e i; 1

]:

19 [l I! ]

I a + l 000W00 I I I

@ l-- i a ,

m 1  :.: :.: :.: I" I' TTT - N.

Ji EE :9 g .

i _

,g lN g

p g

- [, -

~

p g

Qy

' 0-X i d) noi

l El- @" ,l q.

o i*i l.l - .!) .-

o Q E!

g,._

4-33

A b$ ~ "I I ""l' is gl5 ll ;r .

EI I- :3:

e "5 ejG

~~ {

li h

$E a e sn -

O

,5

- 5, En ik z e

er 3

?.

t

~%- e 25 eg @

5 s'l i s.

?

Sb  !!

si Elux q (

?-

Esm U

ISW', l' 4-34

si is is il il il ,s

s N:In Xt ei:la Zt H:In Zt ei:11 es:II el :li I ~i e ~5 I - i l[i n e@H$s:l 8

_I!!a5 8 @ @ 9:9 _,

s n

a e

n a g =[I !

u Elea .i -

Mie= 'I -

z; ir! <

e, B~: z z i a

• r

-hn I{

s a

~

g 3 G.  ; Dj 3  !

! .I ..ar ., ! .im .i i  :

-, r_.  ;,: "b ,

y. y.

3 e :e:

I!

.h Ell ai

_h 9 G) G) l Xs ya s.!

!!l b 1[I 4-35

t I

i SANTIAGO #1 JL 220 KV NORTH EAST BUS f s' 3' )

s' CONTINUE 0 p p TO SONGS 2 tr 3 IM I4 h h 4022 5 4032 1 est! 3 a *: O P I4 n

= ; I4o I4 n

(

3 p p I4 IMh I4 n

6 I mit 4 es22 8 esu p D p (4 n (40 (4"ECI 0

220 MV NORTH WEST BJS ll-

'i H il H F '

'i Hil H F llCHTNING ARRESTOR 18ANI TRANSFORMER NVVW WW AUX.TRAN1 "A* AUX TRANS. "s" AUX. TRJWIL T NVVW NVVW N\/ VW u WW WW WW mAm samRAt0R it if if 1f TO TO TO TO 4100V 4tM V 4tM V 41epV eustA susis susic suste Figure 4.11220 KV System 4-36

04 S

8 l3

~!

• T

. m 8

, _ = = +T+-e - ,= =

-3 lII -

-4 T lhuffa"i"it 5i gyj  ; non;,.J , ;

, +T+-O =Ll"o'fa

'g*y ,

• J +74 jj'" "' I=U ,

g + A+ { ~4 T ? @'" ".?" ~*i* = "gi 5 = s 3 l

=

ggg-4^j" gg tasva.ns.m nv ans g

n -

e M .

4 ~$ .-yy. J

+^+ 5+ E

-e-T+J-W k

47M .NEm!Ym I. = = $

gi: .=: 4 .m ,

E&

. o E

e! mi V . '""8 "l'""

+ ^gM .c I >

. <<3.l'f* ,

( l g

5 = 9 E l 5, +; .

l  ! l >

! 4 34 5 4k; = @i.A"a" i =-

1

+T* u

= a mij s g.

w Nb b C g- a; = +yg ,,i,g.yg

.=

sE y&

~5 HD y : g u,- . .... . ma

--*-7 :

=

=, g 8

-4 ^B  ; ennse.s ,

sE5.g =

Ej 4I g,3! "

2 I

4^l * '

g.

es R s i o. n == .a o

• q 5s= ' $2 -9

, / ._ y v. > R S a. = == m

. g

-*-7 : {}- ..,  ; -*-7+-e - ,=,=

+r+- -*-7 % ....= =

s!j@

g, r,

3 5

4-37

hhLYtte. I '

u TO BE mctia - IE M E I - TO D E - MM I

nia ) n,a.T T I T T o T T "

n,=) nm) nm) => ) nm) n=>

T)nm)

-ma. .m.,

57 c=aa mm.n c=am.a 57 3 7 c.m.,

uaan vi -

nic c=ns.e

.T -

37 e

w co uww mu,e_a l

NWwT.w ..,an=.w w l w n.

s. m m -

~ 5 pn umsv .a s lE EE lE umar .a r Et

=

usar.s SunTCme0aa0 f%

l --- .- ._

+o o o o o c gfie.cc a 1),...

1),. .. . .. 3.<  !).. 3., 3.< ).<).<

l

_ 1,. . . . . . .

( Figure 4.13 120 V AC and 125 V DC Systems l

l i

i

lll I!! !!! !!!

I I I il

.?

l l

1ll

=

l a

j -

I

~

8 l

gl g

m I!

Il 4-39

T R R

ATE NO T I tWMA E E cUIPR uPUE P N QOE n _

i o -

t a _

i z _

n a

g r

T O N

• E D L R O L" T L" N O R f t

TN O OR A R O i

FE RMS I R TO T STN T h I

H TN I TOV NOR I T N A I A I S SOR I

S I ORE P O R n R C U C ~-T SCPE A

E P S 0 O O U

S 5 1

4 e

r u

g i

F T R R

ATE N BT O

I EWtA t

CUwR UPuE P N eOE O0 RR S"

i8

c f-wa_

~

-~ ' mj%.f m.T2:$~'-

. f

?

1? ~ I y J,R ~ - n. t.,h :;t

% d,.v.2 .

- ..-'< Q

' s )

e

._'. t M~

4._e'm.M~ W m $]'

g

.. i c

c. f J 5 f

,[ , .

f

. __ w r,I.

. e O

"u

~

,..

• i

. .,Y.%. J s i

. I mif~-

c. _ *L . Q^ . ',.

~. 't n

Q- .l .- I

~ e d

_r ... .

A4.;~3;.pk,  :.;W-e t

n

.D'

- rC .

T~- i n

r

% e h j.1 L a *.

~

S f

t p

u

, &g _, ,, h,,. 4_

i

- h

- J

, S D

i l m ,

rI 0 'K , _

o r

0 s - ,

F .

_ ( -

h- u-s ,u1 _

_ n1 r- m _

5 \ - o -

o aE =.

y. R

~

.' =j - l a 3I N. -

o r

i, t n

- 4 W o Q C 1

6,.

wd r-e-

,n ~:h- _ , S

,~, G z .- d2 N

.mi'4.g, %n. g

- ; e

+

, _.- ~

. i .

_a O cr ,a J

S i .w-l . , i.

.5. 3 i C,

~

~ .

.p9P.w(lad .

a 6

1

.w

~ .

7 '

4

- _ ~

c,,,g :> i .w e

\

L.p/)7;. ('  %

,,a :,

r u

g

(*4, p- - y.g n i i

^

,k F f !t! \!

lt yQ&. H. i. gh s; .

1. i.

yg&'s> ,

,h " ' -l 1

• Y Yl [ P b

+S

,l

,.3 fg g~' Y ^ 4 W

W AM T8 E

C H

_T L U8 B'

F E O O C

(

).

- p

_ 4  ; ,

Y C ..

ni EC a .

G .

R E

I s E

E.

t. a

- - "T_

Wm T XS T s OY FS E

N b e N c O u n S fi f

I T N

E O

B ., t m

E n

_ Tr e .

e

_ n c

_ E P

U j

a S d

'T T F

e A

S, t d n

[*- a

(*

• m fI ' o m

o

.u R

.T t l L Eu o

~ n.O e

TP t

r W"p.C T R C P . n W

E G

u o ER '

s o

. C I

R m e

m_

E s

i E

n 7 a 1 m A ls er ms l A T oL nN aP vA o

T T

U n

E s

u l a_

t s

c 4

e AT N tE e o Aed E4 bW T P 2 r Es Ps M10 TO E s

a s  ?

7 u

OA WT AL A IWU T

E R

U P

s o

s e_ ig SC 0 P r n 6 F

~ TN5 u a o L I

e-

'..e.[

C O

AT Y

A R

T T

s T

T i

s l s_

E u

TW I

A M Mu O iu

, eP U TU C a t.

I A0 E0 RC A g

l f DLA i

f s t

u WE W

O1f i w

a OA Ns n

S x L T Ea E

a HIN i U0 P 1 u

A A

P PT!

MU II D e E EE OG i

,TEe l fA c

C CAA T a

A f S Tt R S t COE A R i

E Do E

A u

E Et us Rn U R $

E R

P

},

R I

I I

I OA Co Es 4,

R T

E NI U

IB VD ,

TI T NC AE r d l

SW W

L"" '

't l+:., i4l aIA j j !l

5 LOSS OF POWER EVALUATION 5.1 Electrical System Operations Leading To Auxiliary Transformer C Differential Relay Trip On Wednesday, November 20, 1985, at 23:50, an alarm indicating a ground on 4160-V bus IC was received in the control room at SONGS Unit 1. The ground detector voltmeter indicated a 100 percent or full scale ground. In response to the alarm, the operators referred to Operating Instruction (01) S01-9-7, which deals with 4160-V and 480-V bus and feeder faults. The procedure first has operators attempt to locate and isolate the ground fault in the loads con-nected to the bus. This required operators to shift services to redundant equipment powered from sources other than bus 1C, and stop equipment powered from bus IC. For example. the north charging pump connected to bus 2C was started and the south charging pump on bus 1C was stopped; the operators veri-fied that the ground detector indication did not clear, and then restored the original equipment alignment by restarting the south charging pump and securing the north charging pump. In the case of service station transformers SST 1 and SST 3, alternate supply paths were established to energize the respective 480-V buses prior to disconnecting the SSTs. (Refer to Figures 4.11, 4.12, and 4.13 for details of the electrical distribution system.)

By 00:20, November 21, all lead circuits on bus 1C, except for that of the north circulating water pump and the ' west feedwater" pump,-had been tested;

~

however, the ground fault had not been located. Unit 1 was operating at 250 MWe at this time and the operators received permission to reduce load to 150 MWe in order to stop the west feedwater pump. One of the steps required by the procedure (501-9-7, step 6.2.7) is to check the fuses of the ground detector potential transformer (PT), because a blown fuse will cause a spurious ground fault indication. This step was to be performed if the ground on the bus could not be los nted by deenergizing all feeder circuits. In this instance, the operators proceeded to take this step prior to isolating the two remaining loads. The PT fuses were verified to be good and the PT was returned to service.

At 00:24 the unit was down to the desired 150 MWe. Around this time, the con-trol room operators closed the bus 1A-1C tie breaker 11C01, thus parallelling auxiliary transformers A and C in order to verify that the ground fault was valid and not just a problem with the bus IC ground detector. With the buses parallelled, the ground detector associated with auxiliary transformer A also indicated the fault, thus confirming the existence of the fault. The buses were parallelled for approximately 5 seconds this time.

At 01:30 the south circulating water pump on bus 2C was started (it had been secured earlier to enable a search for salt water leakage into the condenser),

and the north circulating pump on bus IC was stopped. The ground did not clear and the north pump was restarted. At 02:40 the south circulating pump t

was again stopped due to increasing chlorides in the steam generators. At approximately 02:45, an electrical technician was given anproval to check the ground detector on bus 1C. The technician measured the voltage across the 5-1

ground detector relay and confirmed t u voltage to be 215 volts (210 volts is nominally 100 percent on the ground oo ctor voltmeter), thus verifying that a ground fault existed and that the grouna detector was functioning properly.

The technician informed the Shift Superintendent of his finding. Following discussions with control room personnel, the technician checked the PT associated with the ground detector for ground. To do this, the tie breaker between bus 1C and bus 1A (11C01) was again closed.

At this point auxiliary transformer C and auxiliary transformer A were again operating in parallel, connected to the inter-tied buses 1C and 1A. The ground detectors of bus IC and of auxiliary transformer A both indicated the ground fault. The PT of bus 1C was then disconnected, but the ground was still indicated on the other detector. This test eliminated the PT as a possible location of the fault. The PT was returned to service. At this time, 03:35 the auxiliary transformer C source breaker to bus IC, 11C02, was opened by the i control room operator; bus 1C remained energized from bus IA, and the ground ,

indication on both indicators cleared. (In this instance, the two transformers  !

remained in parallel for approximately 2 minutes.) This action isolated the j ground from bus 1C and indicated that it was somewhere between the X winding of I auxiliary transformer C and its circuit breaker 11002. After further discus-sions between control room personnel and the technician, the technician checked the synchronizing PT of bus 1C to further isolate the location of the fault.

To do this, the source breaker 11C02 was reclosed, again paralleling auxiliary transformers A and C for approximately 5 minutes, and the synchronizing PT was disconnected. The fault did not clec . The PT was returned to service and the source breaker was re-opened from the control room isolating the fault. Having determined that the fault was not on bus IC and that the west feedwater pump would not have to be deenergized, at 04:00 the control room operators commenced increasing power and by 04:30 the unit was again at 250 MWe. Meanwhile, the electrical technician and crew were visually inspecting the electrical circuit between auxiliary transformer C and bus IC, the area around the transformer and the X winding's reactor and associated bypass breaker. They were preparing to rack out (remove) the reactor bypass electrical breaker after receiving permis-sion from the control roce.

At this point, the electrical distribution system status was as follows:

Auxiliary transformer C was energized and supplying 4160-V bus 2C; i.e., circuit breakers 4032, 6032 and 12C02 were closed, Generator at 250 MWe and breakers 4012 and 6012 were closed, Auxiliary transformer A was supplying 4160-V buses IA and IC; i.e.,

breakers 11A04 and 11C01 were closed, Auxiliary transformer 8 was supplying 4160-V bus 18, SST 3 and associated 480-V bus 3 were being supplied by 4160-V bus 2C through breaker 12C11, Lighting transformer was on normal supply off bus 1C, South circulating water pump had stopped and both feedwater pumps were running, 120-V ac utility bus was on alternate supply off the lighting switchboard, which in turn was being supplied by 4160-V bus IC, and

• All other electrical-system alignment was normal.

5-2

5.1.1 Relay Trip At 04:50 auxiliary transformer C tripped on actuation of transformer differen-tial relay. Later observation at the relay panel confirmed that the differen-tial trip involved phase B and phase C. Phases B and C trip targets nad dropped, indicating that a fault current in excess of approximately 1500 amperes was involved.

Control room operators received multiple alarms when auxiliary transformer C tripped, among them the turbine first-out alarm for auxiliary transformer C differential trip. Upon loss of the transformer, 4160-V bus 2C and all loads connected to it, including vital bus 4, were lost. Diesel generator 2 automati-cally started upon loss of voltage to bus 2C. The control room personnel observed the loss of vital bus 4 by the loss of its potential indicating light with the green dot on the vertical panel. Based upon this, the reactor was manually

! scrammed; the unit trip pushbutton was also manually actuated.

5.1.2 Discussion In responding to the ground indication on 4160-V bus IC, the operators correctly followed Operating Instruction 501-9-7 in attempting to locate the ground on the load circuits of all connected loads, up to the point which required them to de-energize the feedwater pump motor circuit.

The 01 did not instruct the operators-to use the ground detector on an unfaulted bus (bus 1A ground detector, in this case) to verify the authenticity of the detector on another bus which is indicating a fault. Nor did the OI direct operators to tie a faulty bus to a fur:ctioning bus as a means of transfering power or load. Yet the operators did close tie breaker 11001.three times when a ground fault was present on bus IC. When bus 1C and 1A were thus connected, auxiliary transformer A and auxiliary transformer C (X winding) were operating in parallel. The transformers were operated in parallel three times for periods ranging from 5 seconds to 5 minutes.

Operating two transformers in parallel supplying a faulty 4160-V bus is not appropriate for the following reasons:

1. The ground fault on the ungrounded delta-connected transformer secondary is being supplied by a neutral grounded wye-connected transformer secondary, thus providing a fault current path back to a source.

2. The 4160-V switchgear is not rated to handle phase-to phase or short-circuit faults should they occur while the buses are energized from the switchyard through two transformers in parallel. (This is the same reason why current-limiting reactors are installed in auxiliary transformer C leads while the diesel generators are run in parallel with the transformer.)

3. Feeding a fault from two sources will exacerbate the situation and could lead to the fault tripping both sources.

4. Parallel operation of transformers, especially ones with unequal impedances, would lead to circulating currents being set up between them.

5-3

OI S01-9-7 did not include specific warnings regarding parallel operation of transformers and other sources while a fault exists in the electrical distribu-tion system. (Momentary parallel operation between functioning sources should be permitted; however, where continued parallel operation is required, the system should be designed for it.)

5.2 Unit Trip and Loss of All AC Power On depressing the unit trip pushbutton, the following events occur.

the turbine trips the generator exciter field breaker opens the 4160-V bus IA source breaker 11A04 opens 4160-V bus 1B source breaker 11804 opens an auxiliary relay (UT-X) energizes which in turn trips generator output 220-KV breakers 4012 and 6012 (and energizes another auxiliary j relay for local breaker failure backup protection).

During the event, the unit trip pushbutton was depressed 19 seconds after j auxiliary transformer C tripped. At this point, when breakers 4012 and 6012 opened and power from the switchyard through auxiliary transformers A and 8 to 4

4160-V buses 1A, 18 and 1C was isolated, all ac power to the in plant ac distri-bution system was lost. Only the plant dc system and the inverter powered vital buses (all battery powered) remained operational. The utility bus was now without power. The 4160-V bus 1C undervoltage relays actuated and, with the existing loss of bus 2C, initiated generator lock-up and the loss of voltage auto transfer scheme. Both emergency diesel generators received a start signal and started (diesel generator 2 was already running from a previous signal).

] The control room operators were following Emergency Operating Instruction (E0I)

S01-1.0-10 for reactor trip or safety injection. Step 3 of this instruction requires verification that buses IC and 2C are energized. With these buses i

deenergized, the operators turned their attention to the loss of all ac power instruction, S01-1.0-60. Step 1 of this E0I requires verification of offsite power at the 220-KV switchyard, which the operators did by reviewing the-vol-tage indication in the control room. Step 2 requires a check for SI initiation on the reactor panel first-out annuciator window 2 (RPF0-2). The alarm window was lit, indicating SI actuation; however, this was a spurious alarm and the operators were aware that it would come in on loss of ac power. (See section 8.2 for an explanation of this spurious actuation.) Operators in the control room then checked the SLSS load group lights on the SLSS surveillance panels located on the vertical diesel generator boards and observed that they were not lit, indicating SI had initiated. (See section 8.3 for a discussion on the spurious indication of SLSS load group lights.) The operators then checked the status of pressurizer pressure and containment building pressure, determined that an SI was not warranted and concluded that SI had not initiated.

At step 3a of the E0I, the operators are expected to wait for the automatic operation of the loss of voltage auto transfer scheme to complete and the end-of-sequence light to light. However, the end-of-sequence light did not illuminate. An operator depressed the unit trip reset pushbutton, to enable

. closure of 220-KV circuit breakers 4012 and 6012, but the reset did not occur.

because this action was apparently taken before the generator 18-KV motor-operated disconnect (MOD) opened. The operator at the electrical board checked the-l status of the generator MOD, which was, by then, open as required, and'the 5-4

status of the source breakers to buses 1A and IB (11A04 and 11804) and the tie breakers of buses 1A-1C and 18-2C (11001 and 12C01), which, contrary to expectations, were not all closed. The E01 did not address this particular situation and the control room operators decided to recover power from the switchyard to feed the 4160-V buses one at a time. They attempted to close 220-KV circuit breaker 4012. The first attempt failed because the operator did not depress the synch check bypass pushbutton (see section 4.12.2.1 for a des-cription of closing operation of this breaker). The second and third attempts are believed to have failed because the unit trip reset had not reset the gener-ator lock-up, and breaker 4012 tripped free when the two attempts were made.

(These two attempted closures and trips of breaker 4012 are seen in the oscillograph traces.) After the failures in closing breaker 4012, the operator at the J console again pushed the unit reset button. The operator at the vertical panel tried to close breaker 6012. The first attempt failed because he did not depress the synch check bypass button. The second attempt was success- l ful, following the activation of the synch bypass button. The operator then l closed breaker 11A04 energizing buses 1A and IC (bus tie breaker 11001 was already closed), followed by closing 11804 and 12C01. Thus, four minutes af ter loss of all ac power, power was returned to the station distribution system.

The evaluation of the operator response to the unit trip, loss of all inplant ac power and spurious indication of safety injection actuation, is discussed in Section 7.

The operators were expecting the end-of-sequence light indicating the comple-tion of the auto transfer scheme 2 minutes after loss of ac power. However, based on a review of the scheme, the time required could be closer to 4 minutes.

The shooting actual of time required the transfer will have to be determined during the ongoing trouble-scheme.

The operators' lack of knowledge regarding the timing of this scheme points out inadequacies in SCE's previous test program and in the training operators received on the response characteristics of this system. I The difficulties experienced by the operators during their attempts to recover power from the 220-KV switchyard indicate inadequacies in.their training and understanding of the following:

1

1. Unit trip and generator lock-up reset.

2. 220-KV circuit breaker closing operation, with and without synchronizing check.

3. Loss of voltage auto transfer scheme.

Although both diesel generators were ready and available to supply emergency power to the station during this period, the operators did not use them since 220-KV offsite power was available. Had the operators been unsuccessful in closing either circuit breaker 4012 or 6012, they stated that they would have used the diesel generators to supply power to the station. The procedures are not clear as to when this is to be done.

Just prior to auxiliary transformer C differential trip, the electrical techni-cian was given permission to rack out (remove) the transformer X winding reac-tor bypass breaker. Had he done so, the control room operators would not have been able to close the output breaker of diesel generator 1 because of the elec-trical interlock between the two breakers. A review of the interlock circuit shows this to be a design deficiency.

5-5

m. ___- ._

6 WATER HAMMER EVALUATION This section discusses the water hammer which occurred at SONGS-1 on November 21, 1985, its underlying causes and the damage incurred. Since failed check valves in the feedwater piping were the underlying cause, this section also discusses valve maintenance and inservice testing related to these valves. To clarify the discussions that follow, a brief review of water hammer phenomena and com-monly accepted definitions are provided.

Hydraulic instabilities occur frequently in piping networks as a result of changes in fluid velocity or pressure. Some of the better understood occur-l rences include induced flow transients due to starting and stopping pumps, opening and closing valves, water filling voided (empty) lines, and pressure changes due to pipe breaks or ruptures. As a consequence of the change in fluid velocity or pressure, pressure waves are created which propagate through-out the fluid within the piping network and produce audible noise, line vibra-tions and, if sufficient energy transfer occurs between the pressure wave and the pressure boundary, structural damage to piping, piping supports and attached equipment. More specifically, this pressure transient is a fluid shock wave in which the pressure change is the result of the conversion of kinetic energy into pressure waves (compression waves) or the conversion of pressure into kinetic energy (rarefaction waves). Regardless of the underlying causes, this phenomena is generally referred to as water hammer. The more severe the out-come, the higher the likelihood is of the event being called a water hammer.

Water Hammer Definitions

1. " Classical water hammer" generally identifies a fluid shock, accompanied by noise, which results from a sudden, near instantaneous, stoppage of a moving fluid column. Unexpected valve closures, back flow against a check valve, and pump startup into voided lines where valves are closed downstream are common examples of underlying causes leading to " classical" water hammer and are generally well understood.

Analytical methods have been developed to predict loads for this type of fluid hammer and include the effects of initial pressure, fluid inertia, piping dimensions and layout, pipewall elasticity, fluid bulk modulus, valve operating characteristics (time to open or close), etc.

2. " Condensation-induced water hammer" results when cold water (such as auxiliary feedwater) comes in contact with steam. Conditions conducive to this type of water hammer are: an abundant steam source and a long empty horizontal pipe run being refilled slowly with cold water. The cold water will draw energy from the steam with the rate of energy transfer being governed by local flow conditions. As the steam condenses, addi-tional steam will flow countercurrent to the cold water, and as the pipe fills up (i.e., the void decreases) the steam velocity will increase, setting up waves on the surface of the water, eventually entraining water and causing slug flow. Slug flow will entrap steam pockets and promote 6-1

significant heat transfer between the steam and colder water. Figure 6.1 illustrates (in simplified form) the flow conditions which would come about during the refilling of a voided horizontal feedwater line. Once slug flow conditions commence, a steam pocket will suddenly condense, creating a localized depressurization instantaneously. The resulting pressure imbalance across the slug (approximately 700 psi at SONGS-1) causes the slug to accelerate away from the source of pressure and toward the region of condensation.

Condensation is extremely rapid and predicting the exact location is im-possible. When the water slug suddenly strikes water in a previously

, filled pipe, it produces a traveling pressure wave which imposes loads of l the magnitude that would be induced by " Classical" water hammer in the piping network. This phenomenon, called " condensation-induced" water hammer, occurred at SONGS-1.

Predicting loads associated with this type of water hammer is extremely difficult because of the interactive and complex hydrodynamic and heat transfer phenomena which proceed the sudden condensation. Void fraction (or how empty the pipe is) and subcooling (or how much colder the water is than the saturation temperature of the steam when steam and water come in contact) are two important parameters currently used in models for pre-dicting this type of water hammer occurrence and its associated loads.

3. " Steam generator water hammer" (SGWH) is a condensation-induced water hammer which has occurred principally in pressurized water reactors (PWRs) l with steam generators having a top feedring for feedwater injection. The l

underlying causes are similar to those discussed above (e.g., voiding of l the horizontal feedring and feedwater piping immediately adjacent to the steam generator and subsequent injection of cold water). Damage from SGWH has generally been confined to the feedring and its supports and to the steam generator feedwater nozzle region. However, damage to feedwater line snubbers and supports has also occurred at other plants. A SGWH resulted in a fractured weld in a feedwater line at Indian Point Nuclear Power Plant, Unit 2 in 1972.

6.1 Plant Conditions Leading to Water Hammer Plant conditions at 50NGS-1 which led to a steam condensation-induced water hammer included the voiding of long horizontal lengths of feedwater lines (which allowed for a backflow of steam from all steam generators before opera-tors isolated the FW lines by closing MOVs-20, 21, and 22) and the subsequent refilling of the FW lines with relatively cold (i.e., less than 100 F) AFW.

Table 3.1 highlights approximate times and events which are pertinent to esta-blishing water hammer conditions and which are referred to later in this dis-cussion. Figures 4.3, 4.4, 4.5, G.2, 6.3, and 6.4 describe the flow circuits, valves and other equipment affected by this water hammer.

Upon detection of the fault on C auxiliary transformer, relay protection de-energized 4KV bus 2C, de-energizing the east-side main feedwater (MFW) pump FWS-G-3A (Table 3.1). The continued. operation of west-side MFW pump FWS-G-3A, due to the unusual electrical alignment, plus the failure of the east-side MFW pump discharge check valve FWS-438 to seat, resulted in the overpressurization and failure of the east flash evaporator tube and shell side. The subsequent 6-2

unit trip de energized the west-side MFW pump and denied power to the electric-driven auxiliary feedwater (AFW) pump AFW-G-10S. With the cessation of flow to the steam generators, the failure of check valves FWS-438 and FWS-439, and the failure of the three check valves in all the feedwater control circuits (valves FWS-346, FWS-345, and FWS-338), a path was provided to blowdown all three steam generators through their respective feedwater lines to the atmosphere through the failed flash evaporator.

Tle; drop in the steam generator water level following the unit trip initiated tts AFW system, but the electric pump was de-energized and the steam-driven AFW pump AFW-G-10 took 3 minutes to deliver flow, because of a programmed warmup period for the turbine. Thus, for 3 to 4 minutes no flow was being provided to the steam generators and the leaking check valves permitted the horizontal feedwater lines to void. Further, the initiation of AFW flow at about 135 gpm i

from the steam-driven pump was not effective in halting the voiding, because

! flow was being carried away from the steam generator by the steam blowing down l from the steam generators, through the failed check valves in all three FW con-trol stations and out the leak in the flash evaporator.

Figure 6.5a presents data from temperature recorder TR-456, which records the temperature of fluid in the feedwater line in the common header just upstream of the FW flow control stations. The recorder and pen failed due to the loss of station power but, following re-energization, indicated a sharp rise in temperature (indicative of the presence of steam in the FW line), followed by a rapid drop in temperature (indicative of the injection and mixing of AFW in the fluid passing the sensor), followed by a tailing off of temperature (indicative of the closure of the motor operated isolation valves). In addition, tempera-

, ture recorder TR-96 (Figure 6.5b) data from sensors upstream of the east and west MFW pump suction locations demonstrated a similar temperature increase to about 385 F and then a drop in temperature. In order to have the rise shown by TR-96 (which is about 20 feet lower than TR-456 and has an intervening volume of about 2500 gallons of 300 to 365 F water) a blowdown of a significant portion of the feedwater lines upstream of the FW regulating valves must have

occurred.

Following restoration of unit power, the motor-driven AFW pump (AFW G-105) started automatically, increasing the indicated AFW flow rate to a preset rate of 155 gpm per steam generator. However, all three steam generator levels continued to drop since the FW check valves remained open, the main steam sys-tem had not been isolated, and steam generator blowdown had not been isolated.

Subsequently, operators, following an emergency operating procedure for reactor trip response, isolated the failed FW check valves by shutting the three FW control isolation valves, MOV-20, 21, and 22 at approximately 04:55. Isolation of the.feedwater trains occurred before the water hammer in loop B.

Subsequent to the isolation of the main FW loops, and recognition in the control room that both AFW pumps were delivering water, the operators become concerned 4

for the over-cooling of the primary reactor coolant system and the decrease in pressurizer (PZR) level, at which time operators decreased AFW flow from 155 gpm to zero, and then back up to 40 gpm. The estimated time for AFW flow reduction is 05:00. Thus, refilling the FW lines downstream of the flow control stations was halted and then resumed at a much lower flow rate. This decrease in AFW flow rate adversely influenced the pipe refilling characteristics, particularly in Loop B.

6-3

The slow refilling of the FW lines within the containment building continued from approximately 05:00, when AFW flow was first throttled back to when the water hammer was reported to have occurred at 05:07 by a plant equipment operator. As noted previously, conditions conducive to steam-condensation water hammer in the feedwater lines were present for quite some time. The gross failure of upstream check valves which permitted water to drain from the feedwater lines and be replaced with steam was the underlying cause for water hammer. Leaky chack valves have been previously cited in reports of other water hammer occurrences. Five check valves are known to have been failed at SONGS-1 on November 21.

Estimates of feedwater line voiding and refilling are discussed in Acpendix B.

Figure 6.6 illustrates hypothesized refilling conditions in loop B prior to the water hammer. The much larger voided volume of loop B and manual control of AFW injection following closure of M0Vs-20, -21, and -22 (p wticularly total stoppage of AFW) were major factors in establishing conditions which triggered this water hammer. Appendix B discusses the refill aspects in more detail and j also provides estimates of pipe void conditions when water hammer occurred and l I

provides estimates of water hammer loads based on damage done to piping supports.

Post-event water hammer load calculations estimate that a 1-2 percent void I existed when the steam pocket collapsed; the probable location of that steam pocket is that shown in Figure 6.6.

6.2 Water Hammer-Induced Damage The next four sections detail water hammer-induced damage to Loop B feedwater piping and supports, the FW Loop B flow control station, and to Loop B auxiliary feedwater (AFW) piping and feedwater system check valves.

6.2.1 Piping and Piping Support Damage Damage to the Loop B FW piping was confined to plastic yielding of the NE elbow and to a visible crack on the outside of the pipe, extending approximately 80 inches axially. The crack penetrates approximately 30 percent of the pipe wall at its deepest point from the outside and approximately 25 percent on average.

Damage to supports, in some instances, was severe. This section provides a narrative and pictorial description of the damage visible after the FW piping insulation was removed.

Figure 6.7 shows the FW Loop B piping layout and identifies the piping support stations where damage occurred. This figure also provides directional orienta-tion and indicates piping dimensions. Figure 6.8 shows principal areas of damage, indicates how the pipe moved, and highlights the narrative and picto-rial "walkdown" which follows. Table 6.1 provides a narrative description of the piping and sup ort station damage shown in Figures 6.9 through 6.30, and identifies those support stations.

The water hammer forces were sufficiently large to damage pipe supports and piping and to transmit loads through the containment building penetration structure outward to the B Loop feedwater regulating station. No damage was evident to the steam generator B feedring or nozzle region that can be attri-buted to water hammer, nor was there evident damage or movement to the piping between support H00C and the steam generator B feedwater nozzle (Figure 6.9).

6-4 l

6.2.2 Feedwater Loop 8 Flow Control Station Damage The water hammer originating in the feedwater line within the containment build-ing generated Loop a water B flow control slug which transmitted a pressure wave upstream to the station. Check valves FWS-346 and FWS-378, downstream of the control valves, were designed to prevent backflow, although post-event in-spection revealed that the closure disk for FWS-346 was laying in the bottom of the valve chamber. Thus, any closed valve would be subjected to the water hammer loads.

In addition to check valve FWS-378, the flow control valve (FCV)

FCV-457 and motor operated valve MOV-20 were subjected to the water hammer loads, because they Operating had been(E01).

Instructions closed by operators following procedures in the Emergency Figure 6.30 shows steam generator 8 feedwater piping and valving at the Loop B control station (outside the containment building). Figures 6.31 through 6.34 illustrate the piping and valve conditions found after the occurrence of water hammer.

The 2-inch bleed bypass line suffered minor damage. Figure 6.35 illustrates the relative positions of the main FW (10-inch line) and FW bypass (4-inch line) flow lines and the damaged check valve locations.

Because check valve FWS-378 was intact and operational, it was subjected to water hammer loads and absorbed much of the water hammer energy whereupon the bonnet studs yielded and the gasket was forced outward against the studs (Fig-ures 6.36 and 6.37). The failure of the gasket relieved much of the internal pressure, tion. thereby minimizing damage to other equipment and valves at this sta-However, FCV-457 did incur damage to the flow actuator yoke, as shown in Figures 6.38 and 6.39; and disassembly revealed a bent valve stem.

Further discussions and illustrations of valve conditions (which were found upon disassembly following this event) are provided in Section 6.2.4.

6.2.3 AFW Piping Damage The AFW injection point to the main feedwater piping at SONGS-1 occurs in the "Figures breezeway" upstream 6.40 and 6.41. of the containment building steel shell, as shown in tie into the main feedwater (MFW) line.The AFW lines run horizontally and then verticall containment building penetration function. Figure 6.40 also shows the Loop B Water hammer loads were imposed on AFW Loop B piping, as is evident from the pipe motion recorded in Figures 6.42 through 6.45. Although pipe movement extended several hundred feet upstream, there was no evidence of piping damage.

6.2.4 Valve Malfunctions and Damage Post event disassembly and examination of valves that contributed to water hammer conditions confirmed that check. valve failures were the underlying causes(s) for the occurrence of water hbmmer. Inspection findings identified the following valve conditions:

Valve Description As-Found FWS-345 MFW Reg Check Disc separated from hinge SG A arm, disc stud broken (threaded portion).

6-5

Valve Description As-Found FWS-346 MFW Reg Check Disc separated from hinge SG B arm, disc stud deformed.

FWS-398 MFW Reg Check Disc nut loose.- Disc SG C partially open. Disc caught inside of seat ring.

FWS-438 FWP Discharge Check Disc nut loose. Disc partially open. Disc caught on inside of seat ring.

FWS-439 FWP Discharge Check Disc nut loose. Disc partially open. Anti-rotation lug lodged under hinge arm.

The following observations were common to the MFW regulator check valves:

- 1. Severe wear was evident under the hinge arm; the wear spots were bright. The wear was caused by the disc anti-rotation lugs rotating  ;

against the hinge arm. l

2. The surface around the hinge arm stem hole contacting the disc nut )

was recessed, as if the nut had been ground into the hinge arm forming " ball and socket"~like surfaces.

3. The underneath surface of the bonnet stop was heavily hammered.

4. There is evidence that the disc nut was pinned to the disc.

5. All the valves had anti-rotation lugs welded to the disc.

The following observations were common to the main feedpump discharge check valves (FWS-438 and FWS-439):

1. The disc nuts were loose.

2. The discs were partially open.

3. The disc nuts and washers were in place.

4. Neither the disc nut nor the disc stud was drilled to' accommodate the locking pin.

5. There is no evidence,on the disc stud of its being hammered against the bonnet stop.

The following sections illustrate valve damage.

6.2.4.1 Swing Check Valve FWS-346 This 10-inch swing check valve in feedw te' line B'is the first backflow barrier between SG B and the Loop B flow control .tation. Figure 6.46. illustrates a typical flange-end swing check valve design of the type extensively used in the 50NGS-1 feedwater system.

Disassembly of FWS-346 revealed ~that the closure disk was laying in the bottom of-the cavity, as shown in Figure 6.47. Thus, there was no back flow barrier 6-6

to prevent drainback until the operators manually closed valves MOV-20 and FCV-457 at approximately 9 minutes into the transient.

Figures 6.48 through 6.54 show FWS-346 components and the valve body cavity.

The seat surface of the disc face did not exhibit noticeable damage (see Fig-ure 6.49), although there were two cuts (on the mating face in the valve body) as seen in Figure 6.48. Damage to the disc nut pin is shown in Figure 6.50.and the worn hinge pin hole is shown in Figure 6.51. SCE personnel stated that the nut had previously been pinned and evidently worked loose over a period of time. The worn pin hole and damaged disc stud are evidence of continual opera-tion with a loosened or lost nut. Figure 6.52 and 6.53 show the bottom side of the bonnet and the' disc stop cast into the bonnet. Damage caused by continual impact during operation is evident. Figure 6.54 is a composite photograph of the FWS-346 valve cavity, looking towards SG B. Scratch marks at the bottom support the hypothesis that the disc had been laying free in the bottom of the valve bodf for some time.

As noted above, post-event inspections of the check valves in feedwater loops A and C (FWS-345 and FWS-398) also revealed a failed condition.

6.2.4.2 Swing Check Valve FWS-378 FWS-378, a 4-inch swing check valve of similar design to FWS-346, is the valve location at which the gasket failed. Figures 6.55 through 6.58 show the valve after disassembly. It did not appear to be damaged internally as a result of the water hammer, although, the disc seating surface displayed multiple cracks across the sealing surface. The deformed gasket which failed and relieved water hammer pressure loads is shown in Figure 6.55. Figure 6.58 shows one of the elongated bonnet studs which had been stretched about 1/2 inch.

6.2.4.3 Swing Check Valves FWS-438 and FWS-439 FWS-438 and FWS-439 are 12-inch swing check valves located upstream of the east-side and west side FW pump, respectively. - The failure of FWS-438 to fully close is believed to have resulted in the overpressurization and rupture the i

east-side flash evaporator.

Figure 6.59 illustrates FWS-438 "as-assembled" and "as found" following post-event examination. The nut had loosened and the disk had rotated the anti-rotation " nub" under the hinge arm, thereby preventing the disc from returning to the full seal position. Figures 6.60 and 6.61 show the topside of the FWS-438 check disc. Evidently one nub had oeen subjected to impact for some time (Fig- .

ure 6.60). There was no provision for a locking pin 'in disc nut pin FWS-438.

Post-event inspection also revealed a similar failure of the west-side FW check valve (FWS-439).

6.3 NRC Evaluations of Water Hammer 6.3.1 History and Focus During the early 1970s, the NRC staff became awarc of the increasing frequency of water hammer occurrences in nuclear power plant systems and developed con-cerns for the potential challenge to system integrity and operability that 6-7

. , , , , - - - _ 3 -r_,-, y -t , , _ . +, - --e,+y-~ . .y-

could result from these incident's. For pressurized water reactors, the major contributor to the increased frequency of these incidents was a phenomena called steam generator water hammer (SGWH) (defined in the opening of this section). The significance of these events varied from plant to plant; how-4 ever, NRC was concerned that a severe SGWH might develop that would cause a complete loss of feedwater and would, therefore, effect the ability of a plant to cooldown after a reactor trip.

l Following the SGWH that occurred at Indian Point Unit 2 in 1972, which resulted i in a circumferential weld idilura in one of the feedwater lines, NRC sent inquiries and questions to all utilities (including SCE) requesting design and i operational information describing design features for avoiding SGWH. In 1978, the generic subject of water hammers was declared to be an unresolved safety

issue (USI A-1), and therefore, received increased NRC and industry attention.

SGWH is associated with the draindown of top feedrings and, therefore, NRC attention was directed at the feedring design, and internal SG components near the FW nozzle. Experience had revealed that internal damage to the feedring and supports could occur. Thus, the modifications implemented to prevent SGWH generally required installation of J-tubes to delay draindown of feedrings, short horizontal runs of FW piping adjacent to the SG feedwater nozzle to mini-mize the magnitude of water hammers, limits on AFW flow rates to avoid too rapid an injection of cold water, etc. In general, attention focused on the internal structure and design of the steam generator rather than on conditions in the FW lines and flow control stations.

The NRC was aware of the possibility of developing condensation-induced water -

i hammer extending back into the feedwater piping as a result of line voiding '

because of a water hammer occurrence at the KRSK0 plant in Yugoslavia in 1979.

i Limited information on that event suggested that leaky check valves or preoper-ation pump testing (i.e., start and trip tests), or both, were the underlying causes. However, similar occurrences had not been reported for U.S. plants and, apparently check valve failures were not considered a significant contrib-utor to feedwater svitem water hammer by NRC. The Team conducted interviews of NRC staff involved in the resolution of USI-Al and reviewed staff reports gener-l ated by tho. The Team did not identify any citable references, decisions or

! discuss 4ns specifically related to why the scope of the staff's activities

, associated with the resolution of USI A-1 did not include the potential for and prevention of feedwater water hammers resulting from voiding of main feedwater lines due to leaky feedwater check valves. Implicit in the reliance NRC placed

on "J" tubes to prevent steam generator feedring voiding, thereby preventing i SGWH, was an assumption that feedwater system check valves do not leak. As a i result, the Team conducted additional interviews of NRC staff involved in approv-ing licensee inservice testing programs for safety-related valves. However, the i

Team failed to identify citable references, decisions, or discussions which

- demonstrated that inservice testing programs for safety-related feedwater system j check valves were specifically to be reviewed against criteria that would assure NRC could rely upon the check valve integrity to prevent voiding of feedwater J lines. It appears that the NRC did not consider feedwater piping water hammers q due to failed check valves to be a substantial contribution to the body of reported i occurrences and, therefore, did not pursue this issue further.

A compilation of water hammer occurrences, underlying causes, systems affected, and corrective actions taken is contained in NUREG/CR-2509 (Reference 1).

6-8 i

NUREG-0918 (Reference 2) summarizes (1) the causes of SGWH, (2) various mea-sures employed to prevent or mitigate SGWH, and (3) the nature and status of modifications that have been made at each operating pressurized water reactor plant. NUREG-0927, Rev. 1 (Reference 3) summarizes technical findings relevant to USI A-1, " Water Hammer," and provides insights into means to minimize or eliminate further water hammer occurrences. NUREG-0993, Rev. 1 (Reference 4) contains the regulatory analysis for USI A-1, and documents public comments received and staff response or actions taken in response to those comments on the resolution for this USI.

6.3.2 SONGS-1 Water Hammer History and Evaluations There have been a number of water hammer occurrences at SONGS-1, dating back to 1969.' Five such occurrences are summarized in NUREG/CR-2509 (Reference 1),

three of which involve the feedwater system. The April 29, 1972, January 14, 1974, and May 14, 1979 occurrences damaged FW control valves and piping supports in the main steam and feedwater lines. However, none of these events were attributable by SCE to SGWH, but rather to improper installation of piping supports, inadequate design, faulty flow controller hardware, etc.

Correspondence between the NRC and SCE dating back to 1975 (References 5 to 14) clearly indicates NRC and SCE preoccupation with the prevention of steam gener-ator water hammer (SGWH). NRC concluded (Reference 13) that backfitting SONGS-1 steam generators (to install J-tubes on the feedrings) was not warranted because of: (a) existing design features (i.e., the small horizontal length of FW pip-ing at the SG nozzle was not long enough to allow a steam pocket to form), and (b) that SGWH had never occurred at SONGS-1. Since SGWH had never occurred (although it had occurred in other Westinghouse PWRs), the probability of occur-rence was judged to be very low. As a-result, NRC also waived the need for estimating SGWH loads on FW piping and supports (Reference 14). Followup inter-views by the Team with NRC staff who were involved in previous SONGS-1 water hammer reviews supported the above findings that NRC's concerns were with the prevention of SGWH and not gross voiding of the feedwater lines.

The potential for cold AFW injection to cause water hammer was also included in the Team's evaluation of the references cited and in followup reviews (Refer-ences 15 to 19). The establishment of an upper AFW flow rate limit (i.e., 1_50 gpm per SG), as recommended by Westinghouse (Reference 16), was considered ade-quate and accordingly, operators were alerted in the E0Is not to exceed this flow limit whenever the feedring was uncovered to avoid creating SGWH conditions.

Team members met with SCE staff on December 13, 1985 (Reference 20) and SCE reviewed the SONGS-1 AFW system in terms of the original designs, upgrades (i.e., seismic upgrades), TMI Action Plan requirements, etc. These discussions also delved into prior water hammer occurrences and evaluations (References 5-to 15). Although this_ meeting did not uncover any significant new information, it illustrated the belief that SGWH would not occur, since it had not occured previously, despite numerous feedring uncovery transients, and that limits on AFW flow rate were sufficient to preclude such an occurrence.

6.4 Valve Inservice Testing The ASME Boiler and Pressure Vessel Code,Section XI, which specifies valve inservice testing (IST) requirements for these feedwater check valves, states:

6-9 i

Valves.shall be exercised to the position required to fulfill their function unless such operation is not practical during plant operation . . . Valves that cannot be exercised during plant operation shall De specifically identified by the owner and shall be full-stroke exercised during cold shutdowns.

Full-stroke exercising 'during cold shutdowns for all valves not full-stroke exercised during plant operation shall be on a frequency determined by the intervals between shutdowns as follows: for intervals of 3 months or longer, exercise during each shutdown; for intervals of less than 3 months, full-stroke exercise is not required unless 3 months have passed since last shutdown exercise.

Additionally, the NRC staff position on cold shutdown testing of val'ves is as follows:

1. The licensee is to commence testing as soon as the cold shutdown.

condition is achieved, but not later than 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> after shutdown, and continue until complete or the plant is ready to return to power.

2. Completion of all valve testing is not a prerequisite to return to power.

3. Any testing not completed during one cold shutdown should be per-

! formed during any subsequent cold shutdowns starting from the last test performed at the previous cold shutdown.

1 In 1977, SCE submitted its IST program to the NRC for review and approval. The

, program was revised in 1979 and 1983 in response to NRC comments and resubmitted to the NRC 'in January 1984. The IST program for SONGS 1 hes not yet bien ap-proved by tha NRC (as of January 1386). NRC staff interviewed by the Team at-l tribute the delay in approval of the program to (1) the long-term existence of j open issues for which SCE did not propose timely resolution and to (2) NRC re-view scheduling problers. SCE implemented the proposed program while awaiting

, NRC approval.

The feedwater system check valves are all periodically tested in the closed j position. The main and bypass feedwater regulating check valves are'normally tested in cold shutdown (Mode 5) and the feedwater pump discharge check valves j are tested in hot standby (Mode 3).

The Team reviewed the operating history for Unit 1 for the period from November 1984 (last refueling outage) to November 1985~to ascertain when IST could have been performed for the feedwater check valves (i.e., during plant shutdown last-ing more than 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br />). The periods that IST could have been performed include:

November 1984 Startup after refueling outage February 9-25, 1985 17 days

, May.1-11, 1985 10 days 3

August 21-30, 1985 10 days j -September 19-23, 1985 5 days The IST surveillance recceds were then reviewed for each of the valves. These

,> records indicate that ~zhe valves were last tested as follows:

6-10 i

, _ , - - . . , y + - . - .-- , , , - , ,-% ~ - , , ,p.-.,.4_ ... , ,_,- ,,. . . ,-,,m , _ , - - - ~

Valve Description Last Tested Pass FWS-438 East feedwater pump discharge check November 1984 yes FWS-439 West feedwater pump discharge check November 1984 yes FWS-345 A loop FCV-456 check February 1985 yes FWS-346 B loop FCV-457 check February 1985 yes FWS-398 C loop FCV-458 check February 1985 yes FWS-379 A loop CV-142 check October 1984 yes FWS-378 8 loop CV-144 check October 1984 yes FWS-417 C loop CV-143 check October 1984 yes There are 121 valves that are subject to IST during cold shutdown. Although IST was performed during each outage, all of the valves were not tested.

Consequently, the feedwater valves were tested only one time since October IP'"'.

The available opportunities for valve IST were not always fully utilized due to higher priority operational requirements.

1 Surveillance test procedures for verification of check valve closure for the i

' main feedwater pump discharge valves (FWS-438 and FWS-439) require one main feedwater pump to be running while the other pump is stopped. The discharge valve at the idle pump is then opened and the pressure is monitored between the pump and its discharge check valve. An increase in pressure or an operator observation that the pump is rotating backwards would indicate that the check valve is not closed. While providing reasonable assurance of check valve closure, this testing method also subjects the low pressure pump suction piping to some relatively high discharge pressures if the check valve failed to close (as in the November 1985 event) and thus damage is possible to such components as the flash evaporator. Testing with the idle pump suction valve shut would provide a more rigorous test.

Surveillance test procedures for verifying that the other main feedwater check valves are closed require testing to be performed during plant cold shutdown-with the steam generators filled to above the feedring. The motor operated valve upstream of the check valves is closed and the drain valve between this valve and the associated check valve is opened. The column of water in the steam generator provides approximate,y 4.5 psi differential pressure across the valve to provide the closing force on the check valve disc. The procedure states that this section of piping is to be drained, and that little or no flow from the drain should be verified. This test procedure leaves the surveillance operator to make the decision about how much flow is "little" and thus indica-tive of positive verification of check valve closure. The IST records do not provide a means of determining if flow occurred or its extent, or for verifying that complete valve cavity drainage occurred before a determination was made that "little, or no flow" occurred.

Valves FWS-345 and FWS-346 failed the IST on February 24, 1985 when tested dur-ing Mode 5 (cold shutdown). Maintenance work orders were prepared to repair both valves. However, on February 26, 1985, a "Non-routine and Increased Fre-quency IST" was performed during Mode 3 (hot standby), and the valves passed. I During Mode 3 the steam generator pressure increased the force available to  !

seat the check valves (to approximately 700 psia) and thereby have enabled them to pass. Testing at the higher differential pressure provides a more rigorous test.

The work orders were then cancelled and no corrective maintenance was performed.

6-11

6.5 Feedwater System Check Valv'e Maintenance The main feedwater pump discharge check valves (FWS-438 and FWS-439) were last disassembled, inspected and reassembled on May 5, 1980. All internals and seating surfaces were reported to be in good condition. No additional recorded maintenance since that time has been found.

Maintenance on the main feedwater regulator check valves (FWS-345, FWS-346, FWS-398) dates back to the SONGS-1 refueling outage in 1975. The maintenance history can be summarized as follows:

1975 Refueling:. Inspected three main feedwater regulator check valves and installed new internals in all three check valves.

1977 Refueling: Inspected and installed new internals in all three check valves.

I 1978 Refueling: Inspected all three check valves, found no problems, cleaned parts, and reassembled valves.

1980 Refueling: Inspected all three check valves, replaced cotter pins, washers and nuts on flappers, and reassembled.

SCE personnel could not identify any other completed maintenance work orders for any of the check valves in the feedwater system. However, a cancelled work order was found for FWS-345 (M0 #84103233000) and FWS-346 (o0 #84103232000),

the feedwater regulatory valve check valves for steam generators A and B, re-spectively. These work orders originated about October 26, 1984 because each valve had failed IST according to the problem stated on the work order. The work orders were cancelled on October 28, 1984, although the reasons for their cancellation were not stated. Further, a review of the completed surveillance test results for October 1984 indicated that both valves passed. The Team was not able to identify the reasons for these apparent discrepancies.

A 1976 SCE incident report summarized a failure of the 8 feedwater check valve (FWS-346) that was identified by an unusual noise near the feedwater regulator valve (similar to the noise in June 1985 discussed below). When the valve was inspected, workers found that the disc had fallen to the bottom of the valve body (as happened during this event). These inspection activities would have been authorized by a maintandnce work order, but SCE could not retrieve a related work order.

6.6 Feedwater Train Noise Investigation On June 24,1985 (Reference 21), a rapping noise was noticed in the breezeway between the containment sphere and the turbine building. Initial investigation with the aide of a stethoscope indicated that the rapping metallic sound appeared to originate from the vicirity of feedwater block valve FWS-342, just downstream of the 10-inch feedwater check valve FWS-346. The block valve was radiographed and the valve manufacturer contacted in an attempt to determine the source of the noise. In a subsequent evaluation (Reference 21), the pos-sible causes of the noise were believed to be: (1) a loose hinge pin in check valve FWS-346; (2) a loose disc is check valve FWS-346; (3) a rattling disc in block valve FWS-342; and, cavitation originating in the area of the check or block valve. Although the exact cause was not determined, SCE concluded that the possible causes did not threaten plant safety and scheduled further testing.

6-12

A presentation was made to the Onsite Review Committee (OSRC) on July 18, 1985.

The presentation is based on an earlier memorandum which summarizes the investigation and concludes:

Station Technical feels that it is safe to continue to operate the Unit since the failure of either valve (block or check) does not decrease the margin of safety of the plant. The components of the valve are large enough to pose only a very remote chance of traveling to and damaging the Steam Generator tubes.

The OSRC concurred with this conclusion. On September 3, 1985, SCE's Nuclear Safety Group reviewed the minutes of the Committee meeting and concluded that the station was taking appropriate action related to the B feedwater train noise.

Maintenance orders were generated to inspect the block and check valves during the next available opportunity, which occurred in October 1985 when the plant was shut down for another reason. However, it was decided to delay the inspec-tion of the valves until the refueling outage scheduled to begin at the end of November 1985, because no variation in the feedwater noise sound level or fre-l quency had been noted.

6.7 Valve Failure-Related Findings Check valve failures caused by partial disassembly while in service do not ap-pear to be unique to SONGS-1 or to the valve manufacturer (MCC Pacific). A limited review of Licensee Event Reports (LER) indicates that these valve fail-ures are not unique. The Team reviewed 33 LERs that identified check valve failures in feedwater systems; these indicated that 11 check valves failed be-cause the disc failed to close or because the disc retaining nuts, studs or locking pins failed to allow proper operation of the check valves, resulting in system backflow. None of these LERs specified that the failed check valves were manufactured by MCC Pacific, who was the supplier of the failed check valves at SONGS-1.

Failure of FWS-438 and FWS-439, the main feedwater pump discharge check valves, may have been due to inadequate valve design, since the disc-retaining nut was not provided with a positive locking device that should have reduced the pro-bability of the disc working loose and wedging into the valve seat and failing open. Additionally, excessive clearances between the hinge and disc assembly allowed the disc to rotate past the anti-rotation devices.

The failure of FWS-346, the B feedwater header check valve, may have been caused by the inadequate hardness of the disc attaching stud, which allowed the threads to strip and the end to mushroom over, conditions contributing to the ultimate valve failure. However, the service conditions (i.e., flow-induced vibration) experienced by this valve may also be a major contributor to failure. Such vibration was suspected during the June, 1985, investigation, and as indicated by the significantly mushroomed end of the valve disc-attaching stud. Failure of FWS-345 and FWS-398, the A and C feedwater regulator check valves, may have been due to similar service conditions.

The cracks in the seating surface of FWS-378, the 4-inch check valve in the B loop bypass line, appear to be service related. However, these cracks may be due to the significant forces on the valve from the water hammer.

6-13

. Failure of the yoke of FCV-457, the 8 feedwater regulating-valve, was probably due to lack of sufficient support or bracing of the valve operator during the pipe movement when water hammer loading occurred.

MCC Pacific Valve Co. Bulletin 400 (1978) cautions owners to' check the opera-tional environment and to avoid conditions that lead to high turbulence which can damage valve internal parts and shorten valve life. This same Bulletin also states (under " Service Recommendations") that:

Service in systems involving rapid and frequent flow reversals, pulsation or excessively turbulent flow should be avoided.

Locating swing check valves away from elbows, equipment, etc.

-within the piping system can often minimize or eliminate problems caused by this type of application. Suspected pro-blem systems should be reviewed with the valve manufacturer before selecting and purchasing swing check valves.

The 1975 SONGS-1 refueling maintenance records for the MFW check valves stated:

Main feedwater check valves internal discs, hinge arms and hinge pins were replaced. Excessive wear was noted on the hinge pins and hinge arms.

Despite this finding,- the Team did not find evidence.that the valve manufacturer was contacted as a followup to any previous check valve deteriorations. .'. ' ' h e r ,

the internals were periodically replaced'and operation resumed.

Spinning of discs and induced damage by turbulence in swing check valves are not a new phenomenon. An article in, Power, February 1983, states:

Spinning of the disc by fluid forces has injured many swing check valves. Sometimes the disc stem has worn completely through, allowing the disc to float downstream. Anti-rotation pins (Fig. 202, p S-42) can prevent this.

This .is the type of valve failure discussed in Section 6.3.4.

These IST procedures do not provide a positive means to detect a damaged, or degraded check valve. Only periodic disassembly, inspection and maintenance can provide such assurance.

6-14

. .r - .

References

'I

1. R. L. Chapman, et al, " Compilation of Data Concerning Known and Suspected

-Water Hammer Events in Nuclear Power Plants, CY1969-May 1981,"

NUREG/CR-2059, May 1982.

2. Anderson, N. and Han, J. T., " Prevention and Mitigation of Steam Generator Water Hammer Events in PWR Plants," NUREG-0918, November 1982.

3. Serkiz, A. W., " Evaluation of Water Hammer Occurrence in Nuclear Power -

Plants, Technical Training Relevant to USI A-1," NUREG-0927, Rev. 1, i March, 1984. ,

4. Serkiz, A. W. , " Regulatory Analysis for USI A-1, " Water Hammer,"

NUREG-0993, Rev. 1, March 1984.

5. K. P. Baskin, Southern California Edison Company (SCEC) letter to R. A.

Purple,NRC,

Subject:

" Secondary System Fluid Flow Instability,"

l July 14, 1975.

6. K. P. Baskin, SCEC, letter to A. Schwencer, NRC,

Subject:

Susceptibility to Steam Generator Feedwater Line Water Hammer Events," December 27, 1977.

l

7. J. B. Moore, SCEC, letter to R. H. Engelken, NRC-R/V,

Subject:

" Degraded 1

Conditions of Hydraulic Snubbers," November 6,1978.

8. K. P. Baskin, SCEC, letter to D. L. Ziemann, NRC,

Subject:

"Information Requested on Feedwater Lines," July 3, 1979.

t

9. J. G. Haynes, SCEC, letter to D. L. Zeimann, NRC,

Subject:

"Information Requested Concerning Steam Generator Water Hammer," August 31, 1979.

10. D. L. Ziemann, NRC, letter to J. H. Drake, SCEC,

Subject:

Steam 1

i Generator Water Hammer," September 12, 1979.

j 11. K. P. Baskin, SCEC, letter to D. L. Ziemann, NRC,

Subject:

" Steam j Generator Water Hammer," February 14, 1980.

12. J. A.

Dearien,

EG&G Idaho, letter to R. E. Tiller, 00E,

Subject:

" Steam Generator Water Hammer Technical Evaluation, San Onofre Unit 1," March 31, i

1980.

13. D. L. Ziemann, NRC, transmittal to R. Dietch, SCEC, Subjert: " Steam Generator Water Hammer," April 22, 1980.

! 14. J. G. Haynes, SCEC, letter to D. L. Ziemann,~NRC,

Subject:

" Steam i Generator Water Hammer San Onofre Nuclear Generating Station Unit 1,"

4 April 22, 1980.

15. K. P. Baskin, SCEC, transmittal to D. M. Crutchfield, NRC,-

Subject:

" Automatic Initiation of Auxiliary Feedwater System SONGS-1," March 6, 1981.

i j 6-15

__._.___.______.__m__ _ . _ . _ _ - _ . _ _ _ . - - _ _ _ _ _ _ _

' 16. Technical Bulletin 75-7, " Water Hammer in Steam Generator Feedwater Lines," Westinghouse Nuclear Services Division, March 9, 1977, Exhibit 89-1.

17. D. G. Eisenhut, NRC, to J. H. Drake, SCEC, Subjecti "

Auxiliary Feedwater System Flow Requirements," November 15, 1979.

18. D. M._ Crutchfield, NRR, to R. Dietch, SCEC, " Auxiliary Feedwater System Automatic Initiation and' Flow Indications (TMI Action Plan Item II.E.1.2),

November 18, 1982.

I 19. W. A. Paulson, NRC to K. P. Baskin, SCEC, " Auxiliary Feedwater System Technical Sepcifications," October 21, 1984.

20. Transcript (Set 3-044), December 13, 1985 Meeting at Rosemead, California.

I

21. Exhibit No. 355, 8 Feedwater Noise Investigation, provided by SCE on December 11, 1985.

i l

1 i

i b

l l

1 s

6-16 i

Table 6.1 Description and Corresponding Illustrations of Feedwater Pipe Damage Following SONGS-1 Water Hammer Description of Component, Support Figure Damage, Motion, Etc. Location (s)*

6.9 This snubber station, the closest to the H00A SG 8, showed no visible damage or pipe H008 movement. The feedwater pipe turns H00C vertically, and at an angle, to rise approximately 10 feet to mate with the SG feedwater inlet nozzle.

6.10&6.11 These support stations were the first HOOD that showed damage (or movement) caused H005 by water hammer. H006

( 6.12 View of FW pipe elbow at northeast corner Downstream

showing dent in pipe that resulted when the H006 pipe hitting the concrete corner and then rebounding.

! 6.13 View of pipe (looking south) showing HOOG movement of approximately 12 inches, slippage of vertical support pads off channel beam structures and downward drop of fit pipe.

I 6.14 View of support HOOG looking in opposite HOOG direction from Figure 6.13.

6.15 View of horizontal and vertical support H00H pads displaced southward approxiately 12 inches.

6.16 Evidence of first lateral motion (east- 120 ward); note deformed vertical structure, and then axial rebounding which displaced pipe supports approximately 12 inches south-ward.

6.17 Close up of scratch marks which show 120 evidence of water hammer forces driving

{ pipe inward and then displacing it 1 northward.

~

6.18 Further evidence of axial displacement of H00J FW pipe on east side wall looking north towards support H00J.

f

• See Figure 6.7 for support locations and identification.

i 6-17 i

1

~

Table 6.1 Description and Corresponding Illustrations of Feedwater Pipe Damage Following SONGS-1 Water Hammer (continued)

Description of' Component, _ Support Figure Damage, Motion, Etc. Location (s)*-

' 6.19, 6.20- A series of photos illustrating damage HOOK 6.21, 6.22 incurred at the support structure down-6.23, 6.24 stream of the southeast elbow. The damage 4

incurred by the structure clearly illustrates the magnitude of pipe motion which occurred during the water hammer pulse.

Permanent set (i.e., bend) in FW at elbow 6.25 near sup-pipe. View at elbow from support i

HOOK and looking west toward support ports HOOK l

' HOOL. Pipe has been bent laterally and HOOL.

south from support HOOL to SE corner i

elbow.

I View showing lateral movement (westward) HOOL I 6.26

! of pipe which resulted in sheared vertical support structure.

,' 6.27 View of spalled concrete and support plate HOOL damaged by water hammer, nuts were. loosened and bolts were missing in wall plates.

i' H00M 6.28 View of piping and support damage just downstream of where FW B line takes a j

90 bend to exit the containment building.

.I Note: (a) bent white stucture showing evidence of eastward motion, (b) vertical l

displacement of pipe until restrained l

vertically by white structure.

l A wide angle-view of supports H00M and 'H00M j- 6.29 H014 1 H014. Snubber at H014 was bent westward and FW piping was driven upward, Shows vertical support bending caused by H015 f 6.30 l

vertical motion of FW piping just down-stream o' containment penetration C-3G.

[

i *See Figure 6.7 for support locations and identification.

i 1

4 6-18

i. .

7"f f 'g TTgW" Nyg_-"

g 1/ -

7 +-

4 a gyyt v -yF "-"T-TT-"F"' **M' "E%r- -7 -+7-' ST?-r-"r4 W94 W*Ud""

F= f$ '?-'Md^f-i3y= WW7--v

1 1

1 U

CONDENSATION SURFACE

\ h M

& L STEAM  %

-Ww 3

a. Stop Valve Has Closed and Refill Starts jOdD If T

REPLENISHMENT OF CONDENSED STEAM _

,,l$.

waan -:::sX:i3!8::s::: -  :::$N,_:,:_:,

b. Cold Water Has Filled Bottom of Pipe I - AFW m

-'N 2  ; :I i:M3;  !

w:

b u

c. Pipe is Nearly Full and Surface Waves Form - AFW P

T STIAM V010$

'sigg$$$2saggliMig[N b

d. Slug Flow Conditions are Established -AFW l

Figure 6.1 Filling of a Voided Feedwater Line l l

l l

l 6-19

h E

I -

~

ani I eg 185a

- a en

> N ii - a B E.

a =

- a=

_s g

~

e E l I

e Ee eB e

e n 5 a

5*

a n

h a R

5 Ov , O-(- i 0-X i ,, ,,

-X 5 x

Ed N$ Mf M$

2 n

VJ kN kN z 8

g N d 5 d &

t t &

g E d a a

& y

- K ,

i_s:

/ i it!

4 5 5 kt o

o y ,

l vnme , unime I

6-20

SG "C" C0mTROLS

SG "C" FAILED GASKET h STRETCHED BOLTS 4

x,wS v s x " BYPASS LWE rwS 372 144 Q'rwS 375 CONCRETE TUR9mE WALL YOKE

, CLOSURE DISK tw C0erROLS FOUND IN BOTTOM /

OF VALVE CAVITY /

U

[ RA0V d '

MIwS

/

IL j ($AAAE CONCtPT AS FOR ~8h FCV p 67 p 20 342 f

1. A M

NM VrwS f

y I *

• AII ~E~

2 WNRM a

Flow  : SC *A" C0ttTROLS Y 7 SG "A" FROAS FEEDwATER TR as Figure 6.3 SONGS-1 Loop ~B" Steam Generator Flow Control Station

l

_ - a

=

=

N3 N3 4 2 2 2 N=

nA 3

3 3

3

^*.0,3 1

3

=

m I l " t e

s y

3 3

0 1

= S

)

w_3 A.3 W F

A E

(

t r

t e

a N,,,

N= b 0 2

3 d F

w e

e y

r i

a l

i x

u A

1 M

- S G

3 N

Al N-O

= S 4

- 6

,. e r

3 u

ig F

s i~ f d..

a r-" e7 w

a h= :

9:

AU E,FEEDinin E rz. .Tcw,P

~

minisur avSi end 'l

. w3 g .q MLM50 - . , ,.

^

.2 l Dagv%A7 n  : :. ,. ,

V' +

q; W

- ~

e y .;j'p;%g!?e;: f ._  : 7 ' 1::. f 9p g _. , 3 ; , .

,,_ M,;.p;n 3

'Tr.  ::,9  !!'i g'i t F 'e gp.g,pgg s  ; fi11 ra E g. ..F' 114 ' ;tiIl_ e lit!i!

il I l' l l 'fl' lIll P l~ l l'Il

.! 'i Il l I :lN ;Il k Yi l i-f ll.

j' f 3 !N 2 . h !l u0ll Ill l  ! l f$7h  ! l I . oh  !  ! ,  ! ah

! l H!  ! Ili 'l ll .,

lll l!i i!! l'l _l.I Ifff3"FMd3 f i,_l i__ l'!!. , -

!  ! lif !i!

l I  !  ! l ll lI l l l_m'i bf2 'N.d !l h I' I k'N4 l ll: : bl l .

i. b )l ,

! !! <l ll

!!WI l l i i 1 1 l Xi l' !1L1!il$fT "i !!

Il 0 FW' LOOP "B" l'SOLATEb U U6:30 ill I

., il l' l r- !l l fl' i.

g-~t' i i r ng l' Iil q; o

. > r i i , u

$ il  !;  ; ~T , i j

~

4 h 7Aul /jq, It'  ! I h.

q i

1j l

~l

, 1. -l j t 4 i dil (ti;; Litl tilt i ljy ti

,l i 1- l

l i i .

l l I l' hll COOLING CONTINUES _ i . l' l _

i

[

, i l J! l fi  !

l!y 6 plli;t 4h 4 -

i i i 1 i I

l lll111?Th! luli, li li.1 .il! 11; Isasar

4. t "l;Ti .f i >

p~- WATER HAMMER REPORTED @ 05:07 ~~ I e i- W8%{T]l FH l T

E 'I~

Il ll liylyl lll '

/!

1 1

i i:

l j q '

/ l300lll~ 375l

Loq , 3as t l I' 400 '

, I t. !425 '

}

[ i l'l

! A V / .l ll1111 1 111 1 r --pPERATORS ISOLATE VIA MOV-20 li. fill >MM. i l' i p' l l; ji h #

fi-_. R Pl CO'OL OF AFW @DO N IJE TO I ,;

~

,i ,i w ! li i i BACKFLOW 150 gpm ll l

!b W i

Oli5 AM! 'I!! >;n I I <! . I ,

l' IllllIlliilllllillllihil [j ! j

,! lill!! it l, i f ijf

~

!h llll l l l l !I lll llll il ll LI j i  !!!! il !lll ,

IMl H! !llI @ hi !N I 4 IIN S l  ; -

bdORD'ER lj;!""E"Y

!i! jill!illlli.

i t i ! . 4 AM i : 1>>j' 1.jsll i

g..LM]lli! I Il l j !'! TRANSIENT COMMENCES AT 04:51llillliilIij:itilllil!.Iliill

. iiil

't 'lil, to :I I l ! !!'i '- >

ii' ith

i! lls!! .

i j _i :t!.

' l'l i

'!! (' ll

1. !

llij sil, lll ie l;ll i ll!!ll '!!>

i tit !'ll.l .

l iii' 'l

!!al !, l

'll l!!!

,it! !jli ll. ll ..

. l .l 't l' ! i

.!l! Ql'l :ij  :

Figure 6.5a Temperature Recorder TR-456

,, . . ;;;' C. R O 2 2?IyNcn7 C,~ ' '~ _ 4

'C4'2"

( g. 7 l?.IO- C3 3 A StL.FV_ES${ EAST SIDE ELCC G,-3A .500 TD'dPJ FW PUMP

=

F- j9 GCEA) GGG SOC, fY2 CSS } WESfblDE ,

D^

~~'

FU2.PLE G-36 30C. TC/tIP; FW PUMP g

, g 6 CO' sg g,

N, j,

, g N. / \

' I ' ' '

GREEN

/[,' -

i -

PURPLE.

~~

\

Ns ,

/ \\

' N.

e s/ .

- Y

/' RED 'N g\,

a r>

ss

S

/.

O \\ "%

2, G-3B

\

if

!l ig,

\ q p ',l

f'=~

'#' "$, V/ffp

'l /

f I

$ \  %. , 6 ' J JCT'

,U ' .* g 8 ' ytf ., .

hkay

~,

j

~~ p,

]

t. . '.

ly .

I 1 SARoyal

/

4/ A '

o o

r,

(..s fliCqrg;.;y / 78/F jf

.- i ,

- ' & SUCI l & P f "

[b

- , BLUE T / ._

G-3A

\.

0

\ .

s

. \ >

. s / g ,,

t O \

~

~

-y N

- ', / ,

+

t g ,. -

I C__.__, I i Figure 6.5b Recorder R-7

l l

l 1

SLOW REFILLING OF HORI2ONTAL PIPE

a. Loop "B" Pipe 90% Full When AFW Stoppoo I'

8ACKFLOW OF STEAM TO REPLACE STEAM BEING CONDENSED CRITICAL FLOW CONDITIONS BEGIN TO FORM l

}'.- .!  !!! . !!!,[ I!'!

..::i:i:::;.:.:. ..::i:i:?;j$$.h':!::. .:::: : : ::.;. - : . 2:+ i

b. Wave Instabilities Being Formed Prior to Bridging of the Vertical Elbow

c. Elbow Has Bridged and Vertical Leg Filled

~

.i

d. Probable Steem Pocket Locatior Just Prior to Loop ~B" Water Hammer Figure 6.6 Refilling of Loop "B" Leading to Water Hammer 6-3

%\

b-4  %=E a

\

s-

' /

g

'* \

' / \

\

s

\ e' i E

\ '

$4 h y / 4l i, i

.s

+

+ fr e

?

Y,

</  :

1 w

. + / c i

m

!\ //g N .y.

' \ ,,

ye \ r "-

/

i

'7 4 + \ ff

\ .

' x *

'#d\

c\

\

6-26

4 a er SUPPORI NOOK ELBOW DENTED W THE INSIDE AND SLIGHTLY SULGED -

\ ] ,  ;-

} ,.. a nae:* .,

' l l naa r ss v

/

- A = = = = . .

J VIEW A-A l

l /

i 0

N ^

N N N

N N

N*7 uty- N

-P Cow . m n N

--- Ossi WaTEa lenauREn UPWAA0 g /

CoNnGunanoW as0VERIENT y # ~ PIPING

1. 33MIIVEffD OF PIPNIG p N

/ qp DOUUN

/

N COIITANIRAENT N PENETRATION C3G N

Figure 6 8 Overview of Feedwater Piping Et Support Damage Due to Water Hammer

r

~lr~f M M~Ji1 N

VERTICAL /SEMlVERTICAL

[" RUN OF FW LINE "B" TO SG "B

LOOKING WESTWARD.*

3mL

"(I V4

,m l

SUPPORTS HOOA. HOOB,

1. I

, & HOOC PROVIDE A RIGID SUPPORT. NO DAMAGE WAS

=~

~""* OBSERVED AT THIS SUPPORT STATION.

} l Figure 6.9 FW Line "B" Support Station

' Note: See Figure 6.7 for Direction Orientation, 6-28 A .

w fi I NOTE LATERAL Ogy;b @ MOVEMENT OF

. .ge asa p . #. I. }MPIPE WESTWARD APPROXIMATELY 8 INCHES, AND 1 DISPLACEMENT OF q PIPE INWARD p O RDS CONCRETE i , '8

1: j f

I i

~

. r i Figure 6.10 FW Line "B" Loop Support HOOD l

l

)

I r , j

y. v.-

'k. ' *

^'

hy - ; '".g NOTE BENT BRACKET

{l". *~

af

• g DUE TO LATERAL

[ c^; y '; .. ~

'.. y PIPE MOTION: VIEW

[f ** .s m 3 -i p -

.p, i .**- # ~ LOOKS WESTWARD TOWARDS SUPPORTS p

y, ' y. 77; /] g .-- t ris

' ^

HOOA, HOOB, EtHOOC.

(:

p ',.

R '

^

f Q* t; ..

'l . .,

N* 1 . jf * 'W -l t y s, p- _ ,

~

! l . .

t " 4 ja jy

~

s ay u[.Lh.wa,s ;i .

w u.

Figure 6.11 FW Line "B" Loop Supports H005 & H006 6-29

CONCRETE CORNER LOOKING TOWARDS SG "B" DENT IN FW PIPE 4--+9 l

CORNER ELBOW WHICH BULGED APPROXIMATELY

% INCH S" p ,, ,

~ -. .c

- i;

-: - ua x.:. s?gsw ,u _(~:Sgig, e

i Figure 6.12 Pipe Downstream From H006 Support llfyl/*~

~

alll? '. ' .

7-g

,) BULGED ELBOW

.>;j[ +

[, ((;D"yqqn~ ,g A~'  % , ,; ,Q } -. .

~~ *

~

? l, . . t 'Q : .

. r i%

IN ,,

3) ' , _ l s*

s.f

. ~ts i -3;  ;,L % .s..

N, % 9fQs nf A'*h;ne g$ ?:>c ,t l **

• ' ' )f(

,.e g.f ..d e

NOTE PREVIOUS SUPPORT d

• POSITION: PIPE WAS MOVED p- AXIALLY SOUTHWARD

. - -. _ c[im. - :w. .

.1j Figure 6.13 FW Line "B" Loop Support HOOG 6-30

l l

l l

, 4#- 2 3 s .

[g2. .

- $gt;

.0 f 7 , .gui -

,1 t *.

Nd 3

r i

k T:c:

b

{l:L[ $.

Iiau E  !

Figure 6.14 FW Line "B" Loop Support HOOG, Looking Northward m;xA7

, PIPE SUPPORT PADS 1

7 l NOTE DEFORMED VERTICAL CHANNEL DUE TO IN BOARD (WESTWARD) PIPE IMPACT s v- DUE TO WATER HAMMER b[!;>91jpl?,-

,,m s y; ild%id.A,-;;Q , .-, -.' . LL. >

Figure 6.15 FW Line "B" Loop Support HOOH 6-31

l y v7 g,ry:; m - .

y WW+.a :, a f C 'I, a

w -  %'

l ,

'/

')

l t-f

I

k. 4

( -

i;,' ' <

i 1

i l ~4 m q

i: :s 1% U .; A Figure 6.16 FW Line "B" Loop Support Point 120 (Which is 20'-6" South of Support HOOH)

(- j![E yg

.>i.:

1 i- ,

T .,

b,- '

- SCRATCH MARKS SHOW

' Dl N'

EVIDENCE OF !NITIAL WATER HAMMER LOADS DRIVING FW LINE INWARD (EAST) AND LATERAL (SOUTH) FOLLOWING REBOUNDING AT THE

' .: ,? . DOWNSTREAM ELBOW.

b

g l

,' @~  :

,j !vi e 1 a '?)/( - .i j

" ' ~

.) q _:n

( '-'

. . i. b .-

g

'nl ^'-

~ ~"f

- . , ...i a. .

Figure 6.17 FW Lino "B" Loop Support Point 120

, 6-32

FW LINE "C" 4

HOOJ 1i!

Il\

i Figure 6.18 FW Line "B" Loop Support HOOJ l

t t

?

l f' a \

c;; -  %

v -g ^

\

A VIEW LOOKING j  ; SOUTH: FW LINE

=s HAS MOVED INWARD

& UPWARD

.; m '

J I1

'l

! I k <!

ree 1 '

4 1s l

. . . :.Lik:Laauu ~ i Figure 6.19 FW Line "B" Loop Support Station HOOK j

i 6-33

-_ ..- - _.. ,_ _ - ~ - - . _ - + _ _ _ _ _ . - -

-l .i

~~

}

3 2

+

3, _, ]

1

+ ~< ,

s i

f T #

t 3 '

l

'. :0 i.

J . .: j [ .

}

{

-g. gem . , .

I. .:w I AM G U TO S PPOR S TION HOOK '

L'in"N ?"na's' '^" '

WATER HAMMER Figure 6.21 Local Damage at Support Figure 6.20 FW Line "B" Support Station HOOK HOOK

e

?

l 4

CLOSEUP VIEW, LOOKING ,

DOWNWARD AT HOOK l l

Y l 1

i

\

i i

Figure 6.22 Closeup of Damage at Support j Station HOOK i

( ; g.

- ger7.mmmm _. ~

- j ^.

gx jG f ..a j- ,

M ;/q (( i

, Ms, y.

. ,m, >

. g'. pf

. 3.9,jj A

v* ~ ' - . .

cl ,

+ i

- -:;7"" .

+..

'ri;.g .. , ~, ~

(.. / .- $_

j '

/(

i 4 ,.

^

-w ugyg; Q Figure 6.23 Torn Pipo Support Structure HOOK 6-35 l

- , - - - , - ~ . - - . _ . - . _ - . . _ , - , . . . . . - - , . .-

(j'_ ao 1:

b l

.; . .I; ;

1  ;  : -

. . ~ *,, . .. % ilF l , :,3 ' ' -

Li g.

'}) ,

._m.A l Figure 6.24 Torn Pipe Support Structure HOOK g-

[.'  !

0 ,

i:

e

!: , j

'n .:.

iff ,

Figure 6.25 Outward (or Lateral) Set in FW Line "B" Looking West Toward Support HOOL 6-36

Y W "h '" b }_

"e .9:%

T ^% k wy -

' SHEARED VERTICAL SUPPORT SPALLED CONCRETE w

s' i  ;

L 1: z.

hn

.* " ^{31 .'

!.&

I[t h e ?

I_ ~'

, ON Figure 6.26 FW Line "B" Sheared Support at Support HOOL l

I l

MISSING ANCHOR BOLT i

s. v.-

J .

' _ ej f l

?

:n I

it -

. LOOSENED BOLTS

~#

, t.H .,

(slLp; v w.., .

w ww~.

j ,

m 7., .

,, )

} ,

y  : -;;

l-s.,

j~ '*

c , ;. 3e ) -

c!Q:-fA.

, , j 2

.. _ Y l

Figure 6.27 FW Line "B" Wall Support Structure at Support HOOL i

.. 6-37 l

I,

-_-_m_w-mhw%~m- --ww- _W_ _.W _ m. _ _ _ . _ w-

ELBOW

' ~

l! .

.w

~

NOTE SUPPORT STRUCTURE BENT EASTWARD AND FW PIPE BEING RESTRAINED FROM i

FURTHER VERTICAL

.a MOVEMENT BY SUPPORT HOOM

--l , (AT TOP).

) (<, M

-, ~

L _. __=,.

j

• W~~q y; '

. A

.I - ,

Figure 6.28a FW Line "B" Loop Support at Support HOOM

}~ g.

' Y ((

t ..

f;F 3

s. .u.4 :y

+

( 4 ,,.q i; p . .

k.. .i -

h i

Figure 6.28b FW Line "B" at Support H014 and HOOM 6-38

tT~ '

2 g s_

_.I'\ ,

j p 1

M

. .~.

I NOTE BENT VERTICAL

! ROD DUE TO UPWARD MOTION OF PIPE l

t" em ,

u.

'h s.,-. a . \. . .

Figure 6.29 Pipe Hanger Damage at Support Station H015 6-39

v'

\ i s  ;.

a

/ e e

d.

e o s k

, i 0

, (>

U 5 f

\

k i

E

\

z s*

N*o e 3

l b: d, /  !

i

• +/.,

5

\ b

'a l

l

// '\

2 5

l 6-40

NOTICE CIRCUMFERENTIAL CRACK IN CONCRETE "y TURBINE BUILDING WALL w.

k;l

,,1. ,

l l

v e

Figure 6.31 FW Loop "B" Penetration at Turbine Building Wall j

l r en :r .

I

.L ci >/

[k .

, vie 3

i d & .

i j I, f

4 I / 1 l h i  !

a

• l FWS-342 FWS 346

) Figure 6.32 Inspection of FW Valving i

6-41 I

--_-_--__~.._-.----____~~.m_< -

S )

g -

. -s . ,

R.13 t

p, ,

?

u

+.

ff

. y( '

s

.. =

v-3 }g}hl,ng

%I

a. ,

.+

p' g-I ey

1. 'g

, p kk'~, , .,k!

• i ik Y ff. j'

~

h; f<4

• q3 MWh b .

FCV-457 MOV-20 j Figure 6.33 inspection of FW Piping 5

e .

. q,

'h

. g ._ ~ #

{_#

g' 5 4 7,, g: -1, >

• a ;k;d l ,

~, 3% q l

b s j -d :1 "Ni"N[' , ,

1  %,,.,g , ~ , - #9~ , -

l .,. .b 'Q) l n -

f-i i ,-c- INOR HANGER

! g 3-l}r r.'" AMAGE VISIBLE

1. g;;. T , .[': .f/ )

i l

~i i

f y'

WV  %?s i

~~t f,

?

i

. 2 $ :aWI i.

l Figure 6.34 2-inch Bleed Line at FW Loop "B" 6-42 i

,$1 e

T ,

i b{

g

~w; g jph

[,-  !(_

e+-

r %s.37g 8

icnll" VALVE)

/

$d:

~

%sm, . $~

Y Ch ',.

l '

l . 'g.;-' A'h' ,* 1 lt 'v'h . . .'

( f'epVALygj ~ ;L (:: ,l;. ,

$;7.

/

99

p4 7- ' .,-

3-g:e , -

yf,3 7-

• A<- V %Q;.

l l

Figure 6.35 Overview of Valves FWS-342, FWS-346, FWS-376 and FWS-378 in FW Loop "B" Control Station i

l l

}

1 s

6-43

pg 31 -

9

^

3,% '. 4 '

?

,.,. t ;; .;

_-y

,' (~sd f

.---[' L'

, _f s . -

s b -A__ s - ,

l ', a C 4 1-

/

m.m Figure 6.36 FWS-378 Failed Bonnet

,u  %

{f 31_

NOTE EXTENDED i- BOLTS AND

• 4 GASKET EXTRUDED sr AGAINST BOLTS

s. .

~ ~~t BY WATER HAMMER LOADING

- 99 n V ,l.g, \ .

.( s.

8 i

,y. <

.. :s

. L ._ M '

Floure 6.37 Closeup of FWS 378 Donnet 6-44

.;= 3

.q i k,4 f } 4 1

7 F l,.A7

'N .

s,

'f f%M?y. ,e s: $

' ff. _. QQ'f(;' '" _ _,

Figure 6.38 Damage to FCV-457 Actuator Yoke l

s e

. [

M i

M

' ' 5 *

.. 4 ,

- .s- :ka . :

Figure 6.39 Closeup of FCV-457 Yoke Damage .

I 6-45 L.. __

COMTAIMMEfBT SHELL g gf .

14 NET T N

, n

,.. x t .

s o' -

a

)

P NG 1

7e Figure 6.40 Junction of AFW & MFW at SONGS-1 (FW Loop "B")

CONTAINME q~ <

y ', ..ao .

!? ~ -r i

Y a-Figure 6.41 AFW Piping Run & Routing to Main FW Lino (Loop "B")

, r,- %

I wo- ,

n, .p

,.ci '%4."F' l

1 4.L-,-

, 4

=t

, m -

p= u ,

c. , , . .

,) %

au . . . -

a.

s Figure 6.42 AFW Loop "B" Support J

,h.,

.s* -

'1444 . '. r- ' l' ' r - I .[W'  ?

4

, 4, --

, gs ,

j,]( [ FA %

o:w. ame. -

, ., p -

s.

,p. . _

\g '

4

+ -

.i '4

' -f.

.- .'.Qy"l'h.';_.

'L. *

, %;o f 5K s _. . Q ,

R,; -<' j ^ :.i<- Q .

a.

.>e 1

4 t 7.. ..

F 9(:4 *s yg '

4,

\. , .

x. .., . .: -

..I,

v. & vag-%'

um:

- , u~, w .a t _. ..a^.

• • ~

t."

Figure 6.43 AFW Loop "B" Motion Due to Water Hammer Loads 1

6-47

\

\~

c; - ,

4.

~

L

n L  !. ,.

k&; 4 &n e

r: c. j 2-l .

't

~

s,-

{ .

t .

i %f l

1 a _u.c . -,, ;

Figure 6.44 AFW Loop "B" Piping Displacement Due to Water Hammer Loads

@ 'l , p ,,,

. [~r 9

v,

'?$

j -.

i i

Figure 6.45 AFW Loop "B" Piping Displacement Due to Water Hammer Loads 6-48 l

l VALVE BONNET BONNET STUD A a LNNNNNM9 eke r- g y g rg

-HINGE ANTI ROTATION NUB Q

I f

y -

CLOSURE DISK--

• W w //e v/w

\ VALVE BODY Figure 6.46 Typical Swing Check Valve With Internal Hanger, as Assembled.

6-49

,7 m, hO/ / N s

\

////lW l

L.

I I

l -

/

ANTI-ROTATION BARS s

- ,/

VALVE FWS- 346 AS ASSEMBLED J, -

,' l L/, O 4:

II':*[b.

1 2

1

-p WORN PIN HOLE IMPACTED PIN t

l WORN THREADS I

hmwim, y gM VALVE FWS 346 AS FOUND Figure 6.47 Check Valve FWS-346 6-50

,...,,.s.. mn :m 4

._3 T

.y-

.= 7

g 2C. NOTE DAMAGE l

,a (i.e., CUTS) TO DISC j SEATING SURFACE S

l E Wi i

)

. .)

h

/

Figure 6.48 FWS-346 Seat Ring Damage e4%'* Te ?i'YfTe # ' w77, -J % 'f ~rs' s - '

NLff ;4'b,m%Q$'4,s$$se$

npr?>? s

' ' ~ {l!,',11 '~~~',',i

.Asf~ s3.u,,d#,/ygs . &Sw~ y;;x:p.;;p 9 ; 7 ,m!<s ,~,' .

,s. s e, ,

~. .

s s ,s

?g,p,k/

hk '

k?h '

' ~

s %y.tski u .

.y m 7spp,F

/ ,re s ip,WMDP&q

-C p .t

• [s/

~ f ; 4,/<% -s,;(sd:u p y is %l"s~%

f*- r %

f -- ., ,fc j; e c q( %( ,:},

v

. % ' '% . s .

p-c?-Gp #9ym% e y/*y~ft 'm w .% , r7=f % y % 0 ~,9.

J, , &&* 4 e; s--

-t /s .3 3,ggv 9 -m e4

} f )1 0 h Y,

p f,. / /yr* }7,'p.,

w 1WhC!Qs :,v.,r,"~,m-y: , L s V .N/ ?/: ? 5;.; %/

y Ni. h 1;

} ' f _ x :% N AiN, ,ND k

Figure 6.49 FWS-346 Disc Face 6-51

3 Qls >%f;f}g _,

! ?ff677'{M

$ ~q$ %

? _

y ;>

l'.  ; /I:

t .I %Iw-j-ig.l~j%l .

p, . ,s j ; -

sig .i % .

hj!%f ^

..% NOTE IMPACT '

[f g j';f', g / ' DAMAGE AND ,

7 {,g- WORN THREADS.

'gf% -;!gIi' ,-

NUTWAS MISSING

j. ,

%. .% p ' [ % .- -

L t1,% j' ,

\

lA .gf f of ,% g f - ANTI-ROTATION

1. DEVICES s , ll % '., < ,

T 'jlhb Vrj e, l f"

$ , I#* N [9. ., WORN HINGE .

3 [ PIN HOLE

% ?+ flll:l l:I'g;?i-? ,-  ;"'

k' w n

t i .

a vlj_e ja  ;-G ,

lv A f

9g(?

g\. f ** it e,y* i i ;g

j. 9%di; b,sJ Ig&%

Figure 6.50 Damage to FWS-346 Disc Figure 6.51 Worn and Elongated FWS-346 Nut Pin Hinge Pin Hole l __ _.._. . _ _ _ _ _ . _ _ _ . . _ . . _ . _____

fjTgJpf ATj' S.gr

' ' ' ']q ,

i:. -

4j f i,

,l2 -

• i g.i -

~~

p NOTE DAMAGED .

s DISC STOP I y(- v 4* .e - -

ATTRIBUTED TO 9I s, [ CONTINUED

' ~ IMPACT BY es CHECK DISC r- -a. l Y

4  ?

4' ..

• ': l

, ,. i ;,,_,

Al

(:b h , h ,',::c' n,17  ; '

q'~= s , x ip

..J,Q .. ~s-L J: .ciusd,,JG! : ' ~,

Figure 6.52 FWS-346 Bonnet l

1 l

l l

) "

I j

i i

l e '

- 'd i,

1

- ,E p - ,w , ~:. c . ..

I  ;, ..it

,pMI : '*

i

-;zj, y k . ' , .

1. c ,, ' '!?M

) Figure 6.53 Closeup of FWS-346 Disc Stop 4

I 6-53 ll

e

,6

[ 'I'[*%^ y, OjJ P,".%

g

+

v..,

O Y

E?n g 0 g o k d.

."4

.# # W OO -

or e

o 6

5 o

d A YO 9<

$ d#

h7d j #

2

,< O z O ll 0

6 6-54

../-

1 i .

.;p.

o f h 7,

.h [

< *, , g r..

.g' '1,

~

' p' .

^

Figure 6.55 FWS-378 Check Valve Internals r ryp, rt ., 7tp *.:

-Mj",-f;g;fgs' II ,

y;,: +

~ *;}l i { < .

NOTE RADIAL RESTRAINT PROVIDED TO GASKET BY BONNET BOLTS

~t I

.s

• J Figure 6.56 FWS-378 Gasket Following Water Hammer 6-55

I

, *t y,

.. .fs ~

,,4

, e.f>,s?) y s

b ,

+- .

• 4

, ,,f.

. . M e, NOTE SEVERAL N# HAIRLINE CRACKS ON SEALING FACE y I jfQ _

Figure 6.57 FWS-378 Disc Face NOTE ELONGATED THREAD SECTION AT UPPER END OF STUD

.,Y YghR6:q) a:':a ac..au_ ,_a , , _

Ficure 6.58 FWS-378 Stud and Nut Removed From Bonnet 6-56

~

l/ O /

~

~

\

I

) @

's I /

" %. w - f VALVE FWS.G AS ASSEMBLED o*"  %

~~

s O ' ,

J .

Y 46N '

STUB \

, CAUGHT \

4 UNDER HINGE O

I RO ATED FOUND

- 15

~% 'y -

l VALVE FWS-G AS FOUND q Figure 6.59 Feedwater Swing Check Valve FWS 438 '

6-57

i

_ _ __ . m A

l tv

. s b \

i i ' , ,,->

g l g

. 'g e ,. f'

'

• NOTE 0 " FLATTENED l ,

POSITIONER 2

" NUB" g .,

k ,, '

o t .

]

~' %4.

!,,gf' l ~ ~ j' i

Fi0ure 6.60 FWS-438 Closure Disc 4

r

.. 3

. W.s

.~

/ :N~.L

-s

. s

' Tq,Q4 j.

l -

t .,

i

,.  %[ _%5

] [,

i I .

< , Y, l

l .+ .

r t i

7 I :j

.x ,

t

/

l I a- ..).'

l 4 Figuro G.61 FWS 438 Disc Holding Nut Arran00mont l

\

6-58 i

7 PERSONNEL PERFORMANCE AND HUMAN FACTORS EVALUATIONS 7.1 Introduction This section assesses the response to this event by utility and NRC personnel and the human factors issues affecting their performance. Other organizations, such as local, State, and other Federal authorities, were notified of the event, but did not play a significant role, so their participation is not addressed.

7. 2 SONGS Personnel Performance The utility personnel that responded included the on-shift operating crew, extra operators who were called in, and security and emergency services personnel.

Their performance and the human factors affecting their performance are dis-cussed in the general order of their involvement with the event. The Team interviewed most personnel involved and based the following assessment primarily on transcripts of those interviews.

7.2.1 Operator Performance The utility's immediate response to this event was made by the on-shif t operat-

, ing crew. The crew was larger than normal because a Control Operator trainee and an extra NPE0 were also on duty.

7.2.1.1 Ground Isolation Actions i Upon receipt of the ground alarm, the control room operators first identified i the source of the alarm, used the alarm procedure to identify the appropriate response procedure, and then followed ground isolation procedure 501-9-7, "4160V and 480V Bus and Feeder Faults." Extra personnel, including one SRO-i licensed member of management, and specialists in troubleshooting and repairing grounds were called to assist the operating crew during this phase.

The ground isolation process proceeded as directed in the procedure through the minor loads until operators reached th? steps to test large loads, which verbatim are as follows:

6.2.5 REDUCE Unit load as necessary and DE-ENERGIZE the major equip-l ment such as Circulating Water Pumps, Feedwater Pumps, etc.

One at a time and observe the ground meter, s N0fE: When a grounded circuit has been identified, it should be left de-energized until the problem has been

{ identified and repaired.

i 6.2.6 When the grounded circuit is identified, then initiate a Maintenance Order to have the circuit inspected and tested.

1 7-1 1

l l

6.2.7 M the ground is on 1C or 2C Bus and cannot be located by de-energizing feeder circuits, then CHECK and RENEW, if necessary, the Ground Detector Potential Transformer fuses because a blown fuse will cause a false ground indication.

6.2.8 g the ground is apparently on the Bus, then with the concurrence of the Shift Superintendent, REDUCE Unit load as necessary, TRANSFER the Bus load to other Buses and DE-ENERGIZE the 4160V Bus.

CAUTION If 4160 Volt Bus 1C or 2C is Inoperable in Modes 1-4, tIien restore the Inoperable Bus within 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> or be in Cold Shutdown within the next 36 hours4.166667e-4 days <br />0.01 hours <br />5.952381e-5 weeks <br />1.3698e-5 months <br />. (Tech.

Spec. 3.6).

6.2.9 Initiate a Maintenance Order to have the Bus inspected and the source of the ground eliminated.

The actions operators took are identified in the narrative of the event, Section 3.

The procedure provided clear direction to the operating staff. Based on inter-views, the Team determined that management permission to reduce power was granted, j power was reduced and equipment was realigned to allow the testing of major equipment. Subsequently, all major equipment, except the feedwater pump, was tested and the grounded circuit remained unidentified. With the exception of some electrical instrumentation, the remaining potential locations of the grounded circuit were safety-related equipment, the deenergization of which would place the plant in a Technical Specification Action Statement, requiring that the equipment be restored to an operable status in a short period of time, or that the plant be shut down.

At this point, the operating staff decided to deviate from the procedure, de-spite the fact that there was no valid immediate need to do so. A plan of action was developed and discussed with plant management, who approved its im-plementation. As a result, the following steps outside the procedure occurred:

1. Operators checked the ground detector potential transformer fuses before the procedure required that they be checked.

2. Bus IC was paralleled with bus 1A momentarily to use an alternate ground indication to verify the bus 1C ground.

The period of parallel operation of auxiliary transformers A and C was short, but inappropriate, since auxiliary transformer A already had an installed ground path, i.e., a second ground existed which could cause accelerated degradation of the existing problem.

Based on interviews with those involved, the Team determined that the operating staff became aware early in the morning of the event that the plant would prob-ably have to be shut down. The ground looked as though it was either on the feedwater pump or bus IC itself. All required permissions, equipment alignments, power reductions, etc., were completed, satisfying the prerequisite to secure the feedwater pump. Management had been and was consulted again on how to deal 7-2

with the ground. The interpretation of the Technical Specifications was dis-cussed and those involved recognized that the deenergization of the feedwater pump, bus IC, or auxiliary transformer C, would probably require the plant to be shut down.

Preparations were made to shut down the plant when, based on further discussions, the operating staff again decided to implement an ad hoc process to deal with the ground. This decision was made with the understanding that the planned activities were not described in the procedures and that the steps were intended to locate any ground that could be isolated without affecting the operating status of the plant.

As a result, the following steps outside the procedure occurred:

1. Bus 1C was again paralleled to Bus IA and the PT disconnected to test the PT as a possible location of the ground.

This action again paralleled auxiliary transformers A and C, this time for about two minutes, and was inappropriate, as indicated above.

2. With the buses paralleled and the ground location still not identified, the tie breaker between bus 1C and auxiliary transformer C was opened; as a result, the indicated ground on bus IC disappeared.

3. With the ground now known to be on auxiliary transformer C, the tie breaker was again shut to support further attempts to localize the ground.

This action again paralleled auxiliary transformers A and C, this time for about five minutes, and was also inappropriate, as indicated above.

1 4. Subsequently, the tie breaker between bus 1C and auxiliary transformer C i

was reopened, but the transformer was left energized while technicians went out into the plant in a further attempt to find the ground.

The ground still existed on an energized circuit, sustaining the vulnera-bility of the plant while inspections were performed that did not require the transformer to remain energized. Further, inspecting grounded ener-gized circuits involves potentially significant personnel hazards. Deener-gizing auxiliary transformer C would take the plant into an Action State-ment and, as discussed above, might lead to a plant shutdown.

Following identification of the ground on auxiliary transformer C, the trans-i former was lef t energized and inspections were conducted to further localize l

the ground. If the ground location had been identified and found isolable from j the transformer, the plant would not have had to be shut down.

Both the failure to follow procedures and the actions taken that were not specified in the procedures were considered reasonable by the operating staff.

Evidently, their training, plant knowledge and procedures did not alert them to the dangers of tying the grounded IC bus with the normally grounded 1A bus or working around grounded equipment.

In addition, Procedure 501-9-7 does not provide Instructions for the methods and steps to identify ground faults on a transformer. Af ter the operators 7-3 1

__---__-___-_-_____I

localized the ground to the C transformer by steps outside the procedure, they had no training or procedural guidance on the significance of the ground loca-tion or the urgency with which the transformer should be de-energized.

As background, Technical Specification Action Statements can be entered inten-tionally or because of malfunctions, and normally allow time for operators to resolve problems before plant shutdown is required. Valid purposes for occa-sional voluntary entry into Action Statements include preventive maintenance, troubleshooting, and surveillance testing.

Based on the above discussion, it appears that the operators inappropriately deviated from procedures to unnecessarily delay entry into a Technical Specifi-cation Action Statement. Had the procedures been followed, the ground would have appeared to be on bus IC, the bus would have been de-energized, and the plant would subsequently have been shut down.

7.2.1.2 Recognition of the Loss of Vital Bus 4 and Reactor Trip When the initial alarms were received with the transformer trip, the operators assumed, based on their experience and training, that they were attributable to the loss of a vital bus. This was confirmed when they checked the vital bus indications on the electrical auxiliaries panel (Figure 7.4) and found that one of the vital bus availability lights was out. The operators needed to quickly identify which bus was lost in order to determine appropriate actions because the loss of some buses requires an immediate reactor trip whlie the loss of others does not. Efforts to quickly determine which bus was not available were hampered by labels which were too small to be read from where operators were positioned. The operators had to either go to the panel to read them or count the indicator lights on the panel to determine which bus was lost. (Note: the lights are in an unusual order--1, 2, 3, 3a, 4, utility, 5, 6.) However, the operators were able to quickly identify the bus lost, and tripped the reactor about 20 seconds after the loss of the vital bus 4.

1 1 7. 2.1. 3 SI Verification The next operator action of concern was their verification of safety injection (SI) actuation. The second step in procedure 501-1.0-60, " Loss of all AC Power,"

is to verify SI actuation. The procedure specifies that the method of verifying SI is to refer to the SI Actuation alarm (RPF0-2) on the first-out panel. When the procedure was read aloud, the operators' first response was that no SI had occurred, even though RPf0-2 was alarming. This SI actuation alarm was known by some operators to be unreifable because spurious alarms had been experienced with a previous loss of some buses. As a result, the alarm was initially assumed to be spurious. However, it was then discovered that the SLSS remote survell-Iance panel also indicated an SI signal. This panel (Figure 7.2) indicated 51 actuation had occurred by indicating starting and loading of the diesel gener-ators, a condition that only occurs with a loss of power and coincident SI.

This indication, together with RPFO-2 alarm, confused the operators and caused them to check the SI system operation. It was determined that SI was neither in progress nor necessary under existing plant conditions.

While the procedure specifies one method of verifying 51 actuations, it does not Gi ve operators guidance on alternate methods to evaluate whether SI occurred, nor is there a caution that spurious SI indicators will occur on loss of certain 7-4

electrical buses. The operators' duties and responsibilities instructions in-clude guidance not to take actions based solely on a single indication but to use other indications to confirm readings. Although the operators did use other indicators, the procedures provided no specific guidance in this regard.

During interviews, some operators also demonstrated a lack of detailed knowledge concerning the operation of the SLSS.

7.2.1.4 Electrical Power Recovery The next difficulty the operators experienced was with the station loss of volt-age auto-transfer scheme. The system has three primary indications associated with its operation (Figure 7.3). The first was received normally, indicating that the 18kV system had been isolated. The next expected indication was the i

"open" light for the generator's motor-operated disconnect (MOD) (Figure 7.4), l which was also received. The last indication, before operators would normally i take action to recover power, was the end of sequence indicator. This last l light was not received as expected by the operators. Af ter waiting for what '

the operators thought was enough time, they considered the sequencer faulty and took manual actions. Contrary to the procedures, the buses were re-energized bus by bus rather than all buses being tied together before the system was ener-gized. The operators were unsuccessful in three attempts to return power to the site using the 220kV circuit breaker (CB) 4012; the first attempt with the 220kV CB 6012 was also unsuccessful. The second attempt with CB 6012 was suc-cessful and the buses were then energized. CB 4012 was closed later.

The investigation to date has not determined whether or not the system operated as designed. However, no failures of this system have been found. It appears, at this time, that the operators did not know the time required for the auto-matic system to operate. The decision to manually re energize the buses rather than follow the action described in the procedure seems reasonable, but it re-sulted in errors caused by the lack of detailed information that was implicit in the procedure.

The attempts to close breakers CB 4012 and CB 6012 failed for two reasons.

First, the initial attempt to close both breakers was not performed properly.

Before energizing one of the dead buses, the interlock checking the synchroniza-tion across the breaker had to be overridden. The operator did not use the bypass pushbutton for this purpose on his initial attempt to close each breaker.

The 4kV breakers normally manipulated by operators do not contain this inter-lock feature so the operator was not famfilar enough with this unusual operation to remember the bypass without being reminded once during each attempt. The same operator later used the bypass to close CB 4012, even though both sides of the breaker were energized and the interlock should not have been defeated.

The second attempt at closing CB 4012 failed because the initial electrical-trip signal had apparently not been reset properly. For the lockup bus to be reset, the turbine *0enerator motor-operated disconnect (M00) had to have completed its opening. Since the operator attempted the reset early in the event, and because the MOD opens relatively slowly, the first attempts to reset the lockup bus were probably not successful. Further, the operator did not verify that the resets were successful by either observing the light around the reset button itself or by observing the clearing of the alarm on the vertical panel. The procedure, had it been followed, would direct operators to reset the lockup bus after the MOD had opened. Because the procedure was not followed in the order specified, the initial attempts to reset the lockup bus were not successful.

7-6

These operator actions demonstrate their lack of knowledge of the operation of the synchronization bypass switch, the lockup bus reset circuit, and the station loss of voltage automatic transfer scheme.

7. 2.1. 5 Use of the Diesel Generators Using the diesel generators to recover electrical power was considered by the operators during the loss of inplant power. Because operator training and the procedure for the use of the diesels (501-1.0-60) gives priority to available off site power as the preferred source, the operators continued their ef forts to re-anergize the buses from the switchyard. Because inplant power was lost for appr1ximately 4 minutes, the delay in re energizing the buses raises the ques-tion 6: to how long the operators would have continued in their attempts before using the available diesel generators. The procedure, however, provides no guidance on how long the attempt to restore power from offsite power sources should continue. The Shift Superintendent told the Team that he was aware of the difficulties of restoring power from offsite and would not have waited much longer before acting to load the diesels.

The procedure utilized by the operators did not specify the maximum period of diesel generator operation while unloaded, with or without ac-powered auxil-laries. The radiator fan motors must be powered in about 39 minutes to ovuld diesel overheating, and long-term diesel operation at no load is known to be deleterious to diesel operability. The previous version of Procedure 501-1.71, Rev. 2 (Dec. 1981), had the necessary guidance, but it was dropped when the procedure was revised.

7.2.1.6 Initial Response to Indications Af ter the reactor and turbine trips, the behavior of the primary and secondary systems was evaluated based on the operators' experience and training. The review of major plant parameters revealed to the operators that the pressurizer level and the steam generator levels seemed lower than expected, although both were not unreasonably low given the operators' understanding of the plant status.

The low pressurizer level was attributable to a rapid cooldown, although it was also recognized that charging had stopped with the loss of power. The concern

! about the lower-than expected steam generator levels was offset by the realiza-l tion of the design delay in initiating auxiliary feed flow from the steam-driven l auxiliary feedwater pump and that the motor-driven auxiliary feedwater pump was off during the loss of power.

Operators dealt with pressurizer level first by manually starting a charging pump. The second pump automatically started by design in response to the low discharge header pressure. The trip of pressurizer heaters on low level (less than 10 percent) increated operator concern for level and pressure control and raised the possibility of an SI initiation.

The decreasing pressurizer level was evaluated as being caused by the cooling of the RCS by the steam generators. Accordingly, the control operator respon-sible for the RCS directed the operator at the auxiliary feedwater controls to

" cut of(" auxiliary feedwater (AFW) flow to avoid an 51. The concern was based on the decreasing pressurizer level and knowledge that a low pressurizer level would lead to a further decrease in RCS pressure, possibly to the 51 actuation setpoint. Subsequently, AFW flow was reduced from approximately 135 gpm (indi-cated) to zero for about 10 seconds before the Shift Superintendent directed 7-6

that AFW flow be re-established at 25 gpm, because of his concern that the steam l generators would become dry. (Note: steam generator level was already low and decreasing.) This indicated rate of flow (actual rate was determined later to be approximately generator " dry". 40 gpm) met the procedural criteria to avoid declaring a steam A " dry" steam generator is defined in E01 S01-1.3-3, " Response to Steam Generator Low Level," as not having any of the following:

1. Wide range above zero inches.

2. RCS loop differential temperature greater than zero.

3. Feed flow equal to or greater than than 25 gpm.

These actions demonstrated steam generator status. The a reasonable concern for the RCS status over the interaction between the operator responsible for the RCS and the operator at the auxiliary feedwater controls is expected and the Shift Superintendent's actions demonstrated his " big picture" view of plant operations.

7.2.1.7 Decision Not To Recover Normal Steam Generator Water Level Af ter pressurizer level was recovered, reactor coolant pumps A and C were started, and with steam generator water level still observable, the plant was in a relatively stable condition with the cooldown continuing. The procedural guidance for the low steam generator water level (less than 10 percent on narrow range) is to raise level to 50 percent on the narrow range (501-1.3-3). The procedure the reactor contains no cautions concerning the effect of this level change on coolant system. Several operators, the Shift Superintendent and the STA discussed the inadvisability of this action and what direction to take.

There was a known steam leak in the mezzanine area but not specific information as to whether the leak was in the steam or feedwater systems or which loop was affected.

However, operators observed that although steam pressure was low, the leak was not large enough to depressurize the steam system and was not caus-ing an excessive cooldown.

(A steam generator pressure less than 400 psig is the point at which operators refer to procedures for loss of secondary coolant.)

The operators decided that a cooldown could be conducted safely, with a com-fortable margin to the 100-degrees per-hour limit in the Technical Specifications.

This cooldown was initiated by increasing the feed flow to the A and C steam generators since they had their reactor coolant pumps running. This process continued until the plant was placed on RHR.

7.2.1.8 RHR Initiation Operating Instruction 501-4-9, " Residual Heat Removal System Operation," con-tains a prerequisite (3.6), and a step (6.1.8) to close RHR-004, the hot leg recirculation bypas. valve around the east RHR pump. The valve is normally open to allow a flow leg recirculation use.path around the RHR pumps to support the post accident hot The relatively routine RHR use can be accommodated by shutting the valve, which must be locally operated within the containment build-ing. The operators considered that the plant was well enough under control that the procedure should be followed.

RHR alignment encountered difficulties because of a pressure interlock. To protect the relatively low pressure RHR system from the high RCS pressures, one of the RHR inlet isolation valves, MOV-813, and one of the RHR outlet isolation valves, MOV-834, have an opening interlock based on pressurizer pressure. When 7-7

. _ _ .. -_ _ - -. = _ - - .- -- - -- - - - . - - _ _ _ . .- __

the operator attempted to open MOV-813 per step 6.1.6 of S01-4-9, it would not i open. The operators considered entering the containment building to operate

{ the valve, but dropped the idea when they found that the interlock relay was i readily accessible. The RCS pressure indicated in the control room was 370 psig.

j Since this pressure was below the operators' understood relay setpoint of i 400 psig, the relay was locally operated using a contact follower button to I allow the opening of MOV-813. The relay also prevented MOV-834 from opening

and was again overridden.

f Post-event investigation found that the relay was aligned properly and would not reset until pressure dropped to approximately 367 psig (see section 8.8).

The reason operators believed the set point was 400 psig was attributable to their procedures and training. The procedural reference to 400 psig-is in-cluded in step 6.20 of 501-3-5, " Plant Shutdown from Hot Standby to Cold Shut-j down," in 501-4-9 as prerequisite 3.5, and the note following step 6.1.3. It is also included in training study guide number 22. Therefore, the operators had no reason not to expect the relay b allow the valve to operate under exist-1l ing plant conditions.

7.2.1.9 Continuation of Feed Flow to 8 Feedwater Line The operators' joint decision to continue feeding the 8 feedwater line after a l

1eak was identified was based on concerns for the safety of personnel attempt-

ing to locate and isolate the leak. Their intent was to cool the line feeding i l the break and thereby change the escaping fluid from steam to water. However, i unknown to the operators, this action could have created conditions for a second water hammer (from the continued injection of cold water into a horizontal feed

]a line with steam voids). Although there is procedural guidance on a maximum feed-l water flow rate into a steam generator with a low water level to avoid steam

] generator water hammer, there is no guidance and apparently no training for i operators on an acceptable flow rate into a voided feedwater line to prevent -

I feedline water hammer.

i l 7.2.2 Other Site Personnel Performance l This section addresses the performance of site personnel other than operators l who participated in the event. They include the STA, emergency coordinator, i emergency services, and security personnel. This section also addresses the

post-trip review.

I 7.2.2.1 Shift Technical Advisor's Performance l

The STA participated significantly in this event and took part in major deci-1 sions made by the control room operators. After assisting in the search for j the ground fault, the STA informed the Shift Superintendent that he was going j to bed. He had gone to sleep in his trailer at about 04:30, when he was awak-

ened by a loud noise. After attempting to reach the control room by phone j twice unsuccessfully, he started dressing. He also inspected Unit 1 from the l STA trailer and observed nothing unusual. He then heard on the two-way radio j an announcement that a fire truck was headed to Unit 1, and started for the 1 control room in earnest, arriving at about 04

58, according to the control room

! clock. Since that clock had been de-energized for about 4 minutes during the 1

loss of power, the STA arrived 11 minutes after initiation of the event. The

! STA is supposed to arrive in the control room within 10 minutes of such an event.

l l

! 7-8 I

i

He exceeded that requirement at San Onofre because he had not been alerted that the event had occurred.

On arrival, the STA began performing his normal post-trip task of checking the

" Critical Safety Function Status Trees," S01-1,0-1. His only concern was that the steam generators were below the 10 percent water level on their narrow range instruments. Since that condition was common following reactor trips, the STA reported it to the Shift Superintendent and they both agreed to look into it later. From that point, the STA made periodic independent checks of conditions in progress, referred to the Critical Safety Function Status Trees, participated in control room decisions, and checked the guidance of other procedures. The STA contributed to the decision to cooldown at less than the maximum possible l rate, specifically to stay well within the 100 F per hour limit. A rapid cool-down plan was considered, along with recovering steam generator level, after the report of the steam leak in the mezzanine. But, because the plant was relative 19 stable even with the reported leak, the STA recommended that rather than going through another transient that the plant continue to cooldown within the 100 *F per hour limit. Once this alternate plan was adopted, the cooldown was controlled with auxiliary feedwater flow. He checked the procedure for low steam generator level to see if there was anything else they should do to re-cover level and found the reminder to secure steam generator blowdown. The operators then recognized that the steam generator blowdown at about 100 gpm for each steam generator had been inadvertently re-established shortly after the restoration of electric power, and immediately isolated the blowdown by reducing the radiation monitor setpoint. (The status of steam generator blow-down is not indicated in the control room.)

By all reports the STA performed the useful function of independently monitor-ing operating crew activities and made a positive contribution to the shift's performance.

7.2.2.2 Emergency Coordinator The Emergency Coordinator's responsibilities are normally fulfilled by the Shift Superintendent until he is relieved by an operation's management representative.

The acting Unit Superintendent, an individual normally outside the group con-sidered operation's line managers, was on site to assist the Shift Superinten-dent in troubleshooting the electrical ground on the IC 4kV bus. This individ-ual returned to the control room during the 4-minute power loss and, after power was recovered and the situation was evaluated as an Unusual Event, took over the position of Emergency Coordinator.

NRC was never officially notified of the Unusual Event declaration, a responsi-bility of the Emergancy Coordinator, althcugh several phone discussions were held between the site and the NRC. The likely cause of this oversight is that the official declaration to the NRC was simply missed.

The Emergency Coordinator provided the first full explanation of plant conditions to the NRC. The explanation included three major errors which contributed to NRC's confusion. First, the reactor trip was explained as resulting automati-cally from the loss of the transformer. Second, the plant was confirmed to be in an Alert status and third, the feedline leak was initially described as a leak in the main steam system as opposed to a steam leak of unknown origin.

7-9

Thus, there were inadequacies iri the manner in which NRC was notified and in how the event was described.

7.2.2.3 Other Support Services Other support services were provided by emergency service personnel, health physicists and security personnel. Emergency services personnel responded to the event when the possibility of a fire was reported and subsequently partici-pated in attempts to locate and secure the source of the steam leak. No diffi-culties were noted in the performance of the emergency services personnel.

Health Physics personnel took samples as requested. With the loss and restora-tion of power, security systems were affected. Site security personnel and operators recognized the situation and implemented planned compensatory measures.

No significant problems were encountered by plant staff in gaining required access to safety-related equipment, and the procedures appeared to work smoothly.

No difficulties were noted in the performance of health physics and security personnel.

7.2.2.4 Post-Trip Review The unavailability of the critical function monitoring system provided by the Foxboro III computer impeded the post-trip review process due to the lack of data to accurately reconstruct the event. The operators' failure to have the computer reset after its power supply was interrupted during the troubleshooting activities and after the 4-minute loss of power negated the data gathering and recording functions of the system. Consequently, the trend recorders provided the only plant thermal-hydraulic parameter data available for the evaluation of the system responses. As the name implies, these recorders provide only quali-tative information. During the 4-minute loss of ac power, the computer and most trend recorders did not record useful data.

In discussions with SCE technical representatives, the Team observed that, on occasion, some site personnel who generally evaluate plant data lacked a suffi-ciently inquiring attitude. As a result, certain significant underlying reasons for system response or component performance were not detected until brought to SCE's attention by the Team. Examples include (1) the Team's reluctance to accept that the flash evaporator failure was not in some way connected to the water hammer led the Team to hypothesize a connection, which when tested, led to the discovery of the first failed feedwater pump discharge check valve; (2) the Tearr's reluctance to accept the first explanation of the similarities of east and west feedwater pump suction temperature traces led to the discovery of the second failed feedwater pump discharge check valve; and (3) the Team's reluctance to accept cparatcr log entrier %ich could not be confimed on every pertinent recorder trace led to the confirmation of the Team's conclusion that a reactor coolant pump had been started earlier than reported. It appears that SCE's process for evaluating and following up events may not be sufficiently thorough, and not systematic enough, to identify all failed components and root causes of failures.

The SCE's post-trip review report has not been completed. (The unit will be in a scheduled refueling outage for several months.)

7-10

7.3 NRC Emergency Response Performance NRC involvement in the November 21, 1985, event was limited to receiving the initial notification of the plant transient, alerting appropriate staff members, establishing communication links, dispatching resident inspectors to the site, asking questions, evaluating information, notifying other Federal agencies, monitoring SCE activities, and answering questions.

7.3.1 ENS Communications Problems The communications problems between San Onofre Unit I and the NRC can be divided into malfunctions of ENS system hardware and poor communications on the part of site and NRC personnel. The hardware problems with the ENS are discussed in section 8.10 and the site's communications performance deficiencies are dis-cussed in section 7.2.2.2. This section addresses the NRC's part in the com-munications problems.

1 Several of the reasons for poor communications on the ENS are NRC's responsibil-ity. The NRC pursued a line of questions that focused on details rather than on the overall plant status. The information provided to NRC frequently was j not understood because the recipients lacked site-specific background information and were therefore confused about plant conditions. The NRC asked leading ques-tions that produced answers of little value or created misconceptions about the sequence of events.

The NRC did not establish an open phone line to the site for over an hour. NRC Resident Inspectors took over the communications function from SCE personnel and then transferred the phone pickup location to a point remote from the information available in the control room. Finally, the NRC used the ENS phone for purposes other than obtaining information about the plant, i.e., a redundant retelling of information for each new NRC participant who came '

on the line in the ongoing discussion.

7.3.1.1 The Focus of NRC Inquiries in reviewing the transcript of ENS communications, it became obvious to the Team that questions asked by NRC characteristically focused on detail, when frequently a better question would have provided an overall perspective of the plant's status and the sequence of events which produced it.

For example, NRC learned that the plant had experienced a loss of power and that the reactor had been manually tripped. Instead of asking why the plant had to be manually tripped, NRC asked whether they lost flow. The affirmative response by SCE led NRC to conclude that the reactor protection system (RPS) must have failed, because a loss of flow should produce an automatic trip. In reality, a partial loss of puwer nad led the operators to manually trip the plant, which led to a loss of power to reactor coolant pumps, which in turn led to the loss of flow. Nothing was wrong with the RPS.

NRC's information gathering approach arises from the common practice of attempt-ing to understand events in a causal form. This event-based reasoning usually works well in an engineering environment, where engineers evaluate the effects of component or system failures, i.e., when reasoning from an event forward.

The approach fails when the task involves reasoning backwards and the initial cause is incorrectly diagnosed or when there is more than one significant cause.

Because faulty reasoning was a major contributor to problems in the response to 7-11

1 the TMI accident, NRC required the industry to develop another approach for l operator control-during emergencies. This approach has operator procedures j focus on symptoms or safety-functions as the basis for emergency operator actions.

This same concept may be of benefit to NRC staff involved in ENS communications during emergencies.

i 7.3.1.2 NRC Lack of Plant-Specific Knowledge NRC at times misunderstood statements by SCE because the recipients lacked knowl-edge about the unique design and operation features at San Onofre Unit 1. For example, the plant does not automatically load diesels on a loss of power and,

under these conditions, plant-specific procedures require use of off-site power, if it is avalaible. The NRC Duty Officer assumed that the diesel generators should automatically load on loss of power, as is common in the industry, and i therefore assumed that the recovery involved loading the diesels. The site 1

identified the specific transformer lost, but that information was not useful

because the NRC did not know the plant-specific electric bus configuration or identifiers. When the steam leak was reported, the NRC asked which side of the j main steam isolation valves the leak was on. This plant does not have main

. steam isolation valves and must manually shut block valves.

i These and other examples of plant-specific knowledge deficiencies caused mis-understandings that contributed to NRC confusion on what happened.

7. 3.1. 3 Leading Questiogs NRC frequently asked leading questions designed to elicit responses that would i support assumptions about how the plant was designed and operated, or hypothesis j about the sequence of the event. Unfortunately, the SCE staff did not always

( catch the errors in logic, and therefore did not correct them; on occasion SCE

! appeared to confirm inaccurate information, as in the following excerpt:

NRC: OK. Did diesels pick up?

Site: The diesels started.

NRC: Did they loai?

Site: No. They don't automatically load here.

NRC: OK. So that was part of the recovery process j Site: Right. L NRC misinterpreted the response to the implied last question as confirming that i the inplant buses had been recovered by loading the diesel generators. The

! inplant buses were recovered using the preferred source, the switchyard, as l designed and required by procedure. Unlike most other reactor plants, these j diesel generators start on loss of power, but do not automatically load unless J

a safety injection occurs.

1 i

i 7-12 i

Another example follows:

NRC:

Now, the basis for the Alert, that's because you had a loss of offsite power? l Site: It was based on that, that's correct.

NRC: You did lose off-site power?

Site:

We lost off site power to the site for approximately 15 minutes.

NRC:

Was that only to Unit 1 or to the entire station?

Site: No. Only to Unit 1.

NRC: Are you out of the Alert now?

Site: We have not gotten out of the alert right now. We're still eval-uating. As I indicated to you we have a break in the main steam system.

And we're evaluating whether we're in a UE [ Unusual Event] due to a rapid depressurization of the main steam system.

NRC: OK. So you're currently in an Alert.

Site: Right.

Later, after NRC conversation occurs. informs FEMA that the plant was in an " Alert," the following NRC:

The licensee has been emergency borating, they have aux feed-water, is operating satisfactorily. The licensee, correct me if.

I'm wrong, declared an Alert...

Site: No sir, I declared an UE.

NRC: An Unusual Event?

Site: Unusual Event.

NRC: Are you in an Unusual Event?

Site: No Alert was declared.

NRC: Not declared.

Site: We were never in an Alert. We are still in an UE. And we are probably close to getting out of it, now that we've-isolated our steam leak.

The combination of leading questions and confirmation of misinformation signif-icantly confused NRC's understanding of the event and plant status. In the first instance, the site appeared to understand the term " alert" as a generic name for emergencies.

This may be because the individual responding to NRC questions does not normally fill the role of Emergency Coordinator. However, Communication difficulties of this kind are attributable to the-inadequate 7-13 '

training of ENS system users on the subject of how to use the question and answer process to obtain appropriate, timely information.

7.3.1.4 SCE's Inability to Support an Open ENS Line The NRC perceived statements by plant personnel to indicate that they could not support a continuous open ENS line. The first call occurred during the loss of ac power and the Shift Superintendent hurried the NRC off the line to get back to the plant. Near the end of the second call, there was a concern in the con-trol room for a possible SI and the Shift Superintendent again cut the call short. In the third call almost an hour after the trip, originated by the NRC Duty Officer, the Duty Officer requested that an open line be maintained. When he discovered he was speaking with the Shift Superintendent, he suggested that the Superintendent call back when they could support the open line, even though the Shift Superintendent volunteered to provide a summary of plant status. The Superintendent then agreed to call back. In the next call, the site's Emergency Coordinator stated that he did not understand the event yet and asked if he could call back in 15 minutes. (However, the NRC continued to question him regarding the cause of the event and in response he provided information which later turned out to be inaccurate.)

The NRC Headquarters Duty Officer and Emergency Officer took the first two calls to mean that the site did not have sufficient personnel to support an open ENS, which seemed to be confirmed by the subsequent calls. This conclusion resulted in limiting the initial communications with the site unnecessarily.

7.3.1.5 NRC Site Communicators

.Another communication difficulty resulted because NRC Resident Inspectors re-lieved more knowledgable plant operators as ENS communicators. This substitu-tion deprived the NRC staff on the ENS of access to personnel knowledgeable about the plant and capable of interpreting plant data. Further, NRC site per-sonnel used a telephone remote from the control room to communicate with NRC headquarters. (See Figure 4.17 for the location of the phone used in the NRC .

consultation room.) The NRC rationale for the use of this phone was to minimize crowding in the control room. As a result of this relocation, runners had to be used, as available, to take requests to the control room and return with the relevant data. This cumbersome arrangement resulted in the inability of NRC staff on the ENS to monitor plant conditions in a timely manner.

Because SCE had staff and the responsibility to support an open ENS line, it was unnecessary and inappropriate for NRC to assume the role of the lone communicator.

7.3.1.6 ENS Conferencing The ENS system was used by NRC for functions beyond initial notification and information collection from the site. As each new NRC participant was brought into the conversation, he was briefed about what had happened. During these discussions, little new information was revealed and the site communicator was frequently a passive participant. When briefings were not being conducted, the conversation frequently turned into a conference evaluation of past data, some-times to the exclusion of soliciting new information from the site. Both uses of the ENS would have been better handled on separate telephone lines and doing so would have allowed the establishment of systematic processes for obtaining 7-14

information needed by the NRC to understand the event. The situation appears to arise because NRC lacks policy and guidance on the proper use of the ENS.

7.3.2 NRC Incident Response Plan Implementation During the event, the NRC partially staffed the Region V and Headquarters Incident Response Centers (IRC) but did not formally enter a standby response mode, as described in NRC Manual Chapter 0502, "NRC Incident Response Program."

Early communications between the site and NRC were not effective in developing an understanding of the event. The need for additional information and clari-fication of previously established facts was recognized by both the Region V Duty Officer (RD0) and Headquarters Emergency Officer (E0). The RDO informed the Senior Resident Inspector (SRI) of plant status and his concerns, and th e SRI volunteered to go to the site to determine what was going on and then call back. The E0 requested that additional staff members go to the headquarters IRC to establish an open communications line with the site to further evaluate event information. Subsequently, an open line was established between the site, the Headquarters IRC and the Region V IRC. As the morning unfolded, additional NRC personnel staffed these three communications centers.

SCE indicated in the second call that an Alert emergency classification declara-tion would probably be made on a subsequent phone call, and that it would prob-ably be closed in the same call. During later phone discussions, SCE did not notify NRC of the declaration of an Unusual Event. At 05:06, and shortly after L 06:00, SCE personnel appeared to confirm that the plant was still in an Alert.

Based on this information, the HQD0 notified the Federal Emergency Management Agency of the event at San Onofre, Unit 1.

Generally, a site declaration of an Alert would precipitate an NRC response mode transition to standby. This transition can be authorized by an executive team member, or Regional Administrator, or in the event of their unavailability, by the E0. Approximately 15 minutes after the apparent confirmation of an Alert, the Regional Administrator was bridged into the open line and, in response to his request for a summary of what had happened, learned that the site was in an Unusual Event. With this clarification of event classification, and recognition of the current status of NRC response, no formal activation of the incident response plan or transition to standby was warranted. The activities being performed by NRC were appropriate to a normal response mode.

7-15

// l l l l l I Fig. 7.4 Fig. 7.3 Fig. 7.2 J r

,k i

l Figure 7.1 Control Room Orientation of Figures 7.2,7.3,

• and 7.4 amams a amma m .

I sj SEQUENCER O LIGHTS OUT INITIALLY t,

t '

i. . , -

Figure 7.2 Safeguard Load Sequencing System (SLSS)

Surveillance Panel 7-16

C8 4012 y;mn- = .e BREAKER ,a ; w *i-CONTROL F-a y AND INDICATOR .,

" SYNC. '"

BY-PASS" g;j AUX.

CB 6012 ^

BREAKER -

C CONTROL i:

"b- og/ .. '

AND -

s INDICATOR

,  : +.

' " LOSS OF 220KV AUTO

"?

s TRANSFER

'~ END OF SEQUENCE"

" LOSS OF 220KV 18KV SYSTEM Figure 7.3 Electrical Auxiliaries Panel (left side) ISOLATED" VITAL BUS AVAILABILITY LIGHTS (1, 2, 3, 3A, 4, UTILITY AN D 5, 6)

MOD OPEN INDICATOR 7 Tl W " '

N P

$ Cl W EB ' ,g AUX. ~

TRANSFORMER s s-i' C

} l3 IiY' ads [e* s W{f c

5 - ,

~[l

+

s..

Figure 7.4 Electrical Auxiliaries Panel (right side) 7-17

8 OTHER EQUIPMENT AND SYSTEM EVALUATIONS This section identifies and evaluates other equipment and systems that had problems during the November 21, 1985 event. The performance of the equipment and the root cause of the problems are also included.

8.1 Auxiliary Transformer C Secondary Side In the process of searching for the ground f ault on 4160-V bus IC, plant per-sonnel had located it on the X winding (secondary side) of auxiliary transfor-mer C between the transformer and the bus. At 03:35, the operators had isolated the fault from bus IC, but kept the transformer with a ground energized. At 04:51, the auxiliary transformer C differential relay actuated, tripping and isolating the transformer. After the trip, the targets on the differential relay identified that phase 8 and C trip had occurred. Subsequent investigation has located the fault to be in one of the interconnecting cables between the transformer and bus IC. The interconnecting cables are 3/c-750 Kc mil aluminum armored cables, which run in cable trays located in the turbine building. The cable tray which contained the faulted cable section was located directly be-neath a feedwater pipe flange, which appears to have leaked for sometime. Fig-ures 8.1, 8.2, 8.3 and 8.4 show the details of the damaged cable section. A detailed examination of the damaged cable will be performed by SCE.

The root cause of the transformer differential protection actuation is believed to be the phase-to phase fault in the cable section which was damaged. The cause of the cable failure is under investigation; however, the intrusion of water into the cable could have contributed to its ultimate failure.

8.2 Safety Injection Annuciator During the event, when the unit was without ac power, the reactor plant first-out annunciator window 2 (RPF0 2) alarmed indicating SI initiation. The control room operators reviewed plant conditions and concluded that the alarm was spur-ious, and that SI had not initiated and was not required. Subsequent investiga-tion has determined that the alarm relay that actuates the SI annunciator window is ac power dependent and will erroneously alarm on loss of that power. This is a design deficiency.

8.3 SLSS Remote Surveillance Panels During the event when control room operators were verifying SI actuation, the SLSS remote surveillance panel load group status lights were reviewed for indication of SI actuation. The load group status lights on both sequencer panels indicated SI actuation. (Section 4.13 describes the operation of the status lights.) This indication of the SI actuation was also determined to be spurious, but did cause some confusion to the operators during the event. This spurious actuation of the SLSS surveillance panel lights is under investigation by SCE.

8-1

8. 4 Flash Evaporator Unit During the event, the east condensate header was overpressurized causing a catastrophic failure of the east flash evaporator shell.

As shown in Figures 8.5 and 8.6, the evaporator unit consists of a flash evapo-rator in a common housing with the 4th and 5th point low pressure feedwater heaters and drain coolers. The flash evaporators have not been used for several years and extraction steam to them has been isolated. The evaporator condenser is, however, still part of the condensate system flowpath. Design pressure of the flash evaporator condenser, 4th and 5th point low pressure feedwater heater tubes is 350 psig, while the shell side design pressure is 15 psig. The low pressure feedwater heaters were in service on November 21.

When bus 2C deenergized and the east main feedwater pump tripped, failed dis-charge check valve FWS 438 allowed the west main feedwater pump to pressurize the east condensate header. This pressure caused a tube failure in the east evaporator condenser which pressurized the flash evaporator shell resulting in the failure of the shell shown on Figures 8.7 and 8.8. The evaporator heater tubes are visible on Figure 8.8. After the loss of all inplant ac power, the remaining (west) main feedwater pump coasted down, and failed main feedwater regulating valve check valves (FWS 345, 346, and 398) allowed backflow from all steam generators through the failed east and west main feedwater pump discharge check valves (FWS 438 and 439) to the failed tube in the east flash evaporator condenser. This backflow continued until the operators closed motor-operated feedwater header isolation valves 20, 21, and 22, and main feedwater regulating valves FCV 456, 457, and 458.

SCE personnel have partially disassembled the east flash evaporator unit to determine the extent of damage. Figure 8.9 shows the unit with the evaporator heater, flash chamber, and south water box removed. The flash evaporator condenser tubes are visible in this view. Figure 8.10 shows a rupture of one of the evaporator condenser tubes. SCE is continuing its investigation into the damage to the east flash evaporator unit.

Helium leak checks were performed on all east feedwater heaters, revealing no leakage beyond that expected from normal operation. The west feedwater heaters will be leak-tested prior to returning the unit to service.

The failure of the flash evaporator had no direct safety significance.

8.5 Turbine Breakable Diaphragms (Rupture Disks)

During the event, steam was observed issuing from the low pressure turbine breakable diaphragms. As shown on Figure 8.11, each low pressure turbine has four breakable diaphragms designed to protect the turbine casing from over-pressurization. The diaphragms, made of thin lead, are designed to break if turbine exhaust pressure, normally subatmospheric, reaches 5 psig. The diaphragms are supported against external atmospheric pressure and normally seal the turbine casing against air inleakage. All diaphragms were intact prior to the November 21 event. '

8-2 I' -

2_______

Four of the diaphragms ruptured during the event, three on low pressure turbine 1 and one on low pressure turbine 2. Rupture of the diaphragms is not considered unusual for conditions existing after a loss of all ac power with continued energy addition into the main condenser and is of no safety significance.

8.6 Reactor Coolant Pump B Thrust Bearing Temperature Indication Reactor coolant pump B was started at 05:01 and at 05:09 the thrust bearing high temperature alarm was received in the control room. When the operators checked the reading, the temperature indicator appeared to have failed high.

After discussion, the operators decided to accept the indication reading as valid and started the RCPs A and C and stopped B. Subsequent investigation has determined that the temperature detector failed resulting in the high temperature indication. This failure is considered a random failure, not associated with the event.

8.7 Steam Generator Blowdown Isolation On loss of power, the radiation monitors fail in a mode which isolates the con-tainment building, including steam generator blowdown. After power was restored, blowdown resumed when radiation monitors in the control room were reset. A re-view of the design and operation of the operational radiation monitoring system (ORMS), shows that blowdown isolation functioned as designed. However, the status of steam generator blowdown is not indicated in the control room, and the operators did not recognize that steam generator blowdown was re-established when the radiation monitors were reset.

8. 8 RHR Valve Interlock During the event, initial attempts at opening RHR system valves MOV 813 and MOV 834 were unsuccessful. It was assumed that the pressure permissive inter-lock was malfunctioning and the valves were opened by manually depressing the interlock relay. Subsequent investigation had determined that the permissive performed as designed. The procedure was found to be imprecise and information provided in training did not correspond to actual plant setpoints. As a result, the operators did not correctly understand the response of the pressure-permissive interlock.

8.9 Event Recording Systems The majority of the plant capability to record data needed to analyze the event was not available. During troubleshooting for the ground on the IC 4kV bus, the '

power to the Critical Function Monitoring Systems general purpose computer (the Technical Support Center computer), the FOX III, was momentarily interrupted, causing loss of the automatic minute-interval storage of plant data. The system was not reset by the operators. Consequently, when the reactor trip occurred hours later, the 25 minutes of pre-trip data automatically printed was for plant conditions not related to this event. The system did not provide useful infor-mation until reset after the event at approximately 08:30.

I In addition to loss of the FOX III system, nine control room chart recorders {

lost power to their chart drives for the duration of the loss of station power.

In seven cases, power for the recording pens was not lost. The recorders l

l 8-3 l

continued to record parameters values but without the chart drive. As a result, only the minimun and maximum parameter readings are available for the period the power was off. A summary of the recorders affected include:

Chart Drive Lost For: Pen Status:

All Steam Generator Continued marking, steam flow, feed flow and water level.

Pressurizer pressure, Wide range pressure wide and narrow range, indication lost only, level, water temperature.

RCS Cold leg temperature. Continued marking.

T ave /T ref. Failed low.

These failures limited data available to monitor plant behavior in the Technical Support Center and hampered efforts to reconstruct the event and to evaluate system performance after the event.

However, the operators had sufficient instrumentation during the event to follow their procedures and ensure plant safety. The loss of instrumentation and the ability to trend parameters would have become more important if the event had been of longer duration or had involved additional complications.

8.10 Emergency Notification System During the event, the Emergency Notification System (ENS) red prone in the con-trol room rang spuriously while the plant was experiencing electric power prob-lems. Since the spurious ringing apparently coincided with power system trans-ients, a review and investigation of the power supply system of the ENS was conducted. Figure 8.12 shows the power supply arrangement. The root cause could not be determined and is considered as random noise-induced signals.

l However, this spurious operation distracted control room personnel and led, in part, to mixed communications and confusion between SCE and NRC personnel.

8.11 Safeguards System The automated safeguards access control system had two malfunctions during this event. Nevertheless, operators and security personnel implemented appropriate planned compensatory measures. The Team identified no signifi-cant problems that operators had in obtaining access to safety-related plant equipment.

8-4

-.%,.,...3 ,

/ '

. ~:

W. .

/ , . T.J .

4 CW' ' . .~g;p

.,.,^.# -

x ;' -

-- .y e

v. 1

.-y- :4+

. , . , .:  ;' . mi

.; :1

~<

v, .1

.,, .7,

,,a .

L

,.5 '

'*3 _

. . :. ; . ::u.caa aadk i k' . .h .-

Figure 8.1 Cable Length Showing Damage c ,.rw ~.  ;

,rP ; .

• g ' - , .4 ,

f w . s . .

-' \ -

\..

~.j!f f- .-

s. .

4..

../.: 3 . .;

y , py, i i1 ,

o

.,

• gy

. .c-

.4 1

- r N

N' g.y%j -

fry _ , ) ' - ..

,L 4 fi ," "i

['. ~ .

, [- : _.

g1- f.. c,z. . , . )

. g. 6 '.  : 4 ~'

• vjur k ...., . . . . .

.. .. . . s - '*' .

Figure 8.2 End View Showing 3/C 750-Kc mil Copper Conductor, Neoprene Jacket and Aluminum Armor 3

8-5

. _ _ . _ _ _ . . . _ . _ . _ _ _ _ _ _ _ . . _ _ ~ - _ - _ _ _ . _ . . . . . _ _ - . . - . _ _ . - _ . . . . _ . . . , _ _ _ _ _ . _ _ . . _ _

-Q xNs

.g

/

/ ,

~. . .- -

/  ; --

~

, 'g;=, j

-r..

s GW ),- anew

, e.:

.v_ -

s;.

m.

)@3 1

3

- ^g .

l

~

, .,c

1J' ,' 1

~7. _.j

,; 9

~

.uL -

l

. 1 u;p

~

.. ~ . :., c49

_ . u _ ,w m&, .m Figure 8.1 Cable Length Showing Damage g...,, _

M

.a g:

a .-'

f ..

{". # '

_'

• i -

.1, .

. .p ;

s.

i

j. l+ .

q ..e

g. s-g]

. y

,7

' m ;..y 4

, - 4, - - ...

.: s ; - -

h, '

<\..- 4

.e. #

'Ik D

, .}

,. e . 4,

s. .,,.g .

..-(

..g -;,..... ww:p"g

.f ;.

z* .

t

,h#... . . , , . . . . 's.t S*u M. e'. .

Figure 8.2 End View Showing 3/C 750-Kc mil Copper Conductor, Neoprene Jacket and Aluminum Armor l

i 8-5

,. . , q x ; e W ' ' Y;a + ' ' "

~~

'"t.:.. w, f ., _, .f r .

. t

' .Q ,' ; _ *)_ i j; %f *

,  ;; : - ~*

- z. -~. !  : 53:,

. . . . :"  :,y

. .,e

- . . ,:1

%,&.Q; p );, . . - :- , , " , :.

. / ,;. ,, =

M .~ ,,

'9

~

.. u-

~  ?'

m, ,q

, jy;L

, Q ,.,j, ( + ,

.o -

p,4.,>- wouw ~ ,; y ;n,a .

a[g] .;-- 4

,, o

. ..(. . a . n, .- ',; k

• Figure 8.3 Cable Section When Phase-to-Phase Faults Occured

%h q . . ~

E

., . .a. ,

'i

. W '.-' ' ;.n,

. .[__ <

sq '

. , j) u,

.q..

.T.~+ Rg

x, .

,

s ;,5s - -

~ : :,.

e a

;

. ~q +

4 ,;

-.+a . %,. . . ~ . _ ;a Tt

?b - .

4 y

, b.g+. g;;ux 3-,O f.m'4f ... 3., '

&.. .n.a ..t

, +

., ";.1

- (. ; . : ,::( yy

' g eS. *' ,- .

i

,  ?

~ , F' 'j

. , a.

O[ wu

~

Figure 8.4 Close-Up of Damage Caused by the Fault 8-6

H 1

)

Q D W b

'J w

n E u

O I V v 8e P s o

r e s

?

s t

o m r n o t

$ u O s a

l F

a r

o p

n "

! a v

a

/s E HTt S l h A l n

t S

n LENo F

a s

a m

l n a r t

r n F o a t E

T n

r A

se o a E H

8 M e A

f M

t n c n

o g n o

A H

C t

a t

W w r F

4 t

s i

a a

n H S S e i n o A -

o r L r

a a

v r

l e

v t

t g

i n

S 5

o ]

8 i

r u

g e

F dc _

i. d Q) i ' 4  !

5 5

• Q E .2 I

Eg Il* 55 e

{s as lst

-- II k

,a N ei 3

ms N *B  :

I=I

-= S 2

/ k a

e

1. os

'  ?

e 5 s

W k.6 R

(

8-8

.,+CQ \ s . _

p  ; N,;*b x I

Figure 8.7 East Flash Evaporator Unit (Southwest View)

c

up.- _ ,

I ,

A

_hl

,; , -q.

c

'A.

J A

A

'I a-g /"

p.

g

- .g 4 1. c. "

Q

[7 '

k ,

s E1 _ A~u hu ..

Figure 8.8 East Flash Evaporator Unit Showing Shell Failure (South View) 8-9

' \\

\

wiih " ._

gy -

l

{ a E  :;

m  :

kbsm .U ~

[$ 33:

.= ..

4 ~rr

"[~~,f; f . ,

Figure 8.9 Flash Evaporator Unit with Evaporator Heater Flash Chamber and South Waterbox Removed (Northwest View) 1

~.

. ... w ' ..

, ;< [ ti?j'.' fr y?' .(

ac c , ,'s % .1Qpaej g .; p -

~ ,

'a- -;, y 1

-p, p g

._i 2 .

Figure 8.10 Failed Evaporator Condenser Tube 8-10

N 4 N W<

1 MIGN PRESSURE TunemE

. O RUPTURED V

RU'TURED

LOW PRESSURE 1 TURelWE U40AMAGEO RUPTURE 0 i

U4 DAMAGED RUPTURED t

LOW PRESSURE 2 TURenE Ufe0AMAGED U4 DAMAGED Figure 8.11 Arrangement of Low Pressure Turbine Breakable Diaphragms 8-11

l l

22e av AUXILLARY TRANSFORMER C 4 A 4160V BUSIC 4160V BUS 2C 11CD2 12CD2 SWCR NO- 1 I av^c 5*ca ao- 2 I 'v^c ItC10 12C10 h 1102 y 1202 MCC#1 480VAC MCC 72 400VAC NORMAL POWER ALTERNATE SUPPLY POWER SUPPLY r --- - g NC; t : 240 ,l MANUAL TRANSFER SWITCH 1 2 4 l l LOCATED IN 4KV ROOM)

L _ _. ___ _J

~ TO SCE TELECOM. SYSTEM 3NVA EXiDE BATTERIES A W W 48&12B740V TRANS.

2 HG3 5 144AH g 3

, , j ,

RO3

^ l 120 VAC I m BATTERY a L COMMUNICAtl0N 12 CHARGER OtSTR. PANEL M LO N 3

- p 48V. 50A FUSE PANEL FUSE PANEL 120V140y N0; 1 40-2 10.30 BREAKER LORAIN PANEL -

INVIRTER _

WBA 102 81 1 500 VA BACK UP OC POWER SUPPLY VA,C SUPetr

' r r-------------------

g D O

{ ine'? =

i l RED PHONtS 15 TOTAll BREAXER BOX le IENS SYSTEM)

I SCE EQUIPMENT  : T ATiti EQUIPMENT I

Figure 8.12 Power Supply Scheme for the ENS 8-12

l 9 PRINCIPAL FINDINGS AND CONCLUSIONS The event that occurred at San Onofre, Unit 1 on November 21, 1985, was signifi-cant because (a) all inplant ac power was lost for 4 minutes; (b) all steam generator feedwater was lost for 3 minutes; (c) a severe water hammer was ex-perienced in the feedwater system which caused a leak, damaged plant equipment and challenged the integrity of the plant's ultimate heat sink; (d) all indi-cated steam generator water levels dropped below scale; and (e) the reactor coolant system experienced an acceptable but unnecessary cooldown transient.

In addition, other aspects which contributed to the complexity of the event and to the burden placed on the operators included: ' a rupture in a flash evapora-tor unit; spurious and incomplete instrumentation indications; fire alarms and system actuations; and malfunctions in the automated security equipment.

The Team has concluded that the most significant aspect of the event was that five safety related feedwater system check valves degraded to the point of inoperability during a period of less than a year, without detection, and that their failure jeopardized the integrity of safety-related feedwater piping.

The root causes of the check valve failures have not been determined and are still under review by SCE and its contractors. Potential contributors to this problem include inadequate maintenance, inadequate inservice testing, inade-quate design, and inadequate consideration of the effects of reduced power operations.

Maintenance records for these valves were either missing or lacked specificity on what was done. Inservice testing records for these valves were inconsistent; the testing procedure was not rigorous; the test acceptance criteria were subjective; the testing frequency was open-ended; and, the tests did not assure detection of the failures found. These check valves and valves of similar design have a history of like failures. Finally, reduced power operations at Unit I are now routine because of steam generator tube plugging and sleeving, and the reduced feedwater flow may have increased the susceptibil-ity of check valve components to hydraulic-induced vibration.

In addition to this major conclusion on the underlying cause of the event, the Team has made the following related findings and conclusions. There is no significance to the order in which they are presented.

1. The primary cause for the water hammer in the feedwater piping was the failure of multiple check valves in the feedwater system. These failures permitted the piping to empty and fill with steam before the motor-operated feedwater isolation valves were closed. Although the steam condensation-induced water hammer ~ occurred in only one feedwater line, the potential existed for water hammer to occur throughout the safety-related portions of the feedwater system.

2. The failures of the five check valves in the feedwater system provided a mechanism for potential common mode failure of the heat sink provided by the three steam generators. The failed check valves permitted high pres-sure steam and water from the steam generators to flow back to the low pressure condensate system; the backflow carried with it the auxiliary 9-1

feedwater flow necessary to maintain the heat sink provided by the steam generators. Operator actions were necessary to stop the backleakage and prevent a more serious sequence of events.

3. Long horizontal runs of feedwater piping with the potential for voiding are particularly susceptible to destructive steam condensation-induced water hammers. Further, operators are not provided the means for detecting the voiding of these lines or given guidance on appropriate ways to deal with the situation. Design or procedural changes may be warranted.

4. The flash evaporator failed when overpressurized by the discharge flow of an operating feedwater pump due to the partial loss of power and a stuck open feedwater pump discharge check valve that should have prevented the backflow.

5. The timing of the five check valve failures could not be ascertained with certainty. The Team concluded that all check valves had failed prior to the event because the missing parts to the valves were not found in the inspected feedwater piping after the event. Noise from the B steam gener-ator feedwater piping, evident to plant personnel since June 24, 1985, supports the conclusion that the feedwater control station check valve in the B feedwater line had failed earlier. The inspection of the steam gen-erators has not yet been completed by SCE.

6. The surveillance procedure for testing the check valves in the Inservice Testing (IST) program lacked adequate methods and objective acceptance criteria for determining whether check valves are closed. Thus, although the check valves had been tested within the past year, operators may have misinterpreted the test results. Furthermore, the IST is not designed to detect developing conditions that may lead to the failure of the check valves, e.g., loose disks and stud nuts.

t 7. The NRC had not completed its review of SCE's Inservice Testing Program.

The initial program was submitted in September 1977 and revised in its entirety on January 24, 1984. Disagreement between SCE and NRC on resolu-tion of certain open issues and scheduling problems with NRC's review have substantively contributed to this delay.

8. The resolution of the Unresolved Safety Issue, USI A-1, " Water Hammer,"

did not specifically address the prevention and mitigation of the conse-quences of condensation-induced water hammers in feedwater piping upstream of the feedring. Interviews of NRC staff involved in resolution of water hammer issues failed to develop citable references, decisions, or discus-sions that provided a basis for excluding further consideration of feed-water piping water hammer. However, in the regulatory analysis of the resolution of USI A-1, the staff acknowledged that elimination of water hammers is not feasible, that the frequency of water hammers had been sub-stantially reduced by changes in design and operations, and that studies of water hammer had revealed a significantly lesser safety concern than previously hypothesized. It appears that further consideration of water hammers due to main feedwater line voiding was not pursued due to a lack of reported occurrences in U.S. plants.

9. NRC's reliance on "J" tubes to delay the development of conditions neces-sary to support steam generator water hammer implicitly assumes that feed-water check valve integrity would be maintained to prevent steam generator 9-2

feedring voiding. However, corresponding regulatory requirements to ensure that these check valves performed this safety function were not part of the resolution of the water hammer issue. ,

10.

The root cause for the loss of power was a phase-to phase fault of an electrical cable from auxiliary transformer C to bus IC. The underlying reason for the cable failure has not yet been determined; however, it appears that the cable may have become wetted by a long-term flange leak from the feedwater system, running above the cable tray.

l 11.

The plant is designed to experience an extended loss of inplant ac power on loss of offsite power without safety injection. Operators are required to restore power from the switchyard or to load the diesel generators to restore inplant power. SCE's Emergency Operating Instructions on loss of ac power lack guidance on how long operators can attempt to restore power from offsite sources before the diesel generators should be loaded follow-ing a loss of inplant ac power, or how long the diesel generators can run unloaded without overheating, if their ac powered radiator fans remain de-energized.

12.

The station loss of voltage auto transfer scheme for establishing the delayed access to offsite power may not have functioned as designed. SCE evaluations are continuing.

13.

The multiple spurious indications early in the event that a safety injec-tion actuation had occurred, added to the confusion of the situation and unnecessarily increased the burden on the operators. Operators diagnosed plant conditions and appropriately disregarded these indications. The safety injection annuciator will always incorrectly alarm on a loss of ac power. This is a design deficiency.

The cause of the spurious indication on both safeguard load sequencer system panels is still unknown.

14.

The operating staff, with the concurrence of management, did not follow appropriate procedures when troubleshooting the electrical ground. Their actions unnecessarily delayed entry into Technical Specification Action Statement requirements that could require plant shutdown.

15.

Once the electrical ground was located on the feeder from auxiliary trans-former the C to bus auxiliary IC, the operators did not a w essively pursue isolating transformer. Instead, they opted to leave the transformer energized while technicians performed inspections that did not require the transformer to be energized.

16.

The operators' actions, after the transformer trip, were consistent with their training. However, in the Team's judgment, some operators lacked detailed plant knowledge in the following areas:

Cautions associated with paralleling transformers.

Requirements for resetting unit generator trips.

The process for operating 220KV circuit breakers.

Expected indications and timing of the loss of voltage automatic transfer scheme.

Setpoints for residual heat removal system pressure interlock.

Expected indication and meaning of lights on SLSS sequencer panels.

Operability of diesel generators with auxiliary transformer C reactor coil bypass breakers removed.

9-3

These deficiencies may be due to inadequate operator training and/or procedures.

17. On occasion, some site personnel who generally evaluate plant data lacked a sufficiently inquiring attitude. As a result, certain significant indi-cations of underlying reasons for system response or component performance were not detected until brought to the attention of SCE by the Team. It appears that SCE's process for evaluating and following up events may not be sufficiently thorough and systematic to assure that failed components are detected and adequately explained.

18. The status of the steam generator blowdown system is not indicated in the control room. The reestablishment of blowdown when the radiation monitors were reset was not recognized and adversely contributed to the cooldown of the reactor coolant system and to the delay in recovering the steam gener-ator' levels.

19. During the loss of all inplant ac power, sufficient information was avail-able in the control room to enable the operators to follow their procedures and ensure plant safety. However, control room operators had failed to have the Technical Support Center computer reset following electrical ground troubleshooting activities. This failure disabled the computer's ability to record new plant data and thereby denied the operators access to pre-trip and post-trip trends that would have assisted real time and post-event analysis and evaluation. Had the station blackout been of longer duration, or involved additional complications, operator responses and the functions provided by the Technical Support Center could have been hampered by the lack of trend data.

20. Station maintenance records are incomplete, difficult to locate and, when available, lack sufficient detail to determine what was done.

21. The spurious ringing of the NRC red phone at the beginning of the event has not been explained, but it distracted control room personnel and con-tributed to the confusion in the communications between SCE and NRC.

22. ENS communications between NRC and SCE were not effective because: (1) the NRC Duty Officer was not knowledgeable about the unique design of the plant and, therefore, misinterpreted operator responses to questions; (2) commun-ications with the plant were initially limited because statements by plant operators incorrectly implied that sufficient personnel were not available to support the establishment of an open line; (3) NRC asked leading ques-tions and operators sometimes did not correct, and in some cases appeared to confirm, inaccurate information; (4) NRC questions characteristically focused on details rather than on the " big picture"; (5) NRC cluttered the communications channel with repetitive discussions about the sequence of events as additional NRC personnel came on the line to the exclusion of obtaining new plant information; (6) NRC resident inspectors relieved more knowledgeable plant operators as ENS communicators and reestablished com-munications at a location remote from real time plant information; and, (7) plant operators failed to inform the NRC of the declaration of an unusual Event.

23. There were two malfunctions of the automated security access control equip-ment; however, site personnel implemented appropriate planned compensatory measures, thereby precluding a safety-safeguards interface problem.

9-4

c

24. There was-no significant release of radioactivity.

It must be recognized that this' report was compiled prior to completion of all required inspections and evaluations of equipment involved in the event. SCE's continuing diagnostic efforts have unearthed additional information nearly daily; however, this information has been easily integrated into the Team's understand-ing of the incident and in most cases has confirmed long-held hypotheses on the sequence'of events. Future reports from SCE will incorporate the findings of-those studies which are not yet complete.

9-5 L

4 APPENDIX A Memorandum from W. J. Dircks, Executive Director for Operations, to the Commission, November 22, 1985

APPENDIX A

[os =eg'o UNITED STATES

~g E o NUCLEAR REGULATORY COMMISSION

$ e $ WASHINGTON, D. C. 20555

.....* NOV 221985 MEMORANDUM FOR: Chairman Palladino Commissioner Roberts Commissioner Asselstine Comissioner Bernthal Commissioner Zech FROM: William J. Dircks Executive Director for Operations

SUBJECT:

INVESTIGATION OF NOVEMBER 21, 1985 EVENT AT SAN ON0FRE UNIT 1 WILL BE CONDUCTED BY AN INCIDENT INVESTIGATION TEAM (IIT)

At about 5:00am on November 21, 1985, San Onofre Unit 1 experienced a loss of an auxiliary transformer. Subsequently, a partial loss of electrical power occurred and the control room lighting was lost. The reactor was manually scramed which resulted in a short-term loss of all AC power. A sizeable, unisolable leak was then identified in the feedwater system which is used to maintain steam generator levels, and other failures were experienced in the plant equipment. The plant is now in cold shutdown. There were no releases and adequate core cooling was maintained at all times.

Because of the nature and complexity of this event, I have requested AE0D to take the necessary action to send a five member IIT of technical experts to the site to: (a) fact find as to what happened; (b) identify the probable cause as to why it happened; and (c) make appropriate findings and conclusions which would form the basis for any necessary follow-on actions.

The team will report directly to me and is comprised of: Thomas T. Martin, Director of the Division of Engineering and Technical Programs, Region I; Mr. Waynt. Lanning, Chief, Incident Investigation Staff, AE0D; Mr. Steven Showe, Chief, PWR Training Branch, IE - Chattanooga; Mr. William Kennedy, Safety Operational Engineer, Division of Human Factors, NRR; and Mr. Matthew Chiramal, Chief. Engineering Section, AE0D. The team was selected on the basis of their knowledge and experience in the fields of reactor systems, reactor operations, human factors, and power distribution systems. Team members have no direct involvement with San Onofre Unit 1. The team is currently enroute to the site.

A-1

The licensee has agreed to a request by Jack Martin, Regional Administrator, to preserve the equipment in an "as-found" state until the licensee and the NRC Team have had an opportunity to evaluate the event. The licensee has also agreed to maintain Unit 1 in a shutdcwn condition until concurrence is received frem the NRC to return to power.

The IIT report will constitute the single NRC fact-finding investigation report.

It is expected that the team report will be issued within 45 days from now.

Wi iam J. Dircks xecutive Director for Operations cc: SECY OPE OGC ACRS OPA Regional Administrators l

l l

A-2

APPENDIX B 1

Plant Conditions When Water Hammer I Occurred and Estimated Piping Support Loads l

l

w 4

APPENDIX B i

This appendix deals with voiding conditions when wat.~ hammer occurred at SONGS-1, the refilling process and the estimated war.(.. hammer loads that resulted as based on' analyses of damage to piping supports. These estimates have been used to develop the findings reported in section 6.

PLANT CONDITIONS WHEN WATER HAMMER OCCURRED Estimated Voiding of Loop B The void present in loop 8 feedwater pipe downstream of motor-operated isolation valve MOV-20 when water hammer occurred was estimated several ways:

1. Sequence of events and volumes

2. Hydrodynamic instability 3.

Evidence of water hammer load at FWS-378 j

The first method relies to a large extent on operator recollections and fill volume calculations; the second method relies on current theories related to steam-condensation water hammer phenomenon and the flow instabilities leading to steam pocket collapse; the third method relies on calculations of the loads required to plastically yield (i.e., stretch) the bonnet studs of FWS-378 (the 4-inch check valve in the Loop B flow control train). This last method is the most reliable. Determining the void fraction is necessary for estimating steam-condensation water hammer loads. Since the water hammer load that affected FWS-378 was a traveling wave (i.e., " classical" water hammer) the extent to which the bonnet studs were elongated can be used to back calculate the impulse wave and the reflected wave.

Sequence-of-Events and Volumes Method The lower estimate of void fraction can be calculated assuming that:

1. MOV-20 was closed at 04:55 2.

AFW flow had increased to 155 gpm* (two AFW pumps were operating)

3. AF.

flow was reduced to zero at 05:00 and then reset to 41 gpm at 05:00:15

4. The feedwater pipe downstream of MOV-20 was not completely voided when MOV-20 closed

5. The water hammer occurred at 05:07.

• Based on correcting indicated values from flow calibration data found after the event.

B-1

The total injected AFW is calculated to be 1051 gallons; the piping volume downstream of MOV-20 is calculated to be 860 gallons. These calculations indicate a full line when the water hammer occurred, that is, a zero percent void fraction.

The upper estimate of void fraction can be calculated from the following assumptions:

1. MOV-20 was closed at 04:55  !

2. The AFW flow was 135 gpm

3. AFW flow was reduced to zero at 04:59:30 and restored to 25 gpm at 04:59:45

4. AFW flow was constant at 25 gpm* until the water hammer

5. The feedwater line downstream of MOV-20 was completely empty when MOV-20 closed.

The volume of AFW injected under these assumptions is 789 gallons, or a liquid volume fraction of 84.5 percent.

This method yields an estimated void fraction of zero to 15.5 percent.

Hydrodynamic Instability Methods The refilling of the feedwater piping is a transient controlled by hydrodynamic instabilities. Initial refill conditions will be determined by whether or not the pipe " runs full," which is a function of AFW injection flow rates.

Experiments have show (Reference 1) that a critical Froude number must be reached for the pipe to run full (see below). This was not the case for 150 gpm injection flow and, therefore, initial AFW injection filled the lower portion of the horizontal feedwater pipes for all FW flow circuits. In other words, steam existed along the top of the entire line as cold AFW filled up the bottom.

The simultaneous presence of steam and colder water in the horizontal FW pipe results in mass and energy transfer taking place; this transfer results in condensation on the water surface and the pipe wall. The colder water in the bottom of the pipe acts as a heat sink drawing heat from the top of the pipe; the pipe acts as a conducting fin drawing the latent heat of condensation to the colder bottom where the cold AFW is laying. As steam condenses locally, it is replenished from the steam generator (SG) and hydrodynamic instabilities are et up on the water surface. As the water level in the pipe rises (refilling i continuous following closure of MOV-20), a more pronounced surface hydraulic interaction is set up, with transition from stratified flow occurring (Figure 6.1.c). As the void fraction decreases, the backflow of steam corresponding to condensation on the water surface and pipe wall will become high enough to result in a transition to slug flow; this condition is called a critical void fraction.

Two correlations available for estimating this critical void fraction as a function of steam flow are the Taitel-Duckler (Reference 2) and Wallis-Dobson (Reference 3) correlations. These correlations are fundamentally the same and since the Wallis-Dobson correlation has been used in previous NRC studies

• 0perator observed value.

B-2

related to SGWH (Reference 4), this correlation was used to estimate the void fraction existing at the time of water hammer occurrence.

A lower estimate of critical void fraction of 4 percent was calculated, (assum-ing condensation only on a semi quiescent water surface). Including condensation on the upper pipe wall in the calculations raised the estimated critical void fraction to 15 percent. Both estimates (Reference 5) were based on hand calcu-lational models, which will overestimate void fraction. (A calculation taking into account time and pipe position transients, including pipe wall heat capa-city effects, would be required to refine these estimates.) .It should also be noted that these void fraction estimates are based on the total horizontal pipe length (i.e, the 203 feet of B feedwater line between the vertical elbow next to the steam generator back to FWS-346).

Limiting Load Method The water hammer force was back-calculated at FWS-346 by estimating the force necessary to stretch the bonnet bolts approximately 0.5 inches; that force would require an internal pressure of 16,000 psi. Since water hammer wave reflection will essentially double the load (References 6 and 7), the initial impact pressure from a traveling slug was estimated to have been 8000 psi.

This load would correspond to a void fraction of 22 percent. Other calculations related to structural support damage (see above) revealed lower forces and support an estimated void fraction of less than 1 percent when the water hammer occurred.

In summary, these three methods arrive at overlapping values of void fraction, with a probable range of between 1 and 15 percent and support the hypothesis that the water hammer occurred just about when the Loop B horizontal piping run was nearing complete refill.

Flow Conditions When Water Hammer Occurred For steam condensation-induced water hammer to occur, several hydrodynamic phenomena must precede it. First, the pipe must fill (this is a function of refill rate ard whether the pipe will run full), the steam-water interface (which controls the rate of heat transfer between the steam and cold water),

the hydrodynamic flow conditions which change as the pipe fills (see Figure 6.1) from stratified flow to slug flow. Eventually a steam pocket is entrapped, which then collapses, and accelerates a water slug in the direction of pressure inbalance.

The SONGS-1 water hammer can be attributed to the refill transient (e.g. , the {

time required to refill the voided lines and existing flow conditions and l operator actions. Initially, the AFW flow rate (after the MOVs were closed) was 155 gpm. This flow rate is too low to maintain full pipe flow and can be deduced from Froude number considerations. The Froude number (a dimensionless parameter) is the ratio of fluid inertial forces to gravity effects and has been long used to model wave effects (i.e., the " hydraulic jump" phenomena, or wave cresting in open channel flow). The Froude numbe. necessary to fully fill a circular horizontal pipe (with some water running ahead of the filled section) is approximately 0.5 (Reference 1).

B-3

.. _ _ _ _ o

For an AFW injection flow rate of 155 gpm, the Froude number is 0.13 (averaged over the total FW pipe cross-sectional area) and is 0.02 for an AFW flow rate of 25 gpm. Thus, the FW pipe (which is horizontal) will not run full during the refill transient (see Figure 6.6) and the variation of AFW injection during the time preceding the water hammer is important.

The'AFW piping refill transient can be examined simplistically as a filling of voided pipe volumes. During the 5 minutes following closure of MOVs -20,

-21, and -22, more than sufficient AFW had been injected to totally fill loops A and C. However, the horizontal piping run in loop B was only 90 percent full (Table B-1) and at this point the operators reduced AFW rate to zero and then back to 41 gpm.

Loops A and C would have been completely filled in about 3.5 minutes since they have about 50 percent of the volume of loop B. Thus, this simplistic fill vol-ume approach correlates well with the fact that operators throttled back AFW at about 05:00 following detection of overcooling of the reactor coolant systems.

SGs A and C were receiving cold water and reinitiating cooldown (all three SGs had essentially boiled dry previously).

Reducing the AFW flow rate to 41 gpm had several adverse ef fects on the con-tinued refilling of loop B: (1) reverting the refill process to a quiete'r (or more gradual) hydraulic condition, (2) allowing the steam void at the top of the pipe to propogate backwards to MOV-20 and (3) allowing the cold AFW to stay in contact with the hot steam for a longer period of time. Following resump-tion of AFW injection, calculations indicate that loop B would have been com-pletely filled at about 05:04, suggesting that a steam bubble may have been trapped during the refilling and that the bubble collapsed later.* The water hammer occurred at 05:07.

Examination of flow conditions existing at the vertical upturn elbow region at these low Froude numbers (Fr = 0.03 at 41 gpm) is important to an understanding of local flow conditions just prior to the water hammer. The low Froude num-bers which enhance a quiet filling condition versus slug flow may be-a signifi-cant factor in averting water hammer in loops A and C. SCE provided informa-tion (Reference 8) related to air-water tests conducted at Creare, Inc. which were designe' M simulate refilling of the horizontal FW pipe at SONGS-1.

These exper p- showed that for Froude numbers of 0.02 to 0.12:

As the liquid level neared the top of the pipe (void fraction of a few percent) the air gap at the vented end of the pipe is bridged by a single slug and water immediately starts filling the vent riser. Most of the remaining air stays trapped in the pipe when filling is. continued.

This quiescent refilling, coupled with rapid bridging of the elbow region to fill the vertical pipe at low void fractions (i.e. , < 10 percent), is likely the reason that loops A and C did not experience a water hammer. At SONGS-1 the steam pocket could have been swept out due to a not perfectly horizontal pipe run. The Creare air-water tests were very carefully run to ensure a perfectly level horizontal pipe run.

• Uncertanties in the calculation assumptions may have contributed to this result.

B-4

~

The total stoppage of AFW and resumption at 41 gpm when loop 8 was 90 percent full delayed fluid bridging of the elbow and increased the time that steam and cold water remained in contact. Whether total flow stoppage or the significant AFW flow reduction were the critical factors leading to a water hammer cannot be determined without a refined thermal-hydraulic refilling analyses. Nonethe-less, operator actions which delayed the total refilling of loop B enhanced the probability the steam condensation-induced water hammer would occur.

The hypothesized loop B refill conditions prior to the occurrence of water ham-mer are shown in Figure 6.6. A 0.5-inch gap at the top of loop B horizontal FW pipe corresponds to a void of approximately 2 percent. The actual position of the steam pocket at the time of collapse is unknown. However, pipe displace-ments and loads experienced at the damaged supports suggest that the slug was formed in the horizontal run of loop B piping just upstream from the vertical piping run and then accelerated upstream. This postulated low void fraction condition is supported by the calculated structural damage loads discussed below.

Another well point beyond of interest is that conditions conducive to water hammer existed 05:07. Feedwater leakage was manually isolated at 10:45 on November 21, 1985 (Table 3.1). Although backflow of steam for loops A and C would have been blocked by the closure of the MOVs, the failed gasket in 4-inch check valve FWS-378 continued to provide an open backflow path until manual isolation (via closure of FWS-376) was accomplished.

COMPARISON OF ESTIMATED LOADS WITH DAMAGE INCURRED Souther California Edison (SEC) provided the Team with the following comparison of estimated water hammer loads with observed and measured damage incurred (Reference 9).

data taken following the water hammer incident. Figure 6.62 shows measured piping Characteristics of Damage Forces Based on the survey of the horizontal pipe displacements between the as-found and the design configurations (Figure 8.1), it is obvious that the major force exerted on the pipe is opposite to the direction of normal feedwater flow. This force is caused by the water hammer induced pressure wave propogating in the direction opposite that of the normal feedwater flow. A reflected pressure wave was generated following transmission of the first wave which loaded valves FCV-457 and FWS-378.

From Figure B.1 it is observed that the largest displacement is along the longest run of the pipe (between support location 100 [H00G] and 140

[H00K].) This displacement is a result of the large impulse load in this section of the line, coupled with increased line flexibility after the support damage done by the water slug. It is also in this region that the i

FW piping material incurred an 80-inch axial crack. The crack started on the outside of the pipe and had an approximate 25 percent thru wall penetration [from the outside wall (Figure 6.8)].

Pipe Support Damage The minimum forces needed to damage some of the pipe supports and the maximum forces that some intact pipe supports can withstand are estimated in this section.

B-5

This estimate provides an upper bound and a lower bound of the force exerted on the pipe during the water hammer event. The pipe support locations and identification numbers for various suppcru are shown in Figure 6.7. A brief description of the calculated loads and findings is provided below.

1. H00A - Based on the fact that the base plate was pulled out from the wall and the welded dummy support (to which the snubber is attached) was not damaged, it is estimated that the force parallel to the snubber axis was between 40,000 to 90,000 lbs.

This translates into a force of 45,000 lbs. to 101,000 lbs.

parallel to the pipe axis.

2. H006 - Based on the fact that the snubber was functionally tested and found to be damaged, it is estimated the force 3 exerted parallel to the axis of the snubber is 40,000 lbs.

This translates into a force parallel to the pipe of at least 44,000 lbs.

3. H00J - Based on the fact the dummy support was sheared from the pipe, the force parallel to the pipe is estimated between 62,000 lbs. and 164,000 lbs., depending on the manner of' loading.

4. HOOK - Based on the severe damage of the pipe guide, the force I needed to deform the structure is estimated to be around 112,000 lbs. parallel to the axis between support locations 150 and 170.

However, because the energy loss in collapsing the structure and creating the dent is not considered in the analysis, the actual force may be as high as 180,000 lbs.

5. HOOL - Based on the fact that the dummy stub was sheared off and the various base plates were pulled off or damaged during the event, the minimum force needed to cause such damage ranges from 36,000 to 82,000 lbs, depending on the nature of the loading.

Timing History Analysis The time-history analysis is another way to estimate the force exerting on the pipe. This method is an iterative process, starting with an estimated force and then comparing the calculated horizontal pipe displacement with the observed horizontal displacement. The solution is the force at which the calculated displacement is close to the observed displacement.

The time-history analysis performed by Bechtel (Reference 9) showed that the impulse force, which resulted in a 12-inch displacement of the long north-south run of pipe, is about 160,000 lbs.

Analysis Results Based on the time-history analysis and the observed damage to support HOOK, it is clear that the force exerted on the segment of the horizontal pipe between the locations 150 and 180 ranges from 112,000 lbs. to 180,000 lbs. Also, the maximum force exerted on the pipe segment, to which the supports H00A and H006 are attached, is limited to 101,000 lbs. Based on B-6

the experiments done by Swaffield and Phil (Reference 10) the pressure wave transmits only 90 percent of its strength downstream of a 90 degree pipe elbow. Also, the pressure wave tends to decrease as the energy of the impulse is dissipated during propogation. Therefore, the forces exerted on H00A, H006, and HOOK are consistent and are probably caused by the same pressure wave propogating opposite to.the direction of the feedwater flow.

Assuming the energy loss due to damage on the' pipe support system between the locations of pipe support HOOK and check valves FWS-346 is negligible, the force at the location of FWS-346 can be estimated by increasing the force at the location 160 by 10 percent. This 10 percent is again based on the data discussed in Swa1 field and Phil (Reference 10). This increase will result in a force of 123,000 to 198,000 lbs. at FWS-346. The corre-sponding impact pressure for this force ranges from 1600 to 2600 psi.

Using the methods developed by the CREARE in NUREG-0291'(Reference 4) for NRC's prior water hammer analysis, an impact pressure of 1600 to 2600 psi would be equivalent to a void fraction of 1.5 percent to 2.5 percent, as-suming the subcooling of the slug formed by steam-condensation was in the range of 85 'F to 200 F.

The data related to the dents around the first elbow of the horizontal pipe (at the NE corner) and around pipe support location 140 were not used in the above analysis because of the uncertainties in determining the force needed to cause indentation resulting from impact against the concrete.

This large uncertainty is composed of various analysis uncertainties re-lated to pipe property, force direction, plastic deformation model, and concrete characteristics before and after the impact.

Therefore, based on this more detailed analysis of the damage forces calculated at various damaged pipe supports, it was concluded that:

1. The force exerted on the pipe between support locations 40 and 90 ranges from 45,000 to 101,000 lbs. The actual force was probably closer to 101,000 lbs. than to 45,000 lbs.

2. The force exerted on the pipe between locations 150 and 180 ranges from 112,000 to 180,000 lbs.

3. The impact pressure of a water slug, or the surge pressure of the pressure wave, is estimated to range from 1600 to 2600 psi.

4.

The void fraction in the main feedwater line at the time of water hammer is estimated to range from 1.5 to 2.5 percent, depending on the subcooling of the water slug. This void fraction is estimated for a total FW pipe length of 203 feet.

These calculations further refine the void fraction estimates discussed above and indicate that very low void fractions existed in the horizontal line just upstream of the vertical elbow leading to steam generator B (i.e., 1-2 percent void).

8-7

Table B.1 SONGS-1 Feedwater Flow System Parameters and Volumes Design Parameter Data Feedwater Pipe Schedule (Loops A,B,&C) 10-inch, Schedule 60 Inside Diameter 9.75 inches Estimated Length of Horizontal Pipe:

Loops A & C 118 feet Loop B 221 feet Estimated Volume of Horizontal Pipe:

Loop A 459 gal.

Loop B 857 gal.

Estimated Volume of Vertical Pipe Rise at SG B 60 gal.

Estimated Refill Characteristics Loop B:

04:55 to 05:00 @ 155 gpm = 775 gals > 857 gal.

Est'd void fraction @ 05:00 = 10% in Horizontal Pipe 05:00 to 05:07 @ 41 gpm = 236 gal.

Total Volume Injected = 1011 gal. > (857+60); pipe is full Loop A or C:

04:55 to 05:00 @ 155 gpm = 775 gal. > 459 gal.

> 459+60 gal. i B-8

References

1. Wallis, G. B.,

et al., " Conditions for a Pipe to Run Full When Discharing Liquid into a Space 1977, pp. 405-413.

Filled with Gas," Journal of Fluid Dynamics, June 2.

Y. Taitel and A E. Duckler, "A Model for Predicting Flow Regime Transitions in Horizontal and Near Horizontal Gas-Liquid Flow," AICHE Journal, Vol. 22, pp. 47-55.

3.

G. B. Wallis and J. E. Dobson, "The Onset of Slugging in Horizontal Stratified 1973.

Air-Water Flow," J. of Multiphase Flow, Vol 1, pp.173-193, 4.

J. A. Block, et al., "An Evaluation of PWR Steam Generator Water Hammer,"

NUREG-0291, U.S., NRC, 1976.

5.

Letter from F. M. Joos (CREARE, Inc.) to C. Chiu (Southern California Edison) on December 16, 1985. Exhibit 427.

6.

H. Rouse, Engineering Hydraulics, John Wiley & Sons, Inc., New York, 1949.

7. V. C. Streeter and E. B.- Wylie, Hydraulic Transients, McGraw-Hill Book Company, New York, 1967. '

8.

Joos, 1986.

F. M. (CREARE, Inc. ), to Chiu, C (SCEC) letter dated January 6, i I

9.  !

Bechtel Power Corporation Calculations MC-077-002, " Hydraulic Transient Load on MFW and AFW Piping at Vicinity of SG-8," December 15, 1985.

Exhibit 495.

10. Swaffield, J. A. and Phil, M., "The Influence of Bends of Fluid Transients Propagated 603-14, Vol. in Incompresible Pipe Flow," Proc. Instr. Mech. Engrs., pp.

183.

(

B-9

s' f

% / \

$ /

\

/ /I

\ /g \ #

8

/

\l g#

/ f l5 I "

I /\

m iE f

3

\ / 'l \/ i

\

9 I% i s l gs =

\ /

/

I

\ / I [

,i a

\ i 2

\ e

/

\ li I

i

1. llgI

' 5

' hSh')'g -

e 3 i B-10

APPENDIX C Regulatory Review of the Potential for Water Hammer at San Onofre Unit 1 t .

APPENDIX C NRC's concerns related to the potential for water hammer at SONGS-1 date back to 1975. The correspondence summarized below provides a historical perspective of these concerns.

5/13/75 - NRC informs the licensee (Southern California Edison) that the poten-tial and consequence of secondary system water hammer needs to be analyzed; that uncovering the steam generator feedring and subsequent operation of the

' auxiliary feedwater system may cause a water hammer; that changes in plant design or operation necessary to prevent water hammers or assure system inte-grity should be identified for NRC evaluation.

7/14/75 - SCE informs the NRC staff that changes in design or operation of the feedwater system are not necessary; that feedwater flow is continued through periods of low steam generator level; that the layout of the feedwater lines external to the steam generators will minimize the magnitude of a water hammer; that auxiliary feedwater flow is not automatically initiated; that analysis of feedwater piping using dynamic forcing functions modeling water hammer j phenomena have not been performed.

{

l 9/2/77 - NRC informs SCE of the staff conclusion that keeping steam generator feedwater lines and feedwater spargers full should preclude the occurrence of .

water hammer and that SCE should propose plant design and procedural modifica-tions to minimize probability of SGWH.

12/27/77 - SCE informs staff no modification to plant design is warranted and that administrative controls wii! be imposed on operations to assure feedwater is added slowly af ter the feedwater sparger is uncovered.

5/25/79 - NRC requests information on the design of feedwater lines including questions on the history of feedwater line water hammers.

6/18/79 -SCE provides requested information.

7/3/79 - SCE provides additional information on feedwater line water hammer experiences to supplement response of 6/18/79.

8/2/79 - NRC requests that SCE provide additional information pertaining to susceptability of plant to SGWH per telephone conversation.

8/31/79 - SCE provides requested information on susceptability to SGWH and indicates flow meter indication at low flows is not available.

9/12/79 - NRC acknowledges plant operating history does not show that SGWH has occurred at the plant, but requests additional information to provide further assurance that SGWH would not occur in the future and that surveillance procedures would be adequate to detect water hammer or damage from water hammer, if it were to occur.

C-1 APPENDIX C

2/14/80 - SCE responded to the NRC request and informed the staff that the steam generator feedwater spargers have been uncovered many times without SGWH; that administrative controls are in place to reduce the frequency of uncovering the spargers; that transient and accident analysis were not affected by these con-trols; that the impact of automating the auxiliary feedwater system would be evaluated; that visual inspections would be conducted if water hammers occur; that there had been no loss of offsite power with the plant operating; and that further evaluations of the potential for an appropriate corrective action for water hammer would be performed.

4/15/80 - SCE confirms discussions with the NRC staff that the evaluation to be performed by SCE of water hammer would not include SGWH, but would include the development of forcing functions for classic water hammers, such as valve closure and pump start.

4/22/80 - NRC forwards the safety evaluation report (SER) relating to the potential for water hammer in plant feedwater lines and documents the SCE commitment to evaluate further the potential magnitude of water hammers. The SER concludes that the potential for SGWH is sufficiently low to permit con-tinued plant operations. The basis for this conclusion is stated to be a review of operating history and related operational and procedural characteristics of the feedwater system which showed that although conditions conducive to SGWH l have been encountered, SGWH had not occurred.

10/16/80 - SCE informs NRC of plans to automate and upgrade the auxiliary feedwater system in response to TMI lessons learned requirements. A discussion of revised administrative controls to prevent SGWH were not included since they .

were discussed in the correspondence of 2/14/80. l 11/25/80 - SCE provided its promised evaluation of the effects of " classic" type water hammers on feedwater piping in the plant. It concluded that classical water hammer has no significant effect on piping stress and support loads and that existing administrative controls are adequate.

3/6/81 - SCE provides an evaluation of the potential for SGWH with the automated auxiliary feedwater system; indicates that uncovering the feedring cannot be prevented; that flow limits are required because conditions conducive to SGWH cannot be eliminated for the auxiliary feedwater system; that new flow meters enabled improved administrative controls on flow rate; and, that auto-mation of the auxiliary feedwater system with these controls does not increase the probability of inducing SGWH.

3/82 - NRC issues NUREG-0918, which summarized the resolution of the concern for SGWH at operating pressurized water reactors. It stated, in part, that:

San Onofre 1 has short horizontal feedwater pipe (less than 3 feet) leading to the SG inlet. SGs still use the " unmodified" feedring with bottom-discharge holes. The auxiliary feedwater flow at the plant can only be started manually: this allows the plant operator to feed the SGs with heated main feedwater whenever possible.

The staff has accepted the present implementation at San Onofre 1.

However, this matter will be reexamined if any SGWHs occur at the plant in the future.

C-2 APPENDIX C

1 (NUREG-0918 referenced the NRC staff SER produced in April 1980. )

It is clear from reviewing the prior correspondence cited above, and from followup interviews with NRC staff who were involved in previous SONGS-1 water hammer reviews, that the thrust of NRC concern was directed at the prevention and mitigation of consequences of SGWH and not at preventing gross voiding of the FW lines.

SONGS-1 AFW System Evaluations The potential for cold AFW injection to produce SGWH was included in the NRC and SCE water hammer evaluations discussed above and cited in Section 6.

Enclosure 2 of Reference 22 of Section 6 provides a review of those evaluations 4 and reaches the conclusion that establishing an upper flow rate limit (i.e.,

150 gpm/SG) on AFW (as recommended in Westinghouse's Bulletin 75-7, Reference 23 of Section 6) would prevent too rapid an injection of cold water into the feedring and, therefore, avoid SGWH. Operators were cautioned in the E0Is not to exceed this upper AFW flow limit whenever the steam generator feedring was uncovered so as not to set up conditions for water hammer.

In 1979, as a result of NRC's Bulletins and Orders Task Force review of operating reactors following the TMI-2 accident, SCE was requested to provide information regarding AFWS flow requirements at SONGS-1 (Reference 1).

Enclosure 1 of Reference 2 discusses the basis for AFWS flow requirements and includes plant transient analyses dealing with the following transients and accidents identified by NRC staff:

1. Loss of main feedwater (LMFW)

2. LMFW with loss of offsite ac power

3. LMFW with loss of onsite and offsite ac power

4. Plant cooldown

5. Turbine trip with and without bypass

6. Main steam isolation valve closure

7. Main feed line break

8. Main steam line break

9. Small break LOCA

10. Other transient or accident conditions not listed above.

It should be noted that none of these analyses considered the additional compli-cations which might arise from failure of feedwater system check valves, includ-ing the potential blowdown of steam generators or the failure of the low pres-sure piping in the feedwater system.

NRC completed review of AFWS automatic initiation and flow indication (THI Action Plan Item II.E.1.2) for SONGS-1 in 1982 (Reference 3) and approved the AFWS Technical Specifications in 1984 (Reference 4).

The Team met with SCE staff on December 13,1985 (Reference 5), at which meet-ing SCE reviewed the SONGS-1 AFW system in terms of the original designs, up-grades (i.e. , seismic upgrades), TMI Action Plan requirements, etc. These dis-cussions also delved into prior water hammer occurrences and SGWH evaluations.

Although this meeting did not reveal any significant new information, it again illustrated the belief that SGWH would not occur within the steam generator, since it had never occurred at SONGS-1, despite numerous transients involving uncovered feedrings, and limits on AFW flow rate were sufficient to preclude such an occurrence.

C-3 APPENDIX C

References

1. D. G. Eisenhut, NRC to J. H. Drake, SCEC, " Auxiliary Feedwater System Flow Requirements," November 15, 1979.

2. K. P. Baskin, SCEC, transmittal to D. M. Crutchfield, NRC, " Automatic Initiation of Auxiliary Feedwater System SONGS-1," March 6,1981.

3. D. M. Crutchfield, NRR to R. Dietch, SCEC, " Auxiliary Feedwater System Automatic Initiation and Flow Indications (TMI Action Plan Item II.E.1.2),

November 18, 1982.

4. W. A. Paulson, NRC to K. P. Baskin, SCEC, " Auxiliary Feedwater System Technical Specifications," October 21; 1984. ,

5. Transcript (Set 3-044), December 13, 1985 Meeting at Rosemead, California.

C-4 APPENDIX C

U S NUCLt AM HE GUL ATOa. COMui55 SON REPOR T NUMutu f.ssgaea e, TsOC. eed vos JWe , se ea, A

. .a FORM 335 asnC. i Bell 2RAPHIC DATA SHEET NUREG-1190

> t ...a.

3 TITLE ANO SU8TsTLE e HECne,t h,4 ACCT 55 tun NuwetM

/

Loss of Powe and Water Hammer Event at San Onofre, Unit 1 * "" "'"

" ' P"" "

on November , 1985 " "

/

r l " '"

. &u f ,.0a.5, January 1986

, oAu ..,fe r 55u o

-ONr f lu Aa Jany6ry 1986 9 PHO Cie T A5miWOMn UNI, NUM9E R

$ 9 E*FORutNG ORGANilATION N AME ARio MAeLaNG ADDHE 55 fiar*wer /* Codrs Incident Investigation Team Executive Director for erations [ , ,, ,,,, ,,

i U.S. Nuclear Regulhtory ommission Washington, D.C. 20555

,, SPON50RsNG OHGANs2 Af SON N Auf AND W AsteNgDont s5 tsachee le Cees

'/ 1 24 f.PE OF HEPOR T Incident Investigation Team \

Executive Director for Operat' ions Technical U.S. Nuclear Regulatory Commis'. ion 'i= Piaim Covaatou-~ ~ ~<d Washington, D.C. 20555 n suu u . NTA.,Nori5 iA A.5raACT,m e, ,

T On November 21, 1985, Southern California dison's San Onofre Nuclear Generat-ing Station, Unit 1, located south 'of San flemente, California, experienced a partiallossofinplantacelectricaipowdrwhiletheplantwasoperatingat g

60 percent power. Following a manual re/ctor trip, the plant lost all inplant ac power for 4 minutes and experienced' severe incidence of water hammer in the feedwater system which caused a le ( damaged plant equipment, and chal-lenged the integrity of the plant's he ' sink. The most significant aspect of the event involved the failure of fivg safgty-related f check valves in the feed-water system whose failure occurred ip less\than a year, without detection, and jeopardized the integrity of safety yystems.\The event involved a number of equipment malfunctions, operator errors, and procedural deficiencies. This report documents the findings and cdnclusions hf an NRC Incident Investigation Team sent to San Onofre by the NRCfxecutive Diepctor for Operations in confor-mance with NRC's recently establis ed Incident In estigation Program.

15e EG Y WORDS AND DOCout er ANAL.585 15h DE SCHeP IONS

\

loss of power lp water hammer j San Onofre, Unit 1 j ll 4

3

.. A... A.,<,,.5,A,.. N,

, , 5g'u,..

, . , u . s 5.. ,< a ,,eN ,, No .. ~ ...s.5 Uncia s,,s,i fied Unlimited , , 5, Co.. . . C , .s , . .C A , ,o, o P,m ,

UEdEssified s

UNITED STATES sncea ,coaruet,ssnat.

m5m

• HE5 NO

- NUCLEAR REGULATORY COMMISSION WASHINGTON, D.C. 20555 g;{Egy OFFICIAL BUSINESS PENALTY FOR PRIVATE USE. 4300 p'AR{078877 1

POL I l tr 1 g ,,, " ' on tiyj?y ' opvol'ec

,B soc

,G T og, R.pg kURtc CC 2055$

c __ - _ _ _ - _ _ - _ _ _ _ _ - _ - _ _ _