ML20137F194

Evaluation of STS 3/4.3.4 Turbine Overspeed Protection Sys
ML20137F194
Person / Time
Site: Seabrook
Issue date: 08/31/1985
From: Fan D, Kiper K, Moody J
PUBLIC SERVICE CO. OF NEW HAMPSHIRE, YANKEE ATOMIC ELECTRIC CO.
To:
Shared Package
ML20137F170 List:
References
NUDOCS 8508260169


Text

Enclosure 2

EVALUATION OF STANDARD TECHNICAL SPECIFICATION 3/4.3.4
TURBINE OVERSPEED PROTECTION SYSTEM
SEABROOK STATION

D. C. Fan, YAEC
K. L. Kiper, PSNH
J. H. Moody, YAEC

Completed: March 1984
Published: August 1985

8508260169 850823 PDR ADOCK 05000443 A PDR

TABLE OF CONTENTS

1.0 INTRODUCTION AND SUMMARY
    1.1 Introduction
    1.2 Conclusion
    1.3 Recommendation
2.0 BASES FOR PRESENT TECHNICAL SPECIFICATION (TS)
    2.1 Present Technical Specification
    2.2 Review of Technical Specification
    2.3 Other NRC Guidelines
    2.4 Summary
3.0 SEABROOK SPECIFIC ANALYSES
    3.1 Turbine Missile Evaluation
    3.2 Seabrook Station Probabilistic Safety Assessment (SSPSA)
    3.3 Summary
4.0 SENSITIVITIES OF TESTING
    4.1 Turbine Missile Frequency vs. Testing
    4.2 Turbine Trip Initiating Event Impact
    4.3 Summary
5.0 COST
    5.1 Testing
    5.2 Turbine Failures
    5.3 Value/Impact
    5.4 Summary
REFERENCES
APPENDIX A - STANDARD TECHNICAL SPECIFICATION 3/4.3.4, "Turbine Overspeed Protection"
APPENDIX B - TURBINE OVERSPEED PROTECTION SYSTEM ANALYSIS


1.0 INTRODUCTION AND SUMMARY

1.1 Introduction

The Standard Technical Specification 3/4.3.4, "Turbine Overspeed Protection", requires that the turbine stop, control, intermediate stop, and intercept valves be tested every 7 days. This evaluation reviews this requirement and its bases to determine whether the Technical Specification is necessary with regard to risk, and to assess whether operability of these valves can be demonstrated on a more cost-effective approach.

This Technical Specification exists due to concern for turbine missiles generated by turbine overspeed events. Turbine failures can occur above design overspeed and the probability of these failures depends on the availability of the overspeed protection system. Turbine wheel failures are more likely to occur at or near normal operating speeds. The probability of these failures is strongly dependent on material considerations such as stress corrosion, and is independent of the overspeed protection system.

The following summarizes the approach taken in this evaluation:

1. The Technical Specification, its bases, and NRC guidelines were reviewed in order to determine what technical justification existed for establishing the Technical Specification. The results of this review are documented in Section 2.
2. Using Seabrook-specific analyses, the risk to the public associated with turbine overspeed failures was assessed in Section 3.
3. The sensitivity of turbine overspeed failure and the resulting risk versus testing frequency was considered in Section 4.
4. The costs associated with testing, inadvertent trips, and turbine failures were estimated to assess financial risk. This is provided in Section 5 along with value/impact considerations.

Finally, note that this evaluation focuses on turbine overspeed failures. The assessment of turbine failures at or near operating speed and the review in detail of missile trajectories and resulting damage were outside the scope of this study.

1.2 Conclusion

The conclusion of this evaluation is that the subject Technical Specification (TS) should be removed from the Seabrook Station technical specifications because turbine missiles have a negligible impact on public risk. In place of the Technical Specifications, plant procedures should dictate the surveillance and testing requirements. Weekly testing of valves is not cost-effective and increasing the test interval (decreasing test frequency) reduces public risk. These conclusions are discussed further below:

1. The "Bases" section of the Standard Technical Specification provided no explicit justification. However, the Standard Review Plans provide an exceedance criteria of 10^-6 to 10^-7 per year probability of exceeding 10CFR100 guidelines (Section 2). This is a conservative licensing criterion but NRC allows for demonstration with plant-specific analysis.

2. Based on the conservative turbine missile analysis in the FSAR, the probability of exceeding 10CFR100 is less than 10^-6 to 10^-7 per year. Therefore the Technical Specification is not required for additional protection to meet licensing criteria (Section 3.1).
3. Based on the Seabrook Station Probabilistic Safety Assessment (SSPSA), the contribution of turbine missiles to public risk is negligible (Section 3.2). Available resources to control risk should be spent elsewhere.
4. These conclusions are not sensitive to increased testing because a conservative value for turbine failure probability was used relative to estimates of overspeed protection failure as a function of test frequency and because failures are more likely to occur independent of overspeed failure (Section 4.1).
5. Public risk due to plant transient initiating events increases with increased testing. This is caused by an increase in inadvertent plant trips during valve testing. Also, this risk is expected to exceed the risk from turbine missiles. Thus, public risk can be reduced by decreasing the test frequency (Section 4.2).

6. The financial risk to the plant of turbine failure is small relative to the cost of testing (Sections 5.1 and 5.2). Also from a value/ impact perspective, increased testing is not cost-effective at reducing off-site exposures (Section 5.3).
7. Quarterly testing is reasonable both from a probabilistic and a cost perspective. However, based on the systems analysis and reviews of operating experience (Appendix B) problems are more prevalent at initial startup of the plant. Also as the plant ages, problems with deposits on stems have been observed.

Finally, turbine missiles had been a generic safety issue (NRC Issue A-37 in Reference 1) for some time. Recently, NRC concluded in NUREG-0933 (Reference 2) that A-37 should be dropped from further consideration based on its value/impact assessment. This analysis supports the Reference 2 conclusion.

1.3 Recommendation

The recommendation is made to remove the turbine overspeed protection system from the Technical Specifications and the following be considered in developing the Station Maintenance Procedures:

1. Quarterly test all turbine valves by direct observation of the movement of each of the valves (listed below) through one complete cycle from the operating position to the closed position and back to the operating position.

a) Four high pressure turbine stop valves,
b) Four high pressure turbine control valves,
c) Six low pressure turbine intermediate stop valves,
d) Six low pressure turbine intercept valves.

2. Test all turbine valves during a plant startup after a shutdown of greater than 7 days if the valves have not been tested in the last month.
3. Weekly test all turbine valves during the initial plant startup (i.e., pre-commercial operation).

4. Once per refueling outage perform a channel calibration of the turbine overspeed protection system.*
5. Once every two refueling outages, disassemble at least one of each of the above valves and perform a visual and surface inspection of valve seats, disks, and stems to verify no unacceptable flaws or corrosion.*
6. The Electrohydraulic Control System (EHC) fluid should be checked periodically at least consistent with Item 1.*
7. The test and maintenance program, including test frequency should continuously reflect feedback of results such as the following:

a) Evaluate the startup test results and recommend test frequency (weekly, monthly, quarterly) for the remainder of the first cycle.
b) Evaluate the test and operation results and disassembly inspection results at each refueling outage and recommend test frequency for the next cycle.
c) Recommend test frequency changes at any time during cycle as necessary.

* The emphasis of this evaluation was on the turbine valves although the control system was considered in the systems analyses (Appendix B). The testing frequency of the control system, Electrohydraulic Control System (EHC) fluid, EHC support systems, etc., was not evaluated. The test and maintenance (T&M) program for the overspeed protection system obviously must consider the manufacturer recommendations. However, it is suggested that these recommendations be considered during T&M program development regarding the potential impact on plant transient initiators, risk, and economics. Also, the total T&M program should be flexible and subject to feedback of results as indicated by Item 7.

The above recommendation is based on the results and conclusions of this study including the operating experience review discussed in Appendix B.


2.0 BASES FOR PRESENT TECHNICAL SPECIFICATION (TS)

2.1 Present Technical Specification

For convenience, the present Standard Technical Specification 3/4.3.4 and its bases are reproduced in Appendix A (Reference 3).

2.2 Review of Technical Specification

The "Bases" section of the TS indicates that excessive overspeed of the turbine could generate potentially damaging missiles which could impact and damage safety-related components, equipment, or structures. This basis is quite general and may be appropriate for the generic Standard Technical Specifications. However, deletion of this TS may be justified on a plant-specific basis based on the results of a turbine missile evaluation and an assessment of public risk.

In general, it is not difficult to postulate any number of hazards at a plant that could impact and damage safety equipment. Obviously, what is important is the likelihood of the hazard occurring as well as the impact associated with the event. For Seabrook, the turbine missile hazard has been explicitly included in the Seabrook Station Probabilistic Safety Assessment (SSPSA) (Reference 4). This is discussed in Section 3.2 below. Also, a turbine missile evaluation is presented in the Seabrook Station FSAR (Reference 5) and is discussed in Section 3.1 below. These sections conclude that the contribution of turbine missiles to risk is assessed to be negligible.

In addition, the "Bases" section indicates that the TS is provided to ensure that the turbine overspeed protection instrumentation and turbine speed control valves are OPERABLE and will protect the turbine from excessive overspeed. There is no disagreement that operability and surveillance testing are necessary. However, these requirements may be more appropriately derived from a cost-effective approach to plant availability. As discussed above, this may not necessitate a TS requirement.

2.3 Other NRC Guidelines

NRC guidelines for the evaluation of the turbine missile hazard are presented in Standard Review Plan (SRP) Section 3.5.1.3 (Reference 6).

The Acceptance Criteria provided in SRP 3.5.1.3 are summarized below:

1. Turbine placement and orientation such that safety-related structures and components are excluded from low trajectory missiles are acceptable. In cases where exclusion of safety-related structures is impractical, target size, shielding, or redundancy may be considered with respect to missile protection. The combined strike and damage probability for these targets should be less than 10^-3 per turbine failure.
2. Plant designs with unfavorable turbine placement and orientation should have sufficient turbine missile protection in terms of one of the following: missile barriers; target redundancy; turbine disc integrity; or overspeed protection. The SRP 2.2.3 risk acceptance guidelines will be used in determining the sufficiency of protection against turbine missiles. [Frequency of exceeding 10CFR100 exposure guidelines less than 10^-7 per year is acceptable. Also, 10^-6 per year is acceptable, if, when combined with reasonable qualitative arguments, the realistic probability can be shown to be lower.]
3. When turbine missile risks exceed the guidelines of SRP 2.2.3, the following requirements should be met:

a) Design and testing of overspeed protection including turbine valves should be in accordance with SRP 10.2. A determination should be made of whether increased valve testing should be required based on cost-benefit considerations.
b) Perform a detailed strike and damage analysis, etc.

Criteria 1 and 2 appear to be very conservative guidelines. The 10^-3 per turbine failure criterion in combination with a 10^-4 per year total probability of turbine missile results in a 10^-7 per year combined probability of strike and damage to safety structures and equipment. This is a very conservative criterion from a public risk perspective for several reasons: (1) a probability of 10^-7 per year indicates a very rare event, (2) strike and damage does not guarantee a radiological release to the public, and (3) 10^-4 per year total probability of turbine missile may be an upper bound. (The contribution from overspeed failure is even less.) Estimates of the probability of turbine missiles range from 10^-8 to 10^-4 per year (References 7 and 8). Estimates of about 10^-4 are based on historical records whereas the 10^-8 value is based on analysis of causes of missiles from modern GE turbines. However, Reference 7 did not consider stress corrosion cracking which is now believed to dominate the probability of missiles (Reference 9).

* Throughout this evaluation, a best-estimate mean value is assumed where probabilities are used unless stated otherwise.

These conservatisms were apparently recognized because Criterion 2 above takes a risk-based approach still retaining a 10^-7 goal or 10^-6 if adequate conservatism is demonstrated. However, even this appears conservative when compared with realistic assessments of degraded cores of modern PWRs in the range of 10^-5 to 10^-4 per reactor year.

Finally, Criterion 3 above indicates that only in the case where Criteria 1 and 2 could not be met should increased valve testing be considered. Seabrook specific analyses demonstrate compliance with Criteria 1 and 2 as discussed in Section 3. Even if these criteria were not met, Sections 4.2 and 5.0 indicate that increased testing should not be required based on cost-benefit considerations (Criterion 3).

2.4 Summary

The 10^-6 to 10^-7 per year risk criterion is a conservative guideline. Only in cases where this criterion is not met would increased valve testing even be considered. The Standard Technical Specification apparently is meant to cover such cases. Additionally, more detailed analysis and/or installation of barriers, etc., can be considered with regard to demonstrating compliance with the criterion and providing justification for eliminating the Technical Specification.

3.0 SEABROOK SPECIFIC ANALYSES

3.1 Turbine Missile Evaluation

A conservative turbine missile evaluation is documented in the Seabrook Station FSAR (Section 3.5.1.3). Turbine orientation and placement in addition to recognition of conservatisms precluded the need for more realistic analysis; the probabilities are believed to be small enough. The results of the evaluation and the conservatisms are summarized below.

The probability of a high-trajectory turbine missile hit is less than 10^-7 per year for any single structure (FSAR). High-trajectory missiles ejected more than a few degrees from the vertical either have sufficient speed such that they land off-site, or their speeds are low enough so that their impacts on most plant structures are not significant hazards (SRP 3.5.1.3). Since such missile strikes will not result in unacceptable damage (FSAR), the 10^-3 and 10^-7 per year criteria (Criterion 1 and 2 in Section 2.3) are considered met for high-trajectory missiles.

When considering low-trajectory turbine missiles, each unit at the Seabrook Station has a favorable turbine placement and orientation with respect to itself. However, each unit's turbine has a somewhat unfavorable placement and orientation with respect to the other unit's safety structures. As a result, the combined strike and damage probability for each unit's targets was conservatively calculated to be between 10^-3 and 10^-2 per turbine failure. (Criterion 1 in Section 2.3 establishes 10^-3). The total probability, for each unit, of unacceptable damage to safety-related structures from low-trajectory missiles is less than 10^-6 per year (FSAR). This is conservative, as discussed below, and therefore, meets Criterion 2 in Section 2.3.

Unacceptable damage to safety-related structures does not necessarily mean release to the public. Therefore, some conservatism can be demonstrated by extending the existing conservative FSAR evaluation to consider the likelihood of exposures exceeding 10CFR100 guidelines. First of all, these exposures could occur due to core damage or core melt events that are beyond the plant's design basis. These scenarios are considered in the SSPSA and are addressed in the next Section.

Secondly, noncore damage scenarios must be addressed. Except for the Reactor Coolant System (RCS) and the reactor vessel, areas of the plant that could contain sufficient radioactive materials (i.e., fuel storage building, waste processing building, tank farm, Unit 1 primary auxiliary building, and most of Unit 2 primary auxiliary building) are outside the possible turbine missile trajectory zone (FSAR Figure 3.5-1). Based on the conservative analysis in FSAR Section 15, exceeding the 10CFR100 guidelines would be very unlikely even if missiles did hit these structures.

A plant transient concurrent with equipment failures is expected given a turbine missile. In general, these events are not expected to exceed 10CFR100 guidelines based on FSAR Sections 3.5.1.3 and 15 analyses. For design basis events, in order to exceed 10CFR100, either the containment isolation function must fail or the missile must hit and fail the containment. The containment isolation function unavailability is less than 10^-3 (SSPSA Section D.13) and its failure due to missile hit is judged to be even less likely. Therefore, these scenarios are conservatively less than 10^-7 per year. The probability of hit and unacceptable damage to either containment structure is approximately 1.3 x 10^-3 per turbine failure (FSAR Section 3.5.1.3). Therefore, these scenarios are conservatively estimated at approximately 10^-7 per year.

A total probability of 10^-4 per year was used for the FSAR turbine missile evaluation and in the above discussion. As discussed in Section 3.2, failure due to destructive overspeed (overspeed protection system failure) is only part of the total. Other conservatisms are discussed in Section 4.1 and FSAR Section 3.5.1.3.

3.2 Seabrook Station Probabilistic Safety Assessment (SSPSA)

SSPSA Section 9.9 estimates the likelihood of generating turbine missiles and analyzes the most probable consequences. The results, discussed below, indicate that the contribution from turbine missiles to risk is negligible.

The total mean annual frequency of turbine missile generation was estimated to be 8.3 x 10^-5. The conditional probability of damage to structures and systems as calculated in FSAR Section 3.5.1.3 was used and reproduced in SSPSA Section 9.9.

The frequency of serious damage due to a turbine missile (f) is given by:

$$f = f_1 \cdot (f_2 \cdot f_3)$$

where:

$f_1$ = frequency of missile generation due to turbine failure,
$f_2 \cdot f_3$ = frequency of a turbine missile striking an essential system and causing unacceptable damage, given that a turbine missile has been generated.

There are two failure modes for turbine missiles:

1. failure up to design overspeed ($f_1'$), and
2. destructive overspeed failure ($f_1''$).

The turbine overspeed protection system (includes the stop, control, and combined intercept valves) is designed to prevent turbine failures at overspeed conditions.

The SSPSA mean annual frequency of turbine missile generation is given as:

$f_1'$ (operating speed)    6.3 x 10^-5
$f_1''$ (overspeed)         2.0 x 10^-5
$f_1$ (total)               8.3 x 10^-5

These numbers were derived from estimates made by GE (Reference 7) and by Bush & Heasler (Reference 8). The estimates based on historical records were used as an upper bound (95th percentile) because they include older vintage turbines. Based on analysis of causes of missiles from modern turbines, GE estimated the annual frequency of turbine missile generation. This estimate is used as a lower bound (5th percentile). The mean used in the SSPSA analysis was calculated assuming a lognormal distribution.
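The following added example (not part of the original report or of the SSPSA) shows how a mean follows from 5th and 95th percentile bounds under a lognormal assumption, and why that mean sits far above the median. The bounds 10^-8 and 10^-4 per year are taken from the range quoted in Section 2.3 purely as illustrative inputs; the per-failure-mode bounds actually used in the SSPSA are not given here, so the result is not expected to reproduce 8.3 x 10^-5.

```python
"""Added illustration: lognormal mean from 5th/95th percentile bounds."""
from math import exp, log
from statistics import NormalDist

_STD_NORMAL = NormalDist()  # standard normal, used for percentile z-scores


def fit_lognormal(x_low, x_high, p_low=0.05, p_high=0.95):
    """Return (mu, sigma) of ln(X) so that P(X <= x_low) = p_low and
    P(X <= x_high) = p_high."""
    if not 0 < x_low < x_high:
        raise ValueError("bounds must satisfy 0 < x_low < x_high")
    if not 0 < p_low < p_high < 1:
        raise ValueError("percentiles must satisfy 0 < p_low < p_high < 1")
    z_low = _STD_NORMAL.inv_cdf(p_low)
    z_high = _STD_NORMAL.inv_cdf(p_high)
    sigma = (log(x_high) - log(x_low)) / (z_high - z_low)
    mu = log(x_low) - sigma * z_low
    return mu, sigma


def summarize(x_low, x_high):
    """Median, mean, error factor and the percentile at which the mean falls."""
    mu, sigma = fit_lognormal(x_low, x_high)
    mean = exp(mu + sigma ** 2 / 2.0)
    return {
        "median": exp(mu),
        "mean": mean,
        # Error factor = 95th percentile / median (= median / 5th percentile).
        "error_factor": exp(sigma * _STD_NORMAL.inv_cdf(0.95)),
        "mean_percentile": NormalDist(mu, sigma).cdf(log(mean)),
    }


if __name__ == "__main__":
    # Illustrative inputs (assumption): range quoted in Section 2.3, per year.
    base = summarize(1e-8, 1e-4)
    # Same upper bound, lower bound reduced by a factor of ten.
    wider = summarize(1e-9, 1e-4)
    for label, s in (("1e-8..1e-4", base), ("1e-9..1e-4", wider)):
        print(f"{label}: median={s['median']:.2e} mean={s['mean']:.2e} "
              f"EF={s['error_factor']:.0f} "
              f"mean at {100 * s['mean_percentile']:.1f}th percentile")
```

With these inputs the median is 10^-6 per year but the mean is about 5 x 10^-5, near the 92nd percentile. Lowering only the lower bound widens the distribution and raises the mean above the 95th-percentile bound, so a mean derived this way is governed by the historical (upper-bound) estimate and the assumed spread.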

The resulting turbine missile damage frequencies for structures are listed in Table 9.9-4 of the SSPSA. From this list, the six most important common cause initiating events were chosen and included in the plant model for quantification. The six scenarios are discussed below:

1. & 2. Steam Line Break (TMSLB) and Loss of Condenser Vacuum (TMLCV) were both conservatively assumed to occur given a turbine missile had been generated. These were included as initiating events in the SSPSA. However, the mean annual frequency of steam line break outside containment (SLBO = 6.04 x 10^-3) and loss of condenser vacuum (LCV = 0.42) from other causes totally dominate any contribution from turbine missiles (8.3 x 10^-5 for TMSLB and TMLCV).
3. Control Room (TMCR) impact was chosen as the most critical location that can be hit by a turbine missile with relatively high frequency and serious consequences. The mean annual frequency of this initiating event (control building impact) is 3.98 x 10^-7. Most major functions needed to mitigate the effects of the steam line break are conservatively assumed to be lost without operator recovery as a result of the destruction of the Control Room. However, this is an insignificant contribution to core melt frequency and public risk because it is two orders of magnitude less frequent than other scenarios with [illegible] damage.
4. A Large LOCA (TMLL) initiating event with a mean annual frequency of 7.44 x 10^-8 (containment impact) was included in the SSPSA. If the missile were to penetrate, damage to multiple systems is not expected. Among possible scenarios, the one chosen which seems to be bounding due to spatial arrangement of systems is: One or two steam generators are damaged leading to, at most, a large LOCA and results in a loss of containment isolation combined with random unavailability of one high pressure or low pressure injection train and containment spray train due to missile hit. Again, this is an insignificant contribution to core melt frequency and public risk. Another train of low pressure injection must fail to result in core melt. Therefore, the mean annual frequency of core melt with containment bypass is less than 10^-8.
5. Condensate Storage Tank (TMCST) impact in addition to steam line break and loss of condenser vacuum was included as an initiating event with a mean annual frequency of 6.09 x 10^-8. Again, core melt frequency is dominated by other initiating events with loss of emergency feedwater.
6. Loss of Primary Component Cooling (TMPCC) water system due to primary auxiliary building impact was included with a mean annual frequency of 1.27 x 10^-8. This is an insignificant contribution to core melt frequency and loss of PCC.

The above probabilities compare with realistic assessments of degraded cores of modern PWRs in the range of 10^-5 to 10^-4 per year. Given the conservative analysis in the FSAR, the probability of core damage from turbine missiles is judged to be small enough to not substantially contribute to risk.

3.3 Summary

The conservative criteria in SRP 3.5.1.3 are met without a need to consider excessive valve testing or the subject Technical Specification. The contribution of turbine missile to public risk is considered negligible. Therefore, the justification for deleting the subject Technical Specification has been demonstrated for the Seabrook Station.

4.0 SENSITIVITIES OF TESTING

4.1 Turbine Missile Frequency vs. Testing

The overspeed protection system was analyzed to derive both qualitative and quantitative conclusions of how this system might fail. This analysis, which included a review of Nuclear Power Experience (Reference 11), is discussed in detail in Appendix B.

As discussed in Appendix B, GE recommends very frequent testing to substantially improve system reliability. Also, GE calculates very small probabilities (approximately 10^-8 per year) for overspeed failures. Probability of turbine overspeed trip failure vs. test frequency is addressed in Appendix B.

From Appendix B, testing of the turbine valves quarterly (every three months) would result in approximately a 10^-6 per year probability of failure versus the 10^-4 per year value used throughout this evaluation to show that the risk from turbine missiles is negligible. A mean overspeed failure of 10^-6 per year is considered reasonable based on the Appendix B evaluation and a review of References 7, 8, and 11. Some of these reasons are discussed below. Quantitatively, frequencies much less than 10^-6 cannot be defended easily due to difficulties in quantifying common cause failures at such low frequency.

The probability of turbine missile for modern plants from overspeed failure should be much less than the 10^-5 to 10^-4 per year estimate from historical records. No overspeed failures have occurred in modern plants most likely due to the improved protection systems. Improvements continue; for example, the Seabrook Station will have titanium coolers in the hydraulic system to reduce the likelihood of foreign material and common cause failures. Also, stainless steel trip valves in the hydraulic system are expected to increase reliability and reduce the potential for common cause failures.

Some precursors to overspeed failures can be found from operating experience such as phosphate buildup (valve failures). But improvements with secondary chemistry and consideration of this experience in the maintenance and test program is expected to reduce the likelihood of these failures as well.

In addition, if the probability of turbine missiles is not dominated by overspeed failures or if the probability of missiles at design speed is of equal importance then substantial reduction from increased testing would be of little value.

References 6, 7, and 8 indicate that the frequency of turbine missiles at operating speed up to design overspeed is of equal importance to destructive overspeed missiles. For example, SRP 3.5.1.3 recommends 6 x 10^-5 for design overspeed and 4 x 10^-5 for destructive overspeed. Only the destructive overspeed failure is dependent on failure of the overspeed protection system. Therefore, risks of turbine missiles are not very sensitive to improvements (such as increased testing) in the overspeed protection system.

Recent GE analyses of turbine rotor inspections (Reference 9) have concluded that the dominant mechanism for wheel burst is stress corrosion cracking. This cracking has been detected in the axial key-way of intermediate rotor wheels due to moisture and oxygen concentration and occurs at normal operating speeds. Because of the high reliability of the overspeed protection system, wheel burst due to ductile fracture at destructive overspeed is much less likely than bursts at normal speed. Thus, turbine missile probability is not sensitive to changes in reliability of the overspeed protection system.

Inspections of GE turbines have indicated that cracking occurs in the middle stage wheels rather than the largest, last stage wheels, previously assumed by GE (Reference 7). Given the most likely scenario (middle stage wheels at operating speed), recent GE analysis indicates that the probability of a missile external to the turbine casing given a wheel burst is low (less than 0.1) and the external energy of a missile, if it did penetrate, would be very low. This is in contrast with older GE analyses, Reference 7, which concluded that the missiles cannot be expected to be contained.

4.2 Turbine Trip Initiating Event Impact

The contribution to core melt and release from inadvertent turbine trip as a result of turbine valve testing is estimated below with a relative comparison to the turbine missile contribution.

The mean frequency of core melt and release is estimated to be 2.8 x 10^-6 per reactor year for a turbine trip initiating event (Sequence 15 in SSPSA Table 13.2-12). The turbine trip initiating event mean frequency for this sequence equals 2.0 per reactor year. In order to estimate the contribution from testing to Sequence 15, operating experience from the Yankee plant was considered. During twenty years of operation at Yankee, at least one turbine trip occurred due to testing (potentially 3 events). Therefore, the initiating event frequency due to testing is estimated to be 5 x 10^-2 per year. The turbine valves are exercised every 4 to 6 weeks. The contribution to Sequence 15 from monthly testing can be estimated as follows:

(.05 / 2) x 2.8 x 10^-6 = 7 x 10^-8 per year (core melt plus release)

If all core melt sequences initiated by turbine trip were included, the mean frequency of core melt from testing would be greater than 10^-7 per year.

These results are expected to increase with increased testing. If the Yankee data is assumed to be based on monthly testing and spurious trips are assumed to be proportional to the number of tests, the following can be estimated for weekly and quarterly testing:

Weekly: 4 x (7 x 10^-8) = 2.8 x 10^-7 per year (core melt plus release)

Quarterly: (1/3) x (7 x 10^-8) = 2.3 x 10^-8 per year (core melt plus release)

Data were reviewed for inadvertent plant trips due to turbine valve testing for a 12-month period using Reference 12. A total of 8 events (and 4 additional potential events) were identified in 73 plants with an availability factor between 0.6 and 0.7. The frequency of plant trip for this 12-month period is calculated as follows:

(8 events per year) / (73 reactors x 0.7 availability) = 0.16 plant trips from valve testing per reactor year of operation.

The plants experiencing these events were testing valves weekly.

Therefore, this limited data search does support the assumption that increased testing would increase trips.

The frequency of core melt and release from turbine missiles in-SSPSA and discussed above in Section 3.2, is conservatively estimated to be approximately 10-7 per year or less. This.value would be less than 10-8 per year if only the' contribution from overspeed failures were considered with a realistic resulting turbine missile frequency of about 10-6 per year for quarterly testing of valves. Therefore, increased testing to weekly is expected to increase risk not reduce risk.

4.3 Summary

The overspeed protection system is very reliable. The frequency of turbine missiles from overspeed failure used to conclude that the risk is negligible is conservative. Public risk can be reduced by increasing the test interval.


5.0 COST

5.1 Testing

The effect on plant productivity of testing turbine valves is quite significant. The operability cycling test for all of the valves (20 in total) is estimated to require 3 to 6 hours, due to the time needed to reduce power to 85%, test, and return to 100% power. The average percentage reduction in power during the test period is estimated as 1/2 x (100% - 85%). If the valves are tested weekly and a 4-hour test cycle and a 70% capacity factor are assumed, the annual lost output is estimated as follows:

[52 tests/yr] [4 hrs/test] [1/2 x .15] [1,150 MWe] [.70] = 12,558 MWhe/year

At forty dollars per MWhr, the annual cost is approximately $502,300. If the valves were tested quarterly, the cost is about $38,600 per year. Thus, the annual cost penalty if the valves are tested weekly rather than quarterly is approximately $463,700.

In addition, the cost of inadvertent plant trip due to frequent turbine valve testing was considered. The cost has been estimated using the following assumptions:

1. The time to recover from a plant trip (0 to 100% power) is estimated to take 24 hours (with a range of 20 to 48 hours). This assumes no equipment failures or other problems which could extend the outage.

2. The power lost, assuming a constant ramp recovery from 0 to 100%, for 24 hours, is as follows:

power lost = (.5)(24 hr)(1150 MWe)

3. It was assumed that the frequency of inadvertent trips is directly proportional to the frequency of testing. The relationship, as established in Section 4.2, is 0.05 trips/yr for monthly testing. Thus for weekly testing, 0.2 trips/yr, and for quarterly testing, 0.02 trips/yr were used.

Therefore, the annual cost was estimated as follows:

Weekly: [.5 x 24 hr x 1150 MWe x $40/MWhr x .2/yr] = $110,400/yr

Quarterly: = $11,040/yr

Thus, the annual cost difference from spurious trips between weekly and quarterly testing is approximately $100,000.

While additional costs may be incurred from frequent testing, such as component wearout, the factors considered above were judged to be the most significant.


5.2 Turbine Failures

The cost of a turbine failure could be substantial, especially if it were due to destructive overspeed failure, on the order of $100 million. If the probability of a destructive overspeed failure is conservatively assumed to equal 10^-4 per year, the annual risk (i.e., the maximum savings if the probability is reduced to zero by increased testing) can be estimated as:

(10^-4/year)(10^8 dollars) = 10,000 dollars/year

As discussed in Section 5.1, the cost of spurious trips alone from increased testing is expected to far exceed this cost. Also, the costs that will be incurred from minor events associated with the turbine (plant unavailability) are expected to be much greater during the life of the plant.

5.3 Value/Impact

NUREG-0933 (Reference 2) performed a value/impact analysis on the turbine missile issue and concluded that "this issue should be DROPPED from further consideration". This analysis conservatively assumed a PWR-8 release (from WASH-1400) at 10^-5 per turbine year. This would be a large LOCA causing fuel damage with containment bypass. In Section 3 above, this frequency was conservatively estimated to be less than 10^-7 per year.

Even if it is conservatively assumed that increased testing reduced the probability from 10^-5 per year to zero at a cost of only $500,000 per year and the PWR-8 release occurred as in NUREG-0933, the cost per man-rem can be estimated as follows:

$500,000/yr / [(10^-5/yr) x 75,000 man-rem] = $665,000/man-rem

The NRC's proposed safety goal (Reference 10) recommends $1,000/man-rem as a goal. Therefore, the cost of increased testing is clearly not cost-effective at reducing risk. Also, as discussed in Section 4.2, increased plant transient events are expected to actually increase the potential for man-rem exposures.

5.4 Summary

The cost of testing weekly substantially exceeds the financial risk of turbine failure and far exceeds any benefit, if there is any.

REFERENCES

1. NUREG-0371, "Task Action Plans for Generic Activities (Category A)", November 1978.
2. NUREG-0933, "A Prioritization of Generic Safety Issues", November 1983.
3. NUREG-0452, "Standard Technical Specifications for Westinghouse Pressurized Water Reactors", Revision 4, Fall 1981.
4. Seabrook Station Probabilistic Safety Assessment (PLG-0300), December 1983.
5. Seabrook Station Final Safety Analysis Report, Amendment 50.
6. NUREG-0800, Standard Review Plan, July 1981.
7. J. E. Downs, "Hypothetical Turbine Missiles - Probability of Occurrences", General Electric Company Memo Report, March 14, 1973.
8. S. Bush and P. Heasler, "Probability of Turbine Missiles", paper presented at EPRI Steam Turbine Missile Disc Integrity Seminar, April 6-8, 1981, New Orleans.
9. General Electric Nuclear Wheel Seminar III, January 17-19, 1984, Dallas, Texas.
10. NUREG-0880, "Safety Goals for Nuclear Power Plants", May 1982.
11. Nuclear Power Experience (NPE) by Petroleum Information Corporation.
12. NUREG-0020, "Licensed Operating Reactors", November 1982 through November 1983 except July 1983 which was not available.
13. WASH-1400, Reactor Safety Study, April 1975.


APPENDIX A

STANDARD TECHNICAL SPECIFICATION 3/4.3.4 TURBINE OVERSPEED PROTECTION


INSTRUMENTATION

3/4.3.4 TURBINE OVERSPEED PROTECTION

LIMITING CONDITION FOR OPERATION

3.3.4 At least one turbine overspeed protection system shall be OPERABLE.

APPLICABILITY: MODES 1, 2, and 3.

ACTION:

a. With one stop valve or one governor valve per high pressure turbine steam lead inoperable and/or with one reheat stop valve or one reheat intercept valve per low pressure turbine steam lead inoperable, restore the inoperable valve(s) to OPERABLE status within 72 hours, or close at least one valve in the affected steam lead(s) or isolate the turbine from the steam supply within the next 6 hours.

b. With the above required turbine overspeed protection system otherwise inoperable, within 6 hours isolate the turbine from the steam supply.

SURVEILLANCE REQUIREMENTS

4.3.4.1 The provisions of Specification 4.0.4 are not applicable.

4.3.4.2 The above required turbine overspeed protection system shall be demonstrated OPERABLE:

a. At least once per 7 days by cycling each of the following valves through at least one complete cycle from the running position.

1. (Four) high pressure turbine stop valves.
2. (Four) high pressure turbine governor valves.
3. (Four) low pressure turbine reheat stop valves.
4. (Four) low pressure turbine reheat intercept valves.

b. At least once per 31 days by direct observation of the movement of each of the above valves through one complete cycle from the running position.
c. At least once per 18 months by performance of a CHANNEL CALIBRATION on the turbine overspeed protection systems.
d. At least once per 40 months by disassembling at least one of each of the above valves and performing a visual and surface inspection of valve seats, disks and stems and verifying no unacceptable flaws or corrosion.

W-STS 3/4 3-71 NOV 2 1981

INSTRUMENTATION

BASES

3/4.3.3.7 CHLORINE DETECTION SYSTEMS

The OPERABILITY of the chlorine detection system ensures that sufficient capability is available to promptly detect and initiate protective action in the event of an accidental chlorine release. This capability is required to protect control room personnel and is consistent with the recommendations of Regulatory Guide 1.95, "Protection of Nuclear Power Plant Control Room Operators Against an Accidental Chlorine Release," February 1975.

3/4.3.3.8 FIRE DETECTION INSTRUMENTATION

OPERABILITY of the fire detection instrumentation ensures that adequate warning capability is available for the prompt detection of fires. This capability is required in order to detect and locate fires in their early stages. Prompt detection of fires will reduce the potential for damage to safety-related equipment and is an integral element in the overall facility fire protection program.

In the event that a portion of the fire detection instrumentation is inoperable, the establishment of frequent fire patrols in the affected areas is required to provide detection capability until the inoperable instrumentation is restored to OPERABILITY.

3/4.3.3.9 LOOSE-PART DETECTION INSTRUMENTATION

The OPERABILITY of the loose part detection instrumentation ensures that sufficient capability is available to detect loose metallic parts in the primary system and avoid or mitigate damage to primary system components. The allowable out-of-service times and surveillance requirements are consistent with the recommendations of Regulatory Guide 1.133, "Loose-Part Detection Program for the Primary System of Light-Water-Cooled Reactors," May 1981.

3/4.3.4 TURBINE OVERSPEED PROTECTION

This specification is provided to ensure that the turbine overspeed protection instrumentation and the turbine speed control valves are OPERABLE and will protect the turbine from excessive overspeed. Protection from turbine excessive overspeed is required since excessive overspeed of the turbine could generate potentially damaging missiles which could impact and damage safety related components, equipment, or structures.

W-STS B 3/4 3-4 NOV 2 1981

APPENDIX B

TURBINE OVERSPEED PROTECTION SYSTEM ANALYSIS

B.1 SYSTEM DESCRIPTION

B.1.1 Accident Mitigation Function

The turbine overspeed protection system functions, in the event of a sudden loss of generator load or other events leading to a turbine trip signal, to rapidly close off steam supply to the turbines, preventing destructive turbine overspeed and damage from resulting missiles.

B.1.2 System Success Criteria

All turbine stop valves or all turbine control valves must close and at least one of the pair of combined intercept valves in each cross-over steam line must close on emergency turbine overspeed trip in order to prevent destructive overspeed.

B.1.3 Configuration

The turbine overspeed protection system consists of the turbine stop and control valves, the combined intermediate (intercept) valves, and a series of electro-hydraulic valves that make up the overspeed protection system. The stop and control valves function to shut off the supply of high pressure steam from the steam generators. The combined intercept valves shut off the steam supply contained in the moisture-separator reheaters and cross-around piping going to the LP turbines.

The turbine overspeed protection system monitors for turbine overspeed conditions and functions to close turbine valves.

Major Components

Component                                Component No./Abbrev.

4 turbine stop valves                    MS-V135 through MS-V138
4 turbine control valves                 MS-CV1 through MS-CV4
6 combined intermediate valves           MS-CIV1 through MS-CIV6
  (intercept valve, intermediate         MS-V159, MS-V160
  stop valve)                            MS-V161, MS-V162
                                         MS-V163, MS-V164
                                         MS-V165, MS-V166
                                         MS-V167, MS-V168
                                         MS-V169, MS-V170
1 mechanical trip valve                  MTV
1 mechanical trip solenoid valve         MTSV
1 mechanical trip pilot valve            MTPV
1 mechanical shut-off valve              MSOV
1 mechanical lockout solenoid valve      MLV
1 electrical trip valve                  ETV
1 electrical trip solenoid valve         ETSV
1 electrical lockout solenoid valve      ELV

B.1.4 System Operation - Event Response

Automatic Response

A turbine stop valve is welded directly to the inlet nozzle of each of the four angle body control valves. Each combined intermediate valve consists of a steam strainer and two valves (intercept valve and intermediate stop valve) utilizing the same seat and casing, but controlled independently of each other.

The valves are opened by a 1,500 psig hydraulic fluid system and are closed by springs and steam forces upon depressurization of the hydraulic fluid system. The valve actuation system is such that loss of hydraulic fluid pressure for any reason leads to valve closing and consequent unit shutdown. The turbine is tripped every time the reactor is tripped; a reactor trip is initiated upon a turbine trip above approximately 50% of full power.

In case of sudden loss of generator load, an overriding signal from the load control unit closes directly and simultaneously all main control and intercept valves by fast action and initiates a unit reference load runback toward zero power. The loss of generator load is detected by comparison between the turbine mechanical power and the generator electrical output.

The excess of turbine power over the generator output, which is an indication of impending speed increase, will trigger the fast closing signal. This rapid action will limit the shaft overspeed to a level below the setpoint of the emergency overspeed trip and permit the unit to have a full load rejection and remain running near synchronous speed under control of the speed control system. The power-load unbalance system is the first line of defense against emergency overspeed. If this fails, when the shaft speed reaches the emergency trip setpoint of 110% of rated speed, the overspeed protection system will depressurize and shut down the unit by rapidly closing all stop, control and combined intermediate valves. If this mechanical overspeed trip also fails, the electrical backup overspeed trip, set at 1/2% higher than the mechanical overspeed trip, energizes the mechanical trip solenoid valve and de-energizes the electrical trip solenoid valve to trip the turbine.

Control System

The overspeed protection system is pressurized from the high pressure hydraulic fluid supply, through a series of valves listed above and shown in Figures B-1 and B-2.

The MSOV and MTV are controlled hydraulically by the MTPV, and when their pilot lines are depressurized, these valves shut off their input lines and drain their output lines, tripping the hydraulic system.

The MTPV is operated by the trip latch rod, which is tripped by the mechanical overspeed trip device, the mechanical trip piston (through the MTSV), and the manual trip handle.

During testing, the MLV is energized, which bypasses the MSOV and MTV. This permits these two valves and two of the three signal paths that actuate them to be tested without tripping the system.

The ETV is controlled hydraulically by the ETSV. When its pilot line is depressurized, this valve shuts off its input line and drains its output line, tripping the system.

The ETSV has two 24 V dc solenoids which are normally energized when the ETSV is in the reset state. The valve trips when both solenoids are de-energized.

Similar to the MLV, the ELV is energized during testing, which bypasses the ETV. This permits this valve and the signal path that actuates it to be tested without tripping the system.

The system has two fundamental trip circuits, the 125 V trip bus and the 24 V trip circuit. Upon receipt of an overspeed signal, the 125 V trip bus trips the mechanical trip solenoid valve (MTSV) directly by energizing its solenoid, while the 24 V trip circuit trips the electrical trip solenoid valve (ETSV) directly by de-energizing its two solenoids.

When activated, the 125 V trip bus trips the 24 V trip circuit, resulting in an indirect trip on the ETSV. In some cases of 24 V trip circuit activation, depending on the causes, the 24 V trip circuit trips the 125 V trip bus, resulting in an indirect trip of MTSV.

Manual Operation

The operator has been modeled in two actions:

1. Manually tripping the turbine from the control room by depressing the master trip button;
2. Manually tripping the turbine by pulling the manual trip handle locally, which manually disengages the trip latch rod.

B.1.5 Controls and Indicators

Controls, indicators, and alarms are available in the main control room as well as locally.

B.1.6 Testing, Inspection, and Surveillance Requirements

Each turbine stop, control, and combined intermediate valve is tested as described in Appendix A (Technical Specification).

B.2 SYSTEM LOGIC MODEL

B.2.1 Analysis Boundary and Assumptions

The system is analyzed with the following boundary conditions and assumptions:

1. The 24 V dc and 125 V dc power sources are assumed available. Unavailability of these would not have a significant effect on system unavailability. Failure of the 24 V dc power is fail safe because this would de-energize the ETSVs, initiating a trip. Failure of 125 V dc power would fail the MTSV, which must be energized to operate. However, the MTV is also tripped by the mechanical overspeed trip, which is independent of 125 V dc and the MTSV. Also, the 24 V dc trip circuit and ETV portion of the system would have to fail.

2. The MLV and ELV are excluded from the analysis. The likelihood that the MLV actuates and goes undetected or actuates at the time of trip demand is considered small compared to the failure rate of the MTV. A similar argument can be made for the ELV.
3. Support systems such as electro-hydraulic fluid (EHF) cooling and ventilation systems are excluded from the analysis. These should not significantly affect system availability due to trouble alarms and the time available for corrective action.

4. Pipe failures in the hydraulic system are excluded; however, depressurizing the system would result in success.

5. Turbine overspeed protection system failure is evaluated given a demand (loss of generator load). Only the mechanical overspeed and backup overspeed trip signals are modeled. No credit is taken for normal speed control. Manual trips by the operator are included in the fault tree model to examine their contribution to minimal cut sets, but no quantitative credit is taken.

6. It is assumed that both the mechanical trip valve (MTV) and the mechanical trip pilot valve (MTPV) must function properly to dump the hydraulic pressure but the mechanical trip shut-off valve (MSOV) need not function for success. This could be slightly conservative because proper operation of the MTPV might be sufficient to reduce pressure without the MTV.

7. Extraction steam nonreturn check valves are not included in the model because failure of these valves would cause only a slight overspeed (Reference 7).

B.2.2 Logic Model

The system failure criterion is that one turbine stop valve fails to close on demand and one turbine control valve fails to close on demand, or any pair of combined intermediate valves fail.

This can occur in two ways:

1. Failure of turbine stop and control valves or combined intermediate valves to close given an emergency overspeed trip signal.
2. Failure of the overspeed protection system to generate an emergency overspeed trip signal, given a demand signal.

The fault tree minimal cut sets (MCS) were obtained using the SETS computer code. A total of 45 MCS were obtained; 31 were two-element MCS, 3 were three-element MCS, and 11 were four-element MCS. A simplified reliability block diagram is provided in Figure B-3.

The 31 two-element MCS can be represented as follows:

16 cut sets of the form TSV_j x TCV_k, j,k = 1,2,3,4

6 cut sets of the form CIV_i, i = 1,2,3,4,5,6

9 cut sets associated with the control system:

[MTV + MTPV + LATCH] x [ETV + ETSV + B24]

where:

TSV = failure of an individual turbine stop valve to close on demand.

TCV = failure of an individual turbine control valve to close on demand.

CIV = failure of a pair of combined intermediate valves to close on demand.

MTV = MTV fails to dump pressure given MTPV depressurizes successfully.

MTPV = MTPV mechanical failure.

LATCH = trip latch assembly mechanical failure.

B24 = 24 V dc trip logic fails to function.

ETSV = ETSV fails to de-energize.

ETV = ETV fails to depressurize due to mechanical failure.

The 3 three-element MCS can be represented as follows:

[BOT] [OP1] [MTV + MTPV + LATCH]

where:

BOT = failure of backup overspeed trip signal.

OP1 = failure of the operator to trip the turbine from the Control Room.

If the operator is excluded, 3 more two-element cut sets result. However, BOT is judged to be less than other failures in combination with [MTV + MTPV + LATCH] above. Also, no credit was given to normal speed control; therefore, these cut sets were not included for quantification.

The 11 four-element cut sets can be represented as follows:

[OT] [OP2] [ETV + ETSV + B24] [B125 + MTP + MTSV]

plus

[OP1] [OP2] [OT] [BOT + B24]

where:

OT = failure of overspeed trip device.

OP2 = failure to trip the turbine locally.

B125 = failure of the 125 V trip bus.

MTP = failure of mechanical trip piston.

MTSV = failure of mechanical trip solenoid valve.

Again, if the operator is excluded, 9 three-element cut sets result. These are excluded from quantification since they are small in magnitude compared to the above two-element cut sets.

Also, 2 two-element cut sets result as follows:

[OT] [BOT + B24]

For reasons similar to those discussed above, these were excluded from quantification.

The resulting logic expression for "failure of turbine overspeed protection system" (TOP) can be simplified and represented with the following algebraic expression:

TOP = 16 [TSV][TCV] + 6 [CIV] + [ETV + ETSV + B24] [MTV + MTPV + LATCH]

B.3 REVIEW OF OPERATING EXPERIENCE

Nuclear Power Experience (NPE) by Petroleum Information Corporation was reviewed to identify failures or problems with turbine valves and the overspeed protection system for the reporting period between 1967 and 1981.

Among the over four hundred reported events that were reviewed relating to the turbine, 17 were failures of turbine valves to fast-close on demand. None of these challenged the operation of the emergency overspeed trip system before the plants returned to stable conditions. Five events involved control valve failures due to failure of their fast-acting solenoid valves (four of the events occurred at one plant in 1976). However, it is most likely that if the emergency overspeed trip had been challenged, it would have closed these valves independent of the fast-acting solenoid. The failure mechanisms of the remaining events were valve binding due to steam cutting of the shaft seal and misalignment of the shaft, valve sticky operation due to buildup of phosphate derivatives, valve bolt failure, and other hardware failures.

In addition, spurious trips due to testing were reported in NPE as well as multiple failures of stop or control valves.

All stop valves stuck open due to phosphate buildup at one plant. This failure mode is not applicable to Seabrook because of the use of volatile secondary chemistry. There were two events at another plant where control valve fast-acting solenoids were sluggish. Although these are potential common cause failure modes of the overspeed protection system, there were no events reported where both stop and control valves failed due to potential common cause.

A total of 5 reported emergency trip events were found. All overspeed protection systems functioned properly and there were no turbine failures associated with these events. However, after one of these events, damage was found on the last stage wheel believed to be from a foreign object left in the turbine.

The most commonly occurring problems with the electro-hydraulic controls (EHC) reported to NPE include foreign material in the hydraulic fluid system, leakage in the hydraulic fluid system, and EHC System spurious actuation due to faulty electronic cards or electrical components. The major concern here is the existence of foreign material in the hydraulic fluid system since this could result in common cause failure of the overspeed protection system.

No overspeed protection system failure event has been identified in NPE, but Bush (Reference 8) has evaluated the probability of turbine overspeed failures based on review of extensive turbine operating experience. Since 1951, several turbine missile events were reported to have occurred in older fossil plants. These missiles were generated from fragments breaking through the turbine casing at or near operating speed. In the nuclear industry throughout the world, there were five (5) reported overspeed turbine failure (with missiles) events. These events occurred until 1960 on older demonstration (less than 100 MW(e)) plants. The overspeed protection system for modern G.E. systems has been substantially improved and these events probably would not have occurred with the Seabrook Station System (Reference 7).

Sixty-three (63) events had been reported on serious turbine blade damages, corrosions, and bearing damages. These events do not include the cracks and other damages found during a scheduled inspection or maintenance on the turbine. It is estimated that 98 percent of the severe turbine damages occurred at the low pressure turbine end.

B.4 QUANTIFICATION

The unavailability of the turbine overspeed protection system was quantified using the above algebraic expression and failure data from the Seabrook Station PRA. The mean frequency of component failures is provided in Table B-1. For the LATCH assembly, 3 x 10^-4 was used as the mean frequency of failure to operate on demand (WASH-1400 (Reference 13), clutch mechanical).

Simplifying the algebraic expression, a point estimate (mean) for TOP can be calculated.

TOP = 22 [TCV]^2 + [ETV + ETSV + B24] [MTV + MTPV + LATCH]

    = 22 [1.25 x 10^-4]^2 + variance term + [2.66 x 10^-4 + 2.43 x 10^-3 + 3.89 x 10^-7] [2.66 x 10^-4 + 1.52 x 10^-3 + 3 x 10^-4]

    = 22 [1.25 x 10^-4]^2 (1.6) + [2.7 x 10^-3] [2.1 x 10^-3]

(Note the variance term for ETV x MTV was neglected.)

    = 5.5 x 10^-7 + 5.7 x 10^-6

    = (VALVES) + (CONTROL)

Assuming the failure data used is reasonable and assuming common cause failures do not dominate (not included in quantification), it appears that the control system dominates system failure. However, in an attempt to keep the modeling simple, no credit was taken for normal speed control (power-load unbalance logic) which is the first line of defense in preventing overspeed. This speed control system closes the control valves and intercept valves. A fast-acting solenoid associated with each control and intercept valve must function to dump hydraulic pressure. These fast-acting solenoid valves also were not modeled in the analysis even though they receive a signal from the electrical portion of the emergency trip system. As a result, the control system unavailability could be at least two orders of magnitude smaller. Then the system failure would be dominated by stop and control valve failures.

Regardless of what dominates, the mean frequency of failure given a demand is small (10^-6 or less) assuming common cause failures are also small. Common cause failures less than 10^-6 are difficult to substantiate even when no such failures have occurred. Of course, there is always human interaction which becomes important at such low frequencies, and from operating experience review, there appear to be two other potential common causes for the system:

1. Foreign deposits on valve stems. Although failures were not found where both control and stop valves failed at the same time, this is a potential common cause. Valve testing should include inspections for this type of failure mode and the test frequency optimized based on buildup of deposits, if applicable.

2. Foreign material in electro-hydraulic fluid. Problems with this fluid have the potential to affect a number of valves, resulting in common cause failure of the system. However, this seems unlikely given today's improved systems (titanium coolers and stainless steel valves), and given that the fluid is inspected periodically, sluggish operations would be expected before common cause total failure, if conditions were allowed to deteriorate.

TABLE B-1 FAILURE DATA

Generic Component                     Components      Failure Mode                          Mean     Source*

Electro-Hydraulic Valve               MTPV            Fail to Operate on Demand             1.52-3   23
Turbine Stop/Turbine Control Valve    TSV, TCV, CIV   Fail to Operate on Demand             1.25-4   42
Solenoid Valve                        ETSV            Fail to Operate on Demand             2.43-3   18
Air-Operated Valve                    ETV, MTV        Fail to Transfer to Failed Position   2.66-4   21
Bistable                              B24             Fail to Operate on Demand             3.89-7   72

* Source for hardware failure data in Table 6.2-1 in Seabrook Station PRA.

NOTE: Exponential notation is indicated in abbreviated form:

i.e., 1.52-3 = 1.52 x 10^-3.
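The quantification in B.4, rebuilt from the cut-set structure of B.2.2 and the Table B-1 means, as an added example that is not part of the original report. The event names `IV`/`ISV` for the two valves inside one combined intermediate valve and the `control_credit` parameter are assumptions of this example; the 1.6 multiplier is the report's variance correction on the valve terms.

```python
"""Added example: two-element cut sets of B.2.2 quantified with Table B-1 means."""
from itertools import product
from math import prod

# Mean failure probability per demand (Table B-1; LATCH from the B.4 text).
# IV / ISV are this example's names for the intercept valve and intermediate
# stop valve of one combined intermediate valve; the report quantifies a failed
# pair as [TCV]^2, i.e. each half with the TSV/TCV/CIV mean.
MEAN = {
    "TSV": 1.25e-4, "TCV": 1.25e-4, "IV": 1.25e-4, "ISV": 1.25e-4,
    "MTV": 2.66e-4, "MTPV": 1.52e-3, "LATCH": 3e-4,
    "ETV": 2.66e-4, "ETSV": 2.43e-3, "B24": 3.89e-7,
}
MECHANICAL = ("MTV", "MTPV", "LATCH")   # mechanical trip path
ELECTRICAL = ("ETV", "ETSV", "B24")     # electrical trip path
VARIANCE_FACTOR = 1.6                   # report's correction for squared valve terms


def valve_cut_sets():
    """16 stop x control valve pairs plus 6 combined intermediate valve pairs."""
    hp = [(("TSV", j), ("TCV", k)) for j, k in product(range(1, 5), repeat=2)]
    lp = [(("IV", i), ("ISV", i)) for i in range(1, 7)]
    return hp + lp


def control_cut_sets():
    """9 pairs: one mechanical-path failure with one electrical-path failure."""
    return [((m, 0), (e, 0)) for m, e in product(MECHANICAL, ELECTRICAL)]


def probability(cut_set):
    """Product of the basic-event means in one minimal cut set."""
    return prod(MEAN[name] for name, _index in cut_set)


def quantify(control_credit=1.0):
    """Rare-event sum over the 31 two-element cut sets.

    control_credit scales the control-system term; 0.01 represents the report's
    remark that crediting normal speed control could make that term at least
    two orders of magnitude smaller (an assumption of this example).
    """
    valves = VARIANCE_FACTOR * sum(probability(c) for c in valve_cut_sets())
    control = control_credit * sum(probability(c) for c in control_cut_sets())
    return {"valves": valves, "control": control, "top": valves + control}


def dominant(result):
    """Name of the larger contributor to TOP."""
    return max(("valves", "control"), key=result.get)


if __name__ == "__main__":
    for credit in (1.0, 0.01):
        r = quantify(credit)
        print(f"credit={credit:<5} valves={r['valves']:.2e} "
              f"control={r['control']:.2e} top={r['top']:.2e} "
              f"dominant={dominant(r)}")
```

Using the unrounded sums, the control term comes out near 5.6 x 10^-6 rather than the 5.7 x 10^-6 obtained from the rounded factors 2.7 x 10^-3 and 2.1 x 10^-3.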


B.5 Review of Vendor Requirements

The manufacturer's instruction manual (CEK-46527) recommends a number of tests; two of these tests are the following:

o Fully close the main stop valves and combined valves, DAILY.

o Full test ALL main steam valves and OBSERVE the travel of the valve stems and linkages locally, WEEKLY.

Obviously, these stringent recommendations are meant to make the overspeed protection system as reliable as possible. However, other criteria must be considered as follows:

o Impact on public risk.

o Financial risk and other costs.

o Relative contribution of valve failure probability to total probability of overspeed protection failure and other causes of turbine failure.

o Value/impact.

These are discussed in the main report.

GE provided the results of an analysis of the sensitivity of turbine overspeed to test frequency. (See Nuclear Wheel Newsletter #2, 11/24/82.) The factor by which the overspeed probability is estimated to increase, based on various test frequencies, is provided below. GE also provided a modifying factor, comparing the "base" case (consisting of Cu-Ni fluid coolers and a carbon steel mechanical trip valve in the EHC System) with the "modified" system (titanium coolers and stainless steel valve). The factor by which the overspeed probability is decreased is 80. A factor of 7 was given for the valve and 11 for the titanium cooler.

The as-recommended test frequencies, referred to as base case below, are:

Daily Test: Main Stop Valves, Combined Intermediate Valves

Weekly Test: Control Valves

If longer test intervals than above are practiced, then the overspeed probabilities are estimated to increase as follows:

Test Frequency                                                 Overspeed Probability is Estimated to Increase by a Factor of

1. As recommended (base)                                       -
2. Control valves - monthly; Others - daily                    4
3. All valves - weekly                                         9
4. Control valves - monthly; Others - weekly                   30
5. Control valves and stop valves - monthly; Others - daily    165
6. All valves - monthly                                        165
7. All valves - bi-monthly                                     650

The Newsletter did not describe how these factors were derived. However, they can be calculated as follows:

For the overspeed protection system to fail, one (1) control valve and one (1) main stop valve or one (1) combined intercept and one (1) combined stop in the same line must fail to close.

The result is sixteen (16) minimal cutsets of the form [MSV][CV] and six (6) minimal cutsets of the form [CIV][CSV], where:

MSV = Main Stop Valve
CV = Control Valve
CIV = Intercept Valve
CSV = Intermediate Stop Valve

The simplified algebraic expression for Overspeed Protection System failure is:

4[MSV] x 4[CV] + 6[CIV][CSV] = 16[MSV][CV] + 6[CIV][CSV]     (1)

Now, if all valves are assumed to have a constant standby failure rate, q, then:

[MSV] = 1/2 q T_MSV
[CV] = 1/2 q T_CV
[CIV] = 1/2 q T_CIV
[CSV] = 1/2 q T_CSV

where T is the time interval between tests.

The simplified expression for failure becomes:

4 q^2 T_MSV T_CV + 6/4 q^2 T_CIV T_CSV

For Test Frequency 1 above (the as-recommended base case), T_MSV = T_CIV = T_CSV. Therefore:

q^2 (4 T_MSV T_CV + 1.5 T_MSV^2)

with T_MSV = daily and T_CV = weekly = 7 T_MSV:

q^2 (28 + 1.5) T_MSV^2

For Test Frequency 2: T_MSV = daily and T_CV = monthly:

q^2 (120 + 1.5) T_MSV^2

121.5/29.5 = 4.12 increase over base

For Test Frequency 3: T_MSV = weekly and T_CV = weekly:

q^2 (196 + 73.5) T_MSV^2

269.5/29.5 = 9.14 increase over base

For Test Frequency 4: T_MSV = weekly and T_CV = monthly:

q^2 (4 x 7 x 30 + 1.5 x 7^2) T_MSV^2

913.5/29.5 = 31 increase over base

For Test Frequency 7: All valves bi-monthly:

q^2 (60)^2 (4 + 1.5) T_MSV^2

19,800/29.5 = 671 increase over base

The above simple model essentially reproduces the increased overspeed probability in the Newsletter. The slight difference is probably because slightly different failure rates are used by GE for stop and control valves whereas the above model assumes one failure rate for all valves. These factors assume that control system failure or any common cause failure, which is common to all valves, does not dominate or significantly contribute to the probability of overspeed protection failure.

CE in Reference 7 provides failure rates for stop and control valves as follows:

q = 2.6 x 10^-7/hr for MSV, CIV, and CSV
q = 4.2 x 10^-7/hr for CV

Using Equation 1 above, the probability of failure for test frequency 1 (base) can be estimated as follows:

4[.5 x 2.6 x 10^-7 x 24] x 4[.5 x 4.2 x 10^-7 x 168] + 6[.5 x 2.6 x 10^-7 x 24]^2

= (1.25 x 10^-5) x (1.41 x 10^-4) + 5.84 x 10^-11

= 1.76 x 10^-9 + 5.84 x 10^-11 = 1.8 x 10^-9

If it is assumed that all valves are tested monthly, which could be considered a reasonable test frequency associated with the demand failure used in Section B.4, the result is approximately 2.8 x 10^-7. This compares favorably with 5.5 x 10^-7 estimated in Section B.4.

Also, if quarterly testing is assumed, the result is approximately 2.5 x 10^-6.
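The cutset arithmetic above can be checked numerically. The Python sketch below is an added example, not part of the original report: it evaluates Equation (1) for the test schemes worked in the text and for the base, monthly and quarterly probabilities, assuming a 30-day month (60 days for bi-monthly, 90 for quarterly); the function and variable names are illustrative.

```python
# Added example: rare-event cutset model of Equation (1),
# failure = 16[MSV][CV] + 6[CIV][CSV], with [X] = 1/2 * q * T.

HOURS_PER_DAY = 24.0
Q_STOP = 2.6e-7  # per hour, MSV/CIV/CSV rate quoted in the text
Q_CV = 4.2e-7    # per hour, CV rate quoted in the text

# Test intervals in days as (T_MSV, T_CV, T_CIV, T_CSV).
# Assumption: month = 30 days, bi-monthly = 60 days.
SCHEMES = {
    1: (1, 7, 1, 1),       # as recommended (base)
    2: (1, 30, 1, 1),      # control valves monthly, others daily
    3: (7, 7, 7, 7),       # all valves weekly
    4: (7, 30, 7, 7),      # control valves monthly, others weekly
    7: (60, 60, 60, 60),   # all valves bi-monthly
}
NEWSLETTER = {2: 4, 3: 9, 4: 30, 7: 650}  # GE factors listed in the text


def unavailability(q_per_hr, interval_days):
    """Mean standby unavailability of one valve between tests."""
    return 0.5 * q_per_hr * interval_days * HOURS_PER_DAY


def overspeed_failure(t_msv, t_cv, t_civ, t_csv, q_stop=Q_STOP, q_cv=Q_CV):
    """Probability that the overspeed protection valves fail to isolate."""
    msv_cv = unavailability(q_stop, t_msv) * unavailability(q_cv, t_cv)
    civ_csv = unavailability(q_stop, t_civ) * unavailability(q_stop, t_csv)
    return 16 * msv_cv + 6 * civ_csv


def increase_factors(q_stop=1.0, q_cv=1.0):
    """Ratio of each scheme to the base case; equal rates by default."""
    base = overspeed_failure(*SCHEMES[1], q_stop=q_stop, q_cv=q_cv)
    return {n: overspeed_failure(*t, q_stop=q_stop, q_cv=q_cv) / base
            for n, t in SCHEMES.items() if n != 1}


if __name__ == "__main__":
    one_rate = increase_factors()
    two_rate = increase_factors(Q_STOP, Q_CV)
    for n, ge in NEWSLETTER.items():
        print(f"scheme {n}: GE {ge}, one rate {one_rate[n]:.2f}, "
              f"two rates {two_rate[n]:.2f}")
    for label, days in (("monthly", 30), ("quarterly", 90)):
        print(label, f"{overspeed_failure(days, days, days, days):.2e}")
    print("base", f"{overspeed_failure(*SCHEMES[1]):.2e}")
```

Calling increase_factors with the two quoted rates instead of a single rate shows how far the one-rate simplification moves each ratio.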

FIGURE B-1 (GEK 46400A)

FIGURE B-2A

FIGURE B-2B

[Block diagram. Blocks shown: Turbine Overspeed Event; Electrical Back-up; 24 V Logic; ETSVs & ETV Trip; 125V Logic; MTSV & MTP; Mechanical Overspeed; MTPV & MTV Trip; OP1; OP2; EHC Depressurization]

NOTE:

MTSV = Mechanical Trip Solenoid Valve
MTP = Mechanical Trip Piston
MTPV = Mechanical Trip Pilot Valve
MTV = Mechanical Trip Valve
ETSV = Electrical Trip Solenoid Valve
ETV = Electric Trip Valve
EHC = Electrohydraulic Control System
OP 1 = Operator trip turbine from control room. Not credited in quantification.
OP 2 = Manual turbine trip using mechanical trip handle. Not credited in quantification.

Figure B-3. EHC System Reliability Block Diagram

Enclosure 3

Technical Specification Changes

(Please substitute these pages for the same pages in the July 26, 1985, submittal of the proposed Seabrook Station draft Technical Specifications.)

Page 3/4 7-4
Page 3/4 8-1
Page 3/4 8-2

PLANT SYSTEMS 12 t1GRc.Gnc Y

.ALMtlARY FEEDWATER SYSTEM LIMITING CONDITION FOR OPERATION tw @ tuncMenc't @

3.7.1.2 At least -thr o :independent steam generator -auxf' f ary feedwater

-pumps and associated flow paths shall be OPERABLE with:

One @

Iwo motor-driven auxemey9pacy

a. . ry feedwater pumps,-eaeb capable of being poweredfromreg2r:t emergency bussM, and
b. One steam turbine-driven eweg aux. facy: ry feedwater pump capable of being powered from an OPERABLE steam supply system.

APPLICABILITY: MODES 1, 2, and 3.

ACTION:

eme

a. With one :: #gencyf ry feedwater pump inoperable, restore the requiredeaux; g ency .iary feedwater pumps to OPERABLE status within 72 hours or be in at least HOT STANDBY within the next 6 hours and in HOT SHUTDOWN within the following 6 hours.

sm ere g

b. With two aux',tency i cr3 feedwater pumps inoperable, be in at least HOT STANDBY within 6 hours and in HOT SHUTDOWN within the following 6 hours.

j

. 4. With thr:: cuxi' # ~ ree A -ter : =a; ir.:: rr

fcorrective action to restore at least one E:UjEfeedwater N: kmmediately initiat

~

pump i

t--

to OPERABLE status 2: = = :: p;;aj) A or -

[m \ hot

SURVEILLANCE REQUIREMENTS

eme ency 4.7.1.2 Each aux'gf ary feedwater pump shall be demonstrated OPERABLE:

a. At least once per 31 days by:
1. Verifying that each motor driven pump develops a discharge pressure of greater than or equal to J2fgypsig at a flow of greater than or equal to lofer gpm.

2. Verifying that the steam turbine driven pump develops a discharge pressure of greater than or equal to hh r psig at a flow of greater than or equal to lafer gpm when the secondary steam supply pressure is greater than leder psig. The provisions of Specification 4.0.4 are not applicable for entry into MODE 3.

W-STS 3/4 7-4 AUG 7 1980

3/4.8 ELECTRICAL POWER SYSTEMS

3/4.8.1 A.C. SOURCES

OPERATING

LIMITING CONDITION FOR OPERATION

3.8.1.1 As a minimum, the following A.C. electrical power sources shall be OPERABLE:

a. Two physically independent circuits between the offsite transmission network and the onsite Class 1E distribution system, and

b. Two separate and independent diesel generators, each with:

1. Separate day ::d er;f ; c ant;d fuel tanks containing a minimum volume of @ gallons of fuel,

2. A separate fuel storage system containing a minimum volume of la+cy gallons of fuel, and

3. A separate fuel transfer pump.

APPLICABILITY: MODES 1, 2, 3, and 4.

ACTION:

a. With either an offsite circuit or diesel generator of the above required A.C. electrical power sources inoperable, demonstrate the OPERABILITY of the remaining A.C. sources by performing Specification 4.8.1.1.1a within 1 hour and at least once per 8 hours thereafter (Ot'EitABLE wus,q offsite circuits and two diesel generators to OPERABLE stat L" 4 3 b, / in COLD SHUTDOWN within the following 30 hours. 72 hours or be in

b. With one offsite circuit and one diesel generator of the above required A.C. electrical power sources inoperable, demonstrate the OPERABILITY of the remaining A.C. sources by performing Specifications 4.8.1.1.1a within 1 hour and at least once per 8 hours thereafter and Specification 4.8.1.1.2.a.4 within 8 hours; restore at least one of the inoperable sources to OPERABLE status within 12 hours or be in at least HOT STANDBY within the next 6 hours and in COLD SHUTDOWN within (OPERABLE *tv3 the following 30 hours. Restore at least two offsite circuits and two diesel generators to OPERABLE status within 72 hours from the dO 7 '15 - time of initial loss or be in at least HOT STANDBY within the next 6 hours and in COLD SHUTDOWN within the following 30 hours.

c. With one diesel generator inoperable in addition to a or b above, verify that:

(1) all required systems, subsystems, trains, components and devices that depend on the remaining OPERABLE diesel generator as a source of emergency power are also OPERABLE, and

W-STS 3/4 8-1 JUL 27 1981

ELECTRICAL POWER SYSTEMS

ACTION: (Continued)

emer eacy (2) When in MODE 1, 2, or 3, the steam-driven tur"g: y feed pump is OPERABLE.

(J % o w % in Ade% a. oc 2 %

within the following 30 hours.

SURVEILLANCE REQUIREMENTS

4.8.1.1.1 Each of the above required independent circuits between the offsite transmission network and the onsite Class 1E distribution system shall be:

a. Determined OPERABLE at least once per 7 days by verifying correct breaker alignments, indicated power availability, and
b. Demonstrated OPERABLE at least once per 18 months during shutdown by transferring (manually and automatically) unit power supply from the normal circuit to the alternate circuit.

4.8.1.1.2 Each diesel generator shall be demonstrated OPERABLE:

a. In accordance with the frequency specified in Table 4.8-1 on a STAGGERED TEST BASIS by:
1. Verifying the fuel level in the day :-d e-g = x r-led fuel tank,

W-STS 3/4 8-2 JUL 27 1981