ML20128N637

From kanterella
Jump to navigation Jump to search
Auxiliary Feedwater System RISK-BASED Inspection Guide for the Palo Verde Nuclear Power Plant
ML20128N637
Person / Time
Site: Palo Verde  Arizona Public Service icon.png
Issue date: 02/28/1993
From: Bumgardner J, Gore B, Moffitt N, Sloan J, Vo T
Battelle Memorial Institute, PACIFIC NORTHWEST NATION, NRC OFFICE OF INSPECTION & ENFORCEMENT (IE REGION V)
To:
Office of Nuclear Reactor Regulation
References
CON-FIN-L-1310 NUREG-CR-5836, PNL-7908, NUDOCS 9302230328
Download: ML20128N637 (34)
v  d  e


Text

. .

NUREG/CR-5836 PNL-7908 Auxiliary Feecwater Sys~:em Risi-Basec Insaec~: ion Guice for ~:he Pa_o Verde Nuc ear Power Plant Prepared by, J. D. Humgardner, N. E. Moffitt,11. F. Gore, T. V. Vo, J. A. Sloan Pacific Northwest Laboratory Operated by Battelle Memorial Institute Prepared for U.S. Nuclear Regulatory Commission PR DO OO 28 G PDR

I

  • - e  :

}

AVAILABILITY NOTICE -

Availab*ty of Reference Materials Cited in NRC Publicatons Most documents cited in NRC pubNcations will be available from one of the following sources:  :

1. The NRC Pubhc Document Room 2t20 L Street, NWJ, Lower Level, Washington, DC 205$5 ,

l 2, The Superintendent of Documents, U.S. Government Printing Office, P,0 Box 37082 Washington, 1 DC 20013 7082 -

3. The National Technicalinformation Service, Springfield, VA 22161 Although the ksting that follows represents the majority of documents cited in NRC pub!! cations, it is notJ
  • Intended to be exhaustive.

Referenced documents ava!'able for inspection and copying for a fee from the NRC Public Document Room include NRC correspondence and internal NRC memoranda; NRC bulletins, circulars, information notices; inspection and in>estigation notices; licensee event reports; vendor reports and correspondence; Commis-slon papers; and applicant end bcensee docuents and correspondence, The focowing documents in the NUREG series are ava!!able for purchase from the GPO Sales Program:

formal NRC staff and contractor reports, NRC-sponsored conference proceedings, international agreement -

reports,. grant publications, and NRC book'ets and brochures.: . Also available are regulatory culdes, NRC regulations in the Code of Federal Regulations, and Nuclear Regulatory Commission issuances ~

Documents avalable from the National Technical informatlon Service include NUREG-series reports and :

technical reports prepared by other Federal agencies and reports prepared by the Atomic Energy Commis-sion, forerunner agency to the Nuclear Regulatory Commission.

t Documents available from public and special technical librarles include all open hterature items, such as boolrs. journal articles, and transactons, Federal Register notices, Federal and State legislation, and con-gressional reports can usually be obtained from these libraries.

Documents sr.ch as theses. dissertations, foreign reports and translatior s. and non-NRC conference pro-ceecings are avallaL.e for purchase from the orgaatzathon sponsoring the publication cited.

Since copies of NRC draft reports are available free, to the extent of supply, upon written request to thel Ofhee of Administration Distribution and Mall Services-Section,- U.Si Nuclear Regulatory Commaslon,-

Washington, DC 20555.

Copies of indust'y codes and standards used in a substantive manner in the NRC regulatory process are maintained at the NRC Library,7920 Norfolk Avenue, Bethesda, Maryland, for use by the public, Codes and standards are usualty copyrighted and may be purchased from the originating organization or, H they are-- .

American National Standards, from the American National Standards institute,1430 Broadway. New York, '

NY 10018, ,

DISCLAIMER NOTICE '

This report was prepared as an account of work sponsored by an agency of the United States Government.

j Neither the United State-s Govemment nor any agency thereof, or any of their employess, makes any warranty, j_ expressed or implied, or assumes any legal liability of responsibility for any third party's use, or the results of -

E such use, of any information, apparatus, product or process disclosed in this report, or represents that its use by such third party would not infringe privately ownod rights.-

l-4 I.

i NUREGiCR-5836 PNL-7908 Auxi;iary Feecwater System Ris1-Based Inspection Guide for the Pa o Verc.e Nuclear Power Plant Manuscript Completed: December 1992 Date Published: February 1993 Prepared by J. D. Bumgardner, N. E. Moffitt, it F. Gore, T. V. Vo, J. A. Sloan*

Pacific Nonhwest laboratory Richland, WA 99352 Prepared for Division of Systems Safety and Analysis Office of Nuclear Reactor Regulation U.S. Nuckar Regulatory Commission Washington, DC 20555 NRC FIN L1310

'U.S. Nuc! car Regulatory Commission

. - . . - - .- . - . . . ~ - ~ ~ - _ .. .-

Abstract -

In a study sponsored by the U.S. Nuclear Regulatory Commission (NRC), Pacific Northwest Laboratory has developed and applied a methodology for deriving plant-specific risk-based inspection guidance for the auxiliary feedwater (AFW) system at pressurized water reactors that have not undergone probabilistic risk assessment (PRA). This methodology uses existing PRA results and plant operating experience information. Existing PRA based inspection guidance information recently developed for the NRC for various plants was used to identify generic component failure modes. This information was then combined with plant specific and industry-wide component information and failure data to identify failure modes and failure mechanisms for the AFW system at the selected plants. Palo Verde was selected as one of a series of plants for study. The product of this effort is a prioritized listing of AFW failures which have occurred at the plant and at other PWRs. This listing h intended for use by NRC inspectors in the preparation ofinspection plans addressing AFW risk-important components at the Palo Verde plants.

iii NUREG/CR-5836

Contents Abstract ..... .. .. ................. ............... .. ...................................... iii Summary................................................................................... Ex Acknowledgments . . . . . ... . ........... .................................................. . xi 1 i n t r od u ct ion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.1 2 Palo Verde A RV Syst e m . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ... ......... ... . .............. 2.1 2.1 System Description . . . ... .. ......... . . . ... . .......... .... .... ..... 2.1 2.2 Success Criterion .... . .. .. . . .... .. ..... .. . ..... ... .. ..... . ........... 2.1 23 System De pendencies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .... . ............ 2.2 2.4 Operational Constraints . . . . ,, .. . ... .. , .... ... .... . . ...... ............. 2.2 3 Inspection Guidance for the Palo Verde ARV System .... ..... .. ................... .......... 3.1 3.1 Risk Important AFW Components and Failure Modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3.1 3.1.1 Multiple Pump Failures Due to Common Cause . ... ..... .. .. ,. ....... . ......... 3.1 3.1.2 Turbine Driven Pump AFA-P01 Fails to T. tart or Run . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3.2 3.13 Motor Driven Pump AFB-P01 or AFN-P01 Fails to Start or Run . ....... ..... ......... 33 3.1.4 Pump Unavailable Due to Maintenance or Surveillance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33 3.1.5 M ot or Ope rat ed Valves . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33 3.1.6 Manual Suction or Discharge Valves Fail Closed . . . .. . . .......... ...... ....... 3.4 3.1.7 Leakage of Ilot Feedwater through Check Valves . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3.5 3.2 Risk Important ARV System Walkdown Table . . . ,, ...... .... .... ................... 3.5 4 G ene ric Risk Insights From PRAs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4.1 4.1 Risk Important Accident Sequences involving AFW System Failure . . . . . . . . . . ... .... .... 4.1 4.2 Risk Important Component Failure Modes . . . . . . . . . . . .. .......... ............ ......... 4.1 5 Failure Modes Determined From Operating Experience . . . . . . . . . . . ....... ... ........ .... .. 5.1 5.1 Palo Verde Experience . . . ...... .. .... ........ .. .. .. . . . .. ....... ... 5.1 5.1.1 ARV Pump Control Logic, Instrumentation and Electrieal Failures . ... .... ... ....... 5.1 5.1.2 Failure of ARV Pump Discharge Flow Control and Isolation Valves to Steam Generators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ... ............. ......... 5.1 5.13 AFW Valve Failures . . . . . . . . . . . . . . .. ....... . .. ..... ... ...... ... . ... 5.1 5.1.4 liuman Errors . . . . ... .. . . .. .. .. . ... . ... . .. .... .... 5.1 v NUREG/CR-5836 1

i . _ .

5.2 I nd us t ry.Wid e Expe rie n ce . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5.1 5.2.1 Co m mo n Ca use Fa il u res . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5.2 5.2.2 H u m a n E r r o rs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5.4 5.2.3 Design / Engineering Problems and ".r . ors . . . . ............. ........... ......... ..... 5.4 5.2.4 Component Failures . . . . . . .... ... .......... ........ .. ............ ........... 5.5 6 References............................................................................... 6.1 NUREG/CR-5836 vi

Figure 2.1 Palo Verde Auxiliary Feedwater System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2.3

'Ihble 3.1 Risk Important AFW System Walkdown Thble for Palo Verde AFW System Components . . . . . . . . . . . . . . 3.6 4

vii NUREG/CR-5836

l

-i

'l

. Summary 1 This document presents a compilation of AFW system failure information which has been screened for risk '. .,

significance in terms of failure frequency and degradation of system performance. It is a risk.prioritized listing of .

failure events and their causes that are significant enough to warrant consideratior. In inspection planning at the Palo Verde plant. This information is presented to provide inspectors with increased resources for inspection planning at - ,

Palo Verde.

The risk importance of various component failure modes was identified by analysis of the results of PRAs for many'.

pressurized water reactors (PWRs). However, the component failure categories identified in PRAs are rather broad, because the failure data used in the PRAs is an aggregate of many individual failures having a variety of root causes. In -

order to help inspectors focus on gecific aspects of component operation, maintenance and design which might cause these failures, an extensive review of component failure information was performed to identify and rank the root ;

causes of these component failures Both Palo Verde and industry-wide failure information was analyzed. Failure causes were sorted on the basis of frequency of occurrence and seriousness of consequence, and categorized as common cause failures, human errors, design problems, or component failures.

This information is presented in the body of this document. Section 3.0 provides brief descriptions of these risk-

. Important failure causes, and Section 5.0 presents more extensive discussions, with specific examples and references.

The entries in the two sections are cross-referenced.

An abbreviated system walkdown table is presented in Section 3.2 which includes only components identified as risk important. This table lists the system lineup for normal, standby system operation.

This ir formation permits an inspector to concentrate on components important to the prevention of core damage.

However,it is important to note that inspections should not focus exclusively on these components. Other components which perform essential functions, but which are not included because of high reliability or redundancy, .

must also be addressed to ensure that degradation does not increase their failure probabilities, and hence their risk .

importance. -

l l

V l'

l' ix - NUREG/CR-5836

  • = - 5 f TI

Acknowledgmenis We wish to thank Dave IJarenzi, A. Fernandez, Dave Pan, and Roy Linthicum of the Arizona Public Service Company for reviewing and validating this document, Their input to Sections 2,3, and 4 make this report a more useful inspection tool. Their cooperation is greatly apprecated.

i-1 I

i d NUREG/CR 5836 l

1 Introducilon This document is one of a series providing plant-specific The remainder of the document describes and discusses -

inspection guidance for auxiliary feedwater (AFW) sys. the info.mation used in compiling this inspection guid-tems at pressurized water reactors (PWRs). This guld- ance Section 4.0 describes the risk importance infor-ance is based on information from probabilistic risk mation which has been derived from PRAs and its assessments (PRAs) for similar PWRs, industry-wide sources. As review of that section will show, the failure :

operating experience with AFW systems, plant specific categories identified in PRAs are rather broad (e.g.,

AFW system descriptions, and plant-specific operating pump falls to start or run, valve falls closed).. Section 5.0 experience. It is not a detailed inspection plan, but addresses the specific failure causes which have been

- rather a compilation of AFW system failure information combined under these categories.

which has been screened for risk significance in terms of failure frequency and degradation of system perform- AFW system operating history was studied to identify ance. The result is a risk prioritized listing of failure the various specific failures which have been aggregated events and their causes that are significant enough to into the PRA failure mode categories. Section 5.1.

warrant consideration in inspection planning at the Palo presents a summary of Palo Verde failure information, Verde plant. and Section 5.2 piesents a review of industry-wide fail-ute information. The industry-wide information was This inspection guidance is presented in Section 3.0, compiled from a variety of NRC sources,incluumg _

folknving a description of the Palo Verde AFW system AEOD analyses and reports,information notices,in-in Section 2.0 Section 3.0 identifics the risk important spection and enforcement bulletins, and generic letters, system components by Palo Verde identification num, and from a variety of INPO reports as well. Some . t her, followed by brief descriptions of each of the various . Licensee Event Reports and NPRDS event dcscriptions failure causes of that component. These include specific were also reviewed. Finally,information was fneluded human erro s, design deficiencies, and hardware fail- from reports of NRC-sponsored studies of the effects of ures. The discussions also identify where common cause plant aging, which include quantitative analyses of failures have affected multipic, redundant components. reported AFW system failures. This industry-wide' These brief discussions identify specific aspects of .information was then combined with the plant-specific :

system or component design, operation, maintenance, failure information to identify the various root causes of or testing for inspection by observation, records review, the PRA failure categories, which are identified in train.ing observation, procedures review, or by observa-' Section 3.0

tion of theimplementation of procedures. An AFW:

system walkdowri table identifying risk important com-p(ments and their lineup for normal, standby system operation is also provided.

l 1.1 NUREO/CR-5836

2 Palo Verde AIM System This section presents an overview description of the associated with each pump is tudcpendent from each Palo Verde Combustion Engineering Sptem 80 with a other. Steam for the turbine-driven pump is supplied Bechtel designed AFW system, including a simplified from either one or both steam generators upstream of schematic system diagram. In addition, the system the main steam isolation valves, through SGA-UV 134 success criterion, system dependencies, and adminis- and SGA-UV-138. Each AFW pump is equipped with a trative operational constraints are also presented. minimum recirculation flow system, which discharges back to the CST.

2.1 System Description Auxiliary feedwater is normally supplied '

  • the essential

{

a turbine-dtiven end motor-driven pumps inrough two redundant headers, to steam generators "1" and "2*, res-The AFW system provides feedwater to the steam Pectively. Each header contains two check valves, a generators (SG) to allow secondary-side heat removal from the primary sptem when main feedwater is wired open manual discharge Lolation valve, two motor-unavailable The system is capable of functioning for Operated regulating and isolation valves, a flow meas-uring device, and another check valve, before it joins the extended periods, which allows time to restore main main feedwater line inside tontainment. Each essential feedwater flow or to proceed with an orderly cooldown AFW header also contains a crossover line with redun-of the plant to where the shutdown decay heat cooling dant vahing that allows either essential pump to feed (SDC) system can remow decay heat. A simplified either steam generator. The non essential AFW pump schematic diagram of the AFW svstem ' is shown in is used to supply feedwater to the steam genet ators Figure 2.1.

through the main feedwater lines, upstream of the main 3e systern consists of a Condensate Storage Tank feedwater control valves auring startup and shutdown (CST), one seismic category I motor-driven (MD) AFW c nditions and it is isolated from the essential portions of the AFW system during emergency conditions.

pump, one seismic category I turbine-driven (TD) AFW pump, one seismic category II motor-driven pump, asso-The CST is the normal source of water for the AFW.

ciated piping, vahes, control, and instrumentation. The System and is required to store sufficient demineralized seismic category I and 11 pumps are designated as essen.

tial and non-essential, respectively. The essential water (300,000 gallons) to cooldown and maintain the reactor coolant system (RCS) at hot standby conditions portions of the system is designed to start up and estab-lish flow automatically. Both seismic category I pumps for 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> with steam discharge to atmosphere. All start when a steam generator low level generates an tank connections except those required for instrumenta-Auxiliary Feedwater Actuation System (AFAS) signal to tion, emergency feedwater pump suction, chemical analysis, and tank drainage are located above this mini-feed an intact steam generator. The turbine-driven mum level. A backup water supply for the essential pump will also start automatically on a loss of power (LOP) signal and the motor-driven purer will start when AFW pumps can be manually aligned from the Reactor the standby diesel generator re-energizes bus E-PBB. Makeup Water Tank (RMWr).

SO4, on a blackout.

Separate lines from the CST supply each motor-driven 2.2 Success Criterion pump and the turbine-driven pump. Isolation valves in the lines supplying the essential pumps are wired open System success requires the operation of at least one manual valves. The non-essential pump takes suction pump supplying rated flow to at least one steam from the CST, through redundant, motor-operated, iso- generator.

lation valves. Power, control, and instrumentation 2.1 NUREG/CR-5836 i

1

+~ - - -. - . - - .

le

= AFW System 2.3 System Dependencies each motor-driven pump powered from a separate emergency bus! If one AFW pump becomes inoperable, The ARVsystem depends on AC power for the motor- it must be restored to operable status within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> or driven pump and ARV system instrumentation, DC the plant mt.51 be shutdown to hot standby within the, power for control power to pumps and valves, and an next 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />. If two ARV pumps are inoperable, the automatic actuation signal.1he RMWT provides a plant must be shutdov,n to hot standby within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> backup water supply to the essential AFW pumps. The . and in hot shutdown within the following 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />. If all Main Feedwater System provides the flow path for three pumps are Inoperabic, action must be taken to normal reactor startup and shutdown operation of the immediately restore one.

AFW system through the main feedwater regulating controlvalves. Also,the turbine-driven pump requires . The Palo Verde 1bchnical Specifications require a _

steam availability. minimum inventory of 300,000 gallons (8 hout supply) of demineralized v ater be stored in the CST.- .With the . _j CST inoperable, it must be restored to operable status ,

within 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> or if the RM%T is demonstrated to be 2.4 Operational Constraints operable within the initial 4 hour4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> period, l' may serve as .

.] 4 a backup supply to the essential ARV pumps for seven

. When the reactor is in Modes 1,2,3, or 4, the Pal days.

Verde 7bchnical Specifications require that three AFW pumps and their associated flowpaths are operable with d

w

.i p .

l( NUREG/CR-5836 2.2

' AFW Systemi

-M 'N

} v.

1 m 1, ,

L $

ki g- 2 "l!" i 7

y  ! , 7 g :- .

I 3 j. ~s..

a  ! M' 7 i

l f '

l  %! S3Il d [l S3[i*3[l [ .

jgj jeg l l; [ *K!<! {!Cl I t!  !  ! }f i

j d,! '

n! }, L{jdj ti - *- - 5 4i b ' I.

~

! i -j

, x

, ,1 c .

_t l,a i jis

.- r \ 'l i N,g

_r,

. 35 i

_f. 5 - I T

[b .I /; Y -I i e i-

! 'h? j 5 412rs .n

" _ er _

t 's 1 i 'A i .

.l m& Li{ & L15

'v 6 %C.

r _.2 - - . _

=

k $ _

n

" 6

(

j ^

' 2.3 NUREO/CR-5836 o ___ _ -- . .

3 Inspection Guittance for flic Palo Venie AFW Systein in this section the rkk important components of the 11.1 Multiple Punip Fultures 1)ue to Palo Verde AFW system are identified, and the import- Cominun Cause ant modes t,y whkh they are likely to fail are briefly desceibed. 'these tailure modes include specific hurnan The falt ..ing listing summarl/cs the most important errors, design problems, and types of hardware failures inultipic.purnp failure modes identitled in Section 5.2.1, whk h hat , been observed to occur for these types of Common Cause Pallures, and exh item 1. ' yed with a oimponen, both at San Onofic and at PWRs through. 3411g i todo to entries in that section.

out the nuclear industry. 'the discuulons aim identify where common cause fallutes have aff ected multiple, ,

inconett operator intervention into automatic redundant components. Thee brief dhtuulons identify system functioning, including improper inanual spc4 tric mpects of system or component design, opera' itarting and securing of purnps, has caused tion, maintenance, or testing for observation, record 4 failure of all pumps, including overspeed trip on review, tialning observation, piocedures review or by startup, and inability to restatt prematurely observation of the truplementation of proudures. secured pumps. CCl. Y

'lhble 3.1 b an abbreviated AFW system walkdown table inspection Suggestion. Observe Abnormal and whit h identifica risk Important components. This table limergency Operating Procedure (AOP)/EOP) simu-lbts the systr- lineup for normal, standby system ope:a. lator training exercises to verify that the operators tion. Inspes > of the components identified nddresses comply with pimedures during observed evolutioM.

essentially an of the hk associated with AFW system Observe suiveillance testing on the AFW systerr ,o operation. verifyit is in stikt compliance with the surveillance test po>ced ure.

3.1 Itisk linportant AFW Components . wlve mispositioning bn caused failure of all anti Falltire blotles pumps. Pump suction,, cam supply, and in, strument isolation valves have been involved.

CC1 Comm. icause failures of multiple pumps are the most risk-important failure modes of AFW system compon-ents. '1hese are followed in importance by single pump Inypeedon Suggnuon. Verify that the system valve failures, level cont rol valve failures, and individual checic alignment, air operated valve c<mtrol and valve actu-ating air pressures are au rect using 3.1 Walkdown valve backleakage failures.

'Ihble, the system operating procedures, and operator rounds logsheet. Review surveillance procedures that The following sections adocss cach of these failure alter the standby alignment of the AFW system. Ensure modes,in decreasing order of importance. They present that an adequate return to normal alignment section the important root causes of these component fallute CXI515-modes which have been distilted from historical records, from Palo Verde and other plants. Each item is keyed

  • Steam binding has caused failure of multiple to discussions in Section 5.2 which present additional pumps. This resulted from leakage of hot information on historical events.

feedwater past check valves and a motor-operated valve into a common discharge header.

CC10. Multiple pump steam binding has also resulted from improper valve lineups, and from running a pump deadheaded. CC3. 'lhe mul-tipic isolation valves in cach essential AFW 3.1 NUREG/CR 5836

I J

Inspection Guldance >

I k

flowpath which are normally closed minimite connections, oil leaks and/or contamination, the hazard awociated with steam binding at and electrical faltures of resistors, transistors, Palo Verde. l diodes and circuit cards, and erroneous grounds j and connections. CF5 Sinillar failures have i inspection Suggestion. Verify that the pump discharge been experienced at Palo Verde. ,

piping temperature monitoring tape is the appropriate color for the tape installed. Inspection Suggestion. Review PM records to assure i the governor oil is being replaced or sampled and ' M

+ Pump control circuit deficiencies or design analyzed within the designated frequeng. During plant modification errors have caused failures of walkdowns carefully inspect the governor and linkages multiple pumps to auto start, spurious pump for loose fasteners, leaks, and unsecured or degraded .,

trips during operation, and failures to restart mndult. Review vendct manuals to ensure PM proced-after pump shutdown. CC4. -Incorrect setpoints urcs ele performed according to manufacturer's recom - t and control circuit calibrations have also mendations and good maintenance practices.

prevented proper operation of multiple pumpt _

CC5.

  • 7ttry turbines with Woodward Model EO gover. l nors have been found to overspeed trip if full steam . y inspection Suggestion. Review design change imple. flow is allowed on startup. Sensitivity can be _

mentation documents for the post maintenance testing reduced if a startup steam bypass valve is sequenced '

required prior to returning the equipment to service. to open first. del.

Assure the testing verifies that all potentially impacted functions operate wrrectly, and includes repeating any Impection Suggestion. Observe the operation of the . -

plant start.up or hLt functional testing that may be turbine driven Aux Feed pump during pump testing, and affected by the design change. assure that the one inch steam supply valves SG UV -

134A and 138A open first; and af ter k time delay the _ ,

  • Loss of a vital power bus has failed both the steam supply MOW open.-

tur': .1c-driven and one motor driven pump due .

to loss of control power to steam admission

  • Condemate slugs in steam lines have caused valves or to turbine controls, and to motor turbine overspeed trip on startup. 7bsts controls powered from the same bus. CC6. repeated right after such a tilp may fall to indicate the problem due to warming and clear.

Inspection Suggestion, he material condition of the ingof thesteamlines, Surveillancesshoukt electrical equipment is an indicator of probable exercise allsteam'snply connections. DE2. At reliability. Review the Preventative Maintenance (PM) Palo Verde, the steam supply lines are kept records to assure the equipment is maintained on an warm and free of condensate using controlled appropriate frequeng for the environment it is in and leakage, some of which passes through the that the PMs are actually being performed as required turbine, Operators verify the line temperature by the program. Review the outstanding Corrective is greater than 190 Fon their rounds.

Maintenance records to assure the deficiencies found on the equipment are promptly corrected. Inspection Suggestion. Verify that the steam traps are.

valved or bypassed on the steam supply line. If the :

3.1.2 'nirbine Driven Purnp AFA Pol Falls to steam trap discharge is visible, assure there is evidence Start or Run ofliquid discharge.

  • * ' Rip and throttle valve (AFA-liv 54) problems Improperly adjusted and inadequately main.

tained turbine governors have caused pump which have failed the turbine driven pump i failures. lie 2. Problems include worn or include physically bumping it, failure to reset it -

' k>osened nuts, set screws, linkages or cable following testing, and failures to verify control-l NUREO/CR-5836 3.2

_ _ _ _ _ . . - _ _ _ _ . ~ .. . _ _ _ _ ._. a

luspection Guidance room indication of re. set, llE2. Whether either cerning documentation of procedural deficiencies.

the overspeed tilp or trip and throttle valve Ensure operator training on procedural thanges is (ITV) trip can be reset withou: resetting the ourrent.

other, and unambiguity of control room and local indication of TTV position and overspeed 3.1.4 Punip Unnvallable Due to hininlenance trip linkage reset status, all affect the likelihood or Surveillance of these errors. DE3. At Palo Verde, the TlY has failed to reset properly due to misalignment

  • Both scheduled and unsc heduled m.natenance of the mechanical trip latch and control remove pumps from operability. Surveillance indication has been lost due to a blown f use. A requires operation with an altered line up, job performance measure (JPM) now exists to although a pump train may not be dectated train the operators on reset of the linkage- inoperable during testing. Prompt scheduhng and performance of maintenance and Inspection Suggestion. Carefully inspect the TTV over- surveillance minimite this unavailability.

speed trip linkage and assure it is reset and in good phpical condition. Review training procedures to Irnpection Suggeuton. Review the time the AFW ensure operator training on resetting the TrV is cut- system and components are inoperable. Assure rent. Observe operators during the monthly surveil' maintenance is scheduled to have a minimum of lance, and randomly select operators and have them equipment outages. The maintenance should be simulate a reset of the linkage, scheduled before the routine surveillance test, so credit can be taken for both post maintenance testing and 3.1.3 hiotor Driven Pump AFil.P01 or AFN- surveillance testing, avoiding excessive testing. Review P01 Falls to Start or Run surveillance schedule for frequency and adequacy to verify system operabilit) requirements per 'Ibchnical

  • Control circuits used for automatic and manual Specifications. Review quarterly safety system pump starting are an important cause of motor performance indicator for the Auxiliary Feed system.

driven pump failures, as are circuit breaker failures. CF7. A circuit breaker failure at Palo 3.1.5 hiotor Operated Valves Verde has caused a motor driven pump to fail to start. ' Rain A: HV-32.11V-33 UV-36. UV-37 Jbit!A,llV.30.11V 31. UV 34. UV-35 Inspection Suggestion. Review corrective maintenance Non-Essential Pump Sueticm: Recirculation: ilV-4.

records and non-conformance reposts when control HV-1: HV 95 circuit problems occur to determine if a trend exists.

Every time a breaker is racked in a post maintenance . Common cause failure of MOVs has resulted test (PMT) should be performed to start the pump, from failure to use electrical signature tracing assuring no control circuit problems have occurred as a equipment to determine proper settings of result of the manipulation of the breaker. (Control torque switch and torque switch bypass circuit stabs have to make up up(m racking the breaker, switches. Failure to calibrate switch settings for as well as cell switch damage can occur upon removal high torques necessary under design basis and reinstallation of the breaker.) accideht conditions has also been involved.

CCll. Palo Verde has experienced MOV fall-

  • Mispositioning of handswitches and procedural ure due to improper torque switch settings.

deficiencies have prevented automatic pump start. HE3. Inspection Suggestion. Review the MOV analytical test records to assure the testing and settings are based on Inspection Suggestion. Confirm switch position using dynamic system conditions. Overtorquing of the valve

'Thble 3.1. Rcview administrative procedures con- operator can result in valve damage such as cracking of 3.3 NUREG/CR-5836

Inspection cuidanee I

the seat or disc. Review the work documents to assure 3.1.6 Manunt Suction or Dlscanrge Valves fall ov(rtorquing is identified and correcthe actions are Closed taken to assute vahe operability following an overtorque condition. Review the work documents to T.Mn A: A.f4% AF-016 1 anure equipment qualification (EO) seats are renewed Train B: AF-021. AF-025 as required during ihe restoration from testing to Non Ewential Pumn: AF-001. AF-013 maintain the EO rating of the MOV.

These manual valves are all normally wired open. For

- Valve motors have been failed due to lack of,or each train, closure of the first valve kisted would block impropcr sizing or use of thermaloverload pump suction and closure of the sec(md valves would protective devices, Bypassing and oversiting block pump discharge, except for recirculation to the should be based on proper engineering for

~

CST.

design basis conditions. CF4.

  • Valve mispositioning has resulted in failures of Impection Suggestion. Review work documents to multiple trains of AFW. CC2. It has also been assure setpoints match the design settings. the dominant cause of problems identified dur.

Ing operational readiness inspections. HEl.

Grease trapped in the torque switch spring pack Due to Palo Verde's design, multiplc valve rnis-of 1 imitorque SMD motor operators has caused positioningwould be required to defeat AFW motor burnout or thermal overload trip by function. Events have occurred most often dur-preventing torque switch actnation. Cl% Palo ing maintenance, calibration, or system modifi-Verde has experienced similar failures- cations. Important causes of mispositioning include:

Inspection Suggestion. Review this only if the MOV testing program rescals deficiencies in this area. -

Failure to provide complete, clear, and specific procedures for tasks and system

. Manually reversine the direction of motion of restoration operating or coasting down MOVs has over-loaded the motor circuit. Operating pr9cedures - Failure to promptly revise and validate should proside cautions, and circuit designs may procedures, training, and diagrams fol-prevent reversal before each stroke is finished. lowing system modifications DE7. A valve motor operator was shorted as a result of personnel error during performance -

Failure to complete follow a written testing. procedure inspection Suggestion. Verify procedures and training - Pailure to adequately review uncom-address reversal of valve direction midstroke, pleted proceduralsteps after task Space heaters designed for preoperation storage have been found in DC MOVs wired in parallel - Pallure to verify support functions after with valve motors which had not been environ- restoration mentally qualified with them present. DC&

Pailure to adhere scrupulously to inspection Suggestion. Spot check MOVs curing MOV administrative procedures regarding testing to assure the space heaters are physically tagging, control and tracking of valve removed or disconnected. operations NUREO/CR-5836 3.4 i

Inspection Guldunce

- Failure to log the manipulation of Inspection Suggestion. Coveted by 3.1.1 bullet 3.

scaled valves

  • Slow leakage past the final check valve of a Failure to follow pod practices of series inay not force the (heck valve closed.

written task auignment and feedback of Other c heck valves in series inay leak similarly, task completion information Piping orientation and valve design are important factors in achieving true series Failure to provide easily read system protection CFl.

drawings, legible valve labels corres-p<mding to drawings and procedures, inspection Suggestion. Covered by 3.1.1 bullel 3.

and labeled indications of local valve position 3.2 Risk Important AFW System inspection Suggestion. Review the application of grgg ,gg administrative controls that relate to valve positioning and sealing, system restoration following maintenance, valve labeling, system drawing updating, and procedure %ble 3.1 presents an AFW systern walkdown table resisjon, for proper implementation. Including only cotuponents identified as risk important.

The lineup indicated is for normal power operation.

Ws information allows inspntors to conannate their 3.1.7 leakage of Ilot fecthvater il rougli efforts on components important to prevention of core Clieck Vnives: damage. Ilowever,it is essential to note that inspec-tions should not focus exclusively on these comments.

]hil_n,A AF-139. AEdon AF-079 Other components which pet form essential functions,

'llain it AF.J 38. AF-02.4, AF-080 but w hich are absent from this table tiecause of high Non-Euential tumrc AF-012 reliability or redundancy, must also be addrewed to ensure that their risk importances are not increased.

+ leakage of hot feedwater through several(heck F2amples include the (open)!. team lead isolation valves valves in series has caused steam binding of upstream of iIV-4716, an adequate water level in the multiple pumps. CC10. CST, and the (closed) valves cross connecting the discharges of the two motor-ditven AFW pumps.

3.5 NUREG/CR 5836

Inspection Guidance r

t i

hhle 3.1. Itisk Important AITY System Walkdown hble for Palo Verde AITY System Components Component Required Actual - t Component Name Position , Pontelon Number l l

B ESF Switchcear Roont AFDPol Motor Driven Pump Racked in .;

Indicating Lights Lit - i lockout Black Flag A ESF Switchcear Room AFN-Po t Motor Driven Pump Racked In/

Indicating Lights Lit Lockout Black Flag A Auxiliary Fml Pump Room AFA 1IV-54 Tiip and Hrottle Valve Reset /Open AFC-11V-33 AFW Pump A Flow Control to SO/ #2 Closed AFA UV 37 AFW Pump A Supply to S/O #21 solation Closed AFA V 137 Piping Upstream of Check %1ve Cool AFA-V 160 Body Drain T&T Valve Hrottled AFA-V 155 Turbine lithaust Drain Drottled AFA-FV-157 Turbine Casing Drain Brottied -

AFA-11V-32 AFW Pump A Ilow Control to S/O #1 Close

. AFC41V ARV Pump A Supply to S/O #1 Isolation ~ Closed AFA-V-M2 Main Steam Supply to AFW Pump.A _ Locked Open isolation AFA-V-016 - AFW Pump A Discharge Isolation Wired Open AFA-V-017 AFW Pump A Miniflow Isolation Locked Open l

l NUREO/CR-5836 1.6 l

.:. -;,- - _ :. ;-.- , , ..- .a.a _.. .. z . . , ; . a.. a - -. ~ ;, ..;,,,,-.

Impntion Guldunce lhble 3.1 (Continued)

Component itequirni Actual Number Component Name Pmillon ,

Pmithn AFA.V 058 AFW Pump A Suction from Reactor Clot Makeup \Wier lhnk AFA.V.006 A14Y Pump A Suction Itom CST Wired Open .

AFA-V-Ol $ Piping Upstream of Check %Ive Cool B AuxillatyhnLl'umpl[oits AFibilV.31 Al%V Pump 11 How Control to S/O #2 Closed _

AFil-UV.35 AFW Pump B Supply to S/O #2 Closed AFil-V-138 Piping Upstream of Check Wlve Cool AFB-llV.30 Al%V Pump 11 Flow Control to S/G #1 Clmed AMI UV.34 AITV Pump 11 Supply to S!G # 1 Isolation Closed AFil V.025 AITV Pump 11 Discharge isolation imcLed Open AFil.V-026 AFW l' ump B Miniflow Isolation lawked Open AFil-V-02x AFW Pump 11 Suction from Reactor Closed ,,

Makeup \Wier lhnk AFit V-021 AFW Pump B Suction from CST locked Open AFil.V-024 Piping Upstream of Check Wlve Cool Condemate ltamfer Pump Room CT.V-014 CSTisolation to AFW Pump B 12xted Open AFibV-078 AFW Pump B Recirculation to CST locked Open CT V-015 CST ! solation to AIAV Pump A locked Open AF,tV-077 AFW Pump A Recirculation to CST locked Open 3.7 NUREO/CR 5836

luspection Guidante

'Imble 3.1 (Continued)

Component Hequired Actual Number Component Name Position l'esition CrIl%4 Non Essential AFW Pump Suetion flom CST Closed CTil%1 Non Essential AITV Pump Suetion from CST Closed Iktbine 1)Sildine lfW) ft _.___

Al%Y401 Norrliential AISV Pump Suction isolation locked Open _ ,

AFN %012 Pip!ng Upstream of Check Valve Cool A

AFN %013 Non Essential AISV Pump Dhcharge locked Open L AFN-llV-95 Non Essential AITV Pump Minillow Open AFN %133 Recirculation 1lypaw lock Closed AFA %055 AUX Steam Supply to AISV Pump A Imck Closed hialn Steam Support Structure 120 ft ,

SO AJU%134 A S/O #1 Supply isolation to ATTY Pump A Closed -

SOA U%138 11 S!O #2 Supply isolation to Al%V Pump A Closed Control Room Panel 6

[

SG A-U%134A S/G #1 Supply isolation Solenoid Ilypau Valve Closed SO A UV 138A S/O #2 Supply isolation Solenoid llypass Valve Closed NUREO!CR-5836 3.8

4 Generic llisk insights From Pitas PRAs for 13 PWRs were analynd to identify risk- 4.2 IllSk Important Component Failure important accident sequences involving loss of AFW, ggggg and to identify and risk prioritize the component failure modes involved. The results of this analysis are des-cribed in this section. They are consistent with results ne generic component failure modes identified from PRA analyses as important to AFW system failure are reported by INEL and BNL (Gregg et al.1988, and listed below in decreasing order of risk importance.

' Davis et al.1988).

(1) 'Ibrbine-Driven Pump Failure to Start or Run.

4.1 Itisk Important Accident Sequences p) Motor Driven Pump Failure to Start or Run.

Involving AFW System Failure (3) TDP or MDP Unavailable due to Tbst or teu of Power System Maintenance.

  • A lou of ofkite pmer is followed by failure of (4) AIAV System Valve Failures Al'W, resulting in core damage.
  • steam admission valves
  • A station blackout fails all AC power except Vital AC from DC invertors, and all decay heat removal a trip and throtlic valve systems except the turbine-driven AFW pump.

AFW subsequently fails due to battery depletion or e flow costrol valves hardware faliures, resulting in core damage.

  • pump discharge valves
  • A nc bus falls, causing a trip and failure of the power conversion system. One AINV motor driven
  • pump suction valves pump is failed by the bus loss. AFW is subsequently
  • valves in testing or maintenance.

lost completely due to other failures.

Tramient Caused Reactor or %rbine Trip (3) Supply / Suction Sources

  • 6_ttJamient-enmed trip is followed by a loss of PCS
  • condensate storage tank stop valve and AIAV.
  • suction valves.

Ims of Main Feedwater in addition to individual hardware, circuit,or instru-

  • A lou of main feedwater trips the plant, and AITV ment failures,each of these failure modes may result fails due to operator error and hardware failures. from common causes and human errors. Common cause failures of AIAV pumps are particularly risk Steam Generator hbe Rupture important. Valve failures are somewhat less important due to the multiplicity of steam generators and connee-
  • An SGTR is followed by failure of AFW. Coolant is tion paths. Iluman errors of greatest risk importance lost from the primary until the RWST is depleted. involve: failures to initiate or control system operation llPI fails since recirculation cannot be established when required; failure to restore proper system lineup from the empty sump, and core damage results. after maintenance or testing; and failure to switch to alternate sources when required.

4.1 NUREO/CR ,5836

l l

5 Falliire Modes Determine (1 From Operating Experience his section describes the primary root causes of 5.1.2 Failure of ArW Pump Discharge Flow component failures of the AITV system, as determined Control and Isolation Valves to Steam from a review of operating histories at palo Verde and Generators at other PWRs throughout the nuclear industry. See-tion 5.1 describes experience at Palo Verde. Section 5.2 Here have been fificen failures of the pump discharge summarizes information compiled from a variety of flow control and isolation valves from 1986 to 19%).

NRC sources, including AEOD analyses and reports' These have resulted from excessive hatdened grease in information notices, inspection and enforcement bulle-toique switch s,pring packs, failed circuit breakers, out of tins, and generic letters, and f rom a variety of INPO adjustment torque and limit twitches, and excessive reports as well. Some Licensee Event Reports (LERs) packing leakage. The failure causes were attributed to and NPRDS event descriptions were also reviewed.

mW weg corrosion, inadequate valve design and Finally,information was included from reports of NRC' inadequate preventative maintenance, sponsored studies of the effects of plant aging,which include quantitative analyses of AFW system failure reports. This information was used to identify the 5.1. AITV Valve Failures various oot causes expected for the broad PRA based failure categories identified in Section 4.0, resulting in Between 1986 and 1990 there have been seven events the inspection guidelines presented in Section 3.0. involving AFW valve failures resulting in excessive leakage. The failure cause in all cass was normal weu of valve components.

5.1 Palo Verde Experience 5.1.4 iluman Errors The AFW system at Palo Verde has experlenec4 Dere have been nine r,ignificant human errors affectinj

approximately 50 significant equipment failures between the AFW system from 1986 to 1990. Personnel have 1986 and 1990. These include failures of the AISV inadvertently actuated the AFW pumps during survell.

pumps, the pump dist harge flow etmtrol valves to steam , gg g g generators, numerous valve operators, the turbine g gg gg governor and several circuit breakers. Pallure modes include electrical, instrumentation, and hardware and improperly installed valve internals. Both person-nel error and inadequate procedures have been f res' involved.

5.1.1 AlqY Pump Control logic, Instrumentation and Electrical Failures 5.2 Industry-Wide Experience Dere have been twelve failures of the AFW pumps to lluman errers. design / engineering problems and errors, start and/or run properly experienced from 1986 to and component failures are the primary root causes of 1990. These have resulted from failures of governor AFW System failures identified in a review ofindustry speed control linkages, circuit breakers, motor bearings' wide system operating history. Common cause failures, high vibreion, and impeller failures. De failure causes which disable more than one train of this operationally are mechanical wear, corrosion, inadequate design and redundant system, are highly risk significant, and can inadequate preventative maintenance proctdures, g g gg gg g ,

5.1 NUREO/CR 5836

{

Failure Modes This section identifies important common cause failure checklists, weak administrativs controlof tagging, modes, and then provides a broader discussion of the restoration, independent verification, and locked valve single fa!!ut e effects of human errors, design / logging, and inadequate adherence to proceduses.

engineering problems and errors, and component lilegible or confusing local valve labeling, and failures. Paragraphs presentingdetails of these failure insufficient tralning in the determination of valve modes are coded (e.g., CCl) and cross. referenced by position may cause or mask mispositioning, and inspection iterns in Section 3. surveillance which does not exercise complete system functioning may not teveal mispositionings.

5.2.1 Common Cause Fnilures 003. At ANO.2,both AFW pumps lost suction due to ne dominant cause of AFW system multiple. train fall. steam binding when they were lined up to both the CST urcs has been human error. Design' engineering errors and the hot startup/ blowdown demineraliter cifluent and component failures have been less frequent,but (AEOD/C4N 1984). At Zion.1 steam created by run.

nevertheless significant, causes of multiple train failures. ning the turbine. driven pumn deadheaded for one minute caused trip of a mot- .iven pump sharing the same inlet header, as well as amage to the turbine.

FCL lluman error in the form ofincorrect operator -

intervention into automatic AISV system functioning driven pump (Region 3 Morning Report,1/17f>0). Both during transients resulted in the tempcrary loss of all events were caused by procedural inadequacies, safety. grade AIAV pumps during events at Davis Besse (NUREG. ll541985) and 'nojan ( AEOD/T4161983). CC4. Design / engineering errors have accounted for a in the Davis Besse event, improper manual initiation of smaller, but significant fraction of common cause fall.

utes. Problems with control circuit design modifications the steam and feedwater rupture control system (SFRCS) led to overspeed tripping of both turbine. at Farley defeated AISV pump auto. start on loss of main feedwater. At Zion.2, restart of both motor driven driven AINV pumps, probably due to the introduction of condensate into the ATAV turbines from the long, pumps was blocked by circuit failure to deenergize when unheated steam supply lines. (The system had never the pumps had been tripped with an automatic start sig.

been tested with the abnormal, cross. connected steam nal present (IN 82-01 1982). In addition, AFW control supply lineup which resulted.) In the'Rojan event the circuit design reviews at Salem and Indian Point hP?e identified designs where failures of a single component operator incorrectly stopped both AIAV pumps due to rnisinterpretation of MIAV pump speed indication. De could have failed all or multiple pumps (IN 87 341987).

diesel driven pump would not restart due to a protective feature requiring complete shutdown, and the turbine. CC5. Incorrect setpoints and control circuit settings driven pump tripped on overspeed, requiring local reset resulting from analysis errors and failures to upoate of the trip and throttle valve. In cases where manual procedures have also prevented pump start and caused intervention is requlted during the early stages of a pumps to trip spuriously. Errors of this type may transient, training should emphasize that actions should remain undetected despite surveillance testing, unless be performed methodically and deliberately to guard surveillance tests model all types of splem initiation against such errors. and operating conditions. A greater fraction ofinstru.

mentation and control circuit problems has been identi.

002. Wlve mispositioning has accounted for a signifi. fled during actual system operation (as opposed to cant fraction of the human errors failing multiple trains surveillance testing) than for other types of failures.

of AFW. This includes closure of normally open suction valves or steam supply valves, and of isolation valves to CC6. On two occasions at a foreign piant, failure of a sensors having control functions, incorrect handswitch balance-of. plant inverter caused failure of two AIAV positioning and inadequate temporary wiring changes pumps. In addition to loss of the motor driven pump have also prevented automatic starts of multiple pumps. whose auxiliary start relay was powered by the invertor, Factors identified in studies of mispositioning errors the turbine driven pump tripped on overspeed because include failure to add newly installed valves to valve the governor valve opened, allowing full e m Saw to NUREO/CR-5836 5.2

l' allure Moden l

the turbine. This illustrates the importance of assessing causc41 by bat kleakage of hot water through inultiple the effects of failures of balance of plant equipment check valves. At Robinson.2 both motor driven pumps v.hich supports the operation of critical cumponents. were found to be hot, and both motor and steam driven

'Ihe instrument alt system is another example of such a pumps were found to be inoperable at different times.

System. Itacklcakage at Robinson 2 passed through (loud motor-operated isolation valves in addition to multiple M. Multipic Al:W purrp trips have occurred at check valves. At I arley, both motor and turbine driven Millstone-3, Cook 1,'Itojan and Zion 2 (IN 87 5319X7) pump casings were found hot, although the pumps were caused by brief, low pressure oscillations of suction not declared inoperable. In addition to multi. train fall-pressure during pump startup. 'Ihese oscillations uses, numerous incidents of single train failures have occurred despite the i.vallability of adequate static occurred, resulting in the designation of ' Steam Illnding NPSil. Corrective actions taken include: cxtending the of Auxiliary 1:ecdwater Purnps' as Generic issue 93.

time delay awociated with the low pressure trip, 'Ihis generic issue was resolved by Generic letter 8843 removing the trip, and replacing the trip with an alarm (Miraglia 1988), which required licensees to monitor and operator action. AI W piping temperatures each shift, and to maintain procedures for recogniting steam binding and for ffH. Design errors discovered during AITY system re- scatoring system operability.

analysis at the Robinson plant (IN 89-301989) and at Millstone 1 resulted in the supply headct from the CST CCil. Common cause f ailures have also failed motor being too small to ptovide adequate NPSil to the operated valves. During the totallou of feedwater pumps if more than one of the three pumps were oper. event at Davis liesse, the normally-open AITV isolation ating at tale 1 flow umditions. His could lead to valves failed to open after they were inadvertently multiple purnp failure due to cavitation. Subsequent closed. The failure was due to improper setting of the reviews at Robinson identified a loss of feedwates torque switch bypass switch,which prevents motor trip tran*, lent in which inadequate NPSil and flows less than on the high torque required to unscat a closed valve, design values had occurred, but which were not recog- Previous probicms with these valves had been addressed nized at the time. Event analysis and equipment trend- by increasing the torque switch trip setpoint- a fix which ing, as well as surveillance testing which duplicates failed during the event due to the higher torque required service conditions as much as is practical, can help due to high differential pressure across the valve. Simi.

identify such design errors. lar common mode failures of MOVs have also ocourted in other systems, resulting in issuance of Ocneric letter

[C9. Asiatic clams caused failure of two AISV flow 8910,

  • Safety Related Motor-Operated Valve 'Ibling ccmtrol valves at Catawba 2 when low suction pressure and Surveillance (Partiow 1989).' This generic letter caused by starting of a motor driven pump caused suc- requires licensees to develop and implement a program tion source realignment to the Nuclear Service Water to provide for the testing, inspection and maintenance system. Pipes had not been routinely treated to innibit of all safety-related MOVs to provide assurance that clam growth, nor regularly monttored to detect their they williunction when subjected to design basis presence, and no strainers were installed. The need for conditions.

surveillance which exercises alternative system oper-ational modes, as well as complete system functioning, is [CJ1 Other component failures have also resulted in emphasized by this event. Spurious suction switchover Al W multi train failures. These include out-of.

has also occurred at Callaway and at McGuire, although adjustment clectrical flow c(mtrollers resulting in no failures resulted. Improper discharge valve operation, and a failure of oil cooler cooling water supply valves to open due to silt Colo. Common cause failures have also been caused by accumulation.

component failures (AEOD/C4041984). At Surry 2, both the luibine driven pump and one motor driven pump were declared inoperable due to steam binding 5.3 NUREG/CR 5836

l'ulture Modes I

5.2.2 Ilttrnnn Errors controlled turbine ac<eleration and buildup of oil pressure to control the governor valve when full steam 111:1. The overvhelmingly dominant cause of problems flow is admitted.

identified during a series of operatioral readiness evaluations of Al'W systems was human performante. 10.1 Overspeed trips of *lbry turbines have been

'the majority of these human performance problems caused by condensate in the steam supply lines. C4m.

iesulted f rom incomplete and incorrect procedures, par- densate slows down the turbine, causing the gosernor titularly with respect to valve lineup information. A valve to open f arther, and overspeed results before the study of valve mhpositioning cw:nts involving human posernor valve can respond, af ter the water slug clears.

error identified failures in administrative control of This was deterinined to be the cause of the lors-of all.

tagging and logging, procedur al compliance and wmple. AFW event at Davis liesse (AEOD/6021986),with con-densation er.hanced due to the long length of the cross-tion of steps,senheation of support systems,and inadequate procedures as important. Another study e4mnected steam lines. Repeated tests following a mid-found that valve mispositioning events occurred most start trip may be sucerssful due to systern heat up.

of ten during maintenance, calibration.or modification actisitics Insufficient training in determining valve D12 'Ibtbine trip and throttle valve (TIV) problems position, and in administrative requirements for con. are a significant cause of tutbine driven pump failures trolhng vahe positioning were important causes, as was (IN RM6). In some caser, erk of TlY position indi.

oral tan assignment without task completion feedback. cation in the control roam pri vented recognition of a tripped T1V. In other cases it was possible to reset Hil2. '1bibine driven pump failures have been caused by either the overspeed trip or the TiV without resetting human en ors in calibrating or adjusting governor speed the other. This problem is wmpounded by the f act that wntrol, poor governor maintenance, incorrect adjust. the [eition of the overspeed trip linkage can be mis-ment of gosernor vahe and oserspeed trip linkages, and leading, and the mechanism may lack labels indicating errors associated with the trip and throttle vahe. TIV. w hen 11 is in the tripped position ( AEOD/C6021986).

associated errors include physically bumping it, failure to restore it to the cortret position after testing, and pill Startup of turbineswith Woodward Model PG PL failures to verify c(mtrol room in heation of TIV posi. governors within 30 minutes of shutdown has resulted in tion following actuation. oserspeed trips when the speed setting knob was not er.creised locally to drain oil from the speed setting 1111 Motor driven pumps have been failed by human cylinder. Speed control h based on startup with an errors in mispositioning handswitches, and by procedure empty cylinder. Problems have involved turbine rota-deficiencies. tion due to both proccdure violations and leaking steam.

'lury has marketed two types of durnp valves for auto-3.23 Design / Engineering Profileins and matically draining the oil after shutdown ( AEOD/C602 198 %

Errors Dist. As noted above, the majority of AFW subsystem

^' '" " I"*"b"N*II* E"*C ' # "'

required a quick,' cold startup that resulted in turbine 51$res and the greatest relative system degradation, tr p due to PG-PL governor stability problems. The has been found to result from turbine-driven pump fail, ondenn mirective action was installation of stiffer utes. Overspeed trip < of Terry turbines controlled by buffer springs (IN 88-tN 1988). Surveillance had always Woodward governors base been a significant source of een p d h tuMnc wannup,which illustrates the these failures (AEOD/CM21986). In many cases these importance of testing which duplicates service condi-overspeed trips hase been caused by slow tbpona.e of a tions as much as is practical.

Woodward Model EG gosernor on startup, at plants w here full steam flow is allowed immediately. This over-1111 Reduced viwosity of gear box oil heated by prior sensitivity has been remosed by installing a startup pera neau fadure M a mmor dnwn pump to stan steam bypass valve which opens first, allowing a NUREG/CR-58% 5.4

l' allure Modes due to insuf ficient tube oil pressure, lowering the pres. thermally protected, yet in a way whic h emphasites sure switch setpoint solved the problem, which had not system function over protection of the operator.

been detected during testing.

Cfl. The common-cause steam binding effects of check

])l1 Waterhammer at Palisades resulted in AIAVline valve leakage were identified in Section 5.2.1, entry and hanger damage at both steam generators. The Al%V CClo. Numerous iingle-train events provide additional spargers are located at the normal steam generator level, insights into this problem. In some cases leakage of hot and are frequently covered and uncoscred during level MIAV past multiple check valves in series has occurred fluctuations. Waterhammers in top-feed ring steam because adequate valve seating pressure was limited to generators resulted in main feedline rupture at Palo the valves closest to the steam generators (AEOD/C404 Verde and feedwater pipe cracking at Indian Point.2 1984). At Robinson, the pump shutdown procedure was _

(IN M 321984). changed to delay closing the MOVs until after the check valves were seated. At Parley, check valves were 1)M. Manually reversing the direction of motion of an changed from swing type to lift type. Check valve operating valve has resulted in MOV failures where rework has been done at a number of plants. Different such loading was not consideied in the design valve designs and manufacturcrs are involved in this (AEOD/CM)31986) Control circuit design may prevent problem, and recurring leakage has been experienced, this, requiring stroke completion before reversal. even af ter !epair and replacement.

1)]iH At each of the units of the South 'Ibxas Projcet, CF2. At Robinson, heating of motor operated valves by space heaters provided by the vendor for use in pre- check valve leakage has caused thermal binding and fall.

installation storage of MOVs were found to be wired in ute of Al%V discharge valves to open on demand. At parallel to the Class lE 125 V DC motors for several Davis Besse, high differential pressure actoss AfSV Al%V valves (IR 50-489/8911; 50-499/8911 1989). The injection valves resulting from check valve leakage has valves had been environmentally qualified, but not with prevented MOV operation (AHOD/C6031986).

the non safety-related heaters energized.

Ef4 Gross check valve leakage at McGuire and 5.2.4 Component Fnilures Robinson caused overpressurization of the AFW sue-tion piping. At a foreign PWR it resulted in a severe Generic issue li.E.6.1,'in Situ Tbsting Of Valves' was waterhammer event. At Palo Verde 2 the MFW suction divided into four sub-issues (Beckjord 1989), three of piping was overpressurized by check valve leakage from which relate directly to prevention of AITV system com. the AFWsystem (AEOD/C4041984). Gross check ponent failure. At the request of the NRC,in situ valve leakage through idle pumps represents a potential testing of check valves was addressed by the nuclear diversion of AIAV pump flow.

industry, resulting in the EPRI report,

  • Application Guidelines for Check Valves in Nuclear Power Piants CF4. Roughly one third of AIAV system failures have (Brooks 1988).' This extensive report provides infor. been due to valve operator failures,with about equal mation on check valve applications, limitations, and failures for MOVs and AOVs. Almost half of the MOV inspection techniques. In situ testing of MOVs was failures were due to motor or switch failures (Casada addressed by Generie Letter 89-10,
  • Safety Related 1989). An extensive study of MOV events (AEOD/CM13 Motor-Operated Valve 1bsti. y and Surveillance' 1986) indicates continuing inoperability problems (Partlow 1989) w hich requires licensees to develop and caused by: torque switch / limit switch settings, adjust-implement a program for testing, inspection and main. ments, or failures; motor burnout; improper siting or tenance of all safety-related MOVs. " Thermal Overload use of thermal overload devices; premature degradation Protection for Electric Motors on Safety Relatea related to inadequate use of protective devices; damage Motor-Operated Valves - Generic issue ll.E.6.1 due to misuse (valve throttling, valve operator hammer.

(Rothberg 1988)* concludes that valve motors should be ing); mechanical problems (loosened parts, improper assembly); or the torque switch bypass circuit improp-5.5 NUREG/CR 5836

l Failure Modes i

cily installcd or adjusted. The study concluded that actuate the MOV torque switch, due to grease trapped current methods and procedures at many plants are not in the spring pack. During a surveillance at 'Ilojan, adequate to assure that MOVs will operate when failure of the torque switch to trip the'1TV motor needed under credible accident conditions. Specifically, resulted in tripping of the therinal overload device, a surveillance test which the valve passed might result in leaving the turbine driven pump inoperable for 40 days undetected talve inoperability due to component failure until the next surveillance (AEOD/E7021987). Prob.

(motor burnout.optretor parts failure, stem dise lems result from grease changes to EXXON NEBULA separation) or improper positioning of protective EP-0 grease, one of only two greases considered devices (thermal overload, torque switch, limit switch). environmentally qualified by Limitorque. Due to lower Ocnetic Letter 8910 (Pattlow 1989) has subsequently viscosity, it slowly migrates from the gear case into the required licensees to implement a program ensuring spring pack. Orcase changeover at Vermont Wnkee that MOV switch settings are maintained so that the af fected 40 of the older MOW of which 32 were safety valves will operate under design basis conditions for the related. Orcase relief kits are needed for MOV life of the plant. operators manufactured before 1975. At Limerick, additional grease relief was required for MOW manu-M Component problems have caused a significant factured since 1975. MOV refurbishment programs may number of turbine driven pump trips (AEOb!C602 yield other changeovers to EP 0 ytease.

195n). One group of events involved worn tappet nut taces, loose cable connections, loosened set screws, M For AFW systems using air operated valves, improperly lats hed TFW, and improper assembly. almost half of the system degradation has resulted from Another involved oil leaks due to component or seal failures of the valve controller circuit and its instrument failures, and oil contamination due to poor maintenance inputs (Casada 1989). Ihllures occurred predominantly activities. Governor oil may not be shared with turbine at a few units using automatic (lectronic controllers for '

lubrication oil, resulting in the need for separate oil the now control valves, with the majority of failures due changes. Electrical component failures included tran. to electrical nardware. At Wikey Point-3, controller sistor or resistor failures due to moisture intrusion, malfunction resulted from water in the Instrument Air erroneous grounds and connections, diode failures, and system due to maintenance inoperability of the alt a faulty circuit card. dryers.

@ Electrohydraulic-operated discharge valves have CF10. For systems using dieseldriven pumps, most of performed very poorly, and three of the five units using the failures were due to start control and governor speed them have removed them due to recurrent failures. control circuitry. lialf of these occurred on demand,as Failures included oil leaks, contaminated oil, and opposed to during testing (Casada 1989).

hydraulic pump failures, m1. For systems using AOW, operability requires the M Control circuit failures were the dominant source availability of instrument Air, backup alt, or backup of motor driven AFW pump failures (Casada 1989). nitrogen. liowever, NRC Maintenance Ttam inspec-This includes the controls used for automatic and tions have identified inadequate testing of check valves manual starting of the pumps, as opposed to the instru. isolating the safety related portion of the l A system at mentation inputs, Most of the remaining problems were several utilities (Letter, Roe to Richardson). Generic due to circuit breaker failures. Letter 88-14 (Miraglia 1988), requires licensees to verify by test that air-operated safety.related components will M "Ilydrauliclockup"of Limitorque SMB spring pe' .rm as expected in accordance with all design-basis packs has prevented proper spring compression to events, including a loss of normal IA.

NUREO/CR-5836 S.6

6 References Deckjord, E. S. June 30,1989. Closcout of Generic issue AEOD Reports ll.E.61, *In Situ ksting of11dves'. lxtter to V. Stello, Jr., U.S. Nuclear Regulatory Commission, Washington, AEOD/C404. W. D. lanning. July 1984. Steam Binding DC ofAutillaryFeedwaterPumps. U.S. Nuclear Regulatory Cornmission, MSshington, DC Brooks, U. P.1988. Application Guidelinesfor Check l'alves in NuclearIbwer Plants. NP 5479, Electric AEOD/C602. C Hsu. August 1986. OperationalErper.

Power Research Institute, Palo Alto, California. icnce involving 7hrbine overspeed Trips. U.S. Nuclear Regulatory Commission, Washington, DC Casada, D. A.1989. Auriliary Feedwater System Aging Stude Volume L Operating Erperience and Current AEOD/C603. E.J. Browtt December 1986. A Review Afonitoring Practices. NUREGICR.5404. U.S. Nuclear ofhiotor Operated l'alve Performance. U.S. Nuclcar Regulatory Commission, Washington, DC, Regulatory Cornmission, Washington, DC.

Oregg, R. E. and R. E. Wright.1988. Appendit Review AEOD/E702. E.J. Brown. March 19,1987. Af0VFail-forik>minant Generic Contributors. DLU 3188. Idahn ute thic to flydraulic Lockup From Ercessive Grease in National Engineering Laboratory, Idaho Falls, Idaho. Spring Pack. U.S. Nuclear Regulatory Commission, Washington, DC.

Miraglia, E J. February 17,1988. Resolution of Generic Safety issue 93, ' Steam Binding ofAnnihary Feedwater AEODIT416. January 22,1983. Loss ofESFAuriliary Pumps'(Generic Letter 88-03). U.S. Nuclear Regulatory Feedwater Pump Capability at 7tojan on January 22, Commb.sion, Whshington, DC 1983. U.S. Nuclear Regulatory Commission, Whshing-ton, DC Miraglia, R J. August 8,1988. Instrumeni Air Suppy System Problems Affecting Safety Related Equipment information Nofices (Generic Letter 8814). U.S. Nuclear Regulatory Com-mission, Whshington, DC IN 82 01. January 22,1982. Aartliary Feedwater Pump Lockout Resultingfrom it'estinghouse ll'2 Switch Circuit Pattiow, J. O. June 28,1989. Safety-Related Afotor- Afodi/kation. U.S. Nuclear Regulatory Commission, Operated l'alve Testing and Surnillance (Generic Letter Whshington, DC 8910). U.S. Nuclear Regulatory Commission, Washington, DC IN 84 32. E. L Jordan. April 18,1984. Auriliary Fred-watcr Sparger and Pipe Hangar Damage. U.S. Nuclear Rothberg, O. June 1988. ThermalOverload Protection Regulatory Commission, Washington, DC for Electric hIotors on Safety Related Aiotor-operated Ihives Genericissue ll.E.61. NUREO 1296 U.S. IN 84-66. August 11,1984. Undetected Unavailability of Nuclear Regulatory Commission, Washington, DC the Turbine Driven Auriliary Fredwater 7 Fain. U.S. Nu-clear Regulatory Commission, Washington, DC Travis, R. and J. 'Paylor.1989. Development of Guid-ancefor Generic, lhnctionally Oriented PRA. Based Team IN 87-34. C E. Rossi July 24,1987. Single Failures in inspectionsfor Bil'R Plants Identification ofRisk. Annitiary Feedwater Systems. U.S. Nuclear Regulatory important Systems, Components and Human Actions. Commission. Washington, DC.

TLR-A 3874 TOA Brookhaven National Laboratory, Upton, New York.

6.1 NUREO/CR-5836

iemu u licader IN 87-53. C 11. Roul. October 20,1987. Antiliary impertion itegun1 li'edwater hunp 1hys Resu4ingfwin Low Suction hrs-surr. U.S. Nuclear llegulate,ry Onnmiulon, IR 50 489/8911; 50-499/8911. May 2fi,19S9. South Washington, DC. kras Project inspection Report. U.S. Nuclear Regula.

tory Commlulon, Washington, DC IN 8840. C IL Rout. March 18,198R Reduced Reli-ability ofStearn. Driven Autiliary l'erdwater Pumps NURi;G Vrgmrt Caused by in stability of Iiinutward PG.I'L 7}pe Gover.

nors. U.S. Nuclear Regulatory Commlulon, NURl!O il54.1985. Lins o/ Main and Auuliary licd-

\%hington, DC water Gent at the Davis liesse Plant on June 9,1985.

U.S, Nuclear Regulatory Commission, \hhington, DC IN 89-30.11. A. Arua. August 16,1989. Robin 30n Unit 2 Inadequate NPSil of Autiliary Fredwater Pumps. Also, thent Notification 16375, August 22,1939. U.S. Nu-clear Regulatory Commluton, Whington, DC NURiiGICR 5836 6.2

NUREG/CR-5KM PNL 7903 l

l DISTitillllTION No. of No. of Ceriti ferits Ofi31TJi 4 fAo l Verde i[tsidtet inspector Of[ irs 10 M1Enlar Regulatorvfemmia _t J.ll. Taylor 11rootheven National I aboratory

11. K. G rimes illdg.130 OWlH 9 A2 Upton, NY 11973 E Congel R. "havis OWFN 10 E2 lirookhaven National Laboratory illdg.130 A. C. Thadani Upton. NY 11973 OWlH 8 E2 R. Gregg T.R. Quay EG&O idaho, Inc.

OWIW 13 E16 P.O. Ilox 1625 Idaho Falls,ID 83415 S. M. Long OWFN 10 E4 Dr. D. R. Edwards Pr:fessor of Nuclear Eng ineering G. M. Ilolahn Univ,.mity of Missouri Aolla OWIN 8 E2 Rolla, MO 654Gi J.Chung ONSITE owl'N 10 E4 21 Pacific Northwest LaberAcry M. J. Virgilo OWFN 13 E4 J. D. Ilumgardr.cr L R. Dodd 2 11. Thomas 11. E Gore (10)

OWFN 121126 N. E. Maguirc Moffitt II. D. Shipp 2 U.S. Nuclear Reculgory Commission - Recion 5 T.V.Yo Publishing Coordination R. Zimmerman Tbchnical Report File (5)

S. A. Richards L Miller J. A. Sloan Distr.1

NIC tonw s36 U S. NUCLE AR ALGUL A102Y Commission 1 REPOM1 NUV6e R

' ac$ 11of.

k Y. Is,,,Y'

= :c3 BIBLIOGRAPHIC DATA SHEET is m.,,ver,on..,,,,,,,. + , NUREG/CR-5836 PUL' M 6

2. vir 6 Ano sustir ti Auxiliary Feedwater System Risk-Based Inspection Guide for the Palo Verde Nuclear Power Plant 3 oats atpont puetiswto west- ,s..

February l 1993

4. 8iN OM OM ANT Nuvet a L1310 s Ausoaisi . 7 y,g o, mi,c,.,

Technical J. D. Humgardner, N. II. Moffitt D. F. Gore. T. V. Vo, J. A. Skian' ,, ,g , ,o o ca v i , t o ,,,,,,,,, ,,,,,

10/91 to 12/92 u a .., ..,,. , c- , -

s ry,o,,ag gANiz A r ion - N Aw e An o Ao o a a ss ,,, .c. - o .

u,,,,, ., ,.,o ,,, ., m, ,,

Pacific Northwest I;iboratory 'U.S. Nuclear Regulatory Commission Richland, WA 993$2 9 f, **.,w m en..et ,, c.a,ww m.=se enc o . ni. 0%e.r neee. u s *wn.e .was m c.= e yggRG ANIZATION - N awe ANo Aco m ess un e.c. ,vas Division of Systems Safety and Analysis Office of Nuclear Reactor Regulation U.S. Nuclear Regulatory Commission Washington. DC 20555

10. suPPLFhttNT ANY NOTES
11. AbsTR Act rico , , , i In a study aponsored by the U. '. Nuclear Regulatory Commission (NRC), Pacific Northwest Laboratory has developed and applied a methodology for deriving plant-specific risk-based inspection guidance for the auxiliary feedwater (AFW) system at pressurized vator reactors that have not undergone probabilistic risk assessment (PRA). This methodology uses exi' sting PRA results and plant operating experience information. Existing PRA-based inspection guidance information recently developed for the NRC for various plants was used to identify generic cceponent failure mcdes. This inforrration was then combined with plant-specific and industry-wide component information and failure data to identify failure mcdes and failure mechanisms for the AFW system at the selected plants. Palo Verde was selected as one of a series of plants for study. The product of this offort is a prioritized listing of A N failures which have occurred at the plant and at other PWRs. This listing is intended for use by NRC inspectors in the preparatic i of inspection plans addressing AFW risk-important components at the Palo Verde plants.
12. = 6 y wo m o s o e sc m e t o a s .o., ., ,. ,,,, ,, , , ,,, ,,,,,,,,, , ,,. , ,,,,,g,u,,,,,,m,,,

Unlimited Inspection, Risk, PRA, Palo Verde, Auxiliary Feedwater ( AW) .. u c,, , , c, m ,a i ,os ur,, , ,

Unclassified

, f.e M.sBO,1/

Unclassified 16 NVMBtR QF PAC,es 16 PRICs

%AC ponw 3Jn 12 49:

l 6

on recycled paper Federal Recycling Program

~~

d u t. P t,UduN NUREG/CH-506 AUXILIARY t thuWX1 t.x M M FOR TIIE PALO VERDE NUCLEAR POWER PLGT UN!TED STATES nasT ctAss Mart NUCLEAR REGULATORY wOMMISSION POSTAGE AND FEES PATO W'RC WASHINGTON, D.C. 20555 0001 PERVJT NO. G 67 I

OrflCIAL BUSWESS PENALTY TOR PRIVATE USE, $300 n r,

, ,,s.

T 1 3 7 c591 '$ ,w' e g a t i r T . r *- e- " V C 5+

g; N;C d

'[,},hi$alb2F~

7 o

~

_r c, r r r - ? l '. =

.g . q - t : ,, . - .

I 1

l I

l l

l l

Retrieved from "https://kanterella.com/w/index.php?title=ML20128N637&oldid=2892376"