Auxiliary Feedwater System RISK-BASED Inspection Guide for the Byron and Braidwood Nuclear Power Plants

ML20091D173
Person / Time
Site:	Byron, Braidwood
Issue date:	07/31/1991
From:	Gore B, Moffitt N, Vo T Battelle Memorial Institute, PACIFIC NORTHWEST NATION
To:	Office of Nuclear Reactor Regulation
References
CON-FIN-L-1310 NUREG-CR-4427, PNL-7492, NUDOCS 9108130320
Download: ML20091D173 (35)
v • d • e

Text

- -. . - - - - - .. . . - - .-- . . .- - . . .

NUREG/CR-4427 l PNL-749?  !

Auxiliary Feedwater System Risk-Based Inspection Guic e for the Byron and Braidwooc Nuclear Power Plants l

l

[. INI f ftt, B. F. Gore, T. V. Vo '

i Pacific Northwest Laboratory Operated by Battelle Memorial Institute l

Prepared for U.S. Nuclear Regulatory Commission l

hD DO 05 O 454-O PDR

l AVAILADlLITY NOTICE Availabitity of Reference Matenals Cded en NRC Pubications Most documents cited in NRC pubkcations wtli be available from one of the fonowdng sources:

1. The NRC Pubec Document Room, 2120 L Street, NW, Lower Level, Washingt n, DC 20555

2. The Superintendent of Documents, U.S. Government Printing C* ice, P.O. Box 37082 Washington, DC 20013-7082

3. The National Technical information Seroce, Springfield, VA 22161 Although the Esting that follows represents the majority of documents cited in NRC publicat6ons, it is not intended to be exhaustive.

Referenced documents available for hspection and copying for a fee from the NRC Pubuc Document Room include NRC correspondence and htema! NRC memoranda; NRC Office of Inspection and Enforcement bulletins, circulars, Information notices, inspection and investigatlon notices: Ucensee Event Reports; ven-dor reports and correspondence: Commission papers; and applicant and Ecensee docurnents and corre-spondence.

The foBowing documents in the NUREG series are avsaable for purchase from the GPO Sales Program:

formal NRC staff and contractor reports, NRC-sponsored conference proceedings, and NRC booklets and brochures. A}sn ava8able are Regulatory Guides, NRC regulatlons in the Code of federal Regulations, and Nuclear Regulatory Commission issuances.

Documents available from the National Technical information Service include NUREG series reports and technica! reports prepared by other ft detal agencies and reports prepared by the Atomic Energy Comrnis-sion, forarunner agency to the Nuclear Regulatory Commission.

Documents ava!!able from pubilc and special technical Rbraries include all open uterature items, such as books, journal and periodical articles, and transactions. Federal Register notices, federal and state legista-tion, and congressional reports can usualry be obtained from these Ebraries.

Documents such as theses, dissertations, foreign reports and translations, and non-NRC conference pro- I ceedings are avanable for purchase from the organtzation sponsoring the pubhcation etted.

Single copies of NRC draft reports are avalable free, to the extent of supp?y, upon written request to the Offee of information Resources Management, Distribution Section, U.S. Nuclear Regulatory Commission, Washington. DC 20555.

Copies of industzy codes and standards used in a substantive manner in the NRC regulatory process are maintained at the NRC Library,7920 Norfolk Avenue, Bethesda, Maryland, and are avaliable there for refer-ence use by the pubhc. Codes and standards are usually copyrighted and may be purchased from the originating organization or, if they are American National Standards, from the American National Standards institute,1430 Broadway, New Yori . NY 10018.

I DISCLAIMER NOTICE This report was prepared as an account of work sponsored by an agercy of the United States Govemment.

Neither the United States Govemment nor any agency thereof, or any of their employees, makes any warranty, expresed or implied, or assumes any legal habi'ity of responsibihty for any third part/s use, or the resutts of such use, of any information, apparatus, product or process disclosed in this repor1, or represents that its use by such third party would not infringe privately owned rights.

l

l NUREG/CR-4427 PNL-7492 Auxiliary Feedwater System Risk-Based Insaection Guide for the Byron and Braidwood Nuclear Power Plants Manuscript Completed: February 1991 Date Published: July 1991 Prepared by N. E. Moffitt, B. F. Gore, T. V, Vo Pacific Northwest laboratory ~

Richland, WA 99352 Prepared for Division of Radiation Protection and Emergency Preparedness Office of Nuclear Reactor Regulation U.S. Nuclear Regulatory Commission Washington, DC 20555 NRC FIN L1310

l

{

SUMMARY

This document presents a compilation of auxiliary feedwater (AFW) system failure information which has been screened for risk significance in terms of failure frequency and degradation of system performance. It is a risk-prioritized listing of failure events and their causes that are significant enough to warrant consideration in inspection planning at the standardized nuclear pc,wer plants at Bryon and Braidwood. These plants are described in the common final safety analysis report (FSAR) as being as nearly identical as site characteristics permit. This information is presented to provide inspectors with increased resources for inspection planning at Byron /Braidwood.

The risk importance of various component failure modes was identified by analysis of the results of probabilistic risk assessments (PRAs) for many pressurized water reactors (PWRs). However, the component failure categories identified in PRAs are rather broad, because the failure data used in the PRAs is an aggregate of many individuals failures having a variety of root causes.

In order to help inspectors to focus on specific aspects of component operation, maintenance and design which might cause these failures, an extensive review of component failure information was performed to identify and rank the root causes of these component failures. Both Byron /Braidwood and industry-wide failure information was analyzed. Failure causes were sorted on the basis of frequency of occurrence and seriousness of consequence, and categorized as common cause failures, human errors, design problems, or component failures.

This information is presented in the body of this document. Section 3.0 provides brief descriptions of these risk-important failure causes, and Section 5.0 presents more extensive discussions, with specific examples and references. The entries in the two sections are cross-referenced.

An abbreviated system walkdown table is presented in Section 3.2 which '

includes only components identified as risk important. This table lists the system lineup for normal, standby system operation.

This information permits an inspector to concentrate on components important to the prevention of core damage. However, it is important to note that

• inspections should not focus exclusively on these components. Other components which perform essential functions, but which are not included because of high reliability or redundancy, must also be addressed to ensure y that degradation does not increase their failure probabilities, and hence their risk importances, iii

l

[QNTENTS

SUMMARY

........................................................ iii 1.0 IN1R000CTION ............................................... 1 2.0 BYRON /BRAIDWOOD AFW SYSTEM ................................. 2 2.1 SYSTEM DESCRIPTION ...................... ............ 2 2.2 SUCCESS CRITERION .................................... 4 2.3 SYSTEM DEPENDENCIES .................................. 4 2.4 -0PERATIONAL CONSTRAINTS .............................. 4 3.0 INSPECTION GUIDANCE FOR THE BYRON /BRAIDWOOD AFW SYSTEM .... 5 3.1 RISK IMPORTANT AFW COMP 0NENTS AND FAILURE MODES ...... 5 3.1. 3. MULTIPLE PUMP FAILURES DUE TO COMMON CAUSE ......................................... 5 3.1.2 MOTOR DRIVEN PUMP OR DIESEL DRIVEN PUMP FAILS TO START ........................... 6 3.1.3 PUMP A OR B UNAVAILABLE DUE TO MAINTENANCE OR SURVEILLANCE ................... 6 3.1.4 AIR OPERATED VALVES FAIL CLOSED ................ /

3.1.5 MOTOR OPERATED ISOLATION VAVLES FAIL CLOSED ................................... 7 3.1.6 MANUAL SUCTION OR DISCHARGE VAVLES FAIL CLOSED ................................... B 3.1.7 LEAKAGE OF HOT FEEDWATER THROUGH CHECK VALVES .................................. 8 3.2 RISK IMPORTANT AFW SYSTEM WALKDOWN TABLE .............. 9 4.0 GENERIC RISK INSIGHTS FROM PRAs ............................ 13 y

i l

CONTENTS (Continued) 4.1 RISK IMPORTANT ACCIDENT SEQUENCES INVOLVING AFW SYSTEM FAILURE ........................................ 13 4.2 RISK IMPORTANT COMPONENT FAILURE MODES ................ 14 15 5.0 FAILURE MODES DETERMINED FROM OPERATING EXPERIENCE .........

15 5.1 BYRON /BRAIDWOOD EXPERIENCE ............................

5.1.1 MOTOR-DRIVEN PUMP FAILURES ..................... 15 5.1.2 DIESEL DRIVEN PUMP FAILURES .................... 16 5.1.3 FLOW CONTROL AND ISOLATION VAVLE FAILURES ...... 16 5.1.4 AFW VALVE FAILURES ............................. 16 5.1.5 HUMAN ERRORS ................................... 16 17 5.2 INDUSTRY WIDE EXPERIENCE ..............................

5.2.1 COMMON CAUSE FAIULRES ............... ...... ... 17 5.2.2 HUMAN ERROPS ................................... 20 5.2.3 DESIGN / ENGINEERING PROBLEMS AND ERRORS ......... 20 5.2.4 COMPONENT FAILURES ............................. 22 REFERENCES ...................................................... 25 vi

l.0 INTRODUCTION This document is the fourth of a series providing plant-specific inspection guidance for auxiliary feedwater (AFW) systems at pressurized water reactors (PWRs). This guidanct is based on information from probabilistic risk assessments (PRAs) for similar PWRs, industry-wide operating experience '

with AFW systems, plant-specific AFW system descriptions, and plant-specific opcrating experience, it is not a detailed inspection plan, but rather a compilation of AFW system failure information which has been screened for risk significance in terms of failure frequency and degradation of system performance. The result is a risk-prioritized listing of failure events and their causes that are significant enough to warrant consideration in inspection planning at the Byron /Braidwood plants.

This inspection guidance is presented in Section 3.0, following a description of the Byron /Braidwood AFW system in Section 2.0. Section 3.0 identifies the risk important system components by Byron /Draidwood identification number, followed by brief descriptions of each of the various failure causes of that component. These include specific human errors, design deficiencies, and hardware failures. The discussions also identify where common cause failures have affected multiple, redundant components. These brief aiscussions identify specific aspects of system or component design, operation, maintenance, or testing for inspection by observation, records review, training o'servation, o procedures review, or by observation of the implementation of procedures. An AFW system walkdown table identifying risk important components and their lineup for normal, standby system operation is also provided.

The remainder of the document describes and discusses the information used in compiling this inspection guidance. Section 4.0 describes the risk importance information which has been derived from PRAs and its sources. As review of that section will show, the failure categories identified in PRAs are rather broad (e.g., pump fails to start or run, valve fails closed).

Section 5.0 addresses the specific failure causes which have been combined under these categories.

AFW system operating history was studied to identify the various specific failures which have been aggregated into the PRA failure mode categories.

Section 5.1 presents a summary of failure information from Byron /Braidwood, and Section 5.2 presents a review of industry-wide failure information. The industry-wide information was compiled from a variety of NRC sources, including AE00 analyses and reports, information notices, inspection and enforcement bulletins, and generic letters, and from a variety of INP0 reports as well. Some Licensee Event Reports and NPRDS event descriptions were also reviewed individually. Finally, information was included from reports of NRC-sponsored studies of the effects of plant aging, which include quantitative analyses of reported AFW system failures. This industry-wide information was then combined with the plant-specific failure information to identify the various root causes of the PRA failure categories, which are identified in Section 3.0.

1

2.0 BYRON /BRAIDWOOD AFW SYSTEM This section presents an overview of the Byron /Braidwood AFW systems, including a simplified schematic system diagram, in addition, the system success criterion, system dependencies, and administrative operational constraints are also presented.

2.1 System Description

The AFW system consists of two full capacity pumping subsystems; one utilizes an electric motor driven pump and the other uses a diesel engine driven pump. The diesel driven pump has parallel, redundant, DC starting circuits, each capable of independently starting it. However, mechanical failure of one of the two starting motors would fail the starting system.

Either of the two AFW pumps supplying feedwater to the four steam generators (SG) will provide secondary-side heat removal from the primary system when main feedwater is unavailable. The syster

• Sapable of functioning for extended periods, which allows time to resure main feedwater flow or to proceed with an orderly cooldown of the plant to the point where the residual heat removal (RHR) system can remove decay heat. A simplified schematic of the Byron /Braidwood AFW system is shown in Figure 2.1.

The system is designed to start up and establish flow automatically.

Both pumps will start on receipt of a steam generator low-low level signal, any SI signal, or an undervoltage condition on 2 of 4 reactor coolant pump buses. In addition, the motor driven pump starts in its assigned sequence if the emergency diesel generator (EDG) starts due to an undervoltage condition on engineered safeguards (ESF) bus 141.

Feedwater is supplied to esch AFW pump from a separate header off of the Condensate Storage Tank (CST). The common CST suction header to the AFW pumps has a vent line connection s ich mitigates the negative suction pressure transient experienced during a motor-driven pump start. Isolation valves in these lines are locked open. Power, control, and instrumentation associated with the motor driven and diesel driven pumps are independent from one another. Each AFW pump is equipped with a recirculation fic. system to the CST which prevents pump deadbeading. The essential service water recirculation system (SX) provides backup if it is needed. At Byron, SX recirculation flow is directed to a cooling tower and at Braidwood, the SX recirculation flow is directed to a cooling pond.

The discharges of the AFW pumps feed all four steam generators either simultaneously or, in the event of a failure in a pumping subsystem, individually. Flow from each pump discharges through a normally open discharge valve, AF-004A or B, into two separate AFW headers which supply the four steam generators. Each of the eight lines to the SGs contains a flow-limiting orifice that ensures AFW flow will be provided to the intact steam generators if one is faulted and also prevents pump runout. Flow control (

valves AF-005A-H, in the eight lines are pneumatic, but can also be operated manually using DC control power from the remote shutdown panel, or locally using valve handwheels. Each line has a check valve, AF-014A-H, to prevent 2

HF004H TEf1PERING CD200 HF002H _

- 1 088 S T Eftti CENEhnTOR

~

f tFOC50 H7 01343 4214pt Et1ERC ENCY te k itF005 E fire 13E el4E TEMPERING SUPPLY i

RFe22H ,

UEn STEHet GEteERHTOR f tFue5 8 fire 13 e eggs "

TELL CST

~

D IIH flFe24 flFeOS F fire 13 r 814F 70 FLOs4 flF017B flF66GB

!$f"o _ .

lg h" (1 Fee 5 C fife 13C' JS4C C i

L.C,- -

h ar-.h., mi4 "Q 1e & Q a itFOOSO HFe 130 et40 g TEtlPERIHO Ftou

} , ,t,.

=H i -

g g-  ;

HFee5D HFe s3 D e14D STORACE *

H,804, m i -,

dit}-t@ h' g

.. H, ee. . . ,,F e . . . . e ,4 .

,,,,, H,,,,,

Figure 2.1 BYRON \BRAIDWOOD AUXILIARY FEEDWATER SYSTEM

l l

reverse flow and a normally open motor operated isolation valve, AF-013A-H, used to isolate the system on high steam generator flow.

The condensate storage tank is the normal source of water for the AFW system and is required to store a sufficient quantity of demineralized water to maintain the reactor coolant system (RCS) at hot standby conditions for 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> with steam discharge to atmosphere and then to cool it to 350 degrees Fahrenheit, at which point the RHR system is put in service. All tank connections are located such that a continuous reserve of 200,000 gallons is maintained for the AFW system. Backup AFW supply is provided by the essential service water (SX) system.

2.2 Success Criterion System success requires the operation of at least one pump supplying rated flow to at least one of the four steam generators within one minute on a loss of normal feedwater.

2.3 System Deoendencies The AFW system depends on AC and DC power at various voltage levels for motor operated valve control circuits, solenoid valves, and monitor and alarm circuits. Instrument Air is used for normal operation of several pneumatic control valves. The diesel oil system supplies the IB AFW pump day tank which feeds the IB diesel driven AFW pump.

2.4 Q2erational Constraints When the reactor is in Modes 1, 2, or 3 the Byron /Braidwood Technical Specifications require that both AFW pumps and associated flow paths are operable with the motor driven pump powered from an ESF bus, and the diesel pump powered from a direct drive diesel engine. The diesel engine is required to have an operable fuel supply system consisting of a day tank containing a minimum of 420 gallons of fuel. If one AFW pump becomes inoperable, it must be restored to operable status within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> or the unit must be shutdown to hot standby within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />. With both AFW pumps inoperable the unit must be placed in hot standby within 6 h urs and in hot shutdown within the following 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />.

The Byron /Braidwood Technical Specifications require a water level in the CST of at least 40%. With the CST inoperable, the essential service water system may serve as backup supply to the AFW pumps for 7 days before unit shutdown is required.

I 1

4 I

N -- --____._

l 3.0 INSPECTION GUIDANCE FOR THE BYRON /BRAIDWOOD AFW SYSTEM In this section the risk important components of the Byron /Braidwood AFW systen are identified, and the important modes by which they are likely to fail are Dridly *~ %. These failure modes include specific human errors, desica problems, and types of hardware failures which have been observed t0 occur for these types of components, both at Byron /Braidwood and at PWRs throughout the nuclear industry. The discussions also identify where common cause failures have affected multiple, redundant components. These brief discussions identify specific aspects of system or component design, operation, maintenance, or testing for observation, records review, training observation, procedures review or by observation of the implementation of procedures.

Table 3.1 is an abbreviated AFW system walkdown table which identifies risk important components. This table lists the system lineup for normal, standby system operation. Inspection of the components identified addresses essentially all of the risk associated with AFW system operation.

3.1 Hisk Imcortant AFW Components and Failure Modes l Common cause failures of multiple pumps are the most risk-important failure modes of AFW system components. These are followed in importance by single pump failures, level control valve failures, and individual check valve leakage failures.

The following sections address each of these failure modes, in decreasing order of importance. They present the important root causes of these component failure modes which have been distilled from historical records.

, Each item is keyed to discussions in Section 5.2 which present additional l information on historical events.

3.1.1 Multiole Pump Failures due to Common Cause The following listing summarizes the most important multiple-pump failure

modes identified in Section 5.2.1, Common Cause Failures, and each item is l

keyed to entries in that section..

l Incorrect operator intervention into automatic system functioning,

! including improper manual starting and securing of pumps, has caused

, failure of all pumps, and inability to restart prematurely secured pumps.

l CCl.

Valve mispositioning has caused failure of all pumps. Pump suction, steam supply, and instrument isolation valves have been involved. CC2.

At Braidwood, control switch mispositioning during a surveillance rendered both trains of AFW inoperable.

Steam binding has caused failure of multiple pumps. This resulted from leakage of hot feedwater past check valves into a common discharge l header, with several valves involved including a motor-operated discharge 5

i valve. (See item 3.1.7 below.) CC10. Multiple-pump steam binding has also resulted from improper valve lineups, and from running a pump deadheaded. CC3.

- Pump control circuit deficiencies or design modification errors have caused failures of multiple pumps to auto start, spurious pump trips during operation, and failures to restart after pump shutdown. CC4.

Incorrect setpoints and control circuit calibrations have also prevented proper operation of multiple pumps. CC5.

. Simultaneous startup of multiple pumps has caused oscillations of pump suction pressure causing multiple-pump trips on low suction pressure, despite the existence of adequate static net positive suction head (NPSH). CC7. Design reviews have identified inadequately sized suction piping which could have yielded insufficient NPSH to support operation of more than one pump. CC8.

3.1.2 Motor Driven Pumo or Diesel Driven Pumo Fails to Start or Run

. Control circuits used for automatic and manual pump starting are an important cause of motor driven pump failures, as are circuit breaker failures. CF7. Similar failures have also occurred at Byron /Braidwood.

. Control circuits for automatic starting and speed control are an important cause of diesel driven pump failures. CF10. Similar failures have also occured at Byron /Braidwood.

. Hispositioning of handswitches and procedural deficiencies have prevented automatic pump start. HE3.

- Low lubrication oil pressure resulting from heatup due to previous operation has prevented pump restart due to failure to satisfy the protective interlock. DES. Byron /Braidwaod have experienced similar failures.

- Mechanical failure of either of the two diesel driven pump starting motors will result in failure of the pump to start.

3.1.3 Pumo t or B Unavailable Due to Maintenance or Surveillance

. Both scheduled and unscheduled main +enance remove pumps from operability.

Surveillance requires operation with an altered line-up, although a pump train may rot be declared inoperable during testing. Prompt scheduling and performance of maintenance and surveillance minimize this unavailability.

6

. . ~ . _ ~ . -- .-. --- .. - - _ - . _ - - . .

3.1.4 Air Operated Valves f ail Closed Motor Driven Pumo Dischtrae Isolation Valve: AF004A Diesel Driven Pumo Discharae Isolation Valve: AF0043 Flow Control-Valves: AF005A-H Pumo Recirculation Valves: AF002A-8: AF0li

~

These normally-open air operated valves (A0Vs) control flow to the steam generators and pump recirculation flow to the CST. They all fail open on loss of Instrument. Air, except AF024 which fails closed.

Control circuit problems have been a primary cause of failures, both at Byron /Braidwood'and elsewhere. CF9. Valve failures have resulted from blown fuses, failure of control components (such'as current / pneumatic convertors), broken or dirty. contacts, misaligned or broken limit switches, control power loss, and calibration problems. Degraded operation has also resulted-from improper air pressure due to air regulator-failure or leaking air lines. CF11.

Leakage of hot feedwater through check valves has caused thermal binding of normally closed flow control MOVs. A0Vs may be similarly susceptible.

CF2.

Multiple flow l control- valves have been plugged by clams when suction switched automatically to an alternate, untreated source. CC9.

-3.1.5 Motor Operated Isolation Valves Fail Closed SG Isolation: AF013A-H SX Emeraency Supply: AF017A-B: AF06A-B These MOVs isolate flow to the steam generators and provide emergency service water supply to the AFW-pumps. The steam generator isolation valves are normally open and the SX emergency supply valves are normally closed.

They all fail as-is on loss of power.

Common cause failure of MOVs has resulted from failure to use.clectrical signature tracing equipment to determine proper = settings ofLtorque switch 4 and torque switch bypass switches.- Failure to calibrate switch settings for high torques necessary under desian basis accident conditions has also been involved, both at Byron /Braidwood and elsewhere. CC11.

Valve motors' have been failed due ~ to lack of, or improper sizing or use of thermal overload protective devices. Bypassing and oversizing should be based on proper engineering for desian basis conditions. CF4.

Out-of-adjustment electrical flow controllers have caused . improper discharge valve operation, affecting multiple trains of AFW. CCl2.

7 1

l l

1

. Grease trapped in the torque switch spring pack of the operaturs of MOVs has caused motor burnout or thermal overload trip by preventing torque switch actuation. Ct8.

. Manually reversing the direction of motion of operating MOVs has overloaded the motor circuit. Operating procedures should provide cautions, and circuit designs may prevent reversal before each stroke is finished. DE7.

- Space heaters designed for preoperation storage have been found wired in parallel with valve motors which had not been environmentally qualified with them present. DE8.

3.1.6 Manual Suction or Discharae Valves Fail Closed Motor Driven Pumo lA Train: CD 208: AF002A Diesel Driven Pumo IB Train: CD 209: AF002B These manual valves are normally locked open. For each train, closure of either valve listed would block suction from CST.

. Valve mispositioning has resulted in failures of multiple trains of AFW.

CC2. It has also been the dominant cause of problems identified during operational readiness inspections. HEl. Events have occurred most often during maintenance, calibration, or system modifications. Important causes of mispositioning that har occurred both at Byron /Braidwood and elsewhere include:

. Failure to provide complete, clear, and specific procedures for tasks and system restoration

. Failure to promptly revise and validate procedures, training, and diagrams following system modifications

. Failure to complete all steps in a procedure

. Failure to adequately review uncompleted procedural steps after task completion

. Failure to verify support functions after restoration

. Failure to adhere scrupulously to administrative procedures regarding tagging, control and tracking of valve operations

. Failure to log the manipulation of sealed valves

. Failure to follow good practices of written task assignment and feedback of task completion information

. Failure to provide easily read system drawings, legible valve labels corresponding to drawings and procedures, and labeled indications of local valve position 3.1.7 Leakaoe of Hot Feedwater throuah Check Valves:

At MFW connections: Valves 014A-H

. Leakage of hot feedwater through check valves has caused steam binding of multiple pumps. Leakage through a closed level control valve in series 8

with check valves has also occurred. CC10. Check valve leakage has also been experienced at Byron /Braidwood.

- Slow leakage oast the final check valve of a series may not force upstream chec( valves closed, allowing leakage past each of them in turn.

Piping orientation and valve design are important factors in achieving true series protection. CFl.

3.2 Risk Imoortant AFW System Walkdown Table Table 3.1 presents an AFW system walkdown table including only components identified as risk important. This information allows inspectors to concentrate their efforts on components important to prevention of core -

damage. However, it is essential to note that inspections should not focus exclusively on these comments. Other components which perform essential functions, but which are absent from this table because of high reliability or redundancy, must also be addressed to ensure that their risk importances are not increased. Examples include adequate water level in the CST, and the diesel driven pump support systems (e.g., fuel oil tank level, starting batteries, lube oil system).

9

l TABLE 3.1. Risk Important AFW System Walkdown Table Required Actual Component # Component Name Location Position Position Electrical 1A Motor Driven Pump Racked In/

Closed IB Diesel Driven Pump Racked In/

Battery Charger Closed YAlya CD 208 CST Isolation Valve Train A Locked Open CD 209 CST Isolation Valve Train B Locked Open AF 002 A MD Pump Suction Valve Loc?.ed Open AF 002 B Diesel Pump Suction Valve Locked Open AF 004 A MD Pump Discharge Isolation Open AF 004 B Diesel Pump Discharge Isolation Open AF 005 A MD Pump Flow Control to S/G A Open AF 005 B MD Pump Flow Control to S/G B Open AF 005 C MD Pump Flow Control to S/G C Open AF 005 D MD Pump Flow Control to S/G D Open __

AF 005 E Diesel Pump Flow Control to S/G A Open AF 005 F Diesel Pump Flow Control to S/G B Open AF 005 G Diesel Pump Flow Control to S/G C Open AF 005 H Diesel Pump Flow Control to S/G D Open 10

TABLE 3.1. Risk Important AFW System Walkdown Table (Continued)

AF 013 A KD Pump to S/G A Isolation Valve Open AF 013 B KD Pump to S/G B Isolation Valve Open AF 013 C HD Pump to fS G C isolation Valve Open AF 013 D MD Pump to S/G D isolation Valve Open AF 013 E Giesel Pump to S/G A Isolation Valve Open AF 013 F Diesel Pump to S/G B Isolation Valve Open AF 013 G Diesel Pump to S/G C isolation Valve Open AF 013 H Diesel Pump to S/G D lsolation Valve Open AF 017 A MD Pump Emergency Service Water Closed Suct 9 Valves AF 06 A HD Pump Emergency Service Vater Closed Suction Valves AF 017 B Diesel Pump Emergency Service Water Closed Suction Valves AF 06 B Diesel Pump Emergency Service Water Closed Suction Valves AF 022 A HD Pump to CST Recirculation Valve Open AF 022 B Diesel Pump to CST Recirculation Valve Open AF 024 Pump Recirculation to ESW Tower / Pond Closed 11

i TABLE 3.1. Risk Important AFW System Walkdown Table (Continued)

AF 014 A Piping Upstream of Check Valves (Cool) ,

<130*F AF 014 B Piping Upstream of Check Valves (Cool)

<130*F AF 014 C Piping Upstream of Check Valves (Cool)

<130'F AF 014 D Piping Upstream of Check Valves (Cool)

<130'F AF 014 E Piping Upstream of Check Valves (Cool)

<!30*F AF 014 F Piping Upstream of Check Valves (Cool)

<l30'F AF 014 G Piping Upstream of Check Valves (Cool)

<130'F AF 014 H Piping Upstream of Check Valves (Cool)

<130*F 12

I 4.0 GENERIC RISK INSIGHTS FROM PRAs PRAs for 13 PWRs were analyzed to identify risk-important accident sequences involving loss of AFW, and to identify and risk prioritize the co onent failure modes involved. The results of this analysis are described in this section. They are consistent with results reported by INEL and BNL (Gregg et al 1988, and Travis et al,1988).

4.1 Risk 1moortant Accident Seonggces involvina AFW System Failure loss of Power System A loss of offsite oower is followed by failure of AFW.

Due to lack of actuating power, the PORVs cannot be opened, preventing adequate feed and bleed cooling, and resulting in core damage.

. A station blackout fails all AC power except Vital AC from DC invertors, and all decay heat removal systems except the turbine-driven AFW pump. AFW subsequently fails due to battery depletion or hardware failures, resulting in core damage.

A DC bus fails, causing a trip and failure of the power conversion system. One AFW motor-driven pump is failed by the bus loss, and the turbine-driven pump fails due to loss of turbine or valve control power. AFW is subsequently lost completely due to other failures.

Feed-and bleed cooling fails because PORV control is lost, resulting in core damage.

Transient-Caused Reactor or Turbine Trio A transient-caused trip is followed by a loss of PCS and AFW.

Feed-and-bleed cooling fails either due to failure of the operator to initiate it, or due to hardware failures, resulting in core damage.

Loss of Main feedwater A feedwater line break drains the common water source for MFW and AFW, The operators fail to provide feedwater from other sources, and ,

fail to initiate feed-and-bleed cooling, resulting in core damage. '

A loss of main feedwater trips the plant, and AFW fails due to operator error and hardware failures. The operators fail to initiate feed-and-bleed cooling, resulting in core damage.

Steam Generator Tube Rupture A SGTR is followed by failure of AFW. Coolant is lost from the primary until the RWST is depleted. HPI fails since recirculation cannot be established from the empty sump, and core damage results.

13 l

l 1

4.2 . Risk Imoortant Component Failure Modes The generic component failure modes identified from PRA analyses as important to AFW system failure are listed below in decreasing order of risk importance.

1. Turbine Driven Pump Failure to Start or Run.

2. Motor Driven Pump Failure to Start or Run.

3. TOP or HDP Unavailable due to Test or Maintenance.

4. AFW System Valve Failures steam admission valves trip and throttle valve flow control valves pump discharge valves pump suction valves valves in testing or maintenance.

5. Supply / Suction Sources condensate storage tank stop valve hot well inventory suction valves.

In addition to individual hardware, circuit, or instrument failures, each of these failure modes may result from common causes and human errors. l Common cause failures of AFW pumps are particularly risk important. Yalve failures are somewhat less important due to the multiplicity of steam generators and connection paths. Human errors of greatest risk importance involve: failures to initiate or control system operation when required; failure to restore proper system lineup after maintenance or testing; and failure to switch to alternate sources when required, t

14 l l 1

5.0 fAIG RE MODES DE1 ERMINED FROM OPERATING EXPERIENCE This section describes the primary root causes of AFW system component failures, as determined from a review of operating histories at Byron /Braidwood and at other PWRs throughout the nuclear industry. Section 5.1 describes experience from the standardized nuclear power plants at Byron and Braidwood. These plants are described in the common final safety analysis report (FSAR) as being as nearly identical as site characteristics permit. In order to provide a complete review of AFW system component failures, operating experiences from both plants are included in the report. Byron experience is listed first followed by similar experiences at Braidwood. Section 5.2 summarizes information compiled from a variety of NRC sources, including AEOD analyses and reports, information notices, inspection and enforcement bulletins, and generic letters, and from a variety of INP0 reports as well.

Some Licensee Event Reports and NPRDS event descriptions were also reviewed individually. Finally, information was included from reports of NRC-sponsored studies of the effects of plant aging, which include quantitative analysis of AFW system failure reports. This information was used to identify the various root causes expected for the broad PRA-based failure events identified in Section 4.0, resulting in the inspection guidelines presented in Section 3.0 5.1 Byron Exnerience The AFW system at Byron has experienced approximately 50 equipment failures since 1985. The following types of equipment have been involved: AFW pumps, pump discharge flow control valves, pump discharge isolation valves, service water backup supply valves, and numerous system check valves. Failure modes include electrical, instrumentation and control, hardware failures, and human errors.

ilraidwood Exp.erienca The AFW system at Braidwood has experienced only eight significant equipment failures since 1986. These include failures of the AFW pumps, pump discharge flow control and isolation valves, and manual pump suction valves.

Failure modes include instrumentation and control, hardware failures and human error.

5.1.1 Motor Driven Pumo Failyns At Byron there have been two events since 1985 that have resulted in failure of the motor driven pumps. Failure modes involved electrical faults '

and inadequate design considerations. The motor driven pumps have tripped on low suction pressure due to a pressure transient while starting, and failed to start due to a damaged muir circuit breaker.

Braidwood has experienced only one failure of the motor driven pump since 1986. The failure mode was attributed to chipped mechanical seal that was improperly installed.

15

l 5.1.2 Diesel Driven Pumo failures At Byron more thta twenty events since 1985 have resulted in decreased operational readiness of the diesel driven pumps. Failure modes involved failure of instrumentation and control circuits, electrical faults, system hardware failures, and human errors. The diesel driven pump has tripped or failed to reach proper speed as a result of air trapped in pressure sensing lines, pressure switch calibration problems, misaligned speed controls, rusty level switches and loose electrical connections.

There have been two failures of the diesel driven AFW pumps experienced at Braidwood since 1986. These resulted from failures of a fuel shutoff, solenoid and an overcrank timing relay. The failure causes were attributed to corrosion and dirty relay contacts.

5.1.3 Flow Control and Isolation Valve Failures At Byron more than twenty events since 1985 have resulted in failures of the air operated flow control and motor operated isolation valves. Principal failure causes were equipment wear, instrumentation and control circuit failures, valve hardware failures, and human errors. Valves have failed to operate properly due to blown fuses, failure of control components (such as 1/P convertors), broken or dirty contacts, misaligned or broken limit switches, and valve operator calibration problems. Improper air pressure has caused degraded flow control valve operation in a number of events due to failure of an air regulator or a leaking air line. Human errors have resulted in improper control circuit calibration and limit switch adjustment.

There has been one failure of a flow control valve at Braidwood since 1986. This resulted from the failure of the valve control circuit card. The failure mode was due to defective circuitry.

5.1.4 AFW Valve Failures Byron has experienced five cases of check valve failure since 1985. In all cases, normal wear and aging was cited as the failure mode, resulting in leakage. Also, there have been two cases of improper operation of the service water backup supply valves due to valve positioner problems. These failures were attributed to improperly adjusted torque switches.

Since 1986 there have been two events at Braidwood involving AFW valve failures. One was a H0V failure caused by inadequate design and the other was a manual valve failure casued by binding of the valve actuator due to wear.

These types of valves have also experienced various packing leaks.

5.1.5 Human Errors At Byron there have been five significant human errors affecting the AFW system since 1985. Personnel have inadvertently actuated the AFW pumps during testing, failed to calibrate equipment or realign equipnr..t in the correct position following maintenance and testing, and improperly installed valve 16 F

- ~-

packing. Both personnel error and inadequate procedures have been involved.

Misunderstanding of operability requirements has resulted in equipment exceeding Technical Specifications limits.

There have been three significant human errors at Braidwood affecting the AFW system since 1986. Personnel have inadvertantly actuated the AFW pumps during ter, ting, caused both trains of the AfW system to be inoperable during surveillances, therefore exceeding Technical Specifications requirements and "

improperly installed AfW pump mechanical seals. Both personnel error and inadequate procedures have been involved.

5.2 Indusin_ Wide __ Experienle Human errors, design / engineering problems and errors, and component failures are the primary root causes of AFW System failures identified in a review of industry wide system operating history. Common cause failures, which disable more than one train of this operationally redundant system, are highly risk significant throughout the industry, and can result from all of these causes.

This section identifies important common cause failure modes, and then provides a broader discussion of the single failure effects of human errors, design / engineering problems and errors, and component failures. Paragraphs presenting details of these failure modes are coded (e.g., CCl) and cross-referenced by inspection items in Section 3.

5.2.1 Common Cause foilures The dominant cause of AFW system multiple-train failures has been human error. Design / engineering errors and component failures have been less frequent, but nevertheless significant, causes of multiple train failures.

((L Human error in the form of incorrect operator intervention into automatic AfW system functioning during transients resulted in the temporary loss of all safety grade AfW pumps during events at Davis Besse (NUREG-ll54, 1985) and Trojan (AEOD/T416, 1983). In the Davis Besse event, improper manual initiation of the steam and feedwater rupture control system (SFRCS) led tc overspeed tripping of both turbine driven AfW pumps, probably due to the introduction of condensate into the AfW turbines from the long, unheated steam supply lines. (The system had never been tested with the abnormal, cross-connected steam supply lineup which resulted.) This type of problem is not applicable to Byron /Braidwood. In the Trojan event the operator incorrectly stopped both AfW pumps due to misinterpretation of MfW pump speed indication.

The diesel driven pump would not restart due to a protective feature requiring complete shutdown, and the turbine-driven pump tripped on overspeed, requiring local reset of the trip and throttle valve. In cases where manual intervention is required during the early stages of a transient, training should emphasize that actions should be performed methodically and deliberately to guard against such errors.

17

\

i l E Valve mispositioning has accounted for a significant fraction of the human errors failing multiple trains of AFW. This includes closure of normally open suction valves or steam supply valves, and of isolation valves to sensors having control functions. Incorrect hr.ndswitch positioning and inadequate temporary wiring changes have also prevented automatic starts of multiple pumps. Factors identified in studies of mispositioning errors include failure to add newly installed valves to valve checklists, weak administrative control of tagging, restoration, independent verification, and locked valve logging, and inadequate adherence to procedures, lilegible or confusing local valve labeling, and insufficient training in the determination of valve position may cause or mask mispositioning, and surveillance which does not exercise complete system functioning may not reveal mispositionings.

CIL At ANO-2, both AFW pumps lost suction due to steam binding when they were lined up to both the CST and the hot startup/ blowdown demineralizer effluent (AE0D/C404,1984). At Zion-1 steam created by running the turbine-driven pump deadheaded for one minute caused trip of a motor-driven pump sharing the same inlet header, as well as damage to the turbine-driven pump (Region 3 Morning Report, 1/17/90). Both events were caused by procedural inadequacies.

((L Design / engineering errors have accounted for a smaller, but significant fraction of common cause failures. Problems with control circuit design modifications at Farley defeated AFW pump auto-start on loss of main feedwater. At Zion-2, restart of both motor driven pumps was blocked by circuit failure to deenergize when the pumps had been tripped with an automatic start signal present (IN 82-01,1982). In addition, AFW control circuit design reviews at Salem and Indian Point have identified designs where failures of a single component could have failed all or multiple pumps (IN 87-34,1987).

((L Incorrect setpoints and control circuit settings resulting from analysis errors and failures to update procedures have also prevented pump start and caused pumps to trip spuriously. Errors of this type may remain undetected despite surveillance testing, unless surveillance tests model all types of system initiation and operating conditions. A greater fraction of instrumentation and control circuit problems has been identified during actual system operation (as opposed to surveillance testing) than for other types of failures.

((#_,, Cn two occasions at a foreign plant, failure of a balance-of-plant invertor caused failure of two AFW pumps. In addition to loss of the motor driven pump whose auxiliary start relay was powered by the invertor, the turbine driven pump tripped on overspeed because the governor valve opened, allowing full steam flow to the turbine. This illustrates the importance of assessing the effects of failures of balance of plant equipment which supports the operation of critical components. The instrument air system is another example of such a system. '

((L Multiple AFW pump trips have occurred at Hillstone-3, Cook-1, Trojan and Zion-2 (IN 87-53, 1987) caused by brief, low pressure oscillations of suction 18 l

- , -- . . - - _ . . , . - - _ . - J

l I

i pressure during pump startup . These oscillations occurred despite the availability of adequate static NPSH. Corrective actions taken include:

extending the time delay associated with the low pressure trip, removing the trip, and replacing the trip with an alarm and operator action.

GL. Design errors discovered during AFW system reanalysis at the Robinson plant (IN 8930,1989) and at Millstone-l resulted in the supply header from the CST being too small to provide adequate NPSH to the pumps if more than one of the three pumps were operating at rated flow conditions. This could load to multiple pump failure due to cavitation. Subsequent reviews at Robinson identified a less of feedwater transient in which inadequate NPSH and flows less than design values had occurred, but which were not recognized at the time. Event analysis and equipment trending, as well as surveillance testing which duplicates service conditions as much as is practical, can help identify such design errors.

GL Asiatic clams caused failure of two AFW flow control valves at Catawba- ,

2 when low suction pressure caused by starting of a motor driven pump caused suction source realignwnt to the Nuc1 car Service Water systeni. Pipes had not F i routinely treated to inhibit clam growth, nor regularly monitored to os ect their presence, and no strainers were installed. The need for surveillance which exercises alternative system operational modes, as well as complete system functioning, is emphasized by this event. Sputious suction switchover has also occurred at Callaway and at McGuire, although no failures resulted.

C010. Common cause failures have also been caused by component failures (AEOD/C404,1984). At Surry 2, both the turbine driven pump and one motor driven pump were declared inoperable due to stear binding caused by backleakage of hot water through nultiple check valves. At Robinson-2 both niotor driven pumps were found to be hot, and both motor and steam driven pumps were found to'be inoperable at different times, Backleakage at Robinson-2 passed through closed motor-operated isolation valves in addition to multiple check valves. At farley, both motor and turbine driven pump casings were found hot, although the pumps were not declared inoperable. In addition to multi-train failures, numerous incidents of single train failures have occurred, resulting in the designation of " Steam Binding of Auxiliary feedwatar Pumps" as Generic Issue 93. This generic issue was resolved by Generic Letter 88-03 (Miraglia, 1988), which required licensees to monitor AFW piping temperatures each shift, and to maintain procedures for recognizing steam binding and for restoring system operability.

G1h Common cause failures have also failed motor operated valves. During the total loss of feedwater event at Davis Besse, the normally-open AFW isolation valves failed to open after they were inadvertently closed. The failure was due to improper setting of the torque switch bypass switch, which prevents motor trip on the high torque required to unseat a closed valve.

• Previous problems with these valves had been addressed by increasing the torque switch trip setpoint - a fix which failed during the event due to the higher torque required due to high differential pressure across the valve.

Similar common mode failures of MOVs have also occurred in other systems, 19 l

l 1

l resulting in issuance of Generic letter 89-10,

• Safety Related Motor-Operated Valve Testing and Surveillance (Partlow, 1989)." This generic letter requires licensees to develop and implement a program to provide for the testing, inspection and maintenance of all safety related MOVs to provide assurance that they will function when subjected to design basis conditions.

I CCl2, Other component failures have also re. ilted in AFW multi-train failures. These include out-of-adjustment electrical flow controllers resulting in improper discharge valve operation, and a failure of oil cooler cooling water supply valves to open due to silt accumulation.

5.2.2 Human Errors DEL The overwhelmingly dominant cause of problems identified during an industry wide series of operational readiness evaluations of AFW systems was human performance. The majority of these human performance problems resulted from incomplete and incorrect procedures, particularly with respect to valve lineup information. A study of valve mispositioning events involving human error identified failures in administrative control of tagging and logging, procedural compliance and completion of steps, verification of support systems, and inadequate procedures as important. Another study found that valve mispositioning events occurred most often during maintenance, calibration, or modification activities. Insufficient training in determining valve position, and in administrative requirements for controlling valve positioning were important causes, as was oral task assignment without task completion feedback.

E Although not a)plicable to Byron /Braidwood, turbine driven pump failures have been caused by luman errors in calibrating or adjusting governor speed control, poor governor niaintenance, incorrect adjustment of governor valve and overspeed trip linkages, and errors associated with the trip and throttle valve. TTV-associated errors include physically bumping it, failure to restore it to the correct position after testing, and failures to verify control room indication of TTV position following actuation.

E Motor driven pumps have been failed by human errors in mispositioning handswitches, and by procedure deficiencies.

5.2.3 Desian/Enaineerino Problems and Errors As noted above, the majority of AFW subsystem failures, and the greatest relative system degradation, has been found to result from turbine-driven pump failures. These types of failures are not a problem at Byron /Braidwood, however, they are significant throughout the industry and merit discussion.

DEL - Dff are not applicable to Byron /Braidwood.

DEL Overspeed trips of Terry turbines (not applicable at Byron /Braidwood) controlled by Woodward governors have been a significant source of these 4 failures (AE00/C602, 1986). In many cases these overspeed trips have been caused by slow response of a Woodward Model EG governor on startup, at plants where full steam flow is allowed imediately.

20 L-

This oversensitivity has been removed by installing a startup steam bypass valve which opens first, allowing a controlled turbine acceleration and buildup of oil pressure to control the governor valve when full steam flow is admitted.

DIA Overspeed trips of Terry turbines (not applicable at Byron /Braidwood) have been caused by condensate in the steam supply lines. Condensate slows down the turbine, causing the governor valve to open farther, and overspeed results before the governor valve can respond, af ter the water slug clears.

This was determined to be the cause of the loss-of all-AFW event at Davis Besse (AEOD/602, 1986), with condensation enhanced due to the long length of the cross-connected steam lines. Repeated tests following a cold-start trip may be successful due to system heat up.

DIL Turbine trip and throttle valve (TTV) problems (not applicable at Byron /Braidwood) are a significant cause of turbine driven pump failures (IN 84 66). In some cases lack of TTV position indication in the control room prevented recognitioa of a tripped TTV. In other cases it was possible to reset either the oversaecd trip or the TTV without resetting the other. This problem is compounded ay the fact that the position of the overspeed trip linkage can be misleading, and the mechanism may lack labels indicating when it is in the tripped position (AE00/C602, 1986).

OfL Startup of turbines with Woodward Model PG PL governors (not applicable at Byron /Braidwood) within 30 minutes of shutdown has resulted in overspeed trips when the speed setting knob was not exercised locally to drain oil from the speed setting cylinder. Speed control is based on startup with an empty cylinder. Problems have involved turbine rotation due to both procedure violations and leaking steam. Terry has marketed two types of dump valves for automatically draining the oil after shutdown (AE00/0602,1986).

At Calvert Cliffs, a 1987 loss-of-offsite-power event required a quick, cold startup that resulted in turbine trip due to PG-PL governor stability problems. The short-term corrective action was installation of stiffer buffer springs (IH 88-09,1988). Surveillance had always been preceded by turbine warmup, which illustrates the importance of testing which duplicates service conditions as much as is practical.

DIL Reduced viscosity of gear box oil heated by prior operation caused failure of a motor driven pump to start due to insufficient lube oil pressure.

Lowering the pressure switch setpoint solved the problem, which had not been detected during testing.

Offu. Waterhammer at Palisades resulted in AFW line and hanger damage at both steam generators. The AFW spargers are located at the normal steam generator level, and are frequently covered and uncovered during level fluctuations.

Waterhammers in top-feed-ring steam generators resulted in main feedline rupture at Maine Yankee and feedwater pipe cracking at Indian Point-2 (IN 84-32,1984).

21

I I

EfL Hanually reversing the direction of motion of an operating valve has l resulted in H0V failures where such loading was not considered in the design '

(AE00/0603,1986). Control circuit design may prevent this, requiring stroke completion before reversal.

EEfL At each of the units of the South Texas Project, space heaters provided 1 by the vendor for use in preinstallation storage of HOVs were found to be wired in parallel to the Class IE 125 V DC motors for several AFW valves (IR 50-489/89-11; 50-499/89-11, 1989). The valves had bee 9 environmentally qualified, but not with the non-safety-related heaters energized.

5.2.4 Component failures Generic Issue II.E.6.1, "In Situ Testing Of Valves" was divided into four sub-issues (Beckjord,1989), three of which relate directly to prevention of AFW system component failure. At the request of the NRC, in-situ testing of check valves was addressed by the nuclear industry, resulting in the EPRI report, " Application Guidelines for Check Valves in Nuclear Power Plants (Brooks,1988)." This extensive report provides information on check valve applications, limit tions, and inspection techniques. In-situ testing of HOVs was addressed by Generic Letter 89-10 " Safety Related Motor-0perated Valve Testing and Surveillance" (Partlow, 1989) which requires licensees to develop and implement a program for testing, inspection and maintenance of all safety-related H0Vs. " Thermal Overload Protection for Electric Hotors on Safety-Related Motor Operated Valves - Generic Issue II.E.6.1 (Rothberg, 1988)"

concludes that valve motors should be thermally protected, yet in a way which emphasizes system function over protection of the operator.

A The common-cause steam binding effects of check valve leakage were identified in Section 5.2.1, entry C010. Numerous single-train events throughout the industry provide additional insights into this problem. In some cases leakage of hot HFW past multiple check valves in series has occurred because adequate valve-seating pressure was limited to the valves closest to the steam generators (AE0D/0404, 1984). At Robinson, the pump shutdown procedure was changed to delay closing the HOVs until after the check l valves were seated. At farley, check valves were changed from swing type to l

lift type. Check valve rework has been done at a number of plants. Different valve designs and manufacturers are involved in this problem, and recurring leakage has been experienced, even after repair and replacement.

i l

A At Robinson, heating of motor operated valves by check valve leakage has caused thermal binding and failure of AFW discharge valves to open on demand.

At Davis Besse, high differential pressure across AFW injection valve:

resulting from check valve leakage has prevented H0V operation (AEOD/0603, 1986).

E Gross check valve 1.eakage at McGuire and Robinson caused overpressurization of the AFW suction piping. At a foreign PWR it resulted in a severe waterhammer event. At Palo Verde-2 the NFW suction piping was overpressurized by check valve leakage from the AFW system (AE00/C404, 1984).

Gross check valve leakage through idle pumps represents a potential diversion of AFW pump flow.

22

(

C & Roughly one third of AFW system failures have been due to valve operator failures, with abott equal failures for MOVs and A0Vs. Almost half of the MOV failures were due to motor or switch failures (Casada, 1989). An extensive study of MOV events (AEOD/C603, 1986) indicates continuing inoperability problems caused by: torque switch / limit switch settings, adjustments, or failures; motor burnout; improper sizing or use of thermal overload devices; premature degradation related to inadequate use of protective devices; damage due to misuse (valve throttling, valve operator hammering); mechanical '

problems (loosened parts, improper assembly); or the torque switch bypass circuit improperly installed or adjusted. The study concluded that current methods and procedures at many plants are not adequate to assure that MOVs will operate when needed under credible accident conditions. Specifically, a surveillance test which the valve passed might result in undetected valve inoperability due to component failure (motor burnout, operator parts failure, stem disc separation) or improper positioning of protective devices (thermal overload, torque switch, limit switch). Generic Letter 89-10 (Partlow, 1989) has subsequently required licensees to implement a program ensuring that MOV switch settings are maintained so that the valves will operate under design basis conditions for the life of the plant.

E Component problems have caused a significant number of turbine driven pump trips throupou. the industry, however, these are not a problem at Byron /Braidwood (AE00/C602, 1986). One group of events involved worn ta> pet nut faces, loose cable connections, loosened set screws, improperly latcied TlVs, and improper assembly. Another involved oil leaks due to component or seal failures, and oil contamination due to poor maintenance activities.

Governor oil may not be shared with turbine lubrication oil, resulting in the need for separate oil changes. Electrical component failures included transistor or resistor failures due to moisture intrusion, erroneous grounds and connections, diode failures, and a faulty circuit card.

E Electrohydraulic-operated discharge valves have performed very poorly, and three of the five units using them have removed them due to recurrent failures. Failures included oil leaks, contaminated oil, and hydraulic pump failures.

E Control circuit failures were the dominant source of motor driven AFW pump failures (Casada, 1989). This includes the controls used for automatic and manual starting of the pumps, as opposed to the instrumentation inputs.

Most of the remaining problems were due to circuit breaker failures.

[1]. " Hydraulic lockup" of Limitorque SMB spring packs has prevented proper spring compression to actuate the MOV torque switch, due to grease trapped in the spring pack. During a surveillance at Trojan, failure of the torque switch to trip the TTV motor resulted in tripping of the thermal overload device, leaving the turbine driven pump inoperable for 40 days until the next surveillance (AE0D/E702, 1987). Problems result from grease changes to EXXON NEBULA EP-0 grease, one of only two greases considered environmentally qualified by Limitorque. Due to lower viscosity, it slowly migrates from the gear case into the spring pack. Grease changeover at Vermont Yankee affected 40 of the older MOVs of which 32 were safety related. Grease relief kits are needed for MOV operators manufactured before 1975. At Limerick, additional grease relief was required for MOVs manufactured since 1975. MOV refurbishment programs may yield other changeovers to EP-0 grease.

23 I

(EE For AFW systems using air operated valves, almost half of the system degradation has resulted from failures of the valve controller circuit and its instrument inputs (Casada, 1989). Failures occurred predominantly at a few units using automatic electronic controllers for the flow control valves, with the majority of failures due to electrical hardware. At Turkey Point-3, "

controller malfunction resulted from water in the Instrument Air system due to maintenance inoperability of the air dryers.

CF10. For systems using diesel driven pumps, most of the failures were due to start control and governor speed control circuitry. Half of these occurred on demand, as opposed to during testing (Casada, 1989).

CFil, For systems using A0Vs, operability requires the availability of Instrument Air, backup air, or backup nitrogen. However, NRC Maintenance Team inspections have identified inadequate testing of check valves isolating the safety-related portion of the IA system at several utilities (letter, Roe to Richardson). Generic Letter 88-14 (Miraglia, 1988), requires licensees to verify by test that air-operated safety-related components will perform as expected in accordance with all design basis events, including a loss of normal I A.

24

)

6.011ERENCES Beckjord, E. S. June 30, 1989. O osecut of Generic Issue ll.E.6.1. "In Situ Testing _of Valves". Letter to V. Stello, Jr., U.S. Nuclear Regulatory Commission, Washington, DC.

Brooks, B. P. 1988. Application Guidalines for Check Valves in Nuclear Power n

Plan.t.1 NP-5479 Electric Power Research Institute, Palo Alto, CA.

Casada, D. A. 1989. Auxiliary feedwatqr. System Anino Study. Vol um_.g_1 Operatina Experience and Current Monitorin;L Practices. NUREG/CR-5404. U.S.

Nuclear Regulatory Commission, Washington, DC.

Gregg, R. E. and R. E. Wright.1988. Amadix Review for Dominant Generic Contributors. BLB-31-88. Idaho National Engineering Laboratory, Idaho f alls, Idaho.

Miraglia, F. J. February 17, 1988. Resolution of Gengric Safety issue 93.

" Steam Bindina of Auxiliary Feedwater Pumos" (Geperic Letter 88-03). U.S.

Nuclear Regulatory Commission, Washington, DC.

Miraglia, F. J. August 8, 1988. Instrument Air _ Supply System Problems Affectina Safety-Related Eauipment (Generic letter 88-14,). U.S. Nuclear Regulatory Commission, Washington, DC.

Partlow, J. G. June 28, 1989. Safety-Related Motor-0perated Valve Testina and Surveillance (Generic Letter 89111 U.S. Nuclear Regulatory Commission, Washington, DC.

Rothberg, 0. June 1988. Ih.ermal Overload Protection _for Electric Motors on Safety-Related Motor-0perated valves - Generic lysue ll,E.6.1. NUREG-1296.

U.S. Nuclear Regulatory Commission, Washington, DC.

Travis, R. and J. Taylor. 1989. Development of Guidance for Generic.

Functionally Oriented PRA-Based Team Insooctions for BWR Plants-Identification pf J.isk-lmoortant Systems. Components and Human _.J1tioni. ILR-A-3874-T6A Brookhaven National Laboratory, Upton, New York.

AE00 Reoorts W. D. Lanning. July 1984. Steam Bindina of Auxiliary Feedwater AE0D/C404.

Pumps. U.S. Nuclear Regulatory Commission, Washington, DC.

AE00/C602. C. Hsu. August 1986. Op1 rational Experience Involv'.na Turbine Oversoeed Trios. ').S. Nuclear Regulatory Commission, Washington, DC.

AE00/C603. E. J. Brown. December 1986. A Review of Mttor-0perated Valve Performantg. U.S. Nuclear Regulatory Commission, Washington, DC.

AEOD/E702. E. J. Brown. March 19, 1987. M0V Failure Due to Hydraulic Iockup from Excessive Grease in Sprina Pack. U.S. Nuclear Regulatory Commission, Washington, DC.

25 i

AEOD/T416. January 22, 1983. Loss of_ESF Auxiliary Feldwater Purn D ngbility at Trojan on January 22. IBM. U.S. Nuclear Regulatory Comission,

! Washington, DC.

Information Notices IN 82-01. January 22, 1982. Aniliary Feedwater Pumo_LqCkout Resultino from Westinahouse W-2 Switch Ciicuit Modification. U.S. Nuclear Regulatory Commission, Washington, DC.

IN 84-32. E. L. Jordan. April 18, 1984. Auxiliary feedwater Sparcer and Pipe Hancar Damage. U.S. Nuclear Regulatory Comission, Washington, DC.

IN 84 66. A:1 post 17, 1984. Undetected Unavailability of the Turbine-Driven Auxiliary FeWaater Train. U.S. Nuclear Regulatory Comission, Washington, DC.

IN 87-34. C. E. Rossi. July 24, 1987. Sinale Failures in AuxiliAty Feedwater Systems. U.S. Nuclear Regulatory Comission, Washington, DC.

IN 87-53. C. E. Rossi. October 20, 1987. A_uxiliary F. redwater Pump Trip 1 P3sultina from low Suction Pressure. U.S. Nuclear Regulatory Commission, Washington, DC.

IN 88-09. C. E. Rossi. March 18, 1988. {Ldpced Reliebility of Sleam-Driven Auxiliary Feedwater Pumos Caused by Instability of Woodwerd PG-PL Tvoe Governors. U.S. Nuclear Regulatory Commission, Washington, DC.

IN 89-30. R. A. Azua. August 16, 1989. Robinson Unit 2 Inadeaunte NPSH of Auxiliary Feedwitt er Pumos. Also, Event Notification 16375, August 22, 1989.

U.S. Nuclear Regulatory Commission, Washington, DC.

Inspection Report IR 50-489/89-1); 50-499/89-11. May 26, 1989. South Texas Proiect inspection Report. U.S. Nuclear Regulatory Commission, Washington, DC.

[4UREG Repar.1 NUREG-1154. 1985. Loss of Hain and Auxiliary Feedwater Event at the Davis Besse Plant on June 9.1985. U.S. Nuclear Regulatory Commission, Washington, DC.

26

! DISTRIBUT108 NUREG/CR-4427 PNL-7492 No. of No. of (191t1 C2Riti 0FFSITE Q1 fille U25. Nuclegt._Reaulatory U.S. Nuclear Reaulatory Commissiqn Commission - Reaion 1 A. El Bassioni S. Collins OWFN 10 E4 W.F. Kane W.D. Beckner U.S. Nuclear Reaulatory OWFN 10 E4 Commission - Reaton 2 R.J. Barrett P. Burnett OWFN 13 D1 A. Gibson L. Reyes K. Campe 0WFN 10 E4 U11m_Muclear Regulatory Commission - Reaion 3 J. Chung OWFN 10 E4 H. Farber E. Greenman F. Congel 4 W. Kropp OWFN 10 E2 2 H. Miller W.D. Shafer H.C. Cullingford 4 T. Taylor OWFN 12 G18 T. Tongue B.K. Grimes U.S. Nuclear Reaulatorv OWFN 9 A2 Commit 11on - Region 4 A. Hsia S. Collint 0WFN 13 Dil L.J. Callan 10 S.M. Long U.S. Nullear Reaulatory OWFN 10 E4 [ommisiion - Reaton 5 M.W. Peranich R. Pate 0WFN 12 D22 L.F. Miller D.F. Kirsch R.M. Pulsifer OWFN 13 D1 J.H. Taylor Brookhaven National Laboratory W.T. Russell Bldg. 130 OWFN 12 G18 Upton, NY 11973 2 K.S. West OdFN 12 H26 DISTR - 1

DISTRIBUTIOR NUREG/CR-4427 PNL-7492 No. of Copies 0FFSITE R. Gregg EG&G Idaho, Inc.

P.O. Box 1625 Idaho Falls, ID 83415 Dr. D.R. Edwards Professor of Nuclear Engineering University of Missouri - Rolla Rolla, MO 65401 ONSITE 29 Eggific Northwest Laboratory S.R. Doctor L.R. Dodd B.F. Gore (10)

N.E. Moffitt (5) 8.D. Shipp F.A. Simonen T.V. Vo (5)

Publishing Coordination Technical Report File (5)

}

DISTR - 2

h,'oaM *sc u.s.eucts Aa as out AToav co auissioN i.

5,uvyi

~ ~~

E8E BIBLIOGRAPHIC DATA SHEET NUREG/CR-4427 is. ,w,.,,. .,,,,, .,

PNL-7492

i. Tatt ANo susiitt, Auxiliary Feedwater System Risk-Based Inspection Guide for the Byron and Braidwood Nuclear Power Plants 8

,,'",""**5",',

D July 1991 4, FIN On G AANt Nvustm L1310

6. AUTHOR 153 6 TYPE OF P& PORT N.E. Moffitt, B.F. Gore, T.V. V Technical

.ciaioocovtato,, ,

3/90 to 6/91 o, ., a- u.s , c . - ,,,, ,, .,, ,. ,

s. gegaggNizAt son - NAv6 ANo Aoontss m..c.-, s Pacific Northwest Laboratory Richland, WA 99352

9. SPO RG ANIZ ATioN N AME ANo AoDR tss i,, wac. ,v 's.=w .a.w'; a esae,.r.,. ,, *ac o. on., ., a., c A m re , a., , c Division of Radiation Protection and Emergency Preparedness Office of Nuclear Reactor Regulation U. S. Nuclear Regulatory Commission Washington, DC 20555

10. SUPPLEMENT AMY Nott$

11. ABST RACT isco sv.r are,#

In a study sponsored by the U. S. Nuclear Regulatory Commission (NRC), Pacific Northwest Laboratory has developed and applied a methodology for deriving plant-specific risk-based inspection guidance for the auxiliary feedwater ( AFW) system at pressurized water reactors that have not undergone probabilistic risk assessment (PRA). This methodology uses existing PRA results and plant operating experience information.

Existing PRA-based inspection guidance information recently developed for the NRC for various plants was used to identify generic component failure modes. This information was then combined with plant-specific and industry-wide component information and failu ' data to identify failure modes and failure mechanisms for the AFW system at the selected plants. Byron and Braidwood were selected for the fourth study in this program. The product of this ef fort is a prioritized listing of AFW failures which have occurred at the plants and at other PWRs. This listing is intended for use by NRC inspectors in tiel preparation of inspection plans addressing AFW risk-important components at the Byron /Braidwood plants.

is, na y wonoseotsca: Pions ri.. , .,,,,, . .. ,..,

i g .p ,g ,si.1... i iuacuait i c6*mnc*no,.

inspection risk ne probabilistic risk assessment (PRA) Unclassified l auxiliary feedwater (AFW) <r- a ,

Byron Unclassified Braidwood 16,NvM6tROFPAGts 16.PRici svRC PORM 336 (2497 a

l f

f THIS DOCLMENT WAS PRINTED USING RECYCLED PAPER

I i

UNITED STATES 7

,,,, c ,,, , gg , m , ,, ,, , ,

NUCLEAR REGULATORY COMMISSION WASHINGTON, D.C. 205S5

• cstw u nts ***

, [,# , , ,

f'g OFFICnAL BU$1 NESS h.

PENALTY FOR PRIVATE USE,8300 l 4

UC1205551 NRC- 11531 ,

I I A N1 PG l Y~SpDupu u.223 n;Dy f aDBLICtTitt,3 sycg WASHINGyog DC 27,555 3m

?5 Zd Uh 3

s C

C C

2 C

3 i

a a

n - - __ - -_ _. - . _ _ _ _ - - _ _ _ _ _ .