ML20059F429
| ML20059F429 | |
| Person / Time | |
|---|---|
| Site: | South Texas  |
| Issue date: | 12/31/1993 |
| From: | Bumgardner J, Gore B, Moffitt N, Nicholaus J, Vo T Battelle Memorial Institute, PACIFIC NORTHWEST NATION |
| To: | Office of Nuclear Reactor Regulation |
| References | |
| CON-FIN-L-1310 NUREG-CR-5897, PNL-8104, NUDOCS 9401140022 | |
| Download: ML20059F429 (36) | |
Text
..
j PN L-8104
_ _.. ~ _.... _ _. _
Auxi iary Feecwa~:er System Ris1-3asec1 Insaection Guic e
' for ~:ae Sou::a Texas Projec:
Nuc ear Power Plan ~:
t i
Prepared by J. D. Burnpardner, J. H. Nwkolaus N. E. Molfitt, it I:. Gore, T. V Vo Pacific Northwest I.aboratory Operated by flattelle 51emorial Institute Prepared for U.S. Nuclear Regulatory Commission 9401140022 931231 PDR ADOCK 05000498 O
d t
AVAILABILITY NOTICE Availability of Reference Materials Cited in NRC Pubhcations Most documents cited in NRC publications will be available from one of the following sources:
1.
The NRC Pubbe Document Room, 2120 L Street, NW,. Lower Level Washington. DC 20555-0001 2.
The Superintendent of Documents. U.S. Government Printing Office, Mail Stop SSOP, Washington. DC 20402-9328 3
The National Technical information Service. Springfield. VA 22161 Although the listing that follows represonts the majority of documents cited in NRC publications, it is not in-tended to be exhaustNe.
Referenced documents available for inspectjon and copying for a fee from the NRC Public Document Room include NRC c orrespondence and interna! NRC memoranda: NRC bulletins, circulars information notices, in-
' i spection and investigation notices: heensee event reports; vendor reports and correspondence; Commission papers: and appbcant and hcensee documents and correspondence.
The f ollowing documents in the NUREG series are available for purchase from the GPO Sales Program: formal NRC staff and contractor reports, NRC-sponsored conference proceedings. internatlonal agreement reports.
r g< ant pubhcations, and NRC booHets and brochures. Also available are regulatory guides. NRC regulations in the Code of Federal Regulancr>s. and tJuclear Regulatory Commission Issuances.
[
Documents available from the Nattonal Technicallnformation Service include NUREG-series reports and tech-nical reports prepared by other Federal agencies and reports prepared by the Atomic Energy Commission, forerunner agency to the fJuclear Regulatory Commission.
Documents a vailab!e ftom pubke and special technical hbraries include all open literature it ems, such as books, journal articles. and transactions. Federal Register notices Federal and State legislation. and congressional reports can usually be obtained from these 1:branes Documer's such as theses. d<ssertahons foreign reports and translations, and non-NRC conference pro-ceedmys are available for purchase from the organl2ation sponsoring the pubkcation cited.
l Single copies of NRC draf t reports are avadable free, to the extent of supply, upon written request to the Office of Administration. Distribution and Mall Services Section. U.S. Nuclear Regulatory Commission, Washington, DC 20555-0001.
Copies of industry codes and standards used in a substantive manner in the NRC regulatory process are main-l tained at tne NRC Library. 7920 Norfolk Avenue. Bethesda, Maryland, for use by the pubhc. Codes and stan-dards are usually copyrighted and may be purchased from the originating organization or, if they are American l
fJational Standards, from the Arnerican National Standards institute.1430 Broadway, New Yorir, NY 10018.
I f
L
.i DISCLAIMER NOTICE This report was prepared as an account of work sponsored by an agency of the United States Govemment.
Neither the Unrted States Govemment nor any agency thereof, or any of their employees, makes any warranty, expressed or implied, or assumes any lega: liabihty of responsibility for any third party's use, or the results of j
such use, of any information. apparatus, product or process disclosed in this report, or represents that its use by such third party would not infange pnvately owned rtghts.
l i
-n..-+---.
a~
a.,.
e m-
NUREG/CR-5897 PNL-8104 RG Auxiliary Feedwater System Risk-Based Inspection Guide for the South Texas Project Nuclear Power Plant
.t Manuscript Completed: December 1993 Date Published: December 1993 Prepared by J. D. Humgardner, J. R. Nickolaus, N. E. Moffitt, B. E Gore, T. V. Vo J. Chung, NRC Project Manager Pacific Northwest Laboratory Richland, WA 99352 Prepared for Division of Systems Safety and Analysis Office of Nuclear Reactor Regulation U.S. Nuclear Regulatory Commission Washington, DC 20555-0001 NRC FIN L1310
Abstract In a study sponsored by the U.S. Nuclear Regulatory Commission (NRC), Pacific Northwest laboratory has developed and applied a methodology for deriving plant-specific risk-based inspection guidance for the auxiliary feedwater (AFW) system at pressurized water reactors that have not undergone probabilistic risk assessment (PRA). His methodology uses existing PRA results and plant operating experience information. Existing PRA-based inspection guidance information recently developed for the NRC for various plants was used to identify generic component failure modes. This information was then combined with plant-specific and industry-wide component information and failure data to identify failure modes and failure mechanisms for the AFW system at the selected plants. South Texas Project was selected as a plant for study. The product of this effort is a prioritized listing of AFW failures which have occurred at the plant and at other PWRs. This listing is intended for use by the NRC inspectors in preparation of inspection plans addressing AFW risk important components at the South Texas Project plant.
l I
1 l
i l
l l
iii NUREG/CR-5897
l l
1 i
I l
4 Contents l
1 Abstract.
iii Summary vii Acknowledgments.
xi 1 Introduction 1.1 2 South Texas Project AFW System.
2.1
2.1 System Description
2.1 2.2 Success Criterion.
2.2 2.3 System Dependencies 2.2 2.4 Operational Constraints.
2.2 3 Inspection Guidance for the South Texas Project AFW System....
3.1 3.! Risk Important AFW Components and Failure Modes.
3.1 3.1.1 Multiple Pump Failures Due to Common Cause 3.1 3.1.2 Turbine Driven Pump Fails to Start or Run 3.2 3.1.3 Motor Driven Pump Fails to Start or Run.......
3.3 3.1.4 Pump Unavailable Due to Maintenance or Surveillance....
3.3 3.1.5 Air Operated Valves Fall Closed......
3.4 l
3.1.6 Motor Operated Valves Fall Closed.....................
3.4 3.1.7 Manual Suction or Discharge Valves Fail Closed......................
3.5 3.1.8 leakage of Hot Feedwater Through Check Valves......
3.6 3.2 Risk Important AFW System Walkdown Table.
3.6 1
I 4 Generic Risk Insights from PRAs 4.1 1
4.1 Risk Important Accident Sequences Involving AFW System Failure 4.1 4.2 Risk Important Component Failure Modes 4.1 l
l l
l I
i l
l v
5 Failure Modes Determined from Operating Experience 5.1 5.1 5.1 South Texas Project Experience..
5.1.1 Multiple Pump Failures.
5.1 5.1.2 Motor Driven Pump Failures 5.1 5.1.3 Turbine Driven Pump Failures....
5.1 5.1.4 Flow Control and Isolation Valve Failures 5.1 i
5.1.5 Check Valve Failures 5.1.6 Human Errors.
5.1 5.1 5.2 industry Wide Experience 5.2.1 Common Cause Failures..
5.2 5.2.2 Human Errors.....
5.3 5.2.3 Design / Engineering Problems and Errors.
5.4 5.2.4 Component Failures....
5.5 l
6 References 6.1 i
I l
l I
r I
i I
l vi NUREG/CR-5897 I
L
Figure 2.1 South Texas Auxiliary Feedwater System 2.3 Pable 3.1 Risk Important Walkdown Table for South Texas AFW System Components 3.7 l
)
1 l
l vii NUREG/CR-5897
l l
l Summary This document presents a compilation of auxiliary feedwater (AFW) system failure information which has been screened for risk significance in terms of failure frequency and degradation of system performance. It is a risk-prioritized listing of l
failure events and their causes that are significant enough to warrr.at consideration in inspection planning at the South l
Texas Project plant. This information is presented to provide inspectors with increased resources for inspection planning at South Texas Project.
The risk importance of various component failure modes was identified by analysis of the results of probabilistic risk assessments (PRAs) for many pressurized water reactors (PWRs). However, the component failure categories identified in PRAs are rather broad, because the failure data used in the PRAs is an aggregate of many individual failures having a variety of root causes. In order to help inspectors focus on specific aspects of component operation, maintenance and design which might cause these failures, an extensive review of component failure information was performed to identify and rank the root causes of these component failures. Both South Texas Project and industry wide failure information was analyzed. Failure causes were sorted on the basis of frequency of occurrence and seriousness of consequence, and catego-rized as common cause failures, human errors, design problems, or component failures.
This information is presented in the body of this document. Section 3 provides brief descriptions of these risk-important failure causes, and Section S presents more extensive discussions, with specific examples and references. He entries in the two sections are cross-referenced.
1 1
An abbreviated system walkdown table is presented in Section 3.2 which includes only components identified as risk l
important. This table lists the system lineup for normal, standby system operation.
i This information permits an inspector to concentrate on components important to the prevention of core damage.
However, it is important to note that inspections should not focus exclusively on these components. Other components which perform essential functions, but which are not included because of high reliability or redundancy, must also be addressed to ensure that degradation does not increase their failure probabilities, and hence their risk importance.
1 Introduction his document is one of a series providing plant-specific De remainder of the document describes and discusses inspection guidance for auxiliary feedwater (AFW) sys-the information used in compiling this inspection guid-tems at pressurized water reactors (PWRs). This guid-ance. Section 4.0 describes the risk importance informa-ance is based on information from probabilistic risk tion which has been derived from PRAs and its sources.
assessments (PRAs) for similar PWRs, industry-wide As review of that section will show, the failure events operating experience with AFW systems, plant-specific identified in PRAs are rather broad (e.g., pump fails to AFW system descriptions, and plant specific operating start el run, valve fails closed). Section 5.0 addresses the experience. It is not a detailed inspection plan, but rather speci& failure causes which have been combined under a compilation of AFW system failure information which these broad events.
has been screened for risk significance in terms of failure frequency and degradation of system performance. He AFW system operating history was studied to identify the result is a risk-prioritized listing of failure events and their various specific failures which have been aggregated into causes that are significant enough to warrant consideration the PRA failure events. Section 5.1 presents a summary in inspection planning at the South Texas Project.
of South Texas Project failure information, and Sec-tion 5.2 presents a review of industry wide failure infor-His inspection guidance is presented in Section 3, follow-mation. He industry wide information was compiled ing a description of the South Texas Project AFW system from a variety of NRC sources, including AEOD analyses in Section 2. Section 3 identifies the risk important sys-and reports, information notices, inspection and enforce-tem components by South Texas Project identification ment bulletins, and generic letters, and from a variety of number, followed by brief descriptions of each of the INPO reports as well. Some Licensee Event Reports and A
various failure causes of that component. These include NPRDS event descriptions were also reviewed. Finally, specific human errors, design deficiencies, and hardware information was included from reports of NRC sponsored failures. The discussions also identify where common studies of the effects of plant aging, which include quanti-cause failures have affected multiple, redundant compon-tative analyses of reported ATW system failures. His ents. These brief discussions identify specific aspects of industry-wide information was then combined with the system or component design, operation, maintenance, or plant-speci6c failure information to identify the various testing for inspection by observation, records review, root causes of the broad failure events used in PRAs, training observation, procedures review, or by observa-which are identified in Section 3.
tion of the implementation of procedures. An AFW sys-tem walkdown table identifying risk important components and their lineup for normal, standby system operation is also provided.
1.1 NUREG/CR-5897
1 2 South Texas Project AFW System his section presents an overview of the South Texas he system is designed to automatically start. AFW flows Project AFW system (Dual unit, Westinghouse 4 loop are automatically controlled until manual control is taken plants), including a simplified schematic system diagram.
by the operator within ten minutes. The MDAFW pumps in addition, the system success criterion, system dependen-will start upon any of the following conditions and initiate cies, and administrative operational constraints are also auxiliary feedwater flow:
presented.
Low-law S/G level Safety Injection (MODE I)
2.1 System Description
The AFW system provides feedwater to the steam genera-Ioss of offsite power in MODE II (only starts pumps on recirc) tors (S/G) to allow secondary-side heat removal when main feedwater is not available and to promote natural cir-
- Ioss f offsite power with a Safety injection culation of the Reactor Coolant System (RCS) in the event of a loss of all four reactor coolant pumps. The system is capable of functioning for extended periods during a total ATWS Mitigation System actuation is initiated.
loss of offsite power or a loss of the main feedwater sys-tem. This allows time to restore offsite power or main ne TDAFW pump will start upon any of the following feedwater flow or to proceed with an orderly cooldown of conditions and initiate auxiliary feedwater flow:
the plant to the point where the Residual Heat Removal
- low-low S/G level system (RHR) can remove decay heat. A simplified sche.
matic of the South Texas Project AFW system and TDAFW pump steam supply is shown in Figure 2.1.
Safety injection (MODE 1)
He AFW system consists of one turbine-driven pump ATWS Mitigation System actuation is initiated.
(TDAFW) and three motor-driven feed pumps (MDAFW) that provide feedwater to the steam generators, one ne AFW pumps discharge through check valves and are Auxiliary Feedwater Storage Tank (AFWST), and associ-n rmally aligned to supply one S/G (MDAFW #13 to S/G ated piping, valves and instrumentation. Feedwater is "C", MDAFW #12 to S/G "B", MDAFW #11 to S/G supplied to the TDAFW and MDAFW pumps from the "A", and TDAFW #14 to S/G "D") Depending upon P ant conditions, the discharge of each pump can be lined l
AFWST through individual suction headers. He TDAFW and MDAFW pumps are capable of supplying up to any S/G by opening normally closed, fail closed, all steam generators. Steam is supplied to the TDAFW Pneumatic isolation valves. He AFW lines for the S/Gs turbine from S/G "D" through an automatically controlled are each equipped with a flow element, flow transmitter, and an automatic flow control valve.
motor operated valve (MOV-0143) and the turbine trip and throttle valve (MS-0514). The TDAFW and The AFWST is the normal source of water for the AFW MDAFW pumps are equipped with automatic recircula.
tion valves (AF-00ll,0036,0058, and 0091) and the system. He tank is required to store a sufficient quantity TDAFW with a turbine bearing cooling system, which of demineralized water (485,000 gallons) to maintain the prevents pump deadheading and bearing overheating. He reactor coolant system (RCS) at hot standby conditions for pumps are protected from runout conditions by motor 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> during a feedline break with steam release to the operated flow control valves (AF-7523,7524,7525, and atmosphere and then to cool the RCS to place the RHR 7526) located in the pump discharge lines. Power, con, system in service. The administratively controlled, locked trol, and instrumentation associated with the four AFW pen and locked closed valvs configuration requires that system trains are independent from each other, the AFWST discharge valves (AFD093, AF0094, 2.1 NUREG/CR-5897 I
b.
AFW System AF0095, AF0096. AF0073, AF0053, AF0031, and separate emergency busses and one steam turbine capable AF0024) be locked open to supply the AFW system.
of being powered from an OPERABLE steam supply Additionally, the Condensate and Fire Protection systems system) and associated flow paths to be OPERABLE. If can be manually aligned to provide backup supply to the the Train A h1DAFW pump is inoperable, it must be re-AFWST.
stored to operable status as soon as possible. With any of the following combinations of auxiliary feedwater pumps inoperable:
2.2 Success Criterion (1) Train B or Train C MDAFW pump System success requires the operation of either of the following: at least two pumps supplying a minimum of (2) Train D TDAFW pump and any MDAFW pump 540 gpm to two S/Gs in an ATWS condition, OR, at least (3) Train A and either Train B or Train C MDAFW one pump supplying a minimum of 540 gpm within one minute to: a) at least one S/Gs after a main feedwater line PUSP rupture or steam line break or b) at least two S/Gs on loss of main feedwater or after a loss of offsite power.
(4) Train D TDAFW pump.
The affected AFW pumps must be returned to operable status within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> or the unit must be placed in HOT
' 3 System DeEendencies STANDBY within the next 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and HOT SHUT-
=
DOWN within the following 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />. When Train B and The AFW system depends on AC and DC power at vari-Train C MDAFW pumps, or any three AFW pumps are ous voltage levels for TDAFW turbine governor, motor inoperable the unit must be placed in HOT STANDBY operated valve control circuits, solenoid valves, and moni-within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and HOT SHUTDOWN within the follow-tor and alarm circuits. Instrument Air is required for the ing 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />. When four AFW pumps become inoperable AFW cross connect valves (AF-FV-7515,7516,7516 and immediate corrective actions must be taken to restore at 7517). These valves fail closed on a loss ofInstrument least one AFW pump to OPERABLE status as soon as
(
Air. Steam availability is required for the TDAFW possible.
pump.
South Texas Project Technical Specifications require the AFWST to be OPERABLE with a minimum contained 2.4 Operational Constraints water volume of 485,000 gaHons. With the AFWST inoperable, the AFWST must be restored to OPERABLE When the reactor is in MODES 1,2, or 3 (Hot Standby status within 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> or the unit must be in HOT through Power Operation), South Texas Project Technical STANDBY within the next 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and HOT SHUT-Specifications require four independent AFW pumps DOWN within the following 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />.
(three motor driven each capable of being powered from NUREG/CR-5897 2.2
N SG RECIRC AF0280 ATMOS O
F 1FAF0281 MS0143 MS0514 AF0011 2u h-AF0014
_g a,
~
[FW x
R x
AF0012 AFh AF0019 v
NO A
A AF0093 AF0024 NMP 14 M0269 q
Fire W X
X j
m8 rm um Om SG1D
[y',L
]
AFWST 70 -
M AFWST AF0037 SG RECIRC AF0282
+
ygg PUMP A
^
Af7317)
AFW AF0094 AF0031 g
}
X AF0041 AF7525 AF0048 F0039 AF0267 M
)
TO :
SG 1 A j
AFWST AF0040 P
SG RECIRC AF0284 W
y3y PUMPB AFW AF0285
- p' @
AFm95 AFM53 y
)
A 59 AF7524 AF0065 From CND Hotwen h
AF0265 AF7516)h AF0067 From MF W
~
u A s AF0070 S/G RECIRC AF0286 y3y PuuP c AFW AF7515 gg AF0096 AF0073 7
g X
X AF0078 AF7523 AF0085 h
0087 AFC263 Z
yo -
M NmWW SG1C h
AFWST AF0092 y
?
I Figure 2.1. South Texas Auxiliary Feedwater System
{
R 8
3 Inspection Guidance for the South Texas Project AFW System in this section the risk important components of the South 3.1.1 Multiple Pump Failures Due to Texas Project AFW.ystem are identified, and the impor-Common Cause tant failure modes for these components are briefly des-cribed. nese failure modes include specific human ne following listing summarizes the most important errors, design deficiencies, and types of hardware failures multiple-pump failure modes identified in Section 5.2.1, which have been observed to occur for these components, Common Cause Failures, and each item is keyed to both at South Texas Project and at PWRs throughout the entries in that section.
nuclear industry. The discussions also identify where common cause failures have affected multiple, redundant Incorrect operator intervention into automatic system components. nese brief discussions identify specific functioning, including improper manual starting and aspects of system or component design, operation, mainte' securing of pumps, has caused failure of all pumps, nance, or testing for inspection activities. These activities including overspeed trip on startup, and inability to include observation, records review, training observation, restart prematurely secured pumps. Control switch procedures review, or by observation of the implementa-mispositioning has caused both of the TDAFW pumps tion of procedures-to trip on overspeed. CCI.
Table 3.1 is an abbreviated AFW system walkdown table Inspection Suggestion - Observe Abnormal and Emer-which identifies risk important components. His table gency Operating Procedure (AOP/EOP) simulator-lists the system lineup for normal (standby) system oper-training exercises to verify that the operators comply ation inspection of the components identified in the with procedures during observed evolutions. Observe AFW system walkdown table address the majority of the surveillance testing on the AFW system to verify it is risk associated with AFW system operation.
in strict compliance with the surveillance test procedure.
3.1 Risk Important AFW Components Valve mispositioning has caused failure of all pumps, and Failure Modes Pump suction, steam supply, and instrument isolation valves have bec i involved. CC2.
Common cause failures of multiple pumps are the most risk-important failure modes of AFW system components.
Inspection Suggestion - Verify that the system valve These are followed in importance by single pump failures, aggnnynt, air operated valve control and valve aau-level control valve failures, and individual check valve ating air pressures are correct using 3.1 Walkdown leakage failures.
Table, the system operating procedures, and operator rounds logsheet. Review surveillance procedures that he following sections address each of these failure alter the standby alignment of the AFW system.
modes, in decreasing order of risk-importance. Rey Ensure that ac adequate return to normal section present the important root causes cif these component
- exists, failure modes which have been distilled from historical records. Each item is keyed to discussions in Section 5.2 Steam binding has caused failure of :nultiple pumps.
where addWonal information on historical events is This resulted from leakage of hot feedwater past presented.
check valves and a motor operau:d valve into a com-mon discharge header. CClo. Mu tiple-pump steam binding has also resulted from impn.oer valve line-ups, and from running a pump deadhe.Aed. CC3.
3.1 NUREG/CR-5897
p---
Inspection Guidance In3pection Suggestion - Verify that the pump dis-inadequately sized suction piping which could have charge temperature is within the limits specified on yielded insufficient NPS11 to support operation of the operator rounds logsheet ( < 240"F). Assure any more than one pump. CC8.
instruments used to verify the temperature by the utility are of an appropriate range and included in a
/rupection Suggestion - Assure that plant conditions c.
calibration program. Verify affected pumps have which could result in the block. age or degradation of been vented every 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> to ensure steam binding the suction flow path are addressed by system main-has not occurred. Verify that a maintenance work tenance and test procedures. Design changes that request has been written to repair leaking check affect the suction flow path should repeat testing that valves.
verified an adequate suction source for simultaneous operation of all pumps. Verify that testing has at Pump control circuit deficiencies or design modifica-some time demonstrated simultaneous operation of all tion errors have caused failures of multiple pumps to pumps Verify that surveillances adequately test all auto start, spurious pump trips during operation, and aspects of the system design functions, for example, failures to restart after pump shutdown, CC4.
demonstrate that the AFW pumps will trip on low incorrect setpoints and control circuit calibrations suction pressure.
have also prevented proper operation of multiple The South Texas Project has experienced stress corro-pumps. CC5.
sion cracking / hydrogen embrittlement of AFW pump
/rupection Suggestion - Review design change imple-sleeve materials which caused one pump to fail its mentation documents for the post maintenance testing performance test. He sleeve material was common required prior to returning the equipment to service, to all pumps.
Assure the testing verifies that all potentially impacted a
functions operate correctly, and includes repeating
/n.spection Suggestion - Review Design Modification any plant start-up or hot functional testing that may be records to ensure that the pump sleeves have been or afTected by the design change.
are scheduled to be replaced with materials that are not susceptible to stress corrosion cracking.
Loss of a vital power bus has failed both the turbine-driven and one motor-driven pump due to loss of con-3.1.2 Turbine Driven Pump Fails to Start or trol power to steam admission valves er to turbine Run controls, and to motor controls powered from the same bus. CC6.
Improperly adjusteJ and inadequately maintained tur-bine governors have caused pump failures. llE2.
/rupection Suggestion - He material condition of the Problems include worn or loosened nuts, set screws, electrical equipment is an indicator of probable relia-linkages or cable connections, oil leaks and/or con-bility. Review the Preventative Maintenance (PM) tamination, and electrical failures of resistors, tran-records to assure the equipment is maintained on an sistors, diodes and circuit cards, and erroneous appropriate frequency for the environment it is in and grounds and connections. CFS.
that the PMs are actually being performed as required by the program. Review the outstanding Corrective Insperrion Suggestion - Review PM records to assure Maintenance records to assure the deficiencies found the governor oil is being replaced within the designa-on the equipment are promptly corrected.
ted frequency. During plant walkdowns carefully in-spect the governor and linkages for loose fasteners.
Simultaneous startup of multiple pumps has caused leaks, and unsecured or degraded conduit. Review oscillations of pump suction pressure causing vendor manuals to ensure PM procedures are per-multiple-pump trips on low suction pressure, despite formed according to manufacturer's recommendations the existence of adequate static net positive suction and good maintenance practices.
head (NPSil). CC7. Design reviews have identified NUREG/CR-5897 3.2
Inspection Guidance I
I Turbines with Woodward hiodel PG-PL governors overspeed trip operation. Review training procedures have tripped on overspeed when restarted shortly after to ensure operator training on resetting the TTV is shutdown, unless an operator has locally exercised the current.
speed setting knob to drain oil from the governor Stress corrosion cracking caused failure of the turbine speed setting cylinder (per procedure). Automatic oil dump valves are now available through Terry. DE4.
driven pump, allowing the final stage shaft sleeve to rub and eventually become friction welded to the sta-Inspection Suggestion - Observe the operation of the tionary final stage piece of the pump.
turbine driven Aux Feed pump and assure that the governor is reset as directed in OPOp02-AF-0001 by Inspection Suggestion - Covered under 3.1.1 bullet 7.
rotating the speed control knob fully in the counter-hiispositioning of handswitches and procedural defi-clockwise direction, then fully in the clockwise direc-tion. Assure the turbine is not coasting over, which ciencies have prevented automatic pump start. HE3.
can result in refill of the speed setting cylinder.
Inspeaion Suggestion - Confirm Switch position using Condensate slugs in steam lines have caused turbine Table 3.1. Review administrative procedures con-overspeed trip on startup. Tests repeated right after cerning documentation of procedural deficiencies.
such a trip may fail to indicate the problem due to Ensure operator training on procedural changes is warming and clearing of the steam lines. Surveillance current.
should exercise all steam supply connections. DE2.
3.1.3 Motor Driven Pump Fails to Start or Inspedian Suggestion - Verify that the steam traps are Run valved in on the steam supply line. For steam traps that are on a pressurized portion of the steam line, Control circuits used for automatic and manual pump check the steam trap temperature (if unlagged) t starting are an important cause of motor driven pump assure it is warmer than ambient (otherwise it may be failures, as are circuit breaker failures. CF7.
stuck or have a plugged line). If the steam trap dis-charge is visible, assure there is evidence of liquid Inspeaion Suggestion - Review corrective mainten-discharge.
ance records when control circuit problems occur to determine if a trend exists. Every time a breaker is Trip and throttle valve (TTV) problems which have racked in a PMT should be performed to start the failed the turbine driven pump include physically pump, assuring no control circuit problems have bumping it, failure to reset it following testing, and occurred as a result of the manipulation of the failures to verify control room indication of reset.
breaker. (Control circuit stabs have to make up upon HE2. Whether either the overspeed trip or TTV trip racking the breaker, as well as cell switch damage can can be reset without resetting the other, indication in occur upon removal and reinstallation of the breaker.)
the control room of TTV position, and unambiguous local indication of an overspeed trip affect the likeli-Mispositioning of handswitches and procedural defi-hood of these errors. DE3. The South Texas Project ciencies have prevented automatic pump starts. HE3.
has experienced steam cutting of the TTV inlet Danges.
In3pedian Suggestion - Covered under 3.1.2 bullet 6.
Inspection Suggestion - Carefully inspect the TTV 3.1.4 Pump Unavailable Due to Maintenance overspeed trip linkage and assure it is reset and m or Surve,illance good physical condition. Assure that there is a good steam isolation to the turbine, otherwise continued Both scheduled and unscheduled maintenance remove turbine high temperature can result in degradation of the oil in the turbine, interfering with proper pumps from operability. Surveillance requires oper-ation with an altered line-up, although a pump train 3.3 NUREG/CR-5897
Inspection Guidance may not be declared inoperable during testing.
adverse trends, especially those valves on reduced Prompt scheduling and performance of maintenance testing frequency. Review air system surveillances and surveillance minimize this unavailability.
moisture content of air is within established limits.
In3pection Suggestion - Review the time the AFW 3.1.6 Motor Operated Valves Fail Closed c
system and components are inoperable. Assure all maintenance is being performed that can be per-AFW Flow Control valves: AF-7523. 7524. 7SM formed during a single outage time frame, avoiding 7526 multiple equipment outages. De maintenance should T_DAFW Pump Steam Admission valve: M S-0143 be scheduled before the routine surveillance test, so TDAFW Pumn Trin & Brottle valve: MS-0514 credit can be taken for both post maintenance testing
/\\FW Ston/ check valves: AF-0019. 0048. 0065. &
and surveillance testing, avoiding excessive testing.
0085 Review surveillance schedule for frequency and ade-quacy to verify system operability requirements per The AFW flow control valves are used to control AFW Technical Specifications.
flow and are normally open and fail as is. De TDAFW pump steam admission valve is normally open and fails 3.1.5 Air Operated Valves Fail Closed open. De TDAFW pump Trip & Throttle valve is nor-mally closed and fails as is. The AFW Stop/ check valves AFW Cross-Connect Valves: AF-FV-7515. 7516 are normally closed and fail closed.
7517. & 7518 Common cause failure of MOVs has occurred from The normally closed and administratively locked in failure to use electrical signature tracing equipment to neutral air operated AFW Cross-Connect valves allow determine proper settings of torque switch and torque manually initiated AFW flow from any AFW pump to any switch bypass switches. Failure to calibrate switch S/G during off normal conditions. They fait closed on a settings for high torques necessary under design basis loss ofInstrument Air, accident conditions has also been involved. CCI1.
Control circuit problems have been a primary cause Inspeaton Suggestion - Review the MOV test records of failures. CF9. Valve failures have resulted from to assure the testing and settings are based on blown fuses, failure of control components (such as dynamic system conditions. Overtorquing of the current / pneumatic convertors), broken or dirty con-valve operator can result in valve damage such as tacts, misaligned or broken limit switches, control cracking of the seat or disc. Review the program to power loss, and calibration problems. Degraded assure overtorquing is identified and corrective ac-operation has also resulted from improper air pressure tions are taken to assure valve operability following due to the wrong type of air regulator being installed an overtorque condition. Review the program to or leaking air lines. He South Texas Project has had assure EQ seals are renewed as required during the AOVs fail to fully seat due to inadequate restoration from testing to maintain the EQ rating of maintenance.
the MOV.
Inadequate air pressure regulation has resulted in Valve motors have been failed due to lack of, or control valve failure to operate.
improper sizing or use, of thermal overload protective devices. Bypassing and oversizing should be based In3pection Suggestion - Check for control air system on proper engineering for design basis conditions.
alignment and air leaks during plant walkdowns.
CF4.
(Regulators may have e small amount of external bleed to maintain downstream pressure.) Check for Inspection Suggestion - Review the administrative cleanliness and physical condition of visible circuit controls for documenting and changing the settings of elements. Review valve stroke time surveillance for NUREG/CR-5897 3.4 L---------___---_
Inspection Guidance thermal overload protective devices. Assure the 3.1.7 Manual Suction or Discharge Valves inforn ation is available to the maintenance planners.
Fail Closed Out-of-adjustment electrical flow controllers have e
TDAFW Pumm AF-(093. 0024. 0012. 0014 & 0026 caused improper discharge valve operation, affecting MDAFW Pumpr AFe94. 0095. 0046. 0031. 0053.
multiple trains of AFW. CC12.
0073. orul. 0059. 007FJX)43. 0061. 0080. 0039 0067 & 0081 Inspection Suggestion - Review PM frequency and records, only upon a trend of failure of the lhese manual valves are nortrally locked open. For each controllers.
train, closure of the first or secon) valves would block pump suaian and closure of the following valves would Grease trapped in the torque switch spring pack of the block pamp discharge or recirculation.
e operators of MOVs has caused motor burnout or ther-mal overload trip by preventing torque switch actua-Valve mispositioning has resulted in failures of mul-tion. CF8.
tiple trains of AFW. CC2. It has also been the domi-nant cause of problems identified during operational Inspection Suggestion - Review this only if the MOV readiness inspections. HEl. Events have occurred testing program reveals deficiencies in this area.
most often during maintenance, calibration, or system modifications. South Texas Project personnel have Manually reversing the direction of motion of oper-nadvertently mispositioned a recirculation valve e
ating MOVs has overloaded the motor circuit. Oper-resulting in a feed rate insufficient to maintain S/G ating procedures should provide cautions, and circuit level. Important causes of mispositioninginclude:
designs may prevent reversal before each stroke is finished. DE7.
Failure to provide complete, clear, and specific Inspeaion Suggestion - None. Circuit design prevents this problem at South Texas.
Failure to promptly revise and validate proced-ures, training, and diagrams following system Space heaters designed for pre-operation storage have e
modifications been found wired in parallel with valve motors which had not been environmentally qualified with them Failure to complete all steps in a procedure present. DE8.
Inspection Suggestion - Spot check MOVs during Failure to adequately review uncompleted proced-ural steps after task completion MOV testing to assure the space heaters are physically removed or disconnected.
Failure to verify support functions after restoration Leakage of hot feedwater through check valves has e
caused thermal binding of normally closed flow control MOVs. AOVs may be similarly susceptible.
Failure to adhere scrupulously to administrative procedures regarding tagging, control and track-CF2 ing of valve operations Inspection Suggestion - Covered by 3.1.1 bullet 3.
Failure to log the manipulation of sealed valves Failure to follow good practices of written task assignment and feedback of task completion information 3.5 NUREG/CR-5897
Inspection Guidance Failure to provide easily read system drawings, laspection Suggestion - Covered by 3.1.1 bullet 3.
legible valve labels corresponding to drawings Slow leakage past the final check valve of a series and procedures, and labeled indications of local valve position may not force the check valve closed. Other check valves in series may leak similarly. Piping orienta-Inspection Suggestion - Review the administrative tion and valve design are important factors in achiev-controls that relate to valve positioning and sealing, ing tme series protection. CFl.
system restoration following maintenance, valve labeling, system drawing updating, and procedure Inspection Suggestion - Covered by 3.1.1 bullet 3.
revision, for proper implementation.
3.1.8 Leakage of Hot Feedwater Through 3.2 Risk Important AFW System Check Valves:
Walkdown Table MDAFW Pumo #11: AF-0119. 0048. & 0036 Table 3.1 presents an AFW system walkdown table in-MDAFW Pumo #12: AP-0120. 0065. & 0058 cluding only components identified as risk important.
MDAFW Pumo #13: AF-0121. 0085. & 0091
'Ihis information allows inspectors to concentrate their TDAFW Pump #14: AF4122. 0019. & 0011 efforts on components important to prevention of core damage. Ilowever, it is essential to note that inspections leakage of hot feedwater through several check should not focus exclusively on these components. Other a
valves in series has caused steam binding of multiple components which perform essential functions, must also pumps. Leakage through a closed level control valve be addressed to ensure that their risk importances are not in series w;th check valves has also occurred, as increased. An example would include ensuring an ade-would be required for leakage to reach the motor quate water level in the AFWST exists, driven or turbine driven pumps. CC10, I
l i
l
\\
1 NUREG/CR-5897 3.6
i inspection Guidance 4
l l
Table 3.1 Risk Important Walkdown Table for South Texas AFW System Components Actual Component #
Component Name Required Position Position Electrical 3S141MPA01 AFW Motor Driven Pump #11 Racked In/
Closed 3S141MPA02 AFW Motor Driven Pump #12 Racked In/
Closed 3S141MPA03 AFW Motor Driven Pump #13 Racked In/
Closed-Valves AF-0275 AFWST Drain locked Closed
- AF4277 AFWST Drain Locked Closed
- AF4094 AFWST to AFW pump #11 locked Open*
AF4031 AFW pump #11 Suction Isolation locked Open -
AF4041 APW pump #11 Manual Discharge locked Open AF4039 AFW pump #11 Recire Isolation locked Open AF-0043 AFW pump #11 Manual Flow Control Iecked Open AF4040 AFW pump #11 Test Line Isolation locked Closed AF-0048 Piping upstream of atop / check valve Cool AF-0036 Piping upstream of ARC valve Cool AF-PV-7517 AFW Cross-tie local handwheel locked Neutral 2
AF-0283 S/G 1 A to S/G Recire pump 11 A 1mcked Closed isolation valve 3.7 NUREG/CR-5897..
Inspection Guidance Table 3.1 (Continued)
Actual Component #
Component Name Required Position Position AF-0282 S/G 1 A to S/G Recire pump ll A locked Closed isolation valve AF4267 AF-0119 check valve bypass locked Closed **
AF-0095 AFWST to AFW pump #12 Imcked Open*
AF-0053 AFW pump #12 Suction isolation Locked Open i
AF-0059 AFW pump #12 Manual Discharge locked Open AF-0067 AFW pump #12 Recire isolation Locked Open AF-0061 AFW pemp #12 Manual Flow Control locked Open AF-0070 AFW pump #12 Test Line Isolation locked Closed AF-0065 Piping upstream of stop/ check valve Cool AF-0058 Fiping upstream of ARC valve Cool AF-FV-7516 AFW Cross-tie local handwheel locked Neutral AF-0284 S/G 1B to S/G Recire pump 11B locked Closed isolation valve AF 0285 S/G 1B to S/G Recire pump I1B locked Closed isolation valve AF-0265 AF-0120 check valve bypass lacked Closed **
AF-0096 AFWST to AFW pump #13 locked Open*
AF-0073 AFW pump #13 Suction isolation locked Open AF-0078 AFW pump #13 Manual Discharge lecked Open AF-0087 AFW pump #13 Recire Isolation locked Open AF-0080 AFW pump #13 Manual Flow Control locked Open NUREG/CR-5897 3.8 i
i
Inspection Guidance Table 3.1 (Continued)
Actual Component #
Component Name Required Position Position AF-0092 AFW pump #13 Test Line Isola. ion locked Closed AF-0085 Piping upstream of stop/ check valve Cool AF-0091 Piping upstream of ARC valve Cool
[
AF-FV-7515 AFW Cross-tie local handwheel locked Neutral AF-0287 S/G IC to S/G Recire pump 11C Locked Closed isolation valve AF-0286 S/G IC to S/G Recire pump 1IC Locked Closed isolation valve AF-0263 AF-0121 check valve bypass locked Closed **
AF-0093 AFWST to AFW pump #14 locked Open*
AF-0024 AFW pump #14 Suction isolation locked Open AF-0012 AFW pump #14 Manual Discharge Locked Open AF4026 AFW pump #14 Recire isolation Locked Open AF-0014 AFW pump #14 Manual Flow Control locked Open AF 0037 AFW pump #14 Test Line Isolation Locked Closed AF-FV-7518 AFW Cross-tie local handwheel Locked Neutral AF-0280 S/G 1D to S/G Recire pump 1iD locked Closed Isolation valve AF-0281 S/G 1D to S/G Recire pump 11D locked Closed Isolation valve AF-0269 AF-0212 check valve bypass locked Closed **
AF-0019 Piping upstream of stop/ check valve Cool 3.9 NUREG/CR-5897
Inspection Guidance Table 3.1 (Continued)
Actual Component #
Component Name Required Position Posi: ion 6
AF-0011 Piping upstream of ARC valve Cool MS-0514 TDAFW Pump Trip & Brottie valve Latched and Closed MS4143 TDAFW Pump Steam Admission valve Open Valves are located in a pit at the base of the AFWST. Access to the pit requires that a cover be unbolted and removed. Special entry requirements may apply for enclosed space entry. Inspection of this area is best accomplished when other activities are in progress in the valve pit, which require removal of the cover.
- Valves are located in containment.
4 e
a NUREG/CR-5897 3.10
4 Generic Risk Insights from PRAs PRAs for il PWRs were analyzed to identify risk-kss ofMain Feedwater important acciden, sequences involving loss of AFW, to identify and risk-prioritize the component failure modes A feedwater line break drains the common water involved. The results of this analysis are described in this source for MFW and AFW. The operators fail to section. Dey are consistent with results reported by pravide feedwater from other sources, and fail to INEL and BNL (Gregg et al.1988, and Travis et al.
initiate feed-and-bleed cooling, resulting in core 1988).
damage.
A loss of main feedwater trips the plant, and AFW 0.1 Risk Important Accident fails due to operator error and hardware failures. De operators fail to initiate feed-and-bleed cooling, Sequences Involv g AFM7 System m
resulting in core damage.
Failure Steam Generator Iltbe Rupture (SGIR)
Uss of Power System A SGTR is followed by failure of AFW. Coolant is b_ loss of offsite power and main feedwater is fol-lost from the primary until the refueling water storage lowed by failure of AFW. Due to tack of actuating tank (RWST) is depleted. High pressure injection power, the power operated relief valves (PORVs)
(HPI) fails since recirculation cannot be established cannot be opened preventing adequate feed-and-bleed from the empty sump, and core damage results.
cooling, and resulting in core damage.
A station blackout fails all AC power except Vital AC 4.2 Risk Important Component from DC invertors, and all decay heat removal sys-Failure Modes tems except the turbine-driven AFW pump. AFw subsequently fails due to battery depletion or hard-ware failures, resulting in core damage.
The generic component failure modes identified from PRA analyses as important to AFW system failure are A DC bus fails, causing a trip and failure of the listed below in decreasing order of risk importance.
power conversion system. One AFW motor-driven pump is failed by the bus loss, and the turbine-driven
- 1. Turbine-Driven Pump Failure to Start or Run.
pump fails due to loss of turbine or valve control power. AFW is subsequently lost completely due to
- 2. Motor Driven Pump Failure to Start or Run.
other failures. Feed-and-bleed cooling fails because PORV control is lost, resulting in core damage.
Transient-Caused Reactor or Turbine Trip
- 4. AFW System Valve Failures A_ transient-caused trio is followed by a loss of the a
steam adnu,ss,on valves power conversion system (PCS), main feedwater, and i
AFW. Feed-and-bleed cooling fails either due to failure of the operator to initiate it, or due to trip and throttle valves hardware failures, resulting in core damage.
flow control valves 4.1 NUREG/CR-5897
Generic Risk Insights pump' discharge valves In addition to individual hardware, circuit, or instrument failures, each of these failure modes may result from pump suction valves common causes and human errors. Common cause fail-o ures of AFW pumps are particularly risk important.
valves in testing or maintenance.
Valve failures are somewhat less important due to the multiplicity of steam generators and connection paths.
- 5. Supply /Sction Sources Human errors of greatest risk importance involve: fail-ures to initiate or control system operation when required; condensate storage tank stop valve failure to restore proper system lineup after maintenance or testing; and failure to switch to alternate sources when hot well inventory required.
a
- suction valves.
1 l
l l
NUREG/CR-5897 4.2
5 Failure Modes Determined from Operating Experience his section describes the primary root cause of AFW 5.1.3 Turbine Driven Pump Failures system component failures, as determined from a review of operating histories at South Texas Project and at other Here has been one reported occurrence that resulted in PWRs throughout the nuclear industry. Section 5.1 des-decreased operational readiness of the AFW system. He cribes experience at South Texas Project from 1988 failure was in a 'ITV flange.
through 1991. Section 5.2 summarizes information com-piled from a variety of NRC sources, including AEOD 5.1.4 Flow Control and Isolation Valve analyses and reports, information notices, inspection and Failures enforcement bulletins, and generic letters, and from a variety ofINPO reports as well. Some Licensee Event Approximately seven events have resulted in impaired Reports and NPRDS event descr,ptions were als i
operational readiness of the air operated and motor oper-reviewed. Finally, mformation was included from repotts of NRC-sponsored studies of the effects of plant aging, ated valves. Principal failure causes were equipment wear, instrumentation and control circuit failwes, instru-which melude quantitative analysis of AFW system failure ment drift, valve hardware failures, valve wear, and reports. This mformation was used to identify the various Vhs fai W m o o
de r t causes expected for the broad PRA-based failure to failure of control components and valve motor failures.
events identified in Section 4, resultmg m the inspect.ion guidelines presented in Section 3.
Human errors have resulted in packing leaks. Space heat-ers provided by the vendor for use in pre-installation stor-age of MOVs were found ta be wired in parallel to the Class IE 125 V DC motors for several AFW valves. The 5.1 South Texas Proj.ect Experience v,iy,,3,a seen,nyironmentajiy qu,iiri,d, hot not with he AFW system at South Texas Project has experienced failures of the turbine driven AFW pump, pump discharge 5.1.5 Check Valve Failures flow control valves, and AFW train cross connect valves.
Failure modes include electrical, instnamentation and There have been no reported check valve failures at the control, hardware failures, and human errors.
South Texas Project.
5.1.1 Multiple Pump Failures 5.1.6 IIuman Errors here have been no reported multiple pump failures at the
%ere has been one event affecting the AFW system.
South Texas Project. However, South Texas Project has Personnel have inadvertently mispositioned a recirculation experienced stress corrosion cracking / hydrogen embrittle-valve resulting in a feed rate insufficient to maintain S/G ment of AFW pump sleeve materials which caused one
- geyeg, pump to fail its performance test. He sleeve material was common to all pumps.
5.2 Industry Wide Experience 5.1.2 Motor Dn.ven Pump Failures Here have been no reported motor driven pump failures Human errors, design / engineering problems and errors, at the South Texas Project.
and component failures are the primary root causes of AFW System failures identified in a review ofindustry wide system operating history. Common cause failures, which disable more than one train of this operationally 5.1 NUREG/CR-5897
Failure Modes redundant system, are highly risk significant, and can Factors identified in studies of mispositioning errors result from all of these causes.
include failure to add newly installed valves to valve checklists, weak administrative control of tagging, This section identifies important common cause failure restoration, independent verif cation, and locked valve modes, and then provides a broader discussion of the logging, and inadequate adherence to procedures, lile-single failure effects of human errors, design / engineering gible or confusing local valve labeling, and insufficient problems and errors, and component failures. Paragraphs training in the determination of valve position may cause presenting details of these failure modes are coded (e.g.,
or mask mispositioning, and surveillance which does not CCl) and cross-referenced by inspection items in exercise complete system functioning may not reveal Section 3.
mispositionings.
5.2.1 Common Cause Failures CC3. At ANO-2, both AFW pumps lost suction due to -
steam binding when they were lined up to both the CST Re dominant cause of AFW system multiple-train fail.
and the hot startup/ blowdown demineralizer effluent ures has been human error. Design / engineering errors (AEOD/C4041984). At Zion-1 steam created by running and component failures have been less frequent, but the turbine-driven pump deadheaded for one minute nevertheless significant, causes of multiple train failures.
caused trip of a motor-driven pump sharing the same inlet header, as well as damage to the turbine-driven pump CCI. Human error in the form ofincorrect operator (Region 3 Morning Report,1/17/90). Both events were intervention into automatic AFW system functioning caused by procedural inadequacies, during transients resulted in the temporary loss of all safety-grade AFW pumps during events at Davis-Besse CC4. Design / engineering errors have accounted for a (NUREG-11541985) and Trojan (AEOD/T4161983). In smaller, but significant fraction of common cause failures.
the Davis Besse event, improper manual initiation of the Problems with control circuit design modifications at steam and feedwater rapture control system (SFRCS) led Farley defeated AFW pump auto-start on loss of main to overspeed tripping of both turbine-driven AFW pumps, feedwater. At Zion-2, restart of both motor driven pumps probably due to the introduction of condensate into the was blocked by circuit failure to deenergize when the AFW turbines from the long, unheated steam supply lines.
pumps had been tripped with an automatic start signal (The system had never been tested with the abnormal, present (IN 82-01 1982). In addition, AFW control cir-i cross-connected steam supply lineup which resulted.) In cuit design reviews at Salem and Indian Point have identi-the Trojan event the operator incorrectly stopped both fied designs where failures of a single component could
)
AFW pumps due to misinterpretation of MFW pump have failed all or multiple pumps (IN 87-341987).
speed indication. He diesel driven pump would not restart due to a protective feature requiring complete shut.
CC5. Incorrect setpoints and control circuit settings down, and the turbine-driven pump tripped on overspeed, resulting from analysis errors and failures to update requiring local reset of the trip and throttle valve. In cases procedures have also prevented pump start and caused where manual intervention is required during the early pumps to trip spuriously. Errors of this type may remain stages of a transient, training should emphasize that undetected despite surveillance testing, unless surveillance actions should be performed methodically and deliberately tests model all types of system initiation and operating to guard against such errors.
conditions. A greater fraction ofinstrumentation and control circuit problems has been identified during actual CC2. Valve mispositioning has accounted for a signifi-system operation (as opposed to surveillance testing) than caat fraction of the human errors failing multiple trains of for other types of failures.
AFW. This includes closure of normally open suction velves or steam supply valves,and of isolation valves to CC6. On two occasions at a foreign plant, failure of a sensors having control functions. Incorrect handswitch balance-of-plant inverter caused failure of two AFW positioning and inadequate temporary wiring changes have pumps. In addition to loss of the motor driven pump also prevented automatic starts of multiple pumps, whose auxiliary start relay was powered by the invertor, the turbine driven pump tripped on overspeed because the NUREG/CR-5897 5.2
._____a
Failure Modes governor valve opened, allowing full steam flow to the to be inoperable at different times. Backleakage at turbine. His illustrates the importance of assessing the Robinson-2 passed through closed motor-operated isola-effects of failures of balance of plant equipment which tion valves in addition to multiple check valves. At supports the operation of critical components. He instru-Farley, both motor and turbine driven pump casings were ment air system is another example of such a system.
found hot, although the pumps were not declared inoper-able. In addition to multi-train failures, numerous inci-CC7. Multiple AFW pump trips have occurred at dents of single train failures have occurred. resulting in Millstone-3, Cook-1, Trojan and Zion-2 (IN 87-531987) the designation of " Steam Binding of Auxiliary Feedwater caused by brief, low pressure oscillations of suction pres-Pumps" as Generic Issue 93. His generic issue was sure during pump startup. These oscillations occurred resolved by Generic letter 88-03 (Miraglia 1988), which despite the availability of adequate static NPSH. Correc-required licensees to monitor AFW piping temperatures tive actions taken include: extending the time delay each shift, and to maintain procedures for recognizing associated with the low pressure trip, removing the trip, steam binding and for restoring system operability.
and replacing the trip with an alarm and operator action.
CCI1. Common cause failures have also failed motor CC8. Design errors discovered during AFW system re-operated valves. During the total loss of feedwater event analysis at the Robinson plant flN 89-301989) and at at Davis Besse, the normally-open AFW isolation valves Millstone-1 resulted in the supph header from the CST failed to open after they were inadvertently closed. He being too small to provide adequate NPSH to the pumps if failure was due to improper setting of the torque switch more than one of tne three pumps were operating at rated bypass switch, which prevents motor trip on the high flow conditions. His could lead to multiple pump failure torque required to unseat a closed valve. Previous prob-due to cavitation. Subsequent reviews at Robinson identi-lems with these valves had been addressed by increasing fied a loss of feedwater transient in which inadequate the torque switch trip setpoint - a fix which failed during NPSH and flows less than design values had occurred, but the event due to the higher torque required due to high which were not recognized at the time. Event analysis differential pressure across the valve. Similar common and equipment trending, as well as surveillance testing mode failures of MOVs have also occurred in other sys-which duplicates service conditions as much as is practi-tems, resulting in issuance of Generic letter 89-10, cal, can help identify such design errors.
" Safety Related Motor-Operated Valve Testing and Sur-veillance (Partlow 1989)." his generic letter requires CC9. Asiatic clams caused failure of two AFW flow con-licensees to develop and implement a program to provide trol valves at Catawba-2 when low suction pressure for the testing, inspection and maintenance of all safety-caused by starting of a motor-driven pump caused suction related MOVs to provide assurance that they will function source realignment to the Nuclear Service Water system.
when subjected to design basis conditions.
Pipes had not been routinely treated to inhibit clam growth, nor regularly monitored to detect their presence, CCl2. Other component failures have also resulted in and no strainers were installed. He need for surveillance AFW multi-trsin failures. These include out-of-which exercises altemative system operational modes, as adjustment electrical flow controllers resulting in well as complete system functioning,is emphasized by improper discharge valve operation, and a failure of oil this event. Spurious suction switch-over has also occurred cooler cooling water supply valves to open due to silt at Callaway and at McGuire, although no failures accumulation.
resulted.
5.2.2 IIuman Errors CClo. Common cause failures have also been caused by component failures (AEOD/C4041984). At Surry-2, 11111. He overwhelmingly dominant cause of problems both the turbine driven pump and one motor driven pump identified during a series of operational readiness evalu-were declared inoperable due to steam binding caused by ations of AFW systems was human performance. He backleakage of hot water through multiple check valves.
majority of these human performance problems resulted At Robinson-2 both motor driven pumps were found to be from incomplete and incorrect procedures, particularly hot, and both motor and steam driven pumps were found 5.3 NUREG/CR-5897
Failure Modes with respect to valve lineup information. A study of valve valve can respond, after the water slug clears. This was mispositioning events involving human error identified determined to be the cause of the loss-of-all-AFW event at failures in administrative control of tagging and logging, Davis Besse (AEOD/6021986), with condensation en-procedural compliance and completion of steps, verifica-hanced due to the long length of the cross-connected tion of support systems, and inadequate procedures as steam lines. Repeated tests following a cold-start trip may important. Another study found that valve mispositioning be successful due to system heat up.
events occurred most often during maintenance, calibra-tion, or modification activities. Insufhcient training in DE3. Turbine trip and throttle valve (TIV) problems are determining valve position, and in administrative require-a significant cause of turbine driven pump failures ments for controlling valve positioning were important (IN 84-66). In some cases lack of TfV position causes, as was oral task assignment without task comple-indication in the control room prevented recognition of a tion feedback, tripped TIV. In other cases it was possible to reset either the overspeed trip or the TIY without resetting the other.
HE2. Turbine driven pump failures have been caused by This problem is compounded by the fact that the position human errors in calibrating or adjusting governor speed of the overspeed trip linkage can be misleading, and the control, poor governor maintenance, incorrect adjustment mechanism nuy lack labels indicating when it is in the of governor valve and o aspeed trip linkages, and errors tripped position (AEOD/C6021986).
associated with the trip and throttle valve. TIV-associated errors include physically bumping it, failure to p_lM. Startup of turbines with Woodward Model PG-PL restore it to the correct position after testing, and failures governors within 30 minutes of shutdown has resulted in to verify control room indication of TTV position follw-overspeed trips when the speed setting knob was not exer-ing actuation.
cised locally to drain oil from the speed setting cylinder.
Speed control is based on startup with an empty cylinder.
BF3. Motor driven pumps have been failed by human Problems have involved turbine rotation due to both pro-errors in mispositioning handswitches, and by procedure cedure violations and leaking steam. Terry has marketed deficiencies.
two types of dump valves for automatically draining the oil after shutdown (AEOD/C6021986).
5.2.3 Design / Engineering Problems and Errors At Calvert Cliffs, a 1987 loss-of-ofIsite-power event re-quired a quick, cold startup that resulted in turbine trip del. As noted above, the majority of AFW subsystem due to PG-PL governor stability problems. The short-term corrective action was installation of stiffer buffer failures, and the greatest relative system degradation, has been found to result from turbine-driven pump failures.
Springs (IN 88-091988). Surveillance had always been Overspeed trips of Terry turbines controlled by Wood-preceded by turbine warmup, which illustrates the import-ance f testing which duplicates service conditions as ward governors have been a significant source of these failures (AEOD/C6021986). In many cases these over, much as is practical.
speed trips have been caused by slow response of a Woodward Model EG governor on startup, at plants DES. Reduced viscosity of gear box oil heated by prior where full steam flow is allowed immediately. This over-peration caused failure of a motor driven pump to start sensitivity has been removed by installing a startup steam due to insufficient tube oil pressure. Lowering the pres-bypass valve which opens first, allowing a controlled tur-sure switch setpoint solved the problem, which had not bine acceleration and buildup of oil pressure to control the been detected during testing.
governor valve when full steam flow is admitted.
DE6. Waterhammer at Palisades resulted in AFW line DE2. Overspeed trips of Terry turbines have been caused and hanger damage at both steam generators. The AFW by condensate in the steam supply lines. Condensate spargers are located at the normal steam generator level, slows down the turbine, causing the governor valve to and are frequently covered and uncovered during level open farther, and overspeed results before the governor fluctuations. Waterhammers in top-feed-ring steam NUREG/CR-5897 5.4
Failure Modes generators resulted in main feedline rupture at Maine designs and manufacturers are involved in this problem, Yankee and feedwater pipe cracking at Indian Point-2 (IN and recurring leakage.,as been experienced, even after 84-32 1984).
repair and replacement.
DE7. Manually reversing the direction of motion of an CF2. At Robinson, heating of motor operated valves by operating valve has resulted in MOV failures where such check valve leakage has caused thermal binding and fail-loading was not considered in the design (AEOD/C603 ure of AFW discharge valves to open on demand. At 1986). Control circuit design may prevent this, requiring Davis Besse, high differential pressure across AFW injec-stroke completion before reversal.
tion valves resulting from check valve leakage has pre-vented MOV operation (AEOD/C6031986).
DE8. At each of the units of the South Texas Project, space heaters provided by the vendor for use in pre-CF3. Gross check valve leakage at McGuire and installation storage of MOVs were found to be wired in Robinson caused overpressurization of the AFW suction parallel to the Class IE 125 V DC motors for several piping. At a foreign PWR it resulted in a severe water-AFW valves (IR 50-489/89-11; 50-499/89-111989). He hammer event. At Palo Verde-2 the MFW suction piping valves had been environmentally qualified, but not with was overpressurized by check valve leakage from the the non-safety-related heaters energized.
AFW system (AEOD/C4041984). Gross check valve leakage through idle pumps represents a potential 5.2A Component Failures diversion of AFW pump flow.
Generic issue II.E.6.1, "In Situ Testing Of Valves" was CF4. Roughly one third of AFW system failures have divided into four sub-issues (Beckjord 1989), three of been due to valve operator failures, with about equal which relate directly to prevention of AFW system com-failures for MOVs and AOVs. Almost half of the MOV ponent failure. At the request of the NRC, in situ testing failures were due to motor or switch failures (Casada of check valves was addressed by the nuclear industry, 1989). An extensive study of MOV events (AEOD/C603 resulting in the EPRI report, " Application Guidelines for 1986) indicates continuing inoperability problems caused Check Valves in Nuclear Power Plants (Brooks 1988)."
by: torque switch / limit switch settings, adjustments, or This extensive report provides information on check valve failures; motor burnout; improper sizing or use of thermal applications, limitations, and inspection techniques. In overload devices; premature degradation related to inade-situ testing of MOVs was addressed by Generic 12tter quate use of protective devices; damage due to misuse 89-10, " Safety Related Motor-Operated Valve Testing and (valve throttling, valve operator hammering); mechanical Surveillance" (Partlow 1989) which requires licensees to problems (loosened parts, improper assembly); or the develop and implement a program for testing, inspection torque switch bypass circuit improperly installed or and maintenance of all safety-related MOVs. " Therms!
adjusted. He study concluded that current methods and Overload Protection for Electric Motors on Safety-Rch wl Procedures at many plants are not adequate to assure that Motor-Operated Valves - Generic Issue II.E.6.1 MOVs will operate when needed under credible accident (Rothberg 1988)" concludes that valve motors should be conditions. Specifically, a surveillance test which the thermally protected, yet in a way which emphasizes valve passed might result in undetected valve inoperability system function over protection of the operator.
due to component failure (motor burnout, operator parts failure, stem disc separation) or improper positioning of
- 21. The common-cause steam binding effects of check protective devices (thermal overload, torque switch, limit valve leakage were identified in Section 5.2.1, entry switch). Generic letter 89-10 (Partlow 1989) has subse-CC10. Numerous single-train events provide additional quently required licensees to implement a program ensur-insights into this problem. In some cases leakage of hot ing that MOV switch settugs are maintained so that the MFW past multiple check valves in series has occurred valves will operate under design basis conditions for the because adequate valve-seating pressure was limited to the life of the plant.
valves closest to the steam generators. Different valve 5.5 NUREG/C R-5897
Failure Modes ff. Component problems have caused a significant only two greases considered environmentally qualified by number of turbine driven pump trips (AEOD/C6021986).
Limitorque. Due to lower viscosity, it slowly migrates One group of events involved worn tappet nut faces, loose from the gear case into the spring pack. Grease change-cable connections, loosened set screws, improperly over at Vermont Yankee affected 40 of the older MOVs latched 'ITVs, and improper assembly. Another involved of which 32 were safety related. Grease relief kits are oil leaks due to component or seal failures, and oil con-needed for MOV operators manufactured before 1975. At tamination due to poor maintenance activities. Governor Limerick, additional grease relief was required for MOVs oil may not be shared with turbine lubrication oil, result-manufactured since 1975. MOV refurbishment programs ing in the need for separate oil changes. Electrical com-may yield other changeovers to EP-0 grease.
ponent failures included transistor or resistor f:.ilures due to moisture intrusion, erroneous grounds and connections, fl9. For AFW systems using air operated valves, almost diode failures, and a faulty circuit card.
half of the system degradation has resulted from failures of the valve controller circuit and its instrument inputs f_f6. Electrohydraulic-operated discharge valves have (Casada 1989). Failures occurred predominantly at a few performed very poorly, and three of the five units using units using automatic electronic controllers for the flow them have removed them due to recurrent failures. Fail-control valves, with the majority of failures due to electri-ures included oil leaks, contaminated oil, and hydraulic cal hardware. At Turkey Point-3, controller malfunction pump failures.
resulted from water in the Instrument Air system due to maintenance inoperability of the air dryers.
ff Control circuit failures were the dominar:t source of motor driven AFW pump failures (Casada 1989). This CF10. For systems using diesel driven pumps, most of includes the controls used for automatic and manual the failures were due to start control and governor speed starting of the pumps, as opposed to the instrumentation control circuitry. Half of these occurred on demand, as inputs. Most of the remaining problems were due to cir-opposed to during testing (Casada 1989).
cuit breaker failures.
fE.1. For systems using AOVs, operability requires the ff8. " Hydraulic lockup" of Limitorque SMB spring availability ofInstrument Air, backup air, or backup packs has prevented proper spring compression to actuate nitrogen. However, NRC Maintenance Team Inspections the MOV torque switch, due to grease trapped in the have identified inadequate testing of check valves isolating spring pack. During a surveillance at Trojan, failure of the safety-related portion of the IA system at several the torque switch to trip the TTV motor resulted in trip-utilities (Letter, Roe to Richardson). Generic letter i
ping of the thermal overload device, leaving the turbine 88-14 (Miraglia 1988), requires licensees to verify by test driven pump inoperable for 40 days until the next sur-that air-operated safety-related components will perform veillance (AEOD/E7021987). Problems result from as expected in accordance with all design-basis events, grease changes to EXXON NEBULA EP-0 grease, one of including a loss of normal IA.
1 NUREGICR-5897 5.6
j l
6 References Beckjord, E. S. June 30,1989. Closcout of Generic AEOD Reports issue 11.E.6.1, "In Situ Testing of Valves". Extter to V. Stello, Jr., U.S. Nuclear Regulatory Commission, AEOD/C404. W. D. lanning. July 1984. Steam Washington, D.C.
Binding ofAuxiliary Feedwater Pumps. U.S. Nuclear Regulatory Commission, Washington, D.C.
Brooks, B. P.1988. Application Guidelinesfor Check valves in Nuclear Power Plants. NP-5479, Electric AEOD/C602. C. Hsu. August 1986. Operational Power Research Institute, Palo Alto, California.
Experience Involving 7hrbine Owr 3 peed Trips. U.S.
Nuclear Regulatory Commission, Washington, D.C.
Casada. D. A.1989. Auxiliary Feedwater System Aging Study. Volume 1. Operating Experience arui Current AEOD/C603. E. J. Brown. December 1986. A Review Afonitoring Praaices. NUREG/CR-5404. U.S. Nuclear ofAfotor-Operated Valve Performance. U.S. Nuclear Regulatory Commission, Washington, D.C.
Regulatory Commission, Washington, D.C.
Gregg, R. E., and R. E. Wright.1988. Appendit Review AEOD/E702. E. J. Brown. March 19,1987. Af0V for Dominant Generic Contributors. BLB-31-88. Idaho Failure Due to Hydraulic lockup From Excessive Grease National Engineering Laboratory, Idaho Falls, Idaho.
in Spring Pack. U.S. Nuclear Regulatory Commission, Washington, D.C.
Miraglia, F. J. February 17,1988. Resolution of Generic Safety issue 93, " Steam Binding of Antiliary AEOD/T416. January 22,1983. Loss ofESF Auxiliary Feedwater Pumps" (Generic Letter 88-03). U.S. Nuclear Fredwater Pump Capability at Trojan on January 22, Regulatory Commission, Washington, D.C.
1983. U.S. Nuclear Regulatory Commission, Washington, D.C.
Miraglia, F. J. August 8,1988. Instrument Air Supply System Problerra Afecting Safety-Related Equipment information Notices (Generic htter 88-14). U.S. Nuclear Regulatory Commission, Washington, D.C.
IN 8241. January 22,1982. Auriliary Feedwater Pump Lockout Resultingfrom Westinghouse W-2 Switch Circuit Partlow, J. G. June 28,1989. Safety-Related Afotor.
Afodification. U.S. Nuclear Regulatory Commission, Operated Valw Testing and Surveillance (Generic Utter Washington, D.C.
89-10). U.S. Nuclear Regulatory Commission, Washington, D.C.
IN 84-32. E. L. Jordan. April 18,1984. Auxiliary Feedwater Sparger and Pipe llangar Damage. U.S.
Rothberg, O. June 1988. 'Ihermal overload Protection Nuclear Regulatory Commission, Washington, D.C.
for Electric Afotors on Safety-Related Afotor-Operated Valws - Generic issue ll.E.6.1. NUREG-1296. U.S.
IN 84-66. August 17,1984. Undetected Unamilabilityof Nuclear Regulatory Commission, Washington, D.C.
the Turbine-Driven Auxiliary Feedwater Train. U.S.
Nuclear Regulatory Commission, Washington, D.C.
Travis, R., and J. Taylor. 1989. Development cf Guidancefor Generic, Functionally Oriented PRA-Based IN 87-34. C. E. Rossi. July 24,1987. Single Failures Team inspectionsfor BWR Plants-Identificution of Risk-in Antiliary Feedwater Systems. U.S. Nuclear Regulatory important Systems, Components and fluman Actions.
Commission, Washington, D.C.
TLR-A-3874 ' IGA Brookhaven National laboratory, Upton, New York.
6.1 NUREG/CR-5897
References IN 87-53. C. E. Rossi. October 20,1987. Antiliary inspection Report Feedwater Pump Trips Resultingfrom Inw Saction Pressure. U.S. Nuclear Regulatory Commission, IR 50-489/89-11;50-499/89-11. May 26,1989. South Washington, D.C.
Texas Project inspection Report. U.S. Nuclear Regulatory Commission, Washington, D.C.
IN 88-09. C. E. Rossi. March 18,1988. Reduced Reliability ofSteam-Driven Antiliary Feedwater Pumps NUREG Report Cau. sed by Instability of Woodward PG-PL I)pe Governors. U.S. Nuclear Regulatory Commission, NUREG-1154. 1985. Loss of Afain and Antiliary Washington, D.C.
Feedwater Brnt at the Davis Besse Plant on June 9, 19SS. U.S. Nuclear Regulatory Commiss:on, IN 89-30. R. A. Azua. August 16,1989. Robinson Unit Washington, D.C.
2 Inadequate NPSil of Auxiliary Feedwater Pumps. Also, Event Notification 16375, August 22,1989. U.S.
Nuclear Regulatory Commission, Washington, D.C.
l l
l NUREG/CR-5897 6.2 l
NUREG/CR-5897 PNie8104 Distribution No. of No.of Copies Copies OFFSITE 4
South Texas Resident Inspector Ollice U.S. Nuclear Reculatory CommininD J. H. Taylor Brookhaven National laboratory B. K. Grimes Bldg.130 OWFN 11 E4 Upton, NY I1973 F. Congel R. Travis OWFN 10 E2 Brookhaven National l2boratory Bldg.130 A. C. Thadani Upton, NY l1973 OWFN 8 E2 R. Gregg J. T. larkins EG&G Idaho, Inc.
OWFN 13 H3 P.O. Box 1625 Idaho Falls, ID 83415 J. W. Roe OWFN 13 E4 Dr. D. R. Edwards Prof, of Nuclear Engineering G. M. Holahan University of Missouri - Rolla OWFN 8 E2 Rolla, MO 65401 J. Chung ONSITE OWFN 12 Gl8 23 Pacific Northwest Laboratory M. J. Virgilo OWFN 13 A2 S. R. Doctor L. R. Dodd 2
B. 'Ihomas B. F. Gore (10)
OWFN 12 H26 N. E. Maguire-Moffit B. D. Shipp U.S. Nuclear Reculatory Commission -
F. A. Simonen Recion 4 T. A. Vehec T.V.Vo A. B. Beach Publishing Coordination L J. Callan Technical Report File (5)
S. J. Collins T. F. Westerman Distr.1
NRC FORM 335 U S NUCLE AH REGUL A1oRY COMMIS$f 0N
- 1. HiPOH1 NUMBEH
!289t l Assigned by NRC. Add Voi,, supp., ney.,
NHCM 1102, and ddoendum Numhyre,if any 3 m a2m BIBLIOGRAPHIC DATA SHEET NUREG/CR-5897 (See instructions on the reverwl PNL-8104
- 2. TIT L E AND SUBilT LE Auxiliary Feedwater System Risk-Based Inspection Guide for the South Texas Project Nuclear Power Plant 3.
DAT E HLPOHI PUBilSHE D MoNin vtan December 1993
- 4. FIN OH GH AN T NUMBE R L1310
- 5. AUTHOH(S) 6 T YPE OF R E POH T J. D. Bumgardner, J. R. Nicholaus, N. E. Moffitt, Technical B.
F. Gore, T. V. Vo
- i. P E s iOD cOv E s E D,,na,,,, oma 3/92 to 10/93 6 PE R F O R MING OHG ANilA TION - N AME AN D ADDH ESS tri NRC orovs* Durmon. 0!!*ce or Retro". u S Nurn h"su'*rovv Corm" ****on. *"0 m**h"e ntk!'ess oc contraa ror, provune name and mankne nadresu Pacific Northwest Laboratory Richland, WA 99352
- 9. SPONSOR ING oRG ANIZA TloN - N AM E AND ADDR E SS itr Nnt, rvoe '5ame ns ahorr~, or ontractor. prove &* NRC Dovision. 0Hoce or R*uoon. U1 Nu&ar Resulerarv Commowen, c
and manhng eddresL}
Division of Systems Safety and Anal sis f
Of fice of Nuclear Reactor Regult. tion U.S. Nuclear Regulatory Commission Washington, DC 20555-0001 10, SUPPLEMENTARY NOTES 11 ABSTR ACT 1200 words or kui In a study sponsored by the U.S. Nuclear Regulatory Commission (NRC), Pacific Northwest Laboratory has developed and applied a methodology for deriving plant-specific risk-based inspection guidance for the auxiliary feedwater (AFW) system at pressurized water reactors that have not undergone probabilistic risk assessment (FRA).
This methodology uses existing PRA results and plant operating experience information.
Existing PRA-based inspection guidance information recently developed for the NRC for various plants was used to identify generic component failure modes.
This information was then combined with plant-specific and industry-wide component information and failure data to identify failure mos as and failure mechanisms for the AFW system at the selected plants.
South Texas Project was selected as one of a series of plants for study.
The product of this effort is a prioritized listing of AFW failures which have occured at the plant and at other PWRs.
This listing is intended for use by NRC inspectors in the preparation of inspection plans addressing AFW risk-important components at the South Texas Project plant.
- 12. K E Y WOR DS/DE SCH:PT ORS tt,st words orporesce ther e,ts assar reseereneri en Joratine she seport i iJ A V AtL Abt L.ii V b I A f 4 Mk N I Inspection, Risk, PRA, South Texas Project, Auxiliary Feedwater (AFW)
Unlimited
- 14. SICUhli W CL AWF GCA IlON f f hos Pegel Unclassified I rh., uapora>
Unclassified Ib. NUMBEf4 OF PAGES
- 10. PHICE NRC FORM 335 (2491
j 1
I Printed l
on recycled paper l
Feceral Recycling Program
-, - - -. =
NUREG/CR-5897 AUXILIARY FEEDWATER SYSTEM RISK-BASED INSPECTION GUIDE DECEMBER 1993 FOR Tile SOLTTH TL"?
- POJECT NUCLEAR POWER PLANT UNITED STATES FmST CLASS MAIL MUCLEAR iiEGULATORY COMMISSION
. POSTAGE AND FEES PAfD WASHINGTON, D.C. 20555-0001 USNRC PERM!T NO. G 67 120555139531 1 1ANipG US NRC-0ADM OFFICIAL BUSINESS DIV FOIA e, PUBLICATIONS SVCS PENALTY FOR PR!VATE USE, $300 TPS-POR-NUREG P-211 WASHINGTON DC 2C555 I
.