ML20135F778

Forwards Final Case Study Rept AEOD/C502, Overpressurization of ECCS in BWRs. Rept Identifies & Evaluates Eight Events Involving Actual or Potential Overpressurization of ECCS in BWRs
ML20135F778
Person / Time
Issue date: 09/11/1985
From: Dircks W
NRC OFFICE OF THE EXECUTIVE DIRECTOR FOR OPERATIONS (EDO)
To: Asselstine, Palladino, Roberts
NRC COMMISSION (OCM)
References
NUDOCS 8509170390


Text

MEMORANDUM FOR: Chairman Palladino
Commissioner Roberts
Commissioner Asselstine
Commissioner Bernthal
Commissioner Zech

FROM: William J. Dircks, Executive Director for Operations

SUBJECT: AEOD CASE STUDY REPORT "OVERPRESSURIZATION OF EMERGENCY CORE COOLING SYSTEMS IN BOILING WATER REACTORS" (AEOD/C502)

Enclosed for your information is a copy of an AEOD case study report on operational events involving actual and potential overpressurization of emergency core cooling systems in boiling water reactors. Eight events, each entailing the failure of a testable isolation check valve on the injection line of an emergency core cooling system, were identified and evaluated. Five of the eight events involved an additional failure of the second and final isolation barrier, the motor-operated injection valve. Each of the events studied is considered a precursor to a loss-of-coolant accident due to a potential loss of integrity of the lower pressure emergency core cooling system. Collectively, these operating events indicate a trend which has serious safety implications -- that the likelihood of an interfacing loss-of-coolant accident is higher by two to several orders of magnitude than had been previously assessed. Accordingly, based on the results of the preliminary AEOD case study, NRR has established a Generic Issue with a priority ranking of "High" to address this concern.

AEOD's recommendations to prevent a recurrence of these events have been forwarded to NRR for appropriate action.

I would be pleased to provide any clarification or further information that you may desire.

William J. Dircks
Executive Director for Operations

Enclosure: As stated

cc w/enclosure: SECY

Distribution:
PDR
AEOD CF (w/o)
AEOD SF (w/o)
TIppolito, AEOD (w/o)
WDircks
FHebdon, AEOD (w/o)
KSeyfrit, AEOD (w/o)
JRoe, AO/EDO
CHeltemes, AEOD (w/o)
TRehm, AO/EDO
VStello, DEDROGR
EDO RF
ROAB SF (w/o)
PLam, AEOD (w/o)
HDenton, NRR (w/o)
SRubin, AEOD (w/o)
ROAB CF (w/o)

Concurrence: PLam (ROAB), SRubin (SC:ROAB), KSeyfrit (C:ROAB), TIppolito, CHeltemes, WDircks (EDO); 09/06/85



CASE STUDY REPORT

Office for Analysis and Evaluation of Operational Data
U.S. Nuclear Regulatory Commission

This report documents results of a study completed to date by the Office for Analysis and Evaluation of Operational Data with regard to a particular operational situation. The findings and recommendations do not necessarily represent the position or requirements of the responsible program office nor the Nuclear Regulatory Commission.

ABSTRACT

A generic review and evaluation of operational events involving actual and potential overpressurization of emergency core cooling systems in boiling water reactors has been conducted. Eight events, each entailing the failure of a testable isolation check valve on the injection line of an emergency core cooling system, were identified and evaluated. Five of the eight events involved an additional failure of the second and final isolation barrier--the inadvertent opening of a normally closed motor-operated injection valve. Four of these five events occurred during power operation, thus leading to an actual overpressurization of an emergency core cooling system. Each of these operational events is considered a precursor to an interfacing loss-of-coolant accident between the reactor coolant system and an emergency core cooling system. Such an accident would involve the sudden discharge of reactor coolant at operating pressure and temperature outside the primary containment and would also likely disable one or more of the safety systems required to mitigate the accident. Collectively, these operating events indicate a trend which has serious safety implications--that the likelihood of an interfacing loss-of-coolant accident is higher by two to several orders of magnitude than had been previously assessed. This trend provides a strong indication that prompt corrective actions should be taken to prevent a recurrence of these reported multiple failures. Several recommendations have been developed to eliminate the root causes of these occurrences.

TABLE OF CONTENTS

ABSTRACT
EXECUTIVE SUMMARY
1. INTRODUCTION
2. OPERATIONAL DATA REVIEW
3. ANALYSIS OF OPERATIONAL DATA
   3.1 Testable Isolation Check Valve Failures
   3.2 Inadvertent Opening of an Injection Valve
   3.3 Overpressurization Frequency
4. EVALUATION OF SAFETY SIGNIFICANCE
   4.1 Precursors to an Interfacing LOCA
   4.2 Potential for Pressure Boundary Rupture
   4.3 Probability of an Interfacing LOCA
   4.4 Accident Scenarios
5. GENERIC EVALUATIONS BY OTHER NRC OFFICES AND INDUSTRY
6. CONCLUSIONS
7. RECOMMENDATIONS
8. REFERENCES

LIST OF FIGURES

Figure 1. A Typical Testable Check Valve
Figure 2. Simplified Flow Diagram for Division A of LPCI/RHR at Vermont Yankee
Figure 3. Simplified Flow Diagram for the High Pressure Coolant Injection System at Cooper
Figure 4. Simplified Flow Diagram for the High Pressure Core Spray System at LaSalle-1
Figure 5. Simplified Flow Diagram for Loops B & C of LPCI/RHR at LaSalle-1
Figure 6. Simplified Flow Diagram for the High Pressure Coolant Injection System at Pilgrim
Figure 7. Simplified Flow Diagram for Division B of LPCI/RHR at Hatch-2
Figure 8. Simplified Flow Diagram for Core Spray System I at Browns Ferry-1

LIST OF TABLES

Table 1. Summary of Operating Events

EXECUTIVE SUMMARY

In an engineering evaluation report issued in May 1984 by the Office for Analysis and Evaluation of Operational Data (AEOD) regarding a stuck open testable isolation check valve on the low pressure coolant injection line at Hatch-2, the safety significance of the event was assessed to be high because the mispositioned valve substantially increased the likelihood of an interfacing loss-of-coolant accident (interfacing LOCA) involving the reactor coolant system (RCS) and the residual heat removal (RHR) system. Such an accident would involve the discharge of high-pressure, high-temperature reactor coolant into the low-pressure RHR system, would likely disable at least one train of the RHR system, and would certainly bypass the containment. The isolation check valve was held open by its attached air operator as a result of pneumatic pressure reversal caused by maintenance errors.

Three months after the issuance of the above AEOD report, on August 14, 1984, a testable isolation check valve of the core spray system at Browns Ferry-1 failed open in an almost identical way as at Hatch-2. The mispositioned check valve, together with an inadvertent opening of a normally closed motor-operated injection valve, led to an overpressurization of the core spray system. The core spray system was pressurized to near operating reactor pressure and temperature. Paint on sections of piping vaporized and actuated a smoke detector. Steam from the relief valve on the core spray system, which opened to relieve the overpressurization, discharged into an open drain line. A roving fire watch spotted steam escaping from the drain line and initiated a fire alarm. The mixture of water and steam which sprayed from the drain line contaminated 13 workers responding to the fire alarm.

Prompted by these events, and to consider the need for generic corrective actions, AEOD took another look at operational data dating back to 1975, broadening the search scope to testable isolation check valve failures in all emergency core cooling systems as well as the reactor core isolation cooling system in boiling water reactors (BWRs). The operating BWRs reviewed are in the BWR/3 to BWR/5 product lines. This review resulted in identifying a total of eight events including the events at Hatch-2 and Browns Ferry-1, all involving the failure of a testable isolation check valve which provides the first isolation barrier between either the RCS or the feedwater system and an emergency core cooling system. Among these events, five events involved an additional failure of the second and final isolation barrier, namely the inadvertent opening of a normally closed motor-operated injection valve. Four of the five events occurred during power operation, thus leading to an overpressurization of an emergency core cooling system. A fifth event occurred while the plant was in cold shutdown, resulting not in an overpressurization of the associated emergency core cooling system but a rapid draining of the reactor vessel.

Among the eight observed failures of the testable isolation check valve (stuck open), five were associated with interference by the attached air operator; two involved causes related to the check valve itself; and one involved a failure whose cause remains unknown. All of the five observed failures of the normally closed motor-operated injection valve (inadvertent opening) were caused by personnel errors committed during surveillance testing of the safety systems.

To varying degrees, each of the eight operational events should be considered as a precursor to an interfacing LOCA involving the RCS and an emergency core cooling system. Such an accident would involve the sudden discharge of reactor coolant at operating pressure and temperature outside the primary containment, and would also likely disable one or more of the safety systems required to mitigate the accident. Collectively, these operating events indicate a trend with serious safety implications--that the likelihood of an interfacing LOCA as a result of multiple independent failures (a stuck open testable isolation check valve together with inadvertent opening of a normally closed motor-operated injection valve) is higher by two to several orders of magnitude than had been previously assessed by analysis. This trend provides a strong indication that corrective actions should be taken on an expedited basis to prevent a recurrence of the aforementioned multiple failures.

AEOD has developed several recommendations which are briefly described below and will be further discussed in the report. These recommendations appear to involve minimum costs and, if effectively implemented, can significantly reduce the reactor accident risks associated with such multiple failures. The recommendations are:

(1) Disable the nonsafety-related air operator of the testable isolation check valve on the injection line in the safety systems involved.

Disabling the air operator would eliminate about 40% of the causes for testable isolation check valves being stuck open. This option involves three essential elements. First, the disabling of the nonsafety-related air operator should be conducted in a way not to pose any mechanical interference with the operability of the check valve in lifting on demand or in providing isolation protection. Secondly, it would be necessary to conduct surveillance testing of the isolation check valve by flow testing during cold shutdown in accordance with ASME Section XI, IWV-3520. Finally, it would be desirable to retain the position indication of the check valve in the control room after the air operator is disabled to ensure early detection of an unseated check valve disk.

(2) Perform leakage testing of the testable isolation check valve prior to plant startup after each refueling outage or following maintenance, repair or replacement of the valve, as an alternative to Recommendation 1.

This corrective action would detect the most serious degradation in testable isolation check valves yet observed from operating experience (i.e., being stuck open with reversed indications caused by maintenance errors associated with the air operator). This action is similar to the required leakage testing of isolation check valves, which do not have position indication in the control room, between the primary coolant system and the low pressure injection system piping in pressurized water reactors in the Event V Orders issued by the NRC in 1981. It is also consistent with the requirements currently being developed by the Office of Nuclear Reactor Regulation in the review of the Inservice Test Programs in accordance with 10 CFR 50.55a(g)(4).

(3) Reduce human errors in maintenance and surveillance testing activities.

This would favorably impact about 50% of the testable isolation check valve failures and 100% of the motor-operated injection valve failures. The use of a two-person team in conducting maintenance and surveillance of the isolation barriers between the RCS and emergency core cooling systems should be considered. This short term action, when supplemented by an eventual long term improvement and/or standardization of maintenance and surveillance procedures and upgrading in training and qualification of personnel, would provide a diverse and redundant means to guard against errors of commission and omission observed in the operating events. This approach would also conform to the guidelines on independent verification stated in Item I.C.6 of NUREG-0737, "Clarification of TMI Action Plan Requirements."

(4) Study reducing the frequency of surveillance testing of the isolation barriers of the emergency core cooling systems during power operation.

This option involves complex and interrelated issues regarding system isolation and injection capabilities of the safety systems. It would also require changes in the current plant technical specifications. On one hand, reducing the frequency of surveillance testing at power would reduce, in almost direct proportion as demonstrated by operational data, the probability of inadvertent opening of normally closed motor-operated injection valves on safety systems. On the other hand, a reduction in the frequency of surveillance testing at power, if not compensated by improved maintenance procedures and practices, would reduce the reliability of the associated safety systems during accidents.

These two competitive aspects should be promptly evaluated to establish a well-founded testing frequency. The goal of this recommendation is consistent with those developed by an interoffice, interdisciplinary, NRC Task Group on Technical Specifications, documented in NUREG-1024, "Technical Specifications--Enhancing the Safety Impact," for providing better assurance that surveillance testing does not adversely impact safety. This recommendation is also consistent with the long term Technical Specification Improvement Program currently being conducted by the Office of Nuclear Reactor Regulation.

1. INTRODUCTION

In May 1984, AEOD issued a report (Ref. 1) evaluating the failure (stuck open) of a testable check valve on a low pressure coolant injection (LPCI) line of the residual heat removal (RHR) system which occurred at Hatch-2 on October 28, 1983. The safety significance of the event was tied to the increased likelihood of overpressurizing the low-pressure RHR system from inadvertent opening of a normally closed motor-operated injection valve, which in turn led to an increase in the likelihood of an interfacing LOCA. Such an accident (which is predicated on a rupture failure of the low-pressure system piping when it is overpressurized) would involve a sudden discharge of high-pressure, high-temperature reactor coolant outside the primary containment that would also likely disable the low-pressure RHR system.

Less than three months after AEOD's report on the Hatch event was released, a similar but more serious event occurred at Browns Ferry-1 (Ref. 2). On August 14, 1984, during power operation at Browns Ferry-1, a held open testable check valve coincident with an inadvertently opened injection valve led to an actual overpressurization of the low-pressure core spray system. The causes for failure of the testable check valve were very similar to those involved at Hatch-2. Prompted by the similarity and seriousness of the Browns Ferry event, AEOD initiated an expedited generic review of events involving actual and potential overpressurizations of BWR emergency core cooling systems. This report provides additional operational data uncovered by this review together with the evaluation results regarding event frequency, root causes and safety significance of these events. Finally, several AEOD recommendations for corrective actions are provided.

2. OPERATIONAL DATA REVIEW

After the Browns Ferry event on August 14, 1984, AEOD took another look at operating experience dating back to 1975 involving actual and potential overpressurizations of emergency core cooling systems as well as the reactor core isolation cooling system in BWRs. The operating BWRs reviewed are in the BWR/3 to BWR/5 product lines. This search identified a total of eight operating events, including the events at Browns Ferry-1 and Hatch-2. All involved the failure of a testable isolation check valve on a safety system injection line. The events which were found are tabulated in Table 1. A schematic of a typical testable check valve is given in Figure 1.

Among the eight events, five involved an additional independent failure of the second and final isolation barrier, the inadvertent opening of a normally closed motor-operated injection valve upstream of the testable isolation check valve. Four of these five events occurred while the plant was at power, leading to the overpressurization of an emergency core cooling system. A fifth event occurred while the plant was in cold shutdown, resulting not in an overpressurization of the safety system involved, but a rapid decrease of reactor vessel water level before the event was terminated by plant personnel.

The operating events identified by the search are discussed in the following paragraphs.

Vermont Yankee (LER 75-24)

On December 12, 1975, with the plant at 99% power, monthly operability surveillance testing was being conducted on Loop "A" LPCI injection valve V-10-25A (see Fig. 2). Initially, injection valve V-10-25A failed to respond to an open signal from its remote control switch. To determine if the motor-operated valve failure was caused by excessive differential pressure across the valve disk or a specific mechanical or electrical malfunction, plant personnel first manually cracked open V-10-25A. Then the valve was successfully cycled fully open and closed. During this time, and unknown to the plant personnel, testable isolation check valve V-10-46A downstream of the injection valve was not seating properly, and the supposedly closed motor-operated valve (V-10-27A) upstream of the injection valve was partially open. With a partially open flow path between the RCS and RHR system unknowingly established, RCS water at operating pressure and temperature flowed into the low-pressure LPCI Loop "A" system piping, pressurizing it in excess of its design pressure. High pressure in the line caused a mixture of steam and water to be discharged from each of the three RHR system relief valves and the RHR heat exchanger tube sheet-to-shell flange area. The gasket in the tube sheet-to-shell flange area began leaking as a result of the elevated pressure conditions.

The exact cause for the testable isolation check valve not seating properly was not reported at the time of the event in 1975. The upstream injection valve (V-10-27A) had been closed from the control room prior to opening V-10-25A as part of the surveillance test sequence, but had failed to fully shut. The partial opening of the motor-operated valve also was not known by plant personnel at the time of the event due to a false closed position indication. The exact causes for the faulty position indication also were not reported at the time of the event. Following successful pressure and operability testing of the subsystems involved in the overpressurization event, the subsystems were declared operable.

Table 1 Summary of Operating Events

| Plant (LER) | Event Date | Percent Power | System Involved | Testable Isolation Check Valve: Status | Testable Isolation Check Valve: Cause | Normally Closed Injection Valve: Status | Normally Closed Injection Valve: Cause | Overpressurization |
|---|---|---|---|---|---|---|---|---|
| Vermont Yankee (LER 75-24) | 12/12/75 | 99 | LPCI/RHR | Open | Unknown | Intentional but Inappropriate Opening | Monthly Testing of LPCI | Yes |
| Cooper (LER 77-04) | 01/21/77 | 97 | HPCI | Open | Loose Part Obstruction | Inadvertent Opening | Personnel Errors during HPCI Functional Test | Yes |
| LaSalle-1 (LER 82-115) | 10/05/82 | 20 | HPCS | Open | Dried Lubricant and Insufficient Preload in Air Operator; Opened Bypass Line | Closed | -- | No |
| LaSalle-1 (LER 83-066/03L) | 06/17/83 | 48 | HPCS | Open | Thermal Binding; Opened Bypass Line | Closed | -- | No |
| LaSalle-1 (LER 83-105/01T) | 09/14/83 | 0 | LPCI/RHR | Open | Maintenance Errors | Intentional but Inappropriate Opening | RHR Relay Logic Testing | No, but 5,000 Gallons of RCS Water Drained to the Suppression Pool |
| Pilgrim (LER 83-48) | 09/29/83 | 98 | HPCI | Open | Rusted Linkage on Air Operator | Inadvertent Opening | Personnel Errors in HPCI Logic Testing | Yes |
| Hatch-2 (LER 83-112/03L) | 10/28/83 | 90 | LPCI/RHR | Open | Maintenance Errors on Air Operator | Closed | -- | No |
| Browns Ferry-1 (LER 84-032) | 08/14/84 | 100 | LPCS | Open | Maintenance Errors on Air Operator | Inadvertent Opening | Personnel Errors in LPCS Logic Testing | Yes |

[Figure 1. A Typical Testable Check Valve. Labeled parts: disc position indicator, actuator travel indicator, hinge pin, actuator shaft, actuator, solenoid valve, Stellite disc, integral Stellite seat, drains; flow direction indicated.]

[Figure 2. Simplified Flow Diagram for Division A of LPCI/RHR at Vermont Yankee. Labeled components include the reactor vessel, containment boundary, testable check valve V-10-46A, MOVs V-10-25A and V-10-27A, relief valves, RHR pumps 1A and 1C, and the RHR heat exchanger.]

Cooper Station (LER 77-04)

On January 21, 1977, with the plant operating at 97% power, plant personnel were in the process of performing high pressure coolant injection (HPCI) system turbine trip and initiation logic surveillance testing (see Fig. 3). When the motor-operated injection valve MO-19 was opened as required by the surveillance test, feedwater flowed backwards in the injection line, pressurizing the HPCI system close to operating pressure. It was not reported whether the low-pressure suction piping of the HPCI system was pressurized in excess of its design pressure (150 psi) during the event. However, from a review of the system configuration it can be concluded that the low-pressure piping was likely overpressurized. There is a small 1-inch relief valve (about 20 gpm capacity) installed on the 16-inch suction piping. Its 20 gpm capacity, specified in accordance with the ASME code (Ref. 3) to relieve pressure resulting from thermal imbalances or pump flow variations, is not sufficient to hold system pressure below design for the low-pressure system piping in the event of a significant feedwater backflow. Due to the small relief valve capacity, it is likely that, when both the injection valve (MO-19) and the check valve (AO-18) were open, the Cooper HPCI pump suction piping was overpressurized. This conclusion is also supported by other similar operating events involving HPCI overpressurization (e.g., the Pilgrim event discussed in this report and the HPCI gland seal condenser leak at Browns Ferry-2 on November 29, 1974).

The licensee determined that the HPCI testable check valve (AO-18), downstream of the injection valve, had been stuck open during the test, allowing feedwater to backflow into the system when the injection valve was cycled open. The testable isolation check valve was disassembled following shutdown of the reactor about two weeks later and was found to be blocked open by a 14-1/2-inch long sample probe which had wedged under the edge of the valve disk. This prevented the check valve from fully closing. It was determined that the broken probe had come from a sample point on a 24-inch feedwater line upstream of the HPCI injection line junction. The length of time that the check valve had been stuck open was not determined.

LaSalle-1 (LER 82-115)

On October 5, 1982, with the plant operating at 20% power, quarterly surveillance testing on the high pressure core spray system (HPCS) was being conducted. The testable isolation check valve 1E22-F005 and its associated bypass valve 1E22-F354 failed to indicate completely closed after they were opened for the test (see Fig. 4). Both the testable isolation check valve and its bypass valve are situated on the HPCS injection line inside primary containment. The HPCS system was declared inoperable. The motor-operated HPCS injection valve was closed and deactivated.

During the surveillance test, the check valve bypass valve 1E22-F354 was first opened to equalize the pressure on both sides of the testable check valve disk. The testable check valve was then tested open by operating a remote handswitch. This handswitch energized the actuator solenoid valve to allow instrument air to be supplied to one side of the piston cylinder of the valve's air operator, causing the piston cylinder to move a rack and gear assembly against spring tension. The rack and gear assembly movement rotated the actuator rod which lifted the valve disk off its seat. When the handswitch was returned to its closed position, the solenoid valve was deenergized, cutting off instrument air to the piston cylinder. This should have allowed the spring (tension) to return the rack and gear assembly to its normal position. This, in turn, should have rotated the actuator rod back to its original position, allowing the valve disk to reclose by its own weight and differential pressure. However, the disk did not completely reseat.

[Figure 3. Simplified Flow Diagram for the High Pressure Coolant Injection System at Cooper. Labeled components include the reactor vessel, containment boundary, feedwater line, testable check valve AO-18, motor-operated injection valve MO-19, HPCI pumps, HPCI turbine, and suppression pool.]

[Figure 4. Simplified Flow Diagram for the High Pressure Core Spray System at LaSalle-1. Labeled components include the reactor vessel, containment boundary, testable check valve 1E22-F005, bypass valve 1E22-F354, motor-operated injection valve 1E22-F004, high pressure core spray pump, relief valve, suppression pool, and condensate storage tank.]

The failure of testable check valve 1E22-F005 to reclose was investigated by the licensee. It was determined that the failure was caused by: (1) dried lubricant on the actuator piston cylinder, (2) insufficient preload on the actuator spring assembly, and (3) the stuck open testable check valve bypass valve 1E22-F354. Together, these problems prevented the piston cylinder of the check valve air operator from returning to its fully retracted position.

LaSalle-1 (LER 83-066)

On June 17, 1983, with the plant at 48% power and quarterly surveillance testing of the HPCS system in progress, HPCS testable isolation check valve 1E22-F005 and its associated bypass valve 1E22-F354 failed to indicate closed after being tested open. The HPCS system was declared inoperable and was isolated by deactivating the normally closed motor-operated HPCS injection valve 1E22-F004.

The licensee determined that the failure of the testable isolation check valve to reclose was caused by: (1) a stuck open bypass valve 1E22-F354, which prevented a pressure differential from developing across the valve disk of the testable check valve; and (2) possible thermal binding of the check valve disk. With respect to the latter cause, the licensee indicated that the Anchor Darling check valve and bypass valve have a tendency if tested hot to remain partially open after being cycled. The failure of the bypass valve to reclose was traced to insufficient return spring tension in the bypass valve. While shutting down the plant, both the bypass valve and the testable check valve closed without any assistance as reactor pressure and temperature decreased. Following an analysis of the event, the licensee submitted a request to the NRC to conduct surveillance testing of testable check valve 1E22-F005 only during cold shutdown.

LaSalle-1 (LER 83-105)

On September 14, 1983, the plant staff was in the process of performing a routine RHR system relay logic surveillance test while the plant was in cold shutdown. At the time of the test, the "B" RHR loop was lined up with both drywell spray valves 1E12-F016B and 1E12-F017B open, the suppression pool spray valve 1E12-F027B open, the test return to the suppression pool valve 1E12-F024B open, the manual valve 1E12-F092B on the LPCI loop "B" inadvertently open, and the "C" RHR loop injection valve 1E12-F042C open (see Fig. 5). Unaware that the LPCI loop "B" testable isolation check valve 1E12-F041B was also stuck open, the plant staff opened (as required by the test precheck) the "B" RHR loop injection valve 1E12-F042B. When the injection valve was opened, a rapid decrease in reactor vessel water level was observed. Water level dropped quickly from +50 inches to 0 inches, causing a Group VI primary containment isolation at +12.5 inches. Automatic containment isolation is not required to be operable while the plant is in shutdown or refueling mode. The operator quickly secured the valve line-up, stopping the water level decrease. Most of the water lost from the reactor vessel went to the suppression pool, while some went to the drywell.

[Figure 5. Simplified Flow Diagram for Loops B and C of LPCI/RHR at LaSalle-1. Labeled components include the reactor vessel, containment boundary, drywell spray and wetwell spray lines, testable check valves F041B and F041C, injection valves F042B and F042C, manual valve F092B, RHR pumps B and C, RHR heat exchanger 1B, relief valves, and suppression pool.]

The cause of the draindown was determined to be the stuck open testable isolation check valve 1E12-F041B and the inadvertently open manual isolation valve 1E12-F092B on the loop "B" LPCI injection line. Thus, when the injection valve was opened during the test, an open flow path between the reactor vessel and the suppression pool and drywell was established which allowed backflow of reactor water into the drywell and wetwell. The isolation check valve also provides the first isolation barrier between the high-pressure RCS and the low-pressure RHR system when the plant is operating at power.

The manual valve 1E12-F092B should have been closed but was inadvertently left open due to a temporary procedure change implemented prior to the logic surveillance test. The testable isolation check valve was stuck open due to two causes. First, it was held open by its attached air operator as a result of a misalignment of the interfacing gears between the check valve and the air operator. The misalignment resulted from maintenance errors on the air operator that were made earlier in the outage. During the maintenance, a score mark on the spline shaft of the check valve was used instead of a "timing" mark for aligning the gears. The gear misalignment resulted in the air operator holding the check valve disk in the open position and inhibiting disk movement in the closed direction during the draindown. Additionally, the packing gland on the check valve shaft was found to be too tight, inhibiting free movement of the valve disk. Finally, the valve position indications were reversed following the maintenance, which led the operator to believe that the check valve was closed when in fact it was open.

Pilgrim (LER 83-48)

On September 29, 1983, during HPCI system logic testing while the plant was at 98% power, the low-pressure suction piping of the HPCI system was overpressurized to near operating reactor pressure. The event occurred when two HPCI pump discharge motor-operated valves, MO 2301-8 and MO 2301-9, were simultaneously opened as a result of personnel errors (see Fig. 6). The errors occurred because more than one surveillance test was being conducted at the same time, and test prerequisites and initial test conditions were not ensured for all steps in the test procedures. Since the testable isolation check valve (AO 2301-7) downstream of the discharge valves was partially stuck open at the time, the overpressurization occurred when the pump discharge valves were opened. The overpressurization of the suction piping (which is designed for 150 psi) ruptured the gland seal condenser gasket on the HPCI turbine. This in turn caused a mixture of water and steam to spray from the condenser onto a limit switch. The water spray resulted in a 250 V dc battery ground and a large amount of water on the HPCI room floor. Smoke detector alarms also were set off by vapor from the heated paint on the low-pressure piping. An HPCI high suction pressure alarm and lube oil high temperature alarm were also actuated during the event.

The exact cause for the testable check valve being partially open was not determined. There was some evidence that a rusted linkage between the valve stem and the attached air operator had contributed to the valve being partially open. In the short term, the licensee repaired the linkage and returned the valve to its correct position. The licensee decided to replace the check valve with a new design as a long term solution. To prevent a recurrence of the personnel errors, instructions for verbal communications were to be implemented at the plant.

[Figure 6: Simplified Flow Diagram for the High Pressure Coolant Injection System at Pilgrim]

Hatch-2 (LER 83-112)

On October 28, 1983, with the plant in cold shutdown, the testable isolation check valve F050B on the 24-inch "B" LPCI injection line of the RHR system was found open and could not be closed (see Fig. 7). It was determined that the valve was being held open by its attached air operator. The licensee's investigation revealed that the air supply lines to the air operator had been connected backwards during a prior maintenance on the valve performed on June 7, 1983. The resultant pneumatic pressure reversal caused the air operator to hold the check valve open even though the check valve was not being tested. The mispositioned check valve was not detected for a four-month period, during which the plant operated at close to full power. The failure to detect the mispositioned valve was attributed to a second error involving the reversal of the electrical leads for the valve position indicator following the June 7, 1983 maintenance. This had apparently been done by plant personnel in the belief that the valve was actually closed. Inadequate post-maintenance testing also contributed to the error not being detected.

During the four-month period when the testable check valve was held open, the normally closed motor-operated LPCI injection valve, F015B, upstream of the check valve, remained closed. As a result, inadvertent overpressurization of the LPCI/RHR system did not occur during this period.

Immediate corrective actions taken by the licensee following discovery of the maintenance errors were to correctly reconnect the air supply lines to the check valve air operator, and to correctly reconnect the electrical leads to the position indicator. This placed the check valve in its correct position and restored correct valve position indications. The licensee also counseled plant maintenance personnel on the importance of performing equipment maintenance correctly. For the long term, the licensee was to consider adopting an alternative testing method for the check valve which would not require the use of the air operator.

Browns Ferry-1 (LER 84-032)

On August 14, 1984, while at 100% power and during the performance of a six-month surveillance test of the core spray system logic, the normally closed motor-operated injection valve (FCV 75-25) on core spray system I was inadvertently opened. When the valve opened, reactor coolant at operating pressure and temperature backflowed into the low-pressure core spray system, pressurizing the system piping close to full reactor pressure. The backflow also heated portions of the system piping to about 400°F. Paint on sections of piping was damaged by heat which also actuated a smoke detector. Steam from the relief valve on the core spray system, which opened to relieve the overpressurization, discharged into an open drain line. Steam escaping from the drain line was spotted by a roving fire patrol who initiated a fire alarm. A mixture of hot water and steam sprayed from the seals of pump "A" of core spray system I. Thirteen workers were contaminated by the sprayed water/steam mixture while responding to the fire alarm. The overpressurization, which lasted about 13 minutes, was terminated when plant personnel reclosed the injection valve. A simplified flow diagram of the plant's core spray system I is given in Figure 8.

[Figure 7: Simplified Flow Diagram for Division B of LPCI/RHR at Hatch-2]

An investigation by the licensee following the event determined that the normally closed testable isolation check valve (FCV 75-26), downstream of the injection valve, had also been open during the event. With the check valve open, a flow path between the high-pressure RCS and the low-pressure core spray system piping was created when the injection valve was inadvertently opened.

The cause for the open testable check valve was traced to a pneumatic pressure reversal in the air actuator. The reversal was caused by an earlier maintenance error in installing a plunger with reversed air ports in the air actuator pilot solenoid valve. A review of plant maintenance records indicated that the valve likely had been held open since December 1983. The valve misposition was not detected for the ensuing eight-month period because of a second error committed during the same maintenance. The valve position indications were altered following the maintenance such that the valve misposition was not evident.

A review was also conducted to determine the cause for the inadvertent opening of the injection valve during the surveillance test. The test procedures specified that the valve motor operator circuit breaker be opened prior to the test so that the valve would have no motive power and would remain closed during the logic test. It was determined, however, that the licensed operator assigned to perform this step had failed to open the breaker. He had mistaken a "power on" light to mean that the breaker was open. Thus, when the test signal was applied during the logic test, the injection valve opened.

[Figure 8: Simplified Flow Diagram for Core Spray System I at Browns Ferry-1]

3. ANALYSIS OF OPERATIONAL DATA

3.1 Testable Isolation Check Valve Failures

The failures of the testable isolation check valves in the operating events discussed in Section 2 can be grouped into three general cause categories as shown below:

Cause Description                                                      Number of Events

A. Causes related to problems associated with the attached air operator
   o Maintenance errors involving pneumatic pressure reversal                 2
   o Maintenance errors involving an incorrect timing mark/gear misalignment  1
   o Rusted stem-to-actuator linkage                                          1
   o Insufficient spring preload and dried lubricant                          1

B. Causes related to problems associated with the check valve
   o Loose part obstruction in valve disk/seat area                           1
   o Open bypass line and thermal binding of the valve disk                   1

C. Unknown Causes                                                             1

From the above tabulation, it can be seen that the dominant cause of inadvertently open testable isolation check valves is related to the nonsafety-related attached air operator. Five out of the eight events reviewed involved a mechanical interference of the air operator which prevented the valve from fully closing. Additionally, the cause of each of these five failures could be attributed to an air operator maintenance problem involving either an error of commission (e.g., pneumatic pressure reversal, timing mark misalignment) or an error of omission (e.g., rusted linkage, insufficient preload). The dominant source of (partially) open check valves could therefore be eliminated if the attached air operator were removed or disabled. To disable the air operator, its motive power could be removed by either disconnecting the air supply to the operator or by removing electrical power to the operator solenoid air pilot valve. However, either or even both of these approaches (which disable but do not remove the air operator) would not have eliminated all of the air-operator related occurrences discussed in Section 2. The events involving mechanical interference (e.g., rusted stem-to-actuator linkage or dried lubricant) would still have occurred. Therefore, disabling the air operator would have prevented three of the eight (about 40%) open check valve events.

Only two out of the eight open check valve occurrences clearly involved problems associated with the valve itself. In contrast to the actuator-related occurrences, only one could be even partially attributable to a maintenance problem on a valve or actuator. This event involved insufficient return spring tension in an open bypass valve (a maintenance problem) in conjunction with thermal binding of the check valve internals (an operations/design related problem). One of the two remaining events involved a loose part obstructing full closure of the check valve disk while the other was related to unknown causes.

From this review, it would appear that improved controls over testable check valve maintenance activities, together with improved post-maintenance testing and/or leakage testing, could reduce the instances of open or partially open check valves used to isolate emergency core cooling systems. However, not all of the known or potential valve failure mechanisms would be eliminated if such improvements were implemented.

It should also be pointed out that the diversity of the causes involved in these failures would imply differences in the reclosure capability of an open check valve if a large negative differential pressure were to develop across the disk (which might occur in the event of a low-pressure piping rupture upstream of the valve). At one end of the spectrum would be the event at Cooper in which a broken sample probe was physically preventing valve closure. In this case, it is likely that the valve would remain stuck open even in the presence of a large differential pressure. The event at LaSalle which involved mechanical interference resulting from improper reassembly of the actuator-to-valve gear system would also fall into this category. At the other end of the spectrum would be the event at Pilgrim in which a rusted linkage between the attached air operator and the valve stem was inhibiting full valve closure. In this case, the valve would be expected to reclose in the presence of a large differential pressure. Even so, if a valve disk was held in a substantially open position, it is not certain that the valve disk would withstand the dynamic loadings associated with reclosure.

In summary, in approximately 250 reactor years of BWR operation by the time of the most recent event, eight events involving an open testable isolation check valve have occurred. Therefore, the likelihood of a testable isolation check valve being open is of the order of 8 events/250 reactor years = 3 x 10E-2/reactor year.*

*10E-2 denotes 10^-2.

3.2 Inadvertent Opening of an Injection Valve

The motor-operated injection valves in the BWR low-pressure safety systems discussed in the operating experiences are designed to automatically open to permit delivery of coolant to the core during an accident once the appropriate system pumps are running and reactor pressure has been adequately reduced. These injection valves are also interlocked to prevent a spurious valve opening from possibly causing an overpressurization of the low-pressure piping of these systems if reactor pressure is high and the safety system pumps are not running. However, if an injection valve were to spuriously open or an injection valve disk were to lose its integrity while the reactor coolant system was at full pressure with the pumps not running, only the (closed) downstream isolation check valve, or an automatic closure of the upstream (outboard) motor-operated throttling injection valve (on the low-pressure safety systems) would prevent an overpressurization of the low-pressure system piping.

There are potentially four credible ways that a normally closed motor-operated injection valve can allow an inadvertent open flow path. They are: (1) instantaneous rupture of the valve disk, (2) inadvertent opening due to a spurious signal caused by a hardware malfunction, (3) inadvertent opening due to a personnel error in conducting a surveillance test, and (4) intentional, but inappropriate opening by personnel action during a surveillance. A review of the operating events discussed in Section 2 indicates that the most likely reasons for a normally closed motor-operated injection valve to be opened when it should not be are those described by (3) and (4) above (i.e., incorrect personnel actions during a surveillance). In fact, each of the four overpressurization events discussed previously (i.e., Vermont Yankee, Cooper, Pilgrim and Browns Ferry-1) occurred because an injection valve was incorrectly opened during surveillance testing while the downstream check valve was not fully closed.

The one other event that involved a significant consequence was the draindown event at LaSalle-1. It also involved the incorrect opening of an injection valve caused by operator actions. It may also be said that there could have been other unreported incidents involving incorrect opening of an injection valve caused by a personnel error during surveillance testing. This would appear to be the case since such a personnel error would not have been reportable unless it had led to a significant consequence. In other words, an event involving the incorrect opening of an injection valve during a surveillance test while the downstream check valve was fully closed would not have resulted in a significant consequence and likely would not have been reported. Therefore, there probably have been more incorrect injection valve opening events than those found for this evaluation.

Finally, the two other injection valve inadvertent opening modes (instantaneous disk rupture and spurious opening due to hardware fault) would appear to be much less likely based on the absence of any reported operational events.

3.3 Overpressurization Frequency

Overpressurization of an emergency core cooling system outside containment would only occur if both the testable isolation check valve and a normally closed motor-operated injection valve were open while the reactor coolant system was at high pressure.

Over a nine-year interval up to the end of 1984, five events involving the failures of both a testable isolation check valve (not being fully closed) and an injection valve (being inappropriately opened) have occurred at five different plants (Vermont Yankee, Cooper, Pilgrim, LaSalle-1 and Browns Ferry-1). Four of these events occurred while the reactor was at power. As a result, in these four events, an unexpected overpressurization of an emergency core cooling system occurred.

Approximately 250 years of domestic BWR operation were accumulated by the time of the most recent event. This then would result in a probability of 4 events/250 reactor years ≈ 2 x 10E-2/reactor year for an overpressurization event in which reactor coolant (Vermont Yankee and Browns Ferry) or feedwater (Cooper and Pilgrim) at operating pressure and temperature flowed into an emergency core cooling system piping network outside containment. This probability appears to be several orders of magnitude higher than that which has been previously estimated by analysis (Refs. 4, 5, 6 and 7). Past analyses generally have forecasted a value in the range of 10E-5 to 10E-6 per reactor year. Thus, based on the observed operational events, the likelihood of an overpressurization is substantially higher than that which has been previously assessed.

4. EVALUATION OF SAFETY SIGNIFICANCE

4.1 Precursors to an Interfacing LOCA

To varying degrees, each of the eight operating events discussed previously could be considered a precursor to an interfacing LOCA between the RCS and an emergency core cooling system. All of the events involved, at the least, a partially open testable isolation check valve which significantly degraded the isolation barriers between the high-pressure RCS and the low-pressure piping of an emergency core cooling system. Additionally, more than half of the events (five out of eight) included a second failure involving the inadvertent opening of the normally closed upstream motor-operated injection valve. For four of these five events, opening of the injection valve removed the final isolation barrier between the high-pressure RCS (or the high-pressure feedwater line) and an emergency core cooling system. The combined failures resulted in an unexpected overpressurization of the low-pressure piping of an emergency core cooling system.

In the Vermont Yankee event, the overpressurization caused a steam/water mixture to be discharged from the RHR system relief valves and leakage from the RHR heat exchanger tube sheet-to-shell flange area. For the event at Pilgrim, feedwater backflowed through the HPCI injection line. The overpressurization caused the HPCI gland seal condenser gasket to rupture, allowing hot water to spray into the HPCI equipment room. Although no equipment damage or release was reported for the very similar event at Cooper, it is likely that the event consequences were not dissimilar to the Pilgrim event. For the Browns Ferry event, high-temperature steam and water discharged from a core spray pump seal as a result of a core spray system overpressurization.

An actual pipe failure (rupture) has not occurred as a result of any of the four overpressurization events. However, as will be discussed in the following section, there is not a high degree of assurance that such a failure will not occur. Therefore, each of the overpressurization events may be viewed as a significant step towards the occurrence of an interfacing LOCA.

4.2 Potential for Pressure Boundary Rupture

The pressure boundaries associated with the piping, pumps and valves of the various emergency core cooling systems discussed in this report are designed, fabricated, installed, and tested in accordance with NRC requirements, including the applicable ASME codes and ANSI standards. The NRC's requirements, as embodied in these industry codes and standards, involve inherent conservatisms in the maximum allowable stresses from (primary) internal pressure loads. Typically, for newer plants, the maximum allowable stress would be equivalent to the lesser of one-third the ultimate (rupture) stress or two-thirds the yield stress for ASME Class 1 components, or the lesser of one-quarter the ultimate stress or two-thirds the yield stress for ASME Class 2 and 3 components.

Additionally, the maximum calculated primary stress for a typical piping system (based on the stated design pressure) would likely be significantly less than the maximum allowable stress permitted by the Code. Thus, there would normally be a significant factor (in the range of two to three) between the design pressure and the pressure at which rupture of a pipe or a large component might actually occur. For example, a TVA engineering evaluation of the affected core spray system piping and its supports indicated that the overpressure transient did not adversely affect system integrity (damage short of actual failure), and that the piping system was acceptable for continued use. A similar observation can also be made regarding the Pilgrim event, when the HPCI suction piping (150 psig design) was likely pressurized to close to operating reactor pressure, yet inspections after the event revealed no pipe damage.

A large overpressurization without piping failure cannot always be ensured, however, for the following reasons. First, the presence of undetected flaws in the piping, its tees, fittings or welds can make the difference between piping failure and nonfailure when a pipe is stressed beyond its design stress. A flaw could exist as a result of an undetected error in the design, fabrication or installation of the piping system. It could also be caused by operational transients the piping system might have experienced previously. An example would be pipe failures associated with waterhammer events. There have been numerous waterhammer events in which the piping system was stressed by hydrodynamic pressure loads beyond its design pressure without resulting in any pipe rupture. However, the waterhammer at Maine Yankee in January of 1983 actually resulted in a feedwater line rupture. The piping failure was determined to have occurred at a point in the piping where a pre-existing flaw was located. Had the flaw not existed, it is likely that the pipe failure would not have occurred during the waterhammer, even though the piping was stressed beyond its design limits. Hence, overpressurization of a low-pressure piping system with a pre-existing flaw present might result in a sufficiently high local stress to cause a piping failure.

Secondly, components in the low-pressure systems such as pump seals, heat exchanger tubes, thermocouple wells, gaskets and blind flanges might fail due to an overpressurization and lead to a large break area. In fact, the RHR heat exchanger tube sheet-to-shell flange gasket at Vermont Yankee and the HPCI turbine gland seal condenser gasket at Pilgrim failed as a result of overpressurizations. Even though these gasket failures led to a relatively small loss of reactor coolant at Vermont Yankee and Pilgrim, there is no assurance that multiple failures of such low-pressure components leading to a larger break area would not occur. Thirdly, there is some small likelihood that a severe waterhammer could result from an overpressurization event. A waterhammer might occur if the discharge piping of the emergency core cooling systems were not entirely filled with water. Since the discharge piping of these systems is normally required by Technical Specifications to be filled with water, and there are elaborate procedures in place to vent and fill the discharge piping at specified intervals, the likelihood of a waterhammer is small. However, the high local stresses caused by a severe waterhammer have been known to cause pipe failures.

Based on the above considerations for piping system failure, a range of values of 10E-2 to 10E-3 is judgmentally assigned to the rupture probability of an emergency core cooling system when it is pressurized to twice its design pressure. This range of values is judged reasonable as it reflects (in decreasing order of importance) the uncertainties associated with undetected flaws being present, the multiple failures of low-pressure components such as gaskets or pump seals leading to a large break area, and the potential occurrence of a severe waterhammer. A value as high as 0.1 has been considered plausible for rupture probability of an emergency core cooling system when it is pressurized to about twice its design pressure (Ref. 8).

The above range also reflects a general consensus that a pipe rupture is more likely when a system is pressurized in excess of twice its design pressure than when it is operating within its design pressure limits. Even when operating within the design envelope, there is a very small (but finite) probability for a pipe, pump casing or valve body to instantaneously rupture. As discussed later in this report, even if the low value 10E-3 is used for the system rupture probability, the safety significance of the operating events would still be deemed high.

4.3 Probability of an Interfacing LOCA

In Section 3, the probability of overpressurizing an emergency core cooling system by the RCS or the feedwater system was estimated from operating data to be of the order of 4 events/250 BWR reactor years ≈ 2 X 10E-2/BWR reactor year. This probability can be compared with the results of previous comprehensive risk studies for an interfacing LOCA between the RCS and an emergency core cooling system. Such a comparison would require the exclusion* of the HPCI overpressurization events at Cooper and Pilgrim by the feedwater system. In these two events, the RCS was not directly involved in the overpressurization. Even if the feedwater pumps had been tripped, the RCS would not be expected to be involved due to the expected seating of the inboard feedwater check valve (see Figs. 3 and 6). Then the probability of overpressurizing an emergency core cooling system by the RCS is of the order of 2 events/250 BWR reactor years ≈ 1 X 10E-2/BWR reactor year.

*Even though the Cooper and Pilgrim events were not included in the estimation of the interfacing LOCA probability, they are still considered precursors to such an interfacing LOCA. If the inboard feedwater check valve whose normal position is full open during plant power operation should be stuck during the overpressurization event, RCS coolant would be involved. Since this additional failure (of the inboard feedwater check valve) reduces the likelihood of these HPCI overpressurization events leading to an interfacing LOCA, they are not included in the estimated probability. However, these events are important operating events because of the occurrence of multiple failures and the potential adverse impact on other vital safety equipment.

The failure probability of an emergency core cooling system pipe (or large pressure boundary component) when it is pressurized to about twice its design pressure may be assumed to be in the range 10E-2 to 10E-3, as previously discussed. The probability of a BWR interfacing LOCA involving the RCS and an emergency core cooling system would be:

$$P_{\text{LOCA}} = P_{\text{Press}} \times P_{\text{Fail}}$$

Where:

$P_{\text{LOCA}}$ = Probability of an interfacing LOCA between the RCS and an emergency core cooling system,

$P_{\text{Press}}$ = Probability of pressurizing an emergency core cooling system to twice its design pressure,

$P_{\text{Fail}}$ = Probability of a large rupture of a system pressure boundary when pressurized to twice its design pressure.

From operating data, $P_{\text{Press}}$ = 1 X 10E-2/reactor year, and from previous discussion, $P_{\text{Fail}}$ = 10E-2 to 10E-3, then

$P_{\text{LOCA}}$ = 1 X 10E-4 to 1 X 10E-5/reactor year.

This interfacing LOCA probability for a BWR is higher, by two to three orders of magnitude, than that which had been assessed in previous comprehensive risk studies (Refs. 4, 5, 6 and 7). These studies have estimated the probability of a BWR interfacing LOCA between the RCS and an emergency core cooling system to be approximately 10E-7 per reactor year.

4.4 Accident Scenarios

If an emergency core cooling system pipe outside containment were to rupture because of an open check valve and an open injection valve, break isolation would depend on the break location and the operability of isolation valves. Specifically, successful isolation would depend on the reclosure capability of the testable isolation check valve in the presence of actuator or valve disk interference, the capability of the check valve disk to withstand the dynamic reclosure loadings, and the capability of the motor-operated isolation valves to close under adverse environmental conditions. Therefore, successful isolation of such a pipe break outside containment would involve many uncertainties.

If the break cannot be isolated, a number of accident scenarios are plausible. They would involve many interrelated and complex issues, including the role and adequacy of reflooding the core and removing the decay heat with other safety systems, the rate of depletion of the water inventory in the condensate storage tank or the suppression pool, the extent of adverse environmental impact (impingement, flooding or steam) on vital equipment in the reactor building, and the role of human intervention. An in-depth evaluation of these issues is beyond the scope of this study. In any case, regardless of the specific accident scenario postulated, a blowdown of the RCS inventory through a large break into the reactor building during power operation would be a very serious accident, well beyond the current plant licensing bases. The reactor coolant lost would bypass the containment and also would likely disable one or more of the safety systems which could be used to mitigate the accident.


5. GENERIC EVALUATIONS BY OTHER NRC OFFICES AND INDUSTRY

Prompted by some of the recent events, the generic issues associated with the degradation of high-pressure/low-pressure system isolation barriers, overpressurization of emergency core cooling systems, and the related accident risks are currently being evaluated by the NRC and the nuclear industry. A brief summary of recently completed or currently ongoing activities in this area is given below.

o An engineering evaluation of the safety significance of the open testable isolation check valve event which occurred at Hatch-2 was issued by AEOD on May 31, 1984 (Ref. 1).

o The Office of Inspection and Enforcement issued an information notice for the events at Pilgrim, Hatch-2 and Browns Ferry-1 on September 28, 1984 (Ref. 2).

o The Office of Inspection and Enforcement is currently evaluating the safety issues related to the isolation of the RCS from low-pressure systems (Ref. 9).

o The Region I staff conducted, prior to reviewing the final AEOD case study report, a series of inspections at operating plants to better understand the existing design features and administrative controls that are in place to prevent overpressurizing the emergency core cooling systems.

o The Office of Nuclear Reactor Regulation/Division of Human Factors Safety will include the insights gained from the Hatch event in the generic maintenance evaluation program (Ref. 10).

o The Office of Nuclear Reactor Regulation has identified the issue as Generic Issue 105, "Interfacing System LOCA at BWRs," and assigned it a high priority status (Refs. 8 and 11). An action plan for the resolution of the generic issue is being developed.

o The Office of Nuclear Reactor Regulation is currently assessing various requirements for leakage testing of check valves on discharge lines of emergency core cooling systems as a part of an ongoing review of the pump and valve Inservice Test Programs in accordance with 10 CFR 50.55a(g)(4).

o The industry's events analysis program has issued evaluation reports to the industry on every post-1980 event discussed in this case study report except the first two LaSalle events (LER 82-115 and 83-066/03L).


6. CONCLUSIONS

The BWR operating events discussed in this study represent a trend with significant safety implications. Specifically, the events indicate that the probability for simultaneous failures of independent and diverse isolation barriers between the high-pressure RCS and the low-pressure piping of an emergency core cooling system of a BWR is significantly higher, by several orders of magnitude, than that which had been commonly believed. That is, the operating events indicate a probability of overpressurization of an emergency core cooling system of approximately 2 X 10E-2 per reactor year. This is three to four orders of magnitude higher than the 10E-5 to 10E-6 per reactor-year probability assessed by past comprehensive probabilistic safety studies.

Although none of the overpressurization events have led to a failure of low-pressure system piping, pumps or valves, there is not a high degree of assurance provided by the current design basis that such a failure would not occur. The absence of a pre-existing flaw in the overpressurized piping may have been the key factor which has prevented a pipe failure to date.

A large rupture of a low-pressure pipe outside primary containment of an emergency cooling system could result in plant conditions well outside the current design basis. Isolation of the break would depend on successful reclosure of either the isolation check valve or a motor-operated isolation valve. As evidenced by the operating events, full closure of the check valve may not be assured due to interference at the disk or from the attached air actuator. Closure of a motor-operated isolation valve also may not be assured because the harsh environment created by the break might disable the vital electrical equipment needed for valve closure. Clearly, successful mitigation of such a break outside containment would involve many uncertainties which would be difficult to resolve.

The significantly higher-than-expected overpressurization probability, coupled with the uncertainties associated with pipe failure probability (e.g., flaw probability) and break isolation probability (e.g., valve interference, environmental effects), indicates that the reactor accident risks associated with an unisolated interfacing LOCA outside containment are significantly higher than previously thought. In view of the elevated risks, prompt consideration should be given to implementing relatively low cost, near term corrective actions. Several relatively low cost, but potentially effective corrective actions proposed by AEOD are delineated in the next section.


7. RECOMMENDATIONS

(1) Disable the nonsafety-related air operator associated with the testable isolation check valve in a way not to pose any mechanical interference with the operability of the check valve either in lifting on demand or in providing isolation protection.

This may be achieved by either removing the air operator, removing the pilot solenoid valve or capping of one or more of its air lines, or disconnecting the power supply to the pilot solenoid valve. Such action would effectively eliminate the potential for an open isolation check valve caused by maintenance error associated with the air operator. These errors were responsible for about 40% of the testable isolation valve failures in the operating events.

This option would involve two additional elements:

o Adopt flow testing in accordance with ASME Section XI, IWV-3520 (Ref. 12).

This would be necessary to satisfy testing requirements of the isolation check valve when its attached air operator is disabled. Flow testing would be conducted during cold shutdown with a frequency at least as often as every refueling outage.

o Retain position indication of the isolation check valve.

Position indication is a desirable feature which allows early detection of a mispositioned check valve, thereby enhancing the safety margins in the prevention of an interfacing LOCA.

The nonsafety-related air operator was first installed to allow surveillance testing of the isolation check valve to detect its failure to lift on demand.

However, such a failure mode has not been widely observed. Furthermore, flow testing in accordance with ASME Section XI would detect such a failure. On the other hand, maintenance errors associated with the nonsafety-related air operator have been shown from operating experience to cause about 40% of the isolation check valve failures in which the check valve remained undetected in the open position for a period of time. Therefore, disabling the nonsafety-related air operator and adopting flow testing in accordance with ASME Section XI while retaining position indication of the check valve is judged to be an effective corrective action.

(2) Conduct leakage testing of the testable isolation check valve prior to plant startup after each refueling outage or following maintenance, repair or replacement work on the valve, as an alternative to Recommendation 1.

This corrective action would detect the most serious degradation of testable isolation check valves yet observed from operating experience (i.e., being stuck open with reversed indications caused by maintenance errors associated with the air operator). For BWRs licensed after 1980, leakage testing requirements for check valves in the discharge lines of the emergency core cooling systems have been included in their plant Technical Specifications.

Therefore, this corrective action would apply only to BWRs licensed prior to 1980. This proposed corrective action is consistent with the requirements currently being developed by the Office of Nuclear Reactor Regulation to be implemented in connection with the plant specific reviews of the first full (120-month) pump and valve inservice test programs in accordance with 10 CFR 50.55a(g)(4). This proposed corrective action is also similar to the leakage testing required by the Event V Orders issued by NRC in 1981 for isolation check valves, which do not have control room position indication and which are located between the primary coolant system and the low pressure injection system piping in pressurized water reactors.

Although leakage testing could also be performed on the normally closed motor-operated injection valve, it would appear that such testing would be of limited safety benefit. Operating experience indicates that inadvertent opening of the valve due to human errors in surveillance testing rather than valve leakage has been the cause of overpressurizing emergency core cooling systems. Furthermore, there is continuous monitoring with a control room alarm on high pressure in the injection line upstream of the normally closed motor-operated injection valve to alert the operator of excessive RCS leakage past the valve.

(3) Reduce human errors in maintenance and surveillance test activities which have the potential to degrade the isolation valves between the RCS and low-pressure piping of the emergency core cooling systems.

Human errors during maintenance were responsible for about 50% of the reported testable isolation check valve failures. Human errors during surveillance tests also caused 100% of the reported motor-operated injection valve inadvertent openings. Effective corrective actions dealing with these errors would have a significant impact on preventing the recurrence of the overpressurization events.

Specifically, the use of a two-person team when conducting maintenance and surveillance tests of isolation barriers between the RCS and emergency core cooling systems should be considered. This short term action, when supplemented by an eventual long term improvement and/or standardization in maintenance and surveillance procedures and upgrading of training and qualification of personnel, would provide a diverse and redundant means of safeguarding against errors of omission or commission in conducting repairs or testing of such isolation barriers as observed in the operating events. This near term action also conforms to the guidelines on independent verification stated in Item I.C.6 of NUREG-0737, "Clarification of TMI Action Plan Requirements" (Ref. 13). Finally, a regulatory program to reduce human errors is currently under development in the Division of Human Factors Safety, Office of Nuclear Reactor Regulation, as stated in the Maintenance and Surveillance Program Plan. However, AEOD believes that implementation of human performance improvements relating to the isolation barriers of emergency core cooling systems should not await the more protracted completion and implementation schedule of this program.

(4) Study reducing the frequency of surveillance testing of the isolation barriers of emergency core cooling systems during power operation.

Reducing the frequency of surveillance testing of an emergency core cooling system at power would reduce, in almost direct proportion, the probability of inadvertent opening of a normally closed motor-operated injection valve. This is supported by the operational data discussed in Section 3.2. On the other hand, reducing surveillance testing frequency would reduce the system reliability for safety injection. This may be assessed both qualitatively and quantitatively. Qualitatively, the fundamental aim of surveillance testing is to detect failures so that timely corrective actions can be taken for repair.

The lengthening of the interval of surveillance testing would increase the time interval in which failures would remain undetected. This would increase the likelihood that the system is not operable when required. Quantitatively, the adverse impact on system unavailability (probability that an emergency core cooling system is inoperable) due to lengthening the surveillance interval is illustrated below.

Let q represent the unavailability of a component which is repairable and is periodically tested. Then according to a widely used constant failure rate model (Ref. 14), q can be expressed as:

    q = (1/2) CT + Ct,
      = (1/2) CT   if t/T is less than 0.1,

where

    C = component failure rate per hour,
    T = test interval in hours,
    t = average repair time per failure in hours.

This failure rate model indicates that the component unavailability, q, is often directly proportional to the testing interval T. For example, the unavailability of a component or a system with an annual surveillance testing interval is about 12 times higher than the same system with a monthly testing interval (if the repair time is of the order of days within the framework of the constant failure rate model).
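The trade-off described in Recommendation (4), worked through numerically as an added example that is not part of the AEOD report. It uses the model in the form q = CT/2 + Ct; the failure rate, repair time and per-test error probability are constructed sample values, not figures from the report.

```python
# Added illustration: surveillance-interval trade-off under the constant
# failure rate model, q = C*T/2 + C*t. All numeric inputs are constructed.
HOURS_PER_YEAR = 8760.0


def unavailability(C, T, t):
    """Model value of q (C per hour; T and t in hours)."""
    return 0.5 * C * T + C * t


def unavailability_approx(C, T, t):
    """Short-repair form q = C*T/2, refused when t/T is not below 0.1."""
    if t / T >= 0.1:
        raise ValueError(f"t/T = {t / T:.3f}: repair term C*t cannot be dropped")
    return 0.5 * C * T


def inadvertent_openings_per_year(p_per_test, T):
    """Expected test-induced valve openings per year, assuming each test
    carries the same probability of an error that opens the valve."""
    return p_per_test * HOURS_PER_YEAR / T


def tradeoff_table(C, t, p_per_test, intervals):
    """One row per test interval: (name, T, q, openings per year)."""
    return [
        (name, T, unavailability(C, T, t),
         inadvertent_openings_per_year(p_per_test, T))
        for name, T in intervals
    ]


# Constructed sample inputs (hypothetical, not from the report).
C_SAMPLE = 1.0e-5          # failures per hour
T_REPAIR = 48.0            # hours, i.e. "of the order of days"
P_OPEN_PER_TEST = 1.0e-3   # chance a single test opens the injection valve
INTERVALS = [("monthly", 730.0), ("quarterly", 2190.0), ("annual", 8760.0)]

if __name__ == "__main__":
    for name, T, q, f in tradeoff_table(C_SAMPLE, T_REPAIR,
                                        P_OPEN_PER_TEST, INTERVALS):
        print(f"{name:9s} T={T:6.0f} h  q={q:.3e}  openings/yr={f:.3e}")
    monthly = unavailability(C_SAMPLE, 730.0, T_REPAIR)
    annual = unavailability(C_SAMPLE, 8760.0, T_REPAIR)
    print(f"annual/monthly unavailability ratio: {annual / monthly:.2f}")
```

With a two-day repair time the full expression gives an annual-to-monthly ratio of about 10.7 rather than 12, and a four-day repair time already fails the t/T < 0.1 condition at a monthly interval.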

Based on these discussions, it is recommended that a detailed and expedited evaluation be conducted, consistent with the current NRR Technical Specifications Improvement Program, to assess the potential benefits versus penalties associated with reducing the frequency of surveillance testing of isolation barriers of emergency core cooling systems while at power.

This recommendation is consistent with those developed in NUREG-1024, "Technical Specifications--Enhancing the Safety Impact," by an interoffice, interdisciplinary, NRC Task Group on Technical Specifications (Ref. 15) to provide better assurance that surveillance tests do not adversely impact safety. This recommendation is also consistent with the long-term Technical Specification Improvement Program currently being conducted by the Office of Nuclear Reactor Regulation.


8. REFERENCES
1. "Stuck Open Isolation Check Valve on The Residual Heat Removal System at Hatch Unit 2," AEOD/E414, U.S. Nuclear Regulatory Commission, May 31, 1984.
2. IE Information Notice 84-74, "Isolation of Reactor Coolant System from Low-Pressure Systems Outside Containment," U.S. Nuclear Regulatory Commission, September 28, 1984.
3. "Rules for Construction of Nuclear Power Plant Components," ASME Boiler and Pressure Vessel Code, Section III, July 1, 1983.
4. "Reactor Safety Study - An Assessment of Accident Risks in U.S. Commercial Nuclear Power Plants," NUREG 75/014 (WASH-1400), October 1975.
5. "Interim Reliability Evaluation Program: Analysis of the Browns Ferry, Unit 1, Nuclear Power Plant," NUREG/CR-2802, August 1982.
6. "Interim Reliability Evaluation Program: Analysis of the Millstone Point - Unit 1, Nuclear Power Plant," NUREG/CR-3085, January 1983.
7. "Probabilistic Risk Assessment--Limerick Generating Station," U.S. Nuclear Regulatory Commission, Docket No. 50-352 and 50-353, 1983.
8. "Issue Summary Work Sheet: Generic Issue 105, Interfacing Systems LOCA at BWRs," Division of Safety Technology, Office of Nuclear Reactor Regulation, U.S. Nuclear Regulatory Commission, June 1985.
9. "Isolation of High-Pressure RCS from Low-Pressure Systems," memorandum from R. L. Baer, IE, to W. Minners, NRR, U.S. Nuclear Regulatory Commission, January 23, 1985.
10. "AEOD Engineering Evaluation E414," memorandum from H. L. Thompson, Jr., NRR, to C. J. Heltemes, Jr., AEOD, U.S. Nuclear Regulatory Commission, July 11, 1984.
11. "Prioritization of Interfacing System LOCA at BWRs," memorandum from G. M. Holahan, NRR, to W. Minners, NRR, U.S. Nuclear Regulatory Commission, October 25, 1984.
12. "Rules for Inservice Inspection of Nuclear Power Plant Components," ASME Boiler and Pressure Vessel Code, Section XI, July 1, 1977.
13. "Clarification of TMI Action Plan Requirements," NUREG-0737, November 1980.
14. "Fault Tree Handbook," NUREG-0492, January 1981.
15. "Technical Specifications - Enhancing the Safety Impact," NUREG-1024, November 1983.
