ML20116A308

Auxiliary Feedwater System RISK-BASED Inspection Guide for the North Anna Nuclear Power Plants
Person / Time
Site: North Anna
Issue date: 10/31/1992
From: Gore B, Moffitt N, Nickolaus J, Vo T
Battelle Memorial Institute, PACIFIC NORTHWEST NATION
To:
Office of Nuclear Reactor Regulation
References
CON-FIN-L-1310 NUREG-CR-5837, PNL-7923, NUDOCS 9210290305


Text

NUREG/CR-5837
PNL-7923

Auxiliary Feedwater System Risk-Based Inspection Guide for the North Anna Nuclear Power Plants

Prepared by J. R. Nickolaus, N. E. Moffitt, B. F. Gore, T. V. Vo

Pacific Northwest Laboratory
Operated by Battelle Memorial Institute

Prepared for
U.S. Nuclear Regulatory Commission


DISCLAIMER NOTICE

This report was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor any agency thereof, or any of their employees, makes any warranty, expressed or implied, or assumes any legal liability of responsibility for any third party's use, or the results of such use, of any information, apparatus, product or process disclosed in this report, or represents that its use by such third party would not infringe privately owned rights.

NUREG/CR-5837
PNL-7923

Auxiliary Feedwater System Risk-Based Inspection Guide for the North Anna Nuclear Power Plants

Manuscript Completed: September 1992
Date Published: October 1992

Prepared by J. R. Nickolaus, N. E. Moffitt, B. F. Gore, T. V. Vo

Pacific Northwest Laboratory
Richland, WA 99352

Prepared for
Division of Radiation Protection and Emergency Preparedness
Office of Nuclear Reactor Regulation
U.S. Nuclear Regulatory Commission
Washington, DC 20555
NRC FIN L1310

Abstract

In a study sponsored by the U.S. Nuclear Regulatory Commission (NRC), Pacific Northwest Laboratory has developed and applied a methodology for deriving plant specific risk-based inspection guidance for the auxiliary feedwater (AFW) system at pressurized water reactors that have not undergone probabilistic risk assessment (PRA). This methodology uses existing PRA results and plant operating experience information. Existing PRA based inspection guidance information recently developed for the NRC for various plants was used to identify generic component failure modes. This information was then combined with plant-specific and industry-wide component information and failure data to identify failure modes and failure mechanisms for the AFW system at the selected plants. North Anna was selected as a plant for study. The product of this effort is a prioritized listing of AFW failures which have occurred at the plant and at other PWRs. This listing is intended for use by the NRC inspectors in preparation of inspection plans addressing AFW risk important components at the North Anna plant.

Contents

Abstract
Summary
1.0 Introduction
2.0 North Anna AFW System
  2.1 System Description
  2.2 Success Criterion
  2.3 System Dependencies
  2.4 Operational Constraints
3.0 Inspection Guidance for the North Anna AFW System
  3.1 Risk Important AFW Components and Failure Modes
    3.1.1 Multiple Pump Failures due to Common Cause
    3.1.2 Turbine Driven Pump Fails to Start or Run
    3.1.3 Motor Driven Pump Fails to Start or Run
    3.1.4 Pump Unavailable Due to Maintenance or Surveillance
    3.1.5 Air Operated Valves Fail Closed
    3.1.6 Motor Operated Control Valves Fail Closed
    3.1.7 Manual Suction or Discharge Valves Fail Closed
    3.1.8 Leakage of Hot Feedwater Through Check Valves
  3.2 Risk Important AFW System Walkdown Table
4.0 Generic Risk Insights From PRAs
  4.1 Risk Important Accident Sequences Involving AFW System Failure
  4.2 Risk Important Component Failure Modes
5.0 Failure Modes Determined from Operating Experience
  5.1 North Anna Experience
    5.1.1 Multiple Driven Pump Failures
    5.1.2 Motor Driven Pump Failures
    5.1.3 Turbine Driven Pump Failures
    5.1.4 Flow Control and Isolation Valve Failures
    5.1.5 Check Valve Failures
    5.1.6 Human Errors
  5.2 Industry Wide Experience
    5.2.1 Common Cause Failures
    5.2.2 Human Errors
    5.2.3 Design/Engineering Problems and Errors
    5.2.4 Component Failures
6.0 References

Figure
  2.1 North Anna Auxiliary Feedwater System

Table
  3.1 Risk Importance AFW System Walkdown Table for North Anna AFW System Components

Summary

This document presents a compilation of auxiliary feedwater (AFW) system failure information which has been screened for risk significance in terms of failure frequency and degradation of system performance. It is a risk-prioritized listing of failure events and their causes that are significant enough to warrant consideration in inspection planning at the North Anna plant. This information is presented to provide inspectors with increased resources for inspection planning at North Anna.

The risk importance of various component failure modes was identified by analysis of the results of probabilistic risk assessments (PRAs) for many pressurized water reactors (PWRs). However, the component failure categories identified in PRAs are rather broad, because the failure data used in the PRAs is an aggregate of many individual failures having a variety of root causes. In order to help inspectors focus on specific aspects of component operation, maintenance and design which might cause these failures, an extensive review of component failure information was performed to identify and rank the root causes of these component failures. Both North Anna and industry wide failure information was analyzed. Failure causes were sorted on the basis of frequency of occurrence and seriousness of consequence, and categorized as common cause failures, human errors, design problems, or component failures.

This information is presented in the body of this document. Section 3.0 provides brief descriptions of these risk-important failure causes, and Section 5.0 presents more extensive discussions, with specific examples and references. The entries in the two sections are cross-referenced.

An abbreviated system walkdown table is presented in Section 3.2 which includes only components identified as risk important. This table lists the system lineup for normal, standby system operation.

This information permits an inspector to concentrate on components important to the prevention of core damage. However, it is important to note that inspections should not focus exclusively on these components. Other components which perform essential functions, but which are not included because of high reliability or redundancy, must also be addressed to ensure that degradation does not increase their failure probabilities, and hence their risk importance.

1 Introduction

This document is one of a series providing plant specific inspection guidance for auxiliary feedwater (AFW) systems at pressurized water reactors (PWRs). This guidance is based on information from probabilistic risk assessments (PRAs) for similar PWRs, industry-wide operating experience with AFW systems, plant-specific AFW system descriptions, and plant specific operating experience. It is not a detailed inspection plan, but rather a compilation of AFW system failure information which has been screened for risk significance in terms of failure frequency and degradation of system performance. The result is a risk-prioritized listing of failure events and their causes that are significant enough to warrant consideration in inspection planning at North Anna.

This inspection guidance is presented in Section 3.0, following a description of the North Anna AFW system in Section 2.0. Section 3.0 identifies the risk important system components by North Anna identification number, followed by brief descriptions of each of the various failure causes of that component. These include specific human errors, design deficiencies, and hardware failures. The discussions also identify where common cause failures have affected multiple, redundant components. These brief discussions identify specific aspects of system or component design, operation, maintenance, or testing for inspection by observation, records review, training observation, procedures review, or by observation of the implementation of procedures. An AFW system walkdown table identifying risk important components and their lineup for normal, standby system operation is also provided.

The remainder of the document describes and discusses the information used in compiling this inspection guidance. Section 4.0 describes the risk importance information which has been derived from PRAs and its sources. As review of that section will show, the failure events identified in PRAs are rather broad (e.g., pump fails to start or run, valve fails closed). Section 5.0 addresses the specific failure causes which have been combined under these broad events.

AFW system operating history was studied to identify the various specific failures which have been aggregated into the PRA failure events. Section 5.1 presents a summary of North Anna failure information, and Section 5.2 presents a review of industry wide failure information. The industry wide information was compiled from a variety of NRC sources, including AEOD analyses and reports, information notices, inspection and enforcement bulletins, and generic letters, and from a variety of INPO reports as well. Some Licensee Event Reports and NPRDS event descriptions were also reviewed. Finally, information was included from reports of NRC sponsored studies of the effects of plant aging, which include quantitative analyses of reported AFW system failures. This industry wide information was then combined with the plant-specific failure information to identify the various root causes of the broad failure events used in PRAs, which are identified in Section 3.0.

2 North Anna AFW System

This section presents an overview of the North Anna AFW system (a Westinghouse 3 loop plant), including a simplified schematic system diagram. In addition, the system success criterion, system dependencies, and administrative operational constraints are also presented.

2.1 System Description

The AFW system provides feedwater to the steam generators (SG) to allow secondary-side heat removal when main feedwater is not available and to promote natural circulation of the Reactor Coolant System (RCS) in the event of a loss of all three reactor coolant pumps. The system is capable of functioning for extended periods during a total loss of offsite power or a loss of the main feedwater system. This allows time to restore offsite power or main feedwater flow or to proceed with an orderly cooldown of the plant to the point where the Residual Heat Removal system (RHR) can remove decay heat. A simplified schematic of the North Anna AFW system and TDAFW pump steam supply is shown in Figure 2.1.

The AFW system consists of one turbine-driven pump (TDAFW) and two motor-driven feed pumps (MDAFW) that provide feedwater to the steam generators, one Emergency Condensate Storage Tank (ECST), and associated piping, valves and instrumentation. Feedwater is supplied to the TDAFW and MDAFW pumps from the ECST through individual suction headers. The TDAFW and MDAFW pumps are capable of supplying all steam generators. Steam is supplied to the TDAFW turbine from all three SGs through automatically controlled air operated valves (TV-MS-111A and B) located upstream of the main steam trip valves. The TDAFW and MDAFW pumps are equipped with a continuous recirculation flow and TDAFW bearing cooling system, which prevents pump deadheading and bearing overheating. The MDAFW pumps are protected from runout conditions by Pressure Control Valves (PCV) and the TDAFW pump by a restricting orifice; all are located in the pump discharge lines.

The system is designed to automatically start. SG levels are manually controlled. The TDAFW and the MDAFW pumps will start upon any of the following conditions and initiate auxiliary feedwater flow:

  • Low low SG level
  • Main feedwater pumps breakers open
  • Safety injection
  • Loss of reserve station service
  • ATWS Mitigation System actuation is initiated.

The AFW pumps discharge through check valves and are normally aligned to one SG (FW-P-3A to the "C" SG via HCV-FW-100C, FW-P-3B to the "B" SG via MOV-FW-100B, and the TDAFW pump (FW-P-2) to the "A" SG via FW-MOV-100D). Depending upon plant conditions, the discharge of each pump can be lined up to any SG by opening lock-closed manual isolation valves. The AFW lines for the SGs are each equipped with a flow element, flow transmitter, and a manual flow control valve.

In addition to dual, redundant steam supply and discharge headers, power, control, and instrumentation associated with the two AFW system trains are independent from each other.

The Emergency Condensate Storage Tank is the normal source of water for the AFW system. The tank is required to store a sufficient quantity of demineralized water (110,000 gallons) to maintain the reactor coolant system (RCS) at hot standby conditions for 8 hours during a loss of power and with steam release to the atmosphere and then to cool the RCS to place the RHR system in service. The administratively controlled, locked open and locked closed valve configuration requires that the ECST discharge valves (FW-173, Fs%160 and FW-143) be locked open to supply the AFW system. Additionally, the Service Water and Fire Protection systems can be manually aligned to provide backup supply to the AFW system.

2.2 Success Criterion

System success requires the operation of at least one pump supplying a minimum of 340 gpm to at least one of the three steam generators within one minute after a loss of all main feedwater.

2.3 System Dependencies

The AFW system depends on AC and DC power at various voltage levels for TDAFW turbine governors, motor operated valve control circuits, solenoid valves, and monitor and alarm circuits. Instrument Air is required for the Main Steam Admission valves (TV-MS-111A & B), AFW Hand Control Valves (FW-HCV-A, B & C) and Pressure Control Valves (FW-PCV-159A & B). The Main Steam Admission and AFW HCVs and PCVs fail open on a loss of Instrument Air or power. Steam availability is required for the TDAFW pumps.

2.4 Operational Constraints

When the reactor is in MODES 1, 2, or 3 (Hot Standby through Power Operation), North Anna Technical Specifications require three independent AFW pumps (two motor driven powered from separate emergency busses and one steam turbine capable of being powered from an OPERABLE steam supply system) and associated flow paths to be OPERABLE. If one AFW pump or flow path becomes inoperable, it must be restored to operable status within 72 hours or the unit must be placed in HOT SHUTDOWN within the next 6 hours. When two AFW pumps or flow path becomes inoperable, the unit must be placed in HOT STANDBY within ? hours and in HOT SHUTDOWN within the following o hours. When three AFW pumps become inoperable immediate corrective actions must be taken to restore at least one AFW to OPERABLE status as soon as possible.

North Anna Technical Specifications require the Emergency Condensate Storage Tank to be operable with a minimum contained water volume of at least 110,000 gallons.

With the Emergency Condensate Storage Tank inoperable, within 4 hours either the Emergency Condensate Storage Tank is to be returned to OPERABLE status or the 300,000 gallon condensate storage tank is to be demonstrated to be OPERABLE as a backup supply to the AFW system and the Emergency Condensate Storage Tank is to be returned to OPERABLE status within 7 days or the unit is to be placed in HOT SHUTDOWN within 12 hours.

Figure 2.1. North Anna Auxiliary Feedwater System

3 Inspection Guidance for the North Anna AFW System

In this section the risk important components of the North Anna AFW system are identified, and the important failure modes for these components are briefly described. These failure modes include specific human errors, design deficiencies, and types of hardware failures which have been observed to occur for these components, both at North Anna and at PWRs throughout the nuclear industry. The discussions also identify where common cause failures have affected multiple, redundant components. These brief discussions identify specific aspects of system or component design, operation, maintenance, or testing for inspection activities. These activities include observation, records review, training observation, procedures review, or by observation of the implementation of procedures.

Table 3.1 is an abbreviated AFW system walkdown table which identifies risk important components. This table lists the system lineup for normal (standby) system operation. Inspection of the components identified in the AFW system walkdown table addresses essentially all of the risk associated with AFW system operation.

3.1 Risk Important AFW Components and Failure Modes

Common cause failures of multiple pumps are the most risk-important failure modes of AFW system components. These are followed in importance by single pump failures, level control valve failures, and individual check valve leakage failures.

The following sections address each of these failure modes, in decreasing order of risk-importance. They present the important root causes of these component failure modes which have been distilled from historical records. Each item is keyed to discussions in Section 5.2 where additional information on historical events is presented.

3.1.1 Multiple Pump Failures due to Common Cause

The following listing summarizes the most important multiple-pump failure modes identified in Section 5.2.1, Common Cause Failures, and each item is keyed to entries in that section.

  • Incorrect operator intervention into automatic system functioning, including improper manual starting and securing of pumps, has caused failure of all pumps, including overspeed trip on startup, and inability to restart prematurely secured pumps. Control switch mispositioning has caused both of the TDAFW pumps to trip on overspeed. CC1.

  • Valve mispositioning has caused failure of all pumps. Pump suction, steam supply, and instrument isolation valves have been involved. CC2.

  • Steam binding has caused failure of multiple pumps. This resulted from leakage of hot feedwater past check valves and a motor operated valve into a common discharge header. CC10. Multiple-pump steam binding has also resulted from improper valve lineups, and from running a pump deadheaded. CC3.

  • Pump control circuit deficiencies or design modification errors have caused failures of multiple pumps to auto start, spurious pump trips during operation, and failures to restart after pump shutdown. CC4. Incorrect setpoints and control circuit calibrations have also prevented proper operation of multiple pumps. CC5.

  • Loss of a vital power bus has failed both the turbine-driven and one motor-driven pump due to loss of control power to steam admission valves or to turbine controls, and to motor controls powered from the same bus. CC6.

  • Simultaneous startup of multiple pumps has caused oscillations of pump suction pressure causing multiple-pump trips on low suction pressure, despite the existence of adequate static net positive suction head (NPSH). CC7. Design reviews have identified inadequately sized suction piping which could have yielded insufficient NPSH to support operation of more than one pump. CC8.

3.1.2 Turbine Driven Pump Fails to Start or Run

  • Improperly adjusted and inadequately maintained turbine governors have caused pump failures. HE2. Problems include worn or loosened nuts, set screws, linkages or cable connections, oil leaks and/or contamination, and electrical failures of resistors, transistors, diodes and circuit cards, and erroneous grounds and connections. CF5. North Anna has experienced similar failures.

  • Terry turbines with Woodward Model EG governors have been found to overspeed trip if full steam flow is allowed on startup. Sensitivity can be reduced if a startup steam bypass valve is sequenced to open first. DE1.

  • Turbines with Woodward Model PG-PL governors have tripped on overspeed when restarted shortly after shutdown, unless an operator has locally exercised the speed setting knob to drain oil from the governor speed setting cylinder (per procedure). Automatic oil dump valves are now available through Terry. DE4.

  • Condensate slugs in steam lines have caused turbine overspeed trip on startup. Tests repeated right after such a trip may fail to indicate the problem due to warming and clearing of the steam lines. Surveillance should exercise all steam supply connections. DE2.

  • Trip and throttle valve (TTV) problems which have failed the turbine driven pump include physically bumping it, failure to reset it following testing, and failures to verify control room indication of reset. HE2. Whether either the overspeed trip or TTV trip can be reset without resetting the other, indication in the control room of TTV position, and unambiguous local indication of an overspeed trip affect the likelihood of these errors. DE3.

  • Stress corrosion cracking caused failure of the turbine driven pump, allowing the final stage shaft sleeve to rub and eventually become friction welded to the stationary final stage piece of the pump

  • Mispositioning of handswitches and procedural deficiencies have prevented automatic pump start. HE3. North Anna has experienced similar failings.

3.1.3 Motor Driven Pump Fails to Start or Run

  • Control circuits used for automatic and manual pump starting are an important cause of motor driven pump failures, as are circuit breaker failures. CF7. North Anna has experienced similar failures.

  • Mispositioning of handswitches and procedural deficiencies have prevented automatic pump starts. HE3. North Anna has experienced similar failings.

  • Low lubrication oil pressure resulting from heatup due to previous operation has prevented pump restart due to failure to satisfy the protective interlock. DE5.

3.1.4 Pump Unavailable Due to Maintenance or Surveillance

  • Both scheduled and unscheduled maintenance remove pumps from operability. Surveillance requires operation with an altered line up, although a pump train may not be declared inoperable during testing. Prompt scheduling and performance of maintenance and surveillance minimize this unavailability.

3.1.5 Air Operated Valves Fail Closed

Main Steam Admission valves: MS-111A & B
AFW Flow Control Valves: HCV-100A, B & C
AFW Pressure Control Valves: FW-PCV-159A & B

The normally closed air operated Main Steam Admission valves admit steam to the TDAFW turbine. They fail open on loss of Instrument Air. The normally closed AFW HCVs and PCVs fail open on a loss of Instrument Air. Pump runout could occur upon failure of the PCVs open. Failure of the normally closed HCVs (FW-HCV-100A & B) open will allow different flow paths to the SGs if the downstream normally locked closed manual isolation valves are open.

  • Control circuit problems have been a primary cause of failures. CF9. Valve failures have resulted from blown fuses, failure of control components (such as current/pneumatic convertors), broken or dirty contacts, misaligned or broken limit switches, control power loss, and calibration problems. Degraded operation has also resulted from improper air pressure due to the wrong type of air regulator being installed or leaking air lines. North Anna has experienced similar failures.

  • Inadequate air pressure regulation has resulted in control valve failure to operate.

3.1.6 Motor Operated Valves Fail Closed

TDAFW Flow Control valves: FW-MOV-100A, B & C
TDAFW Pump Discharge Isolation: FW-MOV-100D

The TDAFW Flow Control valves are used to control SG level. FW-MOV-100B is normally open and fails "As-Is". FW-MOV-100A & C are normally closed and also fail "As-Is" and are only used during off normal conditions. The TDAFW pump discharge isolation valve is normally open and is used to isolate AFW to the SGs.

  • Common cause failure of MOVs has occurred from failure to use electrical signature tracing equipment to determine proper settings of torque switch and torque switch bypass switches. Failure to calibrate switch settings for high torques necessary under design basis accident conditions has also been involved. CC11. North Anna has experienced similar failures.

  • Valve motors have been failed due to lack of, or improper sizing or use of, thermal overload protective devices. Bypassing and oversizing should be based on proper engineering for design basis conditions. CF4. North Anna has experienced similar failures.

  • Out-of-adjustment electrical flow controllers have caused improper discharge valve operation, affecting multiple trains of AFW. CC12.

  • Grease trapped in the torque switch spring pack of the operators of MOVs has caused motor burnout or thermal overload trip by preventing torque switch actuation. CF8.

  • Manually reversing the direction of motion of operating MOVs has overloaded the motor circuit. Operating procedures should provide cautions, and circuit designs may prevent reversal before each stroke is finished. DE7.

  • Space heaters designed for pre-operation storage have been found wired in parallel with valve motors which had not been environmentally qualified with them present. DE7

  • Multiple flow control valves have been plugged by clams when suction switched automatically to an alternate, untreated source. CC9.

  • Leakage of hot feedwater through check valves has caused thermal binding of normally closed flow control MOVs. AOVs may be similarly susceptible. CF2.

3.1.7 Manual Suction or Discharge Valves Fail Closed

TDAFW Pump Train: M-143: FW 278
MDAFW Pumps: FW-6& FW-173: FW-184c FW-93. FW 172. FW-128

These manual valves are normally locked open. For each train, closure of the first valves would block pump suction and closure of the second valves would block pump discharge.

i inspection Guidance

  • Valve mispositioning has resulted in failures of multiple trains of AFW. CC2. It has also been the dominant cause of problems identified during operational readiness inspections. HE1. Events have occurred most often during maintenance, calibration, or system modifications. Important causes of mispositioning include:

    • Failure to provide complete, clear, and specific procedures for tasks and system restoration

    • Failure to promptly revise and validate procedures, training, and diagrams following system modifications

    • Failure to complete all steps in a procedure

    • Failure to adequately review uncompleted procedural steps after task completion

    • Failure to verify support functions after restoration

    • Failure to adhere scrupulously to administrative procedures regarding tagging, control and tracking of [illegible]

    • Failure to log the manipulation of sealed valves

    • Failure to follow good practices of written task assignment and feedback of task completion information

    • Failure to provide easily read system drawings, legible valve labels corresponding to drawings and procedures, and labeled indications of local valve position

3.1.8 Leakage of Hot Feedwater through Check Valves

MDAFW Pump FW-P-3A: FW-165, FW-127, FW-132, FW-63, FW-95
MDAFW Pump FW-P-3B: FW-183, FW-93, FW-100, FW-61, FW-125
TDAFW Pump: FW-148, FW-279, FW-68

  • Leakage of hot feedwater through several check valves in series has caused steam binding of multiple pumps. Leakage through a closed level control valve in series with check valves has also occurred, as would be required for leakage to reach the motor driven or turbine driven pumps. CC10. North Anna has experienced leaking check valves.

  • Slow leakage past the final check valve of a series may not force the check valve closed. Other check valves in series may leak similarly. Piping orientation and valve design are important factors in [illegible]

3.2 Risk Important AFW System Walkdown Table

Table 3.1 presents an AFW system walkdown table including only components identified as risk important. This information allows inspectors to concentrate their efforts on components important to prevention of core damage. However, it is essential to note that inspections should not focus exclusively on these components. Other components which perform essential functions must also be addressed to ensure that their risk importances are not increased. An example would include ensuring an adequate water level in the CST exists.


Table 3.1. Risk Important AFW System Walkdown Table for North Anna AFW System Components

| Component Number | Component Name | Required Position | Actual Position |
|---|---|---|---|
| Electrical | | | |
| FW-P-3A | Motor Driven Pump | Racked In/Closed | |
| FW-P-3B | Motor Driven Pump | Racked In/Closed | |
| Valves | | | |
| FW-545 | Full Flow Recirc Line Isolation to ECST | Locked Closed | |
| FW-142 | Condensate Inlet to ECST | Locked Closed | |
| FW-193 | Inlet Isolation for Recirc to ECST | Locked Open | |
| FW-143 | Suction Valve to FW-P-2 | Locked Open | |
| FW-160 | Suction Valve to FW-P-3A | Locked Open | |
| FW-173 | Suction Valve to FW-P-3B | Locked Open | |
| FW-180 | Suction Valve to Pump P-3A from Firemain | Locked Closed | |
| FW-175 | Isolation Valve from Firemain to AFW pumps | Locked Closed | |
| FW-162 | Suction Valve to Pump P-3B from Firemain | Locked Closed | |
| FW-145 | Suction Valve to FW-P-2 from Firemain | Locked Closed | |
| FW-227 | Isolation Valve for Service Water to AFW pumps | Locked Closed | |
| FW-190 | Discharge valve for FW-P-3B to HCV header | Locked Closed | |
| FW-184 | Discharge valve for FW-P-3B to MOV header | Locked Open | |
| FW-546 | FW-P-3B full flow Recirc isolation | Locked Closed | |
| FW-172 | Discharge valve for FW-P-3A to HCV header | Locked Open | |
| FW-166 | Discharge valve for FW-P-3A to MOV header | Locked Closed | |
| FW-548 | FW-P-3A full flow Recirc isolation | Locked Closed | |
| FW-155 | Discharge valve for FW-P-2 to HCV header | Locked Closed | |
| FW-149 | Discharge valve for FW-P-2 to MOV header | Locked Closed | |
| PCV-159A | Pressure Control Valve on MOV header | Set 900 psig | |
| PCV-159B | Pressure Control Valve on HCV header | Set 900 psig | |
| FW-62 | Isolation valve downstream of FW-MOV-100A | Locked Closed | |
| FW-64 | Isolation valve downstream of FW-HCV-100A | Locked Closed | |
| MOV-100A | MOV on AFW header RC-E-1A | Closed | |
| HCV-100A | HCV on AFW header RC-E-1A | Closed | |
| FW-94 | Isolation valve downstream of MOV-100B | Locked Open | |
| FW-96 | Isolation valve downstream of HCV-100B | Locked Closed | |
| MOV-100B | MOV on AFW header RC-E-1B | Open | |
| HCV-100B | HCV on AFW header RC-E-1B | Closed | |
| FW-126 | Isolation valve downstream of FW-MOV-100C | Locked Closed | |
| FW-128 | Isolation valve downstream of FW-HCV-100C | Locked Open | |
| MOV-100C | MOV on AFW header RC-E-1C | Closed | |
| HCV-100C | HCV on AFW header RC-E-1C | Open | |
| FW-543 | FW-P-2 full Recirc isolation | Locked Closed | |
| MOV-100D | AFW header MOV to RC-E-1A, SO A | Open | |
| FW-278 | MOV-100D isolation valve | Locked Open | |
| FW-68 | Piping upstream of check valve | Cool | |
| FW-100 | Piping upstream of check valve | Cool | |
| FW-132 | Piping upstream of check valve | Cool | |
| FW-61 | Piping upstream of check valve | Cool | |
| FW-63 | Piping upstream of check valve | Cool | |
| FW-93 | Piping upstream of check valve | Cool | |
| FW-95 | Piping upstream of check valve | Cool | |
| FW-125 | Piping upstream of check valve | Cool | |
| FW-127 | Piping upstream of check valve | Cool | |
| FW-279 | Piping upstream of check valve | Cool | |
| Control Board Indicators | | | |
| | AFW Pumps Pull to lock | | |
| | ECST Level | >91.4% | |


4 Generic Risk Insights from PRAs

PRAs for 13 PWRs were analyzed to identify risk-important accident sequences involving loss of AFW, to identify and risk-prioritize the component failure modes involved. The results of this analysis are described in this section. They are consistent with results reported by INEL and BNL (Gregg et al. 1988, and Travis et al. 1988).

4.1 Risk Important Accident Sequences Involving AFW System Failure

Loss of Power System

  • A loss of offsite power and main feedwater is followed by failure of AFW. Due to lack of actuating power, the power operated relief valves (PORVs) cannot be opened, preventing adequate feed-and-bleed cooling, and resulting in core damage.

  • A station blackout fails all AC power except Vital AC from DC inverters, and all decay heat removal systems except the turbine-driven AFW pump. AFW subsequently fails due to battery depletion or hardware failures, resulting in core damage.

  • A DC bus fails, causing a trip and failure of the power conversion system. One AFW motor-driven pump is failed by the bus loss, and the turbine-driven pump fails due to loss of turbine or valve control power. AFW is subsequently lost completely due to other failures. Feed-and-bleed cooling fails because PORV control is lost, resulting in core damage.

Transient-Caused Reactor or Turbine Trip

  • A transient-caused trip is followed by a loss of the power conversion system (PCS), main feedwater, and AFW. Feed-and-bleed cooling fails either due to failure of the operator to initiate it, or due to hardware failures, resulting in core damage.

Loss of Main Feedwater

  • A feedwater line break drains the common water source for MFW and AFW. The operators fail to provide feedwater from other sources, and fail to initiate feed-and-bleed cooling, resulting in core damage.

  • A loss of main feedwater trips the plant, and AFW fails due to operator error and hardware failures. The operators fail to initiate feed-and-bleed cooling, resulting in core damage.

Steam Generator Tube Rupture (SGTR)

  • A SGTR is followed by failure of AFW. Coolant is lost from the primary until the refueling water storage tank (RWST) is depleted. High pressure injection (HPI) fails since recirculation cannot be established from the empty sump, and core damage results.

4.2 Risk Important Component Failure Modes

The generic component failure modes identified from PRA analyses as important to AFW system failure are listed below in decreasing order of risk importance.

1. Turbine-Driven Pump Failure to Start or Run.

2. Motor-Driven Pump Failure to Start or Run.

3. TDAFW pump or MDAFW pump Unavailable due to Test or Maintenance.

4. AFW System Valve Failures

  • steam admission valves
  • trip and throttle valves
  • flow control valves
  • pump discharge valves
  • pump suction valves
  • valves in testing or maintenance.

5. Supply/Suction Sources

  • condensate storage tank stop valve
  • hot well inventory
  • suction valves.

In addition to individual hardware, circuit, or instrument failures, each of these failure modes may result from common causes and human errors. Common cause failures of AFW pumps are particularly risk important. Valve failures are somewhat less important due to the multiplicity of steam generators and connection paths. Human errors of greatest risk importance involve: failures to initiate or control system operation when required; failure to restore proper system lineup after maintenance or testing; and failure to switch to alternate sources when required.


5 Failure Modes Determined from Operating Experience

This section describes the primary root cause of AFW system component failures, as determined from a review of operating histories at North Anna and at other PWRs throughout the nuclear industry. Section 5.1 describes experience at North Anna from 1978 through 19(XI. Section 5.2 summarizes information compiled from a variety of NRC sources, including AEOD analyses and reports, information notices, inspection and enforcement bulletins, and generic letters, and from a variety of INPO reports as well. Some Licensee Event Reports and NPRDS event descriptions were also reviewed individually. Finally, information was included from reports of NRC-sponsored studies of the effects of plant aging, which include quantitative analysis of AFW system failure reports. This information was used to identify the various root causes expected for the broad PRA-based failure events identified in Section 4.0, resulting in the inspection guidelines presented in Section 7.0.

5.1 North Anna Experience

The AFW system at North Anna has experienced failures of the AFW pumps and pump governors, pump discharge isolation valves, turbine trip and throttle valves, and system check valves. Failure modes include electrical, instrumentation and control, hardware failures, and human errors.

5.1.1 Multiple Pump Failures

There has been an incidence of entering Mode 3 with all AFW pumps incapable of automatic starts. The steam supply valves for the TDAFW pump were in the close position and the MDAFW pumps were in the pull-to-lock position.

5.1.2 Motor Driven Pump Failures

There have been approximately fourteen events of motor driven pump failures. One resulted in a trip of a MDAFW pump from overcurrent. MDAFW pumps have failed to start due to instrument and control circuit failures. Failure modes have been due to oil seal adjustments, packing leaks, normal wear and aging, dirty contacts, foreign material in the oil system, and system design deficiencies.

5.1.3 Turbine Driven Pump Failures

Approximately twenty events have occurred that have resulted in decreased operational readiness of the AFW system. Failure modes involved instrumentation and control circuits, pump hardware failures, turbine hardware failures, mechanical wear, system design deficiencies, procedural deficiencies, and human failures during maintenance activities. Improper or inadequate maintenance has resulted in improper adjustment of governor settings, and steam leaks have caused isolation of the TDAFW pump.

5.1.4 Flow Control and Isolation Valve Failures

Approximately forty-five events have resulted in impaired operational readiness of the air operated and motor operated isolation valves. Principal failure causes were equipment wear, corrosion, instrumentation and control circuit failures, instrument drift, moisture in instrument and control circuits, valve hardware failures, valve wear, and human errors. Valves have failed to operate properly due to failure of control components, contamination and corrosion products in the instrument air system, broken or dirty contacts, torque switch settings, defective torque switches, debris in the system, and calibration problems. Human errors have resulted in introduction of water to the instrument and control circuits, improper control circuit repairs, limit switch adjustment, valve regulator adjustment, and packing leaks.

5.1.5 Check Valve Failures

Approximately eleven events of check valve failure have occurred. The failure mode cited was normal wear and aging, dirty components, missing components, and improper or inadequate maintenance.

5.1.6 Human Errors

There has been one event affecting the AFW system. Personnel have inadvertently tripped a pump during positioning of control switches.

5.2 Industry Wide Experience

Human errors, design/engineering problems and errors, and component failures are the primary root causes of AFW System failures identified in a review of industry wide system operating history. Common cause failures, which disable more than one train of this operationally redundant system, are highly risk significant, and can result from all of these causes.

This section identifies important common cause failure modes, and then provides a broader discussion of the single failure effects of human errors, design/engineering problems and errors, and component failures. Paragraphs presenting details of these failure modes are coded (e.g., CC1) and cross-referenced by inspection items in Section 3.

5.2.1 Common Cause Failures

The dominant cause of AFW system multiple-train failures has been human error. Design/engineering errors and component failures have been less frequent, but nevertheless significant, causes of multiple train failures.

CC1. Human error in the form of incorrect operator intervention into automatic AFW system functioning during transients resulted in the temporary loss of all safety-grade AFW pumps during events at Davis-Besse (NUREG-1154, 1985) and Trojan (AEOD/T416, 1983). In the Davis-Besse event, improper manual initiation of the steam and feedwater rupture control system (SFRCS) led to overspeed tripping of both turbine-driven AFW pumps, probably due to the introduction of condensate into the AFW turbines from the long, unheated steam supply lines. (The system had never been tested with the abnormal, cross-connected steam supply lineup which resulted.) In the Trojan event the operator incorrectly stopped both AFW pumps due to misinterpretation of MFW pump speed indication. The diesel driven pump would not restart due to a protective feature requiring complete shutdown, and the turbine-driven pump tripped on overspeed, requiring local reset of the trip and throttle valve. In cases where manual intervention is required during the early stages of a transient, training should emphasize that actions should be performed methodically and deliberately to guard against such errors.

CC2. Valve mispositioning has accounted for a significant fraction of the human errors failing multiple trains of AFW. This includes closure of normally open suction [illegible] sensors having control functions. Incorrect handswitch positioning and inadequate temporary wiring changes have also prevented automatic starts of multiple pumps. [illegible] checklists, weak administrative control of tagging, restoration, independent verification, and locked valve logging, and inadequate adherence to procedures. Illegible or confusing local valve labeling, and insufficient training in [illegible] mask mispositioning, and surveillance which does not exercise complete system functioning may not reveal mispositionings.

CC3. At ANO-2, both AFW pumps lost suction due to steam binding when they were lined up to both the CST and the hot startup/blowdown demineralizer effluent (AEOD/C404, 1984). At Zion-1 steam created by running the turbine-driven pump deadheaded for one minute caused trip of a motor-driven pump sharing the same inlet header, as well as damage to the turbine-driven pump (Region 3 Morning Report, 1/17b0F Both events were caused by procedural inadequacies.

CC4. Design/engineering errors have accounted for a smaller, but significant fraction of common cause failures. Problems with control circuit design modifications at Farley defeated AFW pump auto-start on loss of main feedwater. At Zion-2, restart of both motor driven pumps was blocked by circuit failure to deenergize when the pumps had been tripped with an automatic start signal present (IN 82-01, 1982). In addition, AFW control circuit design reviews at Salem and Indian Point have identified designs where failures of a single component could have failed all or multiple pumps (IN 87-34, 1987).

CC5. Incorrect setpoints and control circuit settings resulting from analysis errors and failures to update procedures have also prevented pump start and caused pumps to trip spuriously. Errors of this type may remain undetected despite surveillance testing, unless surveillance tests model all types of system initiation and operating conditions. A greater fraction of instrumentation and control circuit problems has been identified during actual system operation (as opposed to surveillance testing) than for other types of failures.

CC6. On two occasions at a foreign plant, failure of a balance-of-plant inverter caused failure of two AFW pumps. In addition to loss of the motor driven pump whose auxiliary start relay was powered by the inverter, the turbine driven pump tripped on overspeed because the governor valve opened, allowing full steam flow to the turbine. This illustrates the importance of assessing the effects of failures of balance of plant equipment which supports the operation of critical components. The instrument air system is another example of such a system.

CC7. Multiple AFW pump trips have occurred at Millstone-3, Cook-1, Trojan and Zion-2 (IN 87-53, 1987) caused by brief, low pressure oscillations of suction pressure during pump startup. These oscillations occurred despite the availability of adequate static NPSH. Corrective actions taken include: extending the time delay associated with the low pressure trip, removing the trip, and replacing the trip with an alarm and operator action.

CC8. Design errors discovered during AFW system reanalysis at the Robinson plant (IN 89-30, 1989) and at Millstone-1 resulted in the supply header from the CST being too small to provide adequate NPSH to the pumps if more than one of the three pumps were operating at rated flow conditions. This could lead to multiple pump failure due to cavitation. Subsequent reviews at Robinson identified a loss of feedwater transient in which inadequate NPSH and flows less than design values had occurred, but which were not recognized at the time. Event analysis and equipment trending, as well as surveillance testing which duplicates service conditions as much as is practical, can help identify such design errors.

CC9. Asiatic clams caused failure of two AFW flow control valves at Catawba-2 when low suction pressure caused by starting of a motor-driven pump caused suction source realignment to the Nuclear Service Water system. Pipes had not been routinely treated to inhibit clam growth, not regularly monitored to detect their presence, and no strainers were installed. The need for surveillance which exercises alternative system operational modes, as well as complete system functioning, is emphasized by this event. Spurious suction switchover has also occurred at Callaway and at McGuire, although no failures resulted.

CC10. Common cause failures have also been caused by component failures (AEOD/C404, 1984). At Surry-2, both the turbine driven pump and one motor driven pump were declared inoperable due to steam binding caused by backleakage of hot water through multiple check valves. At Robinson-2 both motor driven pumps were found to be hot, and both motor and steam driven pumps were found to be inoperable at different times. Backleakage at Robinson-2 passed through closed motor-operated isolation valves in addition to multiple check valves. At Farley, both motor and turbine driven pump casings were found hot, although the pumps were not declared inoperable. In addition to multi-train failures, numerous incidents of single train failures have occurred, resulting in the designation of "Steam Binding of Auxiliary Feedwater Pumps" as Generic Issue 93. This generic issue was resolved by Generic Letter 88-03 (Miraglia, 1988), which required licensees to monitor AFW piping temperatures each shift, and to maintain procedures for recognizing steam binding and for restoring system operability.

CC11. Common cause failures have also failed motor-operated valves. During the total loss of feedwater event at Davis-Besse, the normally-open AFW isolation valves failed to open after they were inadvertently closed. The failure was due to improper setting of the torque switch bypass switch, which prevents motor trip on the high torque required to unseat a closed valve. Previous problems with these valves had been addressed by increasing the torque switch trip setpoint - a fix which failed during the event due to the higher torque required due to high differential pressure across the valve. Similar common mode failures of MOVs have also occurred in other systems, resulting in issuance of Generic Letter 89-10, "Safety Related Motor-Operated Valve Testing and Surveillance (Partlow, 1989)." This generic letter requires licensees to develop and implement a program to provide for the testing, inspection and maintenance of all safety-related MOVs to provide assurance that they will function when subjected to design basis conditions.

CC12. Other component failures have also resulted in AFW multi-train failures. These include out-of-adjustment electrical flow controllers resulting in improper discharge valve operation, and a failure of oil cooler cooling water supply valves to open due to silt accumulation.

5.2.2 Human Errors

HE1. The overwhelmingly dominant cause of problems identified during a series of operational readiness evaluations of AFW systems was human performance. The majority of these human performance problems resulted from incomplete and incorrect procedures, particularly with respect to valve lineup information. A study of valve mispositioning events involving human error identified failures in administrative control of tagging and logging, procedural compliance and completion of steps, verification of support systems, and inadequate procedures as important. Another study found that valve mispositioning events occurred most often during maintenance, calibration, or modification activities. Insufficient training in determining valve position, and in administrative requirements for controlling valve positioning were important causes, as was oral task assignment without task completion feedback.

HE2. Turbine driven pump failures have been caused by human errors in calibrating or adjusting governor speed control, poor governor maintenance, incorrect adjustment of governor valve and overspeed trip linkages, and errors associated with the trip and throttle valve. TTV-associated errors include physically bumping it, failure to restore it to the correct position after testing, and failures to verify control room indication of TTV position following actuation.

HE3. Motor driven pumps have been failed by human errors in mispositioning handswitches, and by procedural deficiencies.

5.2.3 Design/Engineering Problems and Errors

DE1. As noted above, the majority of AFW subsystem failures, and the greatest relative system degradation, has been found to result from turbine-driven pump failures. Overspeed trips of Terry turbines controlled by Woodward governors have been a significant source of these failures (AEOD/C602, 1986). In many cases these overspeed trips have been caused by slow response of a Woodward Model EG governor on startup, at plants where full steam flow is allowed immediately. This oversensitivity has been removed by installing a startup steam bypass valve which opens first, allowing a controlled turbine acceleration and buildup of oil pressure to control the governor valve when full steam flow is admitted.

DE2. Overspeed trips of Terry turbines have been caused by condensate in the steam supply lines. Condensate slows down the turbine, causing the governor valve to open farther, and overspeed results before the governor valve can respond, after the water slug clears. This was determined to be the cause of the loss-of-all-AFW event at Davis-Besse (AEOD/602, 1986), with condensation enhanced due to the long length of the cross-connected steam lines. Repeated tests following a cold-start trip may be successful due to system heat up.

DE3. Turbine trip and throttle valve (TTV) problems are a significant cause of turbine driven pump failures (IN 84-66). In some cases lack of TTV position indication in the control room prevented recognition of a tripped TTV. In other cases it was possible to reset either the overspeed trip or the TTV without resetting the other. This problem is compounded by the fact that the position of the overspeed trip linkage can be misleading, and the mechanism may lack labels indicating when it is in the tripped position (AEOD/C602, 1986).

DE4. Startup of turbines with Woodward Model PG-PL governors within 30 minutes of shutdown has resulted in overspeed trips when the speed setting knob was not exercised locally to drain oil from the speed setting cylinder. Speed control is based on startup with an empty cylinder. Problems have involved turbine rotation due to both procedure violations and leaking steam.

Terry has marketed two types of dump valves for automatically draining the oil after shutdown (AEOD/C602, 1986).

At Calvert Cliffs, a 1987 loss-of-offsite-power event required a quick, cold startup that resulted in turbine trip due to PG-PL governor stability problems. The short-term corrective action was installation of stiffer buffer springs (IN 88-09, 1988). Surveillance had always been preceded by turbine warmup, which illustrates the importance of testing which duplicates service conditions as much as is practical.

DE5. Reduced viscosity of gear box oil heated by prior operation caused failure of a motor driven pump to start due to insufficient lube oil pressure. Lowering the pressure switch setpoint solved the problem, which had not been detected during testing.

DE6. Waterhammer at Palisades resulted in AFW line and hanger damage at both steam generators. The AFW spargers are located at the normal steam generator level, and are frequently covered and uncovered during level fluctuations. Waterhammers in top-feed-ring steam generators resulted in main feedline rupture at Maine Yankee and feedwater pipe cracking at Indian Point-2 (IN 84-32, 1984).

DE7. Manually reversing the direction of motion of an operating valve has resulted in MOV failures where such loading was not considered in the design (AEOD/C603, 1986). Control circuit design may prevent this, requiring stroke completion before reversal.

DE8. At each of the units of the South Texas Project, space heaters provided by the vendor for use in pre-installation storage of MOVs were found to be wired in parallel to the Class 1E 125 V DC motors for several AFW valves (IR 50-489/89-11; 50-499/89-11, 1989). The valves had been environmentally qualified, but not with the non-safety-related heaters energized.

5.2.4 Component Failures

Generic Issue II.E.6.1, "In Situ Testing Of Valves" was divided into four sub-issues (Beckjord, 1989), three of which relate directly to prevention of AFW system component failure. At the request of the NRC, in-situ testing of check valves was addressed by the nuclear industry, resulting in the EPRI report, "Application Guidelines for Check Valves in Nuclear Power Plants (Brooks, 1988)." This extensive report provides information on check valve applications, limitations, and inspection techniques. In-situ testing of MOVs was addressed by Generic Letter 89-10, "Safety Related Motor-Operated Valve Testing and Surveillance" (Partlow, 1989) which requires licensees to develop and implement a program for testing, inspection and maintenance of all safety-related MOVs. "Thermal Overload Protection for Electric Motors on Safety-Related Motor-Operated Valves - Generic Issue II.E.6.1 (Rothberg, 1988)" concludes that valve motors should be thermally protected, yet in a way which emphasizes system function over protection of the operator.

CF1. The common-cause steam binding effects of check valve leakage were identified in Section 5.2.1, entry CC10. Numerous single-train events provide additional insights into this problem. In some cases leakage of hot MFW past multiple check valves in series has occurred because adequate valve-seating pressure was limited to the valves closest to the steam generators (AEOD/C404, 1984). At Robinson, the pump shutdown procedure was changed to delay closing the MOVs until after the check valves were seated. At Farley, check valves were changed from swing type to lift type. Check valve rework has been done at a number of plants. Different valve designs and manufacturers are involved in this problem, and recurring leakage has been experienced, even after repair and replacement.

CF2. At Robinson, heating of motor operated valves by check valve leakage has caused thermal binding and failure of AFW discharge valves to open on demand. At Davis-Besse, high differential pressure across AFW injection valves resulting from check valve leakage has prevented MOV operation (AEOD/C6(G, 1986).

CF3. Gross check valve leakage at McGuire and Robinson caused overpressurization of the AFW suction piping. At a foreign PWR it resulted in a severe waterhammer event. At Palo Verde-2 the MFW suction piping was overpressurized by check valve leakage from the AFW system (AEOD/C404, 1984). Gross check valve leakage through idle pumps represents a potential diversion of AFW pump flow.

CF4. Roughly one third of AFW system failures have been due to valve operator failures, with about equal failures for MOVs and AOVs. Almost half of the MOV failures were due to motor or switch failures (Casada, 1989). An extensive study of MOV events (AEOD/C603, 1986) indicates continuing inoperability problems caused by: torque switch/limit switch settings, adjustments, or failures; motor burnout; improper sizing or use of thermal overload devices; premature degradation related to inadequate use of protective devices; damage due to misuse (valve throttling, valve operator hammering); mechanical problems (loosened parts, improper assembly); or the torque switch bypass circuit improperly installed or adjusted. The study concluded that current methods and procedures at many plants are not adequate to assure that MOVs will operate when needed under credible accident conditions. Specifically, a surveillance test which the valve passed might result in undetected valve inoperability due to component failure (motor burnout, operator parts failure, stem disc separation) or improper positioning of protective devices (thermal overload, torque switch, limit switch). Generic Letter 89-10 (Partlow, 1989) has subsequently required licensees to implement a program ensuring that MOV switch settings are maintained so that the valves will operate under design basis conditions for the life of the plant.

CF5. Component problems have caused a significant number of turbine driven pump trips (AEOD/C602, 1986). One group of events involved worn tappet nut faces, loose cable connections, loosened set screws, improperly latched TTVs, and improper assembly. Another involved oil leaks due to component or seal failures, and oil contamination due to poor maintenance activities. Governor oil may not be shared with turbine lubrication oil, resulting in the need for separate oil changes. Electrical component failures included transistor or resistor failures due to moisture intrusion, erroneous grounds and connections, diode failures, and a faulty circuit card.

CF6. Electrohydraulic-operated discharge valves have performed very poorly, and three of the five units using them have removed them due to recurrent failures. Failures included oil leaks, contaminated oil, and hydraulic pump failures.

CF7. Control circuit failures were the dominant source of motor driven AFW pump failures (Casada, 1989). This includes the controls used for automatic and manual starting of the pumps, as opposed to the instrumentation inputs. Most of the remaining problems were due to circuit breaker failures.

CF8. "Hydraulic lockup" of Limitorque SMB spring packs has prevented proper spring compression to actuate the MOV torque switch, due to grease trapped in the spring pack. During a surveillance at Trojan, failure of the torque switch to trip the TTV motor resulted in tripping of the thermal overload device, leaving the turbine driven pump inoperable for 40 days until the next surveillance (AEOD/E702, 1987). Problems result from grease changes to EXXON NEBULA EP-0 grease, one of only two greases considered environmentally qualified by Limitorque. Due to lower viscosity, it slowly migrates from the gear case into the spring pack. Grease changeover at Vermont Yankee affected 40 of the older MOVs of which 32 were safety related. Grease relief kits are needed for MOV operators manufactured before 1975. At Limerick, additional grease relief was required for MOVs manufactured since 1975. MOV refurbishment programs may yield other changeovers to EP-0 grease.

CF9. For AFW systems using air operated valves, almost half of the system degradation has resulted from failures of the valve controller circuit and its instrument inputs (Casada, 1989). Failures occurred predominantly at a few units using automatic electronic controllers for the flow control valves, with the majority of failures due to electrical hardware. At Turkey Point-3, controller malfunction resulted from water in the Instrument Air system due to maintenance inoperability of the air dryers.

CF10. For systems using diesel driven pumps, most of the failures were due to start control and governor speed control circuitry. Half of these occurred on demand, as opposed to during testing (Casada, 1989).

CF11. For systems using AOVs, operability requires the availability of Instrument Air, backup air, or backup nitrogen. However, NRC Maintenance Team Inspections have identified inadequate testing of check valves isolating the safety-related portion of the IA system at several utilities (Letter, Roe to Richardson). Generic Letter 88-14 (Miraglia, 1988) requires licensees to verify by test that air-operated safety-related components will perform as expected in accordance with all design-basis events, including a loss of normal IA.


6 References

Beckjord, E. S. June 30, 1989. Closeout of Generic Issue II.E.6.1, "In Situ Testing of Valves". Letter to V. Stello, Jr., U.S. Nuclear Regulatory Commission, Washington, DC.

Brooks, B. P. 1988. Application Guidelines for Check Valves in Nuclear Power Plants. NP-5479, Electric Power Research Institute, Palo Alto, California.

Casada, D. A. 1989. Auxiliary Feedwater System Aging Study. Volume 1. Operating Experience and Current Monitoring Practices. NUREG/CR-5404. U.S. Nuclear Regulatory Commission, Washington, DC.

Gregg, R. E. and R. E. Wright. 1988. Appendix Review for Dominant Generic Contributors. BLB-31-88. Idaho National Engineering Laboratory, Idaho Falls, Idaho.

Miraglia, F. J. February 17, 1988. Resolution of Generic Safety Issue 93, "Steam Binding of Auxiliary Feedwater Pumps" (Generic Letter 88-03). U.S. Nuclear Regulatory Commission, Washington, DC.

Miraglia, F. J. August 8, 1988. Instrument Air Supply System Problems Affecting Safety-Related Equipment (Generic Letter 88-14). U.S. Nuclear Regulatory Commission, Washington, DC.

Partlow, J. G. June 28, 1989. Safety-Related Motor-Operated Valve Testing and Surveillance (Generic Letter 89-10). U.S. Nuclear Regulatory Commission, Washington, DC.

Rothberg, O. June 1988. Thermal Overload Protection for Electric Motors on Safety-Related Motor-Operated Valves - Generic Issue II.E.6.1. NUREG-1206. U.S. Nuclear Regulatory Commission, Washington, DC.

Travis, R. and J. Taylor. 1989. Development of Guidance for Generic, Functionally Oriented PRA-Based Team Inspections for BWR Plants - Identification of Risk-Important Systems, Components and Human Actions. TLR-A-3874-T6A. Brookhaven National Laboratory, Upton, New York.

AEOD Reports

AEOD/C404. W. D. Lanning. July 1984. Steam Binding of Auxiliary Feedwater Pumps. U.S. Nuclear Regulatory Commission, Washington, DC.

AEOD/C602. C. Hsu. August 1986. Operational Experience Involving Turbine Overspeed Trips. U.S. Nuclear Regulatory Commission, Washington, DC.

AEOD/C603. E. J. Brown. December 1986. A Review of Motor-Operated Valve Performance. U.S. Nuclear Regulatory Commission, Washington, DC.

AEOD/E702. E. J. Brown. March 19, 1987. MOV Failure Due to Hydraulic Lockup From Excessive Grease in Spring Pack. U.S. Nuclear Regulatory Commission, Washington, DC.

AEOD/T416. January 22, 1983. Loss of ESF Auxiliary Feedwater Pump Capability at Trojan on January 22, 1983. U.S. Nuclear Regulatory Commission, Washington, DC.

Information Notices

IN 82-01. January 22, 1982. Auxiliary Feedwater Pump Lockout Resulting from Westinghouse W-2 Switch Circuit Modification. U.S. Nuclear Regulatory Commission, Washington, DC.

IN 84-32. E. L. Jordan. April 18, 1984. Auxiliary Feedwater Sparger and Pipe Hangar Damage. U.S. Nuclear Regulatory Commission, Washington, DC.

IN 84-66. August 17, 1984. Undetected Unavailability of the Turbine-Driven Auxiliary Feedwater Train. U.S. Nuclear Regulatory Commission, Washington, DC.

IN 87-34. C. E. Rossi. July 24, 1987. Single Failures in Auxiliary Feedwater Systems. U.S. Nuclear Regulatory Commission, Washington, DC.

IN 87-53. C. E. Rossi. October 20, 1987. Auxiliary Feedwater Pump Trips Resulting from Low Suction Pressure. U.S. Nuclear Regulatory Commission, Washington, DC.

IN 88-09. C. E. Rossi. March 18, 1988. Reduced Reliability of Steam-Driven Auxiliary Feedwater Pumps Caused by Instability of Woodward PG-PL Type Governors. U.S. Nuclear Regulatory Commission, Washington, DC.

IN 89-30. R. A. Azua. August 16, 1989. Robinson Unit 2 Inadequate NPSH of Auxiliary Feedwater Pumps. Also, Event Notification 16375, August 22, 1989. U.S. Nuclear Regulatory Commission, Washington, DC.

Inspection Report

IR 50-489/89-11; 50-499/89-11. May 26, 1989. South Texas Project Inspection Report. U.S. Nuclear Regulatory Commission, Washington, DC.

NUREG Report

NUREG-1154. 1985. Loss of Main and Auxiliary Feedwater Event at the Davis Besse Plant on June 9, 1985. U.S. Nuclear Regulatory Commission, Washington, DC.


Distribution

No. of Copies

OFFSITE

10 U.S. Nuclear Regulatory Commission

B. K. Grimes, OWFN 9 A2

F. Congel, OWFN 10 E4

H. DerLow, OWFN 14 H2O

W. Berkner, OWFN 10 A2

A. El Bassioni, OWFN 10 A2

E. Imbro, OWFN 9 A1

S. M. Long, OWFN 10 A2

K. Campe, OWFN 1 A2

J. Chung (10), OWFN 10 A2

B. Thomas, OWFN 12 H26

2 U.S. Nuclear Regulatory Commission - Region 1

C. Hehl

W. F. Kane

2 U.S. Nuclear Regulatory Commission - Region 2

L. Reyes

A. Herdt

4 North Anna Resident Inspector Office

J. H. Taylor, Brookhaven National Laboratory, Bldg. 130, Upton, NY 11973

R. Travis, Brookhaven National Laboratory, Bldg. 130, Upton, NY 11973

R. Gregg, EG&G Idaho, Inc., P.O. Box 1625, Idaho Falls, ID 83415

Dr. D. R. Edwards, Professor of Nuclear Engineering, University of Missouri-Rolla, Rolla, MO 65401

ONSITE

27 Pacific Northwest Laboratory

S. R. Doctor

L. R. Dodd

B. F. Gore (10)

N. E. Moffitt

J. R. Nickolaus (5)

B. D. Shipp

F. A. Simonen

T. V. Vo

Publishing Coordination

Technical Report File (5)

BIBLIOGRAPHIC DATA SHEET

1. REPORT NUMBER: NUREG/CR-5837

2. TITLE AND SUBTITLE: Auxiliary Feedwater System Risk-Based Inspection Guide for the North Anna Nuclear Power Plants

3. DATE REPORT PUBLISHED: October 1992

4. FIN OR GRANT NUMBER: L1310

5. AUTHOR(S): J. R. Nickolaus, N. E. Moffitt, B. F. Gore, T. V. Vo

7. PERIOD COVERED: 12/91 to 8/92

8. PERFORMING ORGANIZATION - NAME AND ADDRESS: Pacific Northwest Laboratory, Richland, WA 99352

9. SPONSORING ORGANIZATION - NAME AND ADDRESS: Division of Radiation Protection and Emergency Preparedness, Office of Nuclear Reactor Regulation, U.S. Nuclear Regulatory Commission, Washington, D.C. 20555

10. SUPPLEMENTARY NOTES

11. ABSTRACT (200 words or less)

In a study sponsored by the U.S. Nuclear Regulatory Commission (NRC), Pacific Northwest Laboratory has developed and applied a methodology for deriving plant-specific risk-based inspection guidance for the auxiliary feedwater (AFW) system at pressurized water reactors that have not undergone probabilistic risk assessment (PRA). This methodology uses existing PRA results and plant operating experience information. Existing PRA-based inspection guidance information recently developed for the NRC for various plants was used to identify generic component failure modes. This information was then combined with plant-specific and industry-wide component information and failure data to identify failure modes and failure mechanisms for the AFW system at the selected plants. North Anna was selected as a plant for study. The product of this effort is a prioritized listing of AFW failures which have occurred at the plant and at other PWRs. This listing is intended for use by the NRC inspectors in preparation of inspection plans addressing AFW risk-important components at the North Anna plant.

13. AVAILABILITY STATEMENT: Unlimited

14. SECURITY CLASSIFICATION: (This Page) Unclassified; (This Report) Unclassified
