Text

Informs That a Dibiasio of BNL Will Visit Plant on 930303- 04 to Discuss Encl Draft NUREG risk-based Insp Guide
	ML20138D506
Person / Time
Site:	Hatch
Issue date:	02/12/1993
From:	Jabbour K; Office of Nuclear Reactor Regulation
To:	Hairston W; GEORGIA POWER CO.
References
	CON-FIN-A-3875 NUDOCS 9302220278
	Download: ML20138D506 (53)
	v • d • e

February 12, 1993

,g ,

Docket Hos. 50-321 Di$1RULUI193 and 50-366 ? Docket file E.Merschoff,Rll NRC/ Local PDRs P. Skinner,Rll PDil-3 RF Mr. W. G. Hairston, 111 D.Matthews Senior Vice President - K.Jabbour Nuclear Operations L. Berry Georgia Power Company J.Chung P. O. Box 1295 W.Beckner Birmingham, Alabama 35201 B. Gore, PNL T.Vehec, PNL

Dear Mr. Hairston:

SUBJECT:

RISK-BASED INSPECTION GUIDE - EDWIN 1. HATCH fiUCLEAR PLANT, UNITS 1 AND 2 This is in reference to the development of a Risk-Based Inspection Guide (RIG) to be published as a NUREG report under an NRC Technical Assistance contract with Brookhaven National Laboratory (BNL). This RIG is intended to provide useful guidance for NRC inspection activities.

The purpose of this letter is to inform you that we are planning to send our contractor, Ms. Adele DiBiasio of BNL, to visit Hatch Nuclear Plant on March 3 and 4, 1993. The visiting contractor will accompany the resident inspector in a :ystem walkdown and verify the accuracy of the information. During this visit, the contractor will be available to meet with your staff and receive their comments regarding the RIG in order to reflect your plant status accurately. However, we would like to clarify that your participation during the visit will be strictly voluntary. We are enclosing a draft copy of the RIG, and if you choose to participate during the visit, please inform me and the RlG project coordinator, Dr. Jin Chung at (301) 504-1071.

Your cooperation in this matter is appreciated.

Sincerely,

/s/

tahtan N. Jabbour, Project Manager Project Directorate 11-3 Division of Reactor Projects - 1/11 Of fice of Nuclear Reactor Regulation

Enclosure:

Draft RIG cc w/ enclosure:

See next page O ,)

OFFICE PDII-3)ib PDil-3/PlihPh//4A WE L.BEREi K.JABB0dI[ D.MATTHEWS A

N 2/ll/93 2/l%/93 2/l$/93 ')

0FFICIAL RECORD COPY FILE NAME:G:\ HATCH \HATRIG.LTR 190 # 4

8aaa 88a 8888a8m .. c P PDR

o O

d 'o,,

a UNITED STATES NUCLEAR REGULATORY COMMISSION

{* E WASmNOTON, D. C. 20$55 February 12, 1993 g . . . . . j/

Docket Nos. 50-321 and 50-366 Mr. W. G. Hairston, III Senior Vice President -

Nuclear Operations Georgia Power Company P. O. Box 1295 Birmingham, Alabama 35201

Dear Mr. Hairston:

SUBJECT:

RISK-BASED INSPELI4bh >,lDE - EIA!!N 1. HATCH NUCLEAR PLANT, UNITS 1 AND 2 This is in reference to the development of a Risk-Based Inspection Guide (RIG) to be published as a NUREG report under an NRC Technical Assistance contract with Brookhaven National Laboratory (BNL). This RIG is intended to provide useful guidance for NRC inspection activities.

The purpose of this letter is to inform you that we are planning to send our contractor, Ms. Adele DiBiasio of BNL, to visit Hatch Nuclear Plant on March 3 and 4, 1993. The visiting contractor will accompany the resident inspector in a system walkdcwn and verify the accuracy of the information. During this visit, the contractor will be available to meet with your staff and receive their comments regarding the RIG in order to reflect your plant status accurately. However, we would like to clarify that your participation during the visit will be strictly voluntary. We are enclosing a draft copy of the RIG, and if you choose to participate during the visit, please inform me and-the RIG project coordinator, Dr. Jin Chung at (301) 504-1071.

Your cooperation in this matter is appreciated.

Sincerely, bt/.L bl . $

Kahtan N. Jabbour, Project Manager Project Directorate 11-3 Division of Reactor Projects - 1/11 Office of Nuclear Reactor Regulation Enclosi;re:

Draft RIG cc w/ enclosure:

See next page

'o ,

+j - -

i Mr. W'. G. Hairston, 111 -

Georgia Power Company Edwin 1. Hatch Nuclear Plant ,

i CC:

Mr. Ernest L. Blake, Jr. Mr. R. P. Mcdonald _. :

Shaw, Pittman, Potts-and Trowbridge - Executive Vice President -

2300 N Street, NW. Nuclear Operations :!

Washington, DC 20037 Georgia Power Company- ,

P. O. Box 1295 Mr. J. T. Beckham -

Birmingham, Alabama 35201 Vice President - Plant Hatch Georgia Power Company Mr. > Alan 'R. Herdt, Chief '

l P. O. Box 1295 Project Branch #3 .

Birmingham, Alabama 35201 U. S. Nuclear Regulatory Commission 101 Marietta Street, NW, Suite 2900-Mr. S. J. Bethay Atlanta, Georgia 30323-' q Manager Licensing - Hatch . _i Mr. Dan H. Smith,.Vice President Georgia Power Company i P. O. Box 1295 Power Supply Operations-Birmingham, Alabama 35201 Oglethorpe Power Corporation 2l00 East Exchange Place Mr. L. Sumner Tucker', Georgia 30085-1349 General Manager, Nuclear Plant Georgia Power Company Charles A. Patrizia, Esquire Route 1, Box 439 Paul, HastingsTJanofsky & Walker Baxley, Georgia 31513 12th Floor i 1050 Connecticut Avenue, NW.

Resident inspector Washington, DC- 20036 ,

U. S. Nuclear Regulatory Commission sl Route 1 Box 725 Baxley, Georgia 31513 Regional Administrator, Region-ll '

V. S. Nuclear Regulatory Commission 101 Marietta Street, NW. Suite 2900 l Atlanta, Georgia -30323

- Mr-. Charles H. Badger Office' of Planning and Budget Room 610 270 Washington' Street, SW.

Atlanta, Georgia 30334 i Harold Rehets, Director- o Department of Natural Resources 205 Butler 5treet, SE., Suite 1252 y Atlanta, Georgia 30334 Chairman

.Arpling County Commissioners -

County Courthmse Baxley, Georgia 31513 ;

j

= -

- - , y- g- , - ,.- .-- ---w.y -w

t 4

p 77l a~ ?p/ :. . j j' a .4] NUREG/CR-ei j! I: 3.. 0.. !!I i: BNL-NUREG-l i

lilGli PRESSURE COOLANT INJECTION (IIPCI) SYSTEM- j RISK-BASED INSPECTION GUIDE IIATCil NUCLEAR POWER STATION ,

i f

Prepared liy Adele M. DiBiasio Brookhasen National Lal. oratory i.

Prepared l'o r >

U.S. Nuclear Regulatory Commission i

i

?

b t

e A

, , , , . , ...,.J_~ v - - -- -- , . - . . . . - + -. . - ~ . ,

l NUREG/ cit-IIN L-N UltEG-IIIGII PitESSURE COOLANT INJECTION (IIPCI) SYSTEM IllSK-IIASED INSPECTION GUIDE IIATCll NUCLEAR POWElt STATION Manuscript Completed: January 1993 Date l'ublished:

Prepared by Adele M. DiBiasia J. W. Chung, NRC l'rogram Manager 13rookha'ecn National 1.aboratory Upton, NY 11973 Preparrd for O!Iice of Nuclear Itcactor itesearth U.S. Nuclear itegulatory Commission Washington, DC 20555 N11C FIN A3875 s

~, .

4 A13STRACT A review of the operating experience for the liigh Pressure Coolant Injection (IIPCI) system at the flatch Nuclear Power Station Units 1 and 2. is described _in this report. De information for this review was obtained from llatch IJeensee Event Reports (LERs) that were generated between 1980 and 1992. ncse LERs have been categorized into 23 failure modes that have been prioritized based on probabilistic risk assessment considerations. -In addition, the results of the IIntch operating experience review have been compared with the results of a similar, industry wide operating experience review. This comparison provides an indication of areas in the Ifatch IIPCI system that should be given increased attention in the prioritization ofInspection resources. l l

1 l

4

'i 5

eI

_. i o

lii

. 1

..M , w e. %,-%-.rw.,,w-ww , ,3.e7 -i.+ re-==

CONTENTS bgt ABSTRACT ............................................... iii

1. I NTR O D U Crl O N . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 1.1 Purpose ......................................... 11 1.2 Application to inspections . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

2. IIPCI SYSTEhi DESCRIPTION . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

3. ACCIDENT SEQUENCE DISCUSSION ................ ... 31 3.1 Loss of liigh Picssure injection and Failure to De pre ssurire . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-1 3.2 Station Blackout (SBO) With Intermediate Ten . . ilure of liigh Pressure injection . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31 3.3 Station Blackout with Short Term Failure of liigh Prs ssu re I njection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-2 3.4 NrWS With Failure of RPV Water Level Omtrol at liigh Pressure . . . . ................................ 32 3.5 Unisolated LOCA Outside Containment ................. 3-3 3.6 Overall Assessment of IIPCI importance in the Prevention of O) r e D a m a ge . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-4

4. PRA. BASED llPCI FAILURE h10 DES . . . . . . . . . . . . . . . . . . . . . 4-1 IIPCI SYSTEh1 WALKDOWN CllECKLIST BY RISK lh1PORTANCE . . . 5-1 5.

OPERATING EXPERIENCE REVIEW , . . . . . . . . . . . . . . . . . . . 6-1 6.

6.1 IIPCI Failure No.1 - Pump or Turbine Fails to Start orRun.......................................... 6-1 6.2 IIPCI Failure No. 2. System Unavailable Due to Test or hiaintenance Activities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-5 6.3 IIPCI Failure No. 3 - False Iligh Steam Line Differential Pressure Isolation Signal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-6 6.4 IIPCI Failure No. 4 - Turbine Steam Inlet Wlve F001 Fails t o O pe n . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-6 6.5 11PCI Failure No. 5 - Pump Discharge Valve F006 Fails t o O pe n . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ......... 6-6 6.6 IIPCI Failure No. 6-IIPCI System Interactions ............ 67 6.7 IIPCI Failure No. 7 - System Actuation Logie Fails . . . . . . . . . 6-7 6.8 IIPCI Failure No. 8 -False liigh Area Temperature isolation Signal...................................,....... 6-8 6' IIPCI Failure No. 9. False 12w Suetion Pressure Trips ......... .................. .... ......... 6-8 V

CONTENTS (Cont'd) 6.10 llPCI Failure No.10. False liigh Turbine Exhaust Pressure Signal......................,.................... 68 6.11 IIPCI Failure No.11.Normally Open Turbine Exhaust Valve Fa il s Cl os e d . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-8 .

6.12 11PCI Failure No.12 -Condensate Storage Tank / Torus Switchover Logi c Fa l l . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . , . . . . 6-8 6.13 IIPCI Failure No.13 - Torus Suetion IJnc Valves Falls to Open 69 6.14 Minimum Flow Valve Fails to Open . . . . . . . . . . . . . . . . . . . . 69 6.15 Other Failures .................................... 6 10 6.16 Iluman Errors ....... . .......................... 6 10 6.17 Additional System Considerations . . . . . . . . . . . . . . . . . . . . . . 6 11 !

7. S U M M AR Y . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71

8. R E FE R EN C ES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81 APPENDICES A 1

SUMMARY

OF INDUSTRY SURVEY OF llPCI OPERATING EXPERIENCE IIPCI PUMP OR TUR131NE FAILS TO STA RT O R R UN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A1 A 2 SELECTED EXAMPLES OF ADDITIONAL 11PCI FAILURE MODES IDENTIFIED DURING INDUSTRY SURVEY . . . . . . . . . . . . . . . A9 I l

l-l l vi L

-p

, i b

FIGURES Ficure No. Egge :

21 Simplified IIPCI 110w Diagram . . . . . . . . . . . . . . . . . . . . . . . . . 2-2 i

i TABLES Tabk h Eag -

4-1 IIPCI PRA Based Failure Summtry . . . . . . . . . . . . . . . . . . . . . -. . 43 ;

42 liatch 11PCI System LER Survey Compared with Industry Survey . 44 5-1 liatch IIPCI System Walkdown Checklist . . . . . . . . . . . . . . . . . . . . 5 A1 IIPCI Pump or Turbine Fails to Start -Industry Survey R e s u l t s . -. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-3 A2 Summary of Illustrative Examples of Additional IIPCI '

Failure Modes . . . . . . . .. ... ......................... ' A 11 t

t 1

4 vii

,,.-m c.-,,..4,,,,,.,.._.;, , , _ __ _ _ , . _

i L INTRODUCI'lON 1.1 Purrwe This llPCI System Risk. Based Inspection Guide (S. RIG) has been developed as an aid to NRC inspection activities at the llatch Nuclear Power Station. The liigh Pressure Coolant injection (llPCI) system has been examined from a risk perspective. Common BWR accident sequences that involve llPCI are described in Section 3 for the purpose of reviewing the system's accident mitigation function and to identify system unavailability combinations that can greatly increase risk exposure. Section 4 describes and prioritizes the PRA-based ilPCI failure modes for inspection purposes. A review of BWR operating experience review is presented in Sections 4 and 6 to illustrate these failute modes. This inspection guide also provides additional info mation in related areas such as llPCI support systems, human errors, and system interactions (Section 6).

A summary and list of references are provided.

1.2 Application to insocetions This inspection guide can be used as a reference for routine inspections and for identifying the significance of component failures that occur at llatch. The information presented in Sections 4 and 5 can be used to prioritize day-to-day inspection activities. This S. RIG is also useful for NRC inspection activities in response to system failures. The accident sequence descriptions of Section 3 in conjunction with the discussion of multiple systems unavailability (Section 6), provide ,

some insight into the combinations of system outages that can greatly increase risk. The operating experience review provides some of the more important failure mechanisms (including corrective actions) that are useful for the review of the licensce's response to a system failure. 'lhis system RIG can also be used for trending purposes. Table 4 2 provides a summary of the industry wide distribution of IlPCI failure contributions, and presents a comparison of the llatch IIPCI failure distribution with industry experience. Certain llPCI failure modes (e.g., turbine control valve faults, false high turbine exhaust signal, and lube oil supply faults) appear to account for a disproportionate fraction of the llatch IIPCI system failures and are candidates for increased inspection activity. These areas should be reviewed periodically as additional plant operating ~

experience is compiled.

1-1

2. IIPCI SYSTDI DESCRIPTION ne llatch liigh Pressure Coolant injection (llPCI) system is a single train system consisting of steam turbine-driven injection and booster pumps, a barometric condenser, piping, supports, valves, controls, and instrumentation. A simplified flow diagram is shown in Figure 2-1. He i system is designed to pump a minimum of 4250 gpm into the reactor vessel over a range of scactor pressures from 150 to 1120 psig when automatically activated on a reactor water level low (-47 inches) or drywell high pressure (1.9 psig) signal, or manually initiated frorn the control room.

Cach autornatic initiat?on signal is 'one-out-of-two-twice" logic. Two sources of injection water are avaiSble. Initially, the 11PCI pump takes suction from the condensate storage tank (CST) through a norma!Iy open motor-operated valve E41.F004. The pump suction automatically transfers to the torus on low CST level or high torus level.This transfer is accomplished by a signal that opens the -

torus suction valves E41 F041 and F042. Once these valves are fully open, valve position. limit.

switch contacts automatically close the CST suction valve. Events that raise the torus temperatute above the IIPCI system design 1 mit for suction source temperature may require a manual suction ,

transfer back to the CST.

Upon HPCI initiation, the normally closed injection valve E41-F006, automatically opens, .

allowing water to be pumped into the reactor vessel through the main feedwater header. A minimum flow bypass is provided for pump protection. When the bypass valve E41 FO12 is open, flow is directed to the torus. A full.Dow test line is also provided to recirculate water back to the CST. The two isolation valves, E41 F008 and F011, are equipped with interlocks to automatically close the test line (if open) upon generation of an IIPCI initiation signal.

He HPCI turbine is driven by reactor steam. He inboard and outboard IIPCI isolation valves in the steam line to the HPCI turbine (E41-F002 and F003) are normally open to keep the piping to the turbine at an elevated temperature, permitting rapid startup. Upon receiving a signal from the llPCI isolation logie, these valves will close and cannot be reopened until the isolation signal is cleared and the logic is reset. Inboard isolation valve E41 F002 is powered from 600/208 VAC R24-S011 and controlled by isolation logic system At outboard isolation _ valve E41-F003 is powered from 125/250 VDC R24-S022 and controlled by isolation logie systern D.

Steam is admitted to the IIPCI turbine through supply valve E41-F001, a turbine stop valve, and a turbine control valve, all of which are normally closed and are opened by an HPCI initiation signal. Exhaust steam from the turbine is discharged to the torus, while condensed steam from the steam lines and leakage from the turbine gland seals are routed to a barometric condenser.

2-1 4

r -

l l O ,

l

^

R - . , E?M if M wm Reactat SWm

/% Condensate b

iTn IDC2 ,

feedesW Fill FID% FC) pp from RHR MM "

c.g3

.r FC4 Suppresson pag.g FN9 ,,

M i X ' 'I M06

l _1, L.O.

Y y $1m.Surthr X ,g EO I001 NI Y^ F019 '

F045 re41 / Turb Stoo

/, -- :

f042 Man ll Tut b. Cnut bn*

Pump %q r i ;- C Turbine 3 q,i

. , ,# - Tott1 Leakoff fo Sund-ty

mu e Cas Inmient f059 " P4 R0 v System y I Wn'n* . .... a, H< " _

uvam p g3 r, itU J!LL

'M 04 b e f012 A~ g RO , emwr

/ M gyg

,,3

' Ma lmw tos RO IE

- " POOS

, , Sfstem Test Line {ofi f007 fr m RCIC gogg roti Figure 2-1 Simplitied 11PCI Flow Diagram 22 I

l

3. ACCIDENT SEQUENCE DISCUSSION ne role of the 11PCI system in the prevention of reactor core damage is valuabic information that can be applied in the normal day.to. day inspection activities. If a plant has its own Probabilistic Risk Assessment (PRA), this information is usually available. liowever, rmt all plants have PRAs._ nus, eight representative BWR accident sequences based on a review of the available PRAs have been developed based on design and operational similarities that can be applied to other BWRs for risk based inspections'. Dese representative sequences comprise an - l average of 8We of the dominant core damage frequency for seven plants. This information can be !

used to allocate inspection resourecs commensurate with risk importance and allow the inspector to focus on the important systems /cornponents. De llPCI system contributes to five of the eight representative sequ*:nces. Rese five sequences are discussed below.

I 3.1 im oflilch Pressure inlection and Failure 'to Dspmsyths.

This sequence is initiated by a general transient (such as MSIV elosure, loss of feedwater, or loss of DC power), a loss of offsite power, or a small bicak LOCA. The reactor successfully scrams. The power conversion system, including the main condenser, is unavailable either as a t direct result of the initiator or due to subsequent MSIV closure. The high pressure injection systems (HPC1/RCIC). fail to inject into the vessel. The major sources of _IIPC1/RCIC unavailability include one system disabled due to test or malatenance and system failures such as turbine / pump faults, pump discharge valve or steam' turbine inlet valve failure to open. De CRD . :

hydraulic system can also be used as a source of high pressure injection (llPI), but thc failure of the sectmd CRD pamp or unsuccessful flow control station valving prevents sufficient reactor pressure vessel (RPV) injection. The operator attempts to manually depressurize the RPV, but a common cause tallure of the safety relief valves (SRVs) defeats both manual and automatic depressurization of the reactor vessel. _%c failure to depressurize the vessel after llPI failure results in core damage due to a lack of vessel makeup. j f

3.2 Station Blackout (SBO) with Intermediate Term Failung of Ilich Pressurf_lakdhe This sequence is initiated by a loss of offsite power (LOOP). The emergency dicsci generators (EDGs) are unavailable, primarily due to hardware faults. Maintenance unavailability _

is a secondary contributor. Support system malfunctions include EDG room or battery /szitchgear room liVAC failures, sersice water pump, or EDG jacket cooler hardware failures. IIPCI and RCIC are initially available and provide vessel rnakeup.

The high pressure injection systema can provide makeup untih

the station batteries are depleted, or i

a the system fails due to environmental conditions i.e., high lobe oil temperatures or high turbine exhaust pressure due to the high torus temperature and prcssure, or

the RPV ia depressurized and can no longer support ilPCI or RCIC operation, or-

the llPCI high area temperature logic isolates the system or long term exposure to i high temperatures disables the tuitsine driven pump.

3-1 ,

(

l Plant proecdu 3 should address means to maintain DC power for as long as possible to assure a continued source of water to the llPCI or RCIC. These procedures should also provide contingency measures (such as supplying fire water to the RPV via the RilR system) if the SDO progicsses until reactor pressure (decay heat) can no longer support ilPCI or RCIC. The plant procedures should also be consistert with toe DWR Owner's Group Emergency Proced re Guidelines.

He reactor building environmental conditions can also impact long term IIPCI system operation. The reactor building IIVAC and ilPCI room cooling are dependent on AC power.

There is the possibili'" f spurious activation of the steam line break detection logie, and although the high area tem;x isolation logie may be inactive during SDO conditions, there are potential environmet, qualification concerns at elevated temperatures. The plant actions to monitor and control ...gh area temperatute, during an SBO, should be tcviewed including any calculations necessary to establish a time frame for the implementation of these actions. -

3.3 Station Blackm1LwitlL3hort Term Fallure ofliith Pressute inicylimi This SBO sequence is similar to the previous sequence except the high pressure injection systems fail early. De sources of emergency AC power, i.e., the emergency diesel generators (EDGs) fail primaruy due to hardware failures. Secondary contributors are: output breaker failures and EDG unavailability due to test or maintenance activities. Support system rnalfunctions, such as service water failures in the EDG jacket cooling water train, battery /switchgear room ilVAC failures, or test and maintenance unavailability are significant contributors to th loss of emergency on. site AC power.

Station battery failures (including comma mode) are an important contributor to this sequence, because 11PI systems and the EDGs are DC power dependent. In the 500 sequence, IIPCI unavailability is dominated by turbine /purap failures and maintenance unavailability. Core damage occurs shortly after the failure of allinjection systems.

3.4 ATWS vith Faihge of RPV Water i evel Control at Ilinh Pmssitrs This sequence is initiated by an anticipated transient with initial or subsequent MSIV closure and a failure of the reactor protection system to scram. . Attempts to manually scram are not successful; however the Standby Liquid Control System (SLCS) is initiated. The condenser and the feedwater system are unavailable. The BWR Owner's Group Emergency Procedure Guidelines (EPGs) recommend RPV water level reductions for control of reactor power below 5% and the DWR r;presentative sequence was based on that philosophy.

This sequence postulates a failure to ensure sufficient RPV makeup at high pressure to prevent core damage. There are two failure modes:

L The operator fails to control water level at high RPV pressure. This results in high core power levels, continuous SRY discharges and torus heatup. After the torus reaches saturation, containment pressurization begins. liigh pressure injection fails due i to high torus temperature prior to containment failure.

3-2

l

\

2. The high pressure injection (IIPCI) system fails, primarily due to pump failure to start or testing and maintenance (T&M) unavailability. Injection or inflow valves, suetion '

switchover, or loss of DC power are other potential system failures. IIPCI pump failure to start or run, pump unavailability due to testing and maintenance activities, and Senice Water EDO jacket cooler inlet or return valve fallutes are the major system failures.

I The inability to maintain RPV water level above the top of the active fuel (TAF) requires manual emergency depressurization that is expected to result in core damage before the low pressure ECCS can inject.

The continued operability ofIIPCI during an A'ITVS event is critical. Within the context of this accident sequence, (i.e., time available for success) the licensee's capability to perform the IIPCI suction transfer and high turbine exhaust pressure trip logic bypasses should be evaluated periodically. With regard to IIPCI system availability, the remaining sections of this RIG will discuss system failures and availability evaluation.

3.5 Unisolated LOCA Outside Containment The initiator is a large pressure boundary failu c outside containment with a failure to isolate .

the rupture. The piping failure is postulated in the following systems: rnain steam (50%), i feedwater (10%), high pressure injection (33%), and interfacing LOCA (7%). The percentages ,

5 indicate the estimated relative core damage conttibution of each system . )

An interfacing LOCA initiator is defined as the initial pressurization of a low pressure line which results in a pressure boundary failure, compotmded by the failure to isolate the failed line.

The failure is typically postulated in a low pressure portion of the core spray (CS) system, the ,

LPCI, shutdown conhng and (to a lesser extent), the llPCI or RCIC pump suction or the head spray line of RIIR system.

The unisolated LOCA outside containment results in a rapid loss of the reactor coolant system (RCS) inventory, elirninating the torus as a long term source of RPV injection. These piping failures in the reactor building can also result in unfavorable environmental conditions for the ECCS. Unless the unaffected ECCS systems or the condensate system are available,long term RPV injection is suspect and core damage is likely.

There have been several 11PCI pump suction overpressurization events, primarily'during surveillance testing of the normally closed pump discharge motor-operated valve E41-F006' . This is of particular concern for the discharge configuration with a testable air-operated check valve in ,

addition to the normally closed MOV because of the valve's history of back leakage. The llPCI interfacing LOCA initiator seems to be less of a problern with the contiguration of a-normally 1

closed valve E41-F006, such as exists at 11atch, primarily because another normally open E41 F007 is closed prior to the E41 FD06 suneillance. Ilowever, the concerns of the previous configuration '

are also valid here. There must be reasonable assurance that the normally closed E41 FD06 valve is leak tight during plant operation and, prior to stroke testing. Confirmation is necessary to assure that it is fully closed and will provide the necessary protection for the upstream piping. ;

3-3

4 f

3.6 Overall Auessment of IIPCLhugrunngt.jD the Prevention of Core Qiunage :

As previously stated, the high pressure injection function (11PCl/RCIC/CRD) conteilmtes to five of the eight representatise UWR accident sequences. The system failures for all eight BWR sequences were prioritized by their contribution to core damage (using a normalized FusselWesely ,

importance measure). ne 11PI function in aggregate was in the high importance category. Other high risk important systems are Emergency AC Power and the Reactor Protection System. The llPCI system itselfis of medium risk importance, because of the multiple systems (e.g., RCIC and !

CRD) that can successfully provide vessel makeup at high pressure. For comparison, other systems with a medium risk importance are: Standby Uquid Control. Automatic / Manual Depressuritation.

Service Water, and DC Power, e 1

f s

n 4

6 k

9

-i 4

i.

i .

< 34 t

l

.-.d.,_.,_, ,,,.,,..,,,.m..,.., m..,,,._.m_. ,_ , . , ,,. , ' _ , , , , m,,. ,,, . ,,,

_.y-_.- - _ _ _ . _ - - _ _ _ _

~.

l

4. PRA IIASED llPCI FAILURE MODES PRA models are often used for inspection purposes to prioritize systems, components and human actions from a rid - rspectivc. This enabl s the inspection effort to be apportioned based on a core damage preven, measure called risk importance lhe llPCI failure modes for this system Risk.ilased Inspection Guide (System RIG) were developed from a review of IlWR plant specine RIGS", and the PRA-Based Team Inspection Methodology' . The component failure modes are presented in Table 4-1 and are grouped by risk significar.ee. There are four failure modes of high risk importance, four of medium risk importance and 15 oflower risk importance, for a total of 23 failure modes. The Fussell.Vesely importance Measure has been used to dete mine these rankings. This measure corabines the risk signincance of a failure or unavailability with the likelihood that the failure / unavailability will occur.

PRAs are less helpfulin the determination of specific failure modes or root causes and do not generally provide detailed inspection guidance. This makes it necessary for an inspector to draw on his experience, plant operating history, Licensee Event Reports (LERs), NRC Dulletins, Information Notices and Generie Letters, INPO documents, vendor information and similar sources to conduct an inspection of the PRA prioritized items. Information useful for prioritization of inspection resources has been obtained by performing an operating experience review of industry experience related to PRA derived failure modes for the llPCI system.

Licensee Event Reports (LERs) generated by the industry between 1985 and mid 1989 were surveyed for IIPCI related failures and approximately 200 were identiGed. Sixty two LERs did not have a PRA based failure mode; these LERs generally documented system challenges, administrative deviations, and seismic / equipment qualification concerns. The remaining 140 LERs documented 159 IIPCI faults or degradations. As presented in Table 4 2, the LER failure modes '

have been categorized by PRA failure rnode to provide a relative indication of the contribution to allllPCI faults.

The failure rankings documented in Table 4 2 were subjectively estimated based on PRA-based risk importances, operational input, recovery potential, current accident management '

philosophy and conditional failures. The failure mode identi6cd as llPCI pump or turbine fails to start or run was ranked as *high risk importance" in Table 4-1 and also accounted for the lugest number of LERs related to the llPCI system identiGed in the industry suivey. Thus, as shown in Table 4-2, this failure mode was ranked as numbe. one and was analyzed in greater detail to identify the various causes. A summary of the signiGeant causes of this failure mode are provided in Appendix A-1. In addition, selected examples of all other PRA-based llPCI failure modes are provided in Appendix A 2.

A more extensive LER analysis has been completed for the flatch Plant. For llatch, ali LERs documented between 1980 and 1992 were reviewed to identify failures applicable to llPCI.

The results of this review, tabulated in Table 4 2, indicate that several failure modes show a higher percentage of occurrence than the industry survey results. These failure modes are:

4-1

.. - , . . -.- - - _ _ - - . . . ~ . . _ . .,

L 3 ]

5

IIPCI Pump or Turbine Fails to Start or Run due to:

.i

-Turbine speed control faults 1 Lube oil supply faults 1

-Turbine overspeed and reset problems

-Flow controller failures 3 Turbine control valve faults.

False high turbine exhaust pressure signal.

Pump discharge valve (F006) fails to open. ,

False high steam line differential pressure signal.

The survey of Hatch operating experience is discussed in Section 6.

t 4

k A>

l l;

4-2 l ._

r. . :, . . - , . ..-. . . . . .. . , . . - .. . .-- - . . . --..- -.

l I

sl, -

g i

Tuble 41 IIPCI PRA. based Failure' Summary li.Jgh Rhk Immrtance -

m. Pump or Turbine Fails to Statt or Ruu' System Unavailable Due to Test or Maintenance Acthities* ;

Turbine Steam inlet Valve (F001) Fails to Open l Pump Discharge Valve (F006) Faih x Open ]

Medium Risk immrtane.g CST /Forus Switchover logic Fails Torus Sucutn Valves (FU42 or F041) Fail to Open* . i Normally Open Pump Discharge Valve (F007) Fails Closed or is Plugged '

Minimum Flow Valve (F012) Fails to OpeniGiven Delayed Activation of Purrj Discharge Valve (F006).*

Inwer Jihl ijmnortance ;

CST Suction U$c Check Valve (F019) Fails to Open CST Suction Une Manual Valve (F010) Plugged Normally Open CST Pump Suction Valve (F004)

Fails Closed or is Plugged -

Pump Discharge Check Valve (F005) Falls to Open -

Torus Suction Une Check Valve (F045) Fails to Open

- Norrnally Open Steam Line Containtnent Isolation Valve (F002 or F003) Fail Closed' ,

Steam Une Drain Pot Malfunctions Turbine Exhaust une Faults,' including:

Normally Open Turbine Exhaust Valve (F021) is Plugged

+ Turbirie Exhaust Check Valve (F049) Fails to Open Turbine Exhaust Une Vacuum Breaker (F102,103) Fails to Operate False Iligh Steam Une Differential Pressure Sienal' False liigh Area Temperature Isolation Signal

False low Suction Pressure Trip False liigh Turbine Exhaust Pressure Signal * '

System Actuation logic Fails-Suction Strainer Fails to Pass Fhw

' Indicates a failure mode found in the Ilatch operating experience review discussed in Section 6.

4-3 e

._m_.___d___m___m_________m_l_._.__.__._

Table 4-2 Hatch IIPCI System LER Survey Compared with Industry Survey If atch AllIlW Ps Ccuments 1:ailure Ranking * ,

I'ailure Ikseription .

IIPCI Punip or Turline Fails to Start or Run Turline speed S 12 16 11 control faults 7 4 Lube oil supply 11 17 faults 11 TurNne merspeed 8 4 5

and reset proNem 8 5 Lwerter trips or 2 3 7 4 failures Turbine s:ep valve 1 2 5 3 u failures 1.

Turbine exhaust 2 3 5 3

. rupture dsk failures hkw controller 6 4 4

5 3 failures Turtsne control 6 4 4

3 2 valve faults loss of tube oil 0 0 cooling 2 1 Msc-valid high 0 0 2 1 ihm during testing Fails to start or 37 57 64 40 1 run SUlrIOTAL :

' t bi' .h;i . ' ll . ; I * !> "

f _

t s _

n _

e 7 1" 7 7 7 _

m 4 1 8 5 -

5 5 5 m 4.

o C

)

%(

t r

n .

o 4 8 0 8 3 0 2 0 . 5 0 C 1 er l

u i

a h J _

c t

a A ( .

I s

e r

l u

i a 9 5 0 5 2 0 1 0 3 0 F

fc 2

g i

n k

n a 0 1 R 7 9 2 3 4 5 6 8 1 1 e r l

u i

a F

)

%(

'r.

t ,

n 7 1 1 o 2 6 5 5 2 3 2 1 , < <

C e r u

s l i

R a F

W B

l l

A -

s e

r u

li ,

a 3 0 8 8 3 4 3, 2 1 I ,

F 4 1 (c

w n e e~

o lb' ) s n n a

) i t

a m l l o o de

'd ip l alai o ei ga l ia x a l i hrl .t

. s t

n r c

i a ei a n mH r f a) f t

a er a n

t c .

up u a n u os vaM e(e pen t

t sng a u a eg n e al c hM s t o s r i si r g ph e hge ei n t C nA c o x s r s t s o c s h us t hi

( D uTs - v o iUs ali igta n w igs el

~

e if e ela dI n s it a h rei o o er ht s l aef ia 2- e r moiu hf r i us n i v o p (e ep mcaI mf l es u e u mie n wde es t

4 u t et v b t s mv o c rC t e c t i ept s a s s s a rb v c l i

a puei ct l a nr r el ul i pteP s yv l ar o nl lare l

a hx orl b!

a F Sd a Fipl Tifna blavt o I SiI nI Sk Fe i s t Fp Fe Nt u va

_ T

_ s a&

ittI l!L b[' jti(lllli! l l(l' il ;! j;l fi , f, !:

1 l11I l!Il ,

1 e

t s

n e

n 9 0 1

9 6 m 6 a

C

)

4

(

r tm 0 3 2 C

er l

u ia ne F t

t a

I s

e r

u li a 0 2 1 F

f.

c g

i n

k n

a 2 31 4 R 1 1 er l

u i

a F

)

9(

'r.

i c 1 o < 4 3 C

e r

u s l i

R a F

W U ,

A s e

r u -

li a 1 6 5 F

f o

n o n d

)

d i

t p o r a kia

t i r iss r p o wf n

o c

s e

r c a rts lo)

C e ph nhl io ai f 2 1

D p s a

(

2- e uAl S wai s

s vf e

mU u1 n r m2 )

4 u r

7 t f c pk 4 n im (r ep e l 1 l o ptc0e ihn o Na i

F a Sop C ph u Su1 p s( o Mavto .

T ig a .

{!!IlIIl l

I

. I Table 4 2 Notes

1. Failure contribution is expressed as a percentage of all significamt 11PCI failures as developed !

by the Operating Experience Review. l

2. Failure ranking is a subjective prioritization based on PRA and operational input, recovery !

potential, current accident management philosophy and conditional failures, as applicable.

l

3. llatch significant ilPCI failures are based on a review of all available LERs (1980 to 1992).

4. Although some caution is warranted due to the limited plant specific data, this failure mode seems to comprise a disproportionate fraction of the Ilatch IIPCI unavailability. This area is a candidate for enhanced inspection attention. I

5. Failure importance was upgraded from the PRA-based ranking of Table.41.

6. Failure importance was downgraded from the PRA based ranking of Table 41.

7. IiPCI isolation and trip logie are significant contributors to unavailability. The system can be isolated by a single malfunction, yet instrument surveillance intervals can be greater than the more reliable actuation logic surveillance intervals.

8. Unlike the system trip and isolation logic, the actuation logic arrangement (one out-of-two twice) diminishes the importance of a single instrument to reliable system operation. At least two low RPV level or two high drywell pressure somors must fail.

9. The latest BWROG Einergency Procedure Guidelines deemphasize the torus as an injection sourec.

10. Conditional on the delayed opening of the pump discharge line valve, FD06.

11. Unlike the rest of the failure modes listed herein, " Systems Interactions" is not PRA based; It was identified as a significant failure mechanism during the operating experience review and is discussed in Section 6.

-?

e t

4-7 e

e, yy g y %s- .,y,, 9 , g

. . . . ~ -, .. .- .... - .

l

5. IIPCI SYSTEM WALKDOWN CilECKLIST llY RISK IMPORTANCE Table 5.1 presents the llPCI system walkdown checklist for use by the inspector. - This information permits inspectors to focus their efforts on components important to system availability and operability. Equipment locations and power sources are provided to assist in the "

review of this system.

D e

h

-i h

i 4

4 I

51 1 e

I..

4 r 1 -, e * . ,& -- ,

{ .JM M Table 5-1 Itatch IIPCI System Walkdown Checklist Power Source & location Standby Poution Actual Position -

Ikseription ID No. In:ation A. Components of Ifigh Ri.sk Signilicance IIPCI Room Reactor B!dg. R24-5022. Frame 2A. Rx. Oosed Turbine Steam isolation Valve ROI Dev. 87' BlJg.

R24-S011A. Frame 4A. Open R02 DrywcIl Intmard Steam Isolation Valve Rt.111dg.

R24-SO22. Frsme 2B Rx. Open O;ttuard Steam Isolation Valve RI73 IIPCI Room Bldg.

Torus Room.114' 13ev., R24-S022. Frame 3AI. Rx. Gosed Pump intuard Discharge Valve R06 Az.170 Bldg.

R24-S022, Panel 601 Rx. On Control Room IIPCI inverter Bldg.

u 11 Components of Medium Risk Signllicance R24-S022. Frame 3B. Rx. Open CST Suction Isolation Vaive R04 IIPCI Room Bldg.

R2"S122. Frame 6AL Rt. Open Pump Outtoard Diwharge Valve R07 IIPCI Room Bk!g.

R24-SO22. Frame 6C Rx. Oosed Pump Minimum How Valve R)12 IIPCI Room BIJg.

R24-SO22. Frame SA and Gosed Pump Suetion From Torus (2 Valves) IN1. IIPCI Room IV42 B. Rx. Uldg.

NA Open R121 Torus Room-114' Bev.

Turbine Exh ust to Torus Ax.90 R24-5022. Frame 3AR. Cosed Full How Test Valve to CST ROS IIPCI Room Rx. Bldg.

Notes: 1. All circuit breakers should be closed (ON).

l

2. Valve operability is verified by the licensee with procedurc 34SDV-E410012/IS, 'IIPCI Valve Operabibty.* nese valves are inc l

Inservice Testing (IST) Program, Additionally. some of these valves are required to be tested under Generie Letter 89-10. IST and Genede 89-10 testing results may be reviewed to confirm the valves' operational readiness.

1

6. INDUSTRY AND llATCil OPERATING EXPERIENCE REVIEW An operating experience review was conducted to integrate the recent ir dustry experience of all operating BWRs with PRA derived failure modes for the llPCI syste m The period 1985 to mid 1989 was searched for IIPCI LERs and approximately 200 were it '. 1. Sixty-two LERs did not have a corresponding failure mode. These LERs generally docut, u.acd successful system challenges, administrative deviations, or seismic / equipment quali6 cation concerns. The remaining 140 LERs documented 159 HPCI faults or degradations. As presented in Tables A-1 and A-2, these failures have been categorized by PRA failure mode to provide a relative indication of their contribution to allllPCI faults. Thirteen PRA failure modes that had corresponding failures in the data were examined. Each of these PRA-based failure modes is discussed below. In addition to the industry operating experience review, the failure experience of the llatch Plant Units 1 (Docket Number 50-321) and 2 (Docket Number 50-366) was surveyed over the period 1980 to 1992. One hundred and 6fty-eight ilPCI related LERs were reviewed. This information is integrated into the discussion of each IIFt' failure mode provided in the following paragraphs.

6.1 llPCI Failure No.1 - Pump or Tur%y Fails to Start or Run The major contributor to IIPCI system unavailability, both from a risk and operational viewpoint, is the failure of the turbine driven pump to start or continue running. This failure mode includes many interactive subsystems and components that can make root cause analysis and component repair a complex task. For the purposes of this study, this failure has been detined as those components or functions that directly support the operation of the pump or turbine. He "lIPCI Pump or Turbine Fails to Start or Run" basic event accounted for 64 failures or 40% of the HPCI faults in the industry operating experience review.

Rus, this failure mode has been broken down in the subcategories summarized in Table 4-2.

Representative LERs for each of these subcategories are summarized in Appendix A-1 along with the most likely root cause, the corrective action taken in each case, and any applicable comments.

This information should provide the inspector with additional insight into the particulars of each subcategory.

6.1.1 Turbine Soced Control Faults The turbine speed is controlled automatically by a control system consisting of a How controller and an electro-hydraulic turbine governor. The turbine governor system receives the Dow controller signal input and converts it into hydraulic-mechmical motion to position the governor (control) valve. The system has a " ramp" generator which upon turbine start, will control the acceleration rate up to a speed relative to the Dow controller output signal. The " ramp" rate is adjustable. The turbine speed controlis a very complex area that requires specialized attention.

The inspector should confirm that the licensee acknowledges the complexity of the turbine speed control by having a trained specialist on staff, e good working relationship with the appropriate vendors, and adequate vendor oversight on pr, posed modifications or repairs.

Eight events related to turbine speed control faults were ic'entified in the expanded LER search for IIatch, which included EGM controller and ramp generator signal converter module out of calibration (83-06%321) and failed resistor resulting in loss of power to the electronic governor controlling turbine speed (90-001-321). Additionally, two LERs (80-049 and 069-321) were 6-1

attributed to the turbine speed control being out of calibration. HPCI failed to automatically inject after receiving an automatic signal following a scram. During the event described in LER 80-069-321. RCIC was inoperable.11PCI was manually started after tesetting the isolation signal.

Two LERs (80-122 and 80-52-321) were attributed to defective ramp generators. LER 88-022-366 reported that HPCI tripped due to the magnetic speed pickup cable having been damaged during maintenance. LER 87-017-366 reported a defective controller amplifier card due to " normal aging.

6.1.2 Lube Oil Supply Faults This subcategory consists of eleven industry failures to provide sufficient lubricating oil to various turbine components and control oil pressure to operate the turbine stop and control valves.

3 As presented in Table A-1, most of the failures are related to the auxiliary oil pump (AOP) and include two bearing failures and five auxiliary oil pump pressure switch faults. Tnree other events involving low bearing oil pressure events were attributed to valve mispositions - and oil contamination.

Hatch had eleven tube oil supply faults. Two failures were due to water contamination in the oil (LER 84-011-321 and 83106-321). Two failures were due to a failed coil in the AOP's MCC time delay relay (LER 80-016-366 and 81-032-366). Two were due to personnel errors: a rag was left in the oil sump (LER 86-014-366) and the bearing oil supply valve was mispositioned (L.ER 83-093-321). The other events involved a separated wire that connected to the shunt coil of the AOP motor (LER 81-082-366), an open circuit in the AOP motor armature (LER 90-005-366),

a failed oilline with RCIC inoperable (1.ER 81-013 321), and AOP cycling on and off once due to dirty contacts in the AOP MCC scal-in relay (LER 81-138-321) and another time with the cause unknown (LER 82-012-321).

6.1.3 Turbine Overspeed and Auto Reset Problems The mt .ianical overspeed trip function is set at 125 percent of the rated turbine speed. At most facilities, the displacement of the emergency governor weight lifts a ball tappet that dispiaces a piston, allowing oil to be dumped through a port from the oil operated turbine stop valve.This action allows the spring force acting on the piston inside the stop valve oil cylinder to close the stop valve. The overspeed hydraulic device is capable of automatic reset after a preset time delay.

Hatch LER 81-068-321 documented an event -where HPCI failed to restart due to a malfunction of the overspeed trip caused by excessive clearances between the piston and cylinder bore and oil leakage through the diaphragm control valve seat. Hatch also had four turbine overspeed faults where the turbine failed to trip. These events were attributed to damaged balls in the ball-tappet assembly (81-051-321,83-007-321,84-011-321), setpoint drift due to internal wear of the trip device (80-088-321), and a scored trip piston (81-051-321). GE SIL No. 392, Revision 1 was issued November 1990 and recommended that GE owners with Terry HPCI Turbines install a redesigned mechanical overspeed trip assembly to avoid tappet assembly binding. Hatch's evaluation of this SIL should be reviewed.

6.1.4 HPCI inverter Trins or Failures The HPCI inverter is powered from a 125V DC bus and ultimately powers the turbine flow 6-2 q

- ., . - . _ . ._ . -~ --, . .. .

control circuit. Two inverter trips were identified during the review of flatch LERs. One trip was due to a failed diode in the inverter (89-006-321) and the other was due to the high voltage trip setpoint drifting low (80-003 366), The manual mode'of HPCI was still operable.

. 6.1.5 J T rbine Ston Valve Failures He turbine stop valve is located in the steam supply line close to the inlet connection of the-turbine. The primary function of the valve is to close quickly and stop the flow of steam to the turbine when so signaled. A secondary function of this hydraulically operated valve is to open slowly to provide a controlled rate of admission of steam to the turbine and its governing valve.

The following reportable event involving a HPCI turbine stop valve failure took place at .

Hatch: LER 88-001 describes galling of the turbine stop valve at_ Unit 2 due to inadequate - q maintenance procedures. Tne procedures did not provide adequate guidance to ensure that proper clearances were maintained.

6.1.6 Turbine Exhaust Runture Disk Failures he HPCI ttirbine has a set of two mechanical rupture diaphragms in series which protect-the exhaust piping and turbine casing from overpressure conditions. When the inner disk ruptures, pressure switches cause HPCI isolation signals and turbine trip. Iow pressure steam flows past the -

ruptured diaphragm through a restriction orifice directly into the HPCI toom. _ Rupture of the second disk would vent the turbine exhaust into the IIPCI pump room without flow restriction.

The nominal rupture pressure is approximately 175psig.

One failure that occurred at Hatch (LER 85-005 321), was attributed to water carryover from the exhaust line drain pot causing the exhaust diaphragm to rupture. The blocked drain line was -

cleared. Another event at Hatch involved an exhaust diaphragm leaking. around the outer edge

~

(LER 85-035 321).- Additionally, nine LERs reported the exhaust diaphragm pressure switches -

being out of calibration 'due to setpoint drift and corroded switches. The switches actuated at - ,

r pressures higher than the Technical Specification requirement; allowing the system to operate-longer with a ruptured diaphragm. These LERs_wcre not considered failures. - AEOD Report E402" provides additional, earlier examples of turbine exhaust rupture disk failures.

6.1.7 F_ low Controller Failures The flow controller in' conjunction with the electro-hydraulic turbine governor controls turbine speed and pump flow. The flow controller senses pump discharge flow and outputs an electrical signal to the turbine governor to maintain a constant pump discharge flow rate over the-pressure range of operation.

The expanded LER search for Hatch identified four events in this category including flow; controller malfunction due to loose fasteners in the controller's internal gear (LER 88-012-321)~

and a defective-controller amplifier (LER 86-014-366). The other events involved incorrect

, controller null voltage settings due to personnel error (LER 81 003-321) and intermittent failure of an internal transfer relay (91-33-321). - --- E 6-3

.l 6.1.8 Turbine Control Valve Faults Ilatch reported four events involving the turbine control valve. Two events involved an oil

-leak due to a ruptured diaphragm in the controlvalve (IER 81-088-321 and 81-102-321). IIR F.6 014-366 reported the failure of the control valve to fully open due to a rag left in after maintenance blocking the shaft driven oil pump. The other IIR (81-003-321) reported the control valve stuck open due to two bent lift rods and galling.

6.1.9 less of Lube Oil Cooling The loss of tube oil cooling can be caused by faults in the cooling water lines to and from the cooler, cooler leakage, or flow blockage. A prolonged loss of lube oil cooling can lead to turbine bearing failure. The lobe oil temperature is monitored by a temperature indicating switch with control room annunciation (on Panel P614). A summary of the industry survey oflube oil cooling failures is provided in Appendix A-1.

The expanded LER search for llatch did not identify any additional events in this category.

6.1.10 Miscellaneous Another potential system failure involves the practice of running the auxiliary oil pump to lubricate the turbine hearings or to clear a system ground. Monticello used this practice to attempt to clear a ground in the electro hydraulic governor. When the fault did not clear, a system test was initiated to confirm HPCI operability. When the operator opened the turbine control valve to simulate a cold quick start, the system isolated on high steam flow. The operation of the auxiliary oil pump caused the hydraulically operated turbine stop valve to move from its fullclosed to its full open position. When the stop valve leaves the fully closed position it initiates a ramp generator that provides the flow control signal to the turbine control valve, allowing it to move to the open position. Since the aepliary oil pump had been running for some time the ramp generator had timed out and a maximum steam fiow demand signal was sent to the control valve.

His prevented the turbine control valve from restricting steam llow as it normally would during a turbine start resulting in high steam llow and a valid system isoluion.

Some plant procedures address running the auxiliary pump periodically to keep the turbine bearings lubricated. When the auxiliary oil pump is running, the high pressure coolant injection system willisolate if an automatie initiation signalis received at any time after the ramp generator has timed out, which occurs after approximately 10 to 15 seconds. Monticello has taken the following corrective actions to address the problem:

A modification has been approved that will eliminate ramp generator initiation while the auxiliary oil purap is running unless a valid initiation signal occurs.

The high pressure coolant injection system operating procedures have been revised to include cautions addressing system inoperability when the auxiliary oil pump is running.

The operating procedures that verify system operability have been revised to indude precautions ::hout system status before and during the test. The control system ramp generator function during the opening of the control valve is described in these procedures.

6 -4

In summary, this is a significant concern because a common plant practice has the potential to disable the HPCI system. Ilatch operating procedures should be reviewed to assure that this potential problem is addressed.

6.2 HPCI Failure No. 2 - System Unavailable Due to Test or Maintenance Activities A probabilistic risk assessment develops estimates of system unavailability genually using a fault tree. The fault tree is a diagrammatic representation of the known contributors to system unavailability. In addition to component failures, the system may not be functional due to testing or maintenance (T&M) activities. In a single train system, like HPCI, test and maintenance activities on one component usually disable the entire system. It is important to keep the IIPCI T&M contribution as low as possible because it is so important to system unavailability.

The root sources of excessive llPCI unavailability due to T&M induced failures were _

examined as part of this operating experience review. Forty-three examples of industry test or maintenance errors (27% of all HPCI failures) were divided into three categories.

Inadequate maintenance or inadequate post maintenance testing accounted for 22 HPCI industry failures. A sceand T&M category, consisting of 4 industry events,is attributable to human error that inadvertently or incorrectly disables the HPCI system. Pertinent examples include the disabling of the wrong HPCI system at a two unit site, mistakenly disabling the auxiliary oil pump due to a smoke odor in the HPCI toom, and valvmg errors which later caused a low pump suction trip or inadequate lube oil pressure.

The final category, " system inadvertently disabled during testing," consists of thirteen industry personnel errors that temporarily disabled the HPCI system. These incidents include steam line containment isolation valve closure due to testing errors during isolation logic testing, one valve motor tailure due to overheating caused by excessive stroking during a surveillance test, and an inverter trip caused by personnel error which resulted in a high voltage condition affecting both Channel C battery chargers. Unlike the first two categories, the majority of these fail'ures have a high probability of recovery.

The expanded LER search at llatch identitied numerous events where HPCI was unavailable due to maintenance and testing activities. LER 86-007-366 reported that the steam line containment isolation valve F003 isolated due to a defective steam line differential pressure transmitter calibration procedure, Additionally, HPCI unavailability due to inadequate testing or maintenance procedures was reported in LER 89-004-366, 38-001-366, 87-007-321, 87-004-366,92-6-321, and 92 007-321. LER 86-014-366 discusses an event where the ilPCI turbine failed to achieve rated speed due to a rag, that was left in after maintenance, bkicking the shaft driven oil pump. At Unit 2, during post-maintenance testing. the HPCI turbine tripped due to a damaged cicetrical cable to the turbine magnetic speed pickup (LER 88-022). The damage was caused during maintenance.

In summary, the T&M component of system unavailability must be continuously monitored by the inspector to assure it is as low as possible. The licensee should be administratively limiting the time that the HPCI system is in test or maintenance during operation. System restoration should be vigorously pursued;llPCI should not be down for days, if it can reasonably be repaired in hours. If feasible, portions of the system should be tested during outages. In addition, llPCI 6-5

j unavailability can also be minimized by adequate root cause analysis and effective corrective action to avoid multiple system outages to address the same failure. Other, less frequent, contributors include inadvertent or unnecessary removal from scrsice and system isolations during calibration or surveillances.

6.3 HPCI Failure No. 3 - False Hich Steam Line Differential Pressure Isolation Sicnal The llPCI system is constantly monitored for leakage by sensing steam flow rate, steam pressure, area temperatures adjacent to HPCI steam lines and equipmen:, and high flPCI turbine exhaust pressure. If a leak is detected, the system responds with an alarm and an automatic IIPCI isolation. The steam flow rate is monitored by two differential pressure switches located across two different elbows in the steam piping inside the primary containment. The flow measurement is derived by measuring differential pressure across the inside and outside radius of each elbow.

If a leak is detected, the system isolates the HPCI steam line and actuates a control room _

annunciator.

A summary of failures identitled during the industry survey for this mode is provided in Appendix A-2. The expanded LER search for Hatch identified 16 LERs related to the steam line differential pressure instruments. Eleven LERs reportcd the flow switch setpoints outside the Technical Specification limits due to instrument setpoint drift. The setpoints were found higher than the Technical Specification limits and are not considered failures. Nine of the eleven events occurred at Unit 2 between 1980 and 1983. LER 81-121-366 stated that "An engineering study to tind a means of preventing or reducing the frequency of recurrence has recommended a design change. Recommended corrective actions are being evaluated." LER 82-043-366 concerning the same issue states that " Design changes will be implemented as necessary." A review of Unit 1 and 2's design should be performed to ensure that this problem has been addressed.

Additionally, one LER reported that HPCI isolated on a high differential pressure (LER 80-108-321). The cause was unknown. During another event, llPCI isolated due to a failed differential pressure instrument which was caused by a loss of internal damping in the instrument's bellows (LER 81-048-321). Two other events involved failed switches, caused by an inoperable micro-switch (LER 80112-366)and a short to ground (LER 80-072-366). The remaining event involved a failure of the instrument to actuate given a stimulated high flow due to setpoint drift (LER 81-082-321).

6.4 HPCI Failure No. 4 - Turbine Steam inlet Valve (F001) Falk to Open Motor operated valve E41-F001 is a normally closed. DC powered gate valve. This valve opens on automatic or manualinitiation signal to admit reactor steam up to the turbine stop valve.

The expanded LER search for Hatch did not identify any additional events in this category.

6.5 HPCI Failure No. 5 - Pump Discharce Valve (F004 Fails to Onen Motor operated valve E41-F006 is a normally closed, DC powered gate valve that is automatically opened upon system initiation. The failure of this ulve to open disables HPCI injection into the reactor vessel. There have been 8 pump discharge failures documented in the industry operating experience review, accounting for 5% of all system failures.

6-6

At. Hatch, the expanded LER scarch identified five failures of the HPCI pump discharge

valve to open. LERs82-088 321,80-101-366, and 81-088 366 describe the failure of F006 to open during manual initiation or testing of IIPCI. The reasons for the failures was failed motor -

windings due to its limited duty cyct: and em'ironment. A design change to replace the valve-actuator with an environmentally qualified motor was reported in LER 82-088-321. The inspector. ,

should verify that the de' sign change was also implemented at Unit 2. ' Another failure was due to 'i loose wire connections on the motor terminal block inside the valve operator (LER 83-17-366).

The last event's failure cause was reported as " component failure"(LER 90-001366). Additionally, there was an event where the valve opened but failed to close due to a steam leak causing the motor windings to short out (LER 80-79-366).

6.6 HPCI Failure No,6-HPCI Systems interactions Systems interactions refer to unrelated systern failures that can disable HPCL Although there is no associated PRA category, the industry operating crperience review identified the -

following system interactions that disabled the HPCI system:

1. During a fire protection system surveillance test, approximately one gallon of water :

drained onto a battery motor control center (MCC) causing a circuit breaker overload trip and valve inoperability.

2. A cracked flow control valve test coupling sprayed _ water on a battery MCC and disabled a main steam line drain loss of power monitor HPCI was disabled when the-MCC was deenergized to inspect and dry the components.

3. An automatic sprinkler system in the HPCI room activated after a system test._ The -

probable cause was vapor buildup from the leakoff drain system that activated on ionization detector.

4. Setpoint drift in a Fenwat temperature switch caused activation of a.dcluge system .

during a HPCI turbine overspeed test.

Additionally at Hatch, during RCIC pump sutveillance, the RCIC valve F045 was operated and caused a spurious HPCI automatic isolation due to grounds found in the station battery (LER-80 066-366) and activation of the fire protection deluge system in the control room HVAC system ;

caused the HPCI trip solenoid to energize and disable the system. Other systems were disabled as , ,

an analog trip system panel was effected by the moisture (LER 85-018-321).

- 6.7 HPCI Failure No. 7 - System Actuation I,ngic Fails-Startup and operation of the HPCI system is automatically initiated upon detection of either low reactor vessel ste level (-47 inches decreasing) in the reactor _ vessel or high drywell pressure (L92 psig, increasing). He HPCI system can also be manually initiated from the control room.

Hatch did n'ot report any LERs ir volving failure of system actuation logic througl 1980. ?

6-7 e

4 f

4 6.8 HPCI Failure No. 8 - False Hich Area Temperature Isolation Sicnal ne HPCI system is constantly monitored for leakage by sensing steam tiow rate, steam-pressure, and area temperatures adjacent to the steam line and equipment. If a leak is detected, the system is automatically isolated and alarmed in the control room. This category accounted for three industry HPCI failures (2% of all failures). One event involving false high area temperatore -

isolation signal was reported by Hatch. The faire signal was due to loose terminals on the terminal connection block of the temperature element. The terminals were tightened and the system was returned to sersice (LER 834)6S-321).

6.9 HPCI Failore No. 9 - False inw Suetion Pressure Trips The purpose of the low pump suction pressure trip is to prevent damage to the HPCI pumps due to loss of suction. Pressure switch PS-N653 actuates to cause the turbine. stop valve to close. =

Here have been two turbine trips attributed to false low suction pressure signals identified in the industry survey. Hatch did not report any LERs involving false low suction pressure trips back through 1980.

6.10 HPCI Failure No.10 - False Hich Turbine Exhaust Pressure Signaj The high turbine exhaust pressure signal is one of several protective tuibine trip circuits that close the turbine stop valve and isolate the HPCI system (at 146 psig at Unit 1 and 150 psig at Unit 2). The high turbine exhaust pressure signal is generated by pressure switches PS-N656A and B, and is indicative of a turbine or a control system malfunction. He industry operating experience review found only one LER. Hatch reported three events related to a false high turbine exhaust pressure signal. One LER reported that HPCI tripped due to a shorted pressure micro-switch (LER 81-086-366). The other two LERs reported false alarms due to fouled pressure switch contacts (LER 82-058-366) and interference of a bourdon tube (LER 81-132-366).

6.11 HPCI Failure No,11 - Normally Onen Turbine Exhaust Valve Fails Closed The failure of any of the turbine exhaust valves to open results in a turbine trip due to a valid high turbine exhaust pressure signal. Hatch did not report any LERs involving failure of -

normally open turbine exhaust valves to close back through 1980.

6.12 HPCI Failure No 12 - Condensate Storace Tankfl'orus Switchover Locic Fails in the standby mode, the HPCI pump suction is normally aligned to the condensate storage tank (CST). Upon a low CST level signal via level switch LS-N003, or a high torus level signal via -

level switch LIS-N662B or D, the torus suction valves E41-F041 and F042 automatically open with subsequent closure of the CST suction valve F004. System operation continues with the IIPCI booster pump suction from the torus.

His PRA-based HPCI failure mode has become less important due to changes in the BWR Emergency Procedure which generally advocate the continued use of water sources that are external to the containment. This avoids potential ECCS degradation due to high torus temperature (HPCI high lube oil temperature) while simultaneously increasing torus mass. The 6-8

J -

t4 4

end result is that an HPCI pump suction transfer to the torus is no longer that dcsliable and the

^ ' operator, especially in decay heat accident sequences, is likely to bypass the switchover logie. to maintain the CST suction sourec, or to realign if a switchover to the pool has occurred.. Therefore.

- the inspection focus should be 'on the continued viability of the CST as an injection source during an accident sequence.

There were no failures in this category reported at flatch. .i 6.13 ]IPCI Failure No.13 - Torus Suction Line Valves (F041 and F042) Fails to_Open Ti o At Hatch, there are two 250 VDC powered HPCI pump torus suction valves, F041 and ,

F042, in series with a check valve and a normally open air operated butterfly valve. The HPCI system is initially aligned to the condensate storage tank. The torus suction valves are opened and >

the CST suction valve is closed on a CST low water level or a high torus level' signal. :The '

'importance of this failure mode has been diminished by the current emergency procedure guidelines which emphasize the continued use of outside injection sourcesc This requires operator -

action to bypass the HPCI torus switchover logic to prevent the opening of the torus suction valves i F041 and F042. This is especially true for the decay heat removal (non-ATWS) sequence where it is likely that the CST makeup can be maintained.

^

At Hatch Unit 2 LERs80-089 and 109 reported the-failure of a torus suction valve to-operate during a surveillanec. The valve motors had failed due to room high temperature and' humidity, and for LER 80109 the valve duty cycle was exceeded. LER 80-089 stated that a steam -

l leak from a defective pressure seal on valve F009 caused the adverse environment. Both the seal and the motor were repaired. 'Ihe licensee stated in LER 80-109 that a follow up investigation would be performed.

6.14 HPCI Failure No.14 '- Minimum Flow Valve (F012) Fails to Open .

The minimum flow bypass line is provided for pump protection.L The bypass valve, E41-F012, automatically opens on a-low flow signal of 605 gpm for Unit l'and 500. gpm forLUnit 2,,

when the pump discharge pressure is greater than 125 psig. =When the bypass is open, flow isL a directed to the torus. The valve automatically closes on a high flow signal. During an actual' system demand, the failure of the minimum flow valve to open is important only if the opening of l' the pump discharge valve (F006) is significantly delayed. In general, this combination of events is '

not probabilistically significant. With regard to systern operation and testing in the minimum Dow-mode, the licensee response to Bulletin 88-04" should be reviewed to determine if the design of =

h the minimum flow bypass line. is adequate. Unless there is a design concern or a- recurring

i. problem with'either component, inspection effort should be minimized in this area.

- At Hatch one LER reported the failure of the minimum flow valve to operate afterLbeing _ [

closed with the control switch (LER 81-044 366). A failed HPCI pump discharge pressure switch ;

p was identified as the cause and the switch was replaced. Additionally, there were also three LERs .

l which describe events were the minimum flow valve- failed to close due to mechanical interlock binding and sticking flow switch contacts. The valve is set to automatically close on a signal of 870

gpm for Unit 1 and 800 gpm for Unit 2. Although these events are not included as failures to -

i'

~

open, they are significant in that HPCI fimy would be diverted to the torus instead of to the' l- reactor.

l_

6-9 p

4 e

r + - - ,. 4 e _ -

6.15 Other Failures The industry Operating Experience Review did not identify any HPCI failures for the following ten PRA-based failure modes:

Normally Open Pump Discharge Valve (F007) Fails Closed or is Plugged

Pump Discharge Check Valve (F005) Fails to Open a CST Suction Line Check Valve (F019) Fails to Open

CST Suction Line Manual Valve (F010) Plugged

+ Normally open CST Pump Suction Valve (F004) fails closed or is plugged.

= Torus Suction Line Check Valve (F045) Fails to Open

Normally Open Steam Line Containment Isolation Valve (F002 or 003) Fails Closed

Steam Line Drain Pot Malfunctions

Turbine Exhaust Line Vacuum Breaker (F102,103) Fails to Operate

Suction Strainer Plugged The PRA-based prioritization of HPCI failures correlates well with the actual industry failure experience, With the exception of the first failure mode listed above for the pump discharge valve (F007), all of the faults listed above have been designated as " low importance" in the PRA-based ranking of Section 4.

The expanded LER search for Hatch (1980-1991) did identify one failure' associated with the steamline containment isolation valves. LER 80490-366 reported that valve F003 failed to open due to the reactor pressure isolation setpoint being set too high. The licensee revised the setpoint.

6.16 Human Errors An additicnal category of HPCI failure modes that was not specifically identi6ed in the prioritization of failures involved human errors. Two speci6e examples can occur during normal operation:

Miscalibration of HPCI sensors that can disable system actuation or result in false system isolation signals;

Failure to reset the HPCI system for operation after testing or maintenance.

6-10 l

1

At Hatch, the llPCI pump room cooler was found with its power circuit breaker in the off positior (LER 83-82-321). Room cooling is required for extended llPCI operation. Personnel error was also responsible for a turbine low bearing oil pressure alarm. Tbc bearing oil supply valves were mispositioned (LER 83-093-321). Additionally, the IIPCI pump did not deliver rated flow due to personnel error as reported in LER 88-017-321. The null voltage settings were incorrectly calibrated. As discussed in Section 6.2, a rag left in the oil sump during maintenance caused a failure of the llPCI turbine. LER 89-002 366 reported that the steam line containment isolation valve isolated due to personnel bumping a instrument panel. Another llPCI failure was a result of personnel not verifying the correct replacement parts were issued (87-004-366). These human errors can occur during normal operation and thus, are inspectable through the revicw of surveillance, calibration and maintenance practices and procedures.

6.17 Additional Svstem Considerations The industry LER survey has identified several other llPCI system considerations that could impact the overall risk of a plant. These considerations are discussed in the following sub-sections with any applicable Ifatch experience.

6.17.1 LOCAs Outside Containment Unlike the IIPCI component failure modes discussed previously, that involw the unavailability of the system, the 11PCI system can be involved in potential LOCAs outside containment (Section 3.5). The industry survey identified degradations of the steamline bolation function and pump suction line overpressurizations as potential causes. Identified isolation system problems include:

+ r. steamline differential pressure transmitter with a non-conservative setting; and

an inboard containment isolation valve that failed to close.

Examples of pump suction overpressurizations include: 7

a slow closing pump discharge check valve that caused a pressure surge after a turbine trip; and

. water hammer caused by void collapse following system initiation after feedwater back leakage elevated the temperature in the pump discharge line.

At IIatch, the outboard steam line containment isolation valve failed to close due to mechanical binding in the MOV's close torque switch (LER 81-111-366). In general, the HPCI LOCA outside containment event is a small contributor to the total core damage potential. The examples presented above indicate possible areas for inspection to assure that this core damage potential remains low.

6-11

6.17.2 HPCI Support Systems The high pressure coolant injection system is-dependent on the following systems fore successful operationi DC Power For system control (125 V DC) and valve movement (250 V DC).

Room Cooling For HPCI pump room cooling to support long term operations. This function requires service water (for cooling) and AC power for the fan motor.-

HPCI Actuation RPV level and primary containment pressure instrumentation for system; .

irdtiation and shutdown.

Although the normally open torus suction valve F051 is an air operated valve,it will fail open -

on the loss of air. Valves F041 and 42 are available for isolation. Additionally, the inboard steam

. isolation valve F002 and the vacuum breaker isolation valves F104 and F111 are AC powered.

However, these normally open valves are not required to change position for HPCI. injection.-

During the HPCI operational experience review the influence of support systems on HPCI availability was apparent. The loss or degradation of the DC battery or bus that powers HPCI has '

l a straightforward effect. Besides the battery charger problems or fuse openings, the more unusual !

DC system problems included a battery degradation due to corrosion of the plates. The suspected cause was a galvanic reaction due to plate weld metalimpurities. Another concern is insufficient voltage at the load during transients which could trip the station inverters or fail MOVs. rThis-would be of particular concern during a loss of offsite power or a station blackout event.

~

The room cooling system is typically required to support long term HPCI operation.: Besides. ,

the random failures that can occur at any time, there is one sequence specific effect that should be -

examined. -During station blackout, the- AC. powered room cooling is lost when continued HPCI ;

operation is critical. The licensee should have pump room and steam line temperature calculations or have other procedure provisions (bypass high temperature isolation or portable DC-powered :

fans) to assure long term HPCI operability.

The RPV. level or high drywell pressure instrumentation is required for multiple ECCS systems including HPCI. The operating experience review did not have any pertinent example's of-failures.

i 6.17.3 Simultaneous Unavailability of Multiple Systems- .

i Multiple system unavailability of certain functionally related systems is of concern because of ' l

the increased risk associated with continued operation. Although Technical Specification 3.0.3-tends to limit the risk exposure somewhat, the licensee should, to the extent possible,1 avoid planned multiple system outag:s.

t) 6-12 S ]

i e

a

Within the context of the accident sequences discussed previously (Section 3), certain-combinations of system unavailability result.in a relatively large risk of core damage. For example,-

the HPCI industry operating experience review had nine LERs that documented simultaneous:

HPCI and RCIC unavailability. During this period, the probability of core damage is greatly'-

inercased for accident sequences that require HPCI and RCIC for mitigation. This would include all the sequences described in the Accident Sequence-Description except "Unisolated LOCA Outside Containment," At Hatch, the expanded LER search identified nine LERs which reported.

the occurrence of HPCI and RCIC system unavailability. The unavailability of HPCI and 'an emergency diesel generator would have similar impact on plant risk.

I

']

I t

i 13 4

e

_U_ _

mm m m ,m .. 4 -'- f

T

7.

SUMMARY

This System Risk-Based Inspection Guide (System RIG) has been developed as an aid to HPCI system inspections at Hatch. The document presents a risk based discussion of the HPCI role in accident mitigation and provides PRA-based HPCI failure modes. In addition, the System RIG uses industry operating experience, including illustrative exarnples, to augment the basic PRA failure modes, ne risk-based input and the operating experience have been combined in Table 4-2 to develop a composite BWR HPCI failure ranking. This information can be used to optimize NRC resources by allocating proactive inspection effort based on risk and industry experience. In addition, an assessment of the Hatch operating experience related to the failures is summarized in Section 6, and provides potential insights both for routine inspections and the " post mortem" conducted after significant failures. A comparison of the Hatch and industry-wide BWR HPCI failure distributions is also pr sented in Table 4 2. The two tables contained in the Appendices to this report, A-1 and A-2, contain detailed information on selected industry failures. This should

~

be used by the inspector to gain additional insights into a particular failure mode.

He Hatch operating experience review has identified the following component failure modes that have shown a higher percentage of occurrence:

Lube oil supply faults Turbine control valve faults

False high turbine exhaust pressure signal

Flow controller failures

- Turbine overspeed and reset problems These components should be given additional attention during future routine and specialized inspection actisities. _

This report contains all the Hatch HPCI LERs from 1980 up to 1991. Subsequent LERs can be correlated with the PRA failure categories and used to update the plant specific HPCI failure contributions, and then compared with the more static industry BWR HPCI failure distribution.

The industry operating experience is developed from a variety of BWR plants and is expected to exhibit less variance with time than a single plant. This failure information can be trended to predict where additional inspection oversight is warranted as the plant matures. As the plant matures, the incidence of inadvertent HPCI isolations due to surveillance and calibration activities is expected to decrease. Conversely, in time, aging related faults are expected to become a more significant contributor to the Hatch failure distribution. The review of industry operating experience has identified several aging related failures at Arnold, Cooper, and Brunswick, in addition to Hatch, generally in the pump and turbine electronics.

Recommendations are made throughout this document regarding the inspection activities for the HPCI system at Hatch. Some are of a generic nature but some relate to specific maintenance, testing. or operational activities at Hatch.

7-1

l ,

For example:

1. The inspector should exarcine the surveillance and maintenance programs for the portable diesel generator. In addition, the training program should be periodically reviewed to assure a continues awareness of the temporary connections required under SBO-type conditions.

(Section 3.2)

2. He plant actions to monitor and cor; trol the temperature in the HPCI room should be reviewed and the effect of the loss of room cooling on continued HPCI operation should be evaluated,(Section 3.2)

3. Within the context of the use of HPCI in a ATWS event, the capability of the licensee to perform the necessary bypasses of the system logic should be evaluated periodically. (Section 3.4)

4. The turbine rupture disks should be installed with a structural backing to prevent cyclic fatigue failures.(Section 6.1.6 and Appendix A-1)

5. The inspector should confirm that the licensee acknowledges the comnlexity of the turbine speed control by having a trained staff to test and repair it.(Section 6.1.1)

6. Licensee responses to NRC Bulletin 88-04 should be reviewed to determine if the design of the minimum flow bypass line is adequate. (Section 6.14) 7-2

c

8. REFERENCES

~

1. Brookh'a ven National Laboratory (BNL) Technical Letter Report, TLR A 3874-T6a,

" Identification of Risk Important Systems Components and Human Actions for BWRs," -

August 1989.

2. Shoreham Nuclear Power Station Probabilistic Risk Assessment, Docket No. 50-322, Long :

Island Lighting Co., June,1983.

3. NRC Case Study Report, AEOD/C502, "Overpressurization of Emergency Core Cooling d Systems in Boiling Water Reactors," Peter Lam, September,1985.

4. Brookhaven National I.aboratory (BNL) Technical Report A-3453 87-5 " Grand Gulf I Nuclear Station Unit 1. PRA-Based System Inspection Plans," J, Usher, et al., September, j 1987. 1

5. BNL Technical Report A 3453-87-2, " Limerick Generating Station, Unit 1, PRA-Based System inspection Plans," A. Fresco, et al., May,1987.

6. BNL Technical Report A-3453-87-3, "Shoreham Nuclear Power Station, PRA-Based System )

Inspection Plans," A. Fresco, et al., May,1987,

7. BNL Technical Report A-3864-2," Peach Bottom Atomic Power Station. Unit 2, PRA-Based System Inspection Plan," J. Usher, et al., April,1988.

BNL Technical Report A 3872-T4, " Brunswick Steam Electric Plant, Unit 2, Risk-Based 8

Inspection Guide," A. Fresco, et al., November,1989.

9. NUREG/CR 5051, " Detecting and Mitigating Battery Charger and Inverter Aging," W.E.

Gunther, et al. - August,1988.

10. NRC Circular 80-07, " Problems with HPCI Turbine Oil System," April 3,1980,

11. NRC AEOD . Report E402, " Water Hammer in BWR High Pressure Coolant Injection Systems," January,1984.

12. NRC AEOD Technical Review Report T906," Broken Limiting Beam Bolts in HPCI Terry Turbine," April 18,1989,

13. NRC Bulletin 88-04," Potential Safety Related Pump loss," May 5,1988.

14. NRC Information Notice 82-26,"RCIC and HPCI Turbine Exhaust Check Valve Failures,"

July 22,1982.

15. GPCo HPCI System Operating Procedure 34SO-E41-001-2S, Revision 8. 3

16. GPCo HPCI Operations Training Program Student Text, LT-ST-00501-02, Revision 2.

8-1

._______________________.______.______________._____.____________________________________[

17. liatch Unit 2 HPCI P&lD 11-26020. Revision 23 and 1126021, Revision 18.

j

18. Edwin I. Hatch Technical Specifications Unit 1 and 2.

19. GE Senice Information Letter, SIL No. 392, Revision 1. Improved HPCI Turbine Mechanical-Hydraulic Trip Design," November 28,1990.

8-2 e

e

o ;

= !

.~.

APPENDIX A 1

SUMMARY

OF INDUSTRY SURVEY OF IIPCI OPERATING EXPERIENCE 11PCI PUMP OR TURBINE FAILS TO START OR RUN -

N i

A-1 e

i

. + a .n * -n.- + z n .a .m r a w < . w .s,. + w

. .+ 4 r a .a . a . +,e. e a, n s a< -e-,,na.- ~ < - e . >n n.g,>-u...=..

a sp --.n s s~ .wo a .

.m , s n r i

.r;t A

+..-.

5 4 1

(

f '- .'

c ;. .

1A ' '.

-"M -

-.,p' .4

'i ) .

h e

Y

.k 2

8

h. n s

$ .' O k

5 a

s a

A k i rM 1

5 i

a I'

i

1l .

.-g 4 .

N 4

D 4 5

=2 h

e.-'" 4 6

1 I. .

Y 7'

t 1

T n

6 e

- ~

A-2'

,-.(n' e

t h

.,>^.g,4 I T ***"r tr-4 49--' AssTheW e-- - m.-._mhm-__.--+m-h- -..----__ - -

. . - I. i-. - , . . . - _ . .m

,r

,i.m,._m._1 _.,_,__am.___',____i

u .

Table A-1 IIPCI Pump or Turbine Fails to Start - Industry Survey Results Comments inspect;oc Guidance Cnrrectwe Measures railure Desc. Raw Cause TURI?INF SPf 17D CON IM Of . FA111 13 EGM control bax EGM printed circuit twurds will be Each of these EGM co= trol box malfunction ho simitar failures attributed to aging failures excurred at olier p! ants effects due to long term energization and replaced at eight year intervals, Additional llPCI pump room cooling and appear to be aging related.

posibly elevated ambient temperatures. +

An EGM printed circuit txurd failed and added.

caused a false high steam f!cw signal. He

scomd failure involved the electronics in the ccmtrol bex chassis.

EGM nmtrol txn had a pround. Two printed circuit boards repbced-Miscalibration of nuti voltage settings. Recalibratkm c.f vohage scannes.

Box replaced. Surveillane Failed transistor in the EGM control bot proudures being expanded to verify proper functiccing of the catput

.,ved circuit.

Y w Erriv % ** detected during a Moror speed IIPCI failed acta initi.itirm surveillance twcause the electrical connections between previous test at J? N io Procedures (haneerE G-R revised to functionaffy test the actuator malfunctions. the governor and the controt valve electrohydrache servo were in error, gmernor control system during the krw prenure su veillance testing.

I ziture may have Res caused by Ambient temperatures in Capacitor faihtre in motor gear unit. Replaced capaciter c<;uip ne:st treas should be excessive IIPCI rcaxu verified uith specificatio.u.

temperature.

3 i Component rep!. xd or serviced Improper gaping and foreign accumubtion l on contacts.

EG-R actuator grounded at pin connection Correskm prisincts emoved.

due to the acctimulation of corrosion prodocts.1here were three o.xurrences of this event that have been attributed to a design change in the actuatce pin connections.

lable A.1 (Cdd)

Failure Desc. Root Cause Co.rective Measures Comments Impection Guidance Dropping resister Resistor box design deficiency-special test Resistor tot m.xiified to ensure assembly problems, showed output voltage insufficient when liGM con:rol box will receive input voltage at design ninimum, required vettage under worst case ned;tions.

Resistor Failure Resister axnponer.t replaced Ramp generatorMgnal- Slow IIPCI response time attributed Gain and time settings reset. Settings had not been modified converter bra.. irnwrrect turbine loop gain and ramp time bawd on power ascension test settings. program.

Magnetic speed Cable damaged during IIPCI maintenance Cr.ble repaired.

pickup cable. preventing speed feedback to the speed cxmtroller.

l Speed control Imose contro! room panel termbiations. Repaired panel terminations.

potentiometer, i U11F O!L SUPPI.Y FAlf t TS M Auxiliary oil pump Microrvitch within pressure switch fails. Microswitch replaced. 2 additional failures due to pressure switch fails. miscalkration, and one j attributed to a gdece of teflon tape that blocked sensing orifice of switch.

loose hydraulic control system pressure ' Corstponent adjusted.

switch contacting arra Auxiliary oil pump Pump bearing failure degraded pump . Pump replaced.. ' Similar' event-pump motor -

failure. performance /!ower discharEe pressure, bearing failure was possibly due bearing Lad been recently replaced- to daily use to supply oil to pniential human error. turbine stop valve.

Additional low - liuman error, All control valves Wves correctly positioned. handles Two similar events have oaurred ,.

bearing oil pressure scispositioned ~ removed. Surveillarice evised to at other plants.

occurrenms. check oil pressure during turbine test.

b Lube ei! Para!!in in tube oil cos:ed pistan caused Piston cleaned. L ne process of periodically contamination. ' binding of hydraulic trip relay. sampling luts oil should be verified i.-

e 4 m + w

r , -p ;. -

g

-V

' Table A 1 (Cont *d)

Failure Desc. Root Cause Corrective Mer4ures Comments Inspection Guidance

'IURIN N R-OVFRSPIT?D AND AUlO pl SFI' PROlll RfS Electrical termination locac cicctrical termination on solenoid Wiring to the solenoids will be De corrective action for a failures - nfve coil disabled the remote reset ~ restrained to reduce strain on the sinnlar earher event apparently function.' Failure attributed to nonnal terminations. did not address the root cause of I!PCI vibration. the fr.iture.

Overspeed trip doice Overspeed trip device tappet assembly Tappet remachined. Similar occurrence at another tapped binding. head was bindin5 in valve body. . plant.

Polyurethane tappet, previously machined rer GE guidance, had experienced additional growth.

tmse hydttsufic control system pressure Repaired contactor arm. None.

- >L smitch contactor arm.

On .

Drain port bkxked. Erratic stop valve operation. Blocked drair. Drain port cleared. Additional information on port in cverspeed trip and auto reset surt>ine overspeed trips is piston assembly caused trip mechanism to . provided is t1RC Information cycle between tripped and normal Notice 86-i4 and 6614, Supp.1.

posisms.

INVFRTTR 'ITtIPS OR f- All UltFS Inverter tripped and could not be reset Replaced imtrter.

due to a failed drede. See Ref 16 for effects of inverter aging and preventenve measures, 1

Inverter failed due to the failure of an Replaced inverter. A similar evt. t invoMng a internal capacitor. ruptured capacitor occurred at .g' another pfant. =

d internal electror.ie loverter cuerheating doe' to a failed . Repaired or replaced coh!ing fan.

fatuts :i9tegral cooling fan.

-Inmfer failure due to blown fuse. Replaced fuse.l r

I q , 'p ' O :.- _ a _.a_,... ~. OL

__.lw. __ _ ._

._ :j.'j

n, i _, , . . . . .m m . - - - -

i

~

- Table A-1 iCnnt'd)

Com:nenta inspection Guidanw k Failure Dese. Corrective Measures Itoot cause p

I Inverter trip due to high voltage setpAnt Equalize voltage was reduced intertaA electronic drift. allowing inverter to reset.

faults ;omt'd)

TURalNF SIDP VAX Vi! I'All URES Simitar event at another plant.

Oilleak developed at pilot valve Flange bolts torqued.

CoNrol oi! !cals.

sstembly/ hydraulic cylinder flange bolts were kwxe.

Valve stuck open due to disintegration of Valve's exyndable parts now PPct oil trip soienoid scheduled for replacement at every vahe. diaphragm that caused valve plunger to third refueling nutare.

stick alwwr the seat.

Piston rings were fabricated from f urther discussion in IE Grcular Valve wouk! not open due to excessive resin impregnated feather Vendcs 8407.

leakage of piston rings in hydrauL:

reccm:n. ended replaument every five cylinder actuator.

years. Potential aging concern.

Similar failure occurred involving Overstress and ultimate Vafvc and actuator stems separated at split flalance chamber adjustment was fractme wi!! usually occur

> Mechanical vse couphng. f t. dance chamber adjustment performed in 1955 per GE SIL 352 a loose valve pmtion sensor at the undercut on abe

& failures.

drift believed to have caused increased Adjustment will be checked quarterly bracket that caught on actuator coupling threads due to j for a minimern of 3 quarters. housing when the valve opened.

I momentum and dhk overtravel. Ee valve failed in she open reducing cross section.

position. Incipient stem failure may be indicated by circumferential cracks in threaded stem area.

~!URitINE l'XII AUN r RUFIURI! DISK Improved design appears to AEOD Report E402 Inner rupture d;sk failed due to cyclic bcah disks replaced with an Cyclic fatigue. climinate the cyttie fatigue prmides additi mal fatigt:e (alternating pressure and vacuum imprmed design that has a structural failure mode. examples of turbine backing to prevent ficxing during within the exhaust line). Vacuum occurs exhaust rupture disk during cold quick starts with cold piping. exhaust line vacuum conditions.

failures.

Diocked line cleared; rupture disk A similar event has occurred at Water hammer Exhaust diaphragm ruptured by water another plant. Duration and carryover from enheust fine drain pot due replaccd.

induced disk rurture. frequency of exhaust 1.ne to a blocked drain line. blowdown increased.

+

s k

- - - - _ m

1.-

A sj._.

O "TaNe A4 (Omi'd)

Failure Ikse. Itoot Caese Corrective Measures Onuments Inspectiori Guidance FI OW COV!11Of.ITR Fall. Ult FS Failures appear to be aging Ambient conditions in 9 Failme to c:mtrolin Defective amplifier card and solder joint Repairs performed. related. yet it appears some aress containing this automatic. atitibuted to aging. licensees do not intend tu - equipment shoukt bc periodically rept. ice sensitive ver!Ded against equipment or otherwise address specifications, the root cause of these failures.

9 Dropping resistor failed in the instrument Resistors R26. R24, and rener diale 11 ampliGer circuitry due to normal heat of C24 all appeared to be affected by operation. ambient temneratures and were replxed.

1, Intermittent operation of internal switch The s!ight oxidized contacts were cleaned ar.d lubricated In the long wntacts did not alks the contro!!cr to read the flow setpoirt in auto.- term. permanent jumpers 41 Se insta!!ed to bypass the sniwh<s.

a Gear train failure. I. nose fastener caused intermediate gear to P-occdures mil be revised to require unmesh which prevented adjustment of the a periodic ched of the gear train controller setting. and fasterers.

Miscalibration Ihw controller indicated a flow of 40 Contro!Ier recalihated.

l -. gpm v. hen system cot in operation. Failure attrit-sted to miv.alibsation.

l 1UllItlNI:

1 COVilt 01. val Vfi

!t LAUil!3 -

, Comrol nit leak. .' Oil supply line nipple leakisig because Nipple repaired; plant personnel plant personnel s'epped on fine to gain informed of failure cause.

access to <nntrol valve.

'throitte valve lifting & of the eight lifting beam bohs failed Liccesee sonhange thread tubriennt; Per AEOD Report T106, beam boltmg tailure. : due to stress corrosion cracking of non-metal bearing petroleum jelly improper heat treatment and the improper 8y heat treated bolts.1hc secommended. . use of a copper based anti-renusining two bolts were cracked. seizure wmpound were major -

contributors to this failure.

'A-" ,.

4 _ m" _ _

r me- en v -[ -

. ' TaMc A-1 (Cont'd)

Conunenn Inspection Guidance Root Cause Ovrective Measure

I'ailure Dese.

Formation of a procurement Additional IER reported a

!.OSS OF !.UTIII O!!_, PCV 1135 had an insurrect diaphragm engineering group. diaphragm failure resulting in a $

COO!1NG imta!!cd due to inadequate controts to gpm leak. No cause stated.

update plant information with industry PCV-HOS failures. expdrence.

'P c periodic use of the auxiliary Operating procedures Used auaihary oil pump to flush oil A ejification was proped to i MISCFIJ ANEOUS .nl pump is = common practice shouki be reviewed to through the governor to cicer a grcund. ch:ninate ramp genera:cv initiation that can diuble the IIPCI ensure that cautions Subsequently, system isolated on startup on auxiEary oil pump startup, unic<.

sptem. identify IIPCI system because the oil pump causes the stop and a valid initiation s:gnal b presca inoperability when the coctrol vatves to go full open. mutiriary oil pump is running.

bS l

t l ..

I l

4 j

- 1

-I

. . _ , .. . . .- , . ~ . . ~ , . . , _ - . >

F

't

. . ; n. .

F APPENDIX Ad SELECTED EXAMPLES OF ADDITIONAL 11PCI FAILURE , <

MODES IDENTIFIED DURING INDUSTRY SURVEY 1

P$-

1 W

W i

1 i

~

1

- i

'i s

T e

iO.

'A-9 J

[( ,,

2' L l- .~

h > u __'._--__.L'Lw.x

^ -- -

ep a ma-h t

4 6

o e

A 10'

--_-__________-_--___=

P o

Tabic A-2 Summary of Illustrative Exarr ~ ' Additional !!PCI Failure Modes Gxnments Impectant Gokiance Gwrectrve Measures l'adure Desc. RM Cause R<memmt Tr .-.;tter NRC Inf<wmatum Nanice Differential pessure trammitter failed due Arnplifier card emncetson was 8216 prmles additional IIPCI failure 3 - secured.

l'ai e Iligh Steamline toinadequate connection of amplifier informatwm ce steamime Differential Pressure endition card was either incorrectly pressure measurement.

Isolation 5gnal seated during ista!!ation or worked Imwe.

Wuwg comerske value caused Rmemont Trammitter Mrscabbratkm and a stuck pressure imbeator disaNed Imth dnisions of high riscahbraGm and was ctwrected.

AP trammitters.

Conservatively narrow instrumset Trammitter (Terating outride tok rances Recabbrated trammrtier tderances were used during the dx to inctwrect setpwnt adjustment setp int adjustment. The istrument was a Rosemount Transmitter.

Iterton trammitter increased cahbration Serpnnt was adjusted. frequency may be Serpoint drift cause sperious sprem isr44thms necessary.

Unknown Etarten trammitter.

Setpnt draft caused bv moisture intrusvi through the dial rod straft seal

[

.- Interim cnrrectrw action mas drilling This failure was attnbuted to IllU I~ailure 4 - !.lechanicahhermal bindmg of disk due to procedural anr* training inadequate cicaranses. a boke in the sahr dist DouMe lurbmc Steau Inlet dais were to be insta!!cd during a inadequaocs.

Valve {iTM1) fails to failure refueling cutage as a kmg open term solutkm.

The thermal binding can occur A four Iwnre sprem Thermal binding of dak Rep' aced mntor gears and installed marmup may be res red for ~2 hours after system is larger power supply cane to rnotor.

returned to servn:e folkwhig a . by peccJurcs to circunnent ths probnem.

cxx4dsn. _

Motor failure caused by high Surge protectmen added ic shunt coil Motor failurc vs'Itage tramient in shunt cod of DC motor contr.4 circuitry.

that occurred when supp!v breater opened. ,

i Motor wimisgs faiicd due when Other safety related MOVs '

i Valve rrpaired and torque smitch were alas affected. {

Motor fa.turt torque setting out of adgustment adjutment wrewe mere cerrect*y Jw to kwee tesque sehch Proenteres were rewt.ed torqued. and enrque switch limiter ad;ustment saews.

plates were mstat:cd.

y

~~

~

l i j

. ' bble A-2 (Cont *d)

Cw mems Iespectam GodwKr Hoot Cause Civrectrve Measures Failure Dese.

Vahe motor was reptred llPCI Failure 4- Valve motor failure due to incorrect suam tubrication (cont *d)

Other IX' MOVs were also INPO STR-2548 and Renced step starting resistc.rs.

lacensee review determined that vahe evalu.ated NRC Informatum N,eice might not open due to imufficient torque, 65-72 prm%Ie further p itance.

IIPCI Failure 5 - Mispsisveed auxiliary cretacts in starneg Replaced cretacts-Pump Diwharge time delay relay for valse mnior.

Valve [ITjii6] Fads to Vawe nxtor replaced. Failure attributed to heat related Ope n Vahr rmw farlare u eM=n of vahc rm*w interftall Potent:21 pnNem may anect INMP SER 2548 and Iktnsee review determined that vaht may Step starting resistors had nM tven NRCInformation Notke cemidered in the torque a sahws other DC MOVs have insufGcient torque to open. pnmde a&fitwmal and mere rrami gun.tance t er.e replaced and ground entrected Fuse failure due to electrical grounding.

C IIPCI Failure 7 -

Sptem Actustkm Design nxxfiGed. Further discusske in ALOD Irgic Fails Sptem faPed to actua:e due to inadequate Repet E407.

seal in time.

Failed pmer supply resistcw.

Resistor replacci IIPCI Failure 8 -

Take Ilkh Area ModJe replaced New untet replacement Failed temperature immitoring modute. C'msidered Temperature Isolation Signal g

Mmimum intale serp 4nt II l

Iksign error.

temperature was increased.

j hotated pressur. suttch actuated l Pressure switch isolation valve None.

IIPCI failure 9 - due to chancing envirrmmental Fahe tem Suction inadvertently closed I ctal.tinns.

l Pressure Trip Pressure switch replacci Seat corrosim a&wed moisture IIPCI l'ailure 10 - Corrosion of pressure switch seals. imo casir g and shorted mirinit l False 1 Ugh TurNne I Exhaust Pressure l Signal l

O EME

L?

O

+

' Table A 2 (Cont'd)

Failure Desc. . Root Cause Co-rective Measures Comments Inspectkm Guidance

- IIPCI Failure 11 - IIxhaust line swing check vaive failure Check valve replaced. Failure of check valve was References [2tj and [22)

Normally Open bkxted MOV attributed to overstre wd cyding prmse further Turbine Exhaust due to high exhaust pressure. inform-tion.

Valve Fails Chwed IIPCI Filare 12 Irvel switches out of catibration Switches replaced. Acromulation of foreign staterial CSF/Strypeession Pool on Oost camcJ fadars.

Logie Fails

, IIPCI FJure 13- Motor fadure. Winding insulation Replaced awta. Voltage surge Ifigh witage transients occurred Suppression l'uol degraded due to high wdtage transients. protection added tocircuitry. as supply breaker was opened.

Suetion Une Valves Fail to Open Torque switch out of adjustment. Recabbrated.

Umic swnch out of adjustinent. Replaced hmit switch Valve stem separated from disk. Valve repaired. nree bolts failed due to tensile Dese wahrs were mrkwl. Other similar salves manufactured by were inspected. Asuriated Omtsol

> W at,Inc.

L W IIPCI Failure 14 - Valve inoperable da: to damaged motor Switch replaad. Damage resulted from overtravel Design changes may be Minimum Flow Valve starter disconnect switctL of operating bandle due to pw required as a result of this Fails to Opcn design. failure.

m

_ . _ - . . . _ . . . _ _ _

ML20138D506

Contents

Text

Dear Mr. Hairston:

SUBJECT:

Enclosure:

Dear Mr. Hairston:

SUBJECT:

SUMMARY

SUMMARY

SUMMARY

Navigation menu

ML20138D506

Text

Dear Mr. Hairston:

SUBJECT:

Enclosure:

Dear Mr. Hairston:

SUBJECT:

SUMMARY

SUMMARY

SUMMARY

Navigation menu

Search