Auxiliary Feedwater Sys Risk-Based Insp Guide for Fort Calhoun Nuclear Power Plant

ML20100Q286
Person / Time
Site:	Fort Calhoun
Issue date:	09/30/1991
From:	Moffitt N Battelle Memorial Institute, PACIFIC NORTHWEST NATION
To:	Office of Nuclear Reactor Regulation
Shared Package
ML20100Q287	List: ML20100Q286
References
NUDOCS 9202190101
Download: ML20100Q286 (27)
v • d • e

Text

1

'O

• Mt 5 t5 --

h %h (tp g NUREG/CR-PNL-AUXILIARY FEE 0 WATER SYSTEM RISK-BASED INSPECTION GUIDE FOR THE FORT CALHOUN NUCLEAR POWER PLANT N. E. Moffitt B. F. Gore T. V. Vo September 1991 Prepared for Division of Radiation Protection and EtnergencyPreparedness Office of Nuc. ear Reactor Regulation U.S. Nuclear Regulatory Comission Washington, DC 20555 NRC FIN L1310 Pacific Northwest Laboratory Richland, Washington 99352

%Q

( -

>]ff, .

b 7094 ] O I v/

YXfTh3 -

t SUMHaRY TLis document presents a compilation of auxiliary feedwater (AFW) system failur. information which has been screened for risk significance in terms of failure frequency and degradation of system performance. It is a risk-prioritized listing of failure events and their causes that are significant enough to warrant consideration in inspection planning at the Fort Calhoun plant. This information is prescnted to provide inspectors with increased resources for inspection planning at Fort Calhoun.

The risk importance of various component failure modes was identified by analysis of the results of probabilistic risk assessments (PRAs) for many pressurized water reactors (PWRs). However, the component failure categories identified in PRAs are rather broad, because the failure data used in the PRAs is an aggregate of many individuals failures having a variety of root causes.

In order to help inspectors to focus on specific aspects of component operation, maintenance and design which might cause these failures, an extensive review of component failure information was performed to identify and rank the root causes of these component failures. Both Fort Calhoun and industry-wide failure information was analyzed. Failure causes were sorted on the basis of frequency of occurrence and seriousness of consequence, and categorized as commen cause failures, human errors, design problems, or component failures.

This information is presented in the body of this document. Section 3.0 provides brief descriptions of these risk-important failure causes, and

'Section 5.0 presents more extensive discussions, with specific examples and referen:es. The entries in the two sections are cross referenced.

An arbreviated system walkdown table is presented in Section 3.2 which includes only components identified as risk important. This table lists the system lineup for normal, standby system operation.

This information permits an inspector to concentrate on components important to the prevention of core damage. However, it is important to note that inspections should not focus exclusively on these components. Other components which perform essential functions, but which are not included because of high reliability or redundancy, must also be addressed to ensure that degradation does not increase their failure probabilities, and hence e their risk importance.

iii l

i .

y .-

/

CONTENTS

SUMMARY

................................................................ iii

1.0 INTRODUCTION

..................................................... 1 2.0 FORT CALHOUN AFW SYSTEM........................................... 2 2.1 SY ST EM D E SCR I PT I ON . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 2.2 SUCCESS CRITERION ........................................... 4 2.3 SYSTEM DEPENDENCIES ......................................... 4 2.4 OPERATIONAL CONSTRAINTS ..................................... 4 3.0 INSPECTION GUIDANCE FOR THE FORT CALHOUN AFW SYSTEM ............... 5 3.1 RISK IMPORTANT AFW COMPONENTS AND FAILURE MODES ....... ... 5 3.1.1 MUTLIPLE PUMP FAILURES DUE TO COMMON CAUSE ........... 5-3.1.2- TURBINE DRIVEN PUMP FW-10 FAILS To START ............. 6 3.1.3 MOTOR DRIVEN PUMP FW-6 FAILS 10 START................. 6 3.1.4 PUNP FW 6 OR FW-10 UNAVAILABLE DUE TO MAINTENANCE OR SURVEILLANCE . . . . . . . . . . . . . . . . . . . . . . . 7 3.1.5 AIR OPERATED VALVES FAIL CLOSED ...................... 7 3.1.6 MOTOR OPERATED ISOLATION VALVES Fall CLOSED .......... 7

~

3.1.7 HANUAL SUCTION OR DISCHARGE VALVES FAIL CLOSED ....... 8 3.1.8 LEAKAGE OF HOT FEEDWATER THROUGH CHECK VALVES ........ 9 3.2 RISK IMPORTANT AFW SYSTEM WALKDOWN TABLE .................... 9 4.0 GENERIC RISK INSIGHTS FROM PRAs ................................... 12 4.1 RISK IMPORTANT ACCIDENT SE00ruCEJ INVOLVING AFW SYSTEM FAILURE .............................................. 12 4.2 RISK IMPORTANT COMPONENT FAILURE MODES ...................... 13 v

l I

6 1 .

l CONTENTS (Continued) 5.0 FAILURE MODES DETERMINED FROM OPERATING EXPERIENCE ............... 14 5.1 FORT CALHOUN EXPERIENCE .................................... 14 5.1.1 AFW PUMP CONTROL LOGIC, INSTRUMENTATION AND ELECTRICAL FAILURES ..............l............... 14 5.1.2 FAILURE OF AFW PUMP DISCHARGE FLOW M NTROL VALVE TO STEAM GENERATORS ............................ 14 5.1.3 AFW VALVE FAILURES ................................... 14 5.1.4 HU,, MAN ERRORS ........................................ 14 5.2 INDUSTRY WIDE EXPERIENCE ................................... 15 5.2.1 COMMON CAUSE FAILURES ............................... 15 5.2.2 HUMAN ERRORS ........................................ 17 5.2.3 DESIGN / ENGINEERING PROBLEMS AND ERRORS .............. 18 5.2.4 COMPONENT FAILURES .................................. 19 REFERENCES ............................................................. 22 4

vi

i I

1.0 INTRODUCTION

This document is the sixteenth of a series providing plant-specific inspection guidance for auxiliary feedwater (AFW) systems at pressurized water reactors (PWRs). This guidance is based on information from probabilistic risk assessments (PPAs) for similar PWRs, industry-wide operating experience with AFW systems, plant specific AFW system descriptions, and plant specific operating experience. It is not a detailed inspection plan, but rather a compilation of AFW system f ailure information which has been screened for risk significance in terms of failure frequency and degradation of system performance. The result is a risk-prioritized listing of failure events and their causes that are significant enough to warrant consideration in inspection planning at the Fort Calhoun plant.

This inspection guidance is presented in Section 3.0, following a oescription of the Fort Calhoun AFW system in Section 2.0. Section 3.0 identifies the risk important system components by Fort Calhoun identification number, followed by brief descriptions of each of the various failure causes of that component. These include specific human errors, design deficiencies, and hardware failures. The discussions also identify where common cause failures have affected multiple, redundant components. These brief discussions identify specific aspects of system or component design, operation, maintenance, or testing for inspection by observation, records review, training observation, procedures review, or by observation of the implementation of procedures. An AFW system walkdown table identifying risk important components and their lineup for normal, standby system operation is also provided.

The remainder of the document describes and discusses the information used in compiling this inspection guid;nce. Section 4.0 describes the risk importance information which has been derived from PRAs and its sources. As review of that section will show, the failure categories identified in PRAs are rather broad (e.g., pump fails to start or run, valve fails closed).

Section 5.0 addresses the specific failure causes which have been combined under these categories.

AFW system operating history was studied to identify the various specific failures which have been aggregated into the PPA failure mode categories.

Section 5.1 presents summary of Fort Calhoun failure information, and Section 5.2 presents a review of industry-wide failure information. The industry-wide information was compiled from a variety of NRC sources, including AEOD analyses and reports, information notices, inspection and enforcement bulletins, and generic letters, and from a variety of INPO reports as well. Some Licensee Event Reports and NPRDS event descriptions were also reviewed individually. Finally, information was included from reports of NRC-sponsored studies of the effects of plant aging, which include quantitative analyses of reported AFW system fai'"res. This industry wide informatica was then combined with the plant-speci'ic failure information to identify the various root causes of the PRA failure categories, which are identified in Section 3.0.

1 l

1 - - - _ _ _ _ _ _ - - _ _ _ - _ _ - _ _ _ - _ _ _ - - _ - - _ _ - _ _ _ _ _ _ _ _ _ - -_ -

a .

1- .

2.0 FORT CAL}iQMN AFW SYSTEM 4

This section presents an cversiew description of the Fort Calhoun AFW

, system, including a simplified schematic system diagram. In addition, tht system success criterion, system dependencies, and administrative operational m 4" E con:traints are also presented.

2.1. System Descriotion i %,di The JJW system provides feedwater t' the steam ;,s:nerators (SG) to allow secondacy-side heat ies. oval from the prh .ry system when main feedwater is V unevaila lc. The syr. tem is captble of t-ictioning for extended periods, which Y allows tins to rectore main feedwater flow or to proceed with an o-derly (t,i ,d l

cooldcun of the olant to where the residual heat removal (,(HR) system can -

remove decay heat. A siinplified schem?. tic diage '.m of the AFW system is shown _

in Figure 2.1.

The system consists of an Emergency Feedwater Storage Tank (EFWi), one motor driven (MD) and one turbine driven (TD) AFW pump, interccanecting {

piping, valves, and associated indication, control, and support equipment.

it is designed to start up and establish flow automatically. Both pumps start )

on receipt of a steam generator low level signal to feed an intact steam generator. The turbine-driven and motor driven pumps will also start automatically on a blackout signal when the Engineered Safety Feature (ESF) sequencer re-energizes buses IA4 and 1A3 respectively.

A common line from the EFWT supplies water through two parallel, ler.kea open valves to the suction headers for the turbine-<iriven and the motor-driven "FW pmp. At the suction of each pump there it another lacked npen isolation v .1 M . Power, control, and instrumentation associated with each pump is

.ndependent from the other. Steam for the turbine-driven pump is supplied from either one or both steam ger.erators upstream of the main steam isolatica valves, through YCV-1045A and YCV-1045B. The steam supply linas then join upstrea'n of the AFW steam stop valve YCV-1045, before steam enters the -

turbine-driven pump. Each AFW pump is equipped with c continuous y

recirculation flow system, which prevents pump deadheading.

Auxiliary feedwater is supplied by the motor-driven pump (the turbine-driven cump is not normally used for routine operations) to each sterm generator through one of three flowpaths depending on the mode o.f plant operation. Two of the flow paths, used primarily during plant startup anu shutdov , connect the AFW piping to the main feeda ter piping upstrea,1 of the main feedwater regulating valves; one flowpath is through HCV-1384 and a backup flowpath is via cross connect valves FW-744 or FW-745, and FW-746. The third erergency AFW flowpath connects the AFW pumps discharge to the auxiliary feed nozzles through locked open manual valves FW-171, FW-172 and air-operated containment isolation / flow control valves HCV-1107A/B and HCV-1108A/B. The "B" valves can be throttled to control flow and also function as backup containment isolation valves. Each line contains check valves to prevent leakage from the feedwater lines.

2

y

[

l L -

rW rw r,

s, r

t

-@ M COND TANK FILL -

l FW LCY FW 'i i

III3 ' HCV 1040 i

o T[ N Og 3 FW DEMIN 7_ l FW LCV FW WTilSYS i y

l 653 1189 652 FW HCV FW 8 YCV 1045A FCV

FIRE MAIN N FW 1334 150 1105 151 gcy gy 1107B lt107A

[ / RC 2A N W 170 g l I109 164 Aus

[ ,y , ) [O1CV1H54

=

>$6. coo GAL m

339 1?Og 350 FW6

- ca 745 og }

p,- OX! ,

'~ v i

N FW 14W hf s i I

= rw to 174) d *

' 744 ( l

, rw

@ YCV 10458 6 72 h$ '8 8 8 M

gg HCV l ?'CV 11088, )108A HCV 1042 A,9 FCV w g ge- pw 8

8369 as: :4&

l usw > HCV FCV x l

FW FCV pw RC 28

.* iiO2 1 04 i385 , ,,,  % g j l

s F&

0) g YCV 1045 v

c b To FW80 Turthe omen Arw eump FIGURE 2.1 FT. CALHOUN AFW SYSTEM m .

6 The EFUT is the nurmal source of water for the AFW Systes and is required to store sufficient demineralized water (55,000 gallons) to maintain the reactor coolant system (RCS) at hot standby conditions for 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> with steam discharge to atmosphere. All tank connections except thoye required for instrumentation, emergency feedwater pump suction, chemical analysis, and tank drainage are located above this minimum level. Backup water supplies for the EFWT are available in an emergency from temporary manual hookups via a hose from the hotwell to a gasoline engine-driven pump or from the Missouri River through a fire water hookup.

2.2 Soccess Criterion System success requires the operation of at least one pump sunplying rated _ flow to at least one steam generator.

2.3 System Dependencies The AFW system depends on_AC power for the motor-driven pump ano AFV system instrumentation, DC pnwer for control power to pumps and valves, and 3r.

automatic actuation signal. The Condensate and Fire systems provide emergency makeup to the EFWT. Instrument Air is required to operate the feed supply valves to the steam oenerators, the steam supply valves to the turbine-driven pump, the turbine gciernor speed control, and the recirculation contol valves.

The Main Feedsater System provides the flow path for normal reactor startup and shutdown operation of the AFW system through the main feedwat(r regulating bypass valves. Also, the turbine-driven pump also requires steam availability.

2.4 Qperational Constraints When the RCS is above 300 degrees Fahrenheit, the Fort Calhoun Technical Opecifications require that both AFW puu1ps and their associated flowpaths are ope-abl e . In Modes 1 and 2, one AFW pun may be inoperable for up to 24 hout s, provided that the other pump is usted to demonstrate it is operable.

The Fort Calhoun Technical Specifications require a minimum inventory of 55,000 gallons (8 hour9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> supply) of demineralized water be maintained during plant op; ration and a backup supply to the EFWT be available from the Missouri River via the fire water system.

4

3.0 INSPECTION GUIDANCE F00. THE FORT CALHOUN AFW SYSTEh In this section the risk important components of the Fort Calhoun AFW system are identified, and the important modes by which they are likely to fail are briefly described. These failure modes include specific human errors, design problems, and types of hardware failures which have been observed to occur for these types of components, both at Fort Calhoun and at PWRs throughout the nuclear industry. The discussions also identify where connon cause failures have af fected multiple, redundant components. These brief discussions identify specific aspects of system or component design, operation, maintenance, or testing for observation, records review, training observation, procedures review or by observation of the implementation of procedures.

Table 1.1 is an abbreviateJ AFW system walkdown table which identifies risk important components. This table lists the system lineup for normal, standby system operation. Inspection of the components identified addresses essentially all of the risk associated with AFW system operation.

3.1 Risk Imoortant AFW Cogorec.ts_and Failure Modas Common cause failures of multiple pumps are the most risk-important failure modes of AFW system components. These are followed in importance by single pump failures, level control valve failures, and individual check velve leakage failures.

The following sections address each of these failure modes, in decreasing order of importance. They present the important root causes of these component failure modes which have been distilled from historical records.

Each item is keyed to discussions in Section 5.2 which present additional information on historical events.

3.1.1 Multiple Pumo Failures due to Common Caun The following listing summarizes the most important multiple-pump failure modes identified in Section 5.2.1, Common Cause Failures, and each item is keyed to entries in that section..

Incorrect operator intervention into automatic system functioning, including improper manual starting and securing of pumps, has caused f ailure of all pumps, in:luding overspeed trip on startup, and inability to restart prematurely secured pumps. CC1.

Valve mispositioning has caused failure of all pumps. Pump suction, steam supply, and instrument isolation valves have been involved. CC2.

- Steam binding has caused failure of multiple pumps. This resuited from leakage of hot feedwater past check valves into a common discharge header, with several valves involved including a motor-operated discharge valve. (See item 7 below.) CC10. Multiple-pump steam binding has also resulted from improper valve lineups, and from running a pump deadheaded.

CC3.

Pump control circuit deficiencies or design modification errors have caused f ailures of multiple pemps to auto start, spurious pump trips during operation, and failures to restart after pump shutdown. CC4.

5

D Incorrect sotpoints and control circuit calibrations have also prevented proper operation of multiple pumps. CC5.

. . Loss of a vital power bus has failed both the turbine-driven and one motor-driven pump due to loss of control power to steam admission valves or to turbine controls, and to motor controls powered from the same bus. .

CC6.

. Simultaneous startup of multiple pumps has caused oscillations of pump suction pressure causing multiple-pump trips on low suction pressure, despite the existence of adequate static net positive suction head (HPSH). CC7. Design reviews have identified inadequately sized suction piping which could have yielded insufficient NPS!! to support operation of more than one pu:p. CC8.

3.1.2 Turbine Driven Pumo FW-10 Fails to Start or Run

. Improperly adjusted and inadequately maintained turbine governors have caused pump failurer. HE2. Problems include worn or loosened nuts, set screws, linkages or cable connections, oil leaks and/or contamination, and electrical failures of resistors, transistors, diodes and circuit cards, and erroneous grounds and connections. Cf5. Fort Calhoun has experienced similar type failures.

Terry turbines with Woodward Model EG governors have been found to overspeed trip if full steam flow is allowed on startup. Sensitivity can be reduced if a startup steam bypass valve is sequenced to open first.

del.

- Condensate slugs in steam lines have caused turbine overspeed trip on startup. it.sts repeated right after such a trip may fail to indicate the problem due to warming and clearing of the steam lines. Surveillance should exercise all steam supply connections. DE2.

. Trip and throttle valve problems which have failed the turbine driven pump include physically bumping it, failure to reset it following testing, and failures to verify control room indication of reset. HE?.

Whether either the overspeed trip or TTV trip can be reset without resetting the other, indication in the control room of TTV position, and unambiguous local indication of an overspeed trip affect the likelihood f these errors. DE3. At Fort Calhoun, the turbine-driven pump has failed to start on demand due to backpressure trip lever not being reset.

There was no indication for trip lever positior..

. Turbines with Woodward Model PG-PL governors have tripped on overspeed when restarted shortly after shutdown, unless an operator has locally ,

exercised the speed setting knob to drain oil from the governor speed setting cylinder (per procedure). Automatic oil dump valves are now available through Terry. DE4.

3.1.3 Motor Driven Pump Fk'-6 Fails to Sta. t or Run

- Control circuits used for automatic and manual pump starting are an important cause of motor driven pump failures, as are circuit breaker failures. CF7.

6

- hispositioning of handswitches and procedural deficiencies have prevented automatic pump start. HE3.

. Low lubrication oil pressure resulting from heatup due to previous operation has prevented pump restart due to failure to satisfy the protective interlock. DES.

3.1.4 Pumo FW 6 or FW-10 Unavailable Due to Maintenasqe or Surveillance

- Both scheduled and unscheduled maintenance remove pumps from operability.

Surveillance requires operation with an altered line-up, although a pump train may not be declared inoperable during testing. Prompt scheduling and performance of maintenance and surveillance mir.iti. ze this unavailability.

3.1.5 Air Operated Flow Control Valves Fail Closed Emeroency AFW feed to S/G A: HCV-1107ALB Emeraency AFW feed to S/G B: HCV-Il08A/S g Recirculation Flow Control MD:TD: FCV-1368:FCV-1369 The emergency AFW feedwater control valves to S/G A and B are r.ormally

- closed valves. They are designed to fail open on loss of control power or loss of air pressure. AFW pump recirculation flow valves are normally open '

and they control recirculation flow to the EFWT. They fail open on loss of Instrument Air or loss of control power.

- Control circuit problems have been a pripry cause of failures, both at Fort Calhoun and elsewhere. CF9. Valn failures have resulted from blown fuses, failure of control compo tents (such as current / pneumatic convertors), broken or dirty contacts, misaligned or broken limit switches, control power loss, and calibration problems. Degraded operation has also resulted from improper air pressure due to air regulator failure or leaking air lines.

- Out-of-adjustment electrical flow controllers have caused improper -

valve operation, affecting multiple trains of AFW. CC12.

- Leakage of hot feedwater through check valves has caused thermal binding of flow control MOVs. A0'!s may be similarly susceptible.

CF2,

- Multiple flow control valves have been plugged by clams when suction switched automatically to an alternate, untreated source.

CC9.

3.1.6 Motor Ooerated Isolation Valve Fail closed AFW to Main Feedwater Line: HCV-1384 This normally closed MOV supplies AFW flow to the steam generators through the main feedwater lines during system startup or :,hutdown. It fails as-is on loss of power and can be operated manually using a local handwheel.

- Common cause failure of MOVs has resulted from failure to use

, electrical signature tracing equipment to determine proper settings of .urque switch and torque switch bypass switches.

7 1

o .

. . Failure to calibrate switch settings for high torques necessary under design basis accident conditions has also been involved. ~

CC11. Fort Calhoun has experienced valve failure due improper torque switch setting.

. Valve motors have been failed due to lack of, or improper sizing or use of thermal overload protective devices. fvpassing and oversizing should be based on proper engineering ior desian basis conditions. CF4.

. Out-of-adjustment electrical flow controllers have caused improper discharge valve operation, affecting multiple trains of AFW.

CC12.

. Grease trapped in the torque switch spring pack or Limitorque SMB motor operators has caused motor burnout or thernc1 overload trip by preventing torque switch actuation. CF8.

. Manually reversing the direction of motion cf operating HOVs has overloaded the motor circuit.. Operating procedures should provide cautions, and circuit designs may prevent reversal before each stroke is finished. DE7.

. Space heaters designed for preoperation storage have been found wired in parallel with valve motors which had not been environmentally qualified with them present. DE8.

3.1.7 Manual Suction or Discharae Valves FtQ Closed E Nmo FW-10: Valves FW 349 or FW-172 MD Pumo FW-6: Valves FW-350 o* FW-171 EFWT Discharoe: Valves FW-339 or FW-1316 These manual valves are normally locked open. For each pump closure of the first valve listed would block suction to the pump. Closure of the second valve would block all pump discharge except recirculation to the EFWT. _

Valve mispositioning has resulted in failures of multiple trains of AFW. CC2. It has also been the dominant cause of problems identified during operational readiness inspections. HEl. Events have occurred most often during maintenance, calibration, or syc; w modifications.

Important causes of mispositioning include:

Failure to provide complete, clear, and specific procedures for tasks and system restoration Failure to promptly revise and validate procedures, training, and diagrams following system modifications Failure to complete all steps in a procedure Failure to adequately review uncompleted procedural steps after task completion

. Failure to verify support functions after restoration Failure to adhere scrupulously to administrative procedures regarding tagging, control and tracking of valve operations

. Failure te log the manipulation of sealed valves Failure to follow good practices of written task assignment and feedback of task completion information 8

_~ ____--__.-_-.-__.--._u- - _ . - _ _ , . _ _ _ _ . -

_ _ . - _ _ - - - _ . . _ _ . _ _ _ _ _ _ _ _ - - _ _ _ _ . - _ _ -_: _ _ _ _ - - - - -____--__-__---._---.._.__..___a

.. .. - -- - - . - . = . _ . .- - ___- - .-

.- 9 .

. . Failure to provide easily read system drawings, legible valve labels corresponding to drawings and procedures, and labeled indications of local-valve position

s-3.1.8L Leekaoe of Hot Feedwater throuch Check Valves:

At MFW connections: Valves FW 161. 162. 163. 164. 1334 At Pumo Discharaes: Valves FW-173. 174

. Leakage of hot feedwater through several check valves in series has caused steam binding of_ multiple lumps. -Leakage through a closed level control valve in series with chec( valves has also occurred, as would be required for leakage to reach the motor driven pump, FW-6 CC10.

. Slow leakage past the final check valva of 4 series may not force

. upstream check valves closed, allowing leakage past each of them in turn.

Piping orientation and valve design are important factors in achieving true series protection.. CFl. Check valve leakage has occurred at Fort Calhoun.

3.2 Ritk Imoortant AFW System Walkdown Table -

Table 3.1 presents an AFW system walkdown table including only components identified as risk important. This information allows inspectors to concentrate their efforts on components important to prevention of core damage. However,. it is ossential to note that inspections should not focus exclusively on these comments. Other components which perform essential functions, but which are absent from this table because of high-reliability or redundancy, must also be addressed to ensure that their risk importances are not increased. Examples: include an adequate water level in the EFWT and the

'(closed) valves cross connecting the discharges of the AFW pumps ~to the Main Feedwater flowpath.

9

. -. / : . -

l V '

-TABLE 3.1, : Risk Important AFW System Walkdown Table for:

Fort Calhoun AFW System Components t.:  ;

7 Required Actual Comoonent ( [pmoonent Nue Position Position:

i.

Electr.inl ,

FW-6 Motor-Driven Pump Racked In/

Closed Va'1ves FW-339 EFWT Outlet Valve Locked Open _

FW 1316- -EFWT Outlet Yalve Locked Open FW-349- TDAFW Pump FW-10: Suction Locked Open L

FW-350- MDAFW Pump FW-6 Suction Locked Open-

FW-172 TDAFW Pump Discharge Locked Open F_W-171_ HDAFW Pump Discharge Locked Open FW-900- .TDAFW~ Pump Recirculation Locked Open-

_ Isolation

-- FW-744 TDAFW Alternate Discharge. Closed Isol ation -

- FW-745 MDAFW Alternate Discharge Closed Isol ation--

- FW-746 -AFW Pumps Combined Alternate Locked Open Discharge--Isolation '

' FW-149: FCV-1101 ' Inlet Isolation Locked Open

' FW-150 HCV-1105 Inlet Isolation- Locked Open L FW-151 -: HCV-1105-Outlet Isolation Locked Open FW-169 .HCV-1584 Inlet Isolation Locked Open FW-170 -HCV-1384 Outlet Isolation- -Locked Open FW-190 FCV-1102 Inlet Isolation Locked Open FW-191 HCV-1106-Inlet Isolation Locked Open

- FW-192 HCV-1106 Outlet Isolation Locked Open w ~

!, ~ HCV-1107A AFW to S/_G A Isolatior Auto / Closed l

10 l

a.

,  :. Tantr 1 1. Risk Important AFW Systea Walkdown Table for Fort Calhoun AFW System Components (Continued) s HCV-1107B AFW to S/G A Isolation Auto / Closed HCV-Il0BA AFW to S/G E' Isolation Auto / Closed HCV-1108B AFW to S/G B Isolation Auto / Closed FW-1275 Emergency Makeup to EFWT Open from Fire System FW-661 LCV-1173 Inlet Isolation Open FW-662 LCV-1173 Outlet Isolation Open FW 663 LCV-1173 Bypass Isolation Closed FW-1317 LCV-1173 Bypass Isolation Closed FW-652 LCV-1189 Inlet Isolation Open FW-653 LCV-Il89 Outlet Isolation Closed FW-654 LCV-1189 Bypass Isolation Closed YCV-1045A TDAFW Pump Steam Supply Norraal/ Closed YCV-1045B TDAFW Pump Steam Supply Normal / Closed YCV-1045 TDAFW Pump Steam Stop Valve After Stop/

Closed FW-161 Piping Upstream of Check Valve Cool FW-162 Piping Upstream of Check Valve Cool

~

FW 163 Piping Upstream of Check Valve Cool FW-164 Piping Upstream of Check Valve Cool FW-1334 Piping Upstream of Check Valve Cool FW-173 Piping Upstream of Check Valve Cool FW-174 Piping upstream of Check Valve Cool 11

. -. ~

[

4.0 GENERIC RISX INSIGHTS FROM PAAS I s PRAs for 13 PWRs were analyzed to identify risk-important accident sequences involving loss of AFW, and to identify and risk-prioritize the component failure modes involved. The results of this analysis are described in this section. They are consistent with results reported by INEL and BNL (Gregg et al 1988, and Travis et al,1988).

4.1 Blik._Lmportant Accident Seouences involvino AFW System Failure Loss of Power System

. A loss of offsite power is followed by failure of AFW. Due to lack of actuating power, the PORVs canntt be opened, preventing adequate feed-and-bleed cooling, and resulting in core damage.

. A station blackout fails all AC power except Vital AC from DC invertors, and all decay heat removal systems except the turbine-driven AFW pump. AFW subsequently fails due to battery depletion or hardware failures, resulting in core damage.

. A DC bus fails, causing a trip and failure of the power conversion system. One AFW motor-driven pump is failed by the bus loss, and the turbine-drivdh pump fails due to loss of turbine or valve control power. AFW is subsequer.tly lost completely due to other failures.

Feed-and-bieed cooling fails because PORY control is lost, resulting in core damage.

Transient-Crused Reactor or Turbine Tric

. A transient-caused trio is followed by a loss of PCS and AFW.

Feed-and-bleed cooling fails either due to failure of the operator to initiate it, or due to hardware failures, resulting in core damage.

Loss of Main Feedwater

. A feedwater line break drains the common water source for MFW and AFW.

The oper:*. ort fail to provide feedwater from other sources, and fail to tr: fit %c feed-and-sleed cooling, resulting in core damage.

. A loss of main feedwater trips the plant, and AFW fails due to

- operator erro- m hardware failures. The operators fail to initiate feed-rd-bleed cooling, resulting in core damage.

Steam Generator Tube Ruoture

. A SGTR is followed by failure of AFW. Coolant is lost from the primary until the RWST is depleted. HPI fails since recirculation cannat be-established from the empty sump, and core damage results.

12

o .

1 4.0 Msk imocrtant Comoonent Failure Modes The generic component failure modes identified from PRA analyses as

< important to AFW system f ailure are listed below in decreasing order of risk importance.

1. Turbine-Driven Pump Failure to Start or Run.

2. Motor-Driven Pump Failure to Start or Run.

3. TDP or MDP Unavailable due to Test or Maintenance. ,

4. AFW System Valve Failures steam admission valves

- trip and throttle valve flow control valves

. pump dischatge valves "

pump suction valves

. valves in tep.ing or maintenance. '

5. Supply / Suction Sources

. - emergency feedwater storage t.ank stop valve

. hot well inventory suction valves.

In addition to individual hardware, circuit, or instrument failures, each of these failure modes may result from common causes and human errors. Comrron cause failures of AFW pumps are particularly risk important. Valve failures are somewhat.less important due to the multiplicity of steam generators and conn 2ction paths. Human errors of greatest risk importance involve: failures to initiato or control system operation when required; fail ee to restore proper system lineup after maintenance or testing; and fsilure to switch to alternate sourct:s when reouired. _

13

• . l 5.0 FAfLVRE N00ES DETERMINED FROM OPERATING EXPERIENCE This section describes the. primary root causes of component failures of the AFW system, as determined from a rbtew of ooerating 51 stories at Fort Calhoun and at other PWRs throughout the nuciar industry. Section 5.1 describes experience at Fort Calhoun. Section 5.2 summt.rizes information compiled from a variety of NRC sources, including AE00 ardy:es and reports, information notices, inspection and enforcement bulletins, and generic letters, and from a variety of INPO reports as well. Some Licensee Event ,

Reports (LERs) and NPRDS event descriptions were also reviewed individually,  ;

Finally, information was included from reports of NRC-sponsoreo studies of the '

effects of plant aging, which ir:clude quantitative analyses of AFW system failure reports. Thh information was used to identify the various root causes expected for the broad PRA-based failure categories identified in Section 4.0, resulting in the inspection guidelines presented in Section 3.0.

5.1 Fort Calhoun Experience The AFW s', m m at Fort Calhoun has experienced approximately 20 significant equipment failures since 1974. These include failures of the AFW pumps, the pump discharge level control valves to steam generators, and system check valves. Failure modes include electrical, instrumentation, and hardware failures.

5.1.1 AFW Pump Control Loaic. Instrumentation and flg_g_trical Failures There have been eight failures of the AFW pumps to start and/or run properly experienced since 1974. These have resulted from failures of governor speed control 'inkages, flow transmitters or other pump related failures. The failure causes are mechanical wear. corrosion, or inadequate preventative maintenance procedures. Failure of the turbine-driven pump to stop following a surveillance was caused by a blown fuse which stopped the steam admission valve from closing.

5.1.2 Failure of AFW pumo Discharae_ Flow Control Valve to Steam Generator l

There have been two failures of the pump discharge flow control valves l since 1974. These hava resulted from normal wear of valve internals allowing i excessive leakage.

l- 5.1.3 AFW Valve Failures l

Since 1974 there have oeen four events involving AFW valve failures resulting in excessive leakage. Included in this category are a check valve, a a manual gate valve, and air cperated globe valves. The failure ceuse in all cases was normal wear of valve internals.

5.1.4 Human Errors Two cases relating directly to human error affecting the AfW system were fcund in the events examined. One case involved inadvertant actuation of the

! AFW s.ystem during operation when an operator mispositioned a control switch I

during the performance of a surveillance. The other case involved improperly setting a torque switch which caused improper valve operation. Contributing factors leading to the human error were identified as inadequate control switch labeling ard improper test conditions for setting the torque switch.

14

V .

i 5.2 Industry Wide Experiengt Humar, errors, design / engineering problems and errors, and component failures are the primary root causes of AFW System failures identified in a review of industry wide system operating history. Common cause failures, which diskole more than one train of this operationally redundant system, are hignly risk significant, and can result from all of these causes.

This section identifies important common cause failure modes, and then providas a broader discussica. of the single failure effects of human errors,

-design / engineering problems and errors, and component failures. Paragraphs presenting details of these failure modes are ceded (e.g., CC1) and cross-referenced by inspection items in Section 3.

5.2.1 . Common Cause Failures The dominant cause of AFW system multiple-train failures has been human error. Design / engineering errors and component failures have been less frequent, but nevertheless significant, causes of multiple train failures.

E Human error in the form of incorrect operator intervention into automatic AFW system functioning during transients resulted in the temporary loss of all safety grade AFW pumps during events at Davis Besse (NUREG-1154, 1985) and Trojan (AE00/T416, 1983). In the Davis Besse event, improper manual initiation of the steam and feedwater rupture control system (SFRCS) led to overspeed tripping of both turbine-driven AFW pumps, probably due to the introduction of condensate into the AFW turbines from the long, unheated steam supply lines. (The system had never been tested with the abnormal, cross-connected steam supply lineup which resulted.) In the Trojan event the operator incorrectly stopped both AFW pumps due to misinterpretation of MFW pump speed indication. The diesel driven pump would not restart due to a protective feature requiring complete shbtdown, and the turbine-driven pump tripped on overspe;d, requirirg local reset of the trip and throttle velve. In cases where mi.nual intervention is required during the early stages of a transient, training should emphasize that actions should be performed methodically and deliberately to guard against such errors.

((L Valve mi.spositioning has accounted for a significant fraction of the human errors failing multiple trains of AFW. This includes closure of normally open suction valves or steam supply valves, and of isolation valves to sensors having control functions. Incorrect hcndswitch positioning and inadequate temporary wiring changes have also prevented automatic :: tarts of multiple pumps, Factors identified in studies of mispositioning errors include failure to add newly installed valves to valve checklists, weak administrative control of tagging, restoration, independent verification, and locked valve logging, and inadequate adherence to procedures. Illegible or confusing local valve labeling, and insufficient training in the determination L of valve position may cause or mask mispositioning, and surveillance which does not exercise complete system functicaing may not revaal mispositionings.

[.CL At ANO-2, both AFW pumps lost suction due to steam binding when they were lined up to both the CST and the hot startup/ blowdown demineralizer effluent (AE0D/C404,1984). At Zion-1 steam created by running the turbine-driven pump deadheaded for one minute caused trip of a motor-driven pump sharing the same inlet header, as well as damage to the turbine-driver pump (Region 3 Horning Report, 1/17/90). Both events were caused by procedural inadequacies.

15 i

+ *

'A Oc:1gn/ engineering errors hava accounted for a smaller, but sipificant fraction of common cause failures. Problems with control circuit design modifications at Farley defeated AFW pump auto-start on loss of main feedwater. At Zion 2, restart of both mator driven pumps uas blocked by circuit failure to deenergize when the pumps had been tripped with an automatic start signal present (IN 82-01,1982). In addition, AFW control circuit design reviews at Salem and Indian Point have identified designs where frilures of a single component could have failed all or multiple pumps (IN 87-34,1987).

(E Incorrect setpoints and control circuit settings resulting from analysis errors and failures to update procedure:, have also prevented pump start and caused pumps to trip spuricusly. Errors of this type may remain undetected despite serveillance testing, unless surveillance tests model all types of system init11 tion and oparating conditions. A greater fraction of instrumentation and control circuit problems Sas been identified during actual system operation (as opposed to surveillance testing) than for other types of iailures.

CC6, On two occasions at a foreign plar,t, failure of a balance-of-plant inverter caused failure of two AFW pumps. In addition to loss of the motor driven pump whose auxiliary start relay was powered by the invertor, the turbine driven pump tripped on overspeed because the governor valve opened, allowing full steam flow to the turbine. This illustrates the importance of assessing the effects of failures of balance of plant equipment which supports the operation of critical components. The instrument air system is another

. example of such a system.

• [E Multiple AFW pump trips have occurred at Millstone % Cook-1, Trojan and Zion-2 (IN 87-53, 1987) caused by brief, low pressure o' 'iations of suction pressure during pump startup . These oscillations occurred despite the availability of adequate static NPSH. Corrective actions aken include:

extending the time delay associated with the low pressure '. rip, removir.g the trip, and replacing tht trip with an alarm and operator ac tion.

{1 Design errors discovered during AFW system reanalys s. at the Robinson plant (IN 89-30, 1989) and at Millstone-1 resulted in the supply header from the CST being too small to provide adequate NPSH to the ; amps if more than one of the three pumps w:re operating at rated flow conditions. This could lead to multiple pump failure due to cavitation. Subsequent reviews at Robinson identified a loss of feedwater transient in which inadequate NPSH and flows less than design values had occurred, but which were not recognized at the time. Event analysis and equipment trending, as well as surveillance testing which duplicates service conditions as much as is practical, can help identify such design errors.

CC9, Asiatic clams caused failure of two AFW flow control valves at Catawba-2 when low suction pressure caused by starting of a motor-driven pump caused suction source realignr6ent to the Nuclear Service Water system. Pipes had not been routinely treated to inhibit clam growth, nor regularly monitored to detect their presence, and no strainers were installed. The need for surveillance which exercises alternative system operational modes, as well as complete system functioning, is emphasized by this event. Spurious suction switchover has also occurred at Callaway and at McGuire, although no failures resulted.

[C10. Common cause failures have also hen caused by component failures (AE00/C404,1984). At Surry-2. both the turbine driven pump and one motor 16

l .

l

• h8"en pmp were @clared inoperable due to steam binding caused by backleakage of hot water through multiple check valves. At Robinson-2 both motor driven pumps were found to be hot, and both motor and steam driven pumps were found to be inoperable at different times. Backleakage at Robinson-2 passed through closed motor-operated isolation valves in addition te multiple check valves. At Farley, both motor and ti,rbine driven pump casings were found hot, although the pumps were not declared inoperable. In addition to multi-train failures, numerous incidents of single train failures have occurred, resulting in the designation of " Steam Binding of Auxiliary Feedwater Pumps" as Generic Issue 93. This generic issue was resolved by Generic Letter 88-03 (Miraglia, 1988), which required licensees to monitor AFW piping temperatures each shift, and to maintain procedures for recognizing steam binding and for restoring system operability.

CCIL Common cause f ailures hve also failed motor operated valves. During the total loss of feedwater event at Davis Besse, the normally-open AFW isolation valves failed to open after they were inadvertently closed. The failure was due to improper setting of the torque switch bypass switch, which prevents motor trip on the high torque required to unseat a closed valve, Previous problems s'ith these valves had been addressed by increasing the torque switch trip setpoint - a fix which failed during the event due to the higher torque required due to high differential pressure across the valve. e Similar common mode failures of MOVs have also occurred in other systems, resulting in issuance of Geneiic Letter 89-10, "';afety Related Motor-Operated Valve Testing and Surveillance (Partlow,1989)." This generic letter requires licensees to develop and implement a program to provide for the testing, inspection and maintenance of all safety-related MOVs to provide assurance that they will function when subjected to design basis conditions.

CCl2, Other component failures have also resulted in AFW multi-train failures. These include out-of-adjustment electrical flow controllers resulting in improper discharge valve operation, and a failure of oil cooler cooling water supply valves to open due to silt accumulation.

5.2.2 Humn Errors EL The overwhelmingly dominant cause of problems identified during a series ~

of operational readiness evaluations of AFW systems was human performance. The majority of these human performance problems resulted from incomplete and i incorrect procedures, particularly with respect to valve lineup information.

A study of valve mispositicaing events involving human error identified failures in administrative control of tagging and logging, procedural compliance and completion of steps, verification of support systems, and inadequate procedures as important. Another study found that valve mispositioning events occurred most often during maintenance, calioration, a modification activities, insufficient training in determining valve position, and in administrativo reauirements for controlling valve positioning were important causes, as was oral task assignment without task completion ,

feedback.

EL Turbine driven pump failures have been caused by human errors in calibrating or adjusting governor speed control, poor governor maintenance, incorrect adjustment of governor valve and overspeed trip linkages, and errors associated with the trip and throttle valve. TTV-associatec errors include physically bumping it, failure to restore it to the correct position after testing, and failures to verify control room indication of TTV position following actuation.

17 l

. - - . ~- . . .. - . . - - - - -

d r L 9

+* ' '.

IIL Motor driven pumps have been failed by human errors in.m: positioning handswitches, and by procedure deficiencies.

5.2.3 Desion/Encineerino Problems and Errors DEL As noted above, the majority of AFW subsystem failures, and the greatest relative system degradation, has been found to result from turbine-driven pump -

failures.- Overspeed trips of Terry turbines controlled by Woodward governors have been-a rignificant source of these failures (AEOD/C602, 1986).- In many cases these overspeed trips have been caused by slow response of a Woodward Model EG governor on startup, at plants where full steam flow is allowed immediately. This oversensitivity has been removed by installing a startup steam bypass valve which opens first, allowing a controlled turbine acceleration and buildup of oil pressure to cont ol the governor valve when full steam flow is admitted.

DIL Overspeed trips of Terry turbines have been caused by condansate in the steau supply lines. Condenstta slows down the turbine, causing u.> governor

- valve to open farths , and overspeed results before the geve nor valve can respond, after the water slug clears. This was determined to be the cause of the loss-of-all AFW event at Davis Besse-(AEOD/602,1986), with condensation enhanced due to the long length of the cross-connected steam lines. Repeated tests-followir.g a cold-start trip may be successful due to system heat up.

DEL Turbine trip and throttle valve (TTV) problems are a significant cause of turbine driven pump failures (IN 84-66). In some cases lack of TTV position indication in the control room prevented recognition of a tripped TTV. In other cases it was possible to reset either the overspeed trip or the TTV without reseting the other. This problem is compounded by the fact that the position of the overspeed trip linkage can be misleading, and the mechai. ism may lack labels indicating when it is in the tripped position (AEOD/C602,1986).

DEL Startup of turbines with Woodward Model PG-PL governors within 30 minutes of shutdown has resulted in overspeed trips when the speed setting knob was not exercised locally to drain oil from the speed setting cylinder.

Speed control- is based on startup with an empty cylinder. Problems have c involved turbine rotation due to both procedure violations and leaking steam.

Terry has marketed two types of dump valves for automatically draining the oil after shutdown (AEOD/C602, 1986).

At Calvert Cliffs, a 1987 lost of-offsite-power event required a quick, cold

- - startup that resulted in turbine trip due to PG-PL governor stability problems. The short-term corrective action was installation of stiffer buffer springs (IN 88-09,1988). Surveillance had always been- ) receded by turbine warmup, which-illustrates the importance of testing whic1 duplicates service conditior.s as much as is practical.

DEL Reduced viscosity-of gear box oil heated by prior operation caused failure of a motor driven pump to start due to insufficient lube oil pressure.

Lowering the: pressure switch setpoint solved the problem, which had not been detected during testing.

!)1L Waterhammer at Palisades resulted in AFW line and hanger damage at both steam generators. The AFW spargers are located at the normal steam generator level, and are frequently covered and uncovered during level fluctuations.

Waterhammers in top-feed-ring steam generators resulted in main feedline 18

. ruoture at Fort Calhoun and feedwater pipe cracking at !ndian Point-2 (IN 84-32,1984).

DIL, Manually reversing the direction of motion of an operating valve b=s resulted in MOV failures where such loading was not considered ii. the design (AE00/C603,1986). Control circuit design may prevent this, requiring stroke completion before reversal.

Qfi.. At each of the units of the South Texas Project, space heaters provided by the vendor for use in preinstallation storage of MOVs were found to be wired in parallel to the Class lE 125 V DC motors for several AFW valves (IR 50-489/89-11; 50-499/89-11, 19 5 ). The valves had been environmentally qualified, but not with the non-safety-related heaters energized.

5.2.4 Component Failu'res Generic Issue II.E.6.1, "In Situ Testing Of Valves" was divided into four sub-issues (Beckjord,1989), three of which relate directly to prevention of AFW system component failure. At the request of the NRC, in-situ testing of check valves was addressed by the nuclear industry, resulting ie he EPRI report, " Application Guidelines for Check Valves in Nuclear Powt. Pl ants (Brooks, 1988)." This extensive report provides information on check valve applications, limitations, and inspection techniques. In-situ testing of MOVs was addrersed by Generic Letter 89-10 " Safety Related Motor Operated Valve Testing and Surveillance" (Partlow,1989) which requires licensees to develop and implement a program for testing, inspection and mintenance of all safety-related MOVs. " Thermal Overload Prot:ction for Electric Motors on Safety-Related Motor-0perated Valves - Ger,eric Issue II.E.6.1 (Rothber',1988)"

concludes that valve motors should be thermally protected, yet in a way which emphasizes system function over protection of the operator.

CFl. The common-cause stear binding effects of check valve leakage were identified in Section 5.2.1, entry CC10. Numerous single-train events provide additional insights into this problem. In some cases leakage of hot MFW past multiple check valves a series has occurred because adequate valve-seating pressure was limited tu the valves closest to the steam generators (AE0D/C404, 1984). At Robinson, the pump shutdown procedure was changed to delay closing the MOVs until after the check valves were seated. At r'arley, check valves were changed from swing type to lift type. Check valve rework has been done at a number of plants. Different valve designs and manufacturers are involved in this problem, ard recurring leakage has been experienced, even after repair and replacement.

CfF1, At Robinson, heating of motor operated valves by check valve leakage has caused thermal binding and failure of AFW discharge valves to open on demani.

At Davis Besse, high differential pressure across AFW injection valves resulting from check valve leakage has prevented MOV oper tion (AE00/C603, 1986).

CF3. Gross check valve leakage at McGuire and Robinson caused overpressurization of the AFW suction piping. At a foreign PWR it resulted in a severe waterhammer event. At Palo Verde-2 the MFW suction piping was overpressurized by check valve leakage from the AFW system (AE00/C404, 1984).

Gross check valve leakage through idle pumps represents a potential diversion of AFW pump flow.

CF4 Roughly one third of AFW system failures have been due to valve operator failures, with about equal failures for MOVs and A0Vs. Almost half of the MOV 19

~

iciiurer were due to motor or switch failures (Casada, 1989). An extensive study of MOV events (AEOD/C603, 1986) indicates continuing inoperability problems caused by: torque switch / limit switch settings, adjustments, or

- failures; motor burnout; improper sizing or.use of thermal overload devices; premature degradation related to inadeauate use of protective devices; damage due to misuse (valve throttling, valve operator hammering); mechanical problems (loosened parts, improper assembly); or the torque switch bypass circuit improperly installed or adjusted. The study concluded that current methods and procedures at many plants are r.ot adequate to assure that MOVs will operate when needed under credible accident conditions. Specifically, a surveillance test which the valve passed might result in undetected vsive inoperability due to component failure (motor burnout, operator parts failure, stem disc separation) or improper positioning of protective devices (thermal overload, torque switch, limit switch). Generic letter 89-10 (Partlow, 1989) has subsequently required licer.nes to implement a program ensuring that MOV switch settings are maintained so that the valves will operate under aesign basis conditions for the life of the plant.

E Component problems have caused a significant number of turbine driven pump trips (AEOD/C602, 1986). One group of events involved worn tappet nut faces, loose cable connections, luosened set screws, improperly latched TTVs, and improper assembly. Another involved oil leaks due to component or seal failures, and oil contamination due to poo mairk.ance activities. Governor oil may not be shared with turbine lubrication oil, resulting in the need for separate oil changes. Electrical component failures included transistor or resistor failures due to moisture intrusion, erroneous grounds and connections, diode failures, and a faulty circuit card.

E Electrohydraulic-operated discharge valves have performed very poorly, and three of the five units using them have removed them due to recurrent failures. Failures included oil leaks, contaminated oil, and hydraulic pump failures.

CF7. Control circuit failures were the dominant source of motor driven AFW pump failures (Casada, 1989). This includes the controls used for automatic and manual starting of the pumps, as opposed to the instrumentation inputs.

Most of the remaining problems were due to circuit breaker failures.

CF8. " Hydraulic lockup" of Limitorque SMB spring packs has prevented proper spring compression to actuate the MOV torque switch, due to grease trapped in the spring pack. During a surveillance at Trojan, failure of the torque switch to trip the TTV motor resulted in tripping of the thermal overload device, leaving the turbine driven pump inoperable for 40 days until the next surveillance (AEOD/E702, 1987). Problems result from grease cha'nges to EXXON NEBULA EP-0 grease, one of only two greases considered envf ronmentally qualified by Limitorque. Due to lower viscosity, it slowly migrates from the gear case into the spring pack. Grease changeover at Vermsnt Yankee affected 40 of the older MOVs of which 32 were safety relaud. Grease relief kits are needed for MOV operators manufactured before 1975. At Limerick, additional grease relief was required for MOVs manufactured since 1975. MOV refurbishment programs may yield other changeovers to EP-0 grease.  ;

1 E For AFW systems using air operated valves, almost half of the system degradation has resulted from failures of the valve controller circuit and its instrument inputs (Casada, 1989). Failures occurred predominantly at a few units using automatic electronic controllers for the flow control valves, with I the majority of failures due to electrical hardware. At Turkey Point-3, 20

2 '

c'ontroller malfunction resulted from water in the instrument Air system due to maintenance inoperability of the air dryers.

CF10. For systems using diesel driven pumps, most of ti.e failures were due to start control and governor speed control :ircuitry. Half of these occurred on-demand, as opposed to during testing (Casada, 1989).

(filt For systems using A0Vs, oper:bility requires the availability of Instrument Air, backup air, or backup nitrogen. However, NRC Maintenance Team Inspections have identified inadequate testing of check valves isolating the safety-related portion of the IA system at several utilities (letter, Roe to Richardson). Generic letter 88-14 (Miraglia, 1988), requires licensees to verify by test that air-operated safety-related components will perform as expected in accordance with all design-basis events, including a loss of .

normal IA.

4 t

Y J

21

, .. e

!4 # '

N.0 DEFERENCES Beckjerd, E. S. June 30, 1989. Closecut of Generic Issue II.E.6.1. "In Site a Testina of Valves". Letter to V. Stello, Jr., U.S. Nuclear Regulatory Comission, Washington, DC.

Brooks, B. P. 1988. Application Guidelines for Check Valves in Nuclear Power P]Jnu n . NP-5479, Electric Power Research Institute, Palo Alto, CA.

Casada, D. A. 1989. bxiliary Feedwater System Aoina Study. Volume 1.

Ooeratina Experience and Current Monitorina Practices. NUREG/CR-5404. U.S.

Nuclear Regulatory Commission, Washington, DC.

Gregg, R. E. and R. f. Wright. 1988. Doendix Review for Dominant Generiq Contributors. BLB-31-88. Idaho National Engineering Laboratory, Idaho Falls, Idaho.

Miraglia, F. J. February 17, 1988. Resolution of Generic Safety Issue 93.

" Steam Bindiro of Auxiliary Feedwater Pumos" (Generic letter 88-03). U.S.

Nuclear Regulatory Commission, Washington, DC.

Miraglia, F. J. August 8, 1988. Instrument Air Sucoly System Problems Affectina Safety-Related Eouipment (Generic letter 88-14). U.S. Nuclear Regulatory Commission, Washington, DC.

Partlow, J. G. June 28, 1989. Safeiv-Delated Motor-0perated Valve Testina AnLSurveillance (Generic letter 89-10). U.S. Nuclear Regulatory Commission, Washington, DC.

Rothberg, O. June 1988. Thermal Overload Protection for Electric Motors on Safety-Related Motor-Ocerated Valves - Generic Issue II.E.6.1. NUkEG-1296.

V.S. Nuclear Regulatory Commission, Washington, DC.

Travis, R. and J. Taylor, 1989. DLvplooment of Guidance for Generic.

Functionally Oriented PRA-Based Team Inspections for BWR Plants-Identification af Risk-Imoortant Systems. Components and Human Actions. TLR-A-3874-T6A Brookhaven National Laboratory, Upton, New York. _

AE00 Reports AF0D/C404. W. D. Lanning. July 1984. S_tagm Bindina e' Auxiliary Feedwattt Pumos. U.S. Nuclear Regulatory Commission, Washington, DC.

AEOD/C602. C. Hsu. August 1986. Operational Experience Involvina Turbine

. Overspted Trini. U.S. Nuclear Regulatory Commission, Washington, DC.

ALOD'C603. E. J. Browr. December 1986. A Review of Motor Ocerated Valve Ferformance. U.S. Nuclear Regulatory Commission, Washington, DC.

AE00/E702. E. J. Brown. March 19, 1987. M_pV Failure Due to Hydraulic Lockuo Er.gm Evcessive Grease in Sorina Pack. U.S. Nuclear Regulatory Commission, Washington, DC.

AEOD/T416. January 22, 1983. Loss of ESF Auxiliary Feedwater Pumo Capability at Tro.ian on January 22, 1983. U.S. Nuclear Regulatory Commission, Washington, DC.

22 i i

l

_ _ _ _ _ _ _ _ _ _ _ _ _ _ - - - - . - . _ . - - - - - - - - - - - - - - . - -- --_-.----------u

Information Notices

, IN 82-01. January 22, 1982. Auxiliary Feedwater Pumo lockout Resultino from W-2 Switch Circuit Modification. U.S. Nuclear Regulatory

.estinohouse W

Comission, Washington, DC.

IN 84-32. E. L. Jordan. April 18, 1984. Auxiliary Feedwater Soaroer and Pioe Hanaar Damace. U.S. Nuclear Regulatory Commission, Washington, DC.

IN 84 66. August 17, 1984. Undetected Unavailability of the Turbine-Driven Auxiliary Feedwater Train. U.S, Nuclear Regulatory Comission, Washington, DC.

IN 87-34. C. E. Rossi. July 24, 1987. Sinole Failures in Auxiliary Feedwater Systems. U.S. Nuclear Regulatory Commission, Washington, DC.

IN 87-53. C. E. Rossi. October 20, 1987. Auxiliary Feedwater_E.umo Trios Resultina from low Suction Pressure. U.S. Nuclear Regulatory Commission, Washington, DC.

IN 88-09. C. E. Rossi. March 18, 1988. Egduced Reliability of Steam-Driven Auxiliary Feedwa.tgr, Pumos Caused by Instability of Woodward PG-PL Tvoe Governors, U.S. Nuclear Regulatory Commission, Washington, DC.

IN 89-30. R. A. Azua. August 16, 1989. Robinson Unit 2 Inadecuate NPSH qf Auxiliary Feedwater Pumps. Also, Event Notification 16375, August 22, 1989.

U.S. Nuclear Regulatory Commission, Washington, DC.

Insoection Report IR 50-489/89-11; 50-499/89-11. May 26, 1989. South Texas Proiect Insoection Paparr_t. U.S. Nuclear Regulatory Commission, Washington, DC.

NUREG Recort NUREG-1154. 1985. Lqu of Main and Auxiliary Feedwater Event at the Davis Besse Plant on June 9.1985. U.S. Nuclear Regulatory Commission, Washington, DC.

1 23

.