI SYSTEM Dl;SCRIPTION .
At each Browns Fe ry Nuclear Plant unit, the High Pressure Coolant Injection (HPCI) system is a single train system coasisting of steam turbine-driven injection and booster pumps, a gland seal condenser, piping, valves, controls, and instrumentation. A simplified flow diagram of the system for Browns Ferry Nuclear Plant Unit 2 is shown in Figure 2-1. The system is designed to pump a. minimum of 5000 gpm into the reactor vessel over a range of reactor pressures from 150 to 1120 ; psig when automatically activated by a low-low reactor water level (- 45.0 inches) or high drywell j pressure (2.45 psig) signal, or when manually in'itiated from the control room. Each automatic initiation signal is generated from a "one-out-of-two-twice" logie in which at least one division I logic channel and one division II logic channel in either the low reactor water level logic or the. high drywell pressure logie must be actuated. Two sources of cooling water are available for the llPCI system. Initially, the HPCI pump takes suction from the condensate storage tank (CST) through a normally open motor-operated valve,2-FCV-73-40. The pump suction automatically transfers to the suppression pool on low CST level or high suppression pool ievel. This transfer is accomplished by a signal that opens the suppression pool suction valves. 2-FCV-73-26 and 2-FCV-73-27. Once these valves are fully open, stem-mounted limit switches automatically actuates to close the CST suction valve. There is a 5-second time delay for the switchover on high suppression - poollevel conditions. Events that raise the suppression pool temperature above the HPCI system design limits of temperature for the suction source may require a manual suction transfer back to the CST. - Upon HPCI system initiation, the normally closed injection valve 2-FCV-73-44 automatically. opens to allow water to be pumped mto the reactor vessel through a series of check valves in the - main feedwater line A. A minimum-flow bypass line is provided for pump protection. When the bypass valve 2-FCV-73-30 is open, flow is directed to the suppression pool. A full-flow test line is also provided to recirculate water back to the CST. The two isolation valves,2-FCV-73-35 and 7- - FCV-73-36, are equipped with interlocks to automatically close the test line (if open) upon the i generation of an HPCI ystem initiation signal. { The HPCI pump turbine is driven by reactor steam. The inboard and outboard HPCI system . 4 isolation valves in the steam line to the HPCI turbine,2-FCV-73-2 and 2-FCV-73-3, are normally . open to keep the piping to the turbine in a hot and pressurized condition which permits rapid ! startup of the HPCI system. Upon receiving a signal from the IIPCI system isolation logic, these , valves will close and cannot be reopened until the isolation signal is cleared and the logic is reset.
- Inboard isolation valve 2-FCV-73-2 is powered from the 480 VAC Reactor MOV Board 2A and l controlled by the isolation logic system A; while the outboard isolation valve 2-FCV-73-3 is '
l powered from the 250 VDC Reactor MOV Board 2A and controlled by the isolation logic system B. j Steam is admitted to the HPCI pump turbine through steam supply valve 2-FCV-73-16, a turbine stop valve 2-FCV-73-18, and a turbine governor valve 2-FCV-73-19, all of which are I normally closed and are opened by an HPCI system initiation signal. Exhaust steam from the turbine is discharged to the suppression pool, while condensed steam from the steam lines and leakage from the turbine gland seals are routed to a gland seal condenser. l A 2-1 4 s I
I ut x -
-. - 8
- me E * * * ".*.6 tu_ w:244;; 4 w hh
? pmu l
" l
<! a l 4 9 i aj ,! I.!! I
!a -
-i i
r I dl :
'^tl ~
i, >9m 9
, /
./ (, g:
- l. . .n,i e e i
'l o______, f i l
l i a~ 1.. d I 1 12l - o f (N i! i i E} I 5 3 F. I !; Ii ! I o u i
- L._
x, o M E i g _ ._ _ _ _ _ _ _ _ - . i 5, I, H'H+ --N " , e _d - 5 ! c i e 6 .a.c
- R 1 5, 7 r i-- , _-5 i F
a, i rl2 i
!Ll, a
,l' e
d"I a-E
=
I
's I
.,$r,;>;
f a
$ 2 b ]
i. r ti 5 , ,* l l' _ _. _ _ _D, 0*0 Yi, oil -
!!m 5c. .
! !' u .E i
6,:; e
, '. . a tiT-i
! oi3c@t ,2 $ e !
L e
.n er d % e, g
a i D-y , ! / 4'-
$!: ! l
. v' y!S s r :, ,
; !a a l DI,i e " !! 5 1-IV j%-
E [
-?- _ r. ,
3 ; , J - -- * -- j {g y t
] ~nt>,
{
- 7 lj ,
n; i p' f I L 2-2
. . .- _ - ~ . - .- . . - - - - - - - _= .
i-
- 3. - ACCIDENT SEQUENCE DISCUSSION e
The role of the HPCI system in the prevention of reactor core damage provides valuable information that can be applied in the normal day-to-day inspection activities of the system. His ' information is readily available if a nuclear power plant has its own Probabilistic Risk Assessment (PRA) study. In addition to considerations of plant specific design and operating nuances, the risk information includes insights from the quantification and prioritization of postulated likelihood of , accident sequences, system unavailabilities, and component risk importances. l Since most nuc! car power plants do not currently have PRAs, the application of risk insights to support audit and inspection activities is less straightforward. Thus, cight representative BWR accident sequences were developed from the review of available PRAs of BWR nuclear plants to provide a risk perspective for use in NRC inspection activities' He contributions of these eight representative sequences account for an average of 87 percent of the estimated core damage frequency due to internal event initiators in seven BWR plants. Because of operational and design similatitics, generic risk insights from the characterization of these representative accident scenarios can be applied to other BWR plants for risk based inspections. This information can be used to allocate inspection resources commensurate with risk importance. Since five of the eight r representative sequences require the HPCI system to function for accident mitigation purposes, the generic risk information allows the inspector to focus attention on the important systems and plant components. These five accident sequences are discussed in the subsections below. A PRA study of the Browns Ferry Unit 1 plant was performed as part of the NRC's Interim Reliability Evaluation Program (IREP) in 19822 Six of the eight dominant accident sequences identified in the study involve failure to remove long-term decay heat from the reactor, while the other two sequences involve an anticipated transient without a scram (ATWS) event. Thus, the results of this study indicate that the residual heat removal system is the most important system at the Browns Ferry plant. However, the IREP studies and other early PRAs (e.g. WASH-1400) have conservatively assumed no recovery of the power conversion system subsequent to the accident initiator and the loss of all water injection into the reactor core following containment failure. Furthermore, no credit was given for venting capability because most BWR plants at that time did not have procedures to facilitate such action. These assumptions resulted in the likelihood of one - accident sequence (i.e., loss of decay heat removal) to dominate the core damage frequency ; estimates and minimize the importance of other accident progressions and mitigating systems. , Therefore, insights from this PRA study were not utilized in the characterization of generie BWR accident sequences and were oflimited use in the evaluation of operational readiness of the HPCI ; system. Nothwithstanding these limitations, specific risk insights from the IREP study found to be , applicable have been incorporated into the discussions on PRA-based failure modes presented in i Section 6.1. 3.1 less of Hich Pressure inicction and Failure to Depressurire This sequence is initiated by a general transient (such as turbine trip with subsequent MSIV closure, loss of main feedwater, inadvertent SRV opening with MSIV closure, or loss of DC power), a loss of offsite power, or a small break LOCA event. The reactor successfully scrams. The power conversion system, including the main condenser, is unavailable either as a direct result of the initiator or due to subsequent MSIV closure. The high pressure injection systems-(IIPCI/RCIC) fail to inject into the vessel. The major causes of HPC1/RCIC unavailability include 3-1
.,e ,--+-,7 -, ,+ ,-
i hardware failures (primarily turbine / pump faults, or pump discharge or steam turbine i.nlet valves failing to open) and system outages due to test or maintenance activities. The CRD hydraulic system can also be used as an alternate source of high pressure injection (HPI) at the Browns .i Ferry Nuclear Plant units in both normal and enhanced modes of operation. Failure of the second l CRD pump during the enhanced mode of operation (which require two-pump injection flow) or unsuccessful flow control station valving prevents sufficient injection into the reactor pressure vessel (RPV). The operator attempts to manually depressurize the RPV, except that a common ! cause failure of the safety reliefvalves (SRVs) defeats both manual and automatic depressurization of the reactor vessel. The failure to depressurize the reactor vessel after HPl failure results in core , damage due to a lack of vesselinventory makeup. i 3.2 Station Blackout (SBO) with Intermediate Term Failure of Hith Pressure Iniection This sequence is initiated by a loss of offsite power (LOOP) event. The emergency diesel generators (EDGs) are unavailable, primarily due to hardware faults. A secondary contributor to EDG unavailability are outages for maintenance activities. Support system malfunctions include i' EDG room or battery /switchgear room HVAC failures, service water pump malfunctions, or EDO jacket cooler hardware failures. The HPCI and RCIC systems are initially available to provide ; reactor vessel inventory makeup. The high pressure injection systems can provide inventory makeup until: !
+
the station batteries are depleted, or -
\
l
+
the system fails due to environmental conditions, i.e., high lube oil temperatures or high - ! turbine exhaust pressure due to the high suppression pool temperature and pressure, or ; the RPV is depressurized wherein conditions can no longer support HPCI or RCIC ! system operation, or i
+
the HPCI system high area temperature logic isolates the system or long term exposure , to high temperatures disables the turbine driven pump. l The Browns Ferry Unit 2 IPE analyses indicate that the LOOP scenario is the most important initiating event which results in the highest frequency accident sequences contributing to the overall plant core damage frequency (CDF)). The total frequency of all LOOP-initiated accident sequences comprise about 69 percent of the Browns Ferry plant CDF. Of these accident scenarios, about 27 percent of the Browns Ferry plant CDF result from LOOP sequences involving station blackout (SBO). SBO coping measures include successful DC load shedding which allows the battery lifetime to be extended to 4 hours and thus, assure the continued operation of the HPCI or RCIC l systems to provide a source of water to the reactor core during that time. Plant procedures also address the recovery of either the 500 kV or 161 kV offsite power supply within 6 hours to help reestablish water level control in the reactor vessel. In addition, the emergency procedures instruct the operators to utilize the residual heat removal service water (RHRSW) system ( or the emergency equipment cooling water system as the backup) for water injection into the reactor vessel as a contingency measure if the SBO condition persists until decreasing reactor pressure j (decay heat) can no longer support the HPCI or RCIC system operation. Once the reactor vessel 1 is dyndzed, these plant procedures guide the operators in establishing a " feed and bleed" path 3-2 i l
from the suppression pool to the reactor vessel and back to the suppression pool via the safety relief valves (SRVs) with heat removal via RHR heat exchangers. The reactor building environmental conditions can also impact long term HPCI system opera-tion. The reactor building HVAC and HPCI toom cooling are dependent on AC power. Although the high area temperature isolation logic is not operable during SBO conditions at the Browns ! Ferry plant when DC battery power is depleted, there is an environmental qualification concern (e.g., operability ofinstrumentation and controls)if the HPCI pump room temperature approaches beyond 129 F under worse case conditions. The HPCI pump room does not have any room coolers, l'ut it is open to the adjacent RHR quadrangle area which is ventilated automatically by room coolers that are activated on high temperature in the area. Plant procedures (2-EOI 3) address proper operator response to lower any high temperature condition in the HPCI room.The plant activities to monitor and control high area temperature during a SBO event should be reviewed. The review should include an audit of any calculations necessary to establish a time frame for the implementation of these activities. 3.3 Station Blackout with Short Term Failure of Hich Pressure Iniection This SBO sequence is similar to the previous sequence except the high pressure injection systems fail early. 'The sources of emergency AC power, i.e., the emergency diesel generators (EDGs), fail primarily due to hardware failures. Secondary contributors are: output breaker failures and EDG unavailability due to test or maintenance activities. Support system malfunctions such as service water supply failures in the EDG jacket cooling water train, battery /switchgear room HVAC failures, or test and maintenance unavailability, are significant contributors to the loss of on-site emergency AC power. Station battery failures (including common mode) within 4 hours are an important contributor to this sequence, because the EDGs and HPI systems are dependent . , on DC power for instrumentation and control objectives. This accident sequence is a major contributor to the overall core damage risk at the Browns Ferry plant, primarily due to the short term failures of HPI systems (e.g., HPCI, RCIC and CRDH systems) and failure to recover AC power within 6 hours that prevent the possibility of cooling via the suppression pool source. The Browns Ferry IPE analyses indicate that the importance of : IIPCI/RCIC unavailability is assessed to be 0.1125 i.e., about 1L25 percent of the plant CDF is contributed by accident sequences involving failure of the IPCI and RCIC systems. As such, the HPCI/RCIC unavailability estimates are a significant influence on the total plant core damage frequency. j 3.4 ATWS with Failure of RPV Water I.evel Control at Hich Pressure l This sequence is initiated by a transient event with initial or subsequent MSIV closure and a ! j failure of the reactor protection system to provide an automatic scram. Attempts to manually ! scram are not successful; however, the Standby Liquid Control System (SLCS) is initiated. The condenser and the feedwater system are unavailable. The BWR Owner's Group Emergency , Procedure Guidelines (EPGs) recommend RPV water level reductions for control of reactor power below SG and the characterization of this BWR representative sequence was based on that i philosophy. As evidenced by the EOl Program Manual Section III relating EPGs for development of emergency operating instructions. ATWS mitigation procedures at Browns Ferry Unit 2 are consistent with the philosophy of the BWROG guidance document. 3-3 i
Dis sequence postulates a failure to ensure sufficient RPV makeup at high pressure to j prevent core damage. There are two failure modes considered in this scenario: :1
- 1. The operator fails to control acceptable water level at high RPV pressure. This results ;
in high reactor core power levels, continuous SRV discharges, and suppression pool ) heatup. After the suppression poolwater reaches saturation, containment pressurization ~ l begins to occur. High pressure injection fails due to high suppression pool temperature prior to containment failure.
- 2. The high pressure injection (HPCI) system fails, primarily due to pump failure to start j or as a result of testing and maintenanec (T&M) unavailability, Failure of injection or _ ,
minflow valves, inability of suction switchover, or loss of DC power are other potential i system failures. HPCI pump failure to start or run, pump unavailability due to testing i and maintenance activities, and Service Water EDG jacket cooler inlet or return valve , failures are the major contributors to HPCI system failures. i The inability to maintain acceptable RPV water level above the top of the active fuel (TAF) , requires manual emergency depressurization to allow the low pressure ECCS systems to inject ' water, and thus prevent the onset of core damage. l The continued operability of the HPCI system during an ATWS event is critical. Within the : context of this accident sequence (i.e., time available for success), the licensee capability to achieve I the HPCI pump suction transfer in time and perform logic bypasses of the high turbine exhaust pressure trip that causes a HPCI system isolation on high back pressure should be evaluated ' periodically. With regard to HPCI system availability, the remaining sections will provide discussions on system failures and availability evaluation. 3.5 Unisolated LOCA Outside Containment , The accident initiator in this sequence is a high pressure boundary failure _outside , containment with a failure to isolate the rupture. The piping failure is postulated in the following ~ l systems: main steam system (60%), feedwater system (12%), high pressure injection system (20%), and interfacing system piping lines (8%). The percentages in parentheses indicate the estimated relative contribution to core damage frequency due to piping failures of each system *. An interfacing systems LOCA event is defined as the initial pressurization of a low pressure piping line which results in a pressure boundary failure, compounded by the failure to isolate the failed piping line. The failure is typically postulated in a low pressure portion of the low pressure core spray (1.PCS) system, the LPCI system, shutdown cooling system, and (to a lesser extent), the HPCI or RCIC pump suction or the head spray line of RHR system. I De unisolated LOCA outside containment results in a rapid loss of the reactor coolant system (RCS) inventory and thus, eliminating the suppression pool as a long term source of RPV injection. Piping failures in the reactor building can also result in unfavorable environmental conditions for the Emergency Core Cooling Systems (ECCS). Unless the unaffected ECCS systems or the condensate system are available, long term RPV injection is suspect and core damage is likely. 3-4 1 l
l There have been several HPCI pump suction overpressurization events, primarily during surveillance testing of the normally closed motor-operated HPCI injection valve 2-FCV-73-445 This is of particular concern for the discharge configuration at the Browns Ferry plant that has a , testable air-operated check vahc in series with the normally closed MOV, because of the check valve's history of back leakage as observed in the industry-wide operating experience. The llPCI l interfacing rystems LOCA initiator :eems to be less of a prot >!cm when the normally open valve 2-FCV-73-34 is closed prior to surveillance testing of the valve 2-FCV-73-44. However, some of the concerns regarding the previous test configuration are also valid here. There must be reasonable assurance that the normally closed 2-FCV-73-44 valve is leak tight during plant operation and prior to stroke testing, confirmation is necessary to assure that it is fully closed and will provide the necessary protection for the upstream piping. At the Browns Ferry plant, a one-inch relief valve 2- ; RFV-73-506 was installed in the HPCI booster pump suction piping to ensure the mitigation of l overpressurization events. The valve is set to operate at 55 psig and is bench tested once per plant refueling cycle to comply with ASME Code Section XI requirements. , 3.6 Overall Assessment of IIPCI Imr ortance in the Prevention of Core Damage Ar previously stated, the high pressure injection function (HPCI/RCIC/CRD) is important for mitigation purposes in five of the eight representative BWR accident sequences. The various system failures and their risk importances for all eight accident sequences were prioritized by their , contribution to overall core damage (using a normalized Fussell-Vesely importance measure). The HPI function, in aggregate, was assessed to fallin the high importance category. Other high risk important systems are the Emergency AC Power system and the Reactor Protection system (RPS). The llPCI system itself is considered to be of medium risk importance, because of the multiple systems (e.g., RCIC and CRD systems) that can successfully provide vessel inventory makeup at high pressure. However, the Browns Ferry plant IPE analyses indicate that the importance of the HPCI system was assessed to be 0.16, i.e. about 16 percent of the plant core damage frequency were contributed by the likelihood of accident sequences involving failure of the HPCI system. For comparison, other systems of medium risk importance are: the Standby Liquid Ccmtrol Automa-tic / Manual Depressurization, Service Water, and DC Power systems. e l l i-3-5
l
- 4. PRA BASED HPCI FAILURE MODES PRA models are often used for inspection purposes to prioritize systems, components, and human actions in plant operational activities from a risk perspective, This enables the inspection i effort to be apportioned based on a core damage prevention measure called risk importance. Risk importance measures (e.g., Fussell-Vesely importance measure) can be can be used to determine
( the ranking of risk significant failure modes. A list of HPCI system failure modes for this system Risk-Based Inspection Guide (System RIG) was developed from a review of BWR plant specific RIGS", and the PRA-Based Team Inspection Methodology'. As presented in Table 4-1, the identified component failure modes are grouped by risk significance that was determined by PRA and other operational considerations. Table 4-2 provides a summary of the operating experience of the HPCI system for the industry and at the Browns Ferry Nuclear Plant with regard to these risk significant failure modes. Appendices A-1 and A-2 provide more detailed information on the failure events, and selected examples of other PRA-based HPCI system failure modes. Due to the artifact of modeling, PRAs do not generally provide detailed guidance for inspection activities and are less helpful in the determination of specific failure modes or root causes of equipment failures. This makes it necessary for an inspector to draw on his experience, and a variety of information sources such as the plant operating history, Licensee Event Reports (LERs), NRC Bulletins,Information Notices and Generic Letters, INPO documents, and vendor information to conduct an inspection of the PRA-prioritized items. Information useful for prioritization of inspection efforts has been obtained by review of HPCI system operating experience at the Browns Ferry Nuclear Plant and other BWR plants to aggregate " observed problems to the categories of PRA-derived failure medes. This information is used to develop the - system walkdown checklist of risk significant components for inspection emphasis. The system walkdown checklist for use by the inspector (s) is presented in the next section. The results of the HPCI operating experience review are discussed in Section 6 with illustrative examples to show applicability to the PRA-based failure modes. The survey of HPCI-related LERs generated at the Browns Ferry Nuclear Plant included all LERs documented between 1980 and 1992 for the 3 plant units. It is noted that Browns Ferry Plant Units 1 and 3 were in cold shutdown status throughout most of this period. Thus, the sample of HPCI-related LERs considered in this review was largely based on the operational history of the Browns Ferry Nuclear Plant Unit 2. Because the Browns Ferry Unit 2 was in operation for about half of the evaluation period, this review effectively included the HPCI-related LERs from the - other plant units as well. As shown in Table 4-2, the plant specific LER frequency for several HPCI system failure modes is higher than that observed in the industry-wide survey results. The more frequent HPCI system failure modes observed at the Browns Ferry Nuclear Plant were:
- 1. HPCI Pump or Turbine failure to start or run due to:
i) turbine speed control faults, ii) inverter trip or failures, iii) turbine stop valve failures, or iv) turbine exhaust rupture disk failures, and 4-1
i
- 2. CST / suppression pool switchover logic failures.
~i The survey of operating experience of the Browns Ferry Plant HPCI system is discussed in ;
Section 6 with the focus on recurrent problems found in recently issued LERs, l l
.)
t i 1
'l I
.j ,
4/2
? s
- Table 41 Summary of PRA-Based Failure Modes for the IIPCI System Hieh Risk Imrx)rtance Pump or Turbine Fails to Start or Run' System Unavailable Due to Test or Maintenance Activities
- Turbine Steam Inlet Valve FCV-73-16 Fails to Open Pump Discharge Valve FCV-73-44 Fails to Open :3 Medium Risk Imrxirtance CST / Suppression Pool Switchover Logie Fails' Suppression Pool Suction Valves FCV-73 26 and FCV-73-27 Fail to Open* . .;
Normally Open Pump Discharge Valve FCV-73 34 Fails Closed or is Plugged t Lower Risk Importance CST Suetion Line Check Valve CKV-73-505 Fails to Open CST Suction Line Manual Valve IICV-2-705 Plugged - Normally Open CST Pump Suetion Valve FCV-73-40 Fails Closed or is Plugged Pump Discharge Check Valve FCV-73-45 Fails to Open Suppression Pool Suction Line Check Valve CKV-73-517 Fails to Open Normally Open Steam Line Containment Isolation Valve FCV-73-2 or FCV-73 3 Fails Closed
- Steam Line Drain Pot Malfunctions i Turbine' Exhaust Line Faults, including:
a Normally Open Turbine Exhaust Valve FCV-73-64 is Plugged - Turbine Exhaust Check Valve CKV-73-603 Fails to Open Turbine Exhaust Line Vacuum Breaker Valves Fail to Operate False High Steam Line Differential Pressure Signal : False liigh Area Temperature Isolation Signal False Low Suction Pressure Trip False fligh Turbine Exhaust Pressure Signal System Actuation Logie Fails , Pump Suction Strainer Blockage Minimum Flow Valve FCV-73-30 Fails to Open, Given Delayed Activation of Pump Discharge Valve FCV-73-44. q Indicates a failure mode found in the Browns Ferry plant operating experience review discussed in Section 6. ' i 4-3 : 1 1 _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ . _ _ _ _ _ _ . - , . . . . , , . , . - , , , , _y, ,
Table 4-2 Browns Ferry Nuc! car Plant liPCI System LER Survey Compared with Industry Experience All BWRs (1935-1989) Browns Ferry (1980-1992) Failure Description Failure
# of Failures Failure - Ranking: # of Failure Comments Contribution'(Fe ) Failures' Centribution ("c) .!
IIPCI Pump or TurNne Fails to Start or Run , TurNne speed control 11 4 15 4 faults 16 7 4 Imbe oil supply faults 11 1 Turbine overspeed and reset problem 8 5 0 0 inverter trips or 7 4 4 15 4 failures TurNne step valve 3 2 8 4 failures 5 u L- Terbine exhaust 2 8 4 i rupture disk failures 5 3 Flow controller ' failures 5 0 0 i TurNne control valve i faula 3 2 1 4 t loss of tube oil cooling 2 1 1 4 , Misc-valid high Row during testing 2 1 0 0 Fails to start or run SUBTOTAL 64 40 1 15 62 System unavailable due to T&M activities 43 27 2 6 23 l - _ =
! l t s n . e 7 1 7 7 7 9 - m 5 1 8 5 5 5 6 m 4 o C
)
(
)
2 9 en r o 9 ui 1 l iu t 0 0 0 4 0 0 0 0 0 8 0 Fiab 8 r 9 t 1 n ( o y r C r e F - s n . fo "s
&x r
e r 0 0 0 1 0 0 0 0 0 2 B #u li a F .. e g r n iuk i l 3 4 5 6 7 8 9 0 1 2 a n 1 1 1 FaR
)
9 ( - n 9
)
e r 'o 8 luiu t 6 5 5 2 3 2 1 1 1 1 9 1 iab < < _ 5
- Fi r t
8 n 9 1 e ( C s R s W e U r u l ll i A a 0 8 5 3 4 3 F 1 2 1 1 1 r e c c l e - i y n e o n n e t o h n o n ol s o h r u et a ep v s n k i t e irl s pi a i t p ms a e s lnli i a s e goo i o n o a c 4 a n o bi n b ua i n f i r ter mf r t c a i t ei s i t c rl t f i ocig s c s p u a ne a t a r s o s a) r u a e up n e v e l e1 h s e r s n t g pl el r D h a igit t sU c l s a i t inI t c a h u t hi ov a pr e e h ne eR if d C igta h r w oer igs t t pv u . r n( ) mP m l u h s e u las Sm u e s erl a be . r pi mK k el l te s e el pa e s s s a mud r a e /e l s mgn Tt l r v c s
'a Td ng t
i sl s uR a re sl l h a ul ya yi la l oh o Si u Fa ex yi a
) F Fd is Tvc P( S' a f Sf F tei s Fp Ne xlc Cs d , 't I n
o C( 2-4 . e lba pu T _
s t n e 9 0 m 1, 4 6 6 - m _ o C
)
(
)
_ 2 9 en r o 9 ui t 1
- li u 4 0 4 0 ab Fi 8 r 9 t 1 n
( o y r C r e F s mv fo 's o r e r 1 0 1 B #u li a F e g r n ui 3 4 A
/
li n k 1 a 1 N
. Fa R
)
(
) e r 'n o 9 ui 8 4 3 0 tu 9
1 liab Fi 5 r t 8 9 n 1 o ( C s R
" s 1 er B u I
li M a 6 5 0 - F . f _ o _ t n ve n
) e -
n 2 mls o 4 la ep ini a i t p lo0 vo s. f o1 ir p( wo n t n ev nv e n c s ot e el e iola pe is t li pc av D s v o mf a oe - s e e no u ) l alinno li r u r ot pi pt s im2 i0n 1 mmid r al as t e . uclia Susf
) F a
MF( Ntoesis oke d .
't -
n - e - C ( 2-4 b l e b a . T -
. ' i ! , ; i i fI;, I j ! > !' 4 4
Table 4-2 Comments
- 1. Failure contribution is expressed as a percentage of all significant HPCI system failures identified by the Operating Experience Review.
i 2. Failure ranking is a subjective prioritization based on PRA and operational considerations, recovery potential, current accident management philosophy and conditional failures, as applicable.
- 3. Significant HPCI system failures at the Browns Ferry Nuclear Plant are determined from the review of all available LERs (1980 to 1992).
- 4. Although some caution is needed in making this observation because of the limited plant specific data, this failure mode seems to comprise a disproportionate fraction of the Browns Ferry IIPCI system unavailability. This area is a candidate for enhanced inspection attention.
- 5. Failure importance was upgraded from the PRA-based ranking of Table 4-1.
- 6. Failure importance was downgra'Jed from the PRA-based ranking of Table 4-1.
- 7. HPCI system isolation and trip logics are significant contributors to unavailability. The system can be isolated by a single malfunction, yet instrument surveillance intervals can be greater than that required for the more reliable actuation logic.
- 8. Unlike the system trip and isolation logic, the actuation logic arrangement (one out-of-two twice) diminishes the importance of a single instrument failure to reliable system operation. At least two low RPV level or two high drywell pressure sensors must fail to result in significant risk As discussed in Section 6, system availability is more dependent on the reliability of control power.
- 9. The latest BWROG Emergency Procedure Guidelines deemphasize the importance of the suppression pool as an injection source during plant abnormal conditions.
- 10. Importance of failure mode is conditional on the delayed opening of the pump discharge line valve, FCV-73-44.
1
- 11. Unlike the rest of the failure modes listed herein," Systems Interactions"is not a PRA-based failure mode. It was identified as a significant failure mechanism during the operating experience review and is discussed in Section 6.
4-7 i f
l l 4
- 5. IIPCI SYSTEM WALKDOWN CIIECKLIST BY RISK IMPORTANCE I 1
- Table 5-1 presents the HPCI system walkdown checklist for use by the inspector (s). This information allows the inspector to focus the inspection efforts on components that are important
! to system availability and operability. . Equipment locations and power sources are identified to assist in the assessment of this system. The risk significance of the various components identified in this checklist have been determined by information in PRAs and other operational considerations. - 4 I 6 l l I e 5-1
f 4 Table 5-1 Browns Ferry Plant HPCI System Walkdown Checklist Description . ID NO, Location Power Source Standby Actual and Location Position Position - A. Components ofIligh Risk Significance Turbine Steam FCV HPCI Room 250 VDC RMOV Closed Isolation Valve 16 Reactor Bldg, Board A, Elev. 519' Panel / Breaker 3D Inboard Steam FCV-73-2 Drywell 480VDC RMOV Open Isolation Valve Board A. Panel / Breaker 17E Outboard Steam FCV-73-3 HPCI Room- 250 VDC RMOV Open Isolation Valve Elev. 551' Board A, Panel / Breaker 11D1 Pump Inboard FCV HPCI Room- 250 VDC RMOV Closed Discharge Valve 44 Elev. 519' Board A, Panel / Breaker 7A B. Components of Medium Risk Significance CST Suetion FCV HPCI Room- 250 VDC RMOV Open Isolation Valve 40 Elev. 519' Board A, Panel / Breaker 1D2 Pump Outboard FCV HPCI Room. 250 VDC RMOV Open Discharge Valve 34 Elev. 519' Board.A, Panel / Breaker SA Pump Minimum FCV HPCI Room- 250 VDC RMOV Closed Flow Valve 30 Elev. 519' Board A, Panel / Breaker 8D Pump Suction FCV HPCI Room- 250 VDC RMOV Closed From 26 and Elev, 519' Board A, Suppression FCV Panel / Breaker 4D Pool (2 Valves) 27 and 9D Turbine Exhaust H CV Torus Room- NA Open Valve to 23 E!cv. 519' Suppression Pool 5-2
t Table 5-1 (Cont'd) Description ID NO. location Power Source Standby Actual and Location Position Position - Full Flow Test FCV IIPCI Room- 250 VDC RMOV Closed Valves to CST 35 and Elev. 519' and Board A, FCV 541' Panel / Breaker 6A ( 36 and Board B, Panel / Breaker 4A - f Notes: 1. All circuit breakers should be in the closed (ON) position. j 2. These valves are included in the ASME Inservice Testing (IST) Program. . Additionally, some of these valves are required to be tested under the guidance of Generic i f Letter 89-10. Results of IST and Generic Letter 89-10 testing requirements may be reviewed to assure the adequacy of operational readiness of these valves. ; A l l l' i 4 \ I l l t l 5-3 l l
. . . . . . - . _ , - . . . . .- l
- -s--------ex-- - - - -
l l l l I d I I I 1
?
I l 1 V l t p l w f l l 1, l ,1 i 4 i 1 e ] i J a
. - m-
There was only one LER in this failure category identified in the industry-wide operating experience review. No LERs related to false high turbine exhaust pressure signals were found for the BFN plant during the review period since 1980. IIPCI Failure No.11 - Normally Open Turbine Exhaust Valve Fails Closed Failure of any one of the turbine exhaust valves to open would cause a turbine trip as a result of a valid high turbine exhaust signal. One BWR plant had experienced a failure of the turbine h exhaust line swing check valve. The valve internals were found wedged in a MOV located downstream in the turbine exhaust line and this could potentially cause a turbine trip due to high exhaust pressure. The failure was attributed to the forceful cycling of the swing check discs under low flow conditions. Additional information on the background of such problems is provided in the NRC AEOD Report E402" and Information Notice 82-26."
~
At the BFN plant, no LERs were found within the review period that involved failure of normally open turbine exhaust valve HCV-73-23 to close, llPCI Failure No.12 - Condensate Storage Tank / Suppression Pool Switchover Logie Fails In the standby mode, the HPCI pump suction is normally aligned to the condensate storage tank (CST). Upon a low CST level signal via level switch LS-73-56A and LS-73-56B, or a high suppression pool level signal via level switch LS-73-57A and LS-73-57B, the suppression pool suction valves FCV-73-26 and FCV-73-27 automatically open with subsequent closure of the CST suction valve FCV-73-40. System operation continues with the use of the HPCI booster pump to draw suction from the suppression pool. This PRA-based HPCI failure mode has become less important as a result of changes in the BWR Emergency Procedure Guidelines which generally advocate the continued use of water sources that are external to the containment. This avoids potential ECCS degradation due to high suppression pool temperature (high HPCI lube oil temperature) while simultaneously increasing suppression pool mass. Thus, an HPCI pump suction transfer to the suppression poolis no longer greatly desirable and especially in decay heat removal accident sequences, the operator would likely bypass the switchover logic to maintain the CST suction source, or realign to the CST if a switchover to the pool had occurred. Therefore, the inspection focus should be on the continued viable option of the CST as an injection source during an accident sequence. There were 2 LERs describing problems involving the CST / suppression pool switchover logic at the BEN plant since 1980. In the first event (LER 259/82-071), the condensate storage tank low level switches LS-73-56A and LS-73-56B failed to operate due to dirty and corroded activating plates of the level switches. The plate points were cleaned. The second event (LER 259/84-028) was related to the failure of the automatic CST / suppression pool transfer logic to perform its intended function during surveillance testing because of a dirty contact on the limit switch. Present surveillance practices at the BFN plant include testing and calibrating the CST low level and suppression pool high level transfer switches on a quarterly basis. During these surveillance inspections, the relays in the HPCI system logic are also actuated to satisfy overlap testing requirements which are used to demonstrate HPCI logic operability once per refueling outage. 6-13
l
\
HPCI Failure No.13 - Suppression Pool Suetion Line Valves FCV-73-26 or FCV-73-27 Fail to < Open At the BFN plant, there are two 250 VDC powered suppression pool HPCI pump suction valves, FCV-73-26 and FCV-73-27, with a check valve CKV-73-517 in between them and this valve arrangement is in series with a hand control valve HCV-73-25. In the standby mode, the HPCI system is initially aligned to the condensate storage tank (CST). The suppression pool suction i valves are opened and the CST suction valve is closed on a CST low water level or a high suppression pool level signal. The importance of this failure mode has been diminished by the current emergency procedure guidelines which emphasize the continued use of external sources of water injection. This requires operator action to bypass the HPCI suppression pool switchover logic to prevent the opening of the suppression pool suction valves FCV-73-26 and FCV-73-27. ' This is especially true for the decay heat removal (non KrWS) sequence where it is likely that inventory makeup from the CST can be maintained. In the industry-wide survey, there have been 6 failures of the suppression pool suction valve to open which represents about 49 of all HPCI system failures. All these failures occurred during system surveillances. For the BFN plant, one LER was identified that described the failure of the hand control valve in the suppression pool suction line. In this event (LER 259/87-027), the normally locked open hand control valve HCV-73-25 which isolates the suppression pool from the Orst motor operated suppression pool isolation valve FCV-73-26 during layup was found in a failed closed position (as observed through a borescope) with the stem separated from the valve dise. The failure was attributed to tensile overload on 3 of the 4 bolts which hold the key attachment between the shaft and the disc of the valve. The bolts were replaced with stainless steel bolts. Current surveillance practices at the BFN plant include verifying the normally open position of this valve. The RCM program schedule has recommendations to replace this valve with a newer design. As an interim measure, this valve is inspected at each refueling outage for signs of corrosion and appropriate maintenance actions are taken to correct any identified problems. HPCI Failure No.14 - Niinimum Flow Valve FCV-73-30 Fails to Open The minimum Cow bypass line is provided for pump protection. The bypass valve, FCV-73-30, automatically opens on a low Dow signal of 600 gpm or less flow when the pump discharge pressure is greater than 125 psig. When the bypass line is open, pump How is directed to the suppression pool. The valve automatically closes on a high now signal of 1200gpm or more Dow. During an actual system demand, failure of the minimum Dow valve to open is important only when the opening of the pump discharge valve FCV-73 44 is signi0cally delayed. In probabilistic terms, this combination of events is generally not risk significant. With regard to system operation and testing in the minimum Dow mode, the licensee response to NRC Bulletin 88-04" should be reviewed to determine the adequacy of the design of the minimum Dow bypass line. Unless there is a design concern or a recurring problem with either component, inspection attention may be minimized in this area. l At the BFN plant, there were no LERs in this failure category identified over the 12 year j review period. Although the HPCI minimum Dow valve has not been prone to failures, current surveillance practices at the BFN plant include verifying proper operation of this valve during performance of valve stroke time testing and dowrate testing activities. t l 6-14
i
- 6. OPERATING EXPERIENCE REVIEW As previously stated, an operating experience review was performed to evaluate recent industry-wide operating experience of the llPCI system in BWR plants and categorize the various observed problems with PRA derived failure modes. Approximately 200 Licensee Event Reports l
(LERs) describing liPCI system failures that occurred in the period between 1985 to 1992 were reviewed for applicability to the PRA failure modes for the HPCI system. Sixty-two LERs did not ) j have a corresponding failure mode. These LERs generally documented successful system I challenges, administrative deviations, or seismic / equipment qualification concerns. The remaining 140 LERs documented 159 IIPCI system faults or degradations. As presented in Table 6-1, these failures have been categorized by PRA failure modes to provide a relative indication of the contribution to all HPCI system faults. Each of the 14 PRA-based failure modes that has corresponding industry failures is discussed below. Selected LERs identified during the operating experience review are summarized to illustrate typical failure mechanisms and potential corrective actions. Where applicable, other sources of background information including NRC IE Bulletins, Information Notices, Inspection Reports, NUREGs, and AEOD Reports are cited. The Browns Ferry Nuclear (BFN) Plant liPCI system operating experience over the plant life is also integrated into the discussion of each liPCI failure mode. Table 6-1 IIPCI Failure Summary llPCI Failure Failure Total Contribution i Number Description Failures * (%) l 1 Pump or Turbine Fails to Start or Run 64 40 2 System Unavailable Due to Test or Maintenance Activities 43 27 3 False liigh Steam Line Differential Pressure Iwlation Signal 10 6 4 Turbine Steam Inlet Valve (F001) Fails to Open 8 5 I 5 Pump Discharge Valve (F006) Fails to Open 8 5 l 6 Systems Interactions Fail IIPCI System" 3 2 7 System Actuation Imgic Fails 4 3 S False Iligh Area Temperature Isolation Signal 3 2 I 9 False Low Suetion Pressure Trip 2 1 I 10 False High Turbine Exhaust Signal 1 <1 l 11 Normally Open Turbine Exhaust Valve Fails 1 < 1 Closed i 12 CST / Suppression Pool Switchover I ogie Fails 1 <1 13 Suppression Pool Suetion Valve (F042) Fails to 6 4 Open L 14 Minimum Flow Valve (IU12) Fails to Open _L 3 Total 159 Identified during the HPCI System Operating Experience Review which examined HPCI LERs l from 1985 to mid 1992. Non PRA-derived failure mode; operating experience is discussed in Section 6. 6-1 1 l _ _ _ _ _ _ _ _ _ _ _ _ __ __
The search of LERs generated from the Browns Ferry Nuclear Plant Units 1,2, and 3 (Docket numbers 50-259,260, and 296, respectively) was conducted for the period between 1980 and 1992, and 67 LERs were found to be related to llPCI system problems. It is noted that the BFN plant units were in operation for about half of the evaluation period and thus, this evaluation effectively considers the operating experience of the BFN station as ifit was a single nuclear power plant. Out of the 67 IIPCI system-related LERs reviewed for the BEN plant,26 LERs were found to fall within the set of PRA. based failure modes. The breakdown of the 26 LERs within each category of PRA-based failure modes is : 15 LERs were related to llPCI pump or turbine failures to start or run, six LERs were related to llPCI system unavailability due to testing and maintenance activities, two LERs described CST / suppression pool switchover logic failures, and each of the remaining LERs were related to events involving the suppression pool suction valve failure to open, steam line outboard isolation valve failing closed, or a system interactions problem failing the HPCI system. Based on the LER survey, specific component failures of importance that require attention at the BFN plant are turbine speed control faults, inverter failures, turbine stop valve j failures, turbine exhaust rupture disk failures, and condensate storage tank level switch failures. l The information compiled in this section should be usefulin more detailed reviews of the HPCI , system, rather than routine operational checks. It may be used during programmatic inspections (such as maintenance program reviews) or in reactive inspections of HPCI system failures. I Illustrative examples of corresponding industry tailures for the first failure mode,"HPCI Pump or Turbine Fails to Start or Run," are presented in Table bl along with details of the root cause, method of detection, corrective actions, and potential iaspection areas that could identify and prevent similar pioblems. The examples of industry fai' ares for the other PRA failure modes are discussed in Table A-2. The text provides addition n information on the distribution of failure events within a particular failure mode. 6.1 HPCl Svstem Failure Modes HPCI Failure No. l- Pump or Turbine Fails to Start or Run The major contributor to HPCI system unavailability, both hom risk and operational considerations,is the tailure of the turbine driven pump to start or continue running. This failure mode includes dependent failures as a result of subtle interactions between various subsystems and components and thus, root cause analysis and component repair becomes a complex task. The concern on system interaction problems has been reflected in BWR plant PRAs by the assessment of various subsystem, or support system failures that cause this failure of the pump or turbine to start or run. However, the uncertainties associated with identifying system interaction problems have resulted in some confusion in the application of PRA insights for inspection activities. For the purposes of this study, this failure has been defined as the loss of functional capability of those components that directly support the operation of the pump or turbine. The basic event describing "IIPCI Pump or Turbine Fails to Start or Run" accounted for 64 failures or 41G of the HPCI system f aults in the industry-wide operating experience review. Table 6-2 shows the subcategories of failure mechanisms that may result in Failure No.1, and the number of events in each subcat ego ry. 6-2
Table 6-2 l IIPCI Pump Turbine Fails to Start or Run - Failure Subcategories l Sub-category Description LER Failures l A. Turbine speed control faults, including I L EG-M control box 6 Motor speed changer (EG-R actuator remote servo) 5 )- Resistor box 2 16 L Ramp generator / signal converter box Magnetic speed pickup cable 1f 1 , Speed control potentiometer ly - f B. Lube oil supply faults 11 C. Turbine overspeed and auto reset problems 8 D. Inverter trips or failures 7
- l. E. Turbine stop valve failures 5 l F. Turbine exhaust rupture disk failures 5
, G. Flow controller failures 5 H. Turbine control valve faults 3 ( I. Imss of lube oil cooling 2 J. Miscellaneous: Valid high steam flow during testing 2 TOTAL 64 l A. Turbine Sr' ecd Control Faults The turbine speed is controlled automatically by a control system consisting of a flow j controller and an electro-hydraulic turbine governor. As in most other plants, the BFN plant HPCI pump turbine has a Woodward governor control system. The turbine governor system-receives the flow controller signal input and processes the electrical signal to effect hydraulic-mechanical motion to position the governor (control) valve. The system has a " ramp" generator which upon turbine start, will control the acceleration rate up to a speed relative to the flow controller output demand signal. The ramp generator is part of the ramp generator and signal converter (RGSC) box at the BFN plant and the ramp" rate is adjustable. } Turbine speed control faults are a major contributor to the pump failure to start. *Ihe sixteen failures identified in the industry-wide LER survey include: I - six electro-mechanical governor (EGM) control box faults, two dropping resistor assembly (resistor box) failures, L - one ramp generator / signal converter box failure, f - one magnetic speed pickup cable malfunction, 1 - one speed control potentiometer problem, and five motor speed changer / electro-mechanical hydraulic (EG-R) actuator faults. l -- 6-3 L L l
- . .- ---- - - . . _ . . ~ . _ -
( The LER survey for the BFN plant identified 4 LERs related to turbine speed control faults. ; In the first event (LER 259/80-079), an electrical ground occurred on the EGR actuator as a result ; of corrosion between the EGR actuator connector and connector pins. The electrical ground ; caused failure of the EGM output transistors 09 & 010, and resulted in turbine speed control ! problems. The second event (LER 260/83-009) was related to a HPCI pump turbine failure. l resulting from the erratic performance of the flow controller which was caused by trapped air in the hydraulic oil control system following maintenance repair work, in the third event (LER ! 260/84-003), the operator was unable to bring the speed of the llPCI turbine down to the required j 2,400 RPM because of an erratic ramp generator / signal converter box adjustment. The fourth event l (LER 260/85-015) was related to a design deficiency in the resistor box. A special test showed that j AC output voltage from the dropping resistor box was insufficient when its input voltage was at the ! design minimum. The resistor box was modified to ensure that the EGM control box would j receive the required AC voltage signal under worst case conditions. i
-l As a result of the observed problems, significant hardware modifications of the IIPCI system _
have been made at the BFN plant unit 2 to reduce the potential occurrence of turbine speed l control faults. The llPCI governor control system has been redesigned and upgraded with new : components, and the EGM control panel has been relocated frorn the turbine skid to the IIPCI i room wall to climinate the vibration effects of the skid environment. .A new overspeed test ' controller in place of the original bias speed setting potentiometer, and new and more reliable , 24/48 Vdc power supplies for the control system were also installed. Other specific upgrades j included the replacement of the RSGC box, EGM controller, speed sensor and cable assembly with l new components, replacement of existing copper piping for auxiliary oil supply with stainless steel, , and addition of seismic restraints to the turbine skid piping. In addition to hardware improvements, the system surveillances include functional testing of the EG-R assembly on a quarterly basis during the performance of the IIPCI system flow rate test to assure reliable operation. Monthly , inspections to verify the correctness of system oil pressures require the auxiliary oil pump to be l cycled, and this operation results in cycling of the turbine stop valve and turbine control valve ; which further verifies the operability of the EG.R assembly. Furthermore, a tiered approach in the 1 electrical maintenance procedures (ECl-2-073-GOV 001, GOV 002, and GOV 003) provide an auditable process of governor control system checks and calibration. , The IIPCI turbine speed control is a very complex area that requires specialized attention. I EG-R actuator failures may increase as the HPCI system and speed control subsystem ages. j , Thus, the inspector (s) should confirm that there is adequate oversight on the modifications, I operations, maintenance and surveillances of the turbine speed control subsystem to ensure functional adequacy of the IIPCI system. ; B. Lube Oil Surply Faults l This failure mode subcategory consists of eleven failures to provide sufficient lubricating oil ] to turbine components. As presented in Table A-1, most of the failure events are related to the j auxiliary oil pump (AOP) faults which include two bearing failures and five auxiliary oil pump pressure switch faults. nree other events involving low bearing oil pressure events were attributed to valve mispositioning and oil contamination. < i t 6-4 ' f
, . _ . _ - , . - - . _ , - - _ , . _ , . ~ , , . , - , - , .
L There was one LER event at the BFN plant describing a lube oil supply fault. In this event (LER 260/82-016), the HPCI lubricating oil reservoir was found to be almost empty because the - reservoir drain valve was sufficiently open to drain most of the reservoir contents. This condition rendered the HPCI system inoperable. The cause of the problem was attributed to personnel error. Current surveillance practices at the BFN plant preclude the occurrence of such an event. Daily shift walkthrough inspections require plant personnel to verify that the lube oil reservoir is
- not depleted through visual observation. Furthermore, the HPCI lube oil reservoir is sampled once a month to assure contamination free oilin the tube oil reservoir supply. If degraded oil samples :
are found, the oil is filtered to return it within specifications. C. Turbina;_Overspeed and Auto Reset Problems The mechanical overspeed trip function is set at 125 percent of the rated turbine speed. The - displacement of the emergency governor weight lifts a ball tappet which displaces a piston that " allows oil to be dumped through a port from the oil operated turbine stop valve 2-FCV-73-18. This allows the spring force acting on the piston inside the stop valve oil cylinder to close the stop valve. The overspeed hydraulic device is capable of automatic reset after a preset time delay. In the industry-wide survey, overspeed and auto reset problems -were found to have
)_ contributed to eight failures in the turbine driven pump failure category. Although the LER search did not identify any event involving turbine overspeed and auto reset problems at the BFN plant, the licensee personnel should be cognizant of the potential problems of turbine overspeed trips } resulting in " lockout" conditions. Additional sources ofinformation on turbine overspeed trips are NRC Information Notice 86-14," 86-14 Supplements 1 and 2," and AEOD Case Study Report C602."
D. HPCI inverter Trins or Failures Control power supply for the BFN plant HPCI system was originally provided by the HPCI
. " Topaz" inverter that was powered from a 125 V DC bus. As a result of design modifications to have more reliable control power supplies for the HPCI system, the HPCI inverter was replaced with a direct connection to the Division 11120 Vac Uninterruptible Power Supply (UPS) system used by the analog trip system. The design change also added new 48 Vdc power supplies to provide reliable DC power to the governor control system. The present design of the HPCI system also include loss of power annunciator alarms in the main control room (MCR) for all HPCI control power supplies.
The LER survey for the BFN plant identified 4 LERs related to problems associated with the < old " Topaz" inverters. In three failure events (LERs 259/85-006,260/83-028 and 260/83-034), the HPCI system was declared inoperable as a result of blown inverter fuses. The fourth event (LER , 260/83-046) was related to a failure of the inverter transformer which resulted in the HPCI system being declared inoperable. Although the EPCI inverter has been replaced with a direct connection to the Division 11120 Vac UPS system in the present design of the HPCI system, the licensee personnel should be cognizant of the impact of fuse problems on the reliability of control power supplies. An extensive fuse control program has been implemented at the BFN plant to control activities related to fuses. This program includes fuse coordination calculations for safety-related power supplies, updated fuse drawings, and new identification documentation for safety-related 6-5 , f
l I J fuses. Additional information on potential problems due to inadequate fuse control programs is provided in NRC Information Notice 91-51." E. Turbine Ston Valve Failures The turbine stop valve FCV-73-18 is located in the steam supply line near to the inlet connection of the turbine. The primary function of the valve is to close quickly and stop the flow of steam to the turbine when appropriately signaled. A secondary function of this hydraulically operated valve is to open slowly to provide a controlled rate of admission of steam to the turbine and its governing valve. Review of the industry-wide operating experience indicated that there were 5 failures of the i turbine stop valve. Since 1980, two reportable events involving HPCI turbine stop valve failures have occurred at the BEN plant. In the first event (LER 259/80-026), the HPCI turbine stop valve 1-FCV-7318 would not open completely because of a worn out mechanical overspeed trip piston. In the second event (LER 260/82-012), the HPCI turbine stop valve 2-FCV-73-18 would not stay f open because the Leespring did not compress adequately to allow the trip mechanism to remain in the reset position. As part of a reliability-centered maintenance (RCM) program for the HPCI system at the BFN plant, the overspeed trip tappet is scheduled for maintenance inspections at every refueling 4 outage. Based on vendor information (GE Services Information Letter) which identified potential binding problems, the tappet assembly is replaced with a new component design with improved performance reliability. The vendor has also recently verified that the turbine stop valve has the correct spring constant in the pilot valve spring. In addition, operability of the turbine stop valve [ is verified on a quarterly basis during the performance of the HPCI system flow rate sutveillance test. During this test, the specified opening times of the turbine stop valve are' verified and anomalous operation of the valve is noted for corrective actions. i F. Turbine Exhaust Runture Disk Failures r The HPCI pump turbine has a set of two mechanical rupture diaphragms in series which protect the exhaust piping and turbine casing from overpressure conditions. When the inner disk ruptures, pressure switches initiate turbine trip and HPCI isolation signals. Low pressure steam flows past the ruptured diaphragm through a restriction orifice directly into the HPCI room. Rupture of the second disk would vent the turbine exhaust into the HPCI pump room without flow restriction. The nominal rupture pressure is approximately 175 psig. 1 Since 1980, there were two LER events related to turbine exhaust rupture disk failures at the BEN plant. In the first event (LER 260/80-032), failure of the teflon sheet portion of a rupture disc resulted in a HPCI turbine trip. The second event (LER 260/83-074) was related to the rupture of a turbine exhaust rupture disk which rendered the HPCI system inoperable soon after system initiation following a reactor scram.
.f in the IREP PRA study of the BFN plant, the dominant contributors to HPCI system unavailability were rupture disk failures. These failures accounted for about 31 and 45 % of HPCI system unavailability considered in the LOCA and transient initiated sequences, respectively. Thus, the installation of rupture disks with a structural backing (or the periodic inspection of the older 6-6 o
t I; type design of disk) was recommended to prevent these cycliv fatigue failures. Presently, the BFN plant utilizes "Fike Metal Product" rupture discs to ensure that the turbine casing does not experience overpressurization during a transient event. These rupture discs are replaced at every { five years to ensure satisfactory operation. Furthermore, design modifications and installation of new governor control system components climinate governor control system startup tran.'ients [ which had caused the rupture dise failures. l l G. Flow Controller Failures h f The flow controller 2-FIC-73-33 in conjunction with the electro-hydraulic turbine governor controls turbine speed and pump flow rate. The flow controller senses pump discharge flow and ) outputs a 4 to 20 milliamp signal to the turbine governor to maintain a constant pump discharge flow rate over the pressure range of operation. f There were no LER events involving flow controller failures at the BFN plant. j 11. Turbine Control Valve Faults i f In the industry-wide operating experience review, three turbine control valve fault events were attributed to different root causes. At the BFN plant, one LER event (LER 260/83-028) described the HPCI turbine control valve failure to open due to a misadjusted rod. Potential failures of the turbine control valve can occur as a result of broken lifting beam bolts or broken steam control valve pilot (or poppet). NRC AEOD Study Report T906" provides additional information on contributors to the bolt failures of HPCI Terry turbines. Presently, mechanical maintenance procedures (MMI-23) at the BFN plant include quality control inspections of all HPCI system mainwance work to preclude the occurrence of turbine control valve faults. In particular, these procC i es have a QC signoff for verification of the cover nut torquing after maintenance on the turbine control valve. f I. Ioss of Lube Oil Cooling The loss of tube oil cooling can be caused by faults in the cooling water lines to and from the cooler, cooler leakage, or flow blockage. A prolonged loss of lube oil cooling can lead to turbine
, bearing failure.
In the LER survey of the BFN plant, there was one event (LER 259/80-055) in which the pressure control valve 1-PCV-73-43 was found to be stuck closed due to a loose valve guide and this resulted in the loss of lube oil cooling. Presently, the HPCI system flow rate surveillance test procedure requires that all turbine and pump skid temperatures to be recorded durmg the test I performance for subsequent review to ensure adequate cooling is available to all system components including the presst ce control valves under normal operating conditions.
, J. Miscellaneous --- Valid Hich Steam Flow Durine Testine Another potential system failure involves the practice of running the auxiliary oil pump to t lubricate the turbine bearings or to clear an electrical ground in the system. In the Monticello plant, this practice was used in attempts to clear an electrical ground in the electro-hydraulic governor. A system test was initiated to confirm HPCI system operability when the electrical fault 6-7
could not be cleared. When the operator opened the turbine steam admission valve to simulate a ; cold quick start, the system isolated on high steam flow. The operation of the auxiliary oil pump , caused the hydraulically operated turbine stop valve to move from its full closed to its full open j position. When the stop valve moves from its fully closed position, it initiates a ramp generator , response that provides the flow control signal to the turbine steam admission valve and thus, l allowing it to move to the open position. Since the auxiliary oil pump had been running for some ' time, the ramp generator had timed out and a maximum steam flow demand signal was sent to the j control valve. This prevented the turbine steam admission valve from restricting steam flow as it > normally would during a turbine start, and this condition results in high steam flow and a valid system isolation. f Common practice in some plants include running the auxiliary pump periodically to keep the turbine bearings lubricated. When the auxiliary oil pump is running, the liPCI system wir isolate j if an automatic initiation signal is received at any time after the ramp generator has timed out, ; which occurs after approximately 10 to 15 seconds. The following corrective actions have been { taken at the Monticello plant to address the problem:
]
A modification has been approved that will climinate ramp generator initiation while the auxiliary oil pump is running unless a valid initiation signal occurs.
)
The llPCI system operating procedures have been revised to include caution statements l addressing system inoperability when the auxiliary oil pump is running. j h The operating procedures utilized to verify system operability have been revised to j include precautions about system status before and during the test. The control system j ramp generator function during the opening of the steam admission valve is described in 3 these procedures. i l in summary, this is a significant concern because a common plant practice has the potential ; to disable the liPCI system. BFN plant operating procedures (BF OI-73) address this problem" by { including a precautionary statement that if the auxiliary oil pump is started before the steam supply i valve FCV-73-16 is open, the possibility of a turbine trip due to overspeed or liPCI isolation due ; to excessive steam flow exists. i llPCI Failure No 2 - System Unavailability Due to Test or Maintenance Activities In a probabilistic risk assessment (FRA), estimates of system unavailability are determined l using a fault tree methodology. The fault tree is a diagrammatic representation of the known i contributors to system unavailability, in addition to component failures, the system may not bc ) functional due to testing or maintenance (T&M) activities. In a single train system such as the 4 IIPCI system, test and maintenance activities on one critical component may usually disable the ; entire system. It is important to keep the downtime of the IIPCI system due to 'l&M activitics as . Iow as possible because of its direct contribution to system unavailability. In the BFN plant IPE { analyses, the llPCI system unavailability was estimated to be 1.21E-5 per year and the importance l of IIPCI system was determined to be 0.16, i.e. about 16 percent of the plant core damage .: frequency were contributed by the likelihood of accident sequences involving failure of the HPCI ! system. The earlier 1 REP PRA study indicated that routinely scheduled surveillance tests and i ! maintenance account for over 25% of the IIPCI system unavailability. This particular value was i i 6-8 i P f'
l significantly higher than the T&M contribution in the other plant systems analyzed. In the present IPE analyses, the treatment of T&M contributions in the 11PC1/RCIC system models were conservative in that no credit was taken for the simultaneous performance of T&M procedures on the IIPCI/RCIC systems. Each performance of T&M activities was assumed to occur separately which resulted in the cumulative effects of T&M impact on liPCI/RCIC system unavailability. The root sources of execssive liPCI system unavailability due to T&M induced failures were examined as part of this operating experience review. In the industry-wide survey, forty-three examples of test or maintenance errors (27% of all11PCI system failures) were divided into three categories: 1) inadequate maintenance or insufficient post-maintenance testing,2) human error that inadvertently disables the HPCI system, and 3) system inadvertently disabled during testing activity. Inadequate maintenance or insufficient post maintenance testing resulted in 22 HPCI system failures. The problems included valve packing leaks, misadjusted torque switch settings, l miscalibrations of a steam line differential pressure instrument and an EGR actuator, improper _ connectian of a gland exhauster drain line to the tube (high pressure) side of the gland seal condenser, system adjustment without a retest, and a rag left in the turbine sump which disabled the shaft driven oil pump. In the second T&M category consisting of 4 HPCI system failure events caused by human
- crrors, pertinent examples include the disabling of the wrong HPCI system at a two unit site, l mistakenly disabling the auxiliary oil pump due to a smoke odor in the HPCI room, and valving errors which subsequently caused a low pump suction trip oc inadequate lube oil pressure at the l pump. The final category, " system inadvertently disabled during testing," consists of thirteen l
personnel errors that temporarily disabled the HPCI system. These incidents include steam line containment isolation valve closure due to errors during testing of the isolation logic, a valve motor failure due to overheating caused by excessive stroking during a surveillance test, and an inverter trip caused by personnel error which resulted in a high voltage condition affecting both Channel C battery chargers. Unlike the first two categories, the majority of these failures have a high probability of recovery. The search of HPCI system-related LERs identified 6 LERs generated at the 13FN plant that resulted from events in which the llPCI system was unavailable due to maintenance and testing activities. In most of these events, the IIPCI system was rendered inoperable during the performance of surveillance tests. One event (LER 259/82-032) occurred during testing activities l on the 4 kV relays in which the power supply breakers for the train A RHR and core spray motor driven pumps were racked out, and this resulted in the inoperability of both pumps and the HPCI system. Procedural deficiency and lack of communication were the causes of simultaneous j unavailability of these safety-related equipment. The next event (LER 260/82-014) described ) surveillances not being performed due to personnel error after the HPCI system was made inoperable to allow the performance of circuit calibrations. A maintenance-induced failure event (LER 260/83-009) occurred when the HPCI turbine failed due to erratic operation of the flow controller which was caused by trapped air in the hydraulic oil control system following maintenance work. Two events (LERs 260/83-047 and 260/92-003) resulted from deficiencies in installation procedures. In the first case (LER 83-047), a wiring error resulted in the HPCI system being inoperable during a tachometer calibration activity. The second event (LER 92-003) was related to the inadvertent installation of a test plug that was 120 degrees out of orientation. During performance of the HPCI system functional test, the inboard and outboard steam isolation valves isolated as a result of concurrent heating and subsequent activation of three temperature detectors { 6-9 1 l
which satisfied the logic for a Group 4 isolation. Corrective actions taken at the BIN plant include revising test procedures for safety-related equipment to incorporate human factors considerations to prevent human errors during calibration and installation activities. The last T&M cvent (LER 296/85-003) was related to the IIPCI system being declared inoperable for failing to reach rated flow in 25 seconds (actually took 35 seconds) as a result of an incorrectly set position of the limit switch which starts the 11PCI auxiliary oil pump. A discrepancy in engineering drawings caused the craftsmen to incorrectly set the switch position. The in-service inspection (ISI) program per ASME Code Section XI recommendations at the BlW plant ensures that relevant 11PCI system valves are ,
. checked to assure alllimit switch settings are in agreement with valve stem position and correctly indicated in the main control room. In addition, the RCM program requires that the Limitorque .
operators of safety-related valves to be checked during a refueling outage to assure no signs of ( damage in the torque and limit switches. I in summary, the T&M contributions to IIPCI system unavailability must be continuously monitored by the inspector (s) to assure it is as low as possible. The licensee should be administratively limiting the time that the 11PCI system is in test or maintenance during normal plant operation. System restoration should be vigorously pursued such that the 11PCI system should not be down for days when repair work can be reasonably accomplished in hours. Whenever feasible, portions of the system should be tested during outages. In addition, llPCI system unavailability can also be minimized by adequate root cause analysis and effective corrective action to avoid multiple system outages to address the same failure. Efficient work planning and good engineering practices could also prevent inadvertent or unnecessary removals from service and system isolations during calibration or surveillances. The licensee at the BlW plant has set the present unavailabilty goal of the Unit 2 IIPCI system to be 0.016. IIPCI Failure No. 3 - False liigh Steam Line Differential Pressure Isolation Signal The llPCI system is constantly monitored for leakage by transmitter devices sensing steam flow rme, steam pressure, area temperatures adjacent to liPCI steam lines and equipment, and high IIPCI turbine exhaust pressure. The steam flow rate is monitored by two differential pressure switches located across two different cibows in the steam piping inside the primary containment. The flow measurement is derived by measuring differential pressure across the inside and outside radius of each cibow. If a leak is detected, the IIPCI steam line is automatically isolated and the liPCI system isolation is annunciated in the main control room. Over the 12 year review period, there were no LERs in this failure category identified for the BFN plant. IIPCI Failure No. 4 - Turbine Steam Inlet Valve FCV 7316 Fails to Open 4 Motor operated valve FCV-73-16 is a normally closed, DC powered gate valve. This valve opens on an automatic or manualinitiation signal, provided that the turbine exhaust valve is open, to admit reactor steam up to the turbine stop valve. In the industry-wide survey, there were 8 failures of this valve to open on demand which comprise 5% of all11PCI system failures. Most of these failures were due to mechanical / thermal ) 6-10 f l
d i i i- binding problems due to insufficient stem lubrication, loose torque switch adjustment screws, and ' ( inadequate opening torque capability. There were no LERs in this failure category identified during the 12 year review period for the BFN plant. ; IIPCI Failure No.5 - Pump Discharge Valse FCV-73-44 Fails to Open , I' Motor operated valve FCV-73-44 is a normally closed, DC powered gate valve that is automatically opened upon system initiation. The failure of this valve to open disables the HPCI system to inject water into the reactor vessel. ) i ) nere have been 8 HPCI pump discharge valve failures documented in the industry wide j operating experience review which account for 5% of all system failures. Most of the valve failures ' ,\ were generic problems including valve motor failures, a ground of the DC control voltage at the . , torque switch, and inadequate torque problems due to the use of starting resistors in the valve , motor circuitry. i
- The BFN plant did not have any reportable failures of the HPCI pump discharge valve FCV-j 73-44 over the 12 year review period.
]
G IIPCI Failure No. 6 - IIPCI System Interactions l l J Systems interactions refer to unrelated system failures that can disable the HPCI system. , ! Although there is no associated PRA. based failure category, the industry-wide operating experience : review identified the following examples of system interactions that disabled the HPCI system: t ' a) During a fire protection system surveillance test, approximately one gallon of water drained onto a battery powered motor control center (MCC) causing a circuit breaker- > overload trip and valve inoperability. b) A cracked flow control valve test coupling allowed water to be sprayed on a battery powered MCC and resulted in disabling a loss of power monitor on the main steam line , drain. The HPCI system was disabled when the MCC was deenergized to allowinspection l and drying of the components. c) An automatic sprinkler system in the HPCI room activated after a system test. The probable cause was buildup of steam vapor from the leakoff drain system that activated p an ionization detector. d) Setpoint drift in a Fenwal temperature switch caused activation of a deluge system during j 7 a HPCI turbine overspeed test. . l The LER survey identified one LER event at the .BFN plant in which system interactions ' problems affected HPCI system operability. In this event (LER 259/82-032), the power supply breakers for train A RHR and core spray pump motors were racked out during the performance : of a surveillance test on the 4 kV relays, and this resulted in both safety-related pumps and the i HPCI system inoperable. Procedural deficiency and lack of communication were the causes of the simultaneous unavailability of these safety-related equipment. Operator training lessons at the BFN i plant include examples and descriptions of consequences of support systems interactions that may 6-11
-. . - ~ -
i i i
-i cause HPCI system inoperability. The training objectives of providing awareness of system i
. interactions problems are further tested and reinforced by simulator training exercises which l include proper diagnosis of the effects of the system interactions scenarios.
HPCI Failure No. 7 - System Actuation Logie Fails
-1 Startup and operation of the HPCI system is automatically initiated upon detection of either - .
l low-low reactor vessel water level (- 45.0 inches decreasing) in the retetor vessel or high drywell ' pressure (2.45 psig. increasing). The HPCI system can also be manvally initiated by arming and then depressing the manual initiation switch in the control room. In the industry-wide survey, there were 4 LERs associated with this failure mode. These LERs illustrate that failure of the HPCI system actuation logic is more likely due to common causes such as the loss of electrical power. Unlike the llPCI system trip logic, the redundancy (one out of two : twice design concept) and the diversity (low vessel level /high drywell pressure conditions) of the ! actuation logic make it less susceptible to the impact ofindividual sensor failures. Over the 12 year : review period, there were no LERs in this failure category identified for the reactor level and containment pressurization instrumentation of the BFN plant HPCI system. ; i IIPCI Failure No. 8 - False Iligh Area Temperature Isolation Signal The HPCI system is constantly monitored for leakage by transmitter devices sensing steam flow rate, steam pressure, and area temperatures adjacent to the steam line and equipment. If a leak is detected, the system is automatically isolated and alarmed in the control room. At the BFN plant Unit 2, the high HPCI system area temperature (indicative of a steam leak)is monitored by the temperature switch 2-TS-73-2A-S. I In the industry-wide survey, this category accounted for three HPCI system failures ( i.e., about 2% of all failures). During the 12 year review period, there were no LERs identified for the BFN plant that were related to false high HPCI system area temperature isolation signals. 1 IIPCI Failure No. 9 - False Low Suetion Pressure Trips l L The purpose of the low pump suction pressure trip is to prevent damage to the HPCI pumps ! due to loss of suction. At the BFN plant Unit 2, the pressure switch 2-PS-73-29 actuates to cause . the turbine stop valve to close in the event that low HPCI pump suction pressure is' sensed. 1 In the industry-wide survey, there were two occurrences of HPCI pump turbine trips that were attributed to false low suction pressure signals. However, the BFN plant has not experienced any HPCI system isolations due to false low pump suction pressure trips since 1980. IIPCI Failure No.10 - False High Turbine Exhaust Pressure Signal The high turbine exhaust pressure signal is one of several logic signals from'the protective . turbine trip circuitry that close the turbine stop valve and isolate the HPCI system. The high , turbine exhaust pressure signal is generated by pressure switches PS-73-22A and PS-73-22B at the i BFN plant, and is indicative of a turbine or a control system malfunction, i L 6-12 i i
, - . . , . - . , , - , - - ,-r
. . . ~ , .,.
[ Other Failure Modes The industry-wide Operating Experience Review did not identify any HPCI system failures for -! the following PRA-based failure modes: ,
- Normally Open Pump Discharge Valve FCV-73-34 Fails Closed.or is Plugged ~
Pump Discharge Check Valve FCV-73-45 Fails to Open
- CST Suction Line Check Valve CKV-73-505 Fails to Open a CST Suction Line Manual Valve HCV-2-705 Plugged . .
- Normally Open CST Pump Suction Valve FCV-73-40 Fails Closed or Is Plugged ;
Suppression Pool Suction Line Check Valve CKV-73-517 Fails to Open .
- Normally Open Steam Line Containment Isolation Valve FCV-73-2 or FCV-73-3 Fails Closed a
Steam Line Drain Pot Malfunctions I'
- Turbine Exhaust Line Vacuum Breaker Valves Fail to Operate Suction Strainer Plugged
' Die PRA-based prioritization of HPCI failure modes have a good correlation with the actual industry-wide experience of HPCI system failures. With the exception of the first failure _ mode 1 listed above for the pump discharge valve FCV-73-34, all of the HPCI faults listed above have been considered as " low importance" failure events in the PRA-based rankings of Section 4. l In the LER survey, one LER event involving failure of the steam line isolation valve was identified for the BFN plant. In this event (LER 296/84-013), the HPCI outboard steam line isolation valve FCV-73 3 could not be opened electrically because the motor pinion gears had been installed backwards. Current surveillance practices at the BFN plant include verifying. proper operation of all HPCI system flow / pressure control valves (e.g., FCV-73-19, FCV-73-43, PCV 501, PCV-73-502, etc.) during the performance of HPCI system flow rate tests.
6.2 Site Visit Observations During a plant site visit to the BFN plant, discussions on various aspects of operation, maintenance and surveillance of the HPCI system to ensure reliable system performance were held ; with licensee representatives. Recent or planned modifications to prevent or eliminate problems , identified in previously issued LERs were discussed. The recent or planned modifications to upgrade the HPCI system at the BFN plant are: a) The governor wntrol system has been redesigned and upgraded with new components such l as a new overspeed test controller in place of the original bias speed setting potentiometer, I l new and more reliable 24/48 Vdc power supplies, and new replacement: of the: ramp 3~ generator / signal converter (RGSC) box, EGM controller, speed sensor and cable assembly; ,. b) The EGM control panel has been relocated from the turbine skid to the HPCI room wall to- r l eliminate the vibration effects of the skid environment as well as allowing ' case of - F maintenance; c) Seismic restraints has been added to the turbine skid piping to improve the margin of safety' , and seismic qualifications; , 9 6-15 s.-.,-- - , , , ,,,,, __,, , ._,
,- -. - , - < , , , , - - - ..,w
d) Existing copper piping for the auxiliary oil supply has been replaced with stainless steel to be i compatible with correct material requirements; ( c) Control power supply from the IIPCI " Topaz" inverter has been replaced with a direct , connection to the Division 11120 Vac Uninterruptable Power Supply (UPS) system used by the analog trip system; f) A one-inch relief valve (2-RFV-73-506) has been installed in the llPCI booster pump suction piping to ensure the mitigation of overpressurization events; and / g) The tappet assembly on the overspeed trip was being replaced with a new Dresser-Rand design based on the recommendation of GE Service Information Letter (SIL) No. 392, / Revision 1. In addition to the above modificatons. the licensee have established a reliability-centered maintenance (RCM) program for maintenance of the HPCI system and a recommended surveillance program per ASME Section XI requirements to check limit switch settings of all relevant IIPCI system valves. Furthermore, the licensee has instituted a performance monitoring program to assure contamination free oil in the lube oil reservoir supply and introduced requirements in mechanical maintenance procedures (MMI-23) to include quality control inspections of all pertinent HPCI system repair work. It is noted that there is a concerted effort at the BEN plant to upgrade the IIPCI system control equipment that would preclude the effects of component obsolescence, improve system reliability and thus, enhance IIPCI system availability. 6.3 Contribution of Human Errors to System Unavailability The potential for human error exists for activities involving maintenance, calibration, surveillance, ano operation of plant systems. In PRAs, the influence of operator error on plant risks is typically modeled both in fault trees (system failure diagrams) and in the event trees that delineate the postulated sequences. As such, these human errors are usually defined as gross actions that can cause complete failure of a system. Typical human errors considered in PRAs that affect IIPCI system availability are: a) Failure to manually start the high pressure injection system after automatic injection fails, b) Operator failure to transfer pump suction from the CST to the suppression pool after a pump trip on low suction due to CST unavailability, c) Failure to provide makeup to the CST during an ATWS event, 1 d) Failure to transfer pump suction from the suppression pool to the CST during an event in which high suppression pool temperatures are reached (e.g., during an ATWS event, or during a non-ATWS event where there is failure of suppression pool cooling), c) Failure to override the HPCI high. temperature isolation logie (.or station blackout sequences), 6-16
. ~ . . .
.sta...JJu.ud..au .Ju4 .
f) MiscaHbration of IIPCI system sensors that disables system actuation, causes system isolation on erroneous high RPV level indication, or results in false system isolation signals, and g) Failure to reset the IIPCI system for operation after testing or maintenance. Except for the last two listed items, all these human errors are either: (i) conditional errors, i.e., mistakes made within the context of an liPCI system failure or isolation (errors a and b), or (ii) event specific errors (items e, d and e). These types of human errors make direct observation of their occurrence unlikely.Therefore, the potential for these human errors can only be evaluated indirectly by a review of the licensee procedures and observation of operator performance at a simulator. The last two types of human errors can occur during normal operation and thus, are more casily inspectable. NRC Resident Inspectors routinely examine surveillance, calibration and - maintenance practices and procedures, and perform main control room and plant lineup verifications of ECCS. IIPCI system operability is confirmed by checking the steam supply and exhaust lineup, pump suction and discharge lineups, and the control function settings (hand / auto station in automatic mode). In addition to the examination of licensee practices and procedures, the application ofinsights from the review of industry-wide experience can help reduce a significant portion of the HPCI system unavailability due to human error contributions. In the reactive mode, a thorough root cause analysis and suitable corrective measures can prevent similar occurrences in the future. In the LER survey of HPCI system-related failure events at the BFN plant, five LERs describing failure events caused by human errors were identified. These 5 LERs are brictly summarized below: (a) LER 259/85-056 described a c( nfiguration problem in which the normal and alternate control power supplies to the 4kV shutdown board "A" were found to be reversed as a result of a wiring error that was attributed to personnel error during the initial installation of the shutdown battery board. (b) LER 259/82-032 described the simultaneous unavailability of safety systems due to procedural deficiency and lack of communication, when the power supply breakers for train "A" RHR and core spray pump motors were racked out during the performance of a test on 4 kV relays which rendered the safety-related pumps and HPCI system inoperable. (c) LER 260/82 016 reported that the HPCI system was rendered inoperable when the HPCI system lubricating oil reservoir was found to be almost empty because the reservoir drain valve was opened 1 and 1/2 turns as a result of personnel error. (d) LER 260/83-028 described a HPCI turbine control valve failure to open because of a rod misadjustment. (e) LER 296/84-013 described the inability of HPCI outboard steam isolation valve FCV-73-3 to be opened electrically because the motor pinion gears had been installed backwards. 6-17
o l 1 Present practices at the BFN plant include incorporating lessons learned from LER analyses into the training programs for maintenance and surveillance test personnel, and utilizing insights from root cause analyses to resolve a mixed spectrum of potential problems. A Site Standard Practice document (SSP-12.9) provides guidance for the performance ofincident investigations and root cause analysis of significant and some non-significant human errors related to the operation, maintenance and surveillance of the llPCI system. This document also provides the requirement for mandatory training of at least one member of the incident investigation team in root cause analysis techniques. The implementation of this site procedure has proved to be useful in identifying and rectifying problems. 6.4 Additional System Considerations The LER survey of industry-wide experience has identified several other HPCI system considerations that could impact the overall risk of a plant. These considerations are discussed in ' the following subsections with any related BFN plant experience. 6A.1 LOCAs Outside Containment Unlike the 11PCI system failure modes discussed previously, that result in unavailability of the system for core damage mitigation purposes, failures in the llPCI system boundary can te potential initiators of a LOCA outside conuinment. The industry survey identified degradations nf the steamline isolation function and pump suction line overpressurizations as potential cau es. Examples of steam line isolation problems include: a steamline differential pressure transmitter with a non-conservative setting, and an inboard containment isolation valve that failed to close. Examples of pump suction line overpressurizations include: a slow closure of the pump dischargo check valve that caused a pressure surge after a turbine trip, and a water hammer caused by steam void collapse folluwing system initiation after feedwater backleakage elevated the temperature in the pump discharge line. (NRC IN 89-36 provides a discussion on elevated temperatures in ECCS systems.") At the BFN plant, the main control room has analog indicating loops to provide indication of the llPCI booster pump suction pressure (PI 73 28A) and the main pump discharge pressure (PI-73-31 A). Backleakage from the feedwater system would cause these pressures to increase noticeably and the instrumentation would alert operators to respond to the potential overpressurization problem. In general, the potential event of IIPCI system LOCA outside containment is considered to be a small contributor to the total core damage likelihood. The diversity of the steam line break-6-18
_. -- _ m _ _ ._ _. _ _ _ _ . _ _ __ .. I i detection logic and the downstream feedwater check valve reduce the potential for an unisolated LOCA outside containment. The examples presented above are potential areas for inspection to assure that plant design or operation does not increase the possible occurrence of this initiator. 6.4.2 Support Systems Required for HPCI System Operation The high pressure coolant injection system is dependent on other systems (called support systems) for successful operation. These systems are: DC Power For system control, pump operation and valve movement. Room Cooling For HPCI pump room cooling to support'long term operations. This function requires service water (for cooling) and AC power . supply for the fan motor. IIPCI Actuation RPV level and primary containment pressure instrumentation for system initiation and shutdown. . Review of the HPCI system operational history showed that the influence of reliable support systems on HPCI system availability was obviously significant. The loss or degradation of the DC battery or DC bus that provides control power to the llPCI system has a straightforward effect. Besides battery charger problems or inadvertent fuse openings, the unusual DC system problems included a battery degradation due to corrosion of the cell plates. The suspected cause was a
- galvanic reaction due to plate weld metal impurities. Another concern is insufficient voltage at the load centers during degraded voltage conditions which could trip the station inverters or fail MOVs (e.g., Browns Ferry 1, Brunswick 1 & 2 and Nine Mile Point 1 events). This problem would be of particular concern during a loss of offsite power or a station blackout event. A BFN plant LER (LER 259/85-032) reported the potential for electrical support system failures.
The effects of loss of HPCI room cooling on continued HPCI system operation are not very clear. Tolerable ambient conditions in the HPCI room is typically required to support long term HPCI system operation. Besides random failures which can occur at any time, there is one accident ! sequence specific effect that should be examined. During station blackout conditions, the HPCI room temperatures may increase substantially when continued HPCI system operation is most critical. At the BIN plant, the HPCI pump room does not have any room coolers. However,it is , l open to the adjacent RHR quadrang!c area which is ventilated automatically by room coolers that are activated on high temperature in the area. Although there are plant procedures (2-EOI-3) to address proper operator response to lower any high temperature condition in the HPCI room, the licensee actions to preserve HPCI system operation should be examined. ne licensee should have . acceptable nump room and steam line temperature calculations, or have other proceduralized ! provisions i bypa:- high temperature isolation) to assure long term HPCI system operability. The RPV level or high drywell pressure instrumentation is required for actuation of various 1 ECCS systems including the HPCI system. The operating experience review did not have any pertinent examples of failures of the ECCS actuation logic which directly affected HPCI system operation. This is because the ECCS actuation instrumentation logic does not activate the HPCI , system directly. The initiation signal to start the HPCI system automatically is relayed via the 6 19 t 9
, , _ , . ...2, , ,._..-,,v -- _
Shared Actuation Instrumentation signals generated to actuate intermediate ECCS systems in response to plant abnormal conditions. In summary, support system malfunctions sometimes can impact liPCI system operation in a subtle manner. Within the context of specific accident scenarios, the incipient failure of these support systems may render the front-line system inoperable. The inspector (s) should verify that licensee personnel are aware of these support system dependencies and confirm that compensating measures are adequate to address this concern. Presently, operator training lessons at the BFN plant include examples and descriptions of consequences of support system interactions problems that may cause llPCI system inoperability. Awareness of support systems interaction problems are further tested and rcinforced by simulator training exercises to enhance proper diagnosis of the effects of the systems interaction scenarios. j i 6.4.3 Simultaneous Unavailability of Multiple Systems l Multiple system unavailability of certain functionally related systems is a major concern because of the increased risk associated with continued operation. Although standard technical specification 3.0.3 provides the operational constraints to limit the risk exposure somewhat, the licensee should avoid planned multiple system outages if possible. l l Within the context of the accident sequences discussed previously (in Section 3), unavailability { of certain combinations of systems results in a relatively large risk of core damage. For example, the llPCI system operating experience review found nine LERs that documented simultaneous unavailability of IIPCI and RCIC systems. During such outage periods, the probability of core damage becomes very much higher due to the increased likelihoods of accident sequences in which IIPCI and RCIC systems are required for mitigation purposes. This would include all of the accident scenarios described in the Accident Sequence Description except for the "Unisolated LOCA Outside Containment" sequence. Unavailability of the HPCI system and an emergency , diesel generator together would have a similar impact on overall plant risk. Additionally, the simultaneous unavailability of the IIPCI system and ADS (one LER describes this occurrence i during logic testing) would have a significant impact on the progression of Sequence 1, "less of liigh Pressure Injection and Failure to Depressurize". Although some of these LER examples of multiple system unavailability were due to random failures, the majority of such outages involve licensee decisions to disable a system for surveillance tests when another critical system is not operable. At the BFN plant, Technical Specification 3.5.c - items 2 & 3 forbid multiple systems to become simultaneously unavailable during normal plant operation." Plant procedures SSP-7.1 " Work Control" and SSP-7.2 " Outage Management" provide guidance to the Operations staff to ensure that Technical Specifications for the BFN plant units are maintained when plant conditions require outage work to be performed. If one system is out ! of service and another system unexpectedly becomes inoperable, the Operations Shift Supervisor is responsible for placing the plant in safe shutdown conditions per SSP 12.1 T2mduct of Operations" in conformance with Technical Specifications. In the LER survey, two LERs were found to describe occurrences of simultaneous unavailability of IIPCI and other safety systems at the BFN plant. In the first esent (LER 259/82-032), the power supply breakers for the train "A" RliR and core spray pump motors were racked out during the performance of a surveillance test on 4 kV relays which rendered the safety pumps 6-20 1 m ,-mr ~ , . - , - , ~.-,r- - y - y,-- - *. w ~wy
i and the HPCI system inoperable. The second event (LER 296/85-003) was related to the HPCI system being declared inoperable as a result of failing to reach rated flow in 25 seconds (actual time taken was 35 seconds) due to an incorrectly set limit switch which starts the HPCI auxiliary oil pump, and a failed restart of the RCIC pump during a subsequent RCIC pump operability performance test to satisfy technical specification requirements.The RCIC pump failed to restart , because the limitorque operator of a motor-operated steam isolation valve would not reope , to allow steam supply to the pump turbine. At the BFN plant, administrative control procedures prevent unavailability of multiple systems [ due to testing and maintenance activities. The operations staff is required to assure that no ; i licensed conditions are violated when removing a system from service. Furthermore, all repair work or testing ou a system must be approved by the operations staffin accordance with procedure SSP-7.1 " Work Control" and procedure SSP-8.1 " Conduct of Testing." s
)
i
~i 6-21 y... ,-
l l
- 7. SUMMAlW l This System Risk-Based inspection Guide (System RIG) has been developed as an aid to IIPCI system inspections at the Browns Ferry Nuclear Plant. The document presents a risk based discussion of the role of the llPCI system in accident mitigation and provides a catalogue of PRA-based ilPCI system failure modes. In addition, the system RIO uses information from industry operating experience, including illustrative examples, to augment the identification of the basic PRA failure modes. The risk-based input and insights from the operating experience database have been combined to develop a set of composite rankings of failure modes for the llPCI system.
Table 4-2 shows the ranking of these llPCI system failure modes. This information can be used to optimize NRC resources by properly allocating proactive inspection efforts based on risk considerations and industry experience. In addition, important component faults are summarized , in Section 6 and the discussions of risk implications provide insights both for routine inspections and the " post mortems" conducted after the occurrence of significant failures. Review of the BFN plant IIPCI system operational history has identified the following , component failure modes that experienced a high frequency of occurrenec: i turbine speed control faults, inverter trips or failures, turbine stop valve failures, turbine exhaust rupture disk failures, and CST / suppression pool switchover logie failures, in addition, there was a relatively large number of IIPCI system failure events due to test and maintenance activities. The importance of keeping the llPCI system downtime due to T&M activities as low as reasonably possible is to minimize its direct contribution to system ' unavailability. These areas should be given further attention during routine inspections and specialized inspection activities in the future. As the BFN plant matures in its operating lifetime, the incidence ofinadvertent HPCI system isolations due to surveillance and calibration activities is expected to deercase because ofimproved knowledge of the system. Ilowever, component failures duc to aging-related causes are expected to become a more significant contributor to the BFN plant IIPCI system failure distribution.
- Review ofindustry-wide operating experience has identified several IIPCI system failure events due l to component aging problems in the pump and turbine control systeins at a few older BWR plants I
including the Browns Ferry nuclear plant. It is noted that there is a concerted effort at the BFN plant to upgrade the IIPCI system control equipment that would preclude the effects of component obsolescence, improve system reliability and thus, enhance HPCI system availability, ; 4 1 I i I 7-1 l
Recommendations have been made throughout this document rc~arding the emphasis or focus of inspection activities for the llPCI system at the BFN plant. Sonic of these suggestions are generie in nature, but some recommendations. related to specific maintenance, testing, or operational activities conducted at the BFN plant are made to assure that a highly reliable operation of the IIPCI system is maintained. These recommendations could also be useful to the licensee in planning and conducting self-initiated safety system functional inspections (SSFis) on various safety systems including the IIPCI system to ensure functional adequacy and operational readiness of a plant system. t 7-2 (
l l-l
- 8. REFERENCES
- 1. NUREG/CR-5692, " Generic Risk Insights for General Electric Boiling Water Reactors," R.
Travis, et al., May,1991.
- 2. NUREG/CR-2802, " Interim Reliability Evaluation Program: Analysis of the Browns Ferry Nuclear Plant, Unit 1," S. Mays,et al., July,1982.
- 3. IPE Submittal, " Browns Ferry Nuclear Plant, Unit 2. Probabilistic Risk Assessment,"
September,1992.
- 4. Shoreham Nuclear Power Station Probabilistic Risk Assessment, Docket No. 50-322, Iong Island Lighting Company, June,1983.
- 5. NRC Case Study Report, AEOD/C502, "Overpressurization.of Emergency Core Cooling Systems in Boiling Water Reactors," Peter Lam, September,1985.
- 6. Brookhaven National Laboratory (BNL) Technical Report A-3453-87-5 " Grand Gulf Nuclear Station Unit 1, PRA-Based System Inspection Plans " J. Usher, et al., September,1987.
- 7. BNL Technical Report A-3453-87-2," Limerick Generating Station, Unit 1, PRA-Based System Inspection Plans," A. Fresco, et al., May,1987.
- 8. BNL Technical Report A-3453-87-3, "Shoreham Nuclear Power Station, PRA Based System Inspection Plans," A. Fresco, et al., May,1987.
- 9. BNL Technical Report A-3864 2," Peach Bottom Atomic Power Station, Unit 2, PRA-Based System Inspection Plan," J. Usher, et al., April,1988.
- 10. BNL Technical Report A-3872-T4, " Brunswick Steam Electric Plant, Unit 2, Risk-Based Inspection Guide," A. Fresco, et al., November,1989.
- 11. NRC Information Notice 86-14,"PWR Auxiliary Feedwater Pump Turbine Control Problems,"
March 10,1986.
- 12. NRC Information Notice 86-14 Supplement 1, "Overspeed Trips of AFW, IIPCI and RCIC .
Turbines," December 17,1986; Supplement 2, August 26,1991.
- 13. NRC AEOD Case Study Report C602," Operational Experience InvolvingTurbine Overspeed Trips," August,1986.
- 14. NRC Information Notice 9151," inadequate Fuse Control Programs," August 20,1991.
- 15. NRC AEOD Technical Review Report T906," Broken Limiting Beam Bolts in HPCI Terry Turbine," April 18,1989.
- 16. Browns Ferry Nuclear Plant Operating Instructions, HPCI,01-73, Revision 0, April 18,1988.
8-1
- 17. NRC AEOD Report E402, " Water llammer in BWR High Pressure Coolant Injection -
Systems," January,1984,
- 18. NRC Information Notice 82 26, "RCIC and IIPCI Turbine Exhaust Check Valve Failures,"
July 22,1982.
- 19. NRC Bulletin 88-04, " Potential Safety Related Pump 1.oss," May 5,1988.
- 20. NRC Information Notice 89-36," Excessive Temperatures in Emergency Core Cooling System Piping located Outside Containment," April 4,1989.
- 21. Browns Ferry Nuclear Plant, Unit 2, Technical Specifications, Amendment No. 215, May 21, 1993.
Additional References A. Browns Ferry Nuclear Plant Licensed Operator Training Materials, HPCI System, OPL 171.042, Revision 4, March 26,1991. B. GE Service Information Letter, SIL No. 392, Revision 1, " Improved HPCI Turbine Mechanical-IIydraulie Trip Design," November 28,1990. 8-2
( APPENDIX A-1
SUMMARY
OF INDUSTRY SURVEY OF llPCI OPERATING EXPERIENCE IIPCI PUMP OR TURBINE FAILS TO START OR RUN A-1
Table A-1 HPCI Pump or Turbine Fails to Start - Industry Survey Results l Failure Desc_ Root Cause Corrective Measures Comme nts Insgetion Guidance TURRINF FPEED CONTROL > FAUI U EGM control box malfunction Two simdar failures attributed to aging EGM printed circuit boards will be Each of these EGM control box effects due to long term energitation and replaced at eight year intervals. failures occurred at older plants pembly elevated ambient temperatures. Addaional llPCI pump room coolmg and appear to be aging related. An EGM printed circuit board faikd and added. caused a false high steam flew signal. De second failure involved the electronics in the control box chassis. EGM control box had a ground. Two printed ctreuit boards replaced. Miscahbration of null voltage settings. Recalibration of voltage settings. Failed transistor in the EGM control box. Box replaced. Surveillance procedures being expanded to verify proper functioning of the outpot
> speed circuit.
04 Motor speed IIPCI faikd auto initiation sunri!!ance Error was not detected during a changer /UG-R because the electrical connections between previous test at 160 psig. Procedures actuator matfunctions. the governor and the control valve revised to functionally test the electrohydraulic servo were in error. gtwernor control sptem during the km pressure suncillana testing. l Capacitor failure in motor gear unit. Replaced capacitor Failure may have been caused by Ambient temperatures in excessive llPCI room equipment areas should be temperature. verified with specifications. Irnproper gaping and foreign accumulation Component replaced or seniced. on contacts. EG-R actuator grounded at pin connection Corrosion products renxwed. due to the accumulation of corrosion products. Here were three occurrences of this event that have been attributed to a design change in the actuator pin connections.
Table A.1 (Cont'd) # Failure Desc. Rwt Cause Correct've r Measures Comme nts InsFction Guidance , J,,
; Dropping resistor Resistor box design deficiency.special test Resistor box modified to ensure assembly problems. showed output voltage insufficient when EGM control to will receive input voltage at design minimum. required voltage under worst case conditions. - <
Resistor Failure Resistor component replaced Ramp teneratorsignal Slow IIPCI resp.mse time attnbuted Gain and time settings reset. Settings had not been modified converter twax. incorrect turbine imp gain and ramp time based on power ascension test
- settings. program.
i Magnetic speed Cabic damaged during IIPCI maintenance Cable repaired. i pickup cable. preventing speed feedback to the speed controller. 4 Speed centrol lawe control room panel terminations.. Repaired panel terminations.
+
, potentiometer. ) , I Ulm O!!: SUPPI Y FAUll3 Auxiliary oil pump Microswitch within pressure switch fails. Microswitch replaced. 2 additional failures due to A pressure switch fails. miscalibratkm. and one attributed to a piece of teflon -p . tape that blocked sensing orifice of switch. j loose hydraube control sutem pressure Component adjusted. switch contacting arm. -! Auxiliary oil pump Pump bearing failurc degraded pump Pump replaced.- Similar ewnt. pump motor l. failure, performance,1ower discharge pressure, besring failure was possibly due , bearing had been recently replaced- to daily use to supply oil to potential human error. turbine stop valve. Atiditional low Iluman error. All control valves Valves correctly positioned, handtes Two similar events have occurred bearing oil pressure mispositioned. removed. Surveillance revised to at other piants. occurrences. check oil pressure during turbine test. -t .. Lmbe oit Paraffin in tube oil coated piston caused Piston cleaned. He process of periodically contamination. binding of hydraulic trip relay, sampling tube oil should be verified. j l k 4 9
- m. w e_---
Table A-1 (Cont'd) I' Failure Desc. Root Cause Corrective Measures Comments laspection Guidance 1URHINE OVI:RSPTTD AND 3 1 AlfTO RFSIT PR ollt fM 5 Electrical termination lase electrical terminainm on solenoid Wiring to the solenoids will be lhe corrective action for a failures valve cod disabled the remote reset restrained to reduce strain on the similar earlier event apparently function l'ailure attnbuted to normal terminstims- did not address the root cause of IIPCI vibration. the failure. Gerspeed trip device Overspeed trip device tappet assembly Tappet remachined. Similar occtarrence at another tapped binding. head was bindmg in valve body. plant. Polyurethane tappet, previously machined per GE guidance had crperienced additional greath. loow hydraulic control sptem pressure Repaired contactor arm. None. switch contactor arm. te Drain port blocked. Erratic stop valve operation. Ilkwked drain Drain port cleared. Additionalinformation on port in mrspeed trip and auto reset turbine overspeed trips is piston assembly caused trip mechanism to prcwided in NRC Information grie between tripped and normal Notice 86-14 and 8614. Supp. 3. pcsitions INYFRlFR TRIPS OR Fall URI3 Imtrter tripped and could not be reset Replaced inverter. due to a failed diode. See Ref.16 for effects of irwerter aging and preventative measures. Inverter failed due to the failure of an Repland imttter, A similar event imutving a internal capacitor. ruptured capacitor occurred at another plant. Internal electronic Inverter overheating due to a failed Repaired or replaced cooling fan. faults integral cooling fan. Inverter failure due to bkmu fuse. Replaced fuse. i
1.,
~
Table A-1 (Cont d) Failure Dese. Root Cause Corrective hicasures Onmments Inspection Guidancr Internal electronic Inverter trip due to high volt 2Fe ut eint Equalize voltage was reduced faults (cont'd) drift. allowing inverter to reset. TURBfNF STDP VALVE FAILURPS Control oil leaks. Od leak developed at pilot valve Flange bolts torqued. Similar event at another plant. assembly / hydraulic cylinder flange tolts were loose. Pilot oil trip solenoid Vahr stuck open due to disintegration of Valve's expendable parts now valve. diaphragm that caused va?ve plunger to scheduled for replacement at every j stick above the rical third refueling outage. l 1 Valve would not open due to excessive Piston rings were fabricated from Further discussion L' IE Circular leakage of piston rings in hydraulic resin impregnated leather. Vendor 80-07. cylinder actuator, remnmended replacement every five years. Potential aging concern. hicchanical valve Valve and actuator stems separated at split 11alance chamber adjustment was Similar failure occurred involving Overstress and ultimate , y failures. coupling. Balance chamber adjustment performed in 1985 per Gli SIL 352. a loose vahr position sensor fracture will usually occur l 6 drift believed to have caused increased Adjustment will be checked quarterly bracket that caught on actuator at the undercut on the , momentum and disk overtravel. for a minimum of 3 quarters. housing when the valve opened. coupling threads due to I De valve failed in the open reducing cross section. j position. Incipient stem failure may ; be indicated by circumferential cracks in threaded stem area. l TURI!!NE IN11AUST RUI'lVRE DISK Cyclic fatigue. . Inner rupture disk failed do - :lic Both disks replaced with an Improved design appears to AEOD Report E402 fatigue (alternating pressure as- euum improved design that has a structural climinate the cyclic fatigue provides additional ' within the exhaust line). Vacuum occurs ' backing to prevent flexing during failure mode, examples of turbine during cold quick starts with cold piping. exhaust line vacuum conditions. exhaust rupture disk failures. Water hammer Exhaust diaphragm ruptured by water Blocked hne cleared; rupture disk A similar event has occurred at induced disk rupture. carryover from exhaust line drain pot due replaced. another plant. Duration and to a blocked drain line. frequency of exhaust line blowdown increased. 1
] 'm- _ ..-__ -
s A Table A-1 (Cont *d) Failure Desc. Root Cause Correctin Measures Comments inspection Guidance FIDW , CONTROlJFR j Fall URES Failures appear to be aging Ambient conditions in Fadure to coatrolin Defectwe ampliner card and solder joint Repairs gerformed- related, yet it appears some areas containing this automatic, attributed to aB ing. licensees do not intend to equipment should be periodically replace sensitive verified against equipment or otherwise address specifications. the rtet cause of these failures. Dropping resistor failed in the instrument Resistors R26, R24, and zener diode amplifier circuitry due to normal heat of C24 all appeared to be affected bf ' $ operation. ambient temperatures and were ! replaced. Intermittent operatkm of internal switch The slight oxidized contacts were contacts did not alkm the controller to cleaned and lubricated, In the long read the (km setpoint in auto. term, permanent jumpers will be installed to bypass the switches. y Gear train failure. Onose fastener caused intermediate gear to Procedures wdl be redwd to require i unmesh which prevented adjustment of the a periodic check of the gear train controlle .etting. and fasteners. i Miscalibratkw Ilow controller indicated a flow of 400 Controller recahbrated. , I gpm when system not in operatkm. Failure '! attributed to miscalibration. TURlilNE CON 1ROL VAINE FAULT 5 Control oil Icat. Od supply line nippic leaking because Nipple repaired, plan' wrsonnel i plant personnel stepped on line to gain informed of failure cause. ' ! access to control vahc. Throttle valve lifting Six of the eight lifting beam bolts failed IJcensee to change thread lubricant: Per AEOD Report B06, beam bolting failure. due to stress corrosion cracking of . non-metal bearing petroleum jelly improper heat treatment and the j~ improperly heat treated bolts. The recommended. use of a copper based anti-remaining two bolts were cracked. , seizure compound were enajor . contributors to this failure.
Table A-1 (Cont'd) Corrective Measures Comments inspection Guidance Fadure Desc. Root Cause 1.05S OF f 3fi1E 011, PCV_F035 had an incorrect diaphragm Formation of a procurement Additional IIR reported a COOIJNG installed due to inadequate controls to engineering group. diaphragm failure resulting in a 5 update plant information with industry gpm leak. No cause stated.
- PCV-FO.15 failures. caperience.
A modification was proposed to the periodic use of the auxiliary Operating procedures MITEJJANFOUS Used auxiliary oil pump to flush oil 1 eliminate ramp generator initiation oil pump is a common practice should be reviewed to through the governor to clear a ground. on auxiliary oil pump startup, unless that can disable the IIPCI ensure that cautions Subsequently, system isolated on startup a valid initiation signal is present. system, identify IIPCI system because the od pump cauws the stop and inoperability when the I control valves to p full ope n. auxiliary oil pump is i r unning. 4 in 4 e M
- . - _ _ _ . _ - _ _ _ - - - - , 2- -----___--a-- - 2, -- - u- -- - -aa-, . _ _ _ _ _ - --amn--- -
w, >rnv~ - < -w-n %
1 i P i
-f 9
F i APPENDIX A-2 , 1 SELECTED EXAMPLES OF ADDITIONAL HPCI FAILURE MODES IDENTIFIED DURING INDUSTRY SURVEY l t s k
'(
.}
t t l' . : 1 F
?
?
i h t A-9 .<
=l l - - ., ,- - _ . , . . , , ,
\
Table A-2 Summary of Illustrative Examples of Additional IIPCI Failure Modes Failure Desc. Root Cause Correctrve Measures Comments Inspecten Guidance IIPCI Failure 3 - Differential pressure transmitter failed due Amphfier card comwction was Rosemont Transmitter NRC Infornution Notice l False Iligh Steamline to inadequate connection of amplifier secured. 6Ll6 provides additional Differential Pressure condition card was either incorrectly information on steamline Isolation Signal seated during installation or worked loose. pressure measurement. j Miscalibration and a stuck pressure Wrong tunversion value caused Rose mont "I ransmitter indicator disabled both drvisions of high miscabbration and was cortected. l
.iP transmitters. I Transmitter operating outside tolerances Recabbrated transmitter Conservatively narrow instrument i due to incorrect serpoint adjustment tolerances were used during the setpoint adjustment. He instrument was a Rosernount
- Transmitter.
Setroint drift cause spurious system Setpoint was adjusted. Ilarton transmitter increased calibration isolations fretguency nuy be necessary. , 1 Setpoint draft caused by moisture intrusion Unknow n llarton transmitter.
- through the dial rod shaft seal.
4 4 IIPCI Failure 4 - Mechanicabhermal bmding of disk due to Interim corrective action was drilling ^1his failure was attributed to hrbine Steam Inlet inadequate clearances. a boke in the valve disk Double procedural and training Valve [F001] fails to disks were to be installed during a inadequacies. open failure refueling outage as a long 3
- term solutkm. '
a
%ermal binding of disk Replaced motor gears and installed he thernul binding can occur A four hour system 5
larger pourr supply cable to motor. for ~2 hours after system is warmup may be required returned to servia following a by procedures to cooldown. circunwent this problem. Motor failure Surge protection added to shunt coil Motor failure caused by high of DC motor control circuitry. voltage transient in shunt coit ; that occurred when supply l breaker opened. Motor failure. Valve repaired and torque switch Motor windings failed due when Other safety related MOVs adjustment screws were correctly . torque setting out of adjustment - were also affected. torqued. due to lacsc torque switch Procedures were revised ,i adjustment screws. - and torque suitch limiter plates were installed.
...,a- m et...,,-.-,+--,+--1--+, ,-r- .=v .-ws-9.~ i---- m-- *,-w ,.,-e., .o, # . , e i-y ~ . . - . . y - , , ,... %.w,, % e em. , , , . , . , , - -. . . - .
Table A-2 (Cent'd) Failure Desc. Root Cause Corrective Measures Comments Inspection Guidann llPCI Failure 4 - Valve motor failure due to incorrect steam Valve anotor was replaced. (cont'd) lubricathm Ucensee resiew determined that valve Removed step starting resistors- Other DC MOVs were also INPO SER 25-M and might not open due to insufficient torque. evaluated. NRCInformation Notice 58-72 provide further guidana, llPCI Failure 5 - Mispositioned aunliary amtacts in starting Replaced contacts. Pump Discharge time delay relay for vahc rnotor. Valve [FM6) Fails to Open Valve motor failure Valve motor replaced. Failure attributed to heat related breakdown of valve motor internals. Ucensee review determined that valve may Step starting resistors had not been Potential problem may affect INPO SER 25-88 and have insufficient torque to open. considered in the torque analyses other DC MOVs NRC Information Notice and were remcwd. prmide addnional h _ guidance. w IIPCI I ailure 7 - Fuse failure due to cicctrical grounding. Fuse replaud and ground corrected. System Actuation irgic Fails 5ptem failed to actuate due to inadequate Design modified Further discussion in Al!OD seal in time. Report IM07. IIPCI Failure 8 - Failed peer supply resister. Resistor replaced. False Iligh Area Temperature Isolation Failed temperature monitoring malute. Module replaced. New matel replacement Signal considered. Design error. Minimum intake setpoint temperature was increased. IIPCI Failure 9 - Pressure switch isolation valve None. Isolated pressure switch actuated False tra Suction inadvertently closed. due to changing emironmental Pressure Trip conditicms. IIPCI Failure 10 - Corrosion of pressure switch seals. Pressure switch replaced. Seal corrosion allowed moisture False Iligh Turbine into casing and shorted wiring. Exhaust Pressure Signal
. . . . . . . l
Table A-2 (Cent'd) Failure Desc. Root Cause Corrective Measures Comments insgrction Guidance llPCI Failure 11 - F2haust line swing check valve failure Check vahr replaced. Failure of check vahr was References [2t} and {22] Normally Open blocked MOV attnbuted to overstressed cycling prtwide further Turbine Exhaust due to high exhaust pressure. information. Valve Fails Cksed IIPCI Fadere 12 - level switches out of calibration Switches replaced. Accumulation of foreign material CST /$uppression Pool on 11 oat caused failure. Ingic Fails itPCI Failure 13 - Motor failure. Windmg insulatk n Replaced notor. Voltage surge liigh voltage transients occurred Suppression Pool degraded due to high voltage transients. protection added to circuitry. as supply breaker was epened. Suction Une Vahrs Fail to Open Torque switch out of adjustment. Recabbrated. limit switch out of adjustment Replaced limit switch. Vahr stem separated from disk. Vahc repaired. 'three bolts faded due to tensile These valves were cntrimd. Other similar valves manufactured by were inspected. Associated Control Istuipment. Inc. IIPCI Failure 14 - Vahr inoperable due to damaged motor Switch replaced. Damage resulted from overtravel Design changes may be Mmimum flow Valve starter disconnect switch. of operatinF handle due to poor required as a result of this y failure. aW Fails to Open design. 1 L._ .- . . , . w g l
i DISTRIBUTION-No. of Copies No. of Cor>ies OFFSITE U.S. Nuclear Regulatory 2 B. Gore Commission Pacific Northwest 12b. Richland, WA 99352 A. El Bassoni OWFN 10 E4 ONSITE W. D. Beckner 26 Brookhaven National Lab. OWFN 10 E4 - W. Gunther (10) K. Campe R. Hall OWFN 10 E4 J. Higgins J. Taylor 10 J.Chung A. DiBiasio OWFN 10 E4 F. Congel Technical Publishing (5) OWFN 10 E4 Nuclear Safety Library (2)- B. K. Grimes 2 J. Bickel OWFN 9 A2 EG&G Idaho, Inc. P.O. Box 1625 Idaho Falls,ID 83415 J. N. Hannon J. Lyons OWFN 13 E21 Illinois Dept.ofNuclear Safety 1035 Outer Park Drive Springfield, IL 62704 A. Hsia OWFN 13 D1 E. V. Imbro OWFN 9 Al 2 II. E. Polk OWFN 12 II26 4 Browns Ferry Nuclear Power Station Resident Inspector 4 U.S. Nuclear Regulatory Commission - Region II Regional Administrator
e---------. .. . U.S. NUCLE AR REGUL ATORY COMMISSION 1. RE PORT NUMBE R NRC FORu 335 ndo Numtwrs H R 1 m2. 3*.2m2 BIBLIOGRAPHIC DATA ~ SHEET "WU#U tsn insena:tsom on the reverset BNL-NUREG-52370
- 2. TITLE AND SUBTITLE High Pressure Coolant Injection (HPCI) System Risk-Based DATE REPOR T PUBLISHED 3.
Inspection Guide for Browns Ferry Nuclear Power Station uom n An l _ September 1993 4, FIN OR GRANT NUMBER A3875
- 5. AUTHOH(Si 6. TYPE OF REPORT S. Wong, A. DiBiasio, W. Gunther Technical A PE R IOD COV E R E D rincluswe Deres/
- 8. PE R F ORMING oRGANIZ AT lON - N AM E AND ADDRE SS itr hiRC orovo* Dwowm. Or6ce or Reunm. U S. Nuorar Reesterarv Commrwon. end markne nddress. st evntrartor, prorsk nome end urssoling eddresL9 .
Brookhaven National Laboratory Upton, NY 11973
- 9. SPONSORING oRG ANIZ ATioN - N AM E AND ADDR E SS tar NRc. rvpe '5eme ns obr >ve" it contractor. prov.ar NRC Owinon, otra or Regeon. u A toucover Requismrv commosuan.
and meshan address,I Division of Systems Safety and Analysis Office of Nuclear Reactor Regulation U.S. Nuclear Regulatory Commission Washington, DC 20555-0001
- 10. SUPPLEMENT ARY NOTES
- 11. A.BST R ACT tyco.oras or armi ne fligh Pressure Coolant Injection (HPCI) system has been exa.ained from a risk perspective. A System Risk-Based Inspection Guide (S-RIG) has been developed as an aid to IIPCI system inspections at the Browns Ferry Nuclear Power Plant, Units 1,2 and 3. The role of the HPCI system in mitigating accidents is discussed in this S-RIG alongwith insights on identified risk-based failure modes which could prevent proper operation of the system.
The S-RIG provides a review ofindustry-wide operating experience, including plant-specific illustrative examples to augment the PRA and operational considerations in identifying a catalogue of basic PRA failure modes for the HPCI system. It is designed to be used as a reference for routine inspections, self-initiated safety system fune:ional inspections (SSFIs), and the evaluation of risk significance of component failures at the nuclear power plant.
- 12. K E Y Vv%R DE SCH!P1 OHS (tat warns or perman rher wist samt smeerowr an amenne the resort.s u. Av AsLaaiu n M Ai&MtNi Unlimited-g, M LUHil y LL A5bd ICAIlON BWR Type Reactors-Reactor Components, BWR Type Reactors-Reactor . .
8"*'** Safety, Reactor High Pressure Coolant Injection, High Pressure ", Coolant Injection-Risk Assessment, Reactor-Risk Assessment, Unclass2fied Reactor Cooling Systems, Reactor Accidents, High Pressure Coolant """"'" # "*"'8 Injection Failures.
- 16. PRICE I
NHC FORM 335 089)
Printed on recycled paper Federal Recycling Program
~
l
F NUREGICH-6022 IllGil PRESSURE COOLANT INJECTION (IIPCI) SYSTEM RISK BASED '- SEPTEMBER 1993 - INSPECTION GUIDE FOR IIROWNS FERRY NUCLIs\R POWER STATION UNITED STATES NUCLEAR REGULATORY COMMISSION RRST CLASS Mall POSTAGE AND FEES PAfD WASHINGTON. D.C. 20555-0001 USNRC PERMIT NO. G-67 OFFICIAL BUSINESS PENALTY FOR PRIVATE UoE, $300 10C555139531 1 1ANios US N o C - Q a C '4 CIV FCIA i O URL I C A TI O N ~C S Vc "c TPS-POR-NUciEG P-211 , i ka5'iINGTCN OC 2C555 i}}