ML20137Y198
| ML20137Y198 | |
| Person / Time | |
|---|---|
| Site: | Trojan File:Portland General Electric icon.png |
| Issue date: | 10/31/1985 |
| From: | Zukor D NRC OFFICE FOR ANALYSIS & EVALUATION OF OPERATIONAL DATA (AEOD) |
| To: | |
| Shared Package | |
| ML20137Y190 | List: |
| References | |
| TASK-AE, TASK-E514 AEOD-E514, TAC-60783, NUDOCS 8603120188 | |
| Download: ML20137Y198 (16) | |
Text
. . -
4 AE00/E514 ENGINEERING EVALUATION REPORT CORE DAMAGE PRECURSOR EVENT AT TROJAN by Office for Analysis and Evaluation of Operational Data October 1985 Prepared by: Dr. Dorothy J. Zukor Reactor Operations Analysi Branch i Section 2 1
4 t
4' NOTE:
This document supports ongoing AE0D and NRC activities and does not !
- represent the positions or requirements of the responsible NRC program office, i
860312010s 951000 gDR ADOCM 0 g4
AEOD ENGINEERING EVALUATION REPORT UNIT: Trojan EE rep 0RT N0: AE00/E514 DOCKET NO.: 50-344 DATE: October 8, 1985 LICENSEE: Portland General Electric Co. EVALUATOR / CONTACT: D.Zukor NSSS/AE: Westinghouse /Bechtel
SUBJECT:
CORE DAMAGE PRECURSOR EVENT AT TROJAN
SUMMARY
During 1984 five events occurred at the Trojan nuclear power plant which could have had serious consequences for equipment or personnel had they occurred under different circumstances. The potentially most serious event occurred on September 20, 1984 involving operator errors which initiated the transient and failures of a diesel generator, the diesel-driven auxiliary feedwater pump, and the turbine-driven auxiliary feedwater pump. Thus, multiple, independent, undetected failures of safety-related components resulted in the partial loss of the emergency onsite power supply and the total loss of the safety-grade auxiliary feedwater system (AFWS). If a loss of offsite power had occurred, a core damage scenario could have resulted.
This report also evaluates other potentially significant operating events at Trojan during or immediately after the 1984 refueling outage. On May 4, 1984, the primary system level indication failed causing a temporary total loss of the Residual Heat Removal System (RHR). On September 26, 1984, the reactor tripped and a main steam safety valve stuck open after control room operators failed to notice that the rods were in manual during a turbine runback. On September 13, 1984 a compressive fitting failed during maintenance of the seal table because the fitting was used incorrectly and on September 17, 1984, another compression fitting failed on a pressurizer instrument line because the fitting was incorrectly assembled. Both events represented a breach of the reactor coolant pressure boundary and loss-of-coolant events.
Our findings indicate that the September 20th event was a severe accident precursor with a conditional core melt probability of 3.5E-2 to 4.9E-3 depending upon a* cumptions. LER data indicates that the non-safety grade AFW pump has been called upon for 19% of the known trips occurring in 1983 and 1984 This indicates an AFWS unreliability far above the desired AFW unreliability of 10E-4. We found that portions of the event of September 20th had occurred before. We also found that the settings for switches, relays, etc. are verified only on those systems required by technical specifications despite plant conditions and activities that warrant comprehensive evaluation.
Collectively, these five events and others that are mentioned in the body of the report indicate a lack of attention to detail, a lack of good maintenance .
practices, and a lack of appreciation of the significance of recent operating I experience at other facilities. Since the time of these events, ithe licensee has taken action to correct these deficiencies. If the dependence on the -
non-safety grade AFW pump continues AE00 suggests that the Region require the licensee to improve the reliability of their safety-grade AFWS. The Region V Administrator met with the licensee on October 12, 1984 to discuss the significance of the September 20th event. The Region emphasized that senior management must take more of an interest in the operation of the plant. They are also closely following the licensee's corrective actions. The safety
significance of the September 20th event as a severe accident precursor and its potential consequences were not recognized previously.
1.0 INTRODUCTION
Durir71984, several events occurred at the Trojan nuclear plant which could have had serious safety implications. Fortunately, these events served to reveal a number of failures that were undetectable during surveillance testing and had they occurred under different circumstances could have contributed to a serious event. Among the safety concerns exemplified by these events are the lack of operational readiness following prolonged shutdown, lack of knowledge and use of prevfous industry experience concerning maintenance activities, and undetected failures of safety-related equipment during surveillance tests.
Five specific events will be discussea in detail and others will be mentioned that further illustrate our concerns. The following events will be described:
September 20, 1984 Reactor trip and safety injection.
May 4, 1984 Loss of Residual Heat Removal.
September 26, 1984 Reactor trip and stuck-open main steam safety valve.
September 13, 1984 Seal table fitting failure.
September 17, 1984 Pressurizer instrument line fitting failure.
2.0 DISCUSSION 2.1 Reactor Trip and Safety Injection During startup following an extended 41/2 month refueling outage, the reactor was at 7% power and the operator was loading the turbine at 5%/ minute (Refs. I and 2). To determine if the load was actually being picked up, the operator had two sources of information available to him -- the megawatt meter on the control console and the trace recorder on the back of the main electrical control board. He chose to use the trace recorder because it provides more accurate indication at lower power levels. The operator, while watching the trace recorder, thought that the turbine was not picking up load and directed the operator pulling the rods to continue to do so. Had he used the megawatt meter to verify turbine load, he would have known that the trace recorder was not operating properly. The control rod operator failed to block the low power trips when the P-10 permissive was reached. He was either unaware or had forgotten that the trip settings for the nuclear intermediate range and low power range trips had been reduced from about 25% to about 15% since physics testing for the new core had not yet been completed at full power. Although the trip setpoints had been lowered, the rpd block setpoints were not, i.e.,
the rods could be withdrawn above 15% power. Normally, it takes ' Mut 1 minute to load the turbine to 50 MWe at 5%/ minute. Procedures then call for the loading rate to be reduced to 0.5%/ minute. At this time in the course of the event, the operator had been loading the turbine at a cate of 5%/ minute for almost 2 1/2 minutes. The operator reduced the turbine loading rate to 0.5%/ minute but not soon enough to maintain the reactor coolant system (RCS) above the low-low Tave setpoint and the intermediate range high flux trip
setpoint. The decreased trip setpoints reduced the time available to the operator to unblock the trips once the permissive had been received and the reactor tripped on an intermediate range high flux condition. As the operators were progressing through the procedure following the reactor trip, the shift supervisor noticed that safety injection (SI) had occurred. A valid low-low reactor coolant average temperature (Tave) signal and a spurious high steam flow signal had caused the St. Verification that the engineered safety features (ESF) equipment had actuated revealed that three components failed to operate properly -- the train "A" west emergency diesel generator (EDG), the diesel-driven auxiliary feedwater pump (DDAFWP), and the turbine-driven auxiliary feedwater pump (TDAFWP). Thus, one train of the emergency onsite power supply and the entire safety-grade AFWS were inoperable. Each of these component failures will be discussed separately.
2.- l .1 Emergency Diesel Generator Each emergency diesel generator (EDG) set consists of two diesel engines in tandem to a generator. When the SI start signal was received, both diesels started, but one tripped. The number two engine in the "A" emergency diesel generator set tripped on high crankcase pressure causing the engine and thus the generator to lock out. Having this trip active on an emergency start violated the plant's technical specifications since this trip should have been bypassed on loss of voltage on an emergency bus or on an SI actuation signal.
At Trojan, the high crankcase pressure trip is bypassed after 15 seconds on an automatic start signal. This situation has existed at Trojan since the plant was completed in 1976.
Further investigation did not reveal the root cause of the high crankcase pressure trip. Instrumented tests performed subsequently indicated that no actual overpressure condition existed; however, out of six test starts, one trip occurred on crankcase overpressure. No reason could be found for the trip. In an IE inspection report, inspectors noted that the vendor prints associated with the EDG were confusing and incomplete (Ref. 3). It is possible that the incorrect auto-start logic remained unnoticed because the prints were poor.
A concern in this case is that for ten years, surveillance tests failed to identify the incorrect automatic start logic.
The corrective action to prevent this failure in the future involved bypassing 4
the high crankcase pressure trip on an automatic start signal. In addition, plant drawings are being reviewed with emphasis on the main control boards and the remote shutdown panel. There are plans to update drawings associated with the control panel for the emergency diesel generator (Ref. 4).
2.1.2 Diesel-Driven Auxiliary Feedwater Pump In response to the SI signal, the DDAFWP attempted to start and tripped on low lube oil pressure. The turbine-driven' auxiliary feedwiter pump started satisfactorily (see next section). The start sequence of the pump allows 1 minute for the pump to get to 600 rpm or 25 psig of lube oil pressure and permits three attempts to meet these criteria before it trips. In addition, af ter the engine reaches 600 rpm, there is a 25 second delay before the low lube oil pressure trip is introduced into the circuit. This 25 second delay relay was found set to 0.8 seconds. Thus, inadequate time was allowed for the
engine to build up sufficient lube oil pressure before automatic trip. The time-delay relay with the incorrret setting is located on the C160 remote shutdown panel. The relays on tais panel neither have lockable settings, nor were the correct settings indicated directly on the relays. Extensive modi-fications were done on this paiel during the previous refueling outage in conjunction with upgrading thi diesel starting battery. Four improperly set relays were found on this parel. All were unlockable and all were located on the control panel door. At the time of the event, these time-delay relays were not addressed by the maintenance or surveillance procedures, since only those time-delay relays specifically addressed by technical specifications are periodically verified.
Testing did not reveal the problem because the engine could start with the relays improperly set depending upon engine and oil temperature. The concern here is twofold: first, the failure was not detectable during surveillance testing; and second, despite extensive maintenance in the cabinets, the licensee failed to verify equipment settings before returning the system to service.
The corrective action consisted of checking all the time delays associated with the auxiliary related feedwater system in addition to random sampling of other safety-relays. Except for the relays on the C160 panel, no other incorrect relay settings were found.
A maintenance procedure has been implemented to periodically verify the settings of all safety-related time-delay relays. In addition, some relays have been sealed to their setpoints to prevent inadvertent movement.
2.1.3 Turbine-Driven Auxiliary Feedwater Pump Upon receipt of the SI signal, the TDAFWP started, ran for 5 minutes and then tripped on low suction pressure. Thus, both safety-related auxiliary feedwater pumps were inoperable. Af ter verifying adequate condensate storage tank level and TDAFWP suction pressure, the operator overrode the trip. The pump restarted but turbine steam chest pressure fluctuations and flow oscillations caused the operator to manually trip the TDAFWP to avoid damaging the pump.
With both safety-grade AFWPs inoperable, he started the non-safety related motor-driven AFWP (MDAFWP) to provide adequate feedwater. Investigation of the pump trip showed that the pressure transmitter in the suction line of the TDAFWP had failed due to an electrical component failure causing pump trip on low suction pressure. This particular transmitter had been calibrated on February 15, 1984 It had failed to operate properly three times since it was installed in 1980 -- twice from mechanical problems and once from erratic readings. The cause of these failures is believed to be the mechanical stress that occurs in the suction line as a result of the suction pressure oscillations.
The cause of the turbine steam chest pressure and flow oscillations during pump operation is thought to be insufficient dampening of the fluid pressure in the pump discharge pressure transmitter sensing line which is used for pump speed control. The control system for the TDAFWP maintains the pump speed necessary to develop a pump discharge pressure which is 100 psi greater than the steam generator pressure. Inadequate dampening of fluctuations in the discharge pressure transmitter sensing line affects both steam flow and fluid flow through the pump.
The. low suction pressure trip was installed in 1980 following the post-TMI upgrading of the AFWS.
The MDAFWP was also added at that time.
The concern here is that previous failures of this transmitter indicated its unsuitability for this application, i.e., the transmitter fails when subject to vibrations. It is important that the TDAFWP be reliable, because it is the only feedwater pump available following a loss of all ac power. The DOAFWP is dependent on ac power for cooling. After the event, the failed transmitter was replaced. The pulsation damper in the pump discharge transmitter was changed to smooth out pum,9 speed control. Procedures were revised to ensure adequate pump suction prior to overriding the low suction trip. The calibration frequency of the suction pressure transmitter was increased to each refueling outage. It should be noted that the oscillations, which occurred when the TDAFWP was called upon during the SI, did not occur during the surveillance testing of this pump apparently due to differing operating conditions during test and operation. During the subsequent plant heat-up, the pump was run under varying flow conditions and steam pressures to assure that the oscillations had ceased. During the spring 1985 refueling outage an evaluation of the suction pressure transmitter was performed. No reason for the transmitter failures was found, but because of past experience, the evaluation recommended replacing it with a newer model.
NUREG-0611 published in 1980 mentions that Trojan had a history of problems with both the diesal-driven and the turbine-driven AFWPs (Ref. 5). This evaluation of the Trojan AFW system considered the adequacy of the water supply for the pumps, dependence on non-safety power supplies, restrictions to flow, and the seismic qualifications of the AFWS. The problems with the AFWS which occurred on September 20, 1984 were not specifically addressed.
It appears that many of the problems which occurred during this event were due to incomplete actions prior to return to service of both the components 'of the AFWS and of the control system itself.
An AE00 engineering evaluation (Ref. 6) evaluated five events at various plants where the TDAFWP was unavailable because the steam supply was isolated and this information was not available to the operators in the control room. In some cases the inoperable condition of the pump was found during an inspection, in other cases the condition was found during an SI when the pump failed to run.
Trojan has had problems similar to those discussed in Reference 6. On Janua ry 22, 1983, the operator was unable to restart the TDAFWP when it tripped on overspeed because the pump had been manually tripped incorrectly earlier (Ref. 7). On January 3,1984, a similar event occurred at Trojan when the trip and throttle valve on the TDAFWP was 'found inoperable due to tripped overload i protection contacts. This was discovered during an operability test. The valve had apparently been inoperable from November 23, 1983 until the operability test on January 3,1984. The plant was operating at 100% power at I the time of the di,scovery (Ref. 8). On August 20, 1983, the 00AFWP started following a reactor trip and tripped on overspeed. The TDAFWP and the MDAFWP were used to supply feedwater to the steam generatcrs (Ref. 9). Since 1983, the Trojan plant has relied on the non-safety MDAFWP three times to provide feedwater to the steam generators following a trip (LERs83-002, 83-012 and 84-016). During 1983 and 1984 the non-safety MDAFWP has been called upon for 19% of the known trips.
6-2.1.4 Main Steam Isolation Valves In addition to the above failures which occurred in the AFW system during the September 20, 1984 event, the main steam isolation valves did not close on receipt of a coincident low-low Tave and high steam line flow signal. This cannot be considered a failure of the system to function as designed since the steam line isolation signal was present for less than 1/60th of a second and with a signal of.such short duration the solenoid valves associated with the MSIVs could not actuate. The steam line isolation signal does not seal in
' electrically but does so mechanically by unlatching the solenoid valve that bleeds pressure off of the spring-locked closing mechanism on the MSIVs. An operator error occurred when the operators did not notice that the MSIVs had failed to close.
2.1.5 Risk Assessment of the Event on September 20, 1984 As discussed above, during startup of the reactor, a trip occurred and one DG, the TDAFWP, and the DDAFWP did not operate as expected. The non-safety grade MDAFWP was relied upon to provide AFW to the SG. Had a loss of offsite power occurred, no AFW would have been readily available.
The NRC currently considers a 10E-4 to 10E-5 per demand for AFW system unreliability acceptable according to the SPP Section 10.4.9. Trojan has had to call upon the non-safety grade AFW pump three times in two years suggesting that Trojan's AFW system is not as reliable as desired. The Office of Nuclear Regulatory Research (RES) and the Office of Nuclear Peactor Regulation (NRR) evaluated the risk associated with this event (Ref.10). Oak Ridge National Laboratory (0RNL) performed the evaluation ior RES. ORNL estimated two probabilities for severe core damage depending upon the initiating event and the recovery class assumed for the failed equipm.ent using the existing accident sequence precursor methodology (ASP) and data described in their 1980.d1 Accident Precursor report (Ref.11). The first estimate assumes a recovery class of R1* for the MSIVs and the unavailable diesel generator and a recovery class of R2 for the failed AFWPs. This results in a conditional prot'abfif ty for severe core damage of 1.7E-3. The second estimate assumes a recovery class of R3 for the failed AFWPs and the MS!Vs and a recovery class of R1 for the unavailable diesel generator. This results in a conditional probability for severe core damage of 6.3E-4. For both estimates the dominant contiibution occurs from loss of feedwater (LOFW) or loss of offsite power (LOOP) sequences.
The Reliability and Risk Assessment Branch (RRAR/NRR) also evaluated the risk j associated with this event as 1.3E-4 or less. In their analysis of the LOFW sequence, they postulated the probability of the loss of the 00AFWP to be 0.5, the probability of the loss of the TDAFWP to be 0.5 and the loss of the
'
- Recovery Class .R1 neans that the failure did not appear recoverable in the required period following the assumed initiating event, either from the .
control room or at the failed equipment -- the probability of failing to recover = 0.58. Recovery Class R2 means the probability of failure to recover = 0.34 Recovery Class P3 means the probability of failure to recover = 0.12.
non-safety grade AFWP to be 0.01 to 0.1. These assumptions resulted in a conditional probability of 1.3E-7 to 1.3E-4.
The analyses from RRAB and ORNL differ by about an order of magnitude. Some of this difference probability is due torecovery.
of equipment differences in the assumed failure rates and in the RRAB used assumed failure rates and recovery probabilities based on engineering judgement while ORNL used the methodology and recovery classes defined in the Accident Precursor Study (Ref. 11). Both analyses included the MDAFWP as a source for AFW.
The two evaluations were done using different techniques. RRAB analyzed additional failures or events which resulted in their desired scenario. The ORNL evaluation assumes that the problems with the AFW system would have been detected during the next monthly surveillance test had the start-up on September 20 proceeded normally. As discussed above, there is no assurance that routine surveillance tests would have found the problems in the system.
If credit is not taken for discovery of the faults in the system during the next monthly surveillance tests, the ORNL calculation can be adjusted to account for this. In this case, the first estimate gives an adjusted conditional probability for severe core damage of 3.5E-2 and the second estimate gives an adjusted conditional probability for severe core damage of 4.9E-3. These estimates may be conservative since they assume that none of the faults would be found during surveillance testing, but they definitely indicate that this event represents a significant accident precursor.
3.0 OTHER OPERATIONAL EVENTS The following four events will be' described and discussed to illustrate some of the problems which showed up in the September 20th event. In general, they indicate inadequate solutions to repetitive events, lack of verification of readings before taking action, inadequate communication between management and maintenance personnel, and lack of knowledge of industry experience.
3.1 Total loss of Residual Heat Removal System On May 4,1984 while draining down the reactor coolant system (RCS) in preparation for refueling, residual heat removal system (RHR) was lost for 40 minutes (Ref.12).
RCS level indication consisted of a temporary level transmitter and a tygon hose with a television camera broadcasting to the control room. Both indications were from the drain line in the suction of the "B" reactor coolant pump.
Unknown to the operator, a blockage in the tap line upstream of both the temporary level transmitter and the tygon hose caused erroneous level indication. To perform the ESF response time actuation testing, both RHR pumps were stopped (permitted by technical specifications). The first pump was restarted, but it ihd to be immediately stopped due to cavitation. It took 10 minutes to determine the problem and another 30 minutes to restore RCS levels before the RHR pumps could be restarted. The RCS temperature increased from 105*F to about 200*F, which is approaching saturation conditions. The potential existed for core uncovery and damage. This event represents another core damage precursor.
_r.
The plant had experienced similar losses of this system, but no actions were taken until recently to preclude a recurring significant event.
To prevent similar future occurrences, the following actions were taken:
- 1) the procedure was revised to require that the loop drain to the level standpipe be flushed before use; 2) a second standpipe was installed from a loop flow transmitter sensing line; 3) the procedures were revised to provide better information to the operators during coolant system draining; and, 4) a graph was developed correlating RCS level to the amount of drained water.
(This event is included in an AE00 case study which is presently in Peer Review.)
3.2 Reactor Trip and Stuck Main Steam Safety Valve On September 26,1984 at 10:08 pm, a false main feedwater pump low suction pressure signal was received due to a failed pressure transmitter (Ref.13).
At this time, the operator started reducing turtine load slowly to avoid arming the steam dumps. The control rods were in manual because the operators were performing physics testing following the recent refueling outage. Since the rods did not reduce reactor power automatically, four main steam safety valves lifted. At 10:25 pm, control room personnel realized that the control rods were in manual and started to manually insert them to reduce RCS temperature.
At 10:30 pm, the incoming shif t informed the control room personnel that the safety valves were open. There is no direct indication in the control room to show that a safety valve has lifted, and becuuse of the location of the control room, operators cannot hear a lif ted safety valve from the control room.
The turbine load and reactor power were reduced in order to rescat the safety valves. The "D" steam line safety valve failed to reseat properly, forcing the licensee to enter a Technical Specification action statement. Following a reactor trip at 1.2% power due to low-low level on steam ganerator "D", the "0" safety valve rescated at approximately 890 psig. A review of the setpoints on the steam line safety valves indicated that they were set to open at about 1260 rather than the normal setpoint of 1125. The valve should have rescated at about 1068 psig.
The main feedwater pump low suction pressure alarm was not verified by 'an 1
operator before the control room operator started to reduce turbine load. The control room operators failed to notice the mismatch between reactor and turbine power and that the rods were in manual control. In addition, they i failed to recognize that the main steam safety valves were open. No reason for the abnormal setpoints on the main steam safety valves could be found. There
- was no administrative requirement for periodic reviews of these setpoint controllers.
Our concern is that the operators were so intent on preventing a reactor trip, partially due to the other trips they had experienced previously during start up, that they failed to pay attention to other indications in' the control room.
In addition, similar to the September 20, 1984 event, they chose to believe only one indicator rather than verifying it against other instrumentation. The erroneous setpoints on the main steam safety valves indicate inadequate preparation for restart and apparently reflect the practice at Trojan to check only what is required by the technical specifications.
Humerous corrective actions were implemented following the September 26th event. The safety valves that lifted were examined and administrative prccedures were proposed to ensure better coordination among the operating crews and to utilize information from all sources on plant status during '
unusual conditions (Ref. 2).
3.3 Events Associated With Swagelok Fittings The following two events are being highlighted because they represent a lack of communication between management and maintenance personnel and a lack of knowledge of industry experience. '
On September 13, 1984, a " hot" soak was being performed to verify RCS integrity l
during hot standby (Ref.14). Three small leaks were identified from three 1
Swagelok fittings in containment at the incore instrumentation seal table. Two of the leaks were stopped by tightening the fittings. The third fitting
{-
continued to leak and eventually resulted in an unisolable leak from the i
primary system and the contamination of two maintenance workers. After the i plant was taken to cold shutdown, the leak was stopped. By then about 15,000
- gallons of reactor coolant had leaked into the containment sump. The failed ,
fitting could not be properly repaired with a similar fitting so the line was welded.
The root cause of the event was an improperly installed Swagelok compression -
{ fitting. The leaking conduit was found to be tapered at the end where the Swagelok fitting was installed. This was not noticed during the presoak inspection. Swagelok fittings are not designed to function in tapered tubes
} and their performance under such conditions is unreif able. ;
Discussion with plant maintenance engineers indicated that Swagelok fittings
,' are, in general, extremely reliable fittings. Problems tend to occur due to
+ improper maintenance or installation rather than defects with the fittings themselves. !
At Trojan, the problem which caused the event was a result of the '
personnel being unable to verify that the fitting was installed properly. The fitting which failed was installed during construction of the unit. A device
]
to v6rify correct initial installation exists. The device is a gauge which i
allows the maintenance personnel to verify that the Swagelok fitting has been tightened according to the manufacturer's instructions. Its use was not '.
l widespread among the personnel at the plant, because it was not considered necessary.
j Prior to performing maintenance on this system, an operational assessment i
review (OAR) had been performed at the plant. In such a review, all pertinent j
information on a specific topic, in this case seal table repairs during operating temperatures and pressures, is collected and made available in a summary to the Shift Technical Advisors (STAS) and the engineers. As a result of the Trojan Sequoyah thimble tube ejection accident which occurred on April 19, l 1984, had alread i table repairs (Ref.15)y changbd .
some of the maintenance procedures for seal The revised procedures stated that maintenance on the seal table would be performed during hot standby, not during power operation.
j Although the licensee, the STA and the maintenance supervisor were aware of IE Information Notice 84-55, and the Zion LER on the event of January 20, 1984 j
)
discussing seal table work, the maintenance personnel actually performing the task were not made aware of the experiences at other plants or of the hazards
)' involved in performing this work (Ref.16 and 17).
i, _ _ _ _ _ ____
i The lack of communication between the management and the workers on the subject of previous operating experience and the known hazards of working on hot pressurized systems contributed to the event.
i In addition to increasing the availability of the measuring gauges, additional training in the installation and maintenance of Swagelok fittings is planned 4
for mechanics, electricians andmechanics' engineers. helpers, instrumentation and control technicians,
- The use of Swagelok fittings on thick-walled conduits that require frequent disassembly is being re-evaluated. As a last resort, changes in the design of the seal table are being investigated to 1
determine if it is feasible to eliminate the Swagelok fittings.
j i
A few days later, another event occurred involving Swagelok fittings and exhibited similor deficiencies in management communication and knowledge of the 4
hazards of working on pressurized systems.
On September 17, 1984 during an RCS integrity test, with the reactor at full pressure and temperature, another event occurred involving an RCS leak due to a
! Swagelok fitting when a craftsman attempted to tighten a dripping fitting (Re f. 18) . The fitting separated when he touched it and he quickly left the containment. Maintenance had been done on this line previous to this failure.
Most of the connections in this system are welded. There are four pressurizer level sensors. When the leak developed in one line, it affected both the i
reference level and the reading level. When the licensee attempted to isolate l
the leak, the wrong isolation valve was initially closed reducing the total number of sensors from four to one. The fitting leaked because it had been l assembled with three ferrules instead of two as required. ,
! ii No LER was submitted on this event because the-leak was small (i.e., within technical specification limits) and there were no adverse consequences. Such
)
an event is not reportable.
1 Swagelok of years. fittings have been used reliably on high pressure systems for a number
! fittings.
They are considered among the most reliable of the compressive j They are used on hydraulic systems because of their easy installation and low failure rate. The problems which have recently been noticed concerning these fittings appear to be due to incorrect installation techniques. Problems sometimes occur if more than one type of fitting is used at a plant and parts from one manufacturer are interchanged with parts from another. This has not been a problem at Trojan, but has happened at another plant.
It appears that correct installation and maintenance practices and replacing these fittings with welds where possible would eliminate many of the problems.
l l
In addition, better coordination, training and minimizing maintenance on fully pressurized systems would reduce the hazards to personnel. Actions were taken to correct all of these problems including a possible redesign of the seal table fittings. -
1 0 2
4.0 MANAGEMENT ASSESSMENT I
! As a result of the events at Trojan, an independent assessment was performed by the Manager of the Nuclear Safety Branch and two members of the Trojan Nuclear j Operations Board (TN08) staff to determine the underlying causes of the events (Re f. 19 ) . They conclude that the contributing factors generally fell into two l
1 '
categories -- plant material condition and conduct of plant operations. The plant material aspect refers to the fact that some of the problems which occurred at the plant in mid to late 1984 had occurred before. Part of the problem was that the evaluation of maintenance performed is an additional duty of the plant supervisor whose main job is to keep the plant operational. Plant operations was criticized for lack of coordination among control room personnel and the tendency overview perspective. of the STA to focus on one problem rather than providing an Trojan has had difficulty maintaining control room crew stability. The licensee's commitment to improve requalification exam scores removed experienced personnel from the control room for significant time periods. In addition, crew assignments to special projects, training and vacations have caused restructuring of normally stable crews. The assessment stated that Trojan had recently lost four original STAS and they were trying to qualify new individuals for these positions' as rapidly as possible.
On October 12, 1984, a meeting was held at the corporate office of Portland General Electric Company between the licensee and the Region V Administrator to discuss the implications of the Trojan events (Ref. 20). Among the subjects discussed were the analysis of serious events, repetitive events, use of operating and experience, management and worker equipment restoration practices following maintenance, attitudes. The Region emphasized that senior management must take more interest in the operations of the plant to ensure that corporate policy regarding plant maintenance and operations are well understood by all of their staff.
The Systematic Assessment of Licensee Performance (SALP) for Trojan which was performed for the period September 1,1983 through October 31, 1984 addressed many of the same concerns mentioned above (Ref. 21). The report stated that the licensee's difficulty in requalifying reactor operators may be partially attributed to .the lack of a site specific simulator and insufficient operating crews to allow year-round classroom training. Also noted was the licensee's reluctance to check and readjust all equipment which may be affected by modifications except for those required by regulations. Three violations were identified concerning maintenance, one of them being the licensee's fail.ure to periodically ensure the proper setting of time-delay relays. The report mentioned that many problems which arcse during the assessment period had occurred before and that inadequate investigation of these problems had failed to resolve them.
involvement in plant operation.Overall, the report stressed the need for more management The report was critical of the Trojan Nuclear Operations Board since uncertainties in the Board's responsibility and methods of operation had failed to provide a truly independent and critical assessment of nuclear safety concerns.
This situation has existed since 1981. The June 1985 inspection report for Trojan indicated that changes in the TN0B's membership, procedures, and a clear definition of responsibility for quality assurance has addressed this concern (Ref. 22).
I I
Following the Spring 1985 refueling, a " Ready for Startup" program was implemented which helped to assure a smooth return to power. This program ,
included better coordination of operating crews, closer involvement of plant l management, and better tracking of system readiness for operation.
- 5.0 FINDINGS AND CONCt.USIONS Our findings indicate that the reactor trip and safety injection event of September 20, 1984 can be considered a severe accident precursor with a condi-tional core damage probability between 3.5E-2 and 4.9E-3. The following '
general observations were also made:
1.
The root causes of events were not corrected or adequately addressed which led to repetitive events involving multiple failures that accumulated over time.
- 2. Only equipment required to be operable pursuant to technical specifications is repaired and checked. In addition, the adverse effects that maintenance may have on adjacent equipment were generally not considered or evaluated.
3.
Sometimes the most recent problem receives the most attention to the '
exclusion of other problems which may also exist.
4.
Redundant or corroborating indicators of plant status are not adequately used.
i
- 5.
The tests for the safety-related AFWP did not verify that the pumps would be operable during expected operating conditions.
6.
Prior to the events of 1984, there were no procedures to periodically t check some safety-related equipment such as time-delay relays, although it ,
j is required by maintenance their technical specifications and constitutes a good practice.
2 7.
There appears to be an over-reliance on the non-safety grade MDAFW to per-form the safety function of providing feedwater.
8.
' The information available concerning equipment problems and operating experiences at other plants is not apparently passed on to the workers actually doing the maintenance.
In conclusion, our findings are corroborated by other investigations done i
subsequent to these events. Although there were some mitigating circumstances surrounding the events, the lack of attention to detail, the lack of good I maintenance practices, and the lack of appreciation of the significance of
- operating experience at other plants, in general, cannot be ignored. In particular, it appears that the licensee did not appreciate the significance of
) the September 20th event which until now has gone unnoticed as a serious accident precursor.
Although the licensee has.made plans to improve in the areas discussed above.
it remains to be seen whether these changes are being implemented effectively, i 6.0 SUGGESTION
- There is a past history of problems with the AFWS at Trojan. Problems with the system still exist. We found that the reliability of the safety grade AFW pumps was poor and resulted in the need to rely on the non-safety grade motor driven pump more than is desirable. If the safety grade AFW pumps continue to i
13 -
demonstrate steps to requirea poor improvement. reliability record, as in the past, the Region should take 9
f j i
. REFERENCES 1.
LER 50-344/84-016 " Reactor Trip and Safety Injection."
- 2. IE Inspection Report, 50-344/84-29.
- 3. IE Inspection Report, 50-344/84-18
- 4. IE Inspection Report, 50-344/85-04.
5.
Nuclear Regulatory Commission, " Generic Evaluation of Feedwater Transients and Small Break Loss-of-Coolant Accident in Westinghouse Designed Operating Plants," NUREG-0611, January 1980. (Available for purchase from National Technical Information Service, Springfield, VA 22161.)
6.
AE0D Engineering Evaluation Report N402, " Events Involving Undetected Unavailability of the Turbine-Oriven AFW Train."
- 7. LER 50-344/83-002
- 8. .LER 50-344/83-022
- 9. LER 50-344/83-012 10.
Memorandum from Gary R. Burdick, Reactor Risk Branch to Ashok Thadant Reliability and Risk Assessment Branch, "Results of An Evaluation of the Significance of the Multiple Failures Occurring at the Trojan Nuclear Power 1985. Plant While Undergoing Startup September 20, 1984" dated March 5, 11.
- W. B. Cottrell1980-1981" Accidents
- and others, " Precursors to Potential Severe Core Damage USNRC Report NUREG/CP-3591, February 1984 (Available for Springfield, VApurchase 22161.) from National Technical Information Service, 12.
LER 50-344/84-010. " Temporary Loss of RHR Cooling In Mode 5." '
13.
LER 50-344/84-017 " Reactor Trip and Stuck Main Steam Safety Valve."
14 LER 50-344/84-014 " Identified Leakage in Excess of 10 gpm from Incore Flux Detector Seal Table." i
- 15. LER 50-327/84-030, " Thimble Tube Ejection."
16.
IE Information Notice 84-55, " Seal Table Leaks at PWRs."
17.
LER 50-295/84-005, "incore Instrumentation, Seal Table High Pressure Seal Failure."
18.
PN0-V-84-62, " Leak from Pressurizer Level Detection System Tubing."
19.
Letter from Bart D. Withers, Portland General Electric Company to John 8.
Martin, NRC Region V. " Trojan Nuclear Plant: Operational Readiness,"
dated October 1,1984
0 15 -
20.
Letter from T. W. Bishop, NRC Division of Reactor Safety and Projects Region V to Bart D. Withers Portland General Electric Company, " Report of Meeting with PGE Management," Report 50-344/84-32 dated October 12, 1984
- 21. NRC Region V Report 50-344/84-35, " Systematic Assessment of Licensee Performance, dated DecemberPortland 11, 1984.General Electric Company, Trojan Nuclear Plant,"
- 22. IE Inspection Report, 50-344/85-18 l
l .
l t
- , - - . ~-- - - . - - , - - - . - . - --
Karl V. Seyfrit discuss the significance of the September 20th
, 1984 to event.The R that senior management must take more of an interest in plant.
n of the the operatioThe They both short term are and also closely following the licensee's corrective actions 1cng term. ,
a kb/
Dorothy J. r, Reactor Systems Section 2e ctor Systems Engineer Reactor Operations Analysis Branch Office for Analysis and Evaluation of Operational Data
Enclosure:
As stated cc w/ enclosure:
C. Trammel, NRR G. Johnston, Region V S. Richards, SRI I
e
,