ML20126H138
| ML20126H138 | |
| Person / Time | |
|---|---|
| Site: | Cook  |
| Issue date: | 07/31/1991 |
| From: | Gore B, Lioyd R, Moffitt N Battelle Memorial Institute, PACIFIC NORTHWEST NATION |
| To: | Office of Nuclear Reactor Regulation |
| Shared Package | |
| ML20126H006 | List: |
| References | |
| FOIA-92-267 NUDOCS 9301050078 | |
| Download: ML20126H138 (30) | |
Text
i.- ..
NUREG/CR-PNL-AUXILIARY FEE 0 WATER SYSTEM RISK-BASED INSPECTION GUIDE FOR THE 0. C. COOK NUCLEAR POWER PLANT R. C. Lloyd N. E. Hoffitt B. F. Gore T. V. Yo i
July 1991 Prepared for Division of Radiation Protection and-Emergency Preparedness Office of Nuclear Regulatory Regulation U.S. Nuclear Regulatory Commission Washington, DC 20555 I NRC FIN L1310 .
i i
i l
Pacific Northwest Laboratory l
Richland, Washin; ton 99352 l 9301c50078 920626 O$EA 92-267 PDR 1
1 I
SUMMARY
This document presents a compilation of auxiliary feedwater (AFW) system failure information which has been screened for risk significance in terms of failure frequency and degradation of system performance. It is a risk-prioritized listing of failure events and their causes that are significant enough to warrant consideration in inspection planning at the the D. C. Cook pl ant . This information is presented to provide inspactors with increased resources for inspection planning at D. C. Cook.
The risk importance of various component failure modes was identified by analysis of the results of probabilistic risk assessments (PRAs) for many pressurized water reactors (PWRs). However, the component failure categories identified in PRAs are rather broad, because the failure data used in the PRAs is an aggregate of many individuals failures having a variety of root causes.
In order to help inspectors to focus on specific aspects of component operation, maintenance and design which might cause these failures, an extensive review of component failure information was performed to identify and rank the root causes of these component failures. Both 0. C. Cook and industry wide failure information was analyzed. Failure causes were sorted on the basis of frequency of occurrence and seriousness of consequence, and categorized as common cause failures, human errors, design problems, or component failures.
This information is presented in the body of this document. Section 3.0 provides brief descriptions of these risk-important failure causes, and Section 5.0 presents more extrasive discussions, with specific examples and references. The entries in the two sections are cross-referenced.
An abbreviated system walkdown table is presented in Section 3.2 which includes only components identified as risk important. This table lists the system lineup- for normal, standby system operation.
This information permits an inspector to concentrate on compor9nts important to the prevention of core damage. However, it is import...t to note that inspections should not focus exclusively on these components. Other components which perform essential functions, but which are not included because of high reliability or redundancy, must also be addressed to ensure that degradation does not increase their failure probabilities, and hence their risk importances.
iii 4
CONTENTS iii
SUMMARY
1.0 INTRODUCTION
.................................................... 1 2
2.0 D. C. COOK AFW SYSTEM ...........................................
2 2.1 SYSTEM DESCRIPTION .........................................
4 2.2 SUCCESS CRITERION ..........................................
4 2.3 SYSTEM DEPENDENCIES ........................................
4 2.4 OPERATIONAL CONSTRAINTS ....................................
5 3.0 INSPECTION GUIDANCE FOR THE D. C. COOK AFW SYSTEM ...............
5 3.1 RISK IMPORTANT AFW COMPONENTS AND FAILURE MODES ............
5 3.1.1 MULTIPLE PUMP FAILURES DUE TO COMMON CAUSE ..........
3.1.2 TURBINE DRIVEN PUMP FAILS TO START OR RUN ..................................... 6 3.1.3 MOTOR DRIVEN PUMP "E" OR "W" FAILS TO 7
START OR RUN ..... ..................................
3.1.4 PUMP UNAVAILABLE DUE TO 7
MAINTENANCE OR SURVEILLANCE .........................
7 3.1.5 AIR OPERATED CONTROL VALVES FAIL ....................
8 3.1.6 MOTOR OPERATED VALVES FAIL CLOSED ...................
3.1.7 MANUAL SUCTION OR DISCHARGE VALVES 9
FAIL CLOSED .........................................
3.1.8 LEAKAGE OF HOT FEEDWATER THROUGH CHECK 9
VALVES ..............................................
10 3.2 RISK IMPORTANT AFW SYSTEM WALKDOWN TABLE ...................
14 4.0 GENERIC RISK INSIGHTS FROM PRAs .................................
4.1 RISK IMPORTANT ACCIDENT SEQUENCES INVOLVING AFW SYSTEM FAILURE ......................................... 14 15 4.2 RISK IMPORTANT COMPONENT FAILURE MODES .....................
v
(
1
- s. ..
CONTENTS (continued) 16 5.0 FAILURE MODES DETERMINED FROM OPERATING EXPERIENCE ..............
- 0. C. COOK EXPERIENCE....................................... 16 5.1 5.1.1 MULTIPLE PUMP FAILURES ........................... 16 5.1.2 MOTOR DRIVEN PUMP FAILURES ....................... 16 5.1.3 TURBINE DRIVEN PUMP FAILURES ..................... 16 5.1.4 FLOW CONTROL AND ISOLATION VALVE FAILURES ................................... 16 5.1.5 CHECK VALVE FAILURES ............................. 17 5.1.6 HUMAN ERRORS ..................................... 17 5.2 INDUSTRY WIDE EXPERIENCE ................................... 17 5.2.1 COMMON CAUSE FAILURES ............................... 17 5.2.2 HUMAN ERRORS ........................................ 20 5.2.3 DESIGN / ENGINEERING PROBLEMS AND ERRORS ..............- 20 5.2.4 COMPONENT FAILURES ........................-.......... 22 REFERENCES ........................................................... 25 i
l l
l l
l l
l l- vi l
L r.
1.0 INTRODUCTION
This document is the nineteenth of a series providing plant-specific inspection guidance for auxiliary feedwater (AFW) systems at pressurized water reactors (PWRs). This guidance is based on information from probabilistic risk assessments (PRAs) for similar PWRs, industry wide operating experience with AFW systems, plant-specific AFW system descriptions, and plant-specific operating experience. It is not a detailed inspection plan, but rather a compilation of AFW system failure information which has been screened for risk significance in terms of failure frequency and degradation system performance.
The result is a risk-prioritized listing of failure events and the causes that are significant enough to warrant consideration in inspection planning at D.
C. Cook.
This inspection guidance is presented in Section 3.0, following a description of the D. C. Cook AFW system in Section 2.0. Section 3.0 identifies the risk important system components by D. C. Cook identification number, followed by brief descriptions of each of the various failure causes of that component. These include specific human errors, design deficiencies, and-hardware failures. The discussions also identify where common cause failures have affected multiple, redundant components. These brief discussions identify specific aspects of system or component design, operation, maintenance, or testing for inspection by observation, records review, training observation, procedures review, or by observation of the implementation of procedures. An AFW system walkdown table identifying risk important components and their lineup for normal, standby system operation is also-provided.
The remainder of the document describes and discusses the information used in compiling this inspection guidance. Section 4.0 describes the risk importance information which has been derived from PRAs and its sources. As review of that section will show, the failure events identified in PRAs are rather broad (e.g., pump fails to start or run, valve fails closed). Section 5.0 addresses the specific failure causes which have been combined under these broad events.
AFW system operating history was studied to identify the various specific failures which have been aggregated into the PRA failure events. Section 5.1 presents a summary of D. C. Cook failure information, and Section 5.2 presents a review of industry-wide failure information. The industry-wide information was compiled from a variety of NRC sources, including AE00 analyses and reports, information notices, inspection and enforcement bulletins, and generic letters, and from a variety of INP0 reports as well. Some Licensee Event Reports and NPRDS event-descriptions were also reviewed-individually.
Finally, information was included from reports of NRC-sponsored studies of the effects of plant aging, which include quantitative analyses of reported AFW system failures. This industry-wide information was then combined with the plant-specific failure information to identify the various root causes of the-broad failure events used in PRAs, which are identified in Section 3.0.
1
sq y 2.0 D. C. COOK AFW SYSTEM This section presents an overview of the D. C. Cook AFW system, including '
a simplified schematic system diagram. In addition, the system success criterion, system dependencies,-and administative operational constraints are also presented.
2.1 System Descriotion The AFW system provides feedwater to the steam generators (SG) to allow .
secondary side heat removal from the primary system when main feedwater is .
unavailable. The system is capable of functioning for extended periods, which allows time to restore main feedwater flow or to proceed with an orderly cooldown of the plant to less than 350 degrees F from normal operating
-conditions in event of total loss of off-site power, to where the residual heat removal (RHR) system can remove decay heat. A simplified schematic diagram of the D. C. Cook AFW system is shown in Figure 2.1.
The system consists of one Condensate Storage Tank (CST), two motor-driven (MD) AFW pumps, one turbine-driven (TD) AFW-pump, associated piping, valves and instrumentation for each unit. The system is designed to start up and establish flow automatically. All pumps start on receipt of a steam generator low-low level signal or AMSAC (ATWS Mitigation System Actuation Circuitry). The motor-driven pumps start on low-low level in one SG, whereas, two SG low-low level signals are required for a turbine-driven pump start;
> The motor-driven pumps also start for the following conditions: a blackout signal, trip of both feedwater pumps, and a safety injection signal. The turbine-driven pump also starts on an undervoltage condition on 2 of 4 RCP buses.
The preferred source of AFW pump suction is from each unit's CST. A common header supplies water to both the motor-driven and turbine-driven pumps through a a sealed open isolation valve and a check. valve. The CST for each unit can.be cross connected through a normally closed, air operated valve;(CRV- -
L 51). An additional back-up source of water for the AFW pumps is provided from the essential service' water system (ESW) through-normally. closed, motor L
operated isolation valves (WMO 744,753,754).
i . Power, control, and instrumentation associated with each train are independent from each other. In addition, each unit has its own battery-system-("N"-train) as an emergency electrical supply to ensure AFW system l
reliabi_ity. Steam for the turbine driven pump is supplied through MCM.221 and 231 from steam generators 1 and 4, from a point upstream of the main' steam isolation valves. Each AFW pump-is equipped with an emergency leakoff system
-which prevents pump deadheading.
The discharges of the motor-driven pumps for each unit are-normally-
- aligned: so that the West "W" pump supplies the 1 and 4 steam-generators.and -
~
the East "E" pump supplies the 2 and 3 steam generators. The discharge: piping '
for each unit's "E" sump contains a cross-connect valve (FW 129) which' "W" AFW pump. Cross-connects to the disc 1arge piping of the opposite unit's tie operation is only to-be used-if AFW flow can't be achieved from the L 2 L:
- - - - - - = - . -- ,
's ~*
P'
- ( g.
ma */~
e c5 t ,
J 1
e(Em n -
) -c
- ,(
)
/\
= I
- h /\ /\
n :# $~-
_T. T. E
- ?. Y. E
?. ?. !
ma
_ ~ CR. Es EN Ea. EN. ER.
E E hg 1 h
E E g> M mf "
" ? "
E5 ~d2 ~93 _T T _? 2 4 -
a c4 _ca.X c 4. _a_
c c w
-d _d_f N _
=
g E$
,,e - >d. ----
h$
,JLNS k { _sy
?^,
Ch -
E((- EN- U La.J
=m J E$~[-
Nw bNg rw- LA.
E
- dD w
E:: .
Ed "
's<c o t i i M j :. W (a (a o
'N / .
v
_.. gd r- A,.
b >
C!
C"'1
-a 6,
rtv EQ[. y CM I I 4 J k3N r E d b *{
r n
="3
-[i
[ g cm E3[ Q -
,, y ?
><}- gir:si r ""
ya E"- .
EE _
w w
% 6h d
- s-6 sg i
N $i N sb e
=C = n e egs
- EU E r!u R
e R
a w -
g l
l
affected unit. The cross-connect valve is sealed closed and administrative 1y controlled. The turbine-driven pump feeds all four steam generators, but through separate lines. Steam generator inlet isolation valves are sealed open manual valves and the flow discharge isolation valves are motor operated. Each line also contains check valves to prevent leakage from the feedwater lines.
The Condensate Storage Tank (CST) has a 500,000 gallon capacity and is required to store a minimum of 175,000 gallons for AFW system use, to maintain the reactor coolant system (RCS) at hot standby for nine hours with steam discharge to atmosphere, followed by a cool down to 350 degrees F.
2.2 Success Criterion System success requires the operation of at least one pump supplying rated flow to two steam generators.
2.3 System Dependencies The AFW system depends on AC power for motor-driven pumps and motor-controlled isolation valves, DC power for control power to pumps, valves, and automatic actuation signals, and instrument air for AFW emergency leakoff valves. Each air operated valve is designed to fail in its safe condition on loss of instrument air. In addition, the turbine-driven pump also requires steam availability.
2.4 Qperational Constraints When the reactor is in Modes 1, 2, or 3, the D. C. Cook Technical Specifications require that all three AFW pumps and associated flow paths are operable with each motor-driven pump powered from a different emergency bus and the turbine-driven feedwater pump capable of being operated from an operable steam supply. Also, at least one auxiliary feedwater flowpath in support of the other unit's shutdown functions must be available. If one AFW pump becomes inoperable, it must be restored to operable status within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> or the plant must be shut down to hot standby within the next six hours and to hot shutdown within the following six hours. If two AFW pumps are inoperable, the plant must be shut down to hot standby within six hours and to hot shutdown within the following six hours. With three AFW pumps inoperable, corrective action to restore at least one pump to operable status must be initiated immediately.
The D. C. Cook Technical Specifications requires a minimum volume of 175,000 gal. of water to be stored in the Condensate Storage Tank. With the CST inoperable, it must be restored to operable status within four hours or the plant must be shut down to hot shutdown within the the next twelve-hours.
If the essential service water system is demonstrated to be operable, it may serve as a backup AFW supply for seven days before plant shutdown is required.
4 I,
3.0 H SPECTION GUIDANCE FOR THE D. C. COOK AFW SYSTEM In this section the. risk important components of the D. C. Cook AFW system are identified, and the important failure modes for these components are briefly described. These failure modes include specific human errors, design deficiencies, and types of hardware failures which have been observed to occur for these components, both at D. C. Cook and at PWRs throughout the nuclear industry. The discussions also identify where common cause failures have affected multiple, redundant components. These brief discussions identify specific aspects of system or component design, operation, maintenance, or testing for observation, records review, training observation, procedures review, or by observation of the implementation of procedures.
Table 3.1 is an abbreviated AFW system walkdown table which identifies risk-important components. This table lists the system lineup for normal (standby) system operation. Inspection of the identified components addresses essentially all of the risk associated with AFW system operation.
3.1 Risk Important AFW Comoonents and Fail"re Modes Common cause failures of multiple pumps are the most risk-important failure modes of AFW system components. These are followed in importance by single pump failures, level control valve failures, and individual check valve leakage failures.
The following sections address each of these failure modes, in decreasing order of risk-importance. They present the important root causes of these component failure modes which have been-distilled from historical records.
Each item is keyed to discussions in Section' 5.2 where additional information on historical events is presented.
3.1.1 Multiole Pumo Failures due to Common Cause The following listing summarizes the most important multiple-pump failure modes identified in Section 5.2.1, Common cause Failures, and each item is keyed to entries in that section.
. Incorrect operator intervention into automatic system functioning, including improper manual starting and securing of pumps, has caused failure of all pumps, including overspeed trip on startup, and inability to restart prematurely secured. pumps. CC1.
. Valve mispositioning has caused failure of all pumps. Pump suction, steam supply, and instrument isolation valves have been involved.
CC2.
. -Steam binding has caused failure of multiple pumps. This resulted from leakage of hot feedwater past check valves into a common discharge header, with several valves involved including a motor-operated discharge valve. (See item 3.1.8 below.) CC10. Multiple-pump steam binding has also resulted from improper valve lineups, and from running a pump deadheaded. CC3.
5
. Pump control circuit deficiencies or design modification errors have caused failures of multiple pumps to auto start, spurious pump trips during operation, and failures-to restart after pump shutdown. CC4.
Incorrect setpoints and control circuit calibrations have also prevented proper operation of multiple pumps. CC5.
. Loss of a vital power bus has failed both the turbine-driven and one motor-driven pump due to loss of control power to steam admission valves or to turbine controls, and to motor controls powered from the same bus. CC6.
. Simultaneous startup of multiple pumps has caused oscillations of pump suction pressure causing multiple-pump trips on low suction pressure, despite the existence of adequate static net positive suction head (NPSH). CC7. Design reviews have identified inadequately sized suction piping which could have yielded insufficient NPSH to support operation of more than one pump. CC8.
At D. C. Cook, a low pressure suction trip rendered a motor driven pump inoperable while the turbine driven pump was out.of service for testing.
3.1.2 Turbine Driven Pumo Fails to Start or Run
. Improperly adjusted and inadequately maintained turbine governors have caused pump failures. HE2. Problems include worn or loosened nuts, set screws, linkages or cable connections, oil leaks and/or contamination, and electrical failures of resistors, transistors, diodes and circuit cards, and erroneous grounds and connections.
CF5. Improperly adjusted governors have occurred at D. C. Cook.
. Terry turbines with Woodwar'd Model EG governors have been found to-overspeed trip if full steam flow is allowed on startup.
Sensitivity can be reduced if a startup steam bypass valve is sequenced to open first. del.
. Condensate slugs in steam lines have caused turbine overspeed trip on startup. Tests repeated right-after such a trip may fail to indicate the problem due to warming and clearing of the steam lines.
~
Surveillance should exercise all steam supply connections. DE2.
. Trip and throttle valve (TTV) problems which have failed the-turbine driven pump include- physically bumping it, failure to reset it following testing, and failures to verify control room indication of reset. HE2. Whether either the overspeed trip or TTV trip can be reset without resetting the_other, indication in the control room of TTV position, and unambiguous local indication of an overspeed trip affect the-likelihood of these errors.'DE3. TTV problems have occurred at D. C. Cook.
. Turbines with Woodward Model PG-PL governors have tripped on overspeed when restarted shortly after shutdown, .unless an operator has locally exercised the speed setting knob to drain oil from the 6
c ,
governor speed setting cylinder (per procedure). Automatic oil dump valves are now available through Terry. DE4.
3.1.3 Motor Driven Pumo "E" or "W" Fails to Start or Run
. Control circuits used for automatic and manual pump starting are an important cause of motor driven pump failures, as are circuit breaker failures. CF7. Control circuit failures have prevented automatic pump starts at D. C. Cook.
. Hispositioning of handswitches and procedural deficiencies have prevented automatic pump start. HE3, Hispositioning of handswitches has occurred at D. C. Cook.
. Low lubrication oil pressure resulting from heatup due to previous operation has prevented pump restart due to failure to satisfy the protective interlock. DES.
3.1.4 Pumo Unavailable Due to Maintenanqt.or Surveillance
. Both scheduled and unscheduled maintenance remove pumps from operability. Surveillance requires operation with an altered line-up, although a pump train may not be declared inoperable during testing. Prompt scheduling and performance of maintenance and surveillance minimize this unavailability.
3.1.5 Air Operated Control Valves Fail TD Pumo Train: FRV-258.256 MD Pumo "E" Train: FRV-257.255 MD Pumo "W" Train: FRV-247.245 The first valve listed for each train is a normally-open air operated valve (A0V) that controls AFW pump emergency leakoff (ELO) to the CST. They fail open on loss of Instrument Air or loss of power. The second valve listed These for each train is a normally closed A0V in the AFW pump test flow line.
valves fail closed on loss of instrument air or loss of power.
. Control circuit problems have been a primary cause of failures, both at D. C. Cook and elsewhere. CF9. Valve failures have resulted from blown fuses, failure of control components (such as current / pneumatic convertors), broken or dirty contacts, misaligned or broken limit switches, control power loss, and calibration problems. Degraded operation has also resulted from improper air pressure due to air regulator failure or leaking air lines.
. Out-of-adjustment electrical flow controllers have caused improper valve operation, affecting multiple trains of AFW. CCl2.
1 7
=, .
. Leakage of hot feedwater through check valves has caused thermal binding of flow control MOVs. A0Vs may be similarly susceptible. CF2.
. Multiple flow control valves have been plugged by clams when suction switched automatically to an alternate untraated source. CC9.
s 3.1.6 dator Ooerated Isolation Valves Fail Closed MD Pumo Discharae Isolation: FMO-212.222.232.242 TD Pumo Discharoe Isolation: FM0-211.221.231.241 Essential Service Water Suction Isolation: WM0-744.754.753
, These MOVs isolate flow to the steam generators and provide AFW pump suction isolation from the ESW system. The discharge isolation valves are normally open and the essential service water suction valves are normally closed. They all fall as-is on loss of power.
. Common cause failure of MOVs has occurred at D. C. Cook and elsewhere, from failure to use electrical signature tracing equipment to determine proper settings of torque switch and torque switch bypass switches. Failure to calibrate switch settings for high torques necessary under desian basis accident conditions has also been involved. CC11.
. Valve motors have been failed due to lack of, or improper sizing or use, of thermal overload protective devices. Bypassing and oversizing should be based on proper engineering for desian basis conditions. CF4.
. Out-of-adjustment electrical flow controllers have caused improper discharge valve operation, affecting multiple trains of AFW. CCl2.
. Grease trapped in the torque switch spring pack of the operators of MOVs has caused motor burnout or thermal overload trip by preventing l torque switch actuation. CF8.
. Manually reversing the direction of motion of operating MOVs has overloaded the motor circuit. Operating procedures should provide cautions, and circuit designs may prevent reversal before each stroke is finished. DE7.
. Space heaters designed for preoperation storage have been found wired in parallel with valve motors which had not been environmentally qualified with them present. DE8.
8 i
y , - - -
-w ,-w r - ,-
r ,
~ - . - - . - - - . . - - - . . - - . . - - - . - - . . .. ._
- l( m, .
'i 3.1.7 Manual Suction or Discharoe Valves Fail closed TD Pumo Train: FW-133:136:137-1.-7.-3.-4
-MD Pumo "E" Train: FW-123:130:131-2.131 3 MD Pumo "W" Train: FW-162:158:131-1.131-4 These manual valves are normally locked open. For each train, closure of the first valves would block pump suction, closure of the second valves would block pump discharge and closure of the' third set of valves would block discharge to the steam generators. :
. Valve mispositioning-has resulted in failures of multiple trains of AFW.- CC2. It has also been the dominant cause of problems identified during operational readiness inspections. HEl. Events-have occurred most often during maintenance, calibration, or system modifications. Important causes of mispositioning include:
. Failure to provide complete, clear, and specific procedures for tasks'and system restoration
. Failure to promptly revise and validate procedures, training, and diagrams following system modifications-
. Failure to- complete all steps in a- procedure . . .
. Failure to adequately review uncompleted procedural . steps after task completion
. Failure to verify support functions after restoration
. Failure to adhere scrupulously to administrative procedures regarding tagging, control and tracking-of valve operations
. Failure to log 1the manipulation of sealed valves
. Failure to follow good practices of written task assignment and feedback of task. completion information
. Failure to. provide easily read system drawings, legible valve labels corresponding to drawings and procedures, and labeled
-indications of local __ valve position 3.1.8 Leakaae of Hot Feedwater throuah Check Valves:
MD Pumo "E" Train: FW-132-2.FW-132-3.FW-128 MD-Pumo "W" Train: FW-132-1.FW-132-4 FW-159 TD Pumo Train: -FW-138-1.-2.-3 -4.FW-135
. Leakage of hot feedwater_ through several check valves in' series has.
caused steam binding of multiple pumps. ' Leakage;through a closed level control valve in series with check valves has:also occurred, as would be required for leakage to reach the motor driven-or turbine: driven pumps. CC10
.- Slow leakage past the final check valve of a' series may not force upstream check valves closed, allowing leakage.past each of them in turn. Piping orientation-and valve design are important factors in-achieving true series protection. CFl.-D. C. Cook has experienced check valve leakage. ,
9
3.2 Risk Imoortant AFW System Walkdown Table Table 3.1 presents an AFW system walkdown table inclucing only-components identified as risk important. _ This information allows inspectors-to concentrate their efforts on components important-to-prevention of core damage. However, it is essential to note that inspections should not- focus
-exclusively on these components. Other components which perform essential functions, must also be addressed to ensure that their risk importances are not increased. Examples include the (open) steam lead stop check valves _and ensuring an adequate water level in the CST.
10
7 TABLE 3.1. Risk Importance AFW System Walkdown-Table Required Actual-Component # Component Name Location Position Position Electrical E Motor Driven Pump Racked In/
Closed W Motor Driven Pump Racked In/ "
Closed Valve CRV-51 Unit 1-Unit 2 AUX FP Suction Supply Closed Cross-Tie C-259 AFPs Suct from CST Sealed Open FW-162 "W" MDAFP Suct Isol Sealed Open FW-122 CST to "W" MDAFP Sealed Open FW-123 "E" HDAWP Suct Isol Sealed Open -
FW-133 CST to TDAFP Suct Isol Sealed Open WM0 744 ESW Supply to "W" MDAFP Closed WM0-754 ESW Supply to "E" MDAFP Closed WM0-753 ESW Supply to TDAFP Closed ESW-243 ESW Supply to "W" MDAFP Locked Closed ESW-145 ESW Supply to "E" MDAFP Locked Closed ESW-240 ESW Supply to TDAFP Locked Closed l
FRV-247 "W" MDAFP Emergency Leakoff Valve Auto /Open FRV-257 "E" MDAFP Emergency Leakoff Valve Auto /Open FRV-258 TDAFP Emergency Leakoff Valve Auto /Open FW-174 "W" MDAFP Emergency Leakoff _Isol Locked Open FW-175 *E" MDAFP Emergency Leakoff Isol Locked Open FW-127 TDAFP Emergency Leakoff Isol Locked Open 11
TABLE 3.1. Risk Importance AFW System Walkdown Table (Continued)
FW-158 "W" MDAFP Disch Isol to S/G 1 & 4 Sealed Open FW-130 "E" MDAFP Disch Isol to S/G 2 & 3 Sealed Open FW-136 TDAFP Disch Isol Sealed Open FW 131-1 "W" MDAFP Disch to S/G 1 Ctrl Sealed Open Inlet Isol FW 131-4 "W" MDAFP Disch to S/G 4 Ctrl Sealed Open _
Inlet Isol FW 131-2 -"E" MDAFP Disch to S/G 2 Ctrl Sealed Open _
Inlet Isol FW 131-3 "E" MDAFP Disch to S/G 3 Ctrl Sealed Open Inlet Isol FW 137-1 TDAFP Disch to S/G 1 Ctrl Sealed Open -
Inlet Isol FW 137-4 TDAFP Disch to S/G 4 Ctrl Sealed Open Inlet Isol FW 137-2 TDAFP Disch to S/G 2 Ctrl Sealed Open Inlet Isol TDAFP Disch to S/G 3 Ctrl Seal ed ' 0 pen -
FW 137-3 Inlet Isol FW-129 "E" MDAFP Cross-tie to Opposite Unit S/G 1 and 4- Sealed Closed FM0-212 "W" MDAFP Flow to S/G 1 Auto /Open FM0-242 "W" MDAFP Flow to S/G 4 Auto /Open FM0-222 "E" MDAFP Flow to S/G 2 Auto /Open FM0-232 "E" MDAFP Flow to S/G 3 Auto /Open FM0-211 TDAFP Flow to S/G 1 Open FriO-241 TDAFP Flow to S/G 4 Open FM0-221 TDAFP Flow to S/G 2 Open 12
.. ... L TABLE 3.1. Risk Importance AFW System Walkdown Table (Continued)
FMO-231 TDAFP Flow to S/G 3 Open Open MCM-221 S/G 2 Mainsteam to TDAFP MCM-231 S/G 3 Mainsteam to T0AFP Open FW 132-1 Piping Upstream of Check Valve Ambient Piping Upstream of Check Valve Ambien +,
FW 132-2 FW 132-3 Piping Upstream of Check Valve Ambient
! FW 132-3 Piping Upstream of Check Valve Ambient FW 137-1 Piping Upstream of Check Valve Ambient FW 137-2 Piping Upstream of Check Valve Ambient FW 137-3 Piping Upstream of Check Valve Ambient l.
FW 137-3 Piping Upstream of Check Valve Ambient l
(
l' 13 l
l
l l
4.0 q[R[RIC RISK INSIGHTS FROM PRAs PRAs for 13 PWRs were analyzed to identify risk-important accident sequences involving loss of AFW, to identify and risk-prioritize the component failure modes involved. The results of this analysis are described in this section. They are consistent with results reported by INEL and BNL (Gregg et al 1988, and Travis et al,1988).
4.1 Risk Imoortant Accident Sequences Involvino AFW System Failure loss of Power System .
. A_ loss of offsite oower is followed by failure of AFW. Due to lack of actuating power, the power operated relief valves (PORVs) cannot be opened preventing adequate feed-and bleed cooling, and resulting in core damage.
. A station blackout fails all AC power except Vital AC from DC invertors, and all decay heat removal systems except the turbine-driven AFW pump. AFW subsequently fails due to battery ~~
depletion or hardware failures, resulting in core damage.
e A DC bus fails, causing a trip and failure of the power conversion system. One AFW motor-driven pump is failed by the bus loss, and the turbine-driven pump fails due to loss of turbine or valve control power. AFW is subsequently lost completely due to other failures, Feed-and bleed cooling fails because PORV control is lost, resulting in core damage.
Jransient-Caused Reactor or Turbine Trio
. A transient-caused trio is followed by a loss of the power conversion system (PCS) and AFW. Feed and-bleed cooling fails either due to failure of the operator to initiate it, or due to hardware failures, resulting in core damage.
Loss of Main Feedwater
. A feedwater line break drains the common water source for MFW and AFW. The operators fail to provide feedwater from other sources, and fail to initiate feed-and-bleed cooling, resulting in core damage.
. A loss of main feedwater trips the plant, and AFW fails due to operator error and hardware failures. The operators fail to initiate feed-and-bleed cooling, resulting in core damage.
14
. =. -. -- - -
l i
Steam Generator Tube Ruoture (SGTR1
. A SGTR is followed by failure of AFW. Coolant is lost from the primary until the refueling water storage tank (RWST) is depleted. High pressure injection (HPI) fails since recirculation cannot be established from the empty sump, and core damage results.
4.2 Risk imoortant Comoonent Failure Modes l The generic component failure modes identified from PRA analyses as important to AFW system failure are listed below in decreasing order of risk importance.
- 1. Turbine Driven Pump Failure or Start or Run.
- 2. Motor-Driven Pump Failure to Start or Run.
- 3. TDP or MDP Unavailable due to Test or Maintenance.
- 4. AFW System Valve failures
. steam admission valves
. trip and throttle valves
. flow control valves
. pump discharge valves e pump suction valves
. valves in testing or maintenance.
- 5. Supply /Suc; ton Sources
. condensate storage tank stop valve
. hot well inventory
. suction valves
' In addition to individual hardware, circuit, or instrument failures, each of these failure modes may result from common causes and human errors. Common cause failures of AFW pumps are particularly risk important. Valve failures are somewhat less important due to the-multiplicity of steam generators and connection paths. Human errors of greatest risk importance involve: failures to initiate or control system operation when required; failure to restore proper system
- lineup after maintenance or testing; and failure to switch to alternate sources when required.
15' L
\
- - . . . ~. _ - _. . __- ._. - ..
5.0 FAllVRE MCDES DETERMINED FROM OPERATING EXPERIENCE This section describes the primary root cause of AFW system component failures, as determined from a review of operating histories at D. C. Cook and at other PWRs throughout the nuclear industry. Section 5.1 describes experience at D. C. Cook. Section 5.2 summarizes information compiled from a variety of NRC sources, including AEOD analyses and reports, information notices, inspection and enforcement bulletins, and generic letters, and from a variety of INP0 reports as well. Some Licensee Event Reports and NPRDS event descriptions were also reviewed individually. Finally, information was included from reports of NRC-sponsored studies of the effects of plant aging, which include quantitative analysis of AFW system failure reports. This information was used to identify the various root causes expected for the broad PRA-based failure events identified in Section 4.0, resulting in the inspection guidelines presented in Section 3.0.
5.1 D. C. Cook Exoerience The AFW system at D. C. Cook has experienced failures of the AFW pumps, pump flow control and discharge isolation valves, turbine trip and throttle valves, essential service water backup supply valves, and numerous system check valves. Failure modes include electrical, instrumentation and control, hardware failures, and human errors.
( ._ .. [ ))
5.1.1 Multiole Pumo Failures , .y lOS
- r. se c c o,-
There was Lgme incident 1wh' ate a MDAFP tripped while the turbine driven pump was out of service. The MDAFP was placed in service within the allotted time period so that a reactor shutdown was not required.
5.1.2 Motor Driven Pumo Failures There have been six events since 1981 that have resulted in failure of the motor driven pumps. Failure modes involved control circuit problems, circuit breaker problems, dirty pump suction gauge, out of balance pump bearings, and worn pump seals.
5.1.3 Turbine Driven Pumo Failures Twelve events have occurred since 1981 that have resulted in decreased operational readiness or spurious starting of the turbine driven pump.
Failure modes involved failures in instrumentation and control circuits, pump hardware failures, corrosion, mechanical wear, and human failures during maintenance activities. The TTV and associated linkage were the cause of several of the TDAFP failures.
5.1.4 Flow Control and Isolation Valve Failures Approximately forty events since 1981 have resulted in impaired operational readiness of the air operated emergency leakoff valves, motor operated flow control valves, and motor operated isolation valves. Principal 16 w , y - , - - - , . . - - - .w.
o, .
q s 4 failure causes were equipment wear, corrosion, instrumentation and control-circuit failures, valve hardware failures, and human errors. Valves have failed to operate properly due to blown fuses, failure of control components (such as-I/P convertors), broken or dirty contacts, misaligned or broken limit switches, control power loss, and operator calibration problems. Human errors have resulted in improper control circuit calibration, limit switch adjustment, and connection to wrong phase power.
5.1.5 Check Valve Failurn More than ten events of check valve failure have occurred since 1981.
The failure mode cited in all cases was normal wear- and aging.
5.1.6 Human Errors There have been approximately fifteen events-affecting the AFW system since 1981. Personnel have inadvertantly actuated the AFW pumps during testing, bumped switches, misused air tubes, and mispositioned control switches during operation. Both personnel error and inadequate procedures have been involved. Hisunderstanding of operability requirements has resulted in equipment exceeding Technical Specification limits.
5.2 Industry Wide Exoerience Human errors, design / engineering problems.and errors, and component failures are the primary root causes of AFW System failures identified in a review of industry wide system operating history. Common cause failures, which disable more than one train of this operationally redundant system, are highly risk significant, and can result from all of these causes.
This section identifies important common cause failure modes, and then provides a broader discussion of the single failure effects of human errors, design / engineering problems and errors, and component failures. Paragraphs presenting details of these failure modes are coded (e.g., CC1) and cross-referenced by inspection items in Section 3.
5.2.1 Common Cause Failures The dominant cause of AFW system multiple-train failures has been human
- error. Design / engineering errors and component failures have been less frequent, but nevertheless significant, causes of multiple train failures.
((L. Human error in the form of incorrect operator intervention into automatic AFW system functioning during transients resulted in the temporary loss of all safety-grade AFW pumps during events at Davis Besse (NUREG-1154,,
1985) and Trojan (AE00/T416, 1983). In the Davis Besse event, improper manual initiation of the steam and feedwater rupture control system (SFRCS) led to overspeed tripping of both turbine-driven AFW pumps, probably due to the introduction of condensate into the AFW turbines from the long, unheated steam supply lines. (The system had never been tested with the abnormal, cross-connected steam supply lineup which resulted.) In the Trojan event the l operator incorrectly stopped both AFW pumps due to misinterpretation of MFW l
17 l
L u
e, , ,
pump speed indication. The diesel driven pump would not restart due to a protective feature requiring complete shutdown, and the turbine-driven pump tripped on overspeed, requiring local reset of the trip and throttle valve. In cases where manual intervention is required during the early stages of a transient, training should emphasize that actions should be performed methodically and deliberately to guard against such errors, h Valve mispositioning has accounted for a significant fraction of the human errors f ailing multiple trains of AFW. This includes closure of normally open suction valves or steam supply valves, and of isolation valves to sensors having control functicns, incorrect handswitch positioning and inadequate temporary wiring changes have also prevented automatic starts of multiple pumps. Factors identified in studies of mispositioning errors include failure to add newly installed valves to valve checklists, weak administrative control of tagging, restoration, independent verification, and locked valvo logging, and inadequate adherence to procedures. Illegible or confusing local valve labeling, and insufficient training in the determination of valve position may cause or mask mispositioning, and surveillance which does not exercise complete system functioning may not reveal mispositionings.
E At ANO-2, both AFW pumps lost suction due to steam binding when they were lined up to both the CST and the hot startup/ blowdown demineralizer effluent (AE00/C404,1984). At Zion-1 steam created by running the turbine-driven pump deadheaded for one minute caused trip of a motor-driven pump sharing the same inlet header, as well as damage to the turbine-driven pump (Region 3 Horning Report, 1/17/90). Both events were caused by procedural inadequacies.
E Design / engineering errors have accounted for a smaller, but significant fraction of common cause failures. Problems with control circuit design modifications at Farley defeated AFW pump auto start on loss of main feedwater. At Zion-2, restart of both motor driven pumps was blocked by circuit failure to deenergize when the pumps had been tripped with an automatic start signal present (IN 82-01,1982). In addition, AFW control circuit design reviews at Salem and Indian Point have identified designs where failures of a single component could have failed all or multiple pumps (IN 87-34,1987).
E Incorrect setpoints and control circuit settings resulting from analysis errors and failures to update procedures have also prevented pump start and caused pumps to trip spuriously. Errors of this type may remain undetected despite surveillance testing, unless surveillance tests model all types of system initiation and operating conditions. A greater fraction of instrumentation and control circuit problems has been identified during actual system operation (as opposed to surveillance testing) than for other types of failures.
E On two occasions at a foreign plant, failure of a balance-of-plant inverter caused failure of two AFW pumps, in addition to loss of the motor driven pump whose auxiliary start relay was powered by the invertor, the turbine driven pump tripped on overspeed because the governor valve opened, allowing full steam flow to the turbine. This illustrates the importance of 18 l
c, .
assessing the effects of failures of balance of plant equipment which supports the operation of critical components. The instrument air system is another example of such a system.
E Multiple AFW pump trips have occurred at Millstone-3, Cook-1, Trojan and Zion-2 (IN 87-53, 1987) caused by brief, low pressure oscillations of suction pressure during pump startup , These oscillations occurred despite the availability of adequate static NPSH. Corrective actions taken include:
extending the time delay associated with the low pressure trip, renoving the trip, and replacing the trip with an alarm and operator action.
E Design errors discovered during AFW system reanalysis at the Robinson plant (IN 89-30,1989) and at Millstone-1 resulted in the supply header from the CST being too small to provide adequate NPSH to the pumps if more than one of the three pumps were operating at rated flow conditions. This could lead to multiple pump failure due to cavitation. Subsequent reviews at Robinson identified a loss of feedwater transient in which inadequate NPSH and flows less than design values had occurred, but which were not recognized at the time. Event analysis and equipment trending, as well as serveillance testing which duplicates service conditions as much as is practical, can help identify such design errors.
E Asiatic clams caused failure of two AFW flow control valves- at Catawba-2 when low suction pressure caused by starting of a motor-driven pump caused suction source realignment to the Nuclear Service Water system. Pipes had not been routinely treated _to inhibit clam growth, nor regularly monitored to detect their presence, and no strainers were installed. The need for surveillance which exercises alternative system operational modes, as well as complete system functioning, is emphasized by this event. Spurious suction switchover has also occurred at Callaway and at McGuire, although no failures resulted.
CC10. Common cause failures have also been caused by component failures (AE00/C40t 1984). At Surry-2, both the turbine driven pump-and one motor-driven pum, are declared inoperable due to steam binding caused by leakage of hot water t, rough. multiple check valves. At Robinson-2 both motor driven pumps were found to be hot, and both motor and steam driven pumps were found to be inoperable at different times. Backleakage at Robinson-2 passed through closed motor-operateJ isolation valves in addition to multiple check valves.
At Farley, both motor and turbine driven pump casings were found-hot, 'although the pumps were not declared inoperable. In addition to multi-train failures, numerous incidents of single train failures have occurred, resulting in the designation of " Steam Binding of Auxiliary Feedwater Pumps" as Generic Issue-
- 93. This generic issue was resolved by Generic Letter 88-03 (Miraglia, 1988),
which required licensees to monitor AFW piping temperatures each shift, and to maintain procedures for recognizing steam binding and for restoring system operability.
CC11. Common cause failures have also failed motor operated valves. During the total loss of feedwater event at Davis Besse, the normally-open AFW isolation valves failed to open after they were inadvertently closed. The failure was due to improper setting of the torque switch bypass _ switch, which 19
4-, .- ., l
-j
\
prevents motor trip on the high torque required to unseat a closed valve.
Previous problems with these valves had been addressed by increasing the torque switch trip setpoint - a fix which failed during the event due to the higher torque required due to high differential pressure across the valve. !
Similar common mode failures of MOVs have also occurred in other systems, resulting in issuance of Generic Letter 89-10, " Safety Related Motor-Operated Valve Testing and Surveillance" (Partlow,1989). This generic letter requires l licensees to develop and implement a program to provide for the testing, !
inspection and maintenance of all safety related MOVs to provide assurance l that they will function when subjected to design basis conditions.
CCl2. Other component failures have also resulted in AFW multi-train failures. These include out-of-adjustment electrical flow controllers resulting in improper discharge valve operation, and a failure of oil cooler cooling water supply valves to open due to silt accumulation. !
5.2.2 Human Errors HEL. The overwhelmingly dominant cause of problems identified during a series of operational readiness evaluations of AFW systems was human performance. The majority of these human performance problems resulted from incomplete and 1 incorrect procedures, particularly with respect to valve lineup information. l A study of valve mispositioning events involving human error identified i failures in administrative control of tagging and logging, procedural compliance and completion of steps, verification.of support systems, and inadequate procedures as important. Another study found that valve mispositioning events occurred most often during maintenance, calibration, or modification activities. Insufficient training in determining valve position, and in administrative requirements for controlling valve positioning were important causes, as was oral task assignment without task completion l
feedback.
l HEL Turbine driven pump failures have been caused by human errors in l
calibrating or adjusting governor speed control, poor governor maintenance, L incorrect adjustment of governor valve and overspeed trip linkages, and errors associated with the trip and throttle valve. TTV-associated errors include
! physically bumping it, failure to restore it to the correct position after l testing, and failures to verify control room indication of TTV position following actuation.
B R,. Motor driven pumps have been failed by human errors in mispositioning_
handswitches, and by procedure deficiencies.
- 5.2.3 Desion/Encineerino Problems and Errors DE As noted above,- the majority of AFW subsystem failures, and the greatest relative system degradation, has been found .to result from turbine-driven pump failures. Overspeed trips of Terry turbines controlled by Woodward governors have been a significant source of these failures (AE00/C602, 1986). In many l
cases these overspeed trips have been caused by slow response of a Woodward Model EG governor on startup, at plants where full steam flow is allowed immediately. This oversensitivity has been removed by installing a startup L 20 l
- .s *.
steam bypass valve which opens first, allowing a controlled turbine acceleration and buildup of oil pressure to control the governor valve when l full steam flow is admitted.
E Overspeed trips of Terry turbines have been caused by condensate in.the steam supply lines.- Condensate slows down the turbine, causing the governor ,
valve to open farther, and.overspeed results before the governor valve can respond, after the water slug clears. This was determined to be the cause of l the loss-of-all-AFW event at Davis Besse (AE00/602, 1986), with condensation I
enhanced due to the long length of the cross-connected stear. lines. Repeated !
tests following a cold-start trip may be successful due to system heat up.
R Turbine trip and throttle valve (TTV) problems are a significant cause of turbine driven pump failures (IN 84-66). In some cases lack of TTV i position indication in the control room prevented recognition of a tripped i TTV. In other cases it was possible to reset either the overspeed trip or the TTV without resoting the other. This problem is compounded by the fact that the position of the overspeed trip linkage can be misleading, and the mechanism may-lack labels indicating when it is in the tripped position (AE0D/C602,1986).
l E Startup of turbines with Woodward Model PG-PL governors within 30 minutes of shutdown has resulted in overspeed trips when the. speed setting l.
i knob was not exercised locally to drain oil from the speed setting cylinder.
l Speed control is based on startup with an empty cylinder. Problems have involved turbine rotation due to both procedure violations and leaking steam.
Terry has marketed two types of dump valves for automatically draining the oil aftershutdown(AE00/C602,1986).
At Calvert Cliffs, a 1987 loss-of-offsite-power event required a quick,. cold
' startup that resulted in turbine trip due to PG-PL governor stability.
l problems. The short-term corrective action was installation of stiffer buffer i springs (IN 88-09,1988). Surveillance had always been preceded by turbine warmup, which illustrates the importance of testing which duplicates service l
conditions as much as is practical.
ML. Reduced viscosity of gear box oil heated by prior operation caused-failure of a motor driven pump to start due to insufficient lube oil pressure.
Lowering the pressure switch setpoint solved the problem, which'had not been
,! detected during testing.
E Waterhammer at Palisades resulted in AFW line and hanger damage at both steam generators. The AFW spargers are located at the. normal steam generator level, and are frequently covered and uncovered during level fluctuations.
Waterhammers in top-feed-ring steam generators resulted in main feedline rupture at Maine Yankee and feedwater pipe cracking at Indian Point-2 (IN 84-32,1984).
ML Manually reversing the direction of motion of an operating valve has resulted in M0V failures where such loading was not considered in the design (AE00/C603,1986). Control circuit design may prevent ti.is, requiring stroke co:apletion before reversal.
21
, - . . ~ _.. . .- = - . ~ - -_ - . .- - - . . - -
. , . l. : ,
m
_ E -_At each of the units of the South Texas Project, space heaters provided by the vendor for use in preinsta11ation storage of MOVs were found-to be wired in parallel to the Class 1E 125 V DC motors for several AFW valves (IR 50-489/89 11; 50-499/89-11, 1989). The valves-had been environmentally '
qualified, but not with the non-safety-related heaters energized.
5.2.4 fm oonent Failures Generic Issue II.E.6.1, "In Situ Testing Of Valves" was divided into four sub-issues-(Beckjord, 1989), three of which relate directly to prevention of AFW system component failure. . At the request of the NRC, in-situ testing of check valves was addressed by the nuclear industry, resultine in the EPRI report, " Application Guidelines for Check Valves in Nuclear Power Plants" (Brooks,1988).- This extensive report provides information on check valve -
applications, limitations, and inspection techniques. In-situ testing-of MOVs ,
was addressed by Generic Letter 89-10. " Safety Related Motor-0perated Valve Testing and Surveillance" (Partlow,1989) which requires licensees to develop and implement a program for testing, inspection and maintenance of.all safety-related MOVs. " Thermal Overload Protection for Electric Motors on Safety-Related Motor 0perated Valves - Generic Issue II.E.6.1 (Rothberg,1988)"
concludes that valve motors should be thermally protected, _ yet in = a way which emphasizes system function over protection of the operator.
_ h The common-cause steam binding effects of check valve leakage were '
identified in Section 5.2.1, entry CC10. Numerous single-train events provide additional insights into this problem. 'In some cases leakage of hot MFW past multiple check valves in series has occurred because adequate-valve-seating pressure was limited to the valves closest to the steam generators (AEOD/C404, 1984). At Robinson, the pump shutdown procedure was changed;to delay closing-the MOVs:until after the check-valves were seated. At Farley, check valves were changed from swing type to lift type. Check valve rework-has been done at a number of-plants. Different valve designs and manufacturers are invol.ved-in this problem, and recurring leakage has been experienced,1even after repair and replacement.
E At: Robinson, heating of motor operated-valves by check valve leakage has caused thermal binding and failure of AFW discharge valves-to:open on demand.
At Davis Besse, high differential pressure across AFW injection valves resulting from check valve leakage has prevented MOV operation (AE00/C603, i 1986).
E Gross. check valve leakage at McGuire and Robinson caused-overpressurization of the AFW suction piping. .At a foreign-PWR_it resulted in i a severe waterhammer event.. At Palo Verde-2 the MFW suction piping was overpressurized by check valve leakage.from the AFW system (AE00/C404, 1984).
L Gross check valve leakage through idle pumps represents a potential' diversion j of. AFW pump flow. .
E Roughly.one third of AFW system failures have been due to valve operator -
L failures, with about equal failures for MOVs and A0Vs. Almost half of the M0V failures were due to motor or switch failures (Casada, 1989). An extensive study of MOV-events (AE0D/C603, 1986) indicates continuing inoperability L 22
. . ~ , , ,
e,. .,
problem: caused by: torque switch / limit switch rettings, adjustments, or failures; motor burnout; improper sizing or use of thermal overload devices; premature degradation related to inadequate ust; of protective devices; damage due to misuse (valve throttling, valve operator hammering); mechanical problems (loosened parts, improper assembly); or the torque switch bypass circuit improperly installed or adjusted. The study concluded that current methods and procedures at many plants are not adequate to assure that MOVs will operate when needed under credible. accident conditions. Specifically, a surveillance test which the valve passed might result in undetected valve inoperability due to component failure (motor burnout, operator parts failure, stem disc separation) or improper positioning of protective devices (thermal overload, torque switch, limit switch). Generic letter 89-10 (Partlow, 1989) has subsequently required licensees to implement a program ensuring that MOV switch settings are maintained so that the valves will operate under design basis conditions for the life of the plant.
A Component problems have caused a significant number of turbine driven pump trips (AE00/C602, 1986). One group of events involved worn tappet nut faces, loose cable connections, loosened set screws, improperly latched Tivs, and improper assembly. Another involved oil leaks due to component or seal failures, and oil contamination due to poor maintenance activities. Governor oil may not be shared with turbine lubrication cil, resulting in the need for separate oil changes. Electrical component faiiures included transistor or resistor failures due to moisture intrusion, erroneous grounds and connections, diode failures, and a faulty circuit card.
A Electrohydraulic-operated discharge valves have performed very poorly, and three of the five units using them have removed them due to recurrent failures. Failures included oil leaks, contaminated oil, and hydraulic pump failures.
[fL Control circuit failures were the dominant source of motor driven AFW pump failures (Casada,1989). This includes the controls used for automatic and manual starting of the pumps, as opposed to the instrumentation inputs.
Most of the remaining problems were due to circuit breaker failures.
A " Hydraulic lockup" of Limitorque SMB spring packs has prevented proper spring compression to actuate the MOV torque switch, due to grease trapped in the spring pack. During a surveillance at Trojan, failure of the torque switch to trip the TTV motor resulted in tripping of the thermal overload device, leaving the turbine driven pump inoperable-for 40 days until the-next surveillance (AE00/E702,1987). Problems result from grease changes to EXXON NEBULA EP-0 grease, one of only two greases considered environmentally qualified by Limitorque. Due to lower viscosity, it slowly migrates from the gear case into the spring pack. Grease changeover at Vermont Yankee affected 40 of the older MOVs of which 32 were safety related.
Grease relief kits are needed for MOV operators manufactured before 1975. At Limerick, additional grease relief was required for MOVs manufactured since 1975. MOV refurbishment programs may yield other changeovers to EP-0 grease.
A For AFW systems using air operated valves, almost half of the system degradation has resulted from failures of the valve controller circuit and its 23
e . .. . ,
instrument inputs (Casada,-1989). Failures occurred predominantly at a few units using automatic electronic controllers for the flow control valves, with the majority of failures due to electrical hardware. At Turkey Point-3, controller malfunction resulted from water in the Instrument Air system due to maintenance inoperability of the air dryers.
CF10. For systems using diesel driven pumps, most of the failures were due to start control and governor speed control circuitry. Half of these occurred on demand, as opposed to during testing (Casada, 1989).
CF11, For systems using A0Vs, operability requires the availability of Instrument Air, backup air, or backup nitrogen. However, NRC Maintenance Team Inspections have identified inadequate testing of check valves isolating the safety-related portion of the IA system at several utilities (letter, Roe to-Richardson). Generic Letter 88-14 (Hiraglia, 1988), requires licensees to verify by test that air-operated safety-related components will perform as expected in accordance with all design-basis events, including a loss of normal IA.
24
a .. . ,
6.0 REFERENCES
- Beckjord, E. S. June 30, 1989. Closecut cf Generic Issue II.E.6.1. "In Situ Testina of Valves". Letter to V. Stello, Jr., U.S. Nuclear Regulatory Commission, Washington, DC.
Brooks, B. P. 1988. Aeolication Guidelines for Check Valves in Nuclear Power Plants. HP-5479, Electric Power Research Institute, Palo Alto, CA, Casada, D. A. 1989. Auxiliary Feedwater System Aoina Study. Volume 1.
Oneratina Exoerience and Current Monitorina Practices. NUREG/CR-5404. U.S.
Nuclear Regulatory Commission, Washington, DC.
Gregg, R. E. and R. E. Wright. 1988. Apoendix Review for Dominant Generic Contributors. BLB-31-88. Idaho National Engineering Laboratory, Idaho Falls, Idaho.
Miraglia, F. J. February 17, 1988. Resolution of Generic Safety issue 93.
" Steam Bindino of Auxiliary Feedyater Pumos" (Generic letter 88-03). U.S.
Nuclear Regulatory Commission, Washington, DC.
Miraglia, F. J. August 8, 1988. Instrument Air Sucolv System Problems Affectina Safety-Related Eouipment (Generic Letter 88 14). U.S. Nuclear i Regulatory Commission, Washington, DC.
Partlow, J. G. June 28, 1989. Safety Related Motor Ocerated Valve Testina and Surveillance (Generic letter 89-101 U.S. Nuclear Regulatory Commission, Washington, DC.
Rothberg, O. _ June 1988. Thermal Overload Protection for Electric Hotors on Safety Related Motor Ocerated Valves - Generic issue ll.E.6.1. NUREG-1296.
U.S. Nuclear Regulatory Commission, Washington, DC.
Travis, R. and J. Taylor, 1989.- Development of Guidance for Generic.
Functionally Oriented PRA-Based Team Insoections for BWR Plants-Identification of Risk-Imoortant Systems. Comoonents and Human Actions. TLR-A 3874-TGA Brookhaven National Laboratory, Upton, New York.
- AE0D Reoorts
- AE0D/C404. W. D. Lanning. July 1984. Steam Bindina of Auxiliary Feedwater j- Pamps. U.S. Nuclear Regulatory- Commission, Washington, DC.
AE00/C602. C. Hsu. August 1986. Operational Exoerience Involvina Turbine Overspeed Trios. U.S. Nuclear Regulatory Commission, Washington, DC.
l i
AEOD/C603. E. J. Brown. December 1986. A Review of Motor-Ocerated Valve -
Performance. U.S. Nuclear Regulatory Commission, Washington, DC.
25 l
.6- .
. ,,-r . , . , ,.- . - _ _ - ,,, ,.,. ,-.-. - m--m- ,....y,;- 4 .y -m- -_,
e ... . ,
AEOD/E702. E. J. Brown. March 19, 1987. MOV Failure Due to Hydraulic Lockuo From Excessive _ Grease in Sorina Pact. U.S. Nuclear Regulatory Commission, Washington, DC.
AEOD/T416. January 22, 1983. Loss of ESF Auxiliary Feedwater Pumo Caoability 11__Tro.ian on January 22. 1931 U.S. Nuclear Regulatory Commission, Washington, DC.
Information Notices IN 82 01. January 22, 1982. Auxiliary Feedwater Pumo Lockout Resultina from Westinohouse W 2 Switch Circuit Modification. U.S. Nuclear Regulatory Commission, Washington, DC.
IN 84 32. E. L. Jordan. April 18, 1984. Auxiliary Feedwater Scaraer and Pioe Hanaar Damaae. U.S. Nuclear Regulatory Commission, Washington, DC.
IN 84-66. August 17, 1984. Undetected Unavailability of the lurbine Oriven Auxiliary Feedwater Train. U.S. Nuclear Regulatory Commission, Washington, DC.
Sinale Failures in Auxiliary IN 87-34. C. E. Rossi. July 24, 1987.
feedwater Systems. U.S. Nuclear Regulatory Commission, Washington, DC.
IN 87 53. C. E. Rossi. October 20, 1987. Auxiliary Fegdwater Pumo Trios Resultina from low Suction Pressure. U.S. Nuclear Regulatory Commission, '
Washington, DC.
IN 88 09. C. E. Rossi. March 18, 1988.
Reduced Reliability of Steam-Driven
- Auxiliary Feedwater Pumos Caused by Instability of Woodward PG-PL Tvoe Governors. U.S. Nuclear Regulatory Commission, Washington, DC.
IN 89 30. R. A. Azua. August 16, 1989. Robinson Unit 2 Inadeauate NPSH of Auxiliary Feedwater Pumos. Also, Event Notification 16375, August 22, 1989.
U.S. Nuclear Regulatory Commission, Washington, DC.
Inspection Report IR 50-489/89-11; 50 499/89-11. May 26, 1989. South Texas Pro.iect Inspection Reoort. U.S. Nuclear Regulatory Commission, Washington, DC.
i l
NUREG Rec.ati NUREG-1154. 1985. Loss of Main and Auxiliary Feedwater Event at the Davis Besse Plant on June 9. 1985. U.S. Nuclear Regulatory Commission, Washington, 26
,umem: 9 --cw --see-<- 7 e-=- +y qrwe-i.g. --,w+ew. en w,,- snmy * -e ei v -w, ---pl- i