Text

DHR Problems at Us Pwrs, Preliminary Draft Case Study Rept
	ML20129J033
Person / Time
Issue date:	07/31/1985
From:	Ornstein H; NRC OFFICE FOR ANALYSIS & EVALUATION OF OPERATIONAL DATA (AEOD)
To:	;
Shared Package
ML20129H990	List: ML20129H987; ML20129J006; ML20129J011; ML20129J015; ML20129J020; ML20129J024; ML20129J029; ML20129J033;
References
	NUDOCS 8507220159
	Download: ML20129J033 (91)
	v • d • e

'

i Preliminary DRAFT Case Study Report Decay Heat Removal Problems at U.S. Pressurized Water Reactors Reactor Operations Analysis Branch Office for Analysis and Evaluation of Operational Data July 1985 Prepared by:

Dr. Harold L. Ornstein NOTE: This report documents the preliminary results of an ongoing study by the Office for Analysis and Evaluation of Operational Data with regard to a number of operating events. This report is issued for review and comment as part of the " peer review" process used for AE00 case studies. Since the study is ongoing, the content, findings and recommendations are preliminary and may not represent the final position of AE00, the responsible program office or the Nuclear Regulatory Commission.

8507220159 850705 PDR MISC C507220107 PDR

Case Study Report Decay Heat Removal Problems at U.S. Pressurized Water Reactors Page Number EXECUTIVE

SUMMARY

. . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

1.0 INTRODUCTION

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 2.0 DECAY HEAT REMOVAL SYSTEM ...................... 7 2.1 Functional Description and System Design ............ 7 2.2 Consequences of the Loss of the Decay Heat Removal Function . . 16 2.3 Actions to Recover the Decay Heat Removal Function . . . . . . 20 3.0 OPERATIONAL EXPERIENCE . . . . . . . . . . . . . . . . . . . . . . . 23 3.1 Loss of Decay Heat Removal Systems . . . . . . . . . . . . . . 23 4.0 ANALYSIS AND EVALUATION OF THE UNDERLYING OR ROOT CAUSES OF DECAY . 34 HEAT REMOVAL SYSTEM LOSSES 4.1 Huma n Fac to rs . . . . . . . . . . . . . . . . . . . . . . . . . 34 4.2 Equipment Failures ......................42 4.3 Technical Specification Deficiencies .............43 5.0 FINDINGS AND CONCLUSIONS . . . . . . . . . . . . . . . . . . . . . . 48 5.1 Human Factors Considerations . . . . . . . . . . . . . . . . . 49 5.2 Design - Flow Path from the Reactor Coolant System to the . . . 52 Decay Heat Removal System 5.3 Technical Specification Deficiencies . . . . . . . . . . . . . 54 6.0 RECOMMENDATIONS . . . . . . . . . . . . . . . . . . . . . . . . . . 56 7.0~ REFERENCES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62 APPENDICES ...............................66 Appendix A - Loss of Decay Heat Removal Systems at U.S. ......66 Pressurized Water Reactors During 1982 and 1983 Appendix B - Selected Loss of Decay Heat Removal System Events at . 75 U.S. Pressurized Water Reactors During 1984 Appendix C - Decay Heat-Removal System Losses at Davis-Besse . . . . 79

EXECUTIVE

SUMMARY

The report analyzes U.S. pressurized water reactor (PUR) experience involving loss of operating decay heat removal (DHR) systems. Between 1976 and 1983, 130 loss-of-DHR events occurred during approximately 500 reactor years of operation. The DHR system is a safety-related system and its total loss under certain conditions could lead to core uncovery, and resultant fuel damage. The results of scoping analyses of total loss-of-DHR scenarios presented in this study indicate that for certain postulated events, unless timely corrective actions are taken, core uncovery could result on the order of one to three hours. To date, no serious damage has resulted from the loss-of-DHR system events that have occurred at U.S. PWRs. However, many of the events which have occurred thus far, may serve as important precursors to more serious events.

Analysis of operating data indicates that the underlying or root cause of most of the loss-of-DHR system events is human factors deficiencies involving procedural inadequacies and personnel error. Most of the errors were committed during maintenance, testing and repair operations.

The leading category of loss-of-DHR events (37 of 130) was the automatic closure of the suction / isolation valves, most of which resulted from human errors.

This report presents summaries of loss-of-DHR events which occurred during the years 1982 and 1983, and the most significant loss-of-DHR events in 1984. Since the 1984 data base was not complete at the time of this l

analysis, the available 1984 data was used to confirm the observed frequency and severity of loss-of-DHR events for prior years. Reference is made to an industry report, Nuclear Safety Analysis Center Report (NSAC-52) for summaries of loss-of-DHR events which occurred during the years 1976 through 1981.

The analysis of recent operating data indicates that the situation involving loss of DHR systems is not improving. In terms of the frequency or duration of loss, no clear trend towards improvement is evident. However, it may be too early to see the results of the implementation of the recommendations contained in NSAC-52 or industry actions.

The report makes several recommendations based upon the potential safety significance of the loss-of-DHR events. Implementation of those recommenda-tions should significantly improve DHR system reliability and availability.

The recommendations include: Improving human factors by upgrading coordina-tion, planning and administrative control of surveillance, maintenance, and testing operations which are performed during shutdown; providing operator aids to assist in determining time available for DHR recovery and to assist operators-in trending parameters during loss-of-DHR events; upgrading the-training and qualification requirements for non-licensed operations and maintenance staff; requiring the use of reliable, well-analyzed methods for measuring reactor vessel level during shutdown modes; modifying plant design to remove autoclosure interlocks and/or power to the DHR suction / isolation valves during periods which do not require valve motion; and clarifying plant technical specifications to eliminate ambiguities associated with operating mode definitions.

m-

-3 The report acknowledges'NRC's ongoing efforts to address shutdown decay heat removal requirements .(Unresolved Safety Issue A-45) and many of the AE00 recommendations are applicable to this generic issue.

L i

l l'

l I

l' t

l'

1.0 INTRODUCTION

The purpose of this study is to evaluate operational experience and to analyze the safety implications associated with total loss of decay heat removal (DHR) systems, [also referred to as the residual heat removal (RHR) systems, and shutdown cooling (SDC) systems], at U.S. pressurized water reactors (PWRs).1 The safety function of the DHR system is to transfer fission product decay heat from the reactor core at a rate which will assure that the fuel design limits and the reactor coolant pressure boundary design limits are not exceeded. An extended loss of the DHR function could lead to core uncovery, and associated fuel damage.

We note that NRC's General Design Criterion (GDC) 34 requires the DHR safety function to be accomplished assuming a single failure. However, we also note that there have been numerous single failures which have caused losses of this safety system. During the years 1976 through 1983, there have been about 130 loss-of-DHR events. Most of those events were of a short duration; however, several have extended beyond an hour with some lasting more than two hours.

1 In this report, a total loss of a DHR system is defined as failure of both DHR trains to perform their function when required. Such losses include momentary as well as long duration events. Inoperability of both DHR trains during times that they are not required to perform j their function are not included as total losses. Similarly, DHR systems which are administratively declared inoperable, but could still perform their function (e.g., inoperability due to missed surveillance or faulty snubbers), are not included as total losses.

I L

To date, no serious damage has resulted from the total loss of DHR systems at U.S. PWRs, and there has not been any danger to the public. None heless, the large number of loss-of-DHR events which have occurred thus far (occurrence frequency of 0.25/ reactor year), may serve as important precursors which warrant corrective actions before a far more serious ev nt occurs.

Numerous studies have been performed and numerous reports have been written on DHR systems. The most significant ones are:

In 1975, WASH 1400 (Ref. 1) noted that the loss of the DHR function subsequent to a transient can be a potentially significant contributor to the total risk associated with nuclear power plants, in 1980, the NRC declared " Shutdown Decay Heat Removal Requirements" an Unresolved Safety Issue (USI). Subsequently, the Office of Nuclear Reactor Regulation (NRR) has implemented task action plan A-45 to resolve this issue. The overall purpose of A-45 is to evaluate the adequacy of current licensing design requirements in order to ensure that nuclear power plants do not pose an unacceptable risk due to failure to remove shut-down decay heat.

In 1982, Oak Ridge National Laboratory (ORNL) evaluated events involving DHR systems in U.S. PWRs and U.S. boiling water reactors (BWRs) (Ref. 2) for the period June 1979 to June 1981, 1

ORNL found 38 loss-of-DHR system events which met their criteria for safety significance (which is equivalent to our definition of a total loss of a DHR system).

In 1983, the Nuclear Safety Analysis Center (NSAC) published a report (NSAC-52, Ref. 3) which reviewed DHR losses at U.S. PWRs during the years 1976 through 1981. It made numerous recommendations which if implemented, could have improved DHR systemreliabilityandoherallsafety.

. Interest in this study was first initiated because of the large number of loss-of-DHR events which occurred at the Davis-Besse plant (See Appendix C).

Subsequent analysis of the data, and additional licensee event reports (LERs) detailing DHR losses at other PWRs showed that the problems at the Davis-Besse plant were not unique to Davis-Besse or other Babcock and Wilcox (B&W) plants. As a result, the scope of the study also includes events which occurred at PWRs having reactors designed by Combustion Engineering (CE)andWestinghouse()().

This report highlights some facets of DHR losses and-DHR operations which are not addressed in previous reports, and it presents six recommendations which, if implemented, have the potential for significantly improving reactor safety.

2.0 DECAY HEAT REMOVAL SYSTEM 2.1 Functional Description and System Design The DHR system is designed to remove fission product decay heat from the reactor core. The safety function of the DHR system is to remove heat from the primary system at a rate that will enable operators to bring the plant from hot shutdown conditions to cold shutdown or refueling conditions (see Table 1), and to maintain the plant in sucn shutdown conditions for extended periods of time. For the transition phase associated with cooling the plant from operating pressures and temperatures, for example after a reactor trip, to hot shutdown, the steam generators are used to remove heat from the primary system. Upon reaching the reduced pressures and temperatures associated with the hot shutdown condition, the DHR system is activated.

During accident conditions, most DHR systems can be aligned to perform emergency core cooling functions (low-pressure coolant injection and recirculation). In W and B&W plants, the DHR system can also act as a booster system to provide the net positive suction head (NPSH) required by the' safety injection (SI) or high pressure injection (HPI) pumps for operation in the recirculation mode (" piggyback" operation). In B&W plants, the DHR system also provides auxiliary spray to the pressurizer to assist in depressurization after the reactor coolant pumps are secured.

The DHR system is typically composed of two redundant 100% capacity trains.

l It is usually located outside containment. A schematic diagram of a representative DHR system appears in Figure 1. Most DHR systems have a I

l l

Table 1 Plant Operational Modes 2 Average Reactivity % of Rated 3 Coolant Operational Mode Condition, K,ff Thermal. Power Temperature

1. POWER OPERATION z 0.99 > 5%

3 (TOHR) F

2. STARTUP > 0.99 5 5% g (TDHR) F

3. HOT STANDBY < 0.99 0

> (TDHR) F

4. HOT SHUTDOWN < 0.99 0 (TDHR) F > Tavg > 200*F

5. COLD SHUTDOWN < 0.99 0 1 200*F 4

6. REFUELING 1 0.95 0 < 140*F TDHR= temperature at which the DHR system is initiated (generally 280*F - 300*F) 4 2_ As defined in B&W, CE, W standard technical specifications, (e.g.,

Ref. 4).

1 3 t.acluding decay heat.

I 4 Fuel in the reactor vessel with.the vessel head closure bolts _less than fully tensioned or with the head removed.

l

FIGURE 1 SCHEMATIC DIAGRAM OF DHR SYSTEMS AT US PWR'S ,

N N

\

TO REACTOR VESSEL la

B&W PLANTS - VIA CORE FLOOD TANK DISCHARGE lr, 1 I I

i LINES I Jk CE and W PLANTS 1

VIA COLD LEGS l I ,

SUCTION -

e ISOLATION

, VALVES I

$(;i$M, M LEG

~'#"ifiI J L 1f i h DHR 5 HEAT =

j l

FROM REACTOR

'lI JL PUMP EXCHANGER l I BLDG SUMP FOR I 1 g

RECIRCULATION J L -

1 MODE OF LPCI 1 P l

-l a s a U""

l u

c Ex a

ER II BOHATED WATER FOR l INJECTION OF LPCI B&W PLANTS - FROM BWST

" COMPONENT COOLING" CE8W PLANTS - FROM RWST WATER CONTAINMENT

~

single suction or " drop" line which is tapped off one of the reactor coolant system (RCS)hotlegs. Because of their single suction or " drop" line design, most DHR systems are susceptible to complete system loss due to a single failure of a suction line valve. From the DHR pump discharge, the primary coolant flows through a heat exchanger where heat is transferred to the component cooling water system. After the primary coolant leaves the DHR heat exchangers, it returns to the reactor vessel. There are not many significant differences among DHR systems at U.S. PWRs. The most significant difference is the location at which the DHR flow returns to the RCS. In B&W plants, the DHR flow returns to the reactor vessel through piping which is shared with the core flood tanks' discharge. In other PWR designs the DHR flow returns to the reactor vessel through the cold legs.

Most DHR systems operate at temperatures of 300*F or less, and at pressures

' less than 300 psig. Because the DHR system is a low pressure design and located outside containment, significant efforts (administrative controls, system interlocks, etc.) are made to ensure isolation of the system when the RCS pressure exceeds the DHR system design pressure. Overpressurization and rupture of the low pressure system is commonly referred to as an

" interfacing LOCA - Event V."- WASH-1400 (Ref. 1) showed-that-for the PWR studied (Surry, a W plant), Event V could represent a high probability core damage accident sequence.

t DHR system requirements contained in the general design criteria (GDC) have changed over the years. The 1967 GDC did not address single failure aspects of the DHR system. The 1971 GDC, criteria number 34, requires the DHR system to meet single failure criteria. Newer plants which are designed to I

the 1971 GDC have been accepted by NRR even though they do not fully meet GDC 34's single failure criteria. Although some of the newer plants do have double drop lines and redundant valves, the control circuitry is such that a single failure can cause a loss of the DHR system. Recognizing this, NRC has declared " Shutdown Decay Heat Removal Requirements" an unresolved safety issue (A-45). To resolve A-45, NRR is evaluating the adequacy of current licensing design requirements in order to ensure that plants do not pose an unacceptable risk due to failure to remove shutdown decay heat. The objective of the task is to develop a comprehensive and consistent set of shutdown cooling requirements for existing and future LWRs.

Many plants are designed such that single failures in the DHR suction /

isolation valve interlocks, and single instrument bus failures or single valve failures can result in the loss of DHR systems. The DHR suction /

isolation valve interlocks are designed to prevent an interfacing LOCA (Event V) at the expense of interrupting DHR system operation. The functions of the interlocks are to:

1. Prevent opening of the suction / isolation valves when the reactor coolant system (RCS) pressure exceeds the DHR system pressure.

2. Assure that the suction / isolation valves are closed for plant i startup and repressurization.

In essence, the suction / isolation valve logic is single failure proof --

with regard to closing the valves (to prevent an interfacing LOCA) -- but it

necessitates an interruption of the DHR system function. Justification for

-this prioritization (interfacing LOCA first, and decay heat removal second) is based upon the design decision that there is less recovery time, and greater risk, associated with the interfacing LOCA than with a loss of DHR.

In an effort to reduce the single failure vulnerability of the DHR system, some recent designs have two " drop lines" from the RCS, and two suction lines, each having motor-operated isolation valves in series (Figure 2).

However, from the standpoint of the interfacing LOCA, the double drop line, double suction line configuration presents an additional failure path and, therefore, represents a higher interfacing LOCA risk than the single suction line configuration.

i f

FIGURE 2 SCHEMATIC DIAGRAM OF DOUBLE DROP LINE, DOUBLE SUCTION LINE DHR SYSTEM CONFIGURATION

\

1 i

I I

" DROP LINES" l FROM RCS l Wg HOT LEGS I

=

J & ! Oc c u q g TO DHR HEAT SUCTION / ISOLATION I q

d k h Ik EXCHANGERS VALVES n ha '

h, h,

i-,,,

o r m

e -

1 FROM RB SUMP FOR I FROM RWST RECIRCULATION l FOR INJECTION MODE OF LPCI MODE OF LPCI y

d CONTAINMENT

v 5

The plants haging two drop lines and two suction lines have DHR suction /

isolation valve closure logic which would close valves in both lines as a result of a single failure, (e.g. control logic failure that closes the valves, or a single erroneous closure signal). Consequently, a single active failure could cause the loss of the DHR system for such plants. For example, as noted in Reference 5, the Catawba plants, which have two drop lines, can lose both trains of DHR due to a single instrument bus failure.

It should be noted that the double drop line design is fail-safe -- where fail-safe implies preventing an interfacing LOCA, not sustaining DHR flow.

As a result, the double drop line designs with the present closure logic do not represent much of an impro'v esent against loss-of-DHR events associated with automatic closure of the suction / isolation valves.

In an attempt to provide radundant DHR flow paths, while minimizing the possibility of an interfacing LOCA outside containment, the Davis-Besse plant has a configuration which lies between the single and double drop line configurations. The Davis-Besse plant has one drop line with a smaller diameter bypass line as shown in Figure 3. The valves in the bypass line are manually operated (normally closed). This bypass configuration 5 Some plants with a double drop line/ double suction line configuration are: ,

Palo Verde 1,2,3 Vogtle 1,2 San Onofre 2,3 Shearon Harris 1 WPPS 3 Comanche Peak 1,2 Kewaunee Beaver Valley 2 Catawba 1,2 South Texas Callaway 1,2 Byron 1,2 Summer 1,2 Braidwood 1,2 Farley 1,2-

,, _ ea,a FIGURE 3 SCHEMATIC DIAGRAM OF THE DAVIS-BESSE PLANT'S DHR SUCTION BYPASS LINE CONFIGURATION N

\

l BY PASS LINE WITH MANUALLY OPERATED VALVES (8" NOMINAL DIAMETER) l M >< l TO DHR D P LINE 3

' PUMPS

'FROM RCS B LOOP HOT LEG MOTOR OPERATED SUCTION / ISOLATION VALVES (12" NOMINAL DIAMETER)

I

~

l l l i I

j CON 1AiNMeNT

provides an additional flow path to enable DHR cooling in the event there is a problem with the suction / isolation valves; yet, it does not provide the .

additional path and risk for a LOCA outside containment that is inherent in a double drop lin't configuration.

2.2 Consequences nf the Loss of the Decay Heat Removal Function The time margin available for restoring the DHR system, or establishing alternate methods of heat removal (prior to bulk boiling, core uncovery, fuel damage, etc.) depends upon the RCS temperature, the decay heat rate (which is dependent upon time interval elapsed from reactor trip to DHR system failure and core power operating history), and the amount of RCS inventory. During some operations, the RCS may be partially drained (e.g.,

to perform steam generator inspections or repairs). Decreased primary system inventory can significantly reduce the time available to recover the DHR function prior to bulk boiling and core uncovery.

It should also be noted that the reduced primary system inventory can result in rapid heatup rates and decreased time margins available prior to primary system boiloff even though the DHR loss may- happen many days after shutdown.-

For example, Reference 6 indicated Sequoyah 2 had a 92'F heatup of the primary system water in 77 minutes with reduced RCS inventory, even though the reactor was shutdown 18 days before the DHR loss occurred.

The results of an AE0D scoping calculation showed that 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months after a reactor trip, a partially drained RCS at a B&W plant could boil off enough coolant to uncover the core approximately one hour after losing the DHR system. The calcslation was based upon the assumptions that the RCS was drained down to the top of the hot-leg nozzle, the coolant in the reactor vessel was at a bulk temperature of 140 F, and the RCS was "open" to the atmosphere.

This analysis compares favorably with operating experience and licensees' analyses. For example, References 7, 8 and 9 reported that on August 29, 1984, 36 hourt after a reactor trip at ANO-2 (a CE plant), the DHR system failed while the plant was in a partially drained condition. The reactor vessel water heated up from 140*F to 205*F in about 30 to 40 minutes.0 In Reference 10, D.C. Cook (a W plant) reported the results of a corresponding analysis indicated that core uncovery would take place in about I hour after the loss of the DHR system. Recently, a foreign PWR experienced a loss-of-DHR during draindown. Subsequently, the foreign country's regulatory body performed a calculation and concluded that under slightly different conditions, core uncovery could begin in about I hour and 20 minutes, with fuel failure beginning two and one-half hours after the loss of the DHR system.

6 The entire event lasted 50 minutes. However, during the first 20 minutes, DHR was provided by make-up water which was gravity fed from the RWST, and by oscillatory DHR system flow (flow was provided by the DHR pump which was cavitating.)

1

.l Another AE00 scoping calculation was performed for a loss-of-DHR event at a B&W plant shortly after activating the DHR system. It was based upon a licensee calculation (Ref.11) which assumed a loss of the DHR system about three hours after reactor trip with a full RCS (no draindown). The results indicated that the RCS would heat-up to saturation conditions, and pressurize to the low temperature overpressurization (LTOP) setpoint within one-half hour. Upon reaching the LTOP setpoint, the RCS coolant would boil off at the LTOP setpoint pressure and escape through the PORV. The results of our calculations indicate that core uncovery would occur within about two and one-half hours after the loss of DHR occurred.

The time available for restoring the decay heat removal function prior to core uncovery can be as short as about an hour and can extend up to many hours or days. The time available depends upon the plant's operating history and status at the time of the DHR system loss. Figure 4 shows a typical time margin plot (time available for recovery of the DHR function vs. time after rod insertion that the DHR function was lost).

The results of AE0D's scoping calculations indicate that if losses of the DHR system occur during early stages of shutdown (e.g., 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months after reactor trip - with the RCS partially drained, or shortly after activating the DHR system without primary system draining), corrective actions must be

. taken to either restore the DHR system or to implement alternate methods for removing reactor decay heat. These calculations highlight the fact that a loss of the DHR system can lead to a safety significant event unless timely recovery actions are taken.

i FIGURE 4 7- 1 DHR RECOVERY TIME MARGIN TIME TO CORE UNCOVERY 6 - BEGINNING OF LIFE OF REACTOR FUEL 3 DAYS AT 100% POWER l 5 -

7 Ei

$ 4 -

w I TIME TO START BULK BOILING P BEGINNING OF LIFE

> OF REACTOR FUEL

$ 3 DAYS AT 100% POWER g3 -

8 m

2 -

TIME TO CORE UNCOVERY END OF LIFE OF REACTOR FUEL 256 DAYS AT 100% POWER TIME TO START BULK BOILING END OF LIFE OF REACTOR FUEL 1 256 DAYS AT 100% POWER

[

I I 0 I O 10 20 30 TIME AFTER ROD INSERTION AT WHICH DHR LOSS OCCURS (days) i STARTING CONDITIONS: RCS DRAINED TO HOT LEG CL, OPEN TO ATMOSPHERE, l AVERAGE TEMPERATURE 140'F l

Historically, the U.S. NRC and the U.S. nuclear community have considered hot standby to be a safe end state. As a result, until recently no probablistic risk assessments of U.S. reactors have quantified all the risks associated with operations in shutdown modes 4, 5, and 6.

Because of recent interest in DHR, NSAC is funding probabilistic assessments of the risks associated with modes 4, 5 and 6 at two plants. It is anticipated that those assessments will be available during the sumer of 1985.

Because human factors are major contributors to DHR loss events (as discussed in chapter 4) and because estimates of human performance have relatively widespread error bounds, we believe that quantification of the risk from DHR system losses during modes 4, 5, and 6 is subject to greater error than most other reactor risks. In view of the extensive effort that is necessary to obtain a quantitative assessment of DHR risk, and because of the large uncertainty associated with such assessments, we consider the undertaking of a probablistic risk assessment on DHR systems to be outside

. the scope of the present case study.

2.3 Actions to Recover the Decay Heat Removal Function As noted in section 2.2, the time available for recovery from a loss of the DHR system prior to uncovering the core can be as short as about an hour.

Restoring the DHR system function appears to be the preferred recovery method. In addition to restoring the DHR system, many alternate methods are available for removing decay heat when the DHR-system is lost. Table 2

presents some backup methods which could be used to remove decay heat upon loss of the DHR system. It should be noted that not all of the methods listed in Table 2 are available at all plants. ,It is also important to note that use of miscellaneous makeup water sources (e.g., plant fire protection system) requires that precautions be taken to prevent boron dilution. Other than restoring the failed DHR system, there is no single backup method which is applicable for all loss-of-DHR events.

I

Table 2 Some Backup Methods for Decay Heat Removal Upon Loss .

oftheDHRSystem!

Vessel Head On Vessel Head Off or Detensioned

' Normal charging and letdown Normal charging and letdown Spent fuel cooling system (cross-ties Spent fuel cooling system if available) (cross-ties if available)

Chemical and volume control Chemical and volume control system to inject cold water system to inject cold water from the RWST from the RWST Use of steam generators and BWST (gravity flooding if i- condenser available) 1 Use of steam generators and HPI pumps atmospheric dumps i

Feed'and bleed - HPI and-PORV'or- -Pool boiling-with rekeup pro--

8 pressurizer safety valves videdfrommiscellaneouswgter sources (e.g., fire hoses) 7 Not all methods are available at all plants.

9 8 Precautions must be taken to control HPI flow to prevent low temperature overpressurization and pressurized thermal shock. Some plants rack out power to HPI.. pumps while.at low temperature and pressure (Ref. 11).

9 Use of miscellaneous water sources (e.g., fire hoses would require that precautions-are taken to prevent baron dilution.)

L

~

3.0 OPERATIONAL EXPERIENCE 3.1 Loss of DHR Systems Although the DHR system is a safety related system, there have been many events in which both trains of the DHR system were unable to perfom their required functions. From 1976 through 1983, there have been at least 130 events in which operating DHR systems failed.10 This represents a frequency of about 0.25 per reactor year, based on about 500 years of commercial U.S.

PWR operation. There were about 90 events from 1976 - 1981, and there were al ut 40 events during 1982 and 1983.

Our analysis and evaluation of DHR system failures were based upon 2 groups of data: Operating experience from 1976 through 1981 were obtained from LERs and Nuclear Safety Analysis Center (NSAC) report NSAC-52 (Ref. 3); and operating experience for the years 1982 and 1983 were obtained from LERs and NRC reports. The reader is directed to Reference 3 for sumaries of DHR system losses that occurred from 1976 to 1981. Appendix A of this report presents sumaries of the DHR syste- losses which occurred during 1982 and 1983. Because the 1984 data base was not yet complete, the 1984 operating experience was not included in our statistical presentation of the categories and causes of DHR system failures. However, the 1984 events were evaluated for significance in comparison to previous events. The most !

I significant DHR system failures of 1984 are summarized in Appendix B.

l l

I i

10 We have found 130 loss-of-DHR system events; however, other events may l have eluded our data search. l 1

l We evaluated the loss-of-DHR operating data to determine if there were any significant trends. For the 130 events which occurred between 1976 and 1983, Table 3 shows that 11 plants accounted for 95 events (approximately 8.6eventsperplant). Essentially one-fifth (21%) of the plants accounted for three-quarters (73%) of the loss-of-DHR events.

l Table 3 shows that the Davis-Besse plant has experienced the most losses of DHR. However, Table 3 also shows that there has been a marked improvement at that plant since 1981. During 1980, the Davis-Besse plant experienced I nine loss-of-DHR events, six of which involved inadvertent closure of the

suction isolation valves. The repeated DHR losses at Davis-Besse during the spring 1980 outage were reported to Congress in an Abnormal Occurrence tu E Report (Ref. 12). In Reference 12, the NRC stated that the licensee had A " serious deficiency in management or procedural controls in many areas."

Subsequently, Davis-Besse management took action to improve administrative

)

controls, operating and emergency procedures, and personnel training associated with plant shutdowns. In addition, the plant's technical specifications were modified to allow removal of power from the DHR suction /

isolation valves during plant shutdown (in order to preclude their inadvertentclosure). It appears that since these improvements ~have been-1 made, there have been no reported losses of the DHR systen at the

! Davis-Besse plant. (See Appendix C for additional details on DHR losses at l Davis-Besse.)

Davis-Besse's loss of DHR events were the stimulus for IE Bulletin 80-12 (Ref. 13). That bulletin required licensees of PWR facilities to review l

l l

r Table 3 Freauency of DHR tosses (1976 - 1983) 1976 1977 1978 1979 1980 1981 1982 1983 Total Davis-Besse 4 1 9 2 16 Beaver Valley - 1 1 1 4 2 1 1 10 Calvert Cliffs - 2 2 1 2 3 2 10 Salem - 2 2 8 10 Crystal River 1 2 2 3 2 10 Calvert Cliffs - 1 2 5 1 1 9 Trojan 1 5 1 7 North Anna - 1 1 2 2 2 7 North Anna - 2 3 3 6 Salem - 1 1 3 1 5 Farley - 1 2 2 1 5 McGuire - 1 2 1 3 Millstone - 2 1 1 1 3 ANO - 2 2 2 Ginna 2 2 Maine Yankee 2 2 Palisaaes 1 1 2 Rancho Seco 1 1 2 St. Lucie - 1 1 1 2 Sequoyah - 1 1 1 2 Turkey Point - 3 2 2 Turkey Point - 4 2 2 Indian Point - 3 1 1 Fort Calhoun 1 1 San Onofre 1 1 1 Oconee 1 1 1 Oconee ( 1 1 Zion 1 1 1 Surry 1 1 1 Sequoyai. 2 1 1

, Farley 2 1 1 McGuire 2 1 1 Summer 1 1 1._

130 Annual Frequency of DHR Losses .06 .08 .5 .3 .6 .5 .35 .5

-(8 of events)

(# of Operating Plants) their plants' capability to prevent DHR loss events; to review plant nardware and analyze procedures for adequacy of safeguarding against loss of redundancy and diversity of DHR capability. The operating data does not indicate that there has been an industry-wide improvement in loss of DHR experience as a result of actions that were taken in response to IE Bulletin 80-12.

From Table 3, we also note that Salem 2 has experienced an unusually high number of DHR losses in a single year. It had 8 losses in 1983 (6 during one outage and 2 during another outage). Four of those events involved inadvertent closure of the suction / isolation valves, three events involved DHR pump trip due to problems with the " safeguards equipment control" (SEC) system, and one event resulted from flooding of the service water bay (see Appendix A for details of those events). Subsequently, in 1984, Salem 2 had

, another loss-of-DHR event which involved inadvertent closure of a suction / isolation valve resulting from a procedural error during testing of II the " pressurizer overpressure protection" (P0P) system .

Table 3 indicates that until 1981, the Crystal River plant had nine loss-of-DHR events. There were between one and three losses every year for five years. Since 1981, there have not been any. The DHR losses at this plant I

11 Deficiencies associated with plant management, administrative controls, maintenance and test activities at the Salem station were addressed by l

the NRC subsequent to the 1983 Salem ATWS events. We believe that the l licensee has taken corrective action in these areas, and a general reduction in the frequency of loss-of-DHR events is anticipated as a-result.

l

\

seem to have stopped at about the same time that the plant implemented actions to improve their planning, coordination and management of outage and maintenance activities.

One measure of significance of loss-of-DHR events is the time interval that the DHR function was lost. Table 4 presents a summary of the duration of the loss-of-DHR events which occurred during 1982 and 1983. It also sunnarizes the duration of eleven significant DHR losses which occurred during 1984.

In 1982, there were 17 events, thirteen of which accounted for 283 minutes of DHR loss. The events ranged from about two minutes to about an hour.

The duration of the other four events is unknown.

In 1983, there were 28 events, 16 of which accounted for 242 minutes of DHR loss ranging from under a minute to 77 minutes. The duration of the other 13 events is unknown.

Because the 1984 data base was not complete at the time of this report, we were unable to review all of the 1984 data. Our initial screening indicated that although there were a number of loss of DHR events during 1984, eleven of those events were deemed to be significant. (Appendix B has descriptions of those eleven events). Those eleven events accounted for 516 minutes of DHR loss ranging in durations from seven minutes to two hours. Because of recent changes in reporting requirements, (new LER rule 10 CFR 50.73 effective January 1,1984) it is not possible to make a direct

4 Table 4 Duration of DHR Loss Events Duration 1982 1983 Eleven Selected 1984 Events 0 - 4 minute 4 4 0 5 - 9 minutes 3 4 1 10 - 19 minutes 0 3 1 20 - 29 minutes 1 1 2 30 - 39 minutes 2 1 0 40 - 49 minutes 1 1 4 50 - 59 minutes 1 0 0 60 - 69 minutes 1 0 1 70 - 79 minutes 0 1 0 80 - 89 minutes 0 0 0 I

90 - 99 minutes 0 0 1 100 - 109 minutes 0 0 0 110 - 119 minutes 0 0 0 i 120 - 129 minutes 0 0 1 i

! Total Duration in 283 242 516 I minutes (without (4 unknowns) (13 unknowns) j unknowns) l 1

l l

I l ! .

1 comparison of industry performance by examining the duration and frequency

~ ' of recent years' loss of DHR events. The new reporting requirements are more stringent than those of previous years. Virtually all loss of DHR events and their durations are now required to be reported. Licensee interpretation of previous reporting requirements may have resulted in many loss of DHR events which were not reported, as well as reports which were incomplete and did not include information about the durations of the events.

Examination of the data presented in Tables 3 and 4, and in Appendices A and B indicates that some plants have been having a disproportionate number of long duration DHR losses in recent years; i.e., North Anna 1 and 2 have had four long duration loss-of-DHR events in 1982 and 1983, and in 1984 North Anna 2 had a two hour loss. McGuire 2 had three long duration DHR loss events during a three week period between December 1983 and January 1984 (43 minutes, 62 minutes and 49 minutes). McGuire 1 had three loss-of-DHR events in 1982 and 1983, the longest of which lasted I hour.

The operating experience shows that North Anna and McGuire have experienced multiple and long duration loss-of-DHR events without apparent improvement.

The Calvert Cliffs plants have experienced multiple loss of DHR events without apparent improvement. Other plants such as Crystal River, Davis-Besse, and, Salem appear to have improved their performance as a result of increased management attention.

The fact that the number of DHR losses as well as the duration of losses in 1984 continue to be high ( > 16 events and > 516 minutes duration) tends to l

indicate that plant performance is not improving during shutdowns. However, it is important to note that during the years 1982, 1983 and 1984, the longest duration event was 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months whereas there were five events during the years 1976 - 1981 which were of longer duration. Although many of the 130 loss-of-DHR events exceeded an hour, plant. personnel have always been able to restore the DHR function prior to reaching an unsafe condition (core uncovery). Since none of the long duration events occurred immediately after shutdown there were no serious consequences. However, under slightly different circumstances, some of the loss-of-DHR events could have led to serious consequences. Figure 4 shows how recovery time varies as a function of the time after scram that the loss-of-DHR event occurs.

While none of the recorded DHR failures affected the health and safety of the public, some of the events caused significant plant disruptions, extended downtime, and expensive cleanup and recovery. The Oconee 2 DHR system loss, which occurred on September 18, 1981 (Ref. 14 and 15), is a good example of such an event. 2 On May 14, 1984, Ginna also experienced a stuck closed suction / isolation valve. It took about li hours to open the valve manually (see Appendix B).

12 On September 18, 1981, while at 94% power, Oconee 2 developed a steam generator tube leak (25-30gpm). A rapid plant cooldown and depressurization was begun. The plant cooldown and depressurization were delayed when it was found that one of the DHR suction valves was stuck closed, thereby making the DHR system unavailable. As a result, plant cooldown was delayed 17 hours1.967593e-4 days 0.00472 hours 2.810847e-5 weeks 6.4685e-6 months . The primary to secondary leak resulted in 21 million gallons of contaminated water being released into the turbine building. It took about 60 days to reprocess the contaminated waterr and to clean up the secondary system and the

! turbine building.

l

31 -

Our analysis of operating data included categorization of 130 DHR system failures that occurred at PWRs during the years 1976 - 1983. Table 5 presents the results and shows that events involving the suction / isolation valves and the DHR pumps accounted for about two-thirds of the DHR system failures.

N P

Table 5 Categories of Total DHR System Failures at U.S. PWRs 1976-1983 When Required to Operate (Loss of Function)

No. of Events (% of Events)

Automatic Closure of Suction / 37 (28.5)

Isolation Valves Loss of Inventory Inadequate RCS Inventory Resulting 25 (19.2) in Loss of DHR Pump Suction 35 > (26.9) i Loss of RCS Inventory Through DHR 10 1 (7.7) i l

/

System Necessitating Shutdown of DHR system Component Failures Shutdown or Failure of DHR Pump 21 (16.2))

27 i (20.7)

Inability to Open Suction / Isolation 6L (4.5) L s /

Valve Others 31 (23.8)

Total 130 (100.0)

More than one quarter of all DHR system losses which occurred between 1976 and 1983 involved automatic closure of DHR suction / isolation valves (37 events). The underlying or root causes of most of the automatic valve closure events were human factors (see section 4.1 for further discussion).

Only 2 of the automatic isolation valve closure events were legitimate responses to valid signals which correctly detected an RCS pressure exceeding the isolation setpoint, i.e. a low temperature overpressure event.

More than one quarter of all DhR system losses which occurred between 1976 and 1983 involved loss of RCS inventory (35 events). Twenty-five of the loss of inventory events resulted in inadequate pump suction, cavitation or air binding. Many events of this type were significant because of their long recovery times. Recovery required refilling the RCS and bleeding off the air or vapor bound pump (s). Appendix B indicates that in 1984 there have been at least six such events which lasted between 25 minutes and 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months .

About one-fifth of the DHR losses which occurred between 1976 and 1983 involved DHR system component failure. Twenty-one events involved shutdown or random failure of an operating DHR pump when the other pump or train was inoperable. Six events involved previously closed suction / isolation valves that could not be opened. Appendix B indicates that in 1984 there was one event in which a stuck suction / isolation valve could not be opened for li hours.

4.0 ANALYSIS AND EVALUATION OF THE UNDERLYING OR ROOT CAUSES OF DHR SYSTEM LOSSES Table 5 presented a listing of the categories of DHR system failures. In addition to categorizing the events, our analysis examined the lice.1see submittals to determine the underlying or root causes of the events.

Table 6 presents the results of our assessment.

It can readily be seen from Table 6 that the dominant underlying or root causes of DHR System failures are human factors (procedural inadequacies, operator or technician errors, etc.). Human factors account for almost two-thirds of the events. Equipment failures were the second major underly-ing or root cause and accounted for about one-quarter of the events.

4.1 Human Factors The operating data revealed that human factors are the dominant underlying or root causes of almost two-thirds'of the DHR system _ losses.

The major human factors problems that were common to many DHR system losses include:

PROCEDURES A. During normal outage activities (mointenance/ repair / test /

surveillance), procedures oftentimes:

I

Table 6 Underlying or Root Causes of DHR System Failures No. of Events (% of Events)

Human Factors Inadequate / faulty procedures 50 (38.5)

Operator / technician errors 23 > 84 (17.7) (64.7)

Inadequate / faulty procedures 11 (8.5) l combined with operator / s technician errors Equipment Failures Pumps, valves, relays, etc. 35 (26.9)

Unknown Causes 8 (6.2)

Human Factors Combined 2 (1.5) with Equipment Failures >

Others 1 (0.7)

Total 130 (100.9) r i

l u.

o omit caution statements regarding restoring equipment on completion of tasks, o fail to consider interactions with other tasks or equipment,

.o are poorly written and omit steps or contain ambiguous instructions, o fail to identify equipment the same way it is labeled or referred to by the operator.

B. During casualty identification and recovery activities, procedures frequently:

o are not available or are not applicable for a loss-of-DHR event, o are incomplete or lack specificity, o refer to or depend upon indicators, instruments, alarms or annunciators that are inadequate and/or are improperly placed, o do not provide operators with information about times available for safe recovery, and how to track the course of the event.

OPERATOR AIDS (Instrumentation, Monitoring Equipment Alarms, Annunciators,etc.)

In performing normal outage activities and identifying / mitigating casualties, man-machine interfaces are inadequate for ensuring task proficiency. In general, operator aids:

o arenotavailabletomonitorortrackoperationsorehents,

o may be poorly placed relative to the task being performed, o are not integrated into operator tasks (e.g., infrequently monitoredlevels, temperatures,etc.).

PERSONNEL ERRORS A. During normal outage activities, errors of omission and commission have been caused or exacerbated by:

o misunderstanding of procedures, instructions and tasks, o unfamiliarity with equipment or tasks, o lack of understanding of importance of tasks and the interfaces with other o,igoing tasks or activities, o accidents (bumping or dropping equipment),

o inadequate training.

B. During casualty identification and recovery activities, recovery times have been adversely impacted by:

o operator unfamiliarity with instrumentation used for diagnosis and/or recovery techniques, o operator unfamiliarity with other ongoing activities, o inadequate operator training.

s PLANNING For both normal outage activities and casualty activities:

o emphasis seems to be on minimizing outage time and meeting technical specification requirements (LC0's, etc.), not on equipment or system interactions, o interactions between simultaneous activities may not be factored into the task assignments or procedures (e.g.,

jumpering, blocking of circuits, and taking equipment out of service may not be accounted for).

Although the loss-of-DHR events associated with inadequate RCS inventory usually involved failures or inadequacies of equipment associated with liquid level measurement, we viewed them as having been caused by human factors since most of these events represented breakdowns of the man / machine interface. These events typically resulted from inadequate and/or improperly placed instrumentation, annunciators, alarms, inadequate monitoring procedures,-inadequate training associated with level measurement

! system operation, or operator error.

Some of the most significant events involving human factors occurred while the primary coolant system was partially drained and the operators were misled on the status of coolant inventory by inaccurate liquid level instrumentation. In many cases, the level instrumentation devices were incorrectly calibrated, or were makeshift apparatus which were prone.to L

failure and measurement errors (e.g., tygon tube sight gages). In most events of this type, the operators did not have advance warning of an inventory problem. A frequently observed scenario was one in which the RCS was drained down to the point where there was inadequate NPSH or' air entrapment in the DHR pump. As a result, the DHR pump cavitated, could not deliver the design coolant flow, or even became air 50und. The first symptoms were usually increases in pump noise and changes in pump motor current which were caused by inadequate suction head and cavitation. In many events, the operators diagnosed the problem as a pump problem when the cause was actually an inventory problem. As a result, in many cases, the operators activated the redundant pumps only to find that they also malfunctioned. It should be noted that continued operation of a DHR pump with inadequate NPSH or a closed suction valve could result in DHR pump failure.

Appendices A and B contain descriptions of eighteen events which occurred in 1982, 1983, and 1984 which involved insufficient inventory and subsequent pump problems. Between 1976 and 1984 there have been ten events wLere the .

operators required about an hour or more to restore operability of the air or vapor bound pumps. Most of the longer duration events occurred before 1982. In 1984 there were at least six inventory loss events, two of which lasted more than an hour.

With regard to the lack of information available to operators during DHR operations, we note that many plants do not have (or have improperly placed) annunciators to warn of low NPSH or low flow. For example, in Reference 16,

Diablo Canyon reported a DHR pump failure after operating for about an hour with a closed suction valve.

Regarding inadequate procedures and training for mitigation, or recovery from a DHR system loss, we note that in a recent LER (Ref. 17) Zion I reported a 45 minute loss of the DHR systcm due to draining of the primary system to a level below the DHR pump's suction line. The LER implied that there was no procedure available for this event. The licensee stated that "a procedure for loss of RHR will be prepared," and "a procedure for a loss of RHR will be written to provide guidance in the proper actions to be taken in the event of an indicated loss of RHR."

Subsequent oiscussions with operators at several plants that have experienced significant losses of DHR have indicated that plant personnel do not have adequate information about the time margins available for recovery from loss-of-DHR events prior to reaching bulk boiling, core uncovery or some other safety related threshold (i.e., tables or graphs showing time to reach bulk boiling or core uncovery as a function of time after reactor trip

-- such as that shown in Figure 4).

. ~ - . .. .

A poignant example of many of the aforementioned human factors concerns (e.g., procedures and man-machine interface) is documented in a recent NRC inspection report, (Ref. 18), from which excerpts are reprinted below).

" Licensee Monitoring of Core Cooling Parameters During Mode 6 Operation The NRC resident inspector expressed concern over the adequacy of surveillance practices provided by the licensee for monitoring-proper core cooling during extended periods in which the Unit 2

reactor vessel was partially drained with the closure head detensioned.

...the reactor vessel was drained to the middle of the hot leg nozzle, which provides approximately six feet of water above the top of the core.

... Depending on the prior core pcwer history and the length of time between reactor shutdown and head detensioning, core decay heat could be sufficient to boil the available water cover within a very short period of time (several hours) if proper core cooling were not maintained. This vulnerable state of plant condition forms the basis for NRC concern.

Considering the plant conditions noted above, the following points were noted with respect to licensee monitoring of important core cooling parameterst

1) There is no reactor vessel water level indication or alarm In the control room. The only current requirement for monitoring vessel water level is to monitor a temporary standpipe installed in containment on a once-per shift basis.

This could involve up to 16 hours1.851852e-4 days 0.00444 hours 2.645503e-5 weeks 6.088e-6 months between water level observations.

2) There is no core cooling flow alarm in the control room.

Core cooling flow indication is available in the control rcom; however, it is only required to be monitored once a shift.

3) There is no direct reactor vessel water temperature indication or alarm in the control room. Available reactor coolant temperature instruments are located in stagnant portions of the coolant loop and not in the shutdown cooling flow path.

... Based on the limited availability of instrumentation or alarms in the control room and the infrequently required monitoring of key core cooling parameters by operations personnel, the NRC resident requested the licensee to evaluate these concerns and identify what action is considered warranted.

The licensee acknowledged the NRC concerns and took action to increase the monitoring of core cooling flow to every two hours until the refueling cavity was flooded. The licensee agreed to further evaluate the specific NRC concerns from the standpoint of the adequacy of control room instrumentation and surveillance procedures."

(EmphasisAdded)

T

.p --

- . - - , _ - r - - - -

4.2 Equipment Failures Our analysis and evaluation of the operating data revealed that failure of equipment, such as pumps, valves, relays, etc., were the underlying or root causes of more than one-quarter of the DHR system failures (35 of 130).

The data showed that almost all of these 35 events involved random single failures which occurred while the plants were in modes 5 or 6. The redundant DHR trains were frequently unavailable due to testing, maintenance or repairs as allowed by plant technical specifications. We believe that

r there were very few DHR loss events during mode 4 because only a small time of each shutdown is spent in mode 4, and because'many of the test, maintenance and repair activities associated with plant shutdown are not initiated until the plants are in modes 5 or 6.

We note that in a generic letter (Ref. 19), NRR required all operating PWRs to modify their plant technical specifications to " provide for redundancy in decay heat removal capability in all modes of operation." To date, all but

..six plants have-modified-their-technical specifications to meet-the requirements of the generic letter. (Those six plants are Crystal River, Indian Point 2 and 3, Palisades, Rancho Seco, and TMI-1). Although, the technical specifications required by the generic letter decreased the likelihood of DHR loss due to single failures, they did not fully assure DHR redundancy during all DHR modes. , Implementing the technical specifications that were included with the generic letter do not prevent a licensee from disabling a train'of~ DHR during times of high DHR heat load.

For example:

a. The generic letter permits the plants to have only one train of DHR operable during periods of high risk i.e., high decay heat load during mode 4 and the early stages of mode 5.

b. Licensees were not required to formulate detailed casualty procedures for loss-of-DHR and train their staff in their use.

We note that NSAC's study of DHR operating experience (Ref. 3) suggests that both DHR trains should be operable during the time of high decay heat (the few hours that the plants are in hot shutdown mode and the first few days of cold shutdown). We endorse NSAC's concern for having such redundant DHR capability available during times of high decay heat.

4.3 Technical Specification Deficiencies Our review of loss-o'-]HR events identified the potential for increased risk due to inadequate technical specifications, specifically concerning the necessary conditions required for the determination of " cold shutdown," and the absence of a requirement for vessel level monitoring equipment.

4.3.1 Mode Definition /Early Disabling of Equipment An early loss of the DHR system could effectively place the plant in a degraded mode while the plant has a higher decay heat generation rate, l

resulting in a shorter time available for a safe recovery. For example, the following scenario .is currently possible:13

a. During plant shutdown, mode determination is based upon " average coolant temperature." However, " average coolant temperature" is not defined in the standard technical specifications. Thus, by selecting an inappropriate temperature to determine " average coolant temperature" an inaccurate and premature mode determination could result.

b. Once a plant is declared to be in " cold shutdown" (mode 5) plant personnel may disable redundant equipment and initiate maintenance, surveillance or repair activities and the DHR system may consist of only one operable train.

I

c. the plant becomes highly vulnerable to losing the DHR system due to a single component failure.

As noted in Table 1, standard t<-hnical specification definitions of

. . .- _ _. operational modes-depend upon " average coolant" temperature." However,

" average coolant temperature" is not defined in the standard plant technical specifications. In an AE0D survey of resident inspectors at the operating B&W plants, it was learned that the B&W plants are not consistent in the 13 We are unable to ascertain if this scenario has actually occurred thus fa r. However, review of operating data leads us to believe that the likelihood of occurrence is high.

methods they use to determine when cold shutdown conditions have been achieved. Most of the plants depend upon only one temperature measurement to make a mode determination. Some of the temperature readings that the B&W licensees use to determine when cold shutdown is achieved are:14 '

o Cold leg temperature o Hot leg temperature o DHR pump outlet temperature o DHR pump suction line temperature o DHR return line temperature However, we note that a reading of only one of these temperatures does not provide a valid indication of " average coolant temperature." Operating experience has shown that for B&W plants on DHR cooling, the " average primary coolant temperature" can be much higher than many temperatures being used for mode determination (Refs. 20 through 24). The hot leg temperatures,15 especially near the top of the candy canes, the coolant in the reactor upper head region, in the pressurizer, and the pressurizer surge line may be at substantially hotter temperatures than the temperatures being used for mode determination. As a result of a premature designation of cold shutdown, it is quite likely that plant personnel may disable safety systems 14 We have not canvassed resident inspectors at other PWRs; however, CE and W standard technical specifications define operational modes in a simitar manner, and do not define " average coolant temperature".

15 Except for the area of hot leg U bends (J legs or candy canes) which is unique to B&W plants, most of this discussion is also germane to PWRs cesigned by CE and }{.

and defeat DHR system redundancy in order to initiate test, maintenance and repair operations which are allowed during cold shutdown, prior to actually achieving cold shutdown conditions. In essence, safety-related equipment which may be required during hot shutdown conditions may be bypassed *or disabled prior to actually establishing the conditions required for their disablement.

We note that if some of the loss-of-DHR events had occurred while the primary coolant system temperature was higher, and the decay heat generation rate was higher, less time would have been available for recovery and core uncovery could have been reached. From the operating experience and our calculations, it appears that the risks associated with the loss of DHR can be significantly increased by the premature initiation of cold shutdown and concomitant test, maintenance, and repair operations.

4.3.2 Absence of requirements for RCS level measurement during shutdown In addition to the 25 DHR losses which resulted from inadequate RCS inventory through 1983, our review of operating data has shown that there

_ . were at-least six more events in 1984. Those loss-of-DHR events involved incorrect or faulty level measurement of a drained RCS. Some of those loss-of-DHR events were of long duration (40 minutes to two hours) because of the time required to restore the air or vapor bound DHR pumps. Our review of plant specific technical specifications revealed that there are no technical specification requirements addressing RCS level measurement (equipment or procedures) during shutdown. We consider the absence of such l

L I

requirements, especially during RCS draindown, a significant tachnical i

specification deficiency.

4.3.3 Omissions Regarding Equipment Operability In the course of performing this case study, we reviewed the technical specifications of many plants. That review revealed that the technical specifications at Oconee 1, 2 and 3 are incomplete with regard to shutdown modes and DHR system operability requirements; i.e.,

the technical specifications for the Oconee plants do not define operation with RCS average temperature between 200*F and 525 F,

, and do not address DHR system IO operability requirements during all shutdown modes.

Our review of several other plants technical specifications did not uncover omissions which are similar to those of the Oconee plants. However, we are not sure that there are no other operating plants having similar omissions.

f l-16 The Oconee plants' technical specifications refer to the DHR system as the LPI (Low Pressure Injection) system.

< l 5.0 FINDINGS AND CONCLUSIONS U.S. PWR experience has shown that during about 500 reactor years of

< operation there have been 130 losses of operating DHR systems (0.25 event 4

per reactor year). Some of those events lasted for several hours.

The operational data clearly indicates that human factors were the root cause of most of the loss-of-DHR events that have occurred at U.S. PWRs through 1983. Inadequate procedures and operator / technician errors during testing, surveillance, maintenance, and repair operations were the root causes of almost two-thirds of the loss-of-DHR events.

As noted in section 2.2, review of operational data, licensee submittals, and our scoping calculations all indicate that primary system boiloff and core uncovery can occur during certain events within a few hours after loss of the DHR system. The situation can be especially acute if the RCS is partially drained, or the loss occurs during the first several days of plant shutdown. Fortunately, the plants have recovered from the loss of DHR

~ --

events'that have occurred thus far, before sustaining serious consequences.

In addition, under certain conditions, primary system pressurization could l occur at all types of U.S. PWR plants within 30 to 60 minutes after losing the DHR system. Such pressurization could challenge the LTOP protection equipment. An extended failure to restore the DHR function could result in a small break LOCA, with primary system boiloff at the LTOP relief valve setpoint pressure. Continued boiloff could lead to core uncovery in as few as 2 to 3 hours3.472222e-5 days 8.333333e-4 hours 4.960317e-6 weeks 1.1415e-6 months .

In view of NSAC's ongoing probabilistic risk assessment (PRA) of loss-of-DHR events and in view of the large uncertainty associated with the quantification of human factors events (human factors being the dominant cause of the DHR system loss events), we have not performed a risk assessment of DHR system losses. We view the many loss-of-DHR events which have occurred at PWRs thus far (one loss-of-DHR event every four (PWR) reactor years, which equates to more than a dozen such events each calendar year) as a significant group of precursors. We conclude that corrective actions are required to minimize the probability and consequences of DHR losses.

As noted in section 3.1 we have been unable to detect a significant improvement in DHR loss experiences. If licensees were to incorporate the lessons learned from previous loss of DHR experiences, especially the recommendations provided in NSAC-52, we would expect to see improvement in DHR loss experience. However, the absence of such improvement and the descriptions of recent DHR loss events lead us to conclude that many licensees may not be incorporating NSAC-52's recommendations.

5.1 Human Factors Considerations From our analysis and evaluation of operational data, we conclude that many plants do not pay adequate attention to the human factors aspects of plant operations, testing, surveillance, and maintenance, during plant shutdowns.

As shown in Table 4, and as illustrated by the data appearing in Appendices A, B, and C, faulty procedures, and operator / technician errors

associated with plant shutdown operations were the underlying or root causes of almost two-thirds (84 of the 130) loss-of-DHR system events.

Based on discussions with plant personnel, reactor inspectors, and operating data we conclude that the techniques used for planning and coordination vary widely from plant to plant and are frequently inadequate. Most plants have outage planning groups which look at outage scheduling from the standpoint of schedule and hardware availability. However, equipment and system interactions associated with ongoing test, surveillance, and maintenance activities do not necessarily receive adequate planning or attention unless there is a particular technical specification requirement associated with it.

With regard to the man-machine interface associated with DHR system operation and malfunctions, we found that for many plants:

a. Existing procedures and equipment associated with RCS level monitoring during plant shutdowns are frequently inadequate and are failure prone. Inadvertent and undetected reduction of RCS inventory is a potentially'significant contributor to' risk, associated with loss of DHR when the RCS is partially drained (25 events through 1983, and at least six more events in 1984). We conclude that more reliable instrumentation and procedures should be used to reduce the frequency and, thus, the risk due to inventory problems leading to loss-of-DHR events.

. . 1

. 1 j

l

b. Operator aids are not readily available to assist in the detection of abnormal plant behavior while the plant is in modes 4, 5 and 6. I Instrument alarms and annunciators are not conveniently located to enable the operators to integrate them into normal and emergency procedures. In addition, operator aids are not available to enable operators to trend RCS and DHR system parameters during loss-of-DHR events (e.g., temperatures, pressures, flows, etc.).

We were informed by a reactor operator that during a recent DHR loss event, he had to rely upon his stopwatch and graph paper to determine how much margin was available prior to bulk boiling in the reactor. Time margin information such as that depicted in Figure 4 is not generally available to operators to assist them in recovering from loss-of-DHR events (plot or table of time after DHR loss until bulk boiling or uncovery begins as a function of time after rod insertion at which DHR loss occurs).

c. Operators usually are not provided with/or trained in the use of emergency procedures associated with casualties which occur during modes 4, 5 and 6. Specifically, emergency procedures for loss-of-DHR involving RCS level loss, pump failures (air or vapor binding), valve misalignment, DHR leakage, RCS leakage, boron dilution, inadvertent system heatup or pressurization, etc.

d. Based upon the corrective actions taken after loss-of-DHR events, we conclude that plant personnel, especially nc., iicensed operations and maintenance staff are not sensitized or fully aware of the risks associated with their activities during plant s._. .

l l

shutdown. The risks during times of high decay heat rate, drain and fill operations, and during operations in which redundant equipment is disabled do not appear to be fully appreciated by all plant personnel.

5.2 DesignConsiderations-FlowPathfromtheRCStotheDHRSNtem 5.2.1 Double Drop Line Configuration From our evaluation of the operating data, we conclude that adding a second drop line to provide a redundant DHR suction flow path will not result in a significant improvement in DHR system reliability and availability.

Furthermore, the double drop line configuration may result in an overall increase in risk due to the increase in the probability of Event V. As an alternate to the double drop line configuration, a suction bypass line (as discussed in Section 2.1) may provide a less expensive, and possibly safer (when considering Event V) method for improving DHR availability. We concluded that the use of a DHR suction bypass line would have contributed significantly to mitigating the September 1981 Oconee 2 event which resulted in significant onsite contamination end an-extensive outage (see section -

3.1). The suction bypass line would have introduced an alternate DHR flow path enabling a more rapid cooldown, thereby reducing the amount of leakage contamination and down-time. The use of a suction bypass line would also have contributed to mitigating the May 14, 1984 Ginna event (see Appendix B).

5.2.2 Inadvertent Closure of DHR system Suction / Isolation Valves As noted in Section 2.2, closure of DHR system suction / isolation valves shortly after initiation of the DHR system could result in a LTOP challenge to the RCS at PWRs within 30 minutes, with core uncovery occurring as early

~

as about two to three hours after valve closure.

Operating data has shown that for DHR system operation, removal of power or removal of the autoclosure interlocks to the DHR suction / isolation valves can be a safe effective method for preventing spurious suction / isolation valve closure.17 This design assumes that overpressure protection for the DHR system is provided by the DHR system relief valve. Since all plants do not have adequate relief through the DHR system, additional relief capacity may be necessary prior to removing power or the autoclosure interlocks to the suction / isolation valves.

4 17 As part of task A-45, NRR requested Sandia to perform a probabilistic assessment of DHR systems. Sandia's preliminary analysis indicates that for the PWR reviewed, the combined risk from DHR loss and Event V is decreased by removing the autoclosure interlocks to the suction isolation valves.

4 5.3 Technical Specification Deficiencies 18 5.3.1 Mode Definition /Early Disabling of Equipment We found that most plants' technical specifications are imprecise with regard to the designation of plant operating modes because the average coolant temperatures are undefined. As a result, a premature designation of cold shutdown is possible, and thus equipment can be disabled or bypassed and DHR redundancy eliminated during conditions of high decay heat load. As noted in Section 4.3, it is possible to enter a condition in which equipment.

may be bypassed prior to properly establishing the conditions required for the bypass. Thus, the plant is more vulnerable to loss-of-DHR due to a single failure, and with the higher decay heat, improper mode definition can reduce the time available to prevent core uncovery.

We conclude that regulatory action should be taken to assure the proper definition of shutdown mode, and assure DHR redundancy during periods of high decay heat load.

18 These deficiencies may be viewed by some as human factors type deficiencies because of their impact upon plant operating procedures, etc.

5.3.2 Absence of Requirements for RCS Level Measurement During Shutdown Our review of technical specifications concluded that the lack of requirements for RCS level measurement and monitoring during shutdown and draindown is a significant generic safety deficiency. Considering that:

a. there have been a significant number of long duration DHR losses involving inadequate RCS level in recent years (including six in 1984), and

b. the times available for recovery prior to reaching unsafe conditions are relatively short, we have concluded that regulatory action should be initiated to ensure reliable RCS level measurement.

5.3.3 Omissions Regarding Equipment Operability As noted in section 4.3.3, our review found three plants' technical specifications to be incomplete with regard to shutdown modes and DHR system operability requirements. We are not sure that there are no other plants that have similar omissions. Furthermore, the plants having those deficiencies have been determined to meet the requirements of NRR's generic DHR letter (Ref. 19). We are unable to ascertain why the deficient i

technical specifications have not yet been modified, and we question if there are other plants that have been determined to meet the requirements of the generic letter - but also have similar deficiencies.

i i

i

- - --.-.-- --,y- - -~ - --,

6.0 RECOMMENDATIONS

1. AE0D recomends that NRR assess the need for NRC requirements to improve planning, coordination, procedures, and personnel training during shutdown to ensure the availability of DHR We believe that significant improvements in DHR system availability and reliability can be achieved by focusing upon human factors aspects of plant shutdown. We recognize the fact that NRR is initiating a generic maintenance and surveillance program to look into some of these issues (Ref.

25). We recommend that, as part of that effort, NRR should review industry practice and determine if guidelines or specific requirements are necessary to ensure plant safety during DHR system operation. Emphasis should be placed upon detailed planning of test, surveillance and maintenance activities, and the equipment or system interactions which have frequently caused loss of DHR systems. ..

In addition, plant practices regarding the procedures and training of personnel for performance of normal (non-emergency) operations durinq

~

shutdown should be evaluated. For example: all operations and maintenance staff (licensed and non-licensed) should receive training to assure that they become sensitized to the risks associated with plant shutdown.

Emphasis should be placed upon understanding the risks and high vulnerability associated with times of high decay heat rate, drain and fill operations, disabling redundant safety equipment, etc.

2. AEOD recomends that NRR require PWR licensees to have a reliable method of measuring and monitoring reactor vessel level during shutdown modes of operation and corresponding technical specification requirements for operability.

Comon industry practice using unanalyzed makeshift devices such as failure prone tygon tube sight gages to monitor RCS level during plant shutdown should.be modified /or discontinued. We recomend that NRR require the licensees to use reliable, RCS level moritoring instruments during modes 4, 5, and 6. Consideration should be given to requiring redundant level indication during modes 4, 5 and 6 to ensure availability of trending data, and to warn operators in advance of unacceptably low RCS level. In addition, plant procedures should be modified to assure that the frequency of RCS level monitoring is comensurate with plant status (e.g., as noted in section 4.1, one plant could have monitored vessel level as infrequently as once every 16 hours1.851852e-4 days 0.00444 hours 2.645503e-5 weeks 6.088e-6 months , whereas fuel uncovery could occur only a few hours after a loss of DHR.) As a minimum, each plant's safety review comittee should r,eview the instrumentation and procedures used for RCS level measurement during modes 4, 5 and 6 to ensure that a high level of reliability is achieved.

3. AE00 recommends that NRR require the licensees to improve the man-machine interfaces related to DHR operation.

We recognize that all DHR losses cannot be totally eliminated by good

. planning, good procedures, well-trained personnel, etc. We believe that if f

all licensees would perform human factors analyses of their plants' DHR

operations, (including normal and abnormal conditions), and modify their plant practices and man-machine interfaces accordingly, the risks from DHR losses would be significantly reduced. A model,to use for such human factors analyses is one used by NRR (Ref. 26). Reference 26 requires licensees to perform specific task analyses, and to integrate instrumentation, alarms and annunciators into normal and emergency procedures for transients and accidents occurring during power operation. As a minimum, we recommend that NRR consider requiring licensees to perform human factors reviews as described in Reference 26, but extend them to shutdown operations, with emphasis on detection and mitigation of loss of r

DHR events.

The operators should be provided with information (such as Figure 4) outlining the time margins available for recovery from postulated loss of DHR events as a function of time from reactor trip for a representative set of DHR loss transients. Examples of such transients being: primary system filled at maximum DHR system temperature; primary system drained to minimum level and open to the atmosphere, RCS at refueling temperature, etc.

Information on time margins available would assist operators in recognizing

! the potential seriousness of the event, and assist them in choosing appropriate methods for restoration of the DHR function.

l

4. AEOD does not recommend changing the design of DHR systems to include redundant drop lines.

r Based upon our analysis of the suction / isolation valve closure logic at plants having redundant drop lines, and operating data from the Summer plant l

l _ _ _ _ _

we do not recommend adding a second dropline to plants that now have a single dropline configuration. Such a design change is being condidered as part of A-45. However, if NRR's A-45 task concludes that a single dropline configuration is unacceptable, and additional rdliability is required, it is recommended that NRR consider a smaller diameter DHR suction bypass line as a possible alternative. The bypass line configuration which we believe worthy of consideration is one with remotely operated valves to which power is locked out (actuation to be performed outside containment), with manual overrides (inside containment) to provide additional assurance of their opening in the event of motor or power source problems. This design would represent an improvement over the Davis-Besse design which cannot be operated from outside containment. (See Sections 2.1 and 5.2.1)

5. AEOD recommends that NRR consider removing the autoclosure interlocks to minimize loss-of-DHR events In order to prevent inadvertent DHR suction / isolation valve closures (during DHR system operation) it is recommended that NRR consider either requiring the removal of the autoclosure interlocks to the DHR suction / isolation valves, or requiring removal of power to the DHR suction / isolation valves when valve motion is not required. Prior to implementing this recommendation, it is necessary to ensure that there is adequate relief capacity to prevent overpressurization of the DHR system. (SeeSections2.2 and 5.2.2). NSAC-52 (Ref. 3) had a similar, but less stringent recommendation that the automatic suction valve closure circuits be blocked only when the vessel head is removed.

.a

l

6. AEOD recommends that NRR's technical specification improvement program address the issue of DHR system redundancy to ensure that the DHR system is available during Mode 4 and the early stages of Mode 5.

In Section 4.2, we noted that even though NRR's generic letter on DHR-addressed DHR system redundancy, plant technical specifications do not require DHR redundancy throughout periods of high risk (mode 4 and the early stages of mode 5). We also noted that test, maintenance, and other shutdown activi, ties can be initiated during these periods. As a result, there is a high likelihood that a DHR loss could occur at a time when the risk is highest. Upon considering operational data, and the plant practices, we believe that regulatory action is necessary to minimize the possibility of DHR losses during periods of high risk (early in shutdewn).

We recommend that NRR's technical specification improvement program address the DHR system operating requirements so that licensees modify plant technical specifications to:

a. assure all plants have proper shutdown mode definitions (as discussed in Sections 4.3 and 5.3) and,

b. to ensure that both trains of the DHR system are operable during mode 4 and the early stages of mode 5. (Presently,thegeneric 1etter permits one train to be inoperable during this time).

i NSAC-52 (Ref. 3) had similar recommendations for achieving DHR availability.

l Since the frequency and duration of loss-of-DHR events have not greatly i

l l

l t

1 improved following the issuance of that report, we believe that technical specification modifications are necessary to ensure adequate redundancy. In addition, we feel that an infomation notice should be issued to

~

re-erophasize to the licensees the overall safet significance associated with the operation of the DHR systems.

r 4

.. . .. - . - - - - . .., .- , . . . _ _ , - . , . - , - - , . . - , , . - . , . - - , n-.

7.0 REFERENCES

1. U.S. Nuclear Regulatory Commission, " Reactor Safety Study - An Assessment of Accident Risks in U.S. Comercial Nuclear Power Plants" WASH 1400 (NUREG-75/014), October 1975.19

2. J.A. Haried, Oak Ridge National Laboratory, " Evaluation of Events Involving Decay Heat Removal Systems in Nuclear Power Plants," USNRC Report NUREG/CR-2799, July 1982.19

3. Nuclear Safety Analysis Center / Electric Power Research Institute,

" Residual Heat Removal Experience, Review and Safety Analysis, Pressurized Water Reactors," NSAC-52, January 1983. Available from Research Reports Center (RRC) Box 50490, Palo Alto, CA 94303.

4. U.S. Nuclear Regulatory Commission, " Standard Technical Specifications for Babcock and Wilcox Pressurized Water Reactors," (NUREG-0103 Rev. 4), Revision of Fall 1980.19

5. Letter from H. B. Tucker, Duke Power Company, to H. R. Denton, NRC,

Subject:

Catawba Nuclear Station Docket Nos. 50-413 and 50-414, dated October 13, 1983.19

6. Tennessee Valley Authority, Licensee Event Report (LER) 50-328/83-101 Sequoyah 2 Nuclear Power Plant, dated August 18, 1983.20

7. U.S. Nuclear Regulatory Commission Region IV, Daily Report, August 31, 1984. 20 19 Available for purchase from National Technical Information Service, Springfield, VA 22161.

20 Available in the NRC Public Document Room at 1717 H Street, N.W.,

Washington, D.C. 20555 for inspection and copying for a fee.

I

8. Arkansas Power and Light Compny, Licensee Event Report (LER)50-368/84-023, Arkansas Nuclear One - Unit 2, dated October 1, 1984.21

9. Telephone Discussion between D.B. Lomax and J. T. Enos, Arkansas Power and Light Company, and H. L. Ornstein, NRC, November 9,1984.

10. Indiana and Michigan Electric Company, Licensee Event Report (LER) 50-316/84-014, D. C. Cook Unit 2, dated June 22, 1984. 21

11. Letter from R. J. Rodriguez, Sacramento Municipal Utility District, to J. F. Stolz, NRC,

Subject:

Docket No. 50-312 Rancho Seco Nuclear Generating Station Unit No. 1. Low Temperature Overpressurization Protection (LTOP) Setpoint, dated February 15, 1984. 21

12. U.S. Nuclear Regulatory Commission, " Report to Congress on Abnormal Occurrences, April - June 1980," NRC - (NUREG-0090, Vol. 3, No. 2),

November 1980.22

13. U.S. Nuclear Regulatory Commission, Office of Inspection and Enforcement, Bulletin No. 80-12: " Decay Heat Removal System Operability," May 9, 1980. 21 w

14. Duke Power Corporation, Reportable Occurrence Report R0-270/81-17, Oconee 2, dated November 13, 1981.21 ,

15. Institute of Nuclear Power Operations, " Analysis of Steam Generator Tube Rupture Events at Oconee and Ginna,"82-030, November 1982.

21 Available in the NRC Public Document Room at 1717 H Street, N.W.,

Washington, D.C. 20555 for inspection and copying for a fee.

22 Available for purchase from National Technical Infortnation Service, Springfield, VA 22161.

J

16. Pacific Gas and Electric Company, Licensee Event Report (LER) 50-275/

84-004, Diablo Canyon Unit 1, dated February 2, 1984, 23

17. Commonwealth Edison Company, License Event Report (LER) 50-295/84-031, Zion Unit 1, dated October 16, 1984.

18. U.S. Nuclear Regulatory Commission, Inspection Report No. 50-206/84-04, 50-361/84-27,50-362/84-28, San Onofre Nuclear Generating Station, December 21, 1984.

19. U.S. Nuclear Regulatory Commission, " Generic Letter to All Operating Pressurized Water Reactors (PWR's)" from D. G. Eisenhut, June 11, 1980.

20. U.S. Nuclear Regulatory Commission Inspection Report 50-269/81-14, 50-270/81-14, and 50-287/81-14, Oconee Facility, July 23, 1981.

21. Letter from W. O. Parker, Duke Power Company, to J. P. O'Reilly, NRC,

Subject:

Oconee Nuclear Station, Docket No. 50-269, July 31, 1981.

22. Nuclear Safety Analysis Center / Institute of Nuclear Power Operations.

" Steam Voiding in the Reactor Coolant System During Decay Heat Removal Cooldown " Significant Event Report 91-81, October 26, 1981.

23. Florida Power Corporation Inter-office Correspondence - Operations Advisory from P. F. Mckee (Nuclear Operations Superintendent) to Licensed Operators, April 21, 1981.

24 U.S. Nuclear Regulatory Commission, Office of Inspection and Enforcement, Circular No. 81-10: " Steam Voiding in the Reactor Coolant System During Decay Heat Removal Cooldown," July 2, 1981.23 23 Available in the NRC Public Document Room at 1717 H Street, N.W.,

Washington, D.C. 20555 for inspection and copying for a fee.

~

25. Memorandum from H. L. Thompson, Jr., NRC to H. R. Denton, " Maintenance and Surveillance Plan," August 2, 1984.24

26. U.S. Nuclear Regulatory Commission, " Clarification of TMI Action Plan Requirements," II.F.2 Instrumentation for Detection of Inadequate Core Cooling,(NUREG0737), November 1980.25 i

l 24 Available in the NRC Public Document Room at 1717 H Street, N.W.,

Washington, D.C. 20555 for inspection and copying for a fee. ,

r f 25 Available for purchase from National Technical Information Service, Springfield, VA 22161.

L--______-____ _ _ _ _ _ _ _ _ _ _ _ _ _ - - _ - -_ _ _ _ _ _ _ _

Appendix A Loss of DHR Systems at U.S. PWRs During 1982 and 1983 Plant- Date Docket # LER # Description of Event Ginna 04/12/83 50-244 83-015 Air Binding of RHR pump (12 min. loss)

Ginna 05/01/83 50-244 83-017 Filling reactor refueling cavity - low RWST. Secured "A" RHR pump - Suction valve on operating "B" pump was closed.

(Duration of event unknown) a Turkey Point 3 10/07/83 50-250 83-018 Flow restriction on component cooling water discharge valve on RHR heat exchanger.

(Duration of event unknown)

Turkey Point 3 10/08/83 50-250 83-019 Procedural error during surveillance testing resulted in closure of suction / isolation valve (6 min. loss).

i i Salem 1 03/16/82 50-272 82-015 Vital bus tripped. Component a cooling water and service water were lost. Redundant trains were out for maintenance.

i (45 min. loss).

t

Plant Date Docket # LER # Description of Event .

Surry 1 05/17/83 50-280 83-024 Inaccurate standpipe level indication - low RCS level, RHR pump cavitated. (Duration of event unknown)

Zion 1 03/17/82 50-295 82-011 Inadvertent (contractor person-nel) opening of inverter output breaker caused closure of the RHR pump suction valve. (3 min. loss)

Salem 2 05/14/83 50-311 83-024 RHR suction valve closed during (2 events) 05/15/83 operation. (Duration of events unknown)

The 05/14/83 event was triggered by a vital instrument bus which was de-energized for maintenance; the 05/15/83 event was triggered by a failed comparator.

Salem 2 05/24/83 50-311 83-025 RHR pump trip caused by logic /

circuitry problem on the " safe-guards equipment control" (SEC) system. (Durationofevent unknown)

Salem 2 06/23/83 50-311 83-031 Loss of RHR pump due to spurious (2 events) actuation of the SEC system.

(Duration of event unknown)

cv 68 -

Pla,nt Date Docket # LER # Description of Event Salem 2 06/23/83 50-311 83-032 Failed gasket in joint down-stream of check valve flooded

. the service water bay. Lost all service water, RHR pumps, diesels, etc. (Duration of event unknown)

Salem 2 11/28/83 50-311 83-062 Vital bus transfer caused voltage spike which resulted in closure of suction / isolation valve. (Duration of event unknown)

Salem 2 12/20/83 50-311 83-066 Loss of vital bus - due to personnel error resulted in closure of suction / isolation valve (22 min. loss).

Rancho Seco 06/24/82 50-312 82-015 Simultaneous test and maintenance caused failure of bus, closure of the suction / isolation' valve, and-loss of DHR flow. (Duration of event unknown)

Calvert Cliffs 1 05/17/82 50-317 82-026 Spurious opening of breaker from the operating DHR pump (2 min. loss).

Plant Date Docket # LER # Description of Event Calvert Cliffs 1 10/12/83 50-317 83-061 Inadvertent isolation of shut-down cooling - caused by not ,

deactivating isolation system when performing a hydro test 2

on instrument sensing lines (30 min. loss).

Calvert Cliffs 2 11/22/82 50-318 82-053 Technician incorrectly de-energized a power supply panel; caused closure of a DHR return valve.

(4 min. loss).

Calvert Cliffs 2 11/24/82 50-318 82-054 DHR lost due to a failed power supply. (Durationofeventunknown).

Calvert Cliffs 2 12/28/82 50-318 82-055 Vital inverter failed, caused an isolation of the DHR return line. (Duration of event unknown).

Calvert Cliffs 2 01/04/83 50-318 83-001 Inverter tripped during surveillance testing - caused isolation of the DHR return line. (15 min loss).

Calvert Cliffs 2 01/07/83 50-318 83-005 Test procedure error. Operating DHR pump stopped due to test of recirculation actuation signal

. (9 min. loss).

~

l i

i i

_ _ _ . _ . ~ . . _ . _ _ _ _ _ _ _ _ _ . . _ _ _ _ _ . _ _ _ . . _ . . . _ _ _ _ _ _ _ _ _ _ _ . , _ .

I

4 Plant Date Docket # LER # Description of Event Sequoyah I g9/16/82 50-327 82-116 Power was removed to allow modification work on solid state protection system; RHR suction valve closed. (Duration ofeventunknown)

Sequoyah 2 08/06/83 50-328 83-101 False RCS level indication by makeshift tygon tube and rubber hose level instrument. RCS temperature rose from 103 F to 195 F in 77 min. Plant had been shut down 18 days earlier.

Beaver. Valley 1 05/12/82 50-334 82-018 Failure to start RHR pump due to circuit breaker problem. RHR pump that had been operating was erroneously sicured prior to attempt to startup idle pump. (2 min. loss)

Beaver Valley 1 06/29/83 50-334 83-020 Construction worker made an error in making a design modifica-tion. De-energized bus feeding RHR pump - faulty procedures and communications between shifts (92sec. loss).

71 -

Plant Date Docket # LER # Description of Event St. Lucie 1 03/29/83 50-335 83-021 Cons.truction workers shorted a power supply causing closure of DHR suction / isolation valves (10 min. loss).

Millstone 2 01/06/82 50-336 82-002 Technician error during a pre-ventive maintenance test resulted in loss of a vital instrument panel, and autoclosure of the suction /isciationvalves(7 min.

loss).

North Anna 1 10/19/82 50-336 82-067 RCS drained to below centerline (2 events) 10/20/82 of hot leg nozzles. RHR suction was lost because of low RCS level and incorrect level indication.

, (10/19/8236 min. loss; 10/20/82, 33 min. loss).

l North Anna 1 01/22/83 50-338 83-003 Failed inverter, caused RHR suction / isolation valve to close (4 min loss).

North Anna 1 02/18/83 53-338 83-009 Both RHR pumps were cavitating.

Cause not determined (5 min.

loss).

Plant Date Docket # LER # Description of Event North Anna 2 05/20/82 50-339 82-026 Lost suction to RHR pumps due (3 events) to draining of RCS and erroneous level indication (8 min., 26 min. , I hr. losses).

North Anna 2 04/14/83 50-339 83-023 Operator inadvertently opened a breaker, causing RHR suction /

isolation valve to close (<1 min loss). .

_ North Anna 2 04/29/83 50-339 83-036 Loss of vital bus. RHR suction /

isolation valve closed. Caused by maintenance personnel con-ducting a test as loads were being transferred (<1 min. loss).

North Anna 2 05/03/83 50-339 83-038 Inadequate monitoring of RCS level.

Loss of RHR pump suction. (Duration ofeventunknown)

Farley 2 09/28/83 50-364 83-042 Operating RHR pump failed while redundant pump was secured.

(Duration of event unknown)

Plant Date Docket # LER # Description of Event -

McGuire 1 03/02/82 50-369 82-024 Low RCS level due to vessel draining and inaccurate level indication. Operating RHR pump started to cavitate, the other pump was undergoing main-tenance. (Event lasted 51 min. -

a licensee analysis indicated that 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months were available prior to initial boiloff.)

McGuire 1 06/24/82 50-369 82-053 Inverter failure caused closure of suction / isolation valve (6 min. loss)

McGuire 1 04/05/83 50-369 83-017 Low RCS level due to vessel draining and valved out level sensor. Both

. RHR pumps cavitated. (Duration of event unknown)

McGuire 2 12/31/83 50-370 83-092 Low RCS level due to draining and inadequate level indication.

Running RHR pump had no flow (43 min. loss).

1 l

Plant Date Docket # LER # Description of Event I

Summer 1 11/12/83 50-395 83-136 Bus transfer during plant modifi-cation caused an interruption of power to an ESF instrumentation bus. An erroneous overpressurization signal resulted causing suction /

isolation valve closure, and inter-1 i ruption of DHR flow (5 min. loss).

.s 4

4 i

l

\

f l

l j .-

l l

l-l-

I w-r, w---- - , - , a_ , , -- -- -- -____.,,

9 Appendix B Selected Loss of DHR System Events at '

U.S PWRs During 1984 Plant Date Docket # LER # Description of Event Ginna 05/14/84 50-244 84-005 During cooldown DHR suction valve would not open when actuated from the control room.

Manual operation was required to open it. Cooldown was delayed about li hours.

Zion 1 09/14/84 50-295 84-031 While draining the RCS in preparation for primary -

secondary leak testing, the RCS level dropped below the DHR suction line. The liquid level was being read from a manometer type arrangement.

Incorrect level measurement resulted from the fact that the manometer reference leg was pressurized by nitrogen purge gas. RCS temperature increased from 110 F to 147*F (45 min. loss).

Plant Date Docket

LER # Description of Event Trojan 05/04/84 50-344 84-010 During RCS draindown faulty level measurement led to

. air binding of the RHR pump.

The RCS was vented to atmosphere.

A tygon manometer configuration was being used to measure RCS level, however, " crud blockage" of the manometer tap led to erroneous level measurement.

RCS temperature went from 105'F to 201'F (40 min. loss).

ANO-2 08/29/84 50-368 84-023 During RCS draindown, faulty level instrumentation led to air binding of the DHR pump. A tygon manometer config-uration was being used -

however, the operators did not account for reactor vessel pressurization due to the

! presence of nitrogen purge gas.

RCS temperature went from 140 F to 205 F (Approx. 35 min. loss) i l

l l

4.

Plant Date Docket # LER # Description of Event McGuire 2 01/09/84 50-370 84-001 During draining operations, a procedural deficiency led to inadequate NPSH/ air entrainment 4

of the DHR pumps (1 hr. 2 min.

loss).

McGuire 2 01/15/84 50-370 84-002 Personnel error during testing.

Re-energizing power to the breakers for the suction /

isolation valves caused automatic closure of the suction / isolation valves. Valves were opened .

1 manually (49 min. loss).

Salem 2 02/09/84 50-311 84-002 While testing the pressurizer overpressure protection system a procedural error resulted in automatic closure of a suction /

isolation valve (17 min.

loss).

D. C. Cook 2 05/21/84 50-316 84-014 Procedural error with a partially drained RCS.

Simultaneous operation of 2 DHR pumps caused vortexing at the loop suction. Both pumps became airbound (25 min.

loss).

Plant Date Docket # LER # Description of Event North Anna 2 10/16/84 50-339 84-008 Clogging of a standpipe used for RCS level monitoring resulted in a 64" error. Upon introduction of air, the operating pump cavitated.

The redundant pump was started and it also cavitated. Both pumps became airbound (2 hour2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months loss).

Summer 1 10/18/84 50-395 IE 1 DHR loop was out for surveil-Daily lance testing. An inverter Report failure caused closure of the operating loop's suction isolation valve. (25 min. loss).

Summer 1 11/06/84 50-395 IE A procedural error in testing Daily relays on the bus supplying the Report DHR pump caused the bus to strip.

The associated diesel was out for maintenance (7 min. loss).

l

Appendix C Decay Heat Removal System Losses at Davis-Besse Some of the most striking data on DHR losses comes from a review of the Davis-Besse plant's operatino experience. From 1978 - 1981, the Davis-Besse plant accrued the largest number of DHR losses of any PWR,16 events.*

Seven of those events involved automatic closure of the suction / isolation valves. There had been seven previous closures of the suction / isolation valves during plant startup and testing, however, those seven events are not included in the tally of 16. Subsequent to 1981, there have not been any DHR losses at the Davis-Besse plant. A detailed review of that plant's experience is quite enlightening.

Table C1 presents a listing of DHR suction / isolation valve events which have taken place at the Davis-Besse plant. Table C2 presents descrip-tions of all loss-of-DHR events which occurred at the Davis-Besse plant from startup testing through 1983.

Most of the inadvertent closures of the suction / isolation valves were due to human factors (operator errors, incorrect procedures, lack of procedures, etc.) and resultant failures of power supplies to the safety features actuation system (SFAS) channels. Most of the events which occurred sub-sequent to power operation were of short duration (four lasted four minutes or less and one lasted 18 minutes). Recovery from most of those events, required only clearing the perturbing signals and reopening the isolation valves. There were two events which lasted much longer:

The 16 loss-of-DHR events were complete losses of the DHR system function when the DHR system was required to remove decay heat.

Table C 1. DHR Suction / Isolation Valve Closure Events at Davis-Besse Causing a Loss of the DHR System Event Date LER # Duration of DHR System Loss riay 14,1977 77-006 Not stated - during plant startup and testing May 19,1977 77-007 Not stated - during plant startup and testing May 27,1977 77-002 Not stated - during plant startup and testing May 28,1977 77-003 Not stated - during plant startup and testing June 12,1977 77-005 Not stated - during plant startup and testing July 22,1977 77-009 Not stated - during plant startup and testing July 22,1977 77-009 Not stated - during plant startup and testing June 28,1979 79-067 18 minutes April 19, 1980 80-029 2i hours May 28,1980 80-043 2 minutes July 24,1980 80-058 50 munutes July 24,1980 80-058 2 minutes August 8,1980 80-058 3 minutes August 13, 1980 80-060 5 minutes 80 -

81 _

On April 19,1980, a 21 hour2.430556e-4 days 0.00583 hours 3.472222e-5 weeks 7.9905e-6 months loss-of-DHR event was initiated by a failure of an instrument bus, which eventually resulted in the closing of the suction / isolation valves. Restoration of the DHR system was impeded by air binding of the DHR pump. The licensee's lack of procedures for restoring the air bound pump and the extensive modification and maintenance activities that were being conducted at the time contributed to that event.

That event was reported to Congress as an Abnormal Occurrence (Ref.12).

The abnormal occurrence determination was made on the basis that the event represented a " serious deficiency in management or procedural controls in major areas."

On July 24,1980, a 50 minute loss-of-DHR event occurred as a result of suction / isolation valve closure. That event is of considerable interest because restoration of the DHR system was accomplished by using the suction bypass line to establish a flow path for the DHR system.

Davis-Besse's original operating license (April 1977) required power to be available to the DHR suction / isolation valves when the plant's DHR system was in operation. This requirement was based upon the NRC staff position that the DHR suction / isolation valves should always receive a signal to close on high f

pressure (concern for DHR system overpressurization). In 1977 and 1978, the Davis-Besse licensee proposed operating at low temperatures with low temperature overpressurization protection offered by the DHR system relief valve, and with

, power removed from the open suction / isolation valves. Removal of power to the suction isolation valves would preclude DHR loss from inadvertent closure of e

those valves.

4

82-After the 14th inadvertent suction / isolation valve closure event, the NRC approved an amendment to Davis-Besse's technical specifications allowing removal of power from the DHR suction / isolation valves during plant shutdown.

(To preclude returning the plant to power with the DHR suction / isolation valves open, the pressurizer heaters are interlocked with the DHR suction /

isolation valves. The pressurizer heaters cannot be activated above the setpoint of the DHR relief valve if both of the DHR isolation valves are open. The pressurizer heaters are also interlocked so that if only one DHR isolation valve is closed, the heaters will shut off at a pressure below the DHR system design pressure.)

. Subsequent to the implementation of the aforementioned technical specifica-tion amendment, the Davis-Besse plant has not experienced any further inadvertent DHR suction / isolation valve closures. It appears that the Davis-Besse plant's solution to the spurious DHR suction / isolation valve closure problems which have led to many loss of DHR system events has been effective. Furthermore, we note that as a result of the April 19, 1980 event (21 hour2.430556e-4 days 0.00583 hours 3.472222e-5 weeks 7.9905e-6 months DHR system loss), the licensee took action to modify operating l and emergency procedures to minimize the possibility of a recurrence.

1 Additional guidance was given to the plant staff on how to recover from loss-of-DHR events, including the venting of DHR pumps, and the implementation of backup cooling sources. Steps were also taken to improve administrative controls during shutdown.

i

NRR's June 11, 1980 generic letter on DHR (Ref.19) requested all PWRs to amend their technical specifications to provide for redundancy in DHR capacity. In response to NRR's generic letter on DHR, the Davis-Besse plant submitted an amendment to their technical specifications, indicating that an operable system will always be kept in a standby state during modes 3-6 in order to assure continuous DHR in the event that the operating heat removal system should fail .

Subsequent to implementing the aforementioned improvements in OHR system operation, there have not been any similar losses of the DHR system at the Davis-Besse plant. It appears that the corrective actions that were taken at the Davis-Besse plant have resulted in a substantial improvement in DHR system operation.

Table C 2. Losses of the DHR System at Davis-Besse LER # Date Description of Event 77-006 Mby 14,1971 During plant startup and testing, an I&C nechanic caused a short, therehy tripping an SFAS and an RPS channel. While trying to replace the blown fuse, an operator de-energized the wrong SFAS and RPS channels, therehy causing SFAS actuation, closing the DHR isolation valves. (Duration of event unknown).77-007 May 19,1977 During plant startup and testing, operator error caused a loss of essential power to an SFAS channel.

An error in restoring the power resulted in de-energizing another SFAS channel. SFAS actuation resulted, causing the DHR isolation valves to close.

(Duration of event unknown).77-002 May 27,1977 During plant startup and testing, while replacing a cover on a junction box containing an SFAS channel, a loose output lead shorted, resulting in closure of a DHR isolation valve. (Durationof event unknown.)77-003 May 28,1977 During plant startup and testing, a procedural error in recalibrating RCS pressure bistables on an SFAS channel resulted in closure of a DHR isolation valve. (Duration of event unknown.)

Table C 2. (Continued.)

LER# Date Description of Event'77-005 June 12,1977 During plant startup and testing, operators did not follow their procedures for SFAS monthly tests. As a result, a DHR isolation valve closed.

(Duration of event unknown).77-009 July 22,1977 During plant startup and testing, while inspecting (2 events) for loose electrical insulation, an I&C mechanic caused a current surge, which resulted in closing a DHR isolation valve. About 15 minutes later, after restoring the DHR flow, he caused another (identical) event which resulted in DHR isolation valve closure. (Duration of event unknown).78-060 May 28,1978 DHR flow was lost for about 2 minutes. An operator accidentally bumped a control switch de-energizing the bus supply power to the DHR pump.78-067 June 15,1978 Three loss of DHR events lasting a total of about (3 events) 2 minutes. Power was interrupted to the operating DHR pump. The other pump was inoperable at the time. Maintenance personnel accidentally bumped a relay tripping the operating DHR pump. An operator made two errors while trying to transfer power to an essential bus (resulting in two other power interruptions to the pump).

. Table C 2. (Continued)

LER# Date Description of Event 79-067 June 28,1979 18 minute loss of DHR. During surveillance test-ing, a slipped alligator clip caused a short circuit and failure of power supply to an SFAS channel. As a result, DHR suction valve closed.80-030 April 18,1980 29 minute loss of DHR. Leakage of RCS water through a partially closed valve resulted in inadequate DHR pump NPSH and erratic pump flow operation. The pump was secured until the leak was stopped and RCS level restored. During the event, RCS temperature rose from 93'F to 103 F.80-029 April 19,1980 21 hour2.430556e-4 days 0.00583 hours 3.472222e-5 weeks 7.9905e-6 months loss of DHR. Vibration from construction work actuated a ground fault relay. Due to an abnormal electrical lineup associated with outage activities, loss of power resulted in SFAS actu-ation. Control power to the DHR suction valves was lost, causing the suction valves to close. The SFAS actuation transferred the DHR pump suction to the BWST and then to the empty sump. The pump became airbound. RCS temperature increased from 90 F to 170*F while the vessel head was detensioned (140*F is the maximum temperature allowed while the l

l vessel head is detensioned).

l l

I

Table C 2. (Continued)

LER# Date Description 80-043 May 28,1980 2 minute loss of DHR due to an inadvert'e nt I

closure of a DHR isolation valve. An I&C mechanic was checking out a plant modification. Due to a test procedure inadequacy, the isolation valve 1

interlock circuit was actuated, and the valve closed.80-044 May 31,1980 8 minute loss of DHR flow. The operating DHR pump was secured by a control room operator. ,

(An I&C mechanic took a DHR flow meter out of service to perform surveillance testing. Control room personnel were unaware of this. Upon seeing that the DHR system flow had dropped offscale, a control room operator stopped the I pump.)

t 80-049 June 14,1980 DHR pump flow loss for about 2 minutes.

l I Inadvertent SFAS actuation caused DHR pump l

realignment to the BWST and BWST isolation. An i I&C mechanic was restoring containment pressure inputs to SFAS following an Integrated Leak Rate Test. Because of a procedural inadequacy, SFAS was actuated and the DHR pump was realigned to deliver BWST water to the RCS and the refueling i, .. . -

. . i i

j Table C 2. (Continued)

'LER# Date Description canal. When BWST level dropped to the low level limit, SFAS level 5 actuation took place closing the BWST isolation valve causing a loss of suction to the DHR pump.80-058 July 24,1980 CAR flow was lost for 50 minutes because of an automatic closure of an isolation valve. An electrician blew a fuse while conducting wire pulling operations associated with a plant design change. As a result of the blown fuse, an automatic closure of one of the DHR isolation valves took place, and the pump became air-bound.

The DHR flow path was restored by opening the manual bypass valves. During the event, the hottest in-core thermocouple temperature rose from 104*F to lil'F.80-058 July _24,.1980 . .. DHR . flow was _ lost..for about-2 minutes due to an- -

inadvertent closure of one of the DHR isolation valves. Subsequent to making a plant modifica-tion, an 1&C mechanic performed restoration work out of sequence. As a result, one of the isola-tion valves closed.

l l

Table C 2. (Continued)

LER# Page Description 80-058 August 8, 1980 DHR flow was lost for about 3 minutes due to an inadvertent closure of one of the DHR isolation

]

valves. Valve closure occurred during maintenance when a bistable in the valve circuit was removed due to a procedural error.80-060 August 13, 1980 vHR flow was lost for about 5 minutes due to an inadvertent closure of one of the DHR isolation valves. Valve closure occurred during SFAS channel modification work. The I&C mechanic failed to fully defeat the automatic isolation valve trip prior to performing SFAS channel modification work.81-004 January 7,1981 DHR pump failed to start due to a breaker problem. Electricians were able to restart the pump after a 15 minute delay.81-024 April 18,1981 2 minute loss of DHR flow. In response to "two burning potential devices" on a bus, the bus was isolated. An error was made in the sequence of l

transferring power and isolating the bus. Power was lost to the operating DHR pump.

ML20129J033

Contents

Text

SUMMARY

1.0 INTRODUCTION

SUMMARY

1.0 INTRODUCTION

7.0 REFERENCES

Subject:

Subject:

Subject:

Navigation menu

ML20129J033

Text

SUMMARY

1.0 INTRODUCTION

SUMMARY

1.0 INTRODUCTION

7.0 REFERENCES

Subject:

Subject:

Subject:

Navigation menu

Search