Auxiliary Feedwater System RISK-BASED Inspection Guide for the Callaway Nuclear Power Plant

ML20082M616
Person / Time
Site:	Callaway
Issue date:	08/31/1991
From:	Gore B, Moffitt N, Vo T Battelle Memorial Institute, PACIFIC NORTHWEST NATION
To:	Office of Nuclear Reactor Regulation
References
CON-FIN-L-1310 NUREG-CR-5763, PNL-7725, NUDOCS 9109050285
Download: ML20082M616 (34)
v • d • e

Text

_ _ __ - __ - _ _ . _ .

NUREG/CR-5763 PNL-7725 Auxiliary Feec. water System Risk-Basec Inspection Guide for the Callaway Nuclear Power Plant l

l l

l l.

l l Prepared by N. E. Moffitt, 8. F. Gore T. V. Vo l

Pacific Northwest Laboratory Operated by Battelle Memorial Institute Prepared for U.S. Nuclear Regulatory Commission l

l l 00 kob!k obOSSkaa G PDR

AVAILABluTY NOTICE

] Availab6lity of Reference Matenais Cited in NRC Pubicatons Most documents cited h NRC publications will be available from one of the following sources:

1. The NRC Public Document Room, 2120 L Street, NW., Lower Level, Washington, DC 20555 2, The Superintendent of Documents, U.S. Govemment Printing Office, P.O. Box 37082, Washington, DC 20013-7082

3. The National Technical Information Service, Springfield VA 22161 Although the listing that fohows represents the rnajority of documents cited in NRC publicat6ons, it is not intended to be exhaustive. ,

Referenced documents available for inspection and copying for a fee from the NRC Public Document Room include NRC correspondence and internal NRC memoranda; NRC bulletins, circulars, information notices, inspection and investigation notices; licensee event reports; vendor reports and correspondence; Commis-sion papers; and applicant and ucensee documents and correspondence.

The following documents in tho NUREG series are available for purchase from the GPO Sales Program:

formal NRC staff and contractor reports, NRC-sponsored conference proceedings, and NRC booklets and <

brochures. Also available are regulatory guides, NRC regulations in the Code of Federal Regulations, and Nuclear Regulatory Commissnan Issuances.

Documents available from the National Technical information Service include NUREG-series reports and technical reports prepared by other Federal agencies and reports prepared by the Atomic Energy Commis-sion, forerunner agency to the Nuclear Regulatory Commission, ,

Documents available from public and special technical libraries include all open hierature iterns, such as books, journa; articles, and transactions Federal Register notices, Federal and State legislation, and con-gressional reports can usually be obtained from these libraries.

Documents such as theses, dissertaticns, foreign reports and translations, and non-NRC conference pro-ceedings are available for put chase from the organi2ation sponsoring the publication cited.

Single copies of NRC draft reports are available free, to the extent of suppN, upon written request to the .

Office of Administration, Distribution and Mali Services Section, U.S. Nuclear Regulatnry Commission, Washington, DC 20555.

Copies of Industry codes and standards used in a substantive manner in the NRC regulatory process are maintained at the NRC Library,7920 Norfolk Avenue, Bethesda, Maryland, for use by the public. Codes and standards are usually copyrighted and may be purchased from the originating organ 12ation or, if they are American Nationa; Standards, from the American National Standards institute,1430 Broadwa/, New Yort NY 10018.

DISCLAIMER NOTICE This report was prepared as an account of work sponsored by an agency of the United States Govemment.

Neither the United States Govemmont nor any agency thereof, or any of their employees, makes any warranty, expressed or implied, or assumes any legal liability of responsibility for any third party's use, or the results of such use, of any information, apparatus, product or process disclosed in this report, or represents that its use by such third party would not infringe povately owned rights.

NUREG/CR-5763 PNL-7725 Auxiliary Feedwater System Risk-Based Inspection Guide for the.Callaway Nuclear Power Plant Manuscript Completed: July 1991 Date Pubhsbed: August 1991 Prepared by N. E. Moffitt. IL F, Gore, T. V. V -

Pacific Northwest laboratory Richland, WA 99352 l

Prepared for .

Division of Radiation Protection and Emergency Preparedness  !

Office of Nuclear Reactor Regulation U.S. Nuclear Regulatory Commission Washington, DC 20555 NRC FIN L1310

SUMMARY

This document presents a compilation of auxiliary feedwater (AfW) system failure information which has been screened for risk significance in terms of failure frequency and degradation of system performance. It is a risk-prioritized listing of failure events and their causes that are significant enough to warrant 'nsideration in inspection planning at the the Callaway pl ant . This information is presented to provide inspectors with increased resources for inspection p. ;nning at Callaway.

The risk importance of various component failure modes was identified by analysis of the results of probabilistic risk assessments (PRAs) for many pressurized water reactors (PWRs). However, the component failure categories identified in PRAs are rather broad, because the failure data used in the PRAs is an aggregate of many individuals failures having a variety of root causes.

In order to help inspectcrs to focus on specific aspects of component operation, maintenance and design which might cause these failures, an extensive review of component failure information was performed to identify and rank the root causes of these component failures. Both Callaway and industry-wide failure information was analyzed. Failure causes were sorted on the basis of frequency of occurrence and seriousness of consequence, and categorized as common cause failures, human errors, design problems, or component failures.

This information is presented in the body of this document. Section 3.0 provides brief descriptions of these risk-important failure causes, and Section 5.0 presents more extensive discussions, with specific examples and references. The entries in the two sections are cross-referenced.

An abbreviated system walkdown table is presented in Section 3.2 which includes only components identified as risk important. This table lists the system lineup for normal, standby system operation.

This information permits an inspector to concentrate on components important to the prevention of core damage. However, it is important to note that inspections should not focus exclusively on these components. Other components which perform essential fur.ctions, but which are not included because of high reliability or redundancy, must also be addressed to ensure that degradation does not increase their failure probabilities, and hence their risk importances.

iii

CONTENTS

SUMMARY

.............................................................. iii

1.0 INTRODUCTION

.................................................... I 2.0 CALLAWAY AFW SYSTEM ............................................. 2 2.1 SYSTEM DESCRIPTION ......................................... 2 2.2 SUCCESS CRITERION .......................................... 4 2.3 SYSTEM DEPENDENCIES ........................................ 4 2.4 OPERATIONAL CONSTRAINTS .................................... 4 3.0 INSPECTION GUIDANCE FOR THE KEWAUNEE AFP SYSTEM ................. 5 3.1 RISK IMPORTANT AFW COMPONENTS AND FAILURE MODES ............ 5 3.1.1 MULTIPLE PUMP FAILURES DUE TO COMMON CAUSE .......... 5 3.1.2 TURBINE DRIVEN PUMP FAILS TO START OR RUN ............................. ....... 6 3.1.3 MOTOR DRIVEN PUMP A OR B FAILS TO START OR RUN ..... .................................. 7 3.1.4 PUMP UNAVAILABLE DUE TO MAINTENANCE OR SURVEILLANCE .................. 7 3.1.5 AIR OPERATED CONTROL VALVES FAIL CLOSED ............. 7 3.1.6 MOTOR OPERATED CONTROL AND ISOLATION VALVES FAIL CLOSED .................................. 8 3.1.7 MANUAL SUCTION OR DISCHARGE VALVES FAIL CLOSED ......................................... 9 3.1.8 LEAKAGE OF H0T FEEDWATER THROUGH CHECK VALVES .............................................. 9 3.2 RISK IMPORTANT AFW SYSTEM WALKDOWN TABLE ................... 10 4.0 GENERIC RISK INSIGHTS-FROM PRAs ................................. 14 4.1 RISK IMPORTANT ACCIDENT SEQUENCES INVOLVING AFW SYSTEM FAILURE ......................................... 14 4.2 RISK IMPORTANT COMP 0NENT FAILURE MODES ... .......... ..... 15 v

i CONTENTS (continued) 5.0 FAILURE MODES DETERMINED FROM OPERATING EXPERIENCE .............. 16 5.1 CALLAWAY EXPERIENCE......................................... 16 5.1.1 MOTOR DRIVEN PUMP FAILURES .......................... 16 5.1.2 TURBINE DRIVEN PUMP FAILURES ........................ 16 5.1.3 FLOW CONTROL AND ISOLATION VALVE FAILURES ........... 16 5.1.4 HUMAN ERRORS ........................................ 17 5.2 INDUSTRY WIDE EXPERIENCE ............................... ... 17 5.2.1 COMMON CAUSE FAILURES ............................... 17 5.2.2 HUMAN ERRORS ........................................ 20 5.2.3 DESIGN / ENGINEERING PROBLEMS AND ERRORS .............. 20 5.2.4 COMPONENT FAILURES .................................. 22 REFERENCES .... ...................................................... 25 vi

, .- . . - - . ~ . - ...- . - - - - . _ - -~ -

1.0 INTRODUCTION

This document is the eleventh of a series providing plant-specific inspection guidance for auxiliary feedwater (AFW) systems at pressurized water reactors (PWRs). This guidance is based on information from probabilistic risk assessments (PRAs) for similar PWRs, industry-wide operating experience with AFW systems, plant-specific AFW system descriptions, and plant-specific operating experience. It is not a detailed inspection plan, but rather a compilation of AFW system failure information which has been screened for risk significance in terms of failure frequency and degradation system performance.

The result is a risk-prioritized listing of failure events and the causes that are significant enough to warrant consideration in inspection planning at Callaway.

This inspection guidance is presented in Section 3.0, following a description of the Callaway AFW system in Section 2.0. Section 3.0 identifies the risk important system components by Callaway identification number, followed by brief descriptions of each of the various failure causes of that component.

These include specific human errors, design deficiencies, and hardware failures. The discussions also identify where common cause failures have affected multiple, redundant components. These brief discussions identify specific aspects of system or component design, operation, maintenance, or testing for inspection by observation, records review, training observation, procedures review, or by observation of the implementation of procedures. An AFW system walkdown table identifying risk important components and their lineup for normal, standby system operation is also provided.

The remainder of the document describes and discusses the information used in compiling this inspection guidance. Section 4.0 describes the risk importance information which has been derived from PRAs and its sources. As review of that section will show, the failure events identified in PRAs are rather broad (e.g., pump fails to start or run, valve fails closed). Section 5.0 addresses the specific failure causes which have been combined under these broad events.

AFW system operating history was studied to identify the varii , specific failures which have been aggregated into the PRA failure events. Section 5.1 presents a summary of Callaway failure information, and Section 5.2 presents a review of industry-wide failure information. The industry-wide information was compiled from a variety of NRC sources, including AE00 analyses and reports, infonnation notices, inspection and enforcement bulletins, and generic letters, and from a variety of INP0 reports as well. Some Licensee Event Reports and NPRDS event descriptions were also reviewed individually.

Finally, information was included from reports of NRC-sponsored studies of the effects of plant aging, which include quantitative analyses of reported AFW system failures. This industry-wide information was then combined with the plant-specific failure information to identify the various root causes of the l broad failure events used in PRAs, which are identified in Section 3.0.

l l

1

2.0 LALLAWAY AFW SYSTEM This section presents an overview of the Callaway AFW system, including a simplified schematic system diagram. In addition, the system success criterion, system dependencies, and administative operational constraints are also presented.

2.1 System Description

The AFW system provides feedwater to the steam generators (SG) to allow secondary-side heat removal from tht. primary system when main feedwater is unavailable. The system is capable of functioning for extended periods, which allows time to restore main feedwater flow or to proceed with an orderly cooldown of the plant to where the residual heat removal (RHR) system can remove decay heat. A simplified schematic diagram of the Callaway AFW system is shown in Figure 2.1.

The system is designed to start up and establish flow automatically. All pumps start on receipt of a steam generator low-low level signal. (The motor-driven pumps start on low-low-level in one SG, whereas, two SG low-low level signals are required to for a turbine-driven pump start.) The motor-driven (MD) pumps start for the following conditions: shutdown sequencer actuation, LOCA sequencer actuation, and motor-driven Auxiliary Feedwater Actuation Signal (AFAS). The singic turbine-driven (TO) pump starts on an undervoltage condition on bus NB01 or NB02.

The normal AFW pump suction is from the condensate storage tank (CST). A common header from the CST supplies water to both the motor-driven and turbine-driven pumps through a check valve and a normally open motor controlled isolation valve. Two redundant safety related back-up sources of water for the AFW pumps are provided from the essential service water system (ESW)._ Power, control, and instrumentation associated with each train are independant from each other. Steam for the turbine driven pump is supplied through FC-HV-312 from steam generators B and C, from a point upstream of the main steam isolation valves. Each AFW pump is equipped with a recirculation flow system which prevents pump deadheading.

The discharges of the motor-driven pumps are normally aligned so that the A pump supplies the B and C steam generators and the B pump supplies the A and D steam. generators. Cross-connect valves are provided to allow feeding of any steam generator from either pump. The cross-connect valves are locked shut t- and administratively controlled. The turbine-driven pump also feeds all four I steam generators, but through seperate lines. Each of the eight feedwater I

lines contains a flow limiting orifice which ensures that AFW flow will be provided to the intact steam generators if one is faulted, and limits AFW pump runout. Isolation valves in the lines from all AFW pumps are locked open manual valves. Two types of flow control-valves are used in the AFW system.

The motor-driven pumps discharge through motor-operated flow control valves (AL-HV-5,7,9,ll) and the turbine-driven pump di, charges through air operated flow control valves ( AL-HV-6,8,10,12) . A nitrogen accumulator provides backup to the instrument air for salve operation. Each line also contains multiple check valves to prevent leakage from the feedwater lines.

2

s

• ac 2 e

~

le9 gi

< 0 9m Sus I W

/ ml g E O

g i H m

i <

8 t

(

s

) a J

/ m i - s  : >--

6 u M s e e s s e n e s s e n e s s e e s s e s s e e s s e s s e n e s s e e s s e s e s s e s e n e s s ee e s s e s s e siseessessassessessesses s pees y

,. a., y:

E z e, re W

n . It l "J H c' "7 Et ES Em ~' E- (_ <:C

- / .

/-

CD a o i [h o a E

j E

s I

h

>L e

n

-u e

.n n

-s m

e e E  ?

s If >

s o e c e, -> -,o E

/-ws -

-> -p -> o ,  ;

i - 2 e -u y4 s- 3 ._.J

_a e c -

7 .a

• c -

,e e s X_.

d 2

> ~

g a C-[m h"OS g jec{ g i = -

.se:-

e a 's I liil:

X! Es s Zi Zei Xi 5

~ _J w- L 'n <C n

c

~

r  ;

o C)

C C

> a .

r.

. , n yv 5 -

-o e Eo 4.i

. . p::} ., i 2

X N V. X .

: , n [n

,o s

R .u; o o

?, ,

Es.....:. M .:..... =.n

c. P g- i; :E o 2, .

~

y Ei 2

e b  ! - k -h- ,  !$

E v s. h(. ==

=

sO

.....,i Nt V s',

V4 N -cc...

EE m: : T7: .% BM D s.-

Ac c g c

As v

- . tr cx

• C yD p '

200 2  % I . 2 2 I k S"O E. C EC

~

g 5 ,g

'o  ; .

3....................................

. w i . ......................................................e. = -

, gg gg N ru. p gg EDW .wg

• Ecy

=~~

Dh - I-E h.

• = CWC kpm um L uCO Cc=

CWO ACO l' 3 i

l l

l The CST is the normal source of water for the AFW system and is required in store sufficient water to raintain the reactor coolant system (RCS) at hot standby for four hours followed by a cooldown to the point where RHR systen can be placed in service. All tank connections except those required for instrumentation, auxiliary feedwater pump suctitn, and tank drainage are located above this minimum level.

2.2 Success Cr Qerion System success requires the operation of two motor-driven ' r e 4 1ying rated flow to three steam gennrators assuming that one is e et, or one motor-driven pump and the turbine-driven pump feeding thrt eam generators.

2.3 System Dependencies The AFW sys'om depends on AC powcr for motor-driven pumps and motor-controlled flow control valves, DC power for control power to pumps, valves, and automatic actuation signals, instrument air for AFW flow control valves, and nitrogen accumulators to backup instrument air. The CST and Essential Service Water (ESW) provide tot ;on tources for the AFW system. in addition, the turbine-driven pump also e:i ires steam availability.

2.4 Operational Constraints When the reactor is critical the Callaway Technical Spc> ifications require that all three AFW pumps and associated flow paths are operable with each motor-driven pump powered from a different emergency bus. If one AFW pump becomes inoperable, it must be restored to operable status within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> or the plant must te shut down to hot standby within the next six hours. If two AFW pumps are inoperable, the plant must be shut down to hot standby within six hours. With three AFW pumps inocerable, corrective action to restore at least one pump to oper?ble status must be initiated immediately.

The Callaway Technical Specifications requires a four hour supply of water to be stored in the CST (281,000 gallans). With the CST inoperable, the essential service water system may serve as a backup supply for seven days before plant shutdown is required.

4 1

3.0 INSPECTION GUIDANCE FOR THE CAllAWAY ATV SYSTEM in this section the ask important components of the Caliaway AFW system are identified, and the ...portant failure modes Ter these components are briefl described. These failure modes include specific human errors, design deficiencies, and types of hardware failures which have been observed to occur for these components, both at Callaway and at PWRs throughout the nuclear industry. The (iscussions also identify where common cause failures have affected multiple, redundant components. These brief discussions identify specific aspects of system or component design, operation, maintenance, or testing for obscriation, records review, troining observation, procedures review, or by observation of the implementation of procedures.

Table 3.1 is an abbreviated AFW system walkdown table which identifies risk-important components. This table lists the system lineup for normal (standby) system operation. Inspection of the identified components addiesses -

essentially all of the risk associated with AfW system operation.

3.1 Risk Important AFW Components and Failure Modes Common cause f ailures of multiple pumps are the most risk-important failure modes of AFW system components. These are followed in importance by single pump failures, level control valve f ailures, and individual check valve leakage failures.

The following sections address each of these f ailure modes, in decreasing order of risk-importance. They present the important root causes of these component f ailure modes which have been distilled from historical records.

Each item is heyed to discussions in Section 5.2 where additional information on historical events is presented.

3.1.1 .itiple pump Failures due to Common cause The following listing summarizes the most important multiple-pump failure modes identified in Section 5.2.1, Common Cause failures, and each item is keyed to entries in that section.

. Incorrect operator intervention into automatic system functioning, including improper manual starting and securing of pumps, has caused failure of all pumps, inciuding overspeed trip on startup, and inability to restart prematurely secured pumps. CCl.

. Valve mispositioning has caused failure of all pumps. Pump suction, steam supply, and instrument isolation valves have been involved.

CC2.

. Steam binding has caused failure of multiple pumps. This resulted from leakage of hot feedwater past check valves into a common discharge header, with several valves involved including a motor-5

operated discharge valve. (See item 3.1.8 below.) C010. Multiple-pump steam binding has also resulted f rom improper v:.lve lineups, and from running a pump deadheaded. CC3.

. Pump control circuit deficiencies or design modification errors have caused failures of multiple pumps to auto start, spurious pump trips during operation, and failures to restart after pump shutdown. CC4.

Incorrect setpoints and control circuit calibrations have also prevented proper operation of multiple pumps. CCS,

. Loss of a vital power bus has failed both the turbine-driven and one motor-driven pump due to loss of control power to steam admission valves or to turbine controls, and to motor controls powered from the same bus. CC6.

. Simultaneous startup of multiple pumps has caused oscillations of pump suction pressure causing multiple-pump trips on low suction pressure, despite the existence of adequate static net positive suction head (NPSH). CC7. Design reviews have identified inadequately sized suction piping which could have yielded insufficient NPSH to support operation of more than one pump. CC8.

3.1.2 Turbine Driven Pump Fails to Start or Run

. Improperly adjusted and inadequately maintained turbine governors have caused pump failures. HE2. Problems include worn or loosened nuts, set screws, linkages or cable connections, oil leaks and/or contamination, and electrical failures of resistors, transistors, diodes and circuit cards, and erroneous grounds and connections.

. CF5. Control circuit failure has also occured at Callaway.

. Terry turbines with Woodward Model EG governort have been found to overspeed trip if full steam flow is allowed on startup. Sensitivity can be reduced '.f a startup steam bypass valve is sequenced to open first. del.

. Condensate slugs in steam lines have caused turbine overspeed trip on startup. Tests repeated right after such a trip may fail to indicate the problem due to warning and clearing of the steam lines.

Surveillance should exercise all steam supply connections. DE2.

Callany has experienced a similar f ailurc,

. Trip and throttle valve (TTV) problems (FC-HV-312) which have f ailed the turbine driven pump include physically bumping it, failure to reset ,t following testing, and f ailures to verify control room indication of reset. HE2. Whether either the overspeed trip or TTV trip can be reset without resetting the other, indication in the control room of TTV position, and unambiguous local indication of an overspeed trip affect the likelihood of these errors. DE3. Failure of the overspeed trip linkage to reset due to linkage binding has occurred at Callaway.

6

. Turbines with Woodward Model PG-PL governors have tripped on overspeed when restarted shortly after shutdown, uni:ss an onerator has locally exercised the speed setting knob to drain oil from the governor speed setting cylinder (per procedure). Automatic oil dump valves are now available through Terry. DE4. This is not a problem at Callaway because the governor is positioned by electronic speed reference signals therefore, control oil pressure decay is not a concern.

3.1.3 Motor Driven Pump A or B Fails to Start or Run

. Control circuits used for automatic and manual pump starting are an important cause of motor driven pump failures, as are circuit breaker failures. CF7.

. Hispositioning of handswitches and procedural deficiencies have prevented automatic pump start. HE3.

. At Callaway, high vibration has resulted from misalignment between a pump and its motor.

. Low lubrication oil pressure resulting from heatup due to previous operation has prevented pump restart due to failure to satisfy the protective interlock. DES.

3.1.4 Pumo Unavailable Due to Maintenance or Surveillance

. Both scheduled and unscheduled maintenance remove pumps from operability. Surveillance requires operation with an altered line-up, although a pump train may not be declared inoperable during I testing. Prompt scheduling and performance of maintenance and surveillance minimize this unavailability.

3.1.5 Air Operated Flow Control Valves Fail Closed TD Pumn Train: Al-HV-6.8.10.12 These normally-open air operated valves (A0Vs) control flow to the steam generators. They fail open on loss of Instrument Air.

. Control circuit problems have been a primary cause of failures, both at Callaway and elsewhere. CF9. Valve failures have resulted from blown fuses, f ailure of control components (such as current / pneumatic convertors), broken or dirty contacts, misaligned or broken limit switches, control power loss, and calibration problems. Degraded operation has also resulted from improper air pressure due to air regulator failure or leaking air lines.

7

. Out-of adjustment electrical flow controllers have caused improper valve operation, affecting multiple trains of AFW. CCl2. Callaway has experienced problems in individual trains.

. Leakage of hot feedwater through check valves has caused thermal binding of flow centrol MOVs. A0Vs may be similarly susceptible.

CF2.

. Inadequate air pressure regulation at Callaway has resulted in control valve failure to operate.

. Multiple flow control valves have been plugged by clams when suction switched automatically to an alternate, untreated scurce. CC9.

Although this particular problem has not occurred at Callaway, ,

unintended suction source switching h n occurred there due to human error.

3.1.6 Motor Operated Finw Control and holation Valves Fail Closed MD Pump Train Flow Control: AL-HV-5.7.9.11 ESW Suction isolation: AL HV-30.31.32.33.

CST Suction isoletion: Al-HV-34.35.36 These MOVs control flow to the steam generators and provide AFW pump suction isolation. The flow control valves and CST suctio:, valves are normally open and the ESW suction valves are normally closed. They all fail as-is on loss of power.

. Common cause failure of MOVs has occurred at Collaway and elsewhere, from failure to use electrical signature tracing equipment to determine proper settings of torque switch and torque switch bypass switches. Failure to calibrate switch settings for high torques necessary under design basis accident conditions has also been involved. CC11.

. Valve motors have been failed due to lack of, or improper sizing or use, of thermal overload protective devices. Bypassing and oversizing should be based on proper mgineering for desion basis conditions. CF4.

. Out-of-idjustment electrical flow controllers have caused improper discharge valve operation, affecting multiple trains of AFW. CCl2.

. Grease trapped in the torque switch spring pack of the operators of MOVs has caused motor burnout or thermal overload trip by preventing torque swit;h actuation. CF8. Similar failures have occurred at Callaway.

. Manually reversing the direction of motion of operating MOVs has overloaded the motor circuit. Operating procedures should provide 8

cautions, and circuit designs may prevent reversal before each stroke is finished. DE7.

. Space heaters designed for preoperation storage have been found wired in parallel with valve motors which had not been environmentally qualified with them present. DE8.

3.1.7 Manual Suction or Discharae Valves Fail Closed CST Discharae Valve: V015 TD Pumo Train: Valves V0ll.014: V055:

MD Pumn Trains: Valves V005.008: V031.043 These manual valves are normally locked open. Closure of the dirst valve listed would block suction from the CST for all AFW pumps. For each train, closure of the first valves would block suction from the essential service water system. Closure of the second set of valves would block all pump discharge except recirculation to the CST.

. Valve mispositioning has resulted in failures of multiple trains of AFW. CC2. It has also been the dominant cause of problems identified during operational readiness inspections. HEl. Events have occurred most often during maintenance, calibration, or system modifications. Important causes of mispositioning include:

. Failure to provide com;'ete, clear, and specific procedures for tasks and system restoration

. Failure to promptly revise and validate procedures, training, and diagrams following system modifications

. Failure to complete all steps in a procedure

. Failure to adequately review uncompleted procedural steps after task completion

. Failure to verify support functions after restoration

. Failure to adhere scrupulously to administrative procedures regarding tagging, control and tracking of valve operations

. Failure to log the manipulation of sealed valves

. Failure to follow good practices of written task assignment and feedback of task completion Information

. Failure to provide easily read system drawings, legible valve labels corresponding to drawings and procedures, and labeled indications of local valve position 3.1.8 Leakaae of Hot feedwater throuah Check Valves:

Discharae of MD Pumos A.B: TD Pumo: Valves V042.030: V0jL4.

tid Pumo Trains: V045.048.033.0M TD Pumo Trains: V057.062.061 & Z

. Leakage of hot feedwater through several check valves in series has caused steam binding of multiple pumps. Leakage through a closed level control valve in series with check valves has also occurred, 9

as would be required for leakage to reach the motor driven or turbine driven pumps. CC10

. Slow leakage past the final- check valve of a series may not force upstream check valves closed, allowing leakage past each of them in turn. Piping orientation and valve design are important factors in achieving true series protection. CF1.

3.2 Risk Imoortant AFW System Walkdown Table Table 3.1 presents an AFW system walkdown table including only components identified as risk important. This information allows inspectors to concentrate their efforts on components important to prevention of core damage. However, it is. essential to note that inspections should not focus exclusively on these components. Other components which perform essential functions, must also be addressed to ensure that their risk importances are not increased. Examples include the (open) steam lead isolation valves upstream of FC-HV-312, and an adequate water level in the CST.

10 l

% m- -

--.ee.. --,-7 rwn,- , e ,-f.s - --ee--v_-__ ____ __.,,,.,_.-- _x_s- ____.,___._,__m,mm_ . , , , _ _ _ _ _ _ __ _ _ _ _ _ _ . _ , _ _ . . , _ _ . _

- .. - - - - - - - - - - - - - . - - _ ~ - - _ . _ - _ . - _ . - _ . .-

r TABLE 3.1. Risk Importance AFW System Walkdown Table Required Actual I Component # Component Name Location Position Position  ;

Electrical  ;

A Motor Driven Pump Racked In/ i Closed i i

B Motor Driven Pump Racked In/ l Closed i Valve  :

V015 CST Outlet Locked Open l

Al-HV-30 MDP B ESW Suction Closed AL-HV-31 MDP A ESW Suction Closed AL HV-32 TDP ESW Suttien Cl sed AL-HV-33 TDP ESW Suction Closed Al-HV-34 HDP B CST Suction Open Al-HV-35 HDP A CST Suction Open AL-HV-36 TDP CST Suction Open $

V005 MDP B ESW lsolation Locked Open V008 MDP A ESW Isolation Locked Open f V011 TDP ESW lsolation Locked Open V014 TDP ESW lsolation Locked Open __

V031 MDP B Discharge Isolation Locked Open .__

V043 MDP A Discharge Isolation Locked Open l

V055 TDP Discharge Isolation Locked Open V028 MDP B Recirculation to CST Locked Open V040 MDP A Recirculation to CST Locked Open V052 TDP Recirculation to CST Locked Open 11 f

T w - --

, , , , , , , , - , , , , -<e, . - . , , . , . .,v-,-_, - - - - - -,, ------,-e

TABLE 3.1. Risk Importance AFW System Walkdown Table .

(Continued)

V032 AFW lsolition Valve Locked Open ,

V034 AFW lsolation Va'Ive Locked Open V035 AFW lsolation Valve 1ocked Open V037 AFW lsolation Valve Locked Open V044 AFW lsolation Valve Locked Open ,

l V046 AFW lsolation Valve Locked Open i l

V047 AFW lsolation Valve Locked Open i V049 AFW lsolation Valve Locked Open V056 AFW lsolation Valve Locked Open

)

V058 AFW isolation Valvc Locked Open V061 AFW lsolation Valve Locked Open V063 AFW lsolation Valve Locked Open ,

V066 AFW lsolation Valve Locked Open V068 AFW lsolation Valve Locked Open V071 AFW lsolation Valve Locked Open V073 AFW lsolation Valve Locked Open V076 MDP B Discharge Crosstie Locked Closed _

V077 MDP A Discharge Crosstie Locked Closed Al-HV-5 MDP B Flow Control to SG D Open Al-HV-7 MDP B Flow Control to SG A Open AL-HV-9 MDP A Flow Control to SG B Open __

Al-HV-Il MDP A Flow Control to SG C. Open AL HV-6 TDP Flow Control to SG D Open AL-HV-8 TDP Flow Control to SG A Open _ _ _ _

12 b 3 -- . -, ..._ _ . . - _ _ . , . - . . . . - - . . . . _ _ , . , . - - . . . . . .

_.._._._._.__._m___._~_._.

l TABLE 3.1. Risk Importance AFW System Walkdown Table (Continued)

Al-HV-10 TDP flow Control to SG B Open Al-HV 12 TDP flow Control to SG C Open

. AB-HV-5 TDP Main Steam Supply Closed _

, AB-HV-6 TDP Main Steam Supply Closed AB HV-48 TDP Main Steam Supply Bypass Open AC-HV 49 TDP Main Stream Supply Bypass Open FC-HV-312 TDP Trip and Throttle Supply Valve Closed FC-HV-313 TDP Trip and Throttle Valve Open V033 Piping Upstream of Check Valve Cool . , _ , ,

V036 Piping Upstream of Check Valve Cool V045 Piping Upstream of Check Valve Cool .

V048 Piping Upstream of Check Valve Cool V057 Piping Upstream of Check Valve Cool V062 Piping Upstream of Check Valve Cool V067 Piping Upstream of Check Valve Cool P

V072 Piping Upstream of Check Valve Cool t.

l 13

4.0 CENERIC RISK INSIGHTS FROM PRAs PRAs for 13 PWRs were analyzed to identify risk-important accident scquences involving loss of AFW, to identify and risk prioritize the component failure modes involved. The results of this analysis are described in this section. They are consistent with results reported by INEL and BNL (Gregg et al 1988, and Travis et al, 1988).

4.1 Risk Imoortant Accident Seouences involvina AFW System failure loss of Power System A loss of offsite nower is followed by failure of AFW. Due to lack of actuating power, the power operated relief valves (POR',%) eacnot be opened preventing adequate feed-and-bleed cooling, and resulting in core damage.

A station blackout fails all AC power except Vital AC fron DC invertors, and all decay heat removal systems except the turbine-driven AFW pump. AFW subsequently fails due to battery depletion or hardware failures, resulting in core damage.

A DC bus fails, causing a trip and failure of the power conversion system. One AFW motor-driven pump is failed by the bus loss, and the turbine-driven pump fails due to loss of turbine or valve control power. AFW is subsequently lost completely due to other failures.

Feed-and bleed cooling falls because PORV control is lost, resulting in core damage.

Transient-Caused Reactor or Turbine Trip A tra_asient-caused trin is followed by a loss of the power conversion system (PCS) and AFW. Feed-and-bleed cooling fails either due to failure of the operator to initiate it, or due to hardware failures, resulting in core damage.

Loss of Main Feedwater A feedwater lina break drains the common water source for MFW and AFW. The operators fail to provide feedwater from other sources, and f ail to initiate feed and-bleed cooling, resulting in cure damage.

A loss of main feedwater trips the plant, and AFW fails due to operator error and hardware failures. The operators fail to initiate feed-aad-bleed cooling, resulting in core damage.

Steam Generator Tube Runture (SGTR)

A SGTR is followed by failure of AFW. Coolant is lost from the primary until the refueling water storage tank (RWST) is depleted.

14

_ - __- _ . . . _ . . . _ . _ . _ . _ _ . . _ _ . _ _ _ _ _ _ _ . . ~ _ _

High pressure injection (HPI) fails since recirculation cannot be established from the empty sump, and core damage results.

4.2 Risk Irportant Component failure Modes The generic component failure modes identified from PRA analyses as important to AFW system failure are listed below in decreasing order of risk importance.

1. Turbine Driven Pump failure or Start or Run.

2. Motor-Driven Pump Failure to Start or Run.

3. TDP or HDP Unavailable due to Test or Maintenance.

4. AFW System Valve Failures steam admission valves trip and throttle valves flow control valves pump discharge valves pump suction valves valves in testing or maintenance.

5. Supply / Suction Sources

- condensate storage tank stop valve hot well inventory suction valves.

In addition to individual hardware, circuit, or instrument faildres, each of these failure modes may *esult from common causes and human errors.

Common cause f ailures of AFW pumps are particularly risk important.

Valve failures are somewhat less important due to the multiplicity of steam generators and connection paths. Human errors of greatest risk importance involve: failures to initiate or control system operation when required; failure to restore proper system lineup after maintenance or testing; and f ailure to switch to alternate sources when required.

15

5.0 FAILURE MODES DETERMINED FROM OPERATING EXPERIENCE This section describes the primary roo. cause of AFW system component failures, as determined from a review of operating aistories at Callaway and at other PWRs throughout the nuclear industry. Section 5.1 describes experience at Callaway. Section 5.2 summarizes information compiled from a variety of NRC sources, including AE00 analyses and reports, information notices, inspection and enforcement bulletins, and generic letters, and from a variety of INPO reports as well. Some Licensee Event Reports and NPRDS event descriptions were also reviewed individually. Finally, information was included from reports of NRC-sponsored studies of the effects of plant aging, which include quantitative analysis of AFW system failure reports. This information was used to identify the various root causes expected for the broad PRA-based failure events identified in Section 4.0, resulting in the inspection guidelines presented in Section 3.0.

5.1 Callaway Experience The AFW system components at Callaway have experienced approximately thirty-six failures since 1984. The following types of equipment have been involved: AFW pumps, pump discharge flow control and isolation valves, the turbine steam supply valves, turbine trip and throttle valves, and essential service water backup supply valves. Failure modes include electrical, instrumentation and control, hardware failures, and human errors.

5.1.1 Motor Driven Pumo Failure; There have been two events since 1984 that have resulted in failure of the motor driven pumps. Failure modes involved mechanical wear of pump packing and misalignment between the pump and motor resulting in high vibration.

5.1.2 Turbine Driven Pump Failures Six events have occurred since 1984 that have resulted in decreased operational readiness or spurious r, tarting of the turbine driven pump.

Failure modes involved failures in instrumentation and control circuits, system hardware failures, and mechanical wear. The turbine driven pump overspeed trip linkage has failed to reset properly due to binding caused by a dirty ball and tappet plunger and the turbine driven pump has also tripped on overspeed when a condensate slug passed through the turbine driver.

5.1.3 Flow Control a_ad Isolation Valve Failur_qi Approximately twenty-five events since 1984 have resulted in impaired operational readiness of the air and motor operated flow control valves, and motor operated isolation valves. Principal failure causes were equipment wear, corrosion, instrumentation and control circuit failures,' valve hardware failures, and human errors. Valves have failed to operate properly due to blown fuses, failure of control components (such as 1/P convartors), broken or !

dirty contacts, misaligned or broken limit switches, control power loss, and 16

operator calibration problems. Inadequate design operating setpoints for air pressure regulators has also caused control valves to f ail to operate. Human

errors have resulted in improper control circuit calibration and limit switch I adjustment.

5.1.4 ligm_an Errors There have been six significant events affecting the AFW system since 1984. Personnel have inadvertantly actuated the AFW pumps during testing, initiated AFW pump suction swapover to essential service water, and mispositioned control swit. , s during operation. Both personnel error and inadequate procedures have sen involved. Misunderstanding of operability requirements has resulted in equipment exceeding Technical Specification limits.

5.2 Industry Wide Experience Human errors, design / engineering problems and errors, and component failures are the primary root causes of AFW System failures identified in a review of industry wide system operating history. Common cause failures, which disable more than one train of this operationally redundant system, are highly risk significant, and can result from all of these ceases.

This section identifies important common cause failure modes, and then provides a broader discussion of the single failure effects of human errors, design / engineering problems and errers, and component failures. Paragraphs presenting details of these failure modes are coded (e.g., CC1) and cross-referenced by inspection items in Section 3.

5.2.1 Common Cause Failures The dominant cause of AFW system multiple-train f ailures has been human error. Design / engineering errors and component failures have been less frequent, but nevertheless significant, causes of multiple train f ailures.

h Human error in the form of incrrrect operator intervention into au' aatic ATW system functioning during transients resulted in the temporary loss of all safety-grade AFW pumps during events at Davis Besse (NUREG-1154, 1985) and Trojan (AE0D/T416, 1983). In the Davis Besse event, improper manual initiation of the steam and feedwater rupture control system (SFRCS) led to overspeed tripping of both turbine-driven AFW pumps, probably due to the introduction of condensate into the AFW turbines from the long, unheated steam supply lines. (The system had never been tested with the abnormal, cross-connected steam supply lineup which resulted.) In the Trojan event the operator incorrectly stopped both AFW pumps due to misinterpretation of MFW pump soeed indication. The diesel driven pump would not restart due to a protective feature requiring complete shutdown, and the turbine-driven pump tripped on overspeed, requiring local reset of the trip and throttle valve. In cases where manual intervention is required during the early stages of a transient, training should emphasize that actions should be performed methodically and deliberately to guard against such errors.

17

___ _ _ . - ___ _ m.___ _ _ . _ _ _ ._ _ -_._ __

E Valve mispositioning has accounted for a significant fraction of the human errors failing multiple trains of AFW. This includes closure of normally open suction valves or steam supply valves, and of isolation valves to sensors having control functions. Incorrect handswitch positioning and inadequate temporary wiring channes have also prevented automatic starts of multiple pumps. Factors identified in studies of mispositioning errors include failure to add newly installed valves tu valve checklists, weak administrative control of tagging, restoration, independent verification, and locked valve logging, and inadequate adherence to procedures. Illegible or confusing local valve labeling, and insufficient training in the determination of valve position may cause or mask mispositioning, and surveillance which does not exercise complete system functioning may not reveal mispositionings.

E At ANO-2, both AFW pumps lost suction due to steam binding when they were lined up to both the CST and the hot startup/ blowdown demineralizer efflunt (AE0D/C404,1984) . At Zion-1 steam created by running the turbine-driven pump deadheaded for one minute caused trip of a motor-driven pump sharing the same inlet header, as well as damage to the turbine-driven pump (Region 3 Morning Report, 1/17/90). Both events were caused by procedural inadequacies.

CC4. Design / engineering errors have accounted for a smaller, but significant fraction of common cause failures. Froblems with control circuit design modifications at Farley defeated AFW pump auto start on loss of main feedwater. At Zion-2, restart of both motor driven pumps was blocked by circuit failure to deenergize when the pumps had been tripped with an automatic start signal present (IN 82-01, 1982). In addition, AFW control circuit design reviews at Salem and Indian Point have identified designs where

, failures of a single component could have failed all or multiple pumps (IN 87-34,1987).

.C.CL Incorrect setpoints and control circuit settings resulting from analysis errors and failures to update procedures have also prevented pump start and <

caused pumps to trip spuriously. Errors of this type may remain undetected  !

despite surveillance testing, unless surveillance tests model all types of <

system initiation and operating conditions. A greater fraction of  ;

instrumentation and control circuit problems has been identified during actual  ;

system operation (as opposed to surveillance testing) than for other types of failures.

E On two occasions at a foreign plant, failure of a balance-of-plant inverter caused failure of two AFW pumps. In addition to loss of the motor driven pump whose auxiliar/ start relay was powered by the invertor, the turbine driven pump tripped on overspeed because the governor valve opened, allowing full steam flow to the turbine. This illustrates the importance of assessing the effects of failures of balance of plant equipment which supports

the operation of critical components. The instrument air system is another l exanple of such a system.

( CC7. Multiple AFW pump trips have occurred at Millstone-3, Cook-1, Trojcn and Zion-2 (IN 87-53, 1987) caused by brief, low pressure oscillations of saction 18

'-,.-+="r e-----*--ew-s-,wr.*-v,-w,,,. - - -

pressure during pump startup . These oscillations occurred despite the availability of adequate static NPSH, Corrective actions taken include:

extending the time delay associated with the low pressure trip, removing the ,

trip, and replacing the trip with an alarm and operator action.

E Design errors discovered during AFW system reanalysis at the Robinson plant (IN 89-30, 1989) and at Millstone-1 resulted in the supply header from the CST being too small to provide adequate NP5H to the pumps if more than one of the three pumps were operating at rated flow conditions. This could lead to multiple pump failure due to cavitation. Subsequent reviews at Robinson identified a loss of feedwater transient in which inadequate NPSH and flows less than design values had occurred, but which were not recognized at the time. Event analysis and equipment trending, as well as surveillance testing -

which duplicates service conditions as much as is gractical, can help identify such design errors.

E Asiatic clams caused failure of two AFW flow control valves at Catawba-2 when low suction pressure caused by rtarting of a motor driven pump caused suction source realignment to the Nuclear Service Water system. Pipes had not been routinely treated to inhibit clam growth, nor regularly monitorad to detect their presence, and no strainers were installed. The need for surveillance which exercises alternative system operational modes, ris well as complete system functioning, is emphasized by this event. Spurious suction switchover has also occurred at Callaway and at McGuire, although no failures resulted.

CC10, Common cause failures have also been caused by component failures (AE00/C404, 1984). At Surry-2, both the-turbine driven pump and one motor driven pump were declared inoperable due to steam binding caused by backleakage of hot water through multiple check valves. At Robinson-2 both motor driven pumps were found to be hot, and both motor and steam driven pumps were found to be inoperable at different times. Backleakage at Robinson-2 -

passed through closed motor-operated isolation valves in addition to multiple check valves. At Farley, both motor and turbine driven pump casings were found hot, although the pumps were not declared inoperable, in addition to multi-train failures, numerous incidents of single train failures have occurred, resulting in the designation of "Sieam Binding of Auxiliary Feedwater Pumps" as Generic Issue 93. This generic issue was resolved by Generic-Letter 88-03 (Miraglia, 1988), which required licensees to monitor AFW piping temperatures each shift, and to maintain procedures for recognizing steam binding and for restoring system operability.

CCll. Common cause failures have also failed motor operated valves. During the total loss of feedwater event at Davis Besse, the normally-open AFW isolation valves failed to open after they were inadvertently closed. The failure was due to improper setting of the torque switch bypass switch, which prevents motor trip on the high torque required to unseat a closed valve.

Previous problems with these valves had been addressed by increasing the torque switch trip setpoint - a fix which failed during the event due to the higher torque required due to high differential pressure across the valve.

Similar common mode failures of MOVs have also occurred in other systems, l resulting in issuance of Generic Letter 89-10, " Safety Related Motor-Operated i 19

Valve Testing and Surveillance" (Partlow, 1989). This generic letter requires licensees to develop and implement a program to provide for the testing, ,

inspection and maintenance of ell safety-related MOVs to provide assurance that they will function when subjected to design basis conditions.

CC12. Other component failures have also resulted in AfW multi-train failures. These include out-of-adjustment electrical flow controllers resultjng in improper discharge valve operation, and a failure of oil cooler cooling water supply valves to cpen due to silt accumulation.

5.2.2 Human Errors E The overwhelmingly dcminant cause of problems identified during a series of operational readiness evaluations of AFW system: was human performance. The majority of these human performance problems resulted from incomplete and incorrect procedures, particularly with respect to valve lineup information.

A study of valve mispositioning events involving human error identified failures in administrative control of tagging and logging, procedural compliance and completion of steps, verification of support systems, and inadequate procedures as important. Another study found that valve mispositioning events occurred most often during maintenance, calibration, or modification activities. Insufficient training in determining valve position, and in administrative requirements for controlling valve positioning were important causes, as was oral task assignment without task completion feedback.

R Turbine driven pump failures have been caused by human errors in calibrating or adjusting governor speed control, poor governor maintenance, incorrect adjustment of governor valve and overspeed trip linkages, and errors associated with the trip and throttle valve. TTV-associated errors include physically bumping it, failure to restore it to the correct position after testing, and failures to verify control room indication of TTV position following actuatien.

11EL Motor driven pumps have been failed by human errors in mispositioning handswitches, and by procedure deficiencies.

5.2.3 Desian/Encineerino Problems and Errors R As noted above, the majority of AFW subsystem failures, and the greatest -

relative system degradation, has been found to rcsult from turbine-driven pump '

failures. Overspeed trips of Terry turbines controlled by Woodward governors have been a significant source of these failures (AE0D/C602, 1986). In many cases these overspeed trips have been caused by slow response of a Woodward Model EG governor on startup, at plants where full steam flow is allowed immediately. This oversensitivity has been removed by installing a startup steam bypass valve which opens-first, allowing a controlled turbine acceleration and buildup of oil pressure to control-the governor valve when full steam flow is admitted.

afl. Overspeed trips of Terry turbines have been caused by condensate in the steam supply lines. Condensate slows down the turbine, causing the governor j 20

valve to open farther, and overspeed results before the governor valve can respond, after the water slug clears. This was determined to be the cause of the loss of-all-AFW event at Davis Besse (AE00/602, 1986), with condensation enhanced due to the long length of the cross connected steam lines. Repeated tests following a cold-start trip may be successful due to system heat up.

E Turbine trip and throttle valve (TTV) problems are a significant cause of turbine driven pump failures (IN 84-66). In some cases lack of TTV position indication in the control room prevented recognition of a tripped TTV. In other cases it was possible to reset either the overspeed trip or the TTV without reseting the other. This problem is compounded by the fact that the position of the overspeed trip linkage can be misleading, and the mechanism may lack labels indicating when it is in the tripped position

( AE0D/C602, 1986) .

Q1 Startup of turbines with Woodward Model PG PL governors within 30 minutes of shutdown has resulted in overspeed trips when the speed setting knob was not exercised locally to drain oil from the speed setting cylinder.

Speed control is based on startup with an empty cylinder. Problems have involved turbine rotation due to both procedure violations and leaking steam.

Terry has marketed two types of dump valves for automatically draining the oil after shutoown (AE0D/C602, 1986).

At Calvert Cliffs, a 1987 loss-of-offsite-power event required a quick, cold startup that resulted in turbine trip due to PG-PL governor stability problems. The short-term corrective action was installation of stiffer buffer springs (IN 88-09,1988). Surveillance had always been preceded by turbine warmup, which illustrates the importance of testing which duplicates service conditions as much as is practictl.

D E Reduced viscosity of gear box oil heated by prior operation caused failure of a motor driven pump to start due to insufficient lube oil pressure.

Lowering the pressure switch setpoint solved the problem, which had not been ,

detected during testing.

QL6 62 Waterhammer at Palisades resulted in AFW line and hanger damsge at both steam generators. The AFW spargers are located at the normal steam generator level, and are frequently covered and uncovered during level fluctuations.

Waterhammers in top-feed-ring steam generctors resulted it, main feedline rupture at Maine Yankee and feedwater pipe cracking at indian Point-2 (IN 84-32,1984).

DE Manually reversing the direction of motion of an operating valve has resulted in MOV f ailures where such le3 ding was not considered in the design (AE0D/C603, 1986). Control circuit design may prevent this, requiring stroke completion before reversal.

DEfL At each of the units of the South Texas Project, space heaters provided by the vendor for use in preinstallation storage of MOVs were found to be wired in parallel to the Class IE 125 V DC motors for several AFW valves (IR 50-489/89-11; 50-499/89-11, 1989). The valves had been environmentally qualified, but not with the non-safety-related heaters energized.

21

5.2.4 f_omponent Failures Generic Issue ll.E.6.1, "In Situ Testing Of Valves" was divided into four sub-issues (Beckjord, 1989), three of which relate directly to prevention v AFW system component failure. At the request of the NRC, in-situ testine check valves was addressed by the nuclear industry, resulting in the EPR1 report, " Application Guidelines for Check Valves in Nuclear Power Plants (Brooks, 1988)." This extensive report provides information on check valve applications, limitations, and inspection techniques. In-situ testing of MOVs was addressed by Generic Letter 89-10, " Safety Related Motor-Operated Valve Testing and Surveillance" (Partlow,1989) which requires licensees to develop and implement a program for testing, inspection and maintenance of all safety-related MOVs. " Thermal Overload Protection for Electric Motors on Safety-Related Motor-0perated Valves - Generic issue II.E.6.1 (Rothberg, 1988)"

concludes that valve motors should be thermally protected, yet in a way which emphasizes system function over protection of the operator.

A The common-cause steam binding effects of check valve lot.%ge were identified in Section 5.2.1. entry CC10. Numerous single-train events provide additional insights into this problem. In some cases leakage of hot MFW past multiple check valves in series has occurred because adequate valve-seating pressure was limited to the valves closest to the steam generators (AE0D/C404, 1984). At Robinson, the pump shutdown procedure was changed to delay closing the M0Vs until after the check valves were seated. At Farley, check valves were changed from swing type to lift type. Check valve rework has been done at a number of plants. Different valve designs and manufacturers are involved in this problem, and recurring leakage has been experienced, even after repair and replacement.

E At Robinson, heat % af motor operated valves by check valve leakage has caused thermal binding and failure of AFU discharge valves to open on demand.

At Davis Besse, high differential pressure across AFW injectioe valves resulting from check valve leakage has prevented M0V operation (AE00/C603, 1986).

CF3. Gross check valve leakage at McGuire and Robinson caused overpressurization of the AFW suction piping, At a foreign PWR it resulted in a severe waterhammer event. At Palo Verde-2 the MFW suction piping was overpressurized by check valve leakage from the AFW system (AE00/C404,1984).

Gross check valve leakage through idle pumps represents a potential diversion of AFW pump flow.

R Roughly one third of AFW system failures have been due to valve operator failures, with about equal failures for MOVs and A0Vs. Almost half of the MOV failures were due to motor or switch failures (Casada, 1989). An extensive study of MOV events (AE0D/C603, 1986) indicates continuing inoperability problems caused by: torque switch / limit switch settings, adjustments, or failures; motor burnout; improper sizing or use of thermal overload devices; premature degradation related to inadequate use of protective devices; damage due to misuse (valve throttling, valve operator hammering); mechanical problems (loosened parts, improper assembly); or the torque switch bypass circuit improperly installed or adjusted. The study concluded that current 22

4 methods and procedures at many plants are not adequate to assure that MOVs will operate when needed under credible accident conditions. Specifically, a surveillance test which the valve passed might result in undetected valve inoperability due to component failure (motor burnout, operator parts failure, stem disc separation) or improper positioning of protective devices (thermal overload, torque switch, limit switch). Generic Letter 89-10 (Partlow, 1989) has subsequently required licensees to implement a program ensuring that MOV switch settings are maintained so that the valves will operate under design basis conditions for the life of the plant.

UL Component problems have caused a significant number of turbine driven pump trips (AE00/0602, 1986). One group of events involved worn tappet nut faces, loose cable connections, loosened set screws, improperly latched TTVs, and improper assembly. Another involved oil leaks due to component or seal failures, and oil contamination due to poor maintenance activities. Governor oil may not be shared with turbine lubrication oil, resulting in the need for separate oil changes. Electrical component failures included transistor or resistor failures due to moisture intrusion, erroneous grounds and connections, diode f ailures, and a faulty circuit card.

U L Electrohydraulic-operated discharge valves have performed very poorly, and three of the five units using them have removed them due to recurrent failures. Failures included oil leaks, contaminated oil, and hydraulic pump failures.

CF7. Control circuit failures were the dominant source of motor driven AFW pump failures (Casada, 1989). This includes the controls used for automatic and manual starting of the pumps, as opposed to the instrumentation inputs.

Most of the remaining problems were due to circuit breaker failures.

UL " Hydraulic lockup" of Limitorque SMB spring packs has prevented proper spring compression to actuate the M0V torque switch, due to grease trapped in the spring pack. During a surveillance at Trojan, failure of the torque switch to trip tha TTV motor resulted in tripping of the thermal overload device, leaving the turbine driven p.mp inoperable for 40 days until the next surveillance (AE0D/E702, 1987). Problems result from grease changes to EXXON NEBULA EP-0 grease, one of only two greases considered environmentally qualified by Limitorque. Due to lower viscosity, it slowly migrates from the gear case into the spring pack, Grease changeover at Vermont Yankee affected 40 of the v.cer MOVs of which 32 were safety related.

Grease relief kits are needed for MOV operators manufactured before 1975. At Limerick, additional grease relief was required for i40Vs manufactured since 1975. MOV refurbishment programs may yield other changeovers to EP-0 grease.

U1 For AFW systems using air operated valves, almost half of the system degradation has resulted from failures of the valve controller circuit and its instrument inputs (Casada, 1989). Failures occurred predominantly at a few units using automatic electronic controllers for the flow control valves, with the majority of failures due to electrical hardware. At Turkey Point-3, controller malfunction resulted from water in the Instrument Air system due to maintenance inoperability of the air dryers.

23

__ -- ,,._ _ - . _ . . _ _ , . . . _ , . . . , . . .- ..,__.-..,,,,.m.. , _ . , _ . , . , ,,_,.g__ ,, _,. .-y__m

Cfl0. For systems using diesel driven pumps, most of the failures were due to start control and governor speed control circuitry. Half of these occurred on demand, as opposed to during testing (Casada, 1989). -

CFll. For systems using A0Vs, operability requires the availability of i instrument Air, backup air, or backup nitrogen. However, NRC Maintenance Team l Inspections have identified inadequate testing of check valves isolating the safety-related portion of the IA system at several utilities (letter, Roe to Richardson). Generic Letter 88-14 (Hiraglia, 1988), requires licensees to vei:fy by test that air-operated safety-related components will perform as expected in accordance with all design basis events, including a loss of normal IA.

t

s b

24 I

,%,-~- -,,,,,y,w-3. _ , - ..~.,.,,s-,.-_..,_.e,

~-_r,.... . ~ . , .w.,___....,,__- ,,,_,..._....,._,.ym.,.-- _. , . . . , ..m- _.,.., ,

6.0 REFERENCES

Beckjord. E. S. June 30, 1989. Closecut of Generic issue 11.E.6.1. "in Situ Testina of Valves". Letter u V. Stello, Jr., U.S. Nuclear Regulatory Commission, Washington, DC.

Brooks, B. P. 1988. Application Guidelines for Check Valves in Nuclear Power Plants. NP-5479, Electric Power Research Institute, Palo Alto, CA, Casada, D. A. 1989. Auxiliary feedwater System Aoina Stydv. Volume 1.

Operatina Experience and Current Monitorina Practices. NUREG/CR-5404. U.S.

Nuclear Regulatory Commission, Washington, DC.

Gregg, R. E. and R. E. Wright. 1988. Appendix Review for Dominant Generic Contributors. BLB-31-88. Idaho National Engineering Laboratory, Idaho Falls, Idaho.

Miraglia, ~ J. February 17, 1988. Resolution of Generic Safety issue 93.

" Steam Bind,na of Auxiliary Feedwater Pumps * (Generic Letter 88-03). U.S.

Nuclear Regulatory Commission, Washington, DC.

Miraglia, F. J. August 8, 1988. Instrument Air Supply System Problems F*1ctina Safety R</rlated Eouipment (Generic Letter 88-14). U.S. Nuclear

.latory Commission, Washington, DC.

Partlow, J. G. June 28, 1989. Sjlfety-Related Motor Operated Valve Testina and Surveillance (Generic letter 89-10). U.S. Nuclear Regulatory Commission, Washington, DC.

Rothberg, O. June 1988. Thermal Overload Protection for Elect _rf c Motors on Safety-Related Motor-0perated Valves - Generic issue ll.E.6.1. NUREG-1296.

U.S. Nuclear Regulatory Commission, Washington, DC.

Travis, R. and J. Taylor. 1989. Development of Guidance for Generic.

Functionally Oriented PRA-Based Team Inspections for BWR Plants-ldentification of Risk-Imnortant Systems. Components and Human Actions. TLR-A-3874-TGA Brookhaven National Laboratory, Upton, New York.

AE00 Reports AE00/C404. W. D. Lanning. July 1984. Steam Bindina of Auxiliary Feedwater Pumns. U.S. Nuclear Regulatory Commission, Washington, DC.

AEOD/C602. C. Hsu. August 1986. Operational Experience involvino Turbine Oversneed Trios. U.S. Nuclear Regulatory Commission, Washington, DC.

AE0D/C603. E. J. Brown. December 1986. A Review of Motor-0perated Valve Performance. U.S. Nuclear Regulatory Commission, Washington, DC.

AEOD/E702. E. J. Brown. March 19, 1987, MOV Failure Due to Hydraulic Lockuo From Excessive Grease in Sorina Pack. U.S. Nuclear Regulatory Commission, Washington, DC.

AEOD/T416. January 22, 1983. Loss of ESF Auxiliary Feedwater Pump Capability l at Troian on January 22. 1983. U.S. Nuclear Regulatory Commission, Washington, DC.

25 i

. . . _ , . , _ . . . . _ - _....,-_--_.__m,... . . , . - _ _

_ _ . , , _ _ _ _ _ . _ . , _ . _ _ _ - _ . . ~ , , . _ _ . - _ _ _ . _ . - . _ , . . _ - . . , - _ .

informat ion Not ices i IN 82 01. Januar.s 22, 1982. Auxiliary Feedwater Pumo Lockout Resultina from Westinahouse W 2 Switch Circuit Modification. U.S. Nuclear Regulatory Commission, Washington, DC.

IN 84-32. E. L. Jordan. April 18, 1984. Auxiliary Feedwater Soarqer and l Pine Hanaar Damaae. U.S. Nuclear Regulatory Commission, Washington, DC.

i IN 84-66. August 17, 1984. Vndetected Unavailability of the Turbine-Driven i Aqxiliary Feedwater Train. U.S. Nuclear Regulatory Commission, Washington, .

DC.

l IN 87-34. C. E. Rossi. July 24, 1987. Sinale Failures in Auxiliary '

Feedwater Systems. U.S. Nuclear Regulatory Commission, Washington, DC. l 1

IN 87-53. C. E. Rossi. October 20, 1987. Auxiliary Feedwater Pump Trios i Resultino from low Suction Pressure. U.S. Nuclear Regulatory Commission, I Washington, DC. I IN 88-09. C. E. Rossi. March 18, 1988. Reduced Reliability of Steam-Driven Auxiliary Feedwater Pumos Caused by Instat'ility of Woodward PG-PL lyne Governors. U.S. Nuclear Regulatory Commission, Washington, DC.

IN 89-30. R. A. Azua. August. 16, 1989. Robinson Unit 2 Inadeouate NPSH of Auxiliary Feedwater Pgmas. Also, Event Notification 16375, August 22, 1989.

U.S. Nuclear Regulatory Commission, Washington, DC.

Inspection Report IR 50-489/89 11; 50-499/89-11. May 26, 1989. South Texas Pro _iect inspection Report. U.S. Nuclear Regulatory Commission, Washington, DC.

NUREG Report NUREG-ll54, 1985. loss of Main and Auxiliary Feedwater Event at the Davis Besse Plant on June 9. 1985. U.S. Nuclear Regulatory Commission, Washington, DC.

1 26

DISTRIBUTION No. of No of Copies [gpiqi 0FFSITE 4 Callaway Resident Jnspectors Office

, U.S. Nuclear Reaulatoty

[ommission U.S. Nuclear Reaulatory ,

Commission - Reaion 3 A. El Bassoni OWFN 10 E4 E. Greenman 2 H. Miller W. D. Beckner W. D. Shafer OWFN 10 E4 0FFSITE K. Campe 0WFN 10 E4 J. H. Taylor Brookhaven National Laboratory J. Chung Bldg. 130 OWFN 10 E4 Upton, NY 11973 F. Congel R. Gregg OWFN 10 E2 EG&G Idaho, Inc.

P. O. Box 1625 M. C. Cullingford Idaho Falls, ID 83415 OWFN 12 Gi8 Dr. D. R. Edwards B. K. Grimes Professor of Nuclear Engineering OWFN 9 A2 University of Missouri - Rolla Rolla, M0 65401 J. N. Hannon 0WFN 13 E21 ONSITE 10 S. M. Long 26 Eagific Northwest laborator.y OWFN 10 E4 S. R. Doctor M. D. Lynch L. R. Dodd 0WFN 13 E21 B. F. Gore (10)

N. E. Moffitt (5)

M. W. Peranich B. D. Shipp OWFN 12 D22 F. A. Simonen T. V. Vo W. T. Russell Publishing Coordination 0WFN 12 G18 Technical Report File (5) 2 K. S. West OWFN 12 H26 Distr.1

us Nucts An atout Atony coweissioN i ge eomu ass ,, Ngt;

~

Ni E" BIBLIOGRAPHIC DATA SHEET ts= ,mr wr.om .,, ,* m,"'

NURUG/CR-5763 2 Tatt ANo sustatt PNL-7725 Auxiliary Feedwater System Risk-Based Inspection Guide for the Callaway Nuclear Power Plant 3 oaf t asPoni Pusussio us . j August 3991 4 FIN OR GH ANI NUVeta L1310

6. AU1MOR55, 6 T YPt OF REPORT N. E. hoffitt, l'. . F . C o r e , T . V. Vo

'rechni cal rPtnioocovtato,,m ,.eo,w 3/91 to 7/91 e n n,On umo Onc ANiz AT ios - Nau 6 AN o Aco n t ss <n aac- o. a. o" a- u s =- - ae,-== c--- ~ ~* -- c ~~' . e+--

fnyvee esp # frieekered ese44kj Pacific Northwest Laboratory Richland, WA 99352 e $PO onn e, aerea, u s =,eme, a p.,wm ce ,s e*.

gDRG ANil ATION - N AM t AND A DD R ESS m enc. syn 4.= e eae.r, u rear,mi,, ,,.ece wac o..

Division of Radiation Protection and Emergency Preparedness Office of Nuclear Reactor Regulation U.S. Nuclear Regulatory Commission Washington, DC 20555 10, $UPPLI.ME NT ARY NOT15

11. ABST MACT (soo <es er ==i in a study sponsored by the U.S. Nuclear Regulatory Commission (NRC),

Pacific Northwest Laboratory has developed and applied a methodology for deriving plant-specific risk-based inspection guidance for the auxiliary feedwater (AfW) system at pressurized water reactors that have not undergone probabilistic risk assessment (PRA). This methodology uses existing PRA results and plant operating experience information. Existing PRA-based inspection guidance information recently developed for the NRC for various plants was used to identify generic component failure modes. This information was then combined with plant-specific and industry-wide component information and failure data to identify failure modes and failure mechanisms for the AFW system at the selected plants. Callaway was selected as the eleventh plant for study. The product of this effort is a prioritized listing of AfW failures which have occurred at the plant and at other PWRs. This listing is intended for use by NRC inspectors in the preparation of inspection plans addressing AfW risk-important components at the Callaway plant.

12. E t Y WORDS/DESCR :P10H S toen ewes or nar eae, .m e.sar ee.eewaws a secessae sae sev=<,,, 2 3 A v 64^84'i ' lia i k M* '* I Unlimited Inspection, Risk, PRA, Callaway, Auxiliary Feedwater (AFW) ,,,,,,,g,u,,,,g,,,

< r a., +.ee, Unclassified e rs. ama,,

Unclassified Ib. NUM8t R OF PAGli 16 PRICE asce comu 3n o sei l

A

• A imA. -_._..s. _s_. _2 ,

i THIS DOCUMENT WAS PRINTED USING RECYCLED PAPER

[

UNITED STATES seic t 00 1 ct *> s eiii < y NUCLEAR REGULATORY COMMISSION *" ^is'J" ' * z WASHINGTON, D.C. 20555 ,,,,, , c, s, @

n M

OFFICIAL BU$lNE*S PENALTY FOR PRIVATE USE,4300 &

4 190555139531 1 la'5IRb u? rPC-0An" o c. T ! n t,5 SVCI TPS-PO " '* U R o - 2 ? '- vc  ?!555 W t. S a l N G T O N C

d e-N x-e, M

"b em n

kv d, {

z c

?

,mn hM e

" Y tri 490; Z

O 5

e m

'v1 O

m i

I

--- - - _--- _